Functional signatures: new definition and constructions

Functional signatures (FS) enable a master authority to delegate its signing privilege to an assistant. Concretely, the master authority uses its secret key sk F to issue a signing key sk f for a designated function f ∈ F_FS and sends both f and sk f to the assistant E , which is then able to compute a signature σ f with respect to pk F for a message y in the range of f . In this paper, we modify the syntax of FS slightly to support the application scenario where a certificate of authorization is necessary. Compared with the original FS, our definition requires that F_FS is an injective function family and for any f 0 , f_1∈ F_FS there does not exist an intersection between range ( f 0 ) and range ( f 1 ). Accordingly, we redefine the security of FS and introduce two additional security notions, called unlinkability and accountability. Signatures σ f in our definition do not expose the intention of the master authority. We propose two constructions of FS. The first one is a generic construction based on signatures with perfectly re-randomizable keys, non-interactive zero-knowledge proof (NIZK) and traditional digital signatures, and the other is based on RSA (Rivest-Shamir-Adleman) signatures with full domain hash and NIZK. We prove that both schemes are secure under the given security models.