Options
Non-interactive threshold BBS+ from pseudorandom correlations
Publikationstyp
Conference Paper
Date Issued
2025-04
Sprache
English
First published in
Number in series
15598 LNCS
Start Page
198
End Page
222
Citation
RSA Conference, CT-RSA 2025
Contribution to Conference
Publisher DOI
Scopus ID
Publisher
Springer
ISBN
978-3-031-88661-4
978-3-031-88660-7
978-3-031-88662-1
The BBS+ signature scheme is one of the most prominent solutions for realizing anonymous credentials. Its prominence is due to properties like selective disclosure and efficient protocols for creating and showing possession of credentials. Traditionally, a single credential issuer produces BBS+ signatures, which poses significant risks due to a single point of failure.I n this work, we address this threat via a novel t-out-of-n threshold BBS+ protocol. Our protocol supports an arbitrary security threshold t≤n and works in the so-called preprocessing setting. In this setting, we achieve non-interactive signing in the online phase and sublinear communication complexity in the number of signatures in the offline phase, which, as we show in this work, are important features from a practical point of view. As it stands today, none of the widely studied signature schemes, such as threshold ECDSA and threshold Schnorr, achieve both properties simultaneously. In this work, we make the observation that presignatures can be directly computed from pseudorandom correlations which allows servers to create signatures shares without additional cross-server communication. Both our offline and online protocols are actively secure in the Universal Composability model. Finally, we evaluate the concrete efficiency of our protocol, including an implementation of the online phase and the expansion algorithm of the pseudorandom correlation generator (PCG) used during the offline phase. The online protocol without network latency takes less than 14 ms for t≤30 and credentials sizes up to 10. Further, our results indicate that the influence of t on the online signing is insignificant, ≤6% for t≤30, and the overhead of the thresholdization occurs almost exclusively in the offline phase. Our implementation of the PCG expansion shows that even for a committee size of 10 servers, each server can expand a correlation of up to 217 presignatures in less than 100 ms per presignature.
Subjects
BBS+ | Pseudorandom Correlation Functions | Pseudorandom Correlation Generators | Threshold Signature
DDC Class
600: Technology