Universal reencryption is an interesting encryption primitive. Attempts to build signature schemes or protocols with authentication incorporating it have frequently failed though.

A plausible application of a signature scheme employing universal reencryption might be:

Alice's software obtains a blind signed credential from a signing authority, perhaps stating her age. Alice wishes to use this credential with multiple websites, but obviously using the same signature on multiple websites violates the browser's cross origin policy because a typical signature depends upon a nonce that could be used to track Alice. A signature scheme based upon reencryption might allow Alice to mutate the nonce embedded in the signature.

There is an easy solution to this problem if the signing authority simply gives Alice thousands of single-use blind signed tokens and keeps her stocked up, but that entails some logistical complications.

It'd be lovely if Alice could just use the same signature over and over, mutating it each time through universal reencryption or similar. Are there any signature schemes that support anonymizing the signature like this?

cygnusv
Jeff Burdges
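As an added illustration (not code from the question or the answer), the following Python implements universal re-encryption of ElGamal ciphertexts in the style of Golle, Jakobsson, Juels and Syverson: anyone can re-randomise a ciphertext without knowing the public key, which is the "mutate it on every use" property the question wants to carry over to signatures. The group parameters p, q, g are constructed toy values for the demo only.

```python
# Universal re-encryption on ElGamal: a ciphertext carries an encryption of the
# message and an encryption of the identity element 1. Anyone can re-randomise
# it using only the ciphertext itself, so successive copies are unlinkable.
import secrets

# Toy parameters (constructed for this example, far too small to be secure):
# p = 2q + 1 is a safe prime and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1           # private key in [1, q-1]
    return x, pow(G, x, P)                     # (x, y = g^x)


def encrypt(y, m):
    # Two ElGamal ciphertexts under y: one of m, one of 1 (m * y^k, g^k).
    k0 = secrets.randbelow(Q - 1) + 1
    k1 = secrets.randbelow(Q - 1) + 1          # k1 != 0 or the 1-half is (1, 1)
    return ((m * pow(y, k0, P)) % P, pow(G, k0, P),
            pow(y, k1, P), pow(G, k1, P))


def reencrypt(ct):
    # No key needed: the encryption of 1 is raised to fresh exponents, used to
    # re-randomise the message half, then re-randomised itself.
    a0, b0, a1, b1 = ct
    r0 = secrets.randbelow(Q - 1) + 1
    r1 = secrets.randbelow(Q - 1) + 1
    return ((a0 * pow(a1, r0, P)) % P, (b0 * pow(b1, r0, P)) % P,
            pow(a1, r1, P), pow(b1, r1, P))


def decrypt(x, ct):
    # Returns the message, or None if the second half does not decrypt to 1
    # (the check that rejects a malformed or tampered ciphertext).
    a0, b0, a1, b1 = ct
    if (a1 * pow(b1, P - 1 - x, P)) % P != 1:  # a1 / b1^x must equal 1
        return None
    return (a0 * pow(b0, P - 1 - x, P)) % P    # a0 / b0^x


def demo(m):
    x, y = keygen()
    ct = encrypt(y, m)
    mutated = reencrypt(reencrypt(ct))         # two key-less re-randomisations
    a0, b0, a1, b1 = mutated
    tampered = (a0, b0, (a1 * G) % P, b1)      # corrupts the encryption-of-1 half
    return decrypt(x, ct), decrypt(x, mutated), decrypt(x, tampered)
```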

1 Answer

If we have a signature scheme with deterministic verifier and a non-interactive protocol which is co-non-malleable as an argument of knowledge and statistically witness-indistinguishable, then we can get a fully non-interactive version of what you want by letting "mutate" be "run that protocol's prover on", and letting "verify" be "run that protocol's verifier on".

If the protocol is only in the CRS model but has the property that statistical witness-indistinguishability holds for all possible outputs of the CRS generator, then assuming the existence of a compatible private key would be enough to leave the CRS model by letting the "CRS" be part of the public key, since the signer would store enough about the generator's randomness to let one verify that the "CRS" is a possible output of the generator. Section 8.3 gives such a protocol. Given a statistically hiding commitment scheme, this paper's proof of Theorem 4 lets "assuming the existence of a compatible private key" be replaced with "letting the signing phase be interactive".