CSI-IBBS: Identity-Based Blind Signatures
- CSI-IBBS is a cryptographic protocol that fuses identity-based cryptography with blind signatures to enable certificate-free, privacy-preserving authentication.
- The protocol leverages both code-based and isogeny-based constructions, relying on hard problems like syndrome decoding and group-action inverse problems for quantum resistance.
- Efficient key extraction, zero-knowledge proofs, and non-interactive verification underpin its practical applications in digital cash, voting, and secure communications.
Identity-based blind signatures (CSI-IBBS) are cryptographic protocols that synthesize identity-based cryptography (IBC) with the privacy attributes of blind signature schemes. In a CSI-IBBS system, a trusted Key Generation Center (KGC) issues signing keys derived from user identities; users subsequently obtain blind signatures on their messages such that the KGC does not learn the underlying content. The cryptographic hardness underlying CSI-IBBS can be based on either code-based structures—leveraging syndrome decoding problems (SD) and related assumptions—or on isogeny-based constructions, specifically using the CSIDH group action to obtain quantum-resistant security. These constructions are designed to provide scalable, certificate-free public key authentication, privacy-preserving digital signatures, and strong resistance to both classical and quantum cryptanalytic attacks (Bhoumik et al., 7 Sep 2025, Cayrel et al., 2013).
1. Cryptographic Foundations
CSI-IBBS protocols are built over two principal families of post-quantum hard problems:
- Code-based CSI-IBBS: The main security assumptions are the hardness of decoding random linear codes (syndrome decoding, SD), the Goppa-code distinguishing problem (GD), and the Permuted-Kernels problem (PKP) (Cayrel et al., 2013).
- Isogeny-based CSI-IBBS (using CSIDH): Security is reduced to the group-action inverse problem (GAIP) and its multi-target variant (MT-GAIP) over supersingular elliptic curves, relying on the infeasibility of recovering the class-group element that maps one curve to another under the CSIDH group action (Bhoumik et al., 7 Sep 2025).
Key primitives include cryptographic hash functions (modeled as random oracles) for identity and message binding, and structure-preserving key extraction and blinding mechanisms to support user privacy and unlinkability.
2. Protocol Architecture and Algorithms
The CSI-IBBS protocol comprises four core algorithmic interfaces: Setup, Extract (identity-based key derivation), Blind/Unblind, and Blind Sign/Verify.
CSIDH-based CSI-IBBS protocol:
- Setup: The KGC selects master secrets and computes two vectors of public master curves applying the CSIDH group action. The public parameters include a base supersingular curve, field modulus , class number , a set of “super-exceptional” elements , and two hash functions and .
- Extract: For user identity , the KGC samples randomized exponent vectors, computes user-bound secret exponents, and outputs a user secret key and public key .
- Blind Signature Protocol: A four-message interactive protocol between the user and signer enables the user to blind the message, obtain a zero-knowledge proof of correct signing, and recover the final blind signature without revealing the message content to the signer.
- Verification: Efficient non-interactive checks recompute the binding vectors and validate signature components using group-action computations and hash evaluations; acceptance is predicated on the Fiat–Shamir challenge being satisfied (Bhoumik et al., 7 Sep 2025).
Code-based CSI-IBBS protocol:
- Setup: The KGC selects a binary Goppa code with a public (disguised) parity-check matrix , and an efficient decoder. Public parameters include 0, two hash functions 1, 2, and error capacity 3.
- Extract: The KGC computes user-specific syndromes and attempts to decode via the Goppa trapdoor decoder, outputting a sparse secret vector (4) and a small integer index 5 as the secret key.
- Blinding/Unblinding: Users construct randomized syndromes and parity-check matrices, leveraging trapdoor decoding and permutations to obfuscate their requests. Unblinding recovers the signature from the KGC's response using the stored permutation and auxiliary data.
- Blind Sign/Verify: The KGC uses the secret key to sign the blinded message and provides a zero-knowledge proof (PKP) that the blinded code shares an isometric kernel with the public Goppa code. Verification checks involve syndrome consistency and validation of the PKP transcript (Cayrel et al., 2013).
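The code-based Extract step, with its retry-until-decodable loop and the resulting (sparse vector, index) key, can be seen in miniature in the following added example; it is not code from either cited paper. Assumptions: the 8×16 parity-check matrix is constructed, a brute-force lookup table stands in for the Goppa trapdoor decoder, the first byte of SHA-256 stands in for the identity hash, and all function names are hypothetical.

```python
import hashlib
from itertools import combinations

# Constructed toy parameters (NOT secure): n = 16 columns, r = 8 syndrome bits.
T = 2  # error capacity: maximum weight of the secret vector
# Columns of a constructed 8x16 binary parity-check matrix, one byte per column.
H_COLS = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80,
          0x1D, 0x3A, 0x74, 0xE8, 0xCD, 0x87, 0x13, 0x26]

def syndrome(positions):
    """H * e^T for the error vector e whose 1-bits sit at `positions`."""
    s = 0
    for p in positions:
        s ^= H_COLS[p]
    return s

# Stand-in for the KGC's trapdoor decoder: every syndrome reachable by an
# error of weight 1..T. At real sizes only the trapdoor holder can decode.
DECODE = {}
for w in range(1, T + 1):
    for pos in combinations(range(len(H_COLS)), w):
        DECODE.setdefault(syndrome(pos), pos)

def id_syndrome(identity, index):
    """Hash (identity, index) to an 8-bit target syndrome (assumed encoding)."""
    data = identity.encode() + b"|" + index.to_bytes(4, "big")
    return hashlib.sha256(data).digest()[0]

def extract(identity, max_index=4096):
    """Try index 0, 1, 2, ... until the identity's syndrome is decodable."""
    for index in range(max_index):
        pos = DECODE.get(id_syndrome(identity, index))
        if pos is not None:
            return pos, index  # (sparse secret vector, small integer index)
    raise RuntimeError("no decodable syndrome within the counter space")

def check_key(identity, key):
    """Weight in 1..T, distinct in-range positions, and H * e^T matches the hash."""
    pos, index = key
    if not (1 <= len(pos) <= T) or len(set(pos)) != len(pos):
        return False
    if any(not 0 <= p < len(H_COLS) for p in pos):
        return False
    return syndrome(pos) == id_syndrome(identity, index)

if __name__ == "__main__":
    for ident in ("alice@example.org", "bob@example.org"):  # constructed identities
        key = extract(ident)
        print(ident, key, "attempts:", key[1] + 1, "valid:", check_key(ident, key))
```

The number of attempts equals the returned index plus one, which is why the fraction of decodable syndromes drives extraction cost in the real scheme.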
3. Security Properties
CSI-IBBS schemes achieve the following rigorous guarantees, under their respective assumptions and in the random-oracle model:
- Blindness: The KGC (signer) learns no information about the signed message or linkage to the user’s final signature, due to the statistical independence of the blinded requests (e.g., 6 in code-based, or blinded challenge vectors in CSIDH-based). Simulation arguments demonstrate that transcripts can be relabeled or simulated without knowledge leakage (Bhoumik et al., 7 Sep 2025, Cayrel et al., 2013).
- Existential Unforgeability (EUF-CMA-CIDA): Any adversary that forges a signature under adaptive chosen-identity and chosen-message attacks can be converted into an efficient solver for SD/GD/PKP (code-based) or GAIP/MT-GAIP (isogeny-based), leveraging reprogrammable random oracles and “one-more forgery” proof methodologies.
- Identity-based Security: Extraction of secret keys for other identities is infeasible even if multiple secret key extractions are observed; the inherent randomness or binding properties of 7 (identity hashes) in both protocol classes decouple secret exponents from master keys, reducing to the underlying hardness assumptions.
- Zero-Knowledge: Verification proofs (e.g., PKP or Σ-protocols) are honest-verifier zero-knowledge: knowledge of secret keys is demonstrated without revealing any auxiliary information, relying on standard rewinding and simulation techniques in the context of repetition-based identification protocols (Bhoumik et al., 7 Sep 2025).
4. Performance and Implementation Costs
CSIDH-based CSI-IBBS
| Algorithm | Dominant CSIDH Actions | Asymptotic Cost |
|---|---|---|
| Setup | 8 actions | 9 |
| Key Extraction | 0 actions | 1 |
| Sign (S₁, S₂) | 2 actions (per round) | 3 |
| User blind/unblind | 4 actions | 5 |
| Verify | 6 actions | 7 |
At 128-bit quantum security (CSIDH-512, 8), the master public key is approximately 75 KB and each signature is about 76 KB (Bhoumik et al., 7 Sep 2025).
Code-based CSI-IBBS
| Component | Typical Size (n=4096, t=50) |
|---|---|
| Public Key | 9 KB |
| Identity Secret | 0 bits (vector) |
| Signature | 1 kbit (Stern sign) |
Performance bottlenecks in the code-based protocol include the cost of identity extraction (expected 2 decoding attempts) and communication overhead due to large proofs of PKP (3 Mbit) (Cayrel et al., 2013).
5. Comparison to Prior and Related Schemes
- CsiIBS (Peng et al.): Achieves similar performance but at the expense of larger public keys per identity and a separate Fiat–Shamir transformation to obtain non-interactivity, as opposed to built-in OR-proofs in CSI-IBBS (Bhoumik et al., 7 Sep 2025).
- CSI-Otter (Katsumata et al.): Provides partially blind signatures with a similar OR-proof structure, but lacks native identity-based operation and thus requires additional mechanisms for identity binding (Bhoumik et al., 7 Sep 2025).
- Overbeck’s protocol and Cayrel–Gaborit–Girault IBS: Form the code-based foundation, combining identity extraction and syndrome decoding with Stern’s protocol for zero-knowledge proofs and blind signatures (Cayrel et al., 2013).
A salient property of CSI-IBBS is provision of honest-verifier zero-knowledge and strong quantum-resistance at practical key and signature sizes (linear in the security parameter 4), while supporting stateless, certificate-free operation.
6. Parameter Selection and Practical Considerations
Parameter selection for CSI-IBBS depends on the desired security level:
- CSIDH-based: Security is dominated by the choice of 5, the number of small isogeny degrees, and the size of the class group 6. Concrete instantiations (e.g., 7 for CSIDH-512) achieve targeted quantum security with moderate key/signature overhead.
- Code-based: For 128-bit classical security (quantum 8), 9, 0, and public key sizes around 300 KB are used. Identity extraction can require optimization to avoid super-polynomial decoding costs, often employing the “mCFS” trick by choosing 1 small or enlarging the counter space (Cayrel et al., 2013).
A primary challenge in code-based instantiations is the size of PKP proofs and the efficiency of the identity extraction loop. In isogeny-based schemes, efficiency scales linearly with 2, and group-action evaluations dominate computational costs.
7. Outlook and Open Challenges
CSI-IBBS systems support privacy-preserving authentication, digital cash, and voting protocols in post-quantum infrastructures, balancing scalability with user privacy. Ongoing research directions include optimizing code-based extraction and PKP proof sizes, enhancing the efficiency of isogeny-based arithmetic, and further tightening reductions in the quantum security model.
Parameter and performance tuning, especially for code-based identity extraction methods and reduction of large zero-knowledge proofs, remains an active topic (Cayrel et al., 2013). Comparative assessment with non-identity-based and non-blind signature schemes is crucial for deployment decisions in emerging post-quantum security architectures.
References:
- “CSI-IBBS: Identity-Based Blind Signature using CSIDH” (Bhoumik et al., 7 Sep 2025)
- “Post-Quantum Cryptography: Code-based Signatures” (Cayrel et al., 2013)