A delegateable signature scheme (DSS) which was first introduced by Barak is mainly based on the non-interactive zero-knowledge proof (NIZK) for preventing the signing verifier from telling which witness (i.e., r...A delegateable signature scheme (DSS) which was first introduced by Barak is mainly based on the non-interactive zero-knowledge proof (NIZK) for preventing the signing verifier from telling which witness (i.e., restricted subset) is being used. However, the scheme is not significantly efficient due to the difficulty of constructing NIZK. We first show that a non-interactive witness indistinguishable (NlWl) proof system and a non-interactive witness hiding (NIWH) proof system are easier and more efficient proof models than NIZK in some cases. Furthermore, the witnesses em- ployed in these two protocols (NlWl and NIWT) cannot also be distinguished by the verifiers. Combined with the E-protocol, we then construct NlWl and NIWH proofs for any NP statement under the existence of one-way functions and show that each proof is different from those under the existence of trapdoor permutations, Finally, based on our NlWl and NIWH proofs, we construct delegateable signature schemes under the existence of one-way functions, which are more efficient than Barak's scheme under the existence of trapdoor permutations.展开更多
基金Supported partially by the National Natural Science Foundation of China(Grant Nos.90604034,10371127 and 10671114)
文摘A delegateable signature scheme (DSS) which was first introduced by Barak is mainly based on the non-interactive zero-knowledge proof (NIZK) for preventing the signing verifier from telling which witness (i.e., restricted subset) is being used. However, the scheme is not significantly efficient due to the difficulty of constructing NIZK. We first show that a non-interactive witness indistinguishable (NlWl) proof system and a non-interactive witness hiding (NIWH) proof system are easier and more efficient proof models than NIZK in some cases. Furthermore, the witnesses em- ployed in these two protocols (NlWl and NIWT) cannot also be distinguished by the verifiers. Combined with the E-protocol, we then construct NlWl and NIWH proofs for any NP statement under the existence of one-way functions and show that each proof is different from those under the existence of trapdoor permutations, Finally, based on our NlWl and NIWH proofs, we construct delegateable signature schemes under the existence of one-way functions, which are more efficient than Barak's scheme under the existence of trapdoor permutations.
