International Association
for Cryptologic Research

Structure-preserving signatures (SPS) have emerged as an important cryptographic building block, as their compatibility with the Groth-Sahai (GS) NIZK framework allows to construct protocols under standard assumptions with reasonable efficiency. Over the last years there has been a significant interest in the design of threshold signature schemes. However, only very recently Crites et al. (ASIACRYPT 2023) have introduced threshold SPS (TSPS) along with a fully non-interactive construction. While this is an important step, their work comes with several limitations. With respect to the construction, they require the use of random oracles, interactive complexity assumptions and are restricted to so called indexed Diffie-Hellman message spaces. Latter limits the use of their construction as a drop-in replacement for SPS. When it comes to security, they only support static corruptions and do not allow partial signature queries for the forgery. In this paper, we ask whether it is possible to construct TSPS without such restrictions. We start from an SPS from Kiltz, Pan and Wee (CRYPTO 2015) which has an interesting structure, but thresholdizing it requires some modifications. Interestingly, we can prove it secure in the strongest model (TS-UF-1) for fully non-interactive threshold signatures (Bellare et al., CRYPTO 2022) and even under fully adaptive corruptions. Surprisingly, we can show the latter under a standard assumption without requiring any idealized model. All known constructions of efficient threshold signatures in the discrete logarithm setting require interactive assumptions and idealized models. Concretely, our scheme in type III bilinear groups under the SXDH assumption has signatures consisting of 7 group elements. Compared to the TSPS from Crites et al. (2 group elements), this comes at the cost of efficiency. However, our scheme is secure under standard assumptions, achieves strong and adaptive security guarantees and supports general message spaces, i.e., represents a drop-in replacement for many SPS applications. Given these features, the increase in the size of the signature seems acceptable even for practical applications.

Predicate inner product functional encryption (P-IPFE) is essentially attribute-based IPFE (AB-IPFE) which additionally hides attributes associated to ciphertexts. In a P-IPFE, a message $${\textbf {x}}$$ x is encrypted under an attribute $${\textbf {w}}$$ w and a secret key is generated for a pair $$({\textbf {y}}, {\textbf {v}})$$ ( y , v ) such that recovery of $$\langle {{\textbf {x}}}, {{\textbf {y}}}\rangle $$ ⟨ x , y ⟩ requires the vectors $${\textbf {w}}, {\textbf {v}}$$ w , v to satisfy a linear relation. We call a P-IPFE unbounded if it can encrypt unbounded length attributes and message vectors. $$\bullet $$ ∙ zero predicate IPFE . We construct the first unbounded zero predicate IPFE (UZP-IPFE) which recovers $$\langle {{\textbf {x}}}, {{\textbf {y}}}\rangle $$ ⟨ x , y ⟩ if $$\langle {{\textbf {w}}}, {{\textbf {v}}}\rangle =0$$ ⟨ w , v ⟩ = 0 . This construction is inspired by the unbounded IPFE of Tomida and Takashima (ASIACRYPT 2018) and the unbounded zero inner product encryption of Okamoto and Takashima (ASIACRYPT 2012). The UZP-IPFE stands secure against general attackers capable of decrypting the challenge ciphertext. Concretely, it provides full attribute-hiding security in the indistinguishability-based semi-adaptive model under the standard symmetric external Diffie–Hellman assumption. $$\bullet $$ ∙ non-zero predicate IPFE . We present the first unbounded non-zero predicate IPFE (UNP-IPFE) that successfully recovers $$\langle {{\textbf {x}}}, {{\textbf {y}}}\rangle $$ ⟨ x , y ⟩ if $$\langle {{\textbf {w}}}, {{\textbf {v}}}\rangle \ne 0$$ ⟨ w , v ⟩ ≠ 0 . We generically transform an unbounded quadratic FE (UQFE) scheme to weak attribute-hiding UNP-IPFE in both public and secret key setting. Interestingly, our secret key simulation secure UNP-IPFE has succinct secret keys and is constructed from a novel succinct UQFE that we build in the random oracle model. We leave the problem of constructing a succinct public key UNP-IPFE or UQFE in the standard model as an important open problem.