Speaker: Hong-Sheng Zhou
Day:  Wednesday, 3/05/2008
Room: ITEB 336
Time: 1:00-2:00pm

Title: Equivocal Blind Signatures and Adaptive UC-Security

Abstract:
We study the design of adaptively secure blind signatures in the
universal composability (UC) setting. First, we introduce a new
property for blind signature schemes that is suitable for arguing
security against adaptive adversaries: an equivocal blind signature is
a blind signature where there exists a simulator that has the power of
making signing transcripts correspond to any message signature pair.
Second, we present a general construction methodology for building
adaptively secure blind signatures: the starting point is a 2-move
"equivocal lite blind signature", a lightweight 2-party signature
protocol that we formalize and implement both generically as well as
concretely; formalizing a primitive as "lite" means that the adversary
is required to show all private tapes of adversarially controlled
parties; this enables us to conveniently separate zero-knowledge (ZK)
related security requirements from the remaining security properties
in the blind signature design methodology. Next, we focus on the
suitable ZK protocols for blind signatures. We formalize two special
ZK ideal functionalities, single-verifier-ZK (SVZK) and
single-prover-ZK (SPZK), both special cases of multi-session ZK that
may be of independent interest, and we investigate the requirements
for realizing them in a commit-and-prove fashion as building blocks
for adaptively secure UC blind signatures. Regarding SPZK we find the
rather surprising result that realizing it only against static
adversaries is sufficient to obtain adaptive security for UC blind
signatures.

We instantiate all the building blocks of our design methodology both
generically based on the blind signature construction of Fischlin as
well as concretely based on the 2SDH assumption of Okamoto, thus
demonstrating the feasibility and practicality of our approach. The
latter construction yields the first practical UC blind signature that
is secure against adaptive adversaries. We also present a new more
general modeling of the ideal blind signature functionality.

This is joint work with Aggelos Kiayias; the paper is
 available at http://dx.doi.org/10.1007/978-3-540-78524-8_19