
CSI-IBBS: Identity-Based Blind Signatures

Updated 13 June 2026
  • CSI-IBBS is a cryptographic protocol that fuses identity-based cryptography with blind signatures to enable certificate-free, privacy-preserving authentication.
  • The protocol leverages both code-based and isogeny-based constructions, relying on hard problems like syndrome decoding and group-action inverse problems for quantum resistance.
  • Efficient key extraction, zero-knowledge proofs, and non-interactive verification underpin its practical applications in digital cash, voting, and secure communications.

Identity-based blind signatures (CSI-IBBS) are cryptographic protocols that synthesize identity-based cryptography (IBC) with the privacy attributes of blind signature schemes. In a CSI-IBBS system, a trusted Key Generation Center (KGC) issues signing keys derived from user identities; users subsequently obtain blind signatures on their messages such that the KGC does not learn the underlying content. The cryptographic hardness underlying CSI-IBBS can be based on either code-based structures—leveraging syndrome decoding problems (SD) and related assumptions—or on isogeny-based constructions, specifically using the CSIDH group action to obtain quantum-resistant security. These constructions are designed to provide scalable, certificate-free public key authentication, privacy-preserving digital signatures, and strong resistance to both classical and quantum cryptanalytic attacks (Bhoumik et al., 7 Sep 2025, Cayrel et al., 2013).

1. Cryptographic Foundations

CSI-IBBS protocols are built over two principal families of post-quantum hard problems:

  • Code-based CSI-IBBS: The main security assumptions are the hardness of decoding random linear codes (syndrome decoding, SD), the Goppa-code distinguishing problem (GD), and the Permuted-Kernels problem (PKP) (Cayrel et al., 2013).
  • Isogeny-based CSI-IBBS (using CSIDH): Security is reduced to the group-action inverse problem (GAIP) and its multi-target variant (MT-GAIP) over supersingular elliptic curves, relying on the infeasibility of efficiently finding class group actions in the setting of CSIDH (Bhoumik et al., 7 Sep 2025).

Key primitives include cryptographic hash functions (modeled as random oracles) for identity and message binding, and structure-preserving key extraction and blinding mechanisms to support user privacy and unlinkability.

2. Protocol Architecture and Algorithms

The CSI-IBBS protocol comprises four core algorithmic interfaces: Setup, Extract (identity-based key derivation), Blind/Unblind, and Blind Sign/Verify.

CSIDH-based CSI-IBBS protocol:

  • Setup: The KGC selects master secrets $s_0, s_1 \leftarrow \mathbb{Z}/N\mathbb{Z}$ and computes two vectors of public master curves applying the CSIDH group action. The public parameters include a base supersingular curve, field modulus $p$, class number $N$, a set of “super-exceptional” elements $c$, and two hash functions $H_1$ and $H_2$.
  • Extract: For user identity $\text{ID}$, the KGC samples randomized exponent vectors, computes user-bound secret exponents, and outputs a user secret key $usk_\text{ID} = (\delta, x_\delta)$ and public key $(X_0, X_1)$.
  • Blind Signature Protocol: A four-message interactive protocol between the user and signer enables the user to blind the message, obtain a zero-knowledge proof of correct signing, and recover the final blind signature without revealing the message content to the signer.
  • Verification: Efficient non-interactive checks recompute the binding vectors and validate signature components using group-action computations and hash evaluations; acceptance is predicated on the Fiat–Shamir challenge being satisfied (Bhoumik et al., 7 Sep 2025).

Code-based CSI-IBBS protocol:

  • Setup: The KGC selects a binary Goppa code with a public (disguised) parity-check matrix $H = Q \widetilde{H} P$, and an efficient decoder. Public parameters include pp0, two hash functions pp1, pp2, and error capacity pp3.
  • Extract: The KGC computes user-specific syndromes and attempts to decode via the Goppa trapdoor decoder, outputting a sparse secret vector (pp4) and a small integer index pp5 as the secret key.
  • Blinding/Unblinding: Users construct randomized syndromes and parity-check matrices, leveraging trapdoor decoding and permutations to obfuscate their requests. Unblinding recovers the signature from the KGC's response using the stored permutation and auxiliary data.
  • Blind Sign/Verify: The KGC uses the secret key to sign the blinded message and provides a zero-knowledge proof (PKP) that the blinded code shares an isometric kernel with the public Goppa code. Verification checks involve syndrome consistency and validation of the PKP transcript (Cayrel et al., 2013).

3. Security Properties

CSI-IBBS schemes achieve the following rigorous guarantees, under their respective assumptions and in the random-oracle model:

  • Blindness: The KGC (signer) learns no information about the signed message or linkage to the user’s final signature, due to the statistical independence of the blinded requests (e.g., pp6 in code-based, or blinded challenge vectors in CSIDH-based). Simulation arguments demonstrate that transcripts can be relabeled or simulated without knowledge leakage (Bhoumik et al., 7 Sep 2025, Cayrel et al., 2013).
  • Existential Unforgeability (EUF-CMA-CIDA): Any adversary capable of forging a signature or mounting an adaptive chosen-identity or message attack can be reduced to an efficient solver for SD/GD/PKP (classical) or GAIP/MT-GAIP (isogeny), leveraging reprogrammable random oracles and “one-more forgery” proof methodologies.
  • Identity-based Security: Extraction of secret keys for other identities is infeasible even if multiple secret key extractions are observed; the inherent randomness or binding properties of pp7 (identity hashes) in both protocol classes decouple secret exponents from master keys, reducing to the underlying hardness assumptions.
  • Zero-Knowledge: Verification proofs (e.g., PKP or Σ-protocols) are honest-verifier zero-knowledge: knowledge of secret keys is demonstrated without revealing any auxiliary information, relying on standard rewinding and simulation techniques in the context of repetition-based identification protocols (Bhoumik et al., 7 Sep 2025).

4. Performance and Implementation Costs

CSIDH-based CSI-IBBS

| Algorithm | Dominant CSIDH Actions | Asymptotic Cost |
|---|---|---|
| Setup | pp8 actions | pp9 |
| Key Extraction | NN0 actions | NN1 |
| Sign (S₁, S₂) | NN2 actions (per round) | NN3 |
| User blur/unblind | NN4 actions | NN5 |
| Verify | NN6 actions | NN7 |

At 128-bit quantum security (CSIDH-512, NN8), the master public key is approximately 75 KB and each signature is about 76 KB (Bhoumik et al., 7 Sep 2025).

Code-based CSI-IBBS

| Component | Typical Size (n=4096, t=50) |
|---|---|
| Public Key | NN9 KB |
| Identity Secret | cc0 bits (vector) |
| Signature | cc1 kbit (Stern sign) |

Performance bottlenecks in the code-based protocol include the cost of identity extraction (expected cc2 decoding attempts) and communication overhead due to large proofs of PKP (cc3 Mbit) (Cayrel et al., 2013).

A salient property of CSI-IBBS is provision of honest-verifier zero-knowledge and strong quantum-resistance at practical key and signature sizes (linear in the security parameter cc4), while supporting stateless, certificate-free operation.

6. Parameter Selection and Practical Considerations

Parameter selection for CSI-IBBS depends on the desired security level:

  • CSIDH-based: Security is dominated by the choice of cc5, the number of small isogeny degrees, and the size of the class group cc6. Concrete instantiations (e.g., cc7 for CSIDH-512) achieve targeted quantum security with moderate key/signature overhead.
  • Code-based: For 128-bit classical security (quantum cc8), cc9, H1H_10, and public key sizes around 300 KB are used. Identity extraction can require optimization to avoid super-polynomial decoding costs, often employing the “mCFS” trick by choosing H1H_11 small or enlarging the counter space (Cayrel et al., 2013).

A primary challenge in code-based instantiations is the size of PKP proofs and the efficiency of the identity extraction loop. In isogeny-based schemes, efficiency scales linearly with H1H_12, and group-action evaluations dominate computational costs.
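
The code-based Extract step from section 2 and the extraction loop discussed above, as an added toy example (not code from this page or from the cited papers). An exhaustive search over low-weight errors stands in for the Goppa trapdoor decoder; the matrix `H_COLS`, the parameters `N`, `R`, `T` and all function names are constructed for illustration and offer no security.

```python
import hashlib
from itertools import combinations

# Constructed toy parameters: far too small for any security.
N, R, T = 12, 8, 2            # code length, syndrome bits, max error weight
# Public parity-check matrix as N columns of R bits each (constructed sample).
H_COLS = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
          0x1D, 0x3A, 0x74, 0xE8]

def h1(identity: bytes, counter: int) -> int:
    """Hash (identity, counter) to an R-bit target syndrome."""
    digest = hashlib.sha256(identity + counter.to_bytes(4, "big")).digest()
    return digest[0]          # R = 8, so one byte is the whole syndrome

def syndrome(support) -> int:
    """Syndrome H*e^T of the error vector whose 1-positions are `support`."""
    s = 0
    for j in support:
        s ^= H_COLS[j]
    return s

def decode(target: int):
    """Stand-in for the trapdoor decoder: exhaustive search, weight <= T."""
    for w in range(T + 1):
        for support in combinations(range(N), w):
            if syndrome(support) == target:
                return support
    return None               # this syndrome is not decodable

def extract(identity: bytes, max_counter: int = 1 << 12):
    """KGC side: bump the counter until the hashed syndrome decodes."""
    for counter in range(max_counter):
        support = decode(h1(identity, counter))
        if support is not None:
            return support, counter   # sparse secret + small integer index
    raise RuntimeError("counter space exhausted")

def check_key(identity: bytes, support, counter: int) -> bool:
    """Key-holder side: weight bound and syndrome consistency."""
    return len(support) <= T and syndrome(support) == h1(identity, counter)

if __name__ == "__main__":
    sup, ctr = extract(b"alice@example.org")
    print("support:", sup, "counter:", ctr, "attempts:", ctr + 1)
```

Only a fraction of syndromes decode to weight at most `T`, so the returned counter plus one is the number of decoding attempts the KGC spent on that identity.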

7. Outlook and Open Challenges

CSI-IBBS systems support privacy-preserving authentication, digital cash, and voting protocols in post-quantum infrastructures, balancing scalability with user privacy. Ongoing research directions include optimizing code-based extraction and PKP proof sizes, enhancing the efficiency of isogeny-based arithmetic, and further tightening reductions in the quantum security model.

Parameter and performance tuning, especially for code-based identity extraction methods and reduction of large zero-knowledge proofs, remains an active topic (Cayrel et al., 2013). Comparative assessment with non-identity-based and non-blind signature schemes is crucial for deployment decisions in emerging post-quantum security architectures.

