Traceable Signature with Stepping Capabilities

Traceable signatures schemes were introduced by Kiayias, Tsiounis and Yung in order to solve traceability issues in group signature schemes. They wanted to enable authorities to delegate some of their detection capabilities to tracing sub-authorities. Instead of opening every single signatures and then threatening privacy, tracing sub-authorities are able to know if a signature was emitted by specific users only.

In 2008, Libert and Yung proposed the first traceable signature schemes proven secure in the standard model. We design another scheme in the standard model, with two instantiations based either on the

$\textsf{SXDH}$

or the

$\textsf{DLin}$

assumptions. Our construction is far more efficient, both in term of group elements for the signature, and pairing computation for the verification. Besides the “step-in” (confirmation) feature that allows a user to prove he was indeed the signer, our construction provides the “step-out” (disavowal) procedure that allows a user to prove he was not the signer.

Since list signature schemes are closely related to this primitive, we consider them, and answer an open problem: list signature schemes are possible without random oracles.