Identity-Based Blind Signature Scheme

• Identity-based blind signature schemes use unique user identifiers as public keys, eliminating the need for traditional certificates.
• They integrate sigma protocols with honest-verifier zero-knowledge proofs to guarantee unforgeability and privacy even against quantum attacks.
• Post-quantum security is achieved using CSIDH frameworks, while compression techniques enhance efficiency in e-cash and e-voting applications.

An identity-based blind signature scheme combines the principles of identity-based cryptography (IBC) with the privacy-preserving guarantees of blind signature protocols. This class of signature systems leverages unique user identifiers (such as email addresses) as public keys, obviating the need for certificate-based authentication, while further enabling signers to issue signatures on blinded messages without discovering their plaintext content or establishing a linkage between the message and its signature. Modern constructions of identity-based blind signature schemes, notably those building on isogeny-based post-quantum frameworks such as CSIDH, offer strong security properties in both the classical and quantum settings, often augmented by honest-verifier zero-knowledge proofs to enforce privacy and correctness.

1. Identity-Based Cryptography: Public Key Elimination and Scalability

Identity-based cryptography, as introduced by Shamir, encodes a user’s identity information directly as their public key, delegating the generation of secret keys to a central trusted entity known as the Private Key Generator (PKG). For a given identity $\mathsf{ID}_A$, the corresponding public key is derived as $C_A = H(\mathsf{ID}_A)$ for some collision-resistant hash function $H$. The PKG then computes the private key $V_A$ for user $A$ using its own master secret, often represented as $V_A = x \cdot C_A$ for some $x \in \mathbb{Z}_n^*$. This construction avoids the need for certificates, removing the complexities of PKI such as certificate validation, distribution, and revocation management. As a result, IBCs provide improved efficiency and scalability, notably in environments with limited computational resources or bandwidth, such as wireless sensor networks and IoT deployments (Kar et al., 2019, Bhoumik et al., 7 Sep 2025).

2. Blind Signature Protocols and Privacy Preservation

Blind signature protocols enable a user to obtain a valid signature from a signer without revealing the underlying message to that signer. Classical constructions, exemplified by the Schnorr blind signature, are instantiated with commitment-challenge-response frameworks (sigma-protocols) that incorporate blinding randomness. The core security property is that, although the signature is valid for the message, the signer gains no information about which messages were signed, thereby preventing linkage even upon signature presentation. In the context of identity-based settings, blind signatures are critical in applications requiring both authentication and privacy, such as privacy-preserving e-cash and electronic voting.

In the design presented in (Bhoumik et al., 7 Sep 2025), the underlying sigma protocol is extended: the challenge space is enlarged from binary to ternary vectors, specifically $\{-1, 0, 1\}^n$, to prevent the malicious formation of subgroups in $\mathbb{Z}_n^\times$. This enables effective use of both the master public key and the user-specific public key during verification, while maintaining the blinding integrity through honest-verifier zero-knowledge (HVZK) proofs.

3. Isogeny-Based Post-Quantum Frameworks: CSIDH

Contemporary identity-based blind signature schemes increasingly target post-quantum security by replacing traditional number-theoretic hardness assumptions with those based on elliptic curve isogenies. CSIDH (Commutative Supersingular Isogeny Diffie–HeLLMan) forms the basis for such post-quantum primitives, substituting the group operation of multiplicative cyclic groups with the action of ideal class groups on the set of supersingular elliptic curves.

Key derivation and signing operations leverage CSIDH group actions, typically denoted $[s \cdot c]\ast E_0$, where $E_0$ is a base curve and $[s \cdot c]$ specifies the ideal class action parameterized by the secret $s$ and an exceptional set $c \subseteq \mathbb{Z}_N$. The primary intractability underpinning security is the group action inverse problem (GAIP), with security reductions presented against its multi-target extension (MT-GAIP). By design, all operations (including public key and signature computations) are independent of discrete log or factoring hardness, providing resistance even against quantum adversaries (Bhoumik et al., 7 Sep 2025).

4. Security Properties: Unforgeability, Blindness, and Zero-Knowledge

Security for identity-based blind signature schemes is established through:

• Unforgeability under Adaptive Chosen-Message Attacks (EUF-CMA): Proofs demonstrate that forging a valid signature under an unqueried identity is reducible to solving GAIP/MT-GAIP.
• Blindness: The signer is unable to distinguish which message was signed, based on protocol transcripts.
• Honest-Verifier Zero-Knowledge: The interactive identification (IBID) and signature (IBBS) protocols are sigma protocols satisfying perfect completeness, special soundness, and HVZK.

A notable mathematical structure in these schemes is the use of random challenge vectors and responses. Given a sigma protocol with challenge vector $c \in \{-1,0,1\}^n$, the simulator selects $(c_0, c_1)$ such that $c = c_0 \odot c_1$ and generates responses $(r_0, r_1)$ satisfying protocol equations: $$\begin{cases} Y_i = [g^{r_i}] * (X_i)^{c_i} & \text{if } c_i \neq 0\ Y_i = [g^{r_i}] * (E_0) & \text{otherwise} \end{cases}$$ This ensures transcripts are indistinguishable from real protocol executions, upholding the HVZK property. Security reductions explicitly show that any adversary capable of breaking the identification protocol or forging signatures also solves the corresponding isogeny-based hard problem.

5. Signature and Key Size, Computational Efficiency, and Performance

The performance profile of these schemes depends upon the size parameter $n$, which determines both the security level and the linear scaling of all key and signature components. In CSIDH-based constructions, public keys, secret keys, and signature elements are vectors in $\mathbb{Z}_N^n$ or are represented as actions on elliptic curve parameters. For example, at 128-bit quantum security, the signature size is approximately 76 KB. All algorithms—setup, user key extraction, signing, and verification—involve group actions, each requiring $O(n)$ field operations; full protocol runs, which leverage vectorized operations, have computational complexity $O(n^2)$. Implementations (e.g., CSIDH-512) report approximately $10^4$–$10^5$ field operations per group action, confirming practical implementability within moderate computational resources (Bhoumik et al., 7 Sep 2025).

6. Compression Techniques and Practical Implementations

In the context of pairing-based identity-based signatures, signature component sizes heavily depend on the underlying pairing curves. For instance, elements in $G_1$ and $G_2$ may be represented using 40–260 bytes, and signature tuples often comprise several such elements. Two principal methods to minimize signature size (Kar et al., 2019):

• Point Compression for $G_1$ Elements: Storing only the $X$ coordinate of an elliptic curve point (plus a sign bit for the $Y$ coordinate), compressing from $2n$ bytes to $(n+1)$ bytes; during verification, $Y$ is recomputed from $X$.
• Hash/Scalar Compression: Reducing hash outputs modulo the group order; e.g., reducing 256-bit hashes to $\leq32$ bytes for curves where $|\mathbb{Z}_r|\leq2^{256}$.

Applying these methods in identity-based blind signature settings directly lessens bandwidth and storage requirements. However, care must be exercised that the blinding property is not inadvertently compromised by compression, especially if both $G_1$ and $G_2$ elements are involved or if decompression is required during the verification or unblinding phase. The paper emphasizes that compression is more straightforward for $G_1$ and that it is not clear whether $G_2$ or $G_T$ elements can be compressed as effectively.

Conclusion

Identity-based blind signature schemes combine direct identity-derived public key cryptography with the unlinkability and zero-knowledge features of blind signature protocols. Recent efforts, such as schemes based on the CSIDH framework, yield post-quantum security through the use of isogenies while maintaining practical performance and allowing for signature compression. Rigorous security analysis demonstrates resistance against strong adversaries (including those equipped with quantum resources) via reductions to established hard problems in elliptic curve isogenies. The result is a family of cryptographic primitives well-suited to privacy-preserving authentication and transaction systems in both classical and post-quantum application domains (Kar et al., 2019, Bhoumik et al., 7 Sep 2025).