Functional signatures: new definition and constructions

作     者：Qingwen GUO Qiong HUANG Sha MA Meiyan XIAO Guomin YANG Willy SUSILO Qingwen GUO;Qiong HUANG;Sha MA;Meiyan XIAO;Guomin YANG;Willy SUSILO

作者机构：College of Mathematics and InformaticsSouth China Agricultural University Guangzhou Key Laboratory of Intelligent AgricultureSouth China Agricultural University School of Computing and Information TechnologyUniversity of Wollongong 

出 版 物：《Science China(Information Sciences)》 (中国科学:信息科学(英文版))

年 卷 期：2021年第64卷第12期

页      面：189-201页

核心收录：

学科分类：07[理学] 070104[理学-应用数学] 0701[理学-数学] 

基　　金：supported by Major Program of Guangdong Basic and Applied Research (Grant No. 2019B030302008) National Natural Science Foundation of China (Grant Nos. 61872152, 61872409) Science and Technology Program of Guangzhou (Grant No. 201902010081) 

主　　题：cloud computation security digital signature functional signature non-interactive zero-knowledge proof e-commerce 

摘      要：Functional signatures(FS) enable a master authority to delegate its signing privilege to an assistant. Concretely, the master authority uses its secret key skFto issue a signing key skffor a designated function f ∈ FFSand sends both f and skfto the assistant E, which is then able to compute a signature σf with respect to pkFfor a message y in the range of f. In this paper, we modify the syntax of FS slightly to support the application scenario where a certificate of authorization is necessary. Compared with the original FS, our definition requires that FFSis an injective function family and for any f0, f1 ∈ FFS there does not exist an intersection between range(f0) and range(f1). Accordingly, we redefine the security of FS and introduce two additional security notions, called unlinkability and accountability. Signatures σfin our definition do not expose the intention of the master authority. We propose two constructions of FS. The first one is a generic construction based on signatures with perfectly re-randomizable keys, non-interactive zero-knowledge proof(NIZK) and traditional digital signatures, and the other is based on RSA(RivestShamir-Adleman) signatures with full domain hash and NIZK. We prove that both schemes are secure under the given security models.