Non-interactive Threshold BBS+ from Pseudorandom Correlations

Sebastian Faust, Carmit Hazay, David Kretzler, Leandro Rometsch, Benjamin Schlosser

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > peer-review

Abstract

The BBS+ signature scheme is one of the most prominent solutions for realizing anonymous credentials. Its prominence is due to properties like selective disclosure and efficient protocols for creating and showing possession of credentials. Traditionally, a single credential issuer produces BBS+ signatures, which poses significant risks due to a single point of failure. In this work, we address this threat via a novel t-out-of-n threshold BBS+ protocol. Our protocol supports an arbitrary security threshold t≤n and works in the so-called preprocessing setting. In this setting, we achieve non-interactive signing in the online phase and sublinear communication complexity in the number of signatures in the offline phase, which, as we show in this work, are important features from a practical point of view. As it stands today, none of the widely studied signature schemes, such as threshold ECDSA and threshold Schnorr, achieve both properties simultaneously. In this work, we make the observation that presignatures can be directly computed from pseudorandom correlations, which allows servers to create signature shares without additional cross-server communication. Both our offline and online protocols are actively secure in the Universal Composability model. Finally, we evaluate the concrete efficiency of our protocol, including an implementation of the online phase and the expansion algorithm of the pseudorandom correlation generator (PCG) used during the offline phase. The online protocol without network latency takes less than 14 ms for t≤30 and credential sizes up to 10. Further, our results indicate that the influence of t on the online signing is insignificant, ≤6% for t≤30, and the overhead of the thresholdization occurs almost exclusively in the offline phase. Our implementation of the PCG expansion shows that even for a committee size of 10 servers, each server can expand a correlation of up to 2^17 presignatures in less than 100 ms per presignature.

Original language: English
Title of host publication: Topics in Cryptology – CT-RSA 2025 - Cryptographers’ Track at the RSA Conference 2025, Proceedings
Editors: Arpita Patra
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 198-222
Number of pages: 25
ISBN (Print): 9783031886607
State: Published - 2025
Event: Cryptographers’ Track at the RSA Conference, CT-RSA 2025 - San Francisco, United States
Duration: 28 Apr 2025 to 1 May 2025

Publication series

Name: Lecture Notes in Computer Science
Volume: 15598 LNCS

Conference

Conference: Cryptographers’ Track at the RSA Conference, CT-RSA 2025
Country/Territory: United States
City: San Francisco
Period: 28/04/25 to 1/05/25

Keywords

  • BBS+
  • Pseudorandom Correlation Functions
  • Pseudorandom Correlation Generators
  • Threshold Signature

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • General Computer Science
