1-out-of-n Oblivious Signatures: Security Revisited and a Generic Construction with an Efficient Communication Cost
Masayuki Tezuka, Keisuke Tanaka
TL;DR
This work revisits the security guarantees for 1-out-of-$n$ oblivious signatures, identifying flaws in the TOO08 unforgeability model and proposing a robust Seq‑sEUF‑CMA definition that captures sequential signing adversaries. It then improves a recent generic construction by Zhou, Liu, and Han by integrating a Merkle-tree technique to reduce the second communication from $O(n)$ to $O(\log n)$ while maintaining security under standard assumptions. The construction uses a commitment scheme and a digital-signature scheme, with reductions to DS security, commitment binding, and hash-collision properties to prove Seq‑sEUF‑CMA security. The result yields a practical, ROM-free oblivious-signature scheme with significantly reduced communication overhead and broad instantiation potential under standard cryptographic assumptions. The work also discusses the limitations of extending the model to concurrent-signing scenarios and highlights avenues for simplifying the unforgeability framework in future work.
Abstract
The 1-out-of-n oblivious signature, introduced by Chen (ESORICS 1994), is a protocol between a user and a signer. In this scheme, the user makes a list of n messages and chooses from the list the message for which the user wants to obtain a signature. The user interacts with the signer by providing this message list and obtains a signature for only the chosen message, without letting the signer identify which message the user chose. Tso et al. (ISPEC 2008) presented a formal treatment of 1-out-of-n oblivious signatures. They defined unforgeability and ambiguity as the security requirements for 1-out-of-n oblivious signatures. In this work, we first revisit the unforgeability definition by Tso et al. and point out that it has problems. We address these problems by modifying their security model and redefining unforgeability. Second, we improve the generic construction of a 1-out-of-n oblivious signature scheme by Zhou et al. (IEICE Trans 2022). We reduce the communication cost by modifying their scheme with a Merkle tree. Then we prove the security of our modified scheme.
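An added illustration of the Merkle-tree idea behind the $O(n)$ to $O(\log n)$ reduction, not the paper's construction or the authors' code: a single root stands for all n list entries, and one entry is checked against it with about $\log_2 n$ sibling hashes. The leaf layout (a hash of a placeholder commitment together with each list message), the domain-separation tags, and all function names are assumptions made for this example.

```python
import hashlib

def _h(tag: bytes, *parts: bytes) -> bytes:
    # Domain-separated SHA-256; every part is length-prefixed to avoid ambiguity.
    d = hashlib.sha256(tag)
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def leaf(commitment: bytes, message: bytes) -> bytes:
    # Assumed leaf layout: binds the commitment to one message of the list.
    return _h(b"\x00", commitment, message)

def build_levels(leaves):
    # Pad to a power of two with a fixed padding leaf, then hash pairwise to the root.
    size = 1
    while size < len(leaves):
        size *= 2
    level = list(leaves) + [_h(b"\x02")] * (size - len(leaves))
    levels = [level]
    while len(level) > 1:
        level = [_h(b"\x01", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, index):
    # One sibling hash per level below the root: ceil(log2 n) values in total.
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify(root, commitment, message, index, path):
    # Recompute the root from one leaf and its siblings; index fixes left/right order.
    node = leaf(commitment, message)
    for sibling in path:
        node = _h(b"\x01", node, sibling) if index % 2 == 0 else _h(b"\x01", sibling, node)
        index //= 2
    return node == root

# Constructed sample input: a list of n = 6 messages and a placeholder commitment.
MESSAGES = [f"message-{i}".encode() for i in range(6)]
COMMITMENT = hashlib.sha256(b"constructed commitment placeholder").digest()

def demo(chosen=4):
    levels = build_levels([leaf(COMMITMENT, m) for m in MESSAGES])
    root, path = levels[-1][0], auth_path(levels, chosen)
    return root, path, verify(root, COMMITMENT, MESSAGES[chosen], chosen, path)

if __name__ == "__main__":
    root, path, ok = demo()
    print(f"n={len(MESSAGES)} path_len={len(path)} valid={ok}")
```

Separate tags for leaves, inner nodes and padding keep an inner node from being passed off as a leaf, and the index-dependent ordering ties the path to one position in the list.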
