Structure-Preserving Signatures from Type II Pairings Masayuki Abe, NTT Jens Groth, University College London Miyako Ohkubo, NICT Mehdi Tibouchi, NTT Mathematical structures in cryptography β’ Cyclic prime order group G β πΊ π₯ β πΊ π¦ = πΊ π₯+π¦ β’ Useful mathematical structure β β β β ElGamal encryption Pedersen commitments Schnorr proofs β¦ Pairing-based cryptography β’ Groups G1 , G2 , G π with pairing π: G1 × G2 β G π β πΊ π₯ β πΊ π¦ = πΊ π₯+π¦ β π πΊ π₯ , π» π¦ = π πΊ, π» π₯π¦ β’ Additional mathematical structure β β β β β One-round tripartite key exchange Identity-based encryption Short digital signatures NIZK proofs β¦ Structure-preserving cryptography β’ Preserve mathematical structure of pairing groups β Communication consists of group elements in G1 , G2 β Use generic group operations β’ Multiplication, membership testing, pairing β Avoid structure-destroying operations β’ No cryptographic hash-functions β’ Modular design β Structure-preserving building blocks easy to combine Bilinear group setup β’ π, G1 , G2 , G π , π, πΊ, π» β Gen(1π ) β Groups G1 , G2 , G π of prime order π β Bilinear map π: G1 × G2 β G π β’ π πΊ π₯ , π» π¦ = π πΊ, π» π₯π¦ β’ G1 = β©πΊβͺ , G2 = β©π»βͺ , G π = β©π πΊ, π» βͺ β’ Types β Type I: G1 = G2 and πΊ = π» β Type II: G1 β G2 but there is efficiently computable homomorphism π: G2 β G1 (and πΊ = π π» ) β Type III: G1 β G2 and no efficient homomorphism Structure-preserving signatures β’ Setup describes bilinear group and group elements in G1 , G2 β’ Verification key adds group elements in G1 , G2 β’ Messages consist of group elements in G1 , G2 β’ Signatures consist of group elements in G1 , G2 β’ Verifier uses pairing product equations to check validity of signatures, e.g., π πΊ, π = π π, π π π π , π π π, π» Efficiency of structure-preserving signatures Pairing type Verification equations Signature size Verification key size Type I: G1 = G2 2 3 2 (1) Type II: π: G2 β G1 1 2 2 Type III: G1 β G2 2 3 2 (1) Matching upper and lower bounds for all types of bilinear groups First lower bound on verification key size Type II: Holds when π β G2 Unknown for Type I and III Constructions β’ Structure-preserving signatures in Type II groups with efficiently computable linear map π: G2 β G1 β’ Strongly existentially unforgeable signatures β Infeasible to forge signature on new message β Infeasible to forge new signature on old message β’ Randomizable signatures β Infeasible to forge signature on new message β Possible to randomize signature on old message such that it looks like a fresh signature Strongly unforgeable signatures β’ Setup 1π : Return ππ = π, G1 , G2 , G π , π, πΊ, π» π, G1 , G2 , G π , π, πΊ, π» β Gen(1π ) β’ KeyGen ππ : Return ππΎ = (π, π) and ππΎ = π£, π€ π£, π€ β ππ ; π = πΊ π£ ; π = πΊ π€ β’ Signππ,ππΎ (π): Given π β G2 return Ξ£ = (π , π) π‘ β ππβ ; π = π» π‘βπ€ ; π = π£ 1 ππ‘ π»π‘ β’ Verifyππ,ππΎ π, (π , π) : Accept if and only if π, π , π β G2 and π ππ π , π = π π, π π πΊ, π» Randomizable signatures β’ Setup 1π : Return ππ = π, G1 , G2 , G π , π, πΊ, π» π, G1 , G2 , G π , π, πΊ, π» β Gen(1π ) β’ KeyGen ππ : Return ππΎ = (π, π) and ππΎ = π£, π€ π£, π€ β ππ ; π = πΊ π£ ; π = πΊ π€ β’ Signππ,ππΎ (π): Given π β G2 return Ξ£ = (π , π) π β ππ ; π = π»π ; π= 2 +π€ π£ π π π» β’ Verifyππ,ππΎ π, (π , π) : Accept if and only if π, π , π β G2 and π πΊ, π = π π, π π π π , π π π, π» β’ Randomizeππ,ππΎ (π, Ξ£): Return Ξ£β² = (π β² , πβ²) πΌ β ππ ; π β² = π π» πΌ ; πβ² = 2 2πΌ πΌ ππ π» Efficiency Beats lower bounds in Type I and III groups β’ Signature size β 2 group elements in G2 Unilateral signature β’ Verification key size β 2 group elements in G1 Provably minimal β’ Less efficient than signatures in Type III groups β In current Type II instantiations we have larger G2 elements than Type III. So even though we have fewer group elements, Type III signatures are smaller β Also, currently membership testing in G2 is expensive, so verification is slower than comparable Type III signatures [Chatterjee and Menezes, ePrint 2014] Security β’ The signature schemes are provably secure in the generic bilinear group model β’ We conjecture that for a minimal size signature scheme it is necessary to use an interactive assumption (it is the case for Type III signatures) β’ Can tweak the randomizable signature scheme to become secure under a non-interactive assumption by adding a group element to verification key and signature β’ Verify signature Ξ£ = (π , π, π) on π by checking π πΊ, π = π(π, π)π π, π π π π , π π π, π» Lower bounds for π β G1 Matches lower bounds in Type I and Type III settings β’ Theorem A structure-preserving signature scheme in the Type II setting on messages π β G1 must have at least 2 verification equations β Even for one-time signatures under random message attack β’ Theorem A structure-preserving signature scheme in the Type II setting on messages π β G1 must have at least 3 group elements in the signatures β Generic signer, even for random message attack Lower bounds for π β Gπ Theorems show our constructions are optimal β’ Theorem A structure-preserving signature scheme in the Type II setting with a single verification equation must have at least 2 group elements in the verification key One-time signatures can be smaller π πΊ, π = π π, π π(π, π») β Even for one-time signatures under random message attack β’ Theorem A structure-preserving signature scheme in the Type II setting on messages π β G2 must have at least 2 group elements in the signatures β Generic signer, even for random message attack Summary β’ Complete classification Pairing type Verification equations Signature size Verification key size Type I: G1 = G2 2 3 2 (1) Type II: π: G2 β G1 1 2 2 Type III: G1 β G2 2 3 2 (1) β’ Constructions β Strong π ππ π , π = π π, π π πΊ, π» β Randomizable π πΊ, π = π π, π π π π , π π π, π»
© Copyright 2026 Paperzz