TI-ulPCS: Threshold-Issuance - Un-linkable Policy Compliant Signatures

Abstract

Digital signatures, as a strong cryptographic primitive, ensure the authenticity and integrity of signed messages. On one hand, no one can forge a verifiable signature without knowing the secret key, on the other hand, any correctly formed signature is always verifiable under the public key of the signer. Besides signing digital data, they serve as foundational components in more advanced cryptographic systems, including blind signatures, group signatures, direct anonymous attestation, e-cash, e-voting protocols, adaptive oblivious transfer, anonymous credential schemes, Policy-Compliant Signatures, etc. Policy-Compliant Signatures (PCS) enable the enforcement of joint policies between the signer and the verifier. A signature of this type is valid if not only it is correctly signed by the actual signer but also the attributes of both the signer and verifier fulfill a predefined policy. A PCS scheme allows a central authority to enforce a global policy by issuing keys tied to user attributes without revealing the attributes or policy. Unlinkable PCS (ulPCS) strengthens PCS properties by ensuring that signatures generated by the same signer remain unlinkable. However, both PCS and ulPCS rely on a single issuer, which introduces a single point of failure. In this thesis, we study the concept of Threshold-Issuance Unlinkable PCS (TI-ulPCS). This cryptographic primitive builds on threshold cryptography to distribute the trust among multiple issuers, ensuring that a predefined threshold of issuers must collaborate to issue keys, without any single issuer having full control. We begin by defining and constructing Threshold-Issuance Predicate Encryption (TI-PE), which supports both attribute-hiding and blind-issuance of credentials. We achieve blind-issuance through commitment schemes combined with zero-knowledge proofs. For signing, we use Non-interactive Threshold Structure- Preserving Signatures on Equivalence Classes (NI-TSPS-EQ) and employ a threshold digital signature instead of a single-signer digital signature.