[Resource Topic] 2024/183: On Security Proofs of Existing Equivalence Class Signature Schemes

Welcome to the resource topic for 2024/183

On Security Proofs of Existing Equivalence Class Signature Schemes

Authors: Balthazar Bauer, Georg Fuchsbauer


Equivalence class signatures (EQS), introduced by Hanser and Slamanig (AC’14), sign vectors of elements from a bilinear group. Signatures can be ``adapted’', meaning that anyone can transform a signature on a vector to a (random) signature on any multiple of that vector. (Signatures thus authenticate equivalence classes.) A transformed signature/message pair is then indistinguishable from a random signature on a random message. EQS have been used to efficiently instantiate (delegatable) anonymous credentials, (round-optimal) blind signatures, ring and group signatures and anonymous tokens.

The original EQS construction (J.Crypto’19) is only proven in the generic group model, while the first construction from standard assumptions (PKC’18) only yields security guarantees insufficient for most applications. Two works (AC’19, PKC’22) propose applicable schemes which assume the existence of a common reference string for the anonymity notion. Their unforgeability is argued via a security proof from standard (or non-interactive) assumptions.

In this work we show that their security proof is flawed and explain the subtle issue.

ePrint: https://eprint.iacr.org/2024/183

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .