PS Signatures with MIRACL: Randomizable and Short

We just love the magic of crypto pairing, and the opportunity to produce short and randomizable signatures. A signature can then be change in order to hide the original signature.

One of the best methods around is the PS (Pointcheval Sanders) Short Randomizable Signature and was defined in [1]:

It uses crypto pairs to produce a signature which can be randomized. Initially we have two pairing points (g1 on the G1 curve, and g2 on the G2 curve. The private key is created with two random numbers (x and y):

sk=(x ,y)

and a public key with:

pk=(g2,x g2,y g2)=(g2,X,Y)

To create the signature we take a message (m) and create a random value for the signature (h) and then determine two signature elements:

sig1=h g1

sig2=(x+y×m)×sig1

In this case sig1 and sig2 will be points on G1, and X and Y are points on G2. To check the signature, we have (sig1, pk and sig2) and then equate this pairing:

e(sig1,X+m×Y)=e(sig2,g2)