Efficient structure-preserving signature scheme from standard assumptions

We present an efficient signature scheme that facilitates Groth-Sahai proofs [25] of knowledge of a message, a verification key, and a valid signature on the message, without the need to reveal any of them. Such schemes are called structure-preserving. More precisely, the structure-preserving property of the signature scheme requires that verification keys, messages, and signatures are group elements and the verification predicate is a conjunction of pairing product equations. Our structure-preserving signature scheme supports multiple messages and is proven secure under the DLIN assumption. The signature consists of 53 + 6n group elements, where n is the number of messages signed, and to the best of our knowledge is the most efficient one secure under a standard assumption. We build the scheme from a CCA-2 secure structure-preserving encryption scheme which supports labels, non-interactive zero-knowledge (NIZK) proofs, and a suitable hard relation. We provide a concrete realization using the encryption scheme by Camenisch et al. [12], Groth- Sahai (GS) NIZK proofs, and an instance of the computational Diffie- Hellman (CDH) problem [17]. To optimize the scheme and achieve better efficiency, we also revisit the Camenisch et al. structure-preserving encryption scheme and GS NIZK proofs, and present a new technique for doing more efficient proofs for mixed types of equations, namely, for multi-exponentiation and pairing product equations, using pairing randomization techniques. Together with non-interactive zero-knowledge proofs, our scheme can be used as a building block for constructing efficient pairing-based cryptographic protocols that can be proven secure without assuming random oracles, such as anonymous credential systems [4], oblivious transfer [23,11], e-cash schemes [13], range and set membership proofs [9], blind signatures [20,3], group signatures [5].