Recent work on structure-preserving signatures (SPS) studies optimality of these schemes in terms of the number of group elements needed in the verification key and the signature, and the number of pairing-product equations in the verification algorithm. While these measures are crucial for many applications, another important aspect to consider for performance is verification time, which for these schemes is dominated by pairings computation. Although prior work considers optimality in terms of number of pairing-product equations, this measure does not capture the exact number of pairings needed in verification. To fill this gap, we study the minimal number of pairings needed in verification of SPS. First, we prove lower bounds for schemes in the Type~II setting secure under chosen message attacks in the generic group model. We show that three pairings are necessary and at most one of these pairings can be precomputed. Second, we build an automated tool to search for schemes matching our lower bounds. Using this tool, we find a new randomisable SPS in the Type~II setting that is optimal with respect to our lower bound on the number of pairings, and minimal in terms of group operations to be computed during verification.
Read full abstract