Commuting signatures and veri�able encryption
Georg Fuchsbauer
University of Bristol
EUROCRYPT 17.05.2011
Results
New primitive: Commuting signatures (and veri�able encryption)
New functionality
E�cient instantiation in pairing groups
Application: Delegatable anonymous credentials
Non-interactive delegation
Signi�cant e�ciency improvements
Other results: Groth-Sahai proofs
Properties of proofs
Stronger notion of simulation
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 1 / 15
Results
New primitive: Commuting signatures (and veri�able encryption)
New functionality
E�cient instantiation in pairing groups
Application: Delegatable anonymous credentials
Non-interactive delegation
Signi�cant e�ciency improvements
Other results: Groth-Sahai proofs
Properties of proofs
Stronger notion of simulation
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 1 / 15
Results
New primitive: Commuting signatures (and veri�able encryption)
New functionality
E�cient instantiation in pairing groups
Application: Delegatable anonymous credentials
Non-interactive delegation
Signi�cant e�ciency improvements
Other results: Groth-Sahai proofs
Properties of proofs
Stronger notion of simulation
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 1 / 15
Outline of this talk
1 Commuting signatures
2 Delegatable anonymous credentials
3 Instantiating commuting signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 2 / 15
1 Commuting signatures
2 Delegatable anonymous credentials
3 Instantiating commuting signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 3 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
XSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
XSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Randomizable Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃ −→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄ −→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π −→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂ −→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
XSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
XSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
XSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , πXSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
X
Sign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
X
Sign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption I
Signature Msk−→ Σ Veri�cation: vk, M, Σ
Veri�able encryption
vk,M,Σ −→
{ −→ Σ , π̃
−→ Σ , π̃
Veri�cation: vk, M, Σ , π̃
−→ M , π̄
−→ M , π̄
Veri�cation: vk, M , Σ, π̄
−→ M , Σ , π
−→ M , Σ , π
Veri�cation: vk, M , Σ , π
−→ vk , M , Σ , π̂
−→ vk , M , Σ , π̂
Veri�cation: vk , M , Σ , π̂
Commuting signature and veri�able encryption
Proof adaptation: π̃π̄
}←→ π ←→ π̂
Sign M given M : Msk−→ Σ
π Veri�cation: vk, M , Σ , π
X
Sign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π
Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 4 / 15
Commuting signatures and veri�able encryption II
6
6
?
6
�����������9���
������
��:
������
�����:
XXXXXXXXz
`̀`̀X XXz
������
������
���XXXXXXXXXz
������
������
���XXXXXXXXXz
M, Σ
M
M µ
M µ ,Σ, π̄
M, Σ σ , π̃
M µ , Σ σ , π
(sk)
(σ)
(µ)
(sk)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 5 / 15
Commuting signatures and veri�able encryption II
6
6
?
6
�����������9���
������
��:
������
�����:
XXXXXXXXz
`̀`̀X XXz
������
������
���XXXXXXXXXz
������
������
���XXXXXXXXXz
M, Σ
M
M µ
M µ ,Σ, π̄
M, Σ σ , π̃
M µ , Σ σ , π
(sk)
(σ)
(µ)
(sk)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 5 / 15
Commuting signatures and veri�able encryption II
6
6
?
6
�����������9���
������
��:
������
�����:
XXXXXXXXz
`̀`̀X XXz
������
������
���XXXXXXXXXz
������
������
���XXXXXXXXXz
M, Σ
M
M µ
M µ ,Σ, π̄
M, Σ σ , π̃
M µ , Σ σ , π
(sk)
(σ)
(µ)
(sk)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 5 / 15
Commuting signatures and veri�able encryption II
6
6
?
6
�����������9���
������
��:
������
�����:
XXXXXXXXz
`̀`̀X XXz
������
������
���XXXXXXXXXz
������
������
���XXXXXXXXXz
M, Σ
M
M µ
M µ ,Σ, π̄
M, Σ σ , π̃
M µ , Σ σ , π
(sk)
(σ)
(µ)
(sk)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 5 / 15
1 Commuting signatures
2 Delegatable anonymous credentials
3 Instantiating commuting signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 6 / 15
Delegatable anonymous credentials
Delegatable anonymous credentials [BCCKLS09]
Users can prove to hold credential w/o revealing their identity
Credentials can be issued/delegated and obtained anonymously
Model
Each user holds a secret key and can
. . . produce arbitrarily many (unlinkable) pseudonyms from it
. . . can publish pseudonym as public key for a credential
. . . run interactive protocol to issue/delegate credentials to other users
. . . prove to hold credentials for every pseudonym
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 7 / 15
Delegatable anonymous credentials
Delegatable anonymous credentials [BCCKLS09]
Users can prove to hold credential w/o revealing their identity
Credentials can be issued/delegated and obtained anonymously
Model
Each user holds a secret key and can
. . . produce arbitrarily many (unlinkable) pseudonyms from it
. . . can publish pseudonym as public key for a credential
. . . run interactive protocol to issue/delegate credentials to other users
. . . prove to hold credentials for every pseudonym
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 7 / 15
Delegatable anonymous credentials
Delegatable anonymous credentials [BCCKLS09]
Users can prove to hold credential w/o revealing their identity
Credentials can be issued/delegated and obtained anonymously
Model
Each user holds a secret key and can
. . . produce arbitrarily many (unlinkable) pseudonyms from it
. . . can publish pseudonym as public key for a credential
. . . run interactive protocol to issue/delegate credentials to other users
. . . prove to hold credentials for every pseudonym
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 7 / 15
Delegatable anonymous credentials
Delegatable anonymous credentials [BCCKLS09]
Users can prove to hold credential w/o revealing their identity
Credentials can be issued/delegated and obtained anonymously
Model
Each user holds a secret key and can
. . . produce arbitrarily many (unlinkable) pseudonyms from it
. . . can publish pseudonym as public key for a credential
. . . run interactive protocol to issue/delegate credentials to other users
. . . prove to hold credentials for every pseudonym
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 7 / 15
Non-interactively delegatable anonymous credentials
����
����
����
----
-- ��
Nym(O)A
Nym(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Non-interactively delegatable anonymous credentials
����
����
����
----
-- ��
Nym(O)A Nym
(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Non-interactively delegatable anonymous credentials
����
����
����
--
--
-- ��
Nym(O)A Nym
(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Non-interactively delegatable anonymous credentials
����
����
����
--
--
--
��
Nym(O)A Nym
(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Non-interactively delegatable anonymous credentials
����
����
����
--
--
-- ��
Nym(O)A Nym
(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Non-interactively delegatable anonymous credentials
����
����
����
----
-- ��
Nym(O)A Nym
(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Non-interactively delegatable anonymous credentials
����
����
����
----
--
��
Nym(O)A Nym
(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Non-interactively delegatable anonymous credentials
����
����
����
----
--
��
Nym(O)A Nym
(B)A
Nym
(C)
A
Nym(A)B B
Nym
(C)
B
A
CNym(A)C Nym
(B)C
credO→Nym
(O)A
credO→Nym
(A)B
credO→Nym
(C)A
credO→Nym
(C)B
O
Security
Unforgeability
Anonymity (simulation-based)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 8 / 15
Black-box instantiation of NIDAC
In a nutshell
Pseudonym: encryption of user veri�cation key
Credential: veri�ably encrypted signature
Non-interactive delegation: commuting signature
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights
---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights
--
-Σ1
vk1vk0
vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´
Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´Adapt proof for vk2 ⇒
`vk2 , Σ3 , vk3 , π3
´
Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´Adapt proof for vk2 ⇒
`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
Black-box instantiation of NIDAC
Delegation of signing rights ---Σ1
vk1vk0 vkn• • •
Σ2 Σn
Signatures credential
Anonymous show --- vknvk1vk0 • • •
Σ1 Σ2 Σn
π1 π2 πn
Veri�able encryption
Anonymous delegation -- vk1vk0 vk2
Σ1 Σ2
π1 π2
π1 π2
vk3
Commuting signatures
Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′
3
´Adapt proof for vk2 ⇒
`vk2 , Σ3 , vk3 , π3
´Randomize previous encryptions/proofs
Send credential`
Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 9 / 15
1 Commuting signatures
2 Delegatable anonymous credentials
3 Instantiating commuting signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 10 / 15
Building blocks
Bilinear group: (p,G1,G2,GT , e,G ,H) with
Pairing: e : G1 ×G2 → GT bilinear
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Bilinear group: (p,G1,G2,GT , e,G ,H) with
Pairing: e : G1 ×G2 → GT bilinear
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Bilinear group: (p,G1,G2,GT , e,G ,H) with
Pairing: e : G1 ×G2 → GT bilinear
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Bilinear group: (p,G1,G2,GT , e,G ,H) with
Pairing: e : G1 ×G2 → GT bilinear
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptionsencryptions
commitments ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make encryptions
encryptionscommitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptions
encryptions
commitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Pairing-product equation (PPE)
over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t , (E)
de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptions
encryptions
commitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptions
encryptions
commitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptions
encryptions
commitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptions
encryptions
commitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptions
encryptions
commitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Building blocks
Groth�Sahai proofs [GS08]
E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])
proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E
1 Make
encryptions
encryptions
commitments
ci to Xi and dj to Yj
2 Construct proof π that committed values satisfy Ewithout revealing anything else
Given extraction key, one can extract the committed values Xi , Yj
Automorphic signatures [AFGHO10]
• Messages and signatures are group elements
• Veri�cation by pairing-product equation
}�structure preserving�
• Veri�cation keys lie in message space
Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 11 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
IndependenceProofs do not depend on t
Proofs for linear equations (γij = 0) do not depend on encrypted values
AdaptingProofs can be adapted when constants are turned into variables or vice versa
HomomorphicLet π be proof for E and ciphertexts (c1, . . . , cm,d1, . . . ,dn)Let π′ be proof for E′ and ciphertexts (c′
1, . . . , c′
m′ ,d′1, . . . ,d′
n′)
Then π · π′ is a proof for E · E′ and (c1, . . . , cm, c′1, . . . , c′
m′ ,d1, . . . . . . ,d′n′)Q
e(Aj ,Yj )Qe(A′
j,Y ′
j)Qe(Xi ,Bi )
Qe(X ′
i,B′
i)QQ
e(Xi ,Yj )γi,jQQ
e(X ′i,Y ′
j)γ′i,j = t · t′
(E · E′)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
IndependenceProofs do not depend on tProofs for linear equations (γij = 0) do not depend on encrypted values
AdaptingProofs can be adapted when constants are turned into variables or vice versa
HomomorphicLet π be proof for E and ciphertexts (c1, . . . , cm,d1, . . . ,dn)Let π′ be proof for E′ and ciphertexts (c′
1, . . . , c′
m′ ,d′1, . . . ,d′
n′)
Then π · π′ is a proof for E · E′ and (c1, . . . , cm, c′1, . . . , c′
m′ ,d1, . . . . . . ,d′n′)Q
e(Aj ,Yj )Qe(A′
j,Y ′
j)Qe(Xi ,Bi )
Qe(X ′
i,B′
i)QQ
e(Xi ,Yj )γi,jQQ
e(X ′i,Y ′
j)γ′i,j = t · t′
(E · E′)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
IndependenceProofs do not depend on tProofs for linear equations (γij = 0) do not depend on encrypted values
AdaptingProofs can be adapted when constants are turned into variables or vice versa
HomomorphicLet π be proof for E and ciphertexts (c1, . . . , cm,d1, . . . ,dn)Let π′ be proof for E′ and ciphertexts (c′
1, . . . , c′
m′ ,d′1, . . . ,d′
n′)
Then π · π′ is a proof for E · E′ and (c1, . . . , cm, c′1, . . . , c′
m′ ,d1, . . . . . . ,d′n′)Q
e(Aj ,Yj )Qe(A′
j,Y ′
j)Qe(Xi ,Bi )
Qe(X ′
i,B′
i)QQ
e(Xi ,Yj )γi,jQQ
e(X ′i,Y ′
j)γ′i,j = t · t′
(E · E′)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
IndependenceProofs do not depend on tProofs for linear equations (γij = 0) do not depend on encrypted values
AdaptingProofs can be adapted when constants are turned into variables or vice versa
HomomorphicLet π be proof for E and ciphertexts (c1, . . . , cm,d1, . . . ,dn)Let π′ be proof for E′ and ciphertexts (c′
1, . . . , c′
m′ ,d′1, . . . ,d′
n′)
Then π · π′ is a proof for E · E′ and (c1, . . . , cm, c′1, . . . , c′
m′ ,d1, . . . . . . ,d′n′)Q
e(Aj ,Yj )Qe(A′
j,Y ′
j)Qe(Xi ,Bi )
Qe(X ′
i,B′
i)QQ
e(Xi ,Yj )γi,jQQ
e(X ′i,Y ′
j)γ′i,j = t · t′
(E · E′)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
IndependenceProofs do not depend on tProofs for linear equations (γij = 0) do not depend on encrypted values
AdaptingProofs can be adapted when constants are turned into variables or vice versa
HomomorphicLet π be proof for E and ciphertexts (c1, . . . , cm,d1, . . . ,dn)Let π′ be proof for E′ and ciphertexts (c′
1, . . . , c′
m′ ,d′1, . . . ,d′
n′)
Then π · π′ is a proof for E · E′ and (c1, . . . , cm, c′1, . . . , c′
m′ ,d1, . . . . . . ,d′n′)Q
e(Aj ,Yj )Qe(A′
j,Y ′
j)Qe(Xi ,Bi )
Qe(X ′
i,B′
i)QQ
e(Xi ,Yj )γi,jQQ
e(X ′i,Y ′
j)γ′i,j = t · t′
(E · E′)
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
Stronger notion of simulatability
[GS08]: NIZK proof of satis�ability:Given E, simulator can produce (c1, . . . , cm,d1, . . . ,dn) and π
Now: Proof for given ciphertexts:Given E, (c1, . . . , cm), simulator can produce (d1, . . . ,dn) and π
Application: Given pseudonyms of delegator and delegatee ⇒ simulate credential
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
Stronger notion of simulatability
[GS08]: NIZK proof of satis�ability:Given E, simulator can produce (c1, . . . , cm,d1, . . . ,dn) and π
Now: Proof for given ciphertexts:Given E, (c1, . . . , cm), simulator can produce (d1, . . . ,dn) and π
Application: Given pseudonyms of delegator and delegatee ⇒ simulate credential
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Properties of Groth-Sahai proofs
n∏i=j
e(Aj ,Yj)m∏i=1
e(Xi ,Bi )m∏i=1
n∏j=1
e(Xi ,Yj)γi,j = t (E)
Stronger notion of simulatability
[GS08]: NIZK proof of satis�ability:Given E, simulator can produce (c1, . . . , cm,d1, . . . ,dn) and π
Now: Proof for given ciphertexts:Given E, (c1, . . . , cm), simulator can produce (d1, . . . ,dn) and π
Application: Given pseudonyms of delegator and delegatee ⇒ simulate credential
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 12 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)
1 User could produce(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)
1 User could produce(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Instantiating commuting signatures
Round-optimal blind signature
Protocol to sign M from [AFGHO10]:
User sends
Randomization M̃ of M
Encryptions M , R
Proof of consistency τ
Signer sends �pre-signature� Σ′
(using M̃)
User, knowing R, turns Σ′ into Σ on M
Blind signature:
Verif. encryption of Σ:(M, Σ , π̃
)1 User could produce
(M , Σ ,π
)
Goal: Msk−→ Σ , π
2 De�ne:}def= encryption of M
3 M̃ −→ Σ′ −→ Σ′
4 Encryptions homomorphic
R and Σ′ −→ Σ
5 Properties of GS proofsτ −→ π
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 13 / 15
Conclusion
Commuting signatures imply
Veri�ably encrypted signatures
Blind signatures
CL signatures and P-signatures
Applications
Delegatable anonymous credentials
First instantiation with non-interactive issuing/delegationE�ciency improvements: • No complex 2-party computation
• Size of credentials less than half
Receipt-free e-voting [BFPV11]
Fully anonymous transferable e-cash [BCFGST11]
Updated full version in June: eprint.iacr.org/2010/233
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 14 / 15
Conclusion
Commuting signatures imply
Veri�ably encrypted signatures
Blind signatures
CL signatures and P-signatures
Applications
Delegatable anonymous credentials
First instantiation with non-interactive issuing/delegationE�ciency improvements: • No complex 2-party computation
• Size of credentials less than half
Receipt-free e-voting [BFPV11]
Fully anonymous transferable e-cash [BCFGST11]
Updated full version in June: eprint.iacr.org/2010/233
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 14 / 15
Conclusion
Commuting signatures imply
Veri�ably encrypted signatures
Blind signatures
CL signatures and P-signatures
Applications
Delegatable anonymous credentials
First instantiation with non-interactive issuing/delegationE�ciency improvements: • No complex 2-party computation
• Size of credentials less than half
Receipt-free e-voting [BFPV11]
Fully anonymous transferable e-cash [BCFGST11]
Updated full version in June: eprint.iacr.org/2010/233
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 14 / 15
Conclusion
Commuting signatures imply
Veri�ably encrypted signatures
Blind signatures
CL signatures and P-signatures
Applications
Delegatable anonymous credentials
First instantiation with non-interactive issuing/delegationE�ciency improvements: • No complex 2-party computation
• Size of credentials less than half
Receipt-free e-voting [BFPV11]
Fully anonymous transferable e-cash [BCFGST11]
Updated full version in June: eprint.iacr.org/2010/233
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 14 / 15
Thank you! ©̂̈
G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 15 / 15