IACR News item: 07 March 2013
Christian Hanser, Daniel Slamanig
ePrint Reportoriginator can define and sign a message template, describing fixed parts of a message as well as multiple choices for exchangeable
parts of a message. One may think of a form with blank fields, where for such fields the originator specifies all the allowed strings to choose from. Then, a proxy is given
the power to sign an instantiation of the template signed by the originator by using some secret information. By an instantiation, the proxy
commits to one allowed choice per blank field in the template.
The resulting message signature can be publicly verified under the originator\'s and the proxy\'s signature verification keys.
Thereby, no verifying party except the originator and the proxy learn anything about the ``unused\'\' choices from the message template given a message signature. Consequently, the template is hidden from verifiers.
We discuss several applications, provide a formal definition of blank digital signature schemes and introduce a security model. Furthermore, we provide an efficient construction of such a blank digital signature scheme from any secure digital signature scheme, pairing-friendly elliptic curves and polynomial commitments, which we prove secure in our model. We also provide a detailed efficiency analysis of our proposed construction supporting its practicality. Finally, we outline several open issues and extensions for future work.
Additional news items may be found on the IACR news page.