
Quantization using Jet Space Geometry

and
Identity Management using
Credential Schemes

Sietse Ringers
This PhD project was carried out at the Johann Bernoulli Institute of the University of
Groningen, and the Institute for Computing and Information Sciences of the Radboud
University. It was financially supported by the FWN / JBI RUG and the Secure Self-
Enrollment (SSE) project from KPN.

Copyright © 2016 Sietse Ringers

Cover page: a Calabi-Yau manifold processed by a machine learning algorithm called “Deep Style”

This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/.

ISBN: 978-90-367-9113-7 (printed version)
ISBN: 978-90-367-9112-0 (electronic version)
Quantization using Jet Space Geometry
and
Identity Management using
Credential Schemes

PhD thesis

to obtain the degree of PhD at the
University of Groningen
on the authority of the
Rector Magnificus Prof. E. Sterken
and in accordance with
the decision by the College of Deans.

This thesis will be defended in public on

Friday 7 October at 14:30 hours

by

Sietse Ringers
born on 11 July 1984
in Lelystad

Supervisor
Prof. J. Top

Co-supervisors
Dr. A. V. Kiselev
Dr. J.-H. Hoepman

Assessment Committee
Prof. G. R. Renardel de Lavalette
Prof. S. Gutt
Prof. B. de Decker
Contents (chapters)

Contents (chapters) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i
Contents (detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii

I Quantization using Jet Space Geometry 1


1 The Schouten Bracket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 The BV-formalism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3 Deformation quantization and the dual of Lie algebras . . . . . . . . . . . . 45
4 How not to deform quantize on jet spaces . . . . . . . . . . . . . . . . . . . 69

II Identity Management using Credential Schemes 81


5 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6 Linkability and malleability in self-blindable credentials . . . . . . . . . . . 111
7 Partially blind Boneh–Boyen signatures . . . . . . . . . . . . . . . . . . . . . 125
8 The self-blindable U-Prove scheme from FC’14 is forgeable . . . . . . . . . 143
9 An efficient self-blindable attribute-based credential scheme . . . . . . . . 151

End Matter 181


10 Summary and conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Inleiding en samenvatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Biography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
List of notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
ii Contents (chapters)
Contents (detailed)

Contents (chapters) i

Contents (detailed) iii

Introduction vii
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Part 1: Quantization using jet space geometry . . . . . . . . . . . . . . . . . vii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x
Bibliographic notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Part 2: Identity management using credential schemes . . . . . . . . . . . . xii
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Bibliographic notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

I Quantization using Jet Space Geometry 1


1 The Schouten Bracket 3
1.1 The geometry of jet space . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1.1 The infinite jet bundle . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2 The Einstein summation convention . . . . . . . . . . . . . . . 5
1.1.3 Tangent vectors and vector fields . . . . . . . . . . . . . . . . . 5
1.1.4 Differential forms and covectors . . . . . . . . . . . . . . . . . . 6
1.1.5 Horizontal jet bundles . . . . . . . . . . . . . . . . . . . . . . . 8
1.1.6 Adjoint modules and total differential operators . . . . . . . . 9
1.2 The Schouten bracket . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3 Variational multivectors . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4 Definitions of the bracket . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4.1 Odd Poisson bracket . . . . . . . . . . . . . . . . . . . . . . . . 15
1.4.2 A recursive definition . . . . . . . . . . . . . . . . . . . . . . . . 19
1.4.3 Graded vector fields . . . . . . . . . . . . . . . . . . . . . . . . . 22

2 The BV-formalism 25

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2 Secondary calculus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.3 BV-algebras and the quantum master equation . . . . . . . . . . . . . 28
2.4 Products of integral functionals . . . . . . . . . . . . . . . . . . . . . . 33
2.5 Euler-Lagrange equations with gauge symmetries . . . . . . . . . . . 36
2.6 A Laplacian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

3 Deformation quantization and the dual of Lie algebras 45


3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.2 Star products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.3 The Kontsevich star product . . . . . . . . . . . . . . . . . . . . . . . . 52
3.4 Gauge transformations . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.5 Hochschild cohomology . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.5.1 The star product up to order 2 . . . . . . . . . . . . . . . . . . . 61
3.6 The Kontsevich star product on the dual of Lie algebras . . . . . . . . 62
3.6.1 The dual as a Poisson manifold . . . . . . . . . . . . . . . . . . 62
3.6.2 The enveloping and symmetric algebras . . . . . . . . . . . . . 63
3.6.3 The Kontsevich star product . . . . . . . . . . . . . . . . . . . . 65

4 How not to deform quantize on jet spaces 69


4.1 The variational Hamiltonian formalism . . . . . . . . . . . . . . . . . . 69
4.2 Three candidate star products . . . . . . . . . . . . . . . . . . . . . . . 72
4.3 The Mathematica program . . . . . . . . . . . . . . . . . . . . . . . . . 74

II Identity Management using Credential Schemes 81


5 Preliminaries 83
5.1 Algorithms and efficient computations . . . . . . . . . . . . . . . . . . 83
5.1.1 Turing machines . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
5.1.2 Computation time and efficiency . . . . . . . . . . . . . . . . . 85
5.1.3 Conventions and notations . . . . . . . . . . . . . . . . . . . . . 86
5.2 Groups and group families . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.2.1 Conventions and notations . . . . . . . . . . . . . . . . . . . . . 88
5.3 Intractability assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.4 Elliptic curves and bilinear pairings . . . . . . . . . . . . . . . . . . . . 91
5.4.1 BN-curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.5 Zero-knowledge proofs . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.5.1 Computational indistinguishability . . . . . . . . . . . . . . . . 94
5.5.2 Interactive algorithms . . . . . . . . . . . . . . . . . . . . . . . . 95
5.5.3 Formal languages and zero-knowledgeness . . . . . . . . . . . 95
5.5.4 Σ-protocols and other variations . . . . . . . . . . . . . . . . . 97
5.5.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.5.6 Conventions and notations . . . . . . . . . . . . . . . . . . . . . 101
5.6 Signature schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

5.7 Credential schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103


5.7.1 Conventions and notations . . . . . . . . . . . . . . . . . . . . . 106
5.7.2 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.7.3 Unlinkability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

6 Linkability and malleability in self-blindable credentials 111


6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
6.2 Self-blindable credentials . . . . . . . . . . . . . . . . . . . . . . . . . . 113
6.2.1 Security properties . . . . . . . . . . . . . . . . . . . . . . . . . 115
6.3 Relating malleability and linkability . . . . . . . . . . . . . . . . . . . . 117
6.4 Broken self-blindable credential schemes . . . . . . . . . . . . . . . . . 119
6.5 Do unmalleable, unlinkable self-blindable credential schemes exist? . 122
6.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

7 Partially blind Boneh–Boyen signatures 125


7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
7.1.1 Partially blind signature schemes . . . . . . . . . . . . . . . . . 126
7.1.2 Weakly unforgeable signature schemes . . . . . . . . . . . . . . 128
7.1.3 Paillier encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 129
7.2 The Boneh–Boyen signature scheme . . . . . . . . . . . . . . . . . . . . 130
7.3 The partially blind Boneh–Boyen scheme . . . . . . . . . . . . . . . . . 131
7.3.1 Blind Boneh–Boyen signatures . . . . . . . . . . . . . . . . . . . 134
7.4 Blindness and unforgeability . . . . . . . . . . . . . . . . . . . . . . . . 134
7.4.1 Blindness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
7.4.2 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
7.5 Attribute-based credentials using our scheme . . . . . . . . . . . . . . 139
7.5.1 Signatures as credentials . . . . . . . . . . . . . . . . . . . . . . 139
7.5.2 Showing a credential . . . . . . . . . . . . . . . . . . . . . . . . 139
7.6 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
7.7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

8 The self-blindable U-Prove scheme from FC’14 is forgeable 143


8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
8.2 The credential scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
8.3 Forging new credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
8.3.1 Constructing signatures on the elements gi . . . . . . . . . . . 145
8.3.2 Constructing a forged credential . . . . . . . . . . . . . . . . . 147
8.4 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
8.4.1 The problem in the unforgeability argument . . . . . . . . . . 147
8.4.2 Why Theorem 6.6 is not applicable . . . . . . . . . . . . . . . . 148
8.4.3 The attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

9 An efficient self-blindable attribute-based credential scheme 151


9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
9.1.1 Related work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

9.2 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154


9.2.1 The LRSW assumptions . . . . . . . . . . . . . . . . . . . . . . 154
9.2.2 The discrete logarithm problem in bilinear group pairs . . . . 156
9.2.3 A signature scheme on the space of attributes . . . . . . . . . . 157
9.3 The credential scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
9.3.1 Unforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
9.3.2 Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
9.3.3 Combining credentials using the private key . . . . . . . . . . 168
9.4 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
9.4.1 The Fiat-Shamir heuristic . . . . . . . . . . . . . . . . . . . . . . 169
9.4.2 Exponentiation count . . . . . . . . . . . . . . . . . . . . . . . . 169
9.4.3 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
9.5 Proving unforgeability using the XKEA assumption . . . . . . . . . . 173
9.5.1 The XKEA assumption . . . . . . . . . . . . . . . . . . . . . . . 173
9.5.2 The XKEA assumption and the generic group model . . . . . . 175
9.5.3 Unforgeability based on XKEA . . . . . . . . . . . . . . . . . . 176
9.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

End Matter 181


10 Summary and conclusions 183
10.1 Quantization using jet space geometry . . . . . . . . . . . . . . . . . . 183
10.2 Identity management using credential schemes . . . . . . . . . . . . . 184

Inleiding en samenvatting 187

Acknowledgments 197

Biography 199

Bibliography 201
Quantization using Jet Space Geometry . . . . . . . . . . . . . . . . . . . . . 201
Identity Management using Credential Schemes . . . . . . . . . . . . . . . 204

List of notations 215


Quantization using Jet Space Geometry . . . . . . . . . . . . . . . . . . . . . 215
Identity Management using Credential Schemes . . . . . . . . . . . . . . . 216

Index 219
Quantization using Jet Space Geometry . . . . . . . . . . . . . . . . . . . . . 219
Identity Management using Credential Schemes . . . . . . . . . . . . . . . 221
Introduction

Preface
This thesis consists of two parts: one that deals with geometrical aspects of differential
equations and the mathematical side of two ways of quantizing physical theories, and
one that deals with identity management and credential schemes in computer science. In
the sections below, for each part we present an introduction that gives some motivation
and historical context, and highlights some common themes between the chapters.
Following that there are summaries that describe in more detail the contents of the
two parts, and what we have contributed to their topics. (A Dutch version is included,
starting on p. 187.)

Part 1: Quantization using jet space geometry


Introduction
If there is one thing that mathematicians and physicists (and also computer scientists)
have in common, it is their appreciation and desire for aesthetics: both mathematicians
and physicists strive for that perfect proof or the most elegant theory. Although they do
not always agree on what is aesthetically pleasing and what is not, in overlapping areas
such as mathematical physics their interests and tastes seem to align more often than
not. This can lead to very interesting cross-fertilization.
A theme that occurs throughout the first part of this thesis, and which finds appreciation from people from both parties, is that of specialization: applying a general theory to a well-understood specific case, obtaining a special case of the theory. This special case of the more general theory is often well-known. Actually, it is often more interesting to think about going in the other direction: having some theory, one can try to go the other way and think about possible generalizations. This can be a guiding and inspiring principle in the construction and understanding of new theories. Physically, traversing this path has led to ever more powerful theories that can describe and predict progressively more phenomena, while simultaneously the mathematical sides of the theories have grown more clear, powerful and mature as well. This leads to the following research question, which we will deal with throughout this part of the thesis: How can the principles of generalization and specialization be used to deepen our understanding of the connections between mathematics and theoretical physics, in particular in the fields of jet space geometry and of quantization methods, and to what extent can this advance the mathematical side of these connections?
Let us try to make this more tangible by considering two examples, of which the first
corresponds to Chapters 1 and 2. Most of the partial differential equations occurring
in physics, and many originating from mathematics as well, can be described elegantly
in terms of infinite jet bundles. The independent variables together form a base space,
while the unknowns form the fiber of a fiber bundle over the base space. The differential
equation can then be described as a submanifold of the infinite jet bundle associated to
the fiber bundle. Physically, such systems allow one to describe the dynamics of, for
example, fields, waves or strings. When one applies this machinery to a point particle,
however, the partial differential equation becomes an ordinary one, the base space
collapses to a point and the infinite jet bundle to a (finite-dimensional) smooth manifold.
The physics of point-particles is well-understood, and is formulated in terms of the
geometry that comes naturally with manifolds, such as vector fields and the De Rham
differential. Under the “specialization map” that sends the general theory to the case of
the point particle, one can then wonder what the inverse of this geometrical machinery
is. Essentially, the idea that there should be such inverses under this specialization
map, and that they should play similar roles in the general physics theories as they do
in the specialized ones, is the mathematical version of the idea from physics that the
point-particle case should be a special case of the general framework. This idea is called
secondary calculus, and although it plays an important role throughout the first part of
this thesis it features most prominently in Chapter 2 (see Section 2.2 on p. 26.)
The second example is the topic of Chapter 3. In physics, quantum mechanics revolves
around the Planck constant h̄ ≈ 1.055 × 10^−34 Js. Disregarding the constant nature of
the Planck constant for the moment, quantum mechanical theories are generally such
that when one takes all formulas and applies the limit h̄ → 0, one obtains some classical
approximating theory. Mathematically, it makes sense to think of the Planck constant as
a deformation parameter, so that the quantum theory is a deformation of the classical
theory. This is the essential idea behind quantization deformation. One starts with the
classical theory of a point particle that lives on some manifold M, whose dynamics is
described by a Poisson structure and a Hamiltonian vector field. Physically, the space
of observables of this theory is the ring of functions C^∞(M). Then one interprets the
quantum mechanical space of observables as a deformation in h̄ of C^∞(M), leading to a
non-commutative product called the star product, which contains not only the original
pointwise product of functions on C^∞(M) but also the Poisson structure in terms of
which the dynamics is described. This leads to an elegant quantum theory of point
particles, which is such that if one takes the limit h̄ → 0 one re-obtains the classical
theory that was our starting point. (This method of quantizing classical physics theories is certainly not the only one; in the physics community the BRST- and BV-formalisms seem to be more popular, as they are central to the highly successful standard model.)

[Figure 1: a square diagram with four vertices. Top-left: quantum, jet bundle; top-right: classical, jet bundle; bottom-left: quantum, smooth; bottom-right: classical, smooth. The horizontal arrows, labelled h̄ → 0, point from the quantum vertices to the classical ones; the vertical arrows, labelled n = 0, point from the jet bundle vertices to the smooth ones. The label Ch. 4 appears beside the left (quantum) column, Ch. 1, 2 beside the right (classical) column, and Ch. 3 beside the bottom (smooth) row.]

Figure 1. A schematic overview of the chapters and their topics. The text in the vertices indicates whether the theory is quantum mechanical or classical, and if it lives on smooth manifolds or jet bundles. An arrow indicates that one can specialize the theory to the one the arrow points at, by taking the limit prescribed by the label of the arrow (n refers to the dimension of the base space). Note that the chapters essentially travel in the opposite direction.
Figure 1 shows the relations between the chapters. We see that both Chapters 2 and 3
start from a classical theory of a point particle living on a manifold, and then generalize
this to other subjects than point particles (i.e., to jet bundles) and to a quantum theory (i.e.,
deformation quantization), respectively. This leads to a classical theory that can describe
many physical phenomena on the one hand, and a quantum theory of point particles
on the other hand. One can then wonder if both of these can in turn be considered as
the specialization of some quantum theory of more general physical configurations than
point particles – that is, of the theory that would be in the top-left corner of the diagram
above. Mathematically, this would be a deformation quantization theory on jet bundles.
We briefly consider this question in Chapter 4.

Abstract
The chapters of this first part of the thesis are organised as follows.

Chapter 1 gives a brief introduction to infinite jet bundles and a number of related geometrical constructions, since these occur in most of the first part of this thesis. After that we describe multivectors on jet bundles as our first application of secondary calculus. These constitute the domain of the variational Schouten bracket, which takes two such multivectors and returns a new one; we explain how this bracket is a natural extension of the Schouten bracket on smooth manifolds. The variational Schouten bracket has appeared in multiple guises in the mathematical and physical literature over the years, leading to a number of different descriptions of the same concept. In the final section of this chapter, we show that these different versions are actually equivalent, when care is taken. This chapter is based on the following article.

[KR12] A. V. Kiselev and S. Ringers. “A comparison of definitions for the Schouten bracket on jet spaces”. In: Proceedings of the Sixth International Workshop “Group Analysis of Differential Equations and Integrable Systems”. Larnaca, Cyprus, 2012, 15p. arXiv: 1208.6196.
Chapter 2 is concerned with the Batalin-Vilkovisky formalism, which is one of the techniques for achieving the quantization of classical physics theories. Together with the variational Schouten bracket discussed in the first chapter, an important ingredient of this formalism is the BV-Laplacian: a differential operator of order two that should square to zero, and that together with the bracket forms a mathematical structure known as a BV-algebra. A problem, however, with the BV-Laplacian as it is usually defined within the physics literature, is that it contains “infinite constants” or delta-functions that then need to be removed by regularization. After having cast the geometrical setup in terms of the infinite jet bundles that were introduced in the previous chapter, we briefly explore the possibility of defining a BV-Laplacian that does not contain such infinite constants. We will see, however, that the obvious way of doing this does not result in a BV-algebra.
Chapter 3 revolves around deformation quantization, an entirely different method for the quantization of classical physics theories (but only for point particles). We first briefly explain the physical formalism of point particles in terms of Poisson structures and Hamiltonian vector fields on smooth manifolds. Using Kontsevich’s celebrated result on the deformation quantization of Poisson manifolds, any such theory can be converted into a quantum mechanical one, whose main ingredient is a noncommutative but associative product, called the star product. After having defined the notion of star products and the one that Kontsevich found for arbitrary Poisson manifolds, we give a thorough explanation of this formalism applied to the natural Poisson structure on the dual of Lie algebras.
Chapter 4 briefly discusses possible ways of combining secondary calculus in the form of infinite jet bundles with deformation quantization. Within the framework of secondary calculus, Poisson structures and Hamiltonian vector fields have generalizations to the setup of infinite jet bundles. One can then wonder if there is such a thing as a variational deformation quantization: a generalization of star products to the variational setup. Physically, such theories might be a generalization of the deformation quantization method from point particles to more general configurations. There are a number of possible generalizations that one can try, and we show in this final chapter that none of them work.

Prerequisites
At the very least the reader should be familiar with smooth manifolds and the various structures and machinery surrounding them; some familiarity with symplectic and Poisson manifolds will help. There is a very brief introduction to infinite jet spaces in Chapter 1, but this serves more to fix notation than to truly explain these matters; it would be best if the reader already has some knowledge on these matters (see the section below for references). In principle no prior knowledge of physics is required; all relevant physical concepts are introduced in the text (although, again, familiarity with these subjects will help).

Bibliographic notes
The rather miraculous observation that nature always seems to allow an accurate mathematical description – or conversely, that mathematics somehow always manages to capture physical theories so precisely – has been described beautifully by, among others, Wigner and Hamming in the following two articles.

[Wig60] E. P. Wigner. “The unreasonable effectiveness of mathematics in the natural sciences”. In: Comm. Pure Appl. Math. 13 (Feb. 1960). url: https://www.dartmouth.edu/~matc/MathDrama/reading/Wigner.html.
[Ham80] R. W. Hamming. “The unreasonable effectiveness of mathematics”. In: Amer. Math. Monthly 87.2 (Feb. 1980). url: https://www.dartmouth.edu/~matc/MathDrama/reading/Hamming.html.

For more on infinite jet bundles, their geometry, and how they relate to partial differential
equations we refer to the following books and articles, the last of which introduces the
concept of secondary calculus.

[KV99] I. S. Krasil’shchik and A. M. Vinogradov, eds. Symmetries and conservation laws for differential equations of mathematical physics. Vol. 182. Translations of Mathematical Monographs. Providence, RI: Amer. Math. Soc., 1999, pp. xiv+333.
[KV11] I. S. Krasil’shchik and A. Verbovetsky. “Geometry of jet spaces and integrable systems”. In: J. Geom. Phys. 61.9 (2011), pp. 1633–1674. arXiv: 1002.0077.
[Kis12c] A. V. Kiselev. “The twelve lectures in the (non)commutative geometry of differential equations”. 140p, preprint IHÉS M-12-13. 2012. url: http://preprints.ihes.fr/2012/M/M-12-13.pdf.
[Olv00] P. J. Olver. Applications of Lie groups to differential equations. Second Edition. Vol. 107. Graduate Texts in Mathematics. New York: Springer-Verlag, 2000, p. 541.
[Vin01] A. M. Vinogradov. Cohomological Analysis of Partial Differential Equations and Secondary Calculus. Vol. 204. Translations of Mathematical Monographs. Amer. Math. Soc., 2001.

The BRST- and the BV-formalisms were introduced in the following papers.

[BRS75] C. Becchi, A. Rouet, and R. Stora. “Renormalization of the abelian Higgs-Kibble model”. In: Commun. Math. Phys. 42 (June 1975), pp. 127–162.
[BRS76] C. Becchi, A. Rouet, and R. Stora. “Renormalization of gauge theories”. In: Ann. Phys. 98 (June 1976), pp. 287–321.
[Tyu75] I. V. Tyutin. “Gauge Invariance in Field Theory and Statistical Physics in Operator Formalism”. Lebedev Physics Institute preprint 39. 1975.
[BV81] I. A. Batalin and G. A. Vilkovisky. “Gauge algebra and quantization”. In: Phys. Lett. B 102 (June 1981), pp. 27–31.
[BV83] I. A. Batalin and G. A. Vilkovisky. “Quantization of gauge theories with linearly dependent generators”. In: Phys. Rev. D 28 (10 Nov. 1983), pp. 2567–2582.

The origin of the concept of deformation quantization seems to be [Bay+77; Bay+78a; Bay+78b]. The deformation quantization of smooth Poisson manifolds was achieved by Kontsevich in [Kon03]; before that Fedosov proved that all symplectic manifolds can be deformation quantized [Fed94].

[Bay+77] F. Bayen, M. Flato, C. Fronsdal, A. Lichnerowicz, and D. Sternheimer. “Quantum mechanics as a deformation of classical mechanics”. In: Letters in Mathematical Physics 1.6 (1977), pp. 521–530.
[Bay+78a] F. Bayen, M. Flato, C. Fronsdal, A. Lichnerowicz, and D. Sternheimer. “Deformation theory and quantization. I. Deformations of symplectic structures”. In: Annals of Physics 111.1 (1978), pp. 61–110.
[Bay+78b] F. Bayen, M. Flato, C. Fronsdal, A. Lichnerowicz, and D. Sternheimer. “Deformation theory and quantization. II. Physical applications”. In: Annals of Physics 111.1 (1978), pp. 111–151.
[Kon03] M. Kontsevich. “Deformation Quantization of Poisson Manifolds”. In: Letters in Mathematical Physics 66.3 (2003), pp. 157–216. arXiv: q-alg/9709040.
[Fed94] B. V. Fedosov. “A simple geometrical construction of deformation quantization”. In: J. Differential Geom. 40.2 (1994), pp. 213–238.

Part 2: Identity management using credential schemes


Introduction
In recent years, the importance of information in our society has increased at staggering
rates, primarily because of the arrival and omnipresence of the (personal) computer and
the internet. More and more of the things we do happens online in one way or another.
People use the internet to stay in touch with each other, to meet new people, to buy
and sell, to schedule appointments, and to file their tax returns, to name a few. All of
these actions generate information that can be stored and analyzed. In addition, since
a few years nearly everyone has a smart phone on their person at all times, constantly
connected to the internet, enabling firstly the constant and automatic recording of all
sorts of data – for example, sound, location and movement, but also clicks or taps,
purchases, or social relations – and secondly the easy and efficient transmission of this
information through the internet. At the same time, the cost of transmitting and storing
data is decreasing rapidly, and modern databases can easily store and quickly provide
access to vast amounts of data.
Information about properties and activities of individuals, or personal information for short, is particularly important. In my case, this includes basic information like my age, name and where I live, but also that I have an interest in classical music, the fact that I purchased an e-book some weeks back, and my relationship status. It also includes past activities, as well as additional relevant information to these activities, such as spoken or written text in one form or another, financial records, or implications such as that I am interested in cryptography.
Considering the value of personal information along with the ease with which it can
now be collected and stored, it is no surprise that many parties have started collecting it,
in various ways and for various purposes. For example, the core business of Facebook
and Google is to gather information about people to sell to advertisers; and a number of
institutions of national security have turned out to tap from the internet as much data
as they are able to take.
In some cases this monitoring of behavior and activities – i.e., surveillance – is what we
want. For example, tax collection agencies necessarily need to be informed of people’s
incomes and savings, and many people routinely and purposefully share all sorts of
data with the rest of the world on Facebook. In other cases there may be severe moral
or legal issues, for example when a repressive government attempts to use surveillance
to stifle dissent. People do not always have the option to do anything about it, even if
they do not agree; for example, as someone who is not a citizen of the United States, I
have no legal way to control or prevent the NSA from gathering information about me
by tapping and analyzing internet traffic. People need not even be aware of it; the extent
of the surveillance through the internet by agencies such as the NSA and GCHQ was
largely unknown before the disclosures by Edward Snowden in 2013, and most people
are largely unaware or do not think about how much of their personal information
they give away when routinely interacting with the internet. It also often happens that
an institution or company gathers much more data than it strictly needs in order to
perform the services that it is expected to perform. It is clear, then, that surveillance can
threaten people’s privacy in many ways, and it is dangerous at least for the following
three additional reasons.

• If whatever you do is always recorded by large companies and national institutions,
these entities might be able to use this information against you in the future.
Many such entities claim that they can be trusted with all this information and
responsibility, but even if this is true right now, there is no telling what they will
be like in the future. Perhaps we live in a totalitarian state fifty years from now; if
such a state knows everything about everyone there would be no escaping it.
• Once data about what you do or who you are is stored outside your control, it
is very difficult to keep track of where and how it is stored, what is done with
it, and who controls it. For example, privacy policies that state what is done
with customer data are often subject to change without notice; the government
could in the future implement (secret) laws or regulations that grant it access to
such data; or the data may be stolen or leaked. Since such data can nowadays
be stored essentially indefinitely, the risk of these things happening at some point
in the future is significant, and indeed all three examples mentioned above have
happened a number of times by now. This issue also magnifies the risk described
in the first point above.
• People may refrain from doing what they would otherwise do, knowing that they
are watched online. For fear of potential future repercussions, dissenting opinions
and actions are thus repressed, leading to self-censorship. This is thoroughly
unhealthy in an open and democratic society.

Summarizing, in a society where information equals money and power, it is unwise
to heedlessly give your personal information away. It is a resource, and one that is
constantly gaining importance at that. For these reasons, we believe it is becoming
increasingly important that people are aware of and in control of who knows what
about them. There is, in other words, a need for identity management: the process of
obtaining, using and protecting data that deals with one's identity, online or offline,
generally for the purpose of providing access to services. Note that we are not looking
for ways to constantly hide all personal information, because this simply would not be
possible: for example, a customer in a liquor store will somehow need to convince the
shop owner of the fact that she is over 18. However, there is no need for the shop owner
to learn anything about her other than that fact in order to sell her the liquor.
Facts about persons such as that the customer is over 18, or that she has a subscription
to some newspaper are called attributes. In fact, a passport can be seen as a list of
such attributes created in an unforgeable way by the government. The example above
illustrates that we want to be able to selectively disclose attributes, so that the customer
in the liquor store can prove that she is indeed over 18, without revealing her precise
age, name or other details that are not relevant to the purchase.
In the second part of this thesis, we will attempt to achieve these goals using a
cryptographic technique called attribute-based credential schemes. In such a scheme a party
called the issuer can grant credentials to users. Each credential can contain multiple
attributes (which can store a limited amount of data), along with a signature created by
the issuer over the attributes. The user can then selectively show some of his attributes,
keeping the others hidden. The receiving party (often called the verifier) can use the
signature to ensure that the credential was indeed created by the issuer. For example,
using one such credential issued to me by the government, I could disclose all my
personal information to a border guard at the airport, or just prove that I am over 18 to
a shop owner.
Some credential schemes additionally offer an attractive feature called multi-show
unlinkability: when two credentials are shown to a verifier, then the verifier cannot tell if
he was shown one and the same credential twice, or two different ones (as long as the
disclosed attributes, if any, do not tell the credentials apart). A credential scheme can
separately or simultaneously be issuer unlinkable, preventing the credential issuer from
linking credential usage sessions to specific credentials that it issued.
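To make the issuer, user and verifier roles and selective disclosure concrete, here is a small added example; it is not code from the thesis, and it is not one of the pairing-based schemes studied in Part II. A credential is a list of salted hash commitments to attributes, signed by the issuer; to show it, the user opens only the commitments of the attributes she chooses to disclose, and the verifier checks both the openings and the issuer's signature. The signature is textbook RSA-FDH over deliberately tiny Mersenne-prime parameters so that the example runs with the standard library alone; those parameters, the sample attributes and all function names are constructed for this illustration. The example also makes the unlinkability point visible: two showings of the same credential repeat the same signature and commitment list, so a verifier (and the issuer, who saw the credential at issuance) can link them, which is exactly what the unlinkable schemes of Part II set out to prevent.

```python
"""Toy attribute-based credential with selective disclosure (added example)."""
import hashlib
import secrets
from typing import Dict, Optional, Set

# --- Issuer signature: textbook RSA-FDH over constructed toy parameters ----
# The ~216-bit modulus is far too small for real use; it only keeps the
# example self-contained.
_P = 2**127 - 1                           # Mersenne prime M127
_Q = 2**89 - 1                            # Mersenne prime M89
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))     # issuer's private exponent


def _fdh(msg: bytes) -> int:
    """Full-domain hash of msg into Z_N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % _N


def issuer_sign(msg: bytes) -> int:
    return pow(_fdh(msg), _D, _N)


def issuer_verify(msg: bytes, sig: int) -> bool:
    return pow(sig, _E, _N) == _fdh(msg)


# --- Credential over attributes ------------------------------------------
def _commit(name: str, value: str, salt: bytes) -> bytes:
    """Salted hash commitment: hides the value and binds it to its name."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).digest()


def issue(attributes: Dict[str, str]) -> dict:
    """Issuer: commit to every attribute and sign the list of commitments."""
    names = sorted(attributes)
    salts = {n: secrets.token_bytes(16) for n in names}
    commitments = [_commit(n, attributes[n], salts[n]) for n in names]
    return {
        "values": dict(attributes),
        "salts": salts,
        "commitments": commitments,
        "signature": issuer_sign(b"".join(commitments)),
    }


def show(credential: dict, disclose: Set[str]) -> dict:
    """User: present the signed commitment list, opening only `disclose`."""
    return {
        "commitments": list(credential["commitments"]),
        "signature": credential["signature"],
        "disclosed": {n: (credential["values"][n], credential["salts"][n])
                      for n in disclose},
    }


def verify(presentation: dict) -> Optional[Dict[str, str]]:
    """Verifier: accept only if the issuer signed the commitment list and
    every disclosed attribute opens one of its commitments.  Returns the
    disclosed attributes, or None on rejection."""
    commitments = presentation["commitments"]
    if not issuer_verify(b"".join(commitments), presentation["signature"]):
        return None
    disclosed = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _commit(name, value, salt) not in commitments:
            return None
        disclosed[name] = value
    return disclosed


def linkable(p1: dict, p2: dict) -> bool:
    """Two showings of one credential repeat the same signature: linkable."""
    return p1["signature"] == p2["signature"]


if __name__ == "__main__":
    # Constructed sample attributes, following the liquor-store example.
    cred = issue({"name": "Alice", "over18": "yes", "newspaper": "Daily Gazette"})
    to_shop = show(cred, {"over18"})
    print(verify(to_shop))              # {'over18': 'yes'}; name stays hidden
    to_kiosk = show(cred, {"newspaper"})
    print(linkable(to_shop, to_kiosk))  # True: same signature both times
```

The hidden attributes are protected only by the salted commitments, while unforgeability rests entirely on the issuer's signature over the commitment list; neither property gives multi-show or issuer unlinkability, since the signature itself is the linking handle.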
We will primarily focus on the following properties that credential schemes can offer.

Security. In order for the verifier to be truly convinced that the user owns a valid
credential (more specifically, that this credential was given to the user by the
issuer), it should be provable that users cannot create credentials on their own,
without the issuer's knowledge or consent. Similarly, whenever a scheme claims
to offer certain anonymity features this too should be provable.
Efficiency. A credential scheme should be easy to use in practice. One way to achieve
this could be to implement it on smart cards, which have highly limited resources.
Therefore it makes sense to try to maximize the efficiency of credential schemes.
Attribute-based. As noted above, in different situations one might want to disclose
different attributes. We will, however, also study some schemes that do not offer
attributes, or indeed any storage capacity at all.
Anonymity. Whenever possible, a credential scheme should hide as much of the user
as possible, or as much as the user wishes. Although this can already partly be
achieved by hiding irrelevant attributes, we will mostly be interested in schemes
that offer one and preferably both kinds of unlinkability.

Many of the schemes that we will study make use of bilinear group pairs: that is,
a pair of two prime-order elliptic curves that admit a special map called the pairing.
Elliptic curves offer high security levels combined with small group elements and fast
algorithms for the group operations, while pairings give the ability to inspect relations
between specific group elements. Thus the second part of this thesis deals with the
following research question: Does there exist or can we create a credential scheme in the setting
of bilinear group pairs, that achieves all of the objectives stated above, including unlinkability?
To what extent is there a trade-off between these objectives?
The credential schemes that we study will achieve progressively more of the four goals
above simultaneously. In Chapters 6 and 8 we study a number of existing schemes that
were meant to be efficient, unlinkable and unforgeable, but failed. We will indeed find
a trade-off between anonymity and efficiency, in the contrast between the two attribute-
based credential schemes that we define and study in Chapters 7 and 9; the former offers
high efficiency but no unlinkability, while the latter is not quite as efficient, but still
finally achieves all four goals.

Abstract
The chapters of this second part of the thesis are organised as follows.

Chapter 5 introduces some basic notions and notations that we will use throughout
this part of the thesis: what it means for something to be or not to be efficiently
computable, cyclic groups and bilinear pairings, and zero-knowledge proofs and
signature schemes. This chapter also introduces and defines credential schemes,
the main topic of the subsequent chapters.
Chapter 6 studies a number of (non-attribute-based) credential schemes from the lit-
erature, which are broken in the sense that they do not offer the features they
claim to offer. We prove a general theorem saying that in certain circumstances,
it is very difficult to have such credential schemes provide both unlinkability and
unforgeability. This chapter is based on the following article.

[HLR15] J.-H. Hoepman, W. Lueks, and S. Ringers. “On Linkability and Mal-
leability in Self-blindable Credentials”. In: Information Security Theory
and Practice: 9th IFIP WG 11.2 International Conference, WISTP 2015. Ed.
by N. R. Akram and S. Jajodia. Cham: Springer International Publish-
ing, 2015, pp. 203–218.
Chapter 7 introduces an interactive signing algorithm for a generalization of the Boneh–
Boyen signature scheme, that hides part of the message and the resulting signature
from the signer. As an application, we describe a new attribute-based credential
scheme, that is simpler and very efficient, at the cost of not being unlinkable
(although the issuer is prevented from linking credentials that it issued with exe-
cutions of the showing protocol). Compared with its most well-known competitor,
the U-Prove credential scheme, this scheme offers similar efficiency but higher
security guarantees.
Chapter 8 discusses the attribute-based scheme by Hanzlik and Kluczniak [HK14]. This
scheme was meant to be an unlinkable version of U-Prove, which (like our scheme
from Chapter 7) is not unlinkable but very efficient. Unfortunately, we have discov-
ered an attack in Hanzlik and Kluczniak’s scheme which allows colluding users
to forge credentials over any set of attributes that they wish, without involvement
or knowledge of the issuer. In this chapter we describe this attack, and we point
out the error in the paper by Hanzlik and Kluczniak. This chapter is based on the
following article.

[VRH16] E. Verheul, S. Ringers, and J.-H. Hoepman. "The self-blindable U-Prove
scheme from FC'14 is forgeable". In: Financial Cryptography and Data
Security – FC'16 (2016). In print. url: https://eprint.iacr.org/2015/725.

Chapter 9 finally introduces a second attribute-based credential scheme that does offer
unlinkability, and which achieves all four goals stated in the previous section. Its
security is guaranteed by our unforgeability proof. We also prove that the scheme
is unlinkable, so that it protects the user’s anonymity as much as possible. Finally,
although the scheme is not as efficient as the one from Chapter 7, it is more efficient
than any comparable (in particular, unlinkable) scheme that we know of. At the
end of the chapter, we briefly compare our scheme with the ones from the previous
chapters.

Bibliographic notes
The Data Protection Directive of the European Union limits the collection and usage of
personal data for companies and institutions operating within the European Union.

[EUDPD] Data Protection Directive. Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data.
See also http://ec.europa.eu/justice/data-protection/. url:
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:31995L0046.

Many of the activities of the NSA, GCHQ and a number of other such institutions were
leaked by Edward Snowden in 2013, and subsequently published by news media such
as The Guardian, The New York Times, The Washington Post, Der Spiegel and The Intercept. A
complete archive of all these documents is maintained by the Canadian Journalists for
Free Expression (CJFE).

[CJFE] Snowden Surveillance Archive. Canadian Journalists for Free Expression. url:
https://cjfe.org/snowden.

This thesis will mostly be concerned with the cryptographic side of identity manage-
ment using credential schemes. There are many more aspects to this subject, ranging
from what identity, privacy and anonymity really mean and are, to societal and legal
implications. The second chapter of the PhD thesis of G. Alpár, as well as the paper that
this chapter was based on, contain an extensive discussion about these matters.

[AHS11] G. Alpár, J. Hoepman, and J. Siljee. “The Identity Crisis. Security, Privacy and
Usability Issues in Identity Management”. In: CoRR abs/1101.0427 (2011).
url: http://arxiv.org/abs/1101.0427.
[Alp15] G. Alpár. “Attribute-Based Identity Management: Bridging the Crypto-
graphic Design of ABCs with the Real World”. PhD thesis. Radboud Univer-
sity, Nijmegen, The Netherlands, 2015.

The two best-known attribute-based credential schemes are U-Prove by S. Brands (and
now owned by Microsoft), and Idemix by J. Camenisch and A. Lysyanskaya (and now
owned by IBM). The former is very efficient while the latter offers more anonymity
features and stronger security guarantees.

[Bra00] S. Brands. Rethinking Public Key Infrastructures and Digital Certificates: Building
in Privacy. MIT Press, 2000.
[CL01] J. Camenisch and A. Lysyanskaya. “An Efficient System for Non-transferable
Anonymous Credentials with Optional Anonymity Revocation”. In: Ad-
vances in Cryptology — EUROCRYPT 2001. Ed. by B. Pfitzmann. Vol. 2045.
LNCS. Springer Berlin Heidelberg, 2001, pp. 93–118.
Part I

Quantization using Jet Space Geometry

Chapter 1

The Schouten Bracket

The Schouten bracket (or antibracket) plays a central role in the Poisson formalism, as
well as in the Batalin-Vilkovisky quantization of gauge systems and the BV-Laplacian.
In the latter case, the bracket measures the failure of the BV-Laplacian to be a derivation
with respect to the product of integral functionals, and it distinguishes physical and non-
physical quantum observables through the quantum master equation (see section 2.3 on
p. 28 for more details).
There are several (in)equivalent ways to realize the Schouten bracket on jet spaces.
After having introduced some basic concepts and notations in the first section that we
will use throughout the thesis, we will compare a number of possible definitions for the
Schouten bracket, examining in what ways they agree or disagree and how they relate
to the case of usual manifolds.
This chapter is based on the following article.

[KR12] A. V. Kiselev and S. Ringers. "A comparison of definitions for the Schouten
bracket on jet spaces". In: Proceedings of the Sixth International Workshop "Group
Analysis of Differential Equations and Integrable Systems". Larnaca, Cyprus,
2012, 15p. arXiv: 1208.6196.

The initiative for this article came from Arthemy Kiselev. My contribution has been
the text itself, as well as almost one half of the mathematical content, which was jointly
developed by both authors.

1.1 The geometry of jet space


In this section we introduce some notations and review basic facts that we will use
throughout this part of the thesis. For a more detailed exposition of these matters, see
for example [Olv00; KV11; KV99; Vin01; Kis12c].

1.1.1 The infinite jet bundle

Let $\pi : E \to M$ be a vector bundle. Then the infinite jet bundle $J^\infty(\pi)$ is usually defined
as the inverse limit of the sequence

$$\cdots \xrightarrow{\pi_{k+1,k}} J^k(\pi) \xrightarrow{\pi_{k,k-1}} J^{k-1}(\pi) \xrightarrow{\pi_{k-1,k-2}} \cdots \xrightarrow{\pi_{2,1}} J^1(\pi) \xrightarrow{\pi_{1,0}} J^0(\pi) = E \xrightarrow{\pi} M.$$

More concretely, an element of $J^\infty(\pi)$ consists of a sequence $\theta = (x, \theta_k)_{k \in \mathbb{N}}$ such that

• $\theta_k \in J^k(\pi)$ for all $k \in \mathbb{N}$,
• if $k > l$ then $\pi_{k,l}(\theta_k) = \theta_l$.

Then there are projections $\pi_\infty : J^\infty(\pi) \to M$ and $\pi_{\infty,k} : J^\infty(\pi) \to J^k(\pi)$, defined
respectively by $\pi_\infty(\theta) = x$ and $\pi_{\infty,k}(\theta) = \theta_k$.
We organize the coordinates as follows. $x^i$ are the coordinates, with indices $i, j, k, \ldots$,
along the base manifold; $q^\alpha$ are the fiber coordinates of the bundle $E$, with indices
$\alpha, \beta, \gamma, \ldots$. A point from the infinite jet space is then $\theta = (x^i, q^\alpha, q^\alpha_{x^i}, q^\alpha_{x^i x^j}, \ldots, q^\alpha_\sigma, \ldots) \in J^\infty(\pi)$, where $\sigma$ is a multi-index. If $s \in \Gamma(\pi)$ is a section of $\pi$ we denote with
$j^\infty(s)$ its infinite jet, which is a section $j^\infty(s) \in \Gamma(\pi_\infty)$. Its value at $x \in M$ is

$$j^\infty_x(s) = \Big( x^i,\ s^\alpha(x),\ \frac{\partial s^\alpha}{\partial x^i}(x),\ \ldots,\ \frac{\partial^{|\sigma|} s^\alpha}{\partial x^\sigma}(x),\ \ldots \Big) \in J^\infty(\pi).$$
The following theorem has important consequences for our purposes.
Theorem 1.1 (Borel's lemma). For any infinite sequence of real numbers $(a_0, a_1, \ldots) \in \mathbb{R}^\infty$
there exists a smooth function $f : \mathbb{R} \to \mathbb{R}$ that has $a_k$ as its $k$-th Taylor coefficient; that is, the
Taylor series of $f$ at zero is$^1$

$$\sum_{k=0}^{\infty} \frac{1}{k!}\, a_k x^k.$$

After suitable generalizations this theorem has the following consequence.

Corollary 1.2. If $\pi : E \to M$ is a vector bundle and $\theta \in J^\infty(\pi)$ is such that $\pi_\infty(\theta) = x$ for
some $x \in M$, then $\theta$ is the jet at $x$ of some smooth local section of $\pi$. That is, there exists a local
section $s : U \to E$ (where $U \subset M$) such that $\theta = j^\infty_x(s)$.

Because of this, we may interpret elements $\theta \in J^\infty(\pi)$ as the Taylor coefficients of local
sections.
We define the ring of smooth functions $\mathcal{F}(\pi)$ on $J^\infty(\pi)$ as

$$\mathcal{F}(\pi) = \{ f : J^\infty(\pi) \to \mathbb{R} \mid \exists k \in \mathbb{N} \text{ such that } f \in C^\infty(J^k(\pi)) \} \cup C^\infty(M).$$

Thus, smooth functions on $J^\infty(\pi)$ are required to depend on only finitely many coordinates. Sometimes we will also write $C^\infty(J^\infty(\pi))$ for $\mathcal{F}(\pi)$.

$^1$ Notice that this theorem does not include any requirement on the convergence of the series. Therefore, it
is entirely possible that this expansion has a convergence radius of $0$ – it may converge only at $x = 0$ (at which
it does converge, as is easily seen). Even worse, since the function $f$ that is claimed to exist is only smooth and
not necessarily analytic, if this series does converge outside of $0$ then it need not equal $f$ at those points. For
example, consider the smooth function $f$ with $f(x) = \exp(-1/x^2)$ for $x \neq 0$ and $f(0) = 0$. All of its derivatives
are $0$ at $0$, so its Taylor series at $0$ does not agree with $f$ at any point except $0$.

1.1.2 The Einstein summation convention

Throughout this thesis we shall employ the Einstein summation convention: when an
index variable appears twice in a single term, once as an upper and once as a lower
index, it implies summation of that term over all the values of the index. For example, if
$\omega$ is a one-form on some manifold $M$ with coordinates $x^i$, then we will write $\omega = \omega_i\, dx^i$;
the summation $\sum_{i=1}^n$ is implied. We employ the following additional conventions.

1. When an upper index appears on a coordinate located under the bar in a derivative,
as in $\frac{\partial}{\partial x^i}$, then the $i$ counts as a lower index. Similarly, in $\frac{\partial}{\partial b_\alpha}$ the $\alpha$ counts as an
upper index. This lets us write, for example, vector fields as $X = X^i \frac{\partial}{\partial x^i}$.
2. If $\sigma$ is a multi-index and it appears twice in a term, then an infinite summation
over all multi-indices is implied.
3. The exception to these rules is when the index $i$ or multi-index $\sigma$ appears as the
exponent of a sign. When it does, it does not imply a summation. This allows us
to write the variational derivative concisely as$^2$ $\frac{\delta}{\delta q^\alpha} = (-)^\sigma D_\sigma \frac{\partial}{\partial q^\alpha_\sigma}$ (note that there
is still a summation over all multi-indices implied by the other two occurrences of
$\sigma$).

Whenever there is reason to deviate from these rules we will explicitly write the summation signs.

1.1.3 Tangent vectors and vector fields

If $\theta = j^\infty_x(s) \in J^\infty(\pi)$ is an arbitrary element of the infinite jet space $J^\infty(\pi)$, then the total
derivatives at that point are the vector fields $D_i$ defined by

$$D_i\big|_{j^\infty_x(s)} := j^\infty(s)_*\Big( \frac{\partial}{\partial x^i}\Big|_x \Big),$$

which in coordinates is

$$D_i = \frac{\partial}{\partial x^i} + q^\alpha_{\sigma + 1_i} \frac{\partial}{\partial q^\alpha_\sigma}. \tag{1.1}$$

In addition, if $\sigma = (i_1, \ldots, i_n)$ is a multi-index we define $D_\sigma = (D_1)^{i_1} \circ (D_2)^{i_2} \circ \cdots \circ (D_n)^{i_n}$.
Since vertical tangent vectors on $J^\infty(\pi)$ are spanned by the tangent vectors $\frac{\partial}{\partial q^\alpha_\sigma}$, it is
immediate that the total derivatives form an Ehresmann connection, called the Cartan
connection $\mathcal{C}$. Moreover, since they are defined as pushforwards, it is also immediate that
the total derivatives commute, i.e. they form an involutive distribution on $J^\infty(\pi)$, and the
Cartan connection is flat. Thus, the tangent space $T_\theta J^\infty(\pi)$ splits: $T_\theta J^\infty(\pi) = \mathcal{C}_\theta \oplus V_\theta$,
where $V_\theta := \ker(D_\theta \pi_\infty)$ is the vertical subspace of $T_\theta J^\infty(\pi)$.
We say that a vector field $X$ on $J^\infty(\pi)$ is evolutionary when both $[X, \mathcal{C}] \subset \mathcal{C}$ and $X$ is
vertical, i.e., $X \in \ker(\pi_\infty)_*$. Solving these requirements yields that any evolutionary
vector field is of the form

$$\partial^{(q)}_\varphi = D_\sigma(\varphi^\alpha)\, \frac{\partial}{\partial q^\alpha_\sigma},$$

where $\varphi^\alpha \in \mathcal{F}(\pi)$. We call $\varphi = (\varphi^1, \ldots, \varphi^\alpha)$ the generating section of $\partial^{(q)}_\varphi$; by construction
this is a section of the pullback bundle $\pi_\infty^*(\pi) : \pi_\infty^*(E) \to J^\infty(\pi)$. Denoting $\kappa(\pi) := \Gamma(\pi_\infty^*(\pi)) = \Gamma(\pi) \otimes_{C^\infty(M)} \mathcal{F}(\pi)$ for brevity, then, we thus have that variational vector
fields are in one-to-one correspondence with elements $\varphi \in \kappa(\pi)$ by $\varphi \mapsto \partial^{(q)}_\varphi$, and we
will often use this correspondence to identify the two concepts. We also transfer the
bracket of vector fields to $\kappa(\pi)$ by setting

$$[\partial^{(q)}_{\varphi_1}, \partial^{(q)}_{\varphi_2}] =: \partial^{(q)}_{[\varphi_1, \varphi_2]},$$

from which it follows that $[\varphi_1, \varphi_2] = \partial^{(q)}_{\varphi_1}(\varphi_2) - \partial^{(q)}_{\varphi_2}(\varphi_1)$.
In the remainder we will often just write vector for evolutionary vector fields.

$^2$ We write $(-)^n$ as an abbreviation for $(-1)^n$, and when $\sigma$ is a multi-index we write $(-)^\sigma$ instead of $(-)^{|\sigma|}$.

1.1.4 Differential forms and covectors

We denote the space of all $k$-forms on $J^\infty(\pi)$ by $\Lambda^k(\pi)$. We say that a differential form
$\omega \in \Lambda^k(\pi)$ is horizontal if it yields zero when any of its arguments is vertical; that is,
$X \lrcorner\, \omega = 0$ for any vertical vector field $X$. We denote the space of horizontal $k$-forms by
$\overline{\Lambda}^k(\pi)$. As vertical vector fields are of the form $X^\alpha_\sigma \frac{\partial}{\partial q^\alpha_\sigma}$, it follows that a form is horizontal
only if it can be written as $\omega_{i_1, \ldots, i_k}\, dx^{i_1} \wedge \cdots \wedge dx^{i_k}$. Similarly, we say that a form is vertical
when it yields zero whenever one or more of its arguments is horizontal. Thus the set
of differential $k$-forms splits into a horizontal and a vertical part:

$$\Lambda^k(\pi) = \bigoplus_{i=0}^{k} \overline{\Lambda}^i(\pi) \otimes \mathcal{C}^{k-i}\Lambda(\pi),$$

and we call $\mathcal{C}^{k-i}\Lambda(\pi)$ the space of vertical forms.
This splitting induces a similar splitting of the de Rham differential $d_{\mathrm{dR}(J^\infty(\pi))}$ on
$J^\infty(\pi)$ into a horizontal part $\overline{d}$ and a vertical part $d_{\mathcal{C}}$:

$$d_{\mathrm{dR}(J^\infty(\pi))} = \overline{d} + d_{\mathcal{C}},$$

where $\overline{d} : \overline{\Lambda}^i(\pi) \otimes \mathcal{C}^j\Lambda(\pi) \to \overline{\Lambda}^{i+1}(\pi) \otimes \mathcal{C}^j\Lambda(\pi)$ and $d_{\mathcal{C}} : \overline{\Lambda}^i(\pi) \otimes \mathcal{C}^j\Lambda(\pi) \to \overline{\Lambda}^i(\pi) \otimes \mathcal{C}^{j+1}\Lambda(\pi)$. We call these operators the horizontal and Cartan differentials, respectively.
They are indeed differentials, they anticommute with each other as well as with the de
Rham differential $d_{\mathrm{dR}(J^\infty(\pi))}$, and they are antiderivations of the wedge product. From
this it follows that in coordinates, these operators are

$$\overline{d} = dx^i \wedge D_i \qquad \text{and} \qquad d_{\mathcal{C}} = d_{\mathcal{C}} q^a_\sigma \wedge \frac{\partial}{\partial q^a_\sigma},$$

with the understanding that the vector fields on the right hand side of the wedge
products act on their arguments by the Lie derivative, and where

$$d_{\mathcal{C}} q^a_\sigma = dq^a_\sigma - q^a_{\sigma + 1_i}\, dx^i.$$

Taking the space $\overline{\Lambda}^i \otimes \mathcal{C}^j\Lambda$ (dropping the suffix $(\pi)$ for now), we consider the cohomology with respect to the horizontal differential $\overline{d}$:

$$E_1^{i,j}(\pi) := \frac{\ker\big( \overline{d} : \overline{\Lambda}^i \otimes \mathcal{C}^j\Lambda \to \overline{\Lambda}^{i+1} \otimes \mathcal{C}^j\Lambda \big)}{\operatorname{im}\big( \overline{d} : \overline{\Lambda}^{i-1} \otimes \mathcal{C}^j\Lambda \to \overline{\Lambda}^{i} \otimes \mathcal{C}^j\Lambda \big)}.$$

This is called the $\mathcal{C}$-spectral sequence. In addition, we set $\overline{H}^i(\pi) = E_1^{i,0}(\pi)$, that is,
horizontal $i$-forms modulo the horizontal differential $\overline{d}$. For $i = n = \dim(M)$ elements
of the space $\overline{H}^n(\pi)$ are called Hamiltonians or Lagrangians. Denoting the equivalence
class of a horizontal $n$-form $h\, d^n x \in \overline{\Lambda}^n(\pi)$ by $\int h\, d^n x$ (where $h \in \mathcal{F}(\pi)$ is a function),
an element $\mathcal{H} = \int h\, d^n x \in \overline{H}^n(\pi)$ maps a section $s \in \Gamma(\pi)$ to the reals as follows:

$$s \mapsto \mathcal{H}(s) = \int h\big(j^\infty_x(s)\big)\, d^n x.$$

If $\xi : F \to J^\infty(\pi)$ is a vector bundle and $P = \Gamma(\xi)$ its space of sections, then the adjoint
module $\widehat{P}$ of $P$ is defined to be the space $\operatorname{Hom}_{\mathcal{F}(\pi)}(P, \overline{\Lambda}^n(\pi))$, and we denote the coupling
between a module $P$ and its adjoint by $\langle\,\cdot\,,\cdot\,\rangle$. Applying this to $\kappa(\pi) = \Gamma(\pi_\infty^*(\pi))$, we
define the space of covectors to be $\widehat{\kappa}(\pi) := \widehat{\kappa(\pi)} = \operatorname{Hom}_{\mathcal{F}(\pi)}(\kappa(\pi), \overline{\Lambda}^n(\pi))$. This
space then satisfies $\widehat{\kappa}(\pi) \cong (\mathcal{C}^1\Lambda(\pi) \otimes \overline{\Lambda}^n(\pi)) / \operatorname{im} \overline{d} = E_1^{n,1}(\pi)$. Elements of the right
hand side of this isomorphism act on evolutionary vector fields $\partial^{(q)}_\varphi$ via the unique
representative of the equivalence class that can be written as $p_\alpha\, d_{\mathcal{C}} q^\alpha \wedge d^n x$ for certain
functions $p_\alpha \in \mathcal{F}(\pi)$. In other words, if $\varphi \in \kappa(\pi)$ and $p = p_\alpha\, d_{\mathcal{C}} q^\alpha \wedge d^n x \in \widehat{\kappa}(\pi)$, then

$$\langle p, \varphi \rangle = p(\partial^{(q)}_\varphi) = p_\alpha \varphi^\alpha\, d^n x \in \overline{\Lambda}^n(\pi).$$

The variational derivative of a function $h \in \mathcal{F}(\pi)$ is defined by

$$\frac{\delta h}{\delta q^\alpha} = (-)^\sigma D_\sigma \frac{\partial h}{\partial q^\alpha_\sigma}. \tag{1.2}$$

In addition, we set $\delta = \operatorname{pr}_{\overline{H}^n(\pi)} \circ d_{\mathcal{C}}$, i.e. $\delta\omega = \int d_{\mathcal{C}}\omega \in \widehat{\kappa}(\pi)$ for $\omega \in \overline{\Lambda}^n(\pi)$, which
we also call the variational derivative, or the Euler operator. Then it follows that if
$\omega = h\, d^n x \in \overline{\Lambda}^n(\pi)$ we have

$$\delta\omega = \int \frac{\delta h}{\delta q^\alpha}\, d_{\mathcal{C}} q^\alpha \wedge d^n x =: \int \frac{\delta h}{\delta q^\alpha}\, \delta q^\alpha; \tag{1.3}$$

the notation defined in the right hand side is slightly abusive (as strictly speaking
$\delta q^\alpha \in \overline{H}^n(\pi)$) but convenient. Sometimes we need to keep track with respect to what
coordinates $q$ the Euler operator takes its variational derivatives; in that case we will
write $\delta_q$. Finally, it is easy to see that the variational derivative of functions of the form
$D_i h$ is zero. As a consequence, if $\xi \in \overline{\Lambda}^{n-1}(\pi)$ then $\delta(\overline{d}\xi) = 0$. Therefore, the action of
$\delta$ descends to cohomology, $\delta : \overline{H}^n(\pi) \to \widehat{\kappa}(\pi)$, so that we may write $\delta\mathcal{H} = \delta(\int h\, d^n x)$.
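A worked example, added here and not taken from the thesis, of the total derivative (1.1) and the variational derivative (1.2) in the simplest case $n = 1$: one base coordinate $x$, one fiber coordinate $q$, and jet coordinates $q_x, q_{xx}, \ldots$. The two functions $h$ below are chosen only for the illustration; the second one checks the claim just made that the variational derivative of a total derivative vanishes.

In these coordinates (1.1) reads

$$D_x = \frac{\partial}{\partial x} + q_x \frac{\partial}{\partial q} + q_{xx} \frac{\partial}{\partial q_x} + q_{xxx} \frac{\partial}{\partial q_{xx}} + \cdots,$$

so that, for instance, $D_x(q\, q_x) = q_x^2 + q\, q_{xx}$. The multi-indices $\sigma$ in (1.2) run over $\emptyset, x, xx, \ldots$ with signs $(-)^\sigma = +1, -1, +1, \ldots$, hence

$$\frac{\delta h}{\delta q} = \frac{\partial h}{\partial q} - D_x \frac{\partial h}{\partial q_x} + D_x^2 \frac{\partial h}{\partial q_{xx}} - \cdots .$$

For $h = \tfrac{1}{2} q_x^2 + q^3$ this gives

$$\frac{\delta h}{\delta q} = 3q^2 - D_x(q_x) + 0 = 3q^2 - q_{xx},$$

the Euler–Lagrange expression of the Lagrangian $\int (\tfrac12 q_x^2 + q^3)\, dx$. For the total derivative $h = D_x(q\, q_x) = q_x^2 + q\, q_{xx}$ one finds $\partial h/\partial q = q_{xx}$, $\partial h/\partial q_x = 2 q_x$, $\partial h/\partial q_{xx} = q$, and therefore

$$\frac{\delta h}{\delta q} = q_{xx} - D_x(2 q_x) + D_x^2(q) = q_{xx} - 2 q_{xx} + q_{xx} = 0,$$

as claimed: $h\, dx = \overline{d}(q\, q_x)$ is $\overline{d}$-exact and $\delta$ kills it, which is why $\delta$ is well defined on $\overline{H}^1(\pi)$.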

1.1.5 Horizontal jet bundles

Let $\xi$ be a vector bundle over $J^\infty(\pi)$, and suppose $s_1$ and $s_2$ are two sections of this
bundle. We say that they are horizontally equivalent [KKV04] at a point $\theta \in J^\infty(\pi)$ if
$D_\sigma(s_1^\alpha) = D_\sigma(s_2^\alpha)$ at $\theta$ for all multi-indices $\sigma$ and fiber-indices $\alpha$. Denote the equivalence
class by $[s]_\theta$. The set

$$J^\infty_\pi(\xi) := \{ [s]_\theta \mid s \in \Gamma(\xi),\ \theta \in J^\infty(\pi) \}$$

is called the horizontal jet bundle of $\xi$. It is clearly a bundle over $J^\infty(\pi)$, whose elements
above $\theta$ are determined by all the derivatives $s^\alpha_\sigma := D_\sigma(s^\alpha)$ for all multi-indices $\sigma$ and
fiber-indices $\alpha$.
Now consider this formalism applied to bundles over $J^\infty(\pi)$ of the form $\pi_\infty^*(\zeta)$. Thus
now $\zeta$ is a bundle over $M$ that we pull back via $\pi_\infty$ to create a bundle over $J^\infty(\pi)$; the
construction above then takes the jet space of this bundle (with respect to the horizontal
coordinates). Alternatively, one might wonder what happens if we do this the other
way around, i.e. we first take the jet space of $\zeta$, obtaining a bundle $J^\infty(\zeta) \xrightarrow{\xi_\infty} M$, and
then pull back via $\pi_\infty^*$. The following proposition shows that these two operations
commute, while simultaneously providing a convenient description of the resulting jet
space. We make the following convention: if $\pi$ and $\zeta$ are the projections of two bundles
over the same manifold $M$, then we denote the projection of the Whitney sum of $\pi$ and
$\zeta$ by $\pi \times_M \zeta$.

Proposition 1.3. As bundles over $J^\infty(\pi)$, the horizontal jet bundle $J^\infty_\pi(\pi_\infty^*(\zeta))$ and $\pi_\infty^*(J^\infty(\zeta))$
are equivalent. Moreover, as a bundle over $M$ they are both equivalent to the Whitney sum
$J^\infty(\pi) \times_M J^\infty(\zeta) = J^\infty(\pi \times_M \zeta)$.

Proof. The pullback bundle $\pi_\infty^*(J^\infty(\zeta))$ is as a set equal to

$$\pi_\infty^*(J^\infty(\zeta)) = \{ (j^\infty_x(q), j^\infty_x(u)) \in J^\infty(\pi) \times J^\infty(\zeta) \mid x \in M \},$$

from which we immediately see that $\pi_\infty^*(J^\infty(\zeta))$ is equivalent to the Whitney sum
$J^\infty(\pi \times_M \zeta)$ of $\pi$ and $\zeta$. Thus it remains to show that $\pi_\infty^*(J^\infty(\zeta))$ and $J^\infty_\pi(\pi_\infty^*(\zeta))$ are
equivalent as bundles over $J^\infty(\pi)$.

Consider an element $[s]_\theta \in J^\infty_\pi(\pi_\infty^*(\zeta))$. Thus, $s$ is a section $s \in \Gamma(\pi_\infty^*(\zeta))$. By
Borel's theorem (see Corollary 1.2 on page 4), an arbitrary element over $x \in M$ from
$J^\infty(\pi)$ can be written as $j^\infty_x(q)$ for some $q \in \Gamma(\pi)$. Now define a section $u \in \Gamma(\zeta)$ by
$u := j^\infty(q)^* s = s \circ j^\infty(q)$, i.e., $u(x) = s(j^\infty_x(q))$. Then by the definition of the total
derivative, we have

$$\frac{\partial u^a}{\partial x^i}(x) = \frac{\partial}{\partial x^i}\big( s^a \circ j^\infty(q) \big)(x) = D_{x^i}\big( s^a \big)\big( j^\infty_x(q) \big),$$

that is, the partial derivatives of $u$ and the total derivatives of $s$ coincide. This shows that
if we define a map by

$$[s]_{j^\infty_x(q)} \mapsto \big( j^\infty_x(q), j^\infty_x(u) \big) \in \pi_\infty^*(J^\infty(\zeta)),$$

where $u$ is the section associated to $s$ and $q$ as outlined above, then this map is well-defined and smooth. Moreover, since the partial derivatives of a section $u$ at $x$ and the
total derivatives of a section $s$ at $j^\infty_x(q)$ completely define the equivalence classes $j^\infty_x(u)$
and $[s]_{j^\infty_x(q)}$ respectively, this map is also a bijection. Lastly, it is clear that as a bundle
morphism over $J^\infty(\pi)$, it preserves fibers.

When $\zeta$ is a bundle over $M$ instead of over $J^\infty(\pi)$, and there is no confusion possible,
we will abbreviate $J^\infty_\pi(\pi_\infty^*(\zeta))$ with $J^\infty_\pi(\zeta)$.
This identification endows the horizontal jet space $J^\infty_\pi(\zeta)$ with the Cartan connection
– namely the pullback connection on $\pi_\infty^*(J^\infty(\zeta))$. Therefore there exist total derivatives
$D_i$ on the horizontal jet space $J^\infty_\pi(\zeta)$; in coordinates these are just, denoting the fiber
coordinate of $\zeta$ with $u^\beta$, the operators

$$D_i = \frac{\partial}{\partial x^i} + q^\alpha_{\sigma + 1_i} \frac{\partial}{\partial q^\alpha_\sigma} + u^\beta_{\tau + 1_i} \frac{\partial}{\partial u^\beta_\tau}.$$

Thus, instead of the horizontal derivatives $D_\sigma(u^\alpha)$ of sections there are now the fiber
coordinates $u^\alpha_\sigma$, which have no derivatives along the fiber coordinates: $\frac{\partial}{\partial q^\alpha_\sigma} u^\beta_\tau = 0$.

1.1.6 Adjoint modules and total differential operators

Let $\xi : E \to J^\infty(\pi)$ be a vector bundle, and $P = \Gamma(\xi)$ its space of sections, which is an
$\mathcal{F}(\pi)$-module. The adjoint module $\widehat{P}$ of $P$ is defined to be the space

$$\widehat{P} := \operatorname{Hom}_{\mathcal{F}(\pi)}(P, \overline{\Lambda}^n(\pi)).$$

We denote the natural coupling between $\widehat{P}$ and $P$ by $\langle\cdot,\cdot\rangle : \widehat{P} \times P \to \overline{\Lambda}^n(\pi)$.

Proposition 1.4. If $\xi : E_\xi \to J^\infty(\pi)$ is a vector bundle over $J^\infty(\pi)$, then $\widehat{\Gamma(\xi)} = \Gamma(E_\xi^* \otimes \overline{\Lambda}^n(\pi))$.
Furthermore, if $\zeta : E_\zeta \to M$ is a vector bundle over $M$, then, denoting $\widehat{\zeta} := E_\zeta^* \otimes \Lambda^n(M)$,
we have

$$\widehat{\Gamma(\pi_\infty^*(\zeta))} = \Gamma(\pi_\infty^*(\widehat{\zeta})).$$

Proof. We start with the first claim. Denote P := Γ(ξ ), let p ∈ P, b and let (ei )i=1,...,k be

a frame for Eξ (i.e. a set of sections ei so that at each θ ∈ J (π ), (ei (θ ))i=1,...,k spans
the fiber above θ), so that if ϕ ∈ P then ϕ = ϕi ei for some functions ϕi ∈ F (π ). Then
n
h p, ϕi = h p, ϕi ei i = ϕi h p, ei i. But the coupling h·, ·i gives an element of Λ (π ), which is
itself a space of sections, so it takes an argument θ from J ∞ (π ), and we see that

h p, ϕi(θ ) = ϕi (θ ) · h p, ei i(θ ).

Therefore, h p, ϕi(θ ) depends only on the value ϕ(θ ) of ϕ at θ, and not on all of ϕ. Thus,
if we define
n
q(θ ) : ξ −1 (θ ) ⊂ Eξ → Λ (π ),
q(θ )( ϕ(θ )) := h p, ϕi(θ )

then we see that this definition makes sense, and that q(θ ) acts linearly on elements
of ξ −1 (θ ) and returns a number times dn x. That is, q(θ ) is an element of the fiber of
n
Eξ∗ ⊗ Λ (π ) above θ, which acts on ξ −1 (θ ) by letting the first component of the tensor
n
product act. q itself, then, is a smooth section Γ( Eξ∗ ⊗ Λ (π )). This space of sections
already has an obvious F (π )-linear action on P by letting the first component of the
tensor product act pointwise on elements of P, so that we have found a correspondence
that goes both ways.
If, moreover, ξ = π∞∗ ( ζ ) for some vector bundle ζ : E → M, then3
ζ

∗ ( ζ )) = Γ π ∗ ( ζ )∗ ⊗ Λn ( π )
 
Pb = ΓŸ
(π∞ ∞
 

= Γ π∞ (ζ ∗ ) ⊗ π∞

(Λn ( M))
 

= Γ π∞ ( Eζ∗ ⊗ Λn ( M)) = Γ(π∞ ∗ b
(ξ )).

Let $\xi, \xi'$ be two vector bundles over $J^\infty(\pi)$. Set $P_\xi := \Gamma(\xi)$ and similarly $P_{\xi'}$. An $\mathbb{R}$-linear map $\Delta : P_\xi \to P_{\xi'}$ is called a total differential operator if for any point $\theta \in J^\infty(\pi)$ and any section $q \in P_\xi$ the value of $\Delta(q)$ at $\theta$ is completely determined by the values of $D_\sigma(q)$ at $\theta$. For the space of these operators we write $\mathcal{C}\mathrm{Diff}(P_\xi, P_{\xi'})$. For the space of maps that take $k$ arguments and are linear and $\mathcal{C}$-differential in each of them, we write $\mathcal{C}\mathrm{Diff}_k(P_\xi, P_{\xi'})$.

$^3$Alternatively, recall that $P := \pi_\infty^*(\zeta) = \Gamma(\zeta) \otimes_{C^\infty(M)} \mathcal{F}(\pi)$. Take a pure tensor from this space, $s \otimes f$ with $s \in \Gamma(\zeta)$ and $f \in \mathcal{F}(\pi)$. Also take some $p \in \hat P$. Then we have $p(s \otimes f) = p(f \cdot (s \otimes 1)) = f\,p(s \otimes 1)$. That is, $p$ is completely determined by how it acts on $s$, so we may regard it as an element $p \in \mathrm{Hom}_{C^\infty(M)}(\Gamma(\zeta), \Lambda^n(M))$. Now via an identical argument as in the first part of this proof, $p(s)(x)$ in fact only depends on $s(x)$ and not on all of $s$, so that it comes from some $q \in E_\zeta^* \otimes \Lambda^n(M)$.

In coordinates, a $\Delta \in \mathcal{C}\mathrm{Diff}(P_\xi, P_{\xi'})$ is a matrix of the form
$$(\Delta)_{ab} = \sum_\sigma a^\sigma_{ab} D_\sigma,$$
where $a = 1, \dots, \dim \xi$, $b = 1, \dots, \dim(\xi')$ and $a^\sigma_{ab} \in \mathcal{F}(\pi)$.

Note that any map $\Delta$ of this form can also be seen as a linear bundle morphism $\Delta : J^\infty_\pi(\xi) \to \xi'$, by setting $\Delta([q]_\theta) = \Delta(q)(\theta)$.
Definition 1.5. If $Q$ is another module of sections of another bundle over $J^\infty(\pi)$ and $\Delta : P \to Q$ is a total differential operator, then the adjoint $\Delta^\dagger : \hat Q \to \hat P$ of $\Delta$ is defined as the map that satisfies, for all $\hat q \in \hat Q$ and $p \in P$,
$$\int \langle \hat q, \Delta(p) \rangle = \int \langle \Delta^\dagger(\hat q), p \rangle.$$
In other words, $\Delta^\dagger$ is such that $\langle \hat q, \Delta(p) \rangle - \langle \Delta^\dagger(\hat q), p \rangle$ is $d$-exact.

1.2 The Schouten bracket

The Schouten bracket is a natural generalization of the commutator of vector fields to the fields of multivectors. It was introduced by J. A. Schouten [Sch40; Sch53], who with A. Nijenhuis [Nij55] established its main properties. Later it was observed by A. Lichnerowicz [Lic77; Lic78] that the bracket provides a way to check if a bivector $\pi$ on a manifold determines a Poisson bracket via the formula $\llbracket \pi, \pi \rrbracket = 0$, which was the first intrinsically coordinate-free method to see this and established the use of the bracket in the Poisson formalism. Moreover, this makes the bracket instrumental in the definition of the Poisson(-Lichnerowicz) cohomology on a Poisson manifold.
Historically, the bracket on jet space seems to have been researched in two distinct areas of mathematics and physics, which have been separate for a long time. The first branch is the quantization of gauge systems; here the bracket is known as the antibracket. It occurs for example in the seminal papers on the BRST and BV formalism, [BRS75; BRS76; Tyu75] and [BV81; BV83] respectively, where it is used to create a nilpotent operator $\llbracket \Omega, \cdot \rrbracket$ providing a resolution of the space of observables. Other occurrences of the bracket in this context are [Zin75], [CF00], [HT92] and [Wit90], the last of which contains some geometrical interpretation of the bracket.
In the Poisson formalism on jet spaces it was understood in [GD80] that the bracket plays a similar role for recognizing Poisson brackets as on usual manifolds. Concepts such as Hamiltonian operators and the relation of the bracket with the Yang–Baxter equation are developed in [GD80] and [RS94; RS03]; for a review, see [Dor93]. A version of the bracket that can be restricted to equations was developed in [KKV04]. Later, a different, recursive way of defining the bracket, which we will discuss in this chapter, was shown in [KV11].
Generalizations to the $\mathbb{Z}_2$-setup and the purely non-commutative setting of the entire theory have been discussed in [Kon93], [OS98], and more recently [Kis12b]; for a review, see [Kis12c].
The realization that the brackets in these areas of mathematics and physics coincide is not an obvious one. Accordingly, a number of seemingly distinct ways of defining the bracket have been developed, whose equivalence is not always immediate and sometimes a subtle issue. In the remainder of this chapter we will examine four of those definitions, of which three will turn out to be equivalent when care is taken.
The remainder of this chapter is structured as follows. In section 1.3 the notion of variational multivectors (which will be the arguments of the bracket) is introduced; at this point it will become clear why the definition of the bracket for usual manifolds fails in the case of jet spaces. In section 1.4 we first define the Schouten bracket as an odd Poisson bracket; then, after giving some examples of the bracket acting on two multivectors, we show that this definition is equivalent to the recursive one introduced in [KV11]. Using the recursive definition we shall prove the Jacobi identity for the bracket, which yields a third definition for the bracket, in terms of graded vector fields and their commutators.

1.3 Variational multivectors

In the case of a smooth manifold $M$, one can think of multivectors in two distinct but equivalent ways:
• A multivector of degree $k$ is a (sum of) wedge products of $k$ vector fields, where the wedge product is defined as the (normalized) antisymmetrization of the tensor product.
• A multivector of degree $k$ is a map $\omega : (\Lambda^1(M))^k \to C^\infty(M)$ that is linear over $C^\infty(M)$ and completely antisymmetric.
The natural pairing between the set of vector fields and $\Lambda^1(M)$ can be extended to a pairing $\langle\ ,\ \rangle : (\bigwedge^i TM) \times \Lambda^n(M) \to C^\infty(M)$, and this pairing then provides an identification between these two viewpoints.
For reasons that will become clear later on (see Remark 1.11 on p. 15) the first viewpoint is not available to us when we want to generalize the concept of multivectors to the variational setup. Therefore we will take the second. To that end, consider the bundle $\hat\pi : E^* \otimes \Lambda^n(M) \to M$. Then $\pi_\infty^*(\hat\pi) = \pi_\infty^*(E^*) \otimes \overline{\Lambda}^n(\pi)$, so that $\hat\kappa(\pi) = \Gamma(\pi_\infty^*(\hat\pi))$. Thus, the formalism of horizontal jet spaces (see section 1.1.5 on p. 8) is applicable to covectors, so we either take $p$ to be an element from $\hat\kappa(\pi)$, an actual covector, or $p \in J^\infty_\pi(\hat\pi)$.
Definition 1.6. A variational $k$-vector $\omega$, or just a $k$-vector, is an $\mathcal{F}(\pi)$-linear function that maps $k$ covectors into $\overline{H}^n(\pi)$, i.e.,
$$\omega : (\hat\kappa(\pi))^k \to \overline{H}^n(\pi),$$
that is totally skew-symmetric, and moreover a total differential operator: that is, its value is completely determined by the total derivatives of its arguments.$^4$ The number $k = |\omega|$ is called its degree.

$^4$Here we mean all total derivatives $D_\sigma$, including the one that has empty index $\sigma = \varnothing$, which is the identity. That is, $\omega$ is also allowed to depend on its arguments directly.


Note that for arbitrary $\omega$ (i.e., not necessarily skew-symmetric), by partial integration we can always write $\omega(p_1, \dots, p_k) = \int \langle p_1, A(p_2, \dots, p_k) \rangle$, for some operator $A$, which then is a $(k-1)$-linear map taking values in $\kappa(\pi)$. The demand that $\omega$ be totally skew-symmetric then implies firstly that $A$ is also totally skew-symmetric, and secondly that it is skew-adjoint in each of its arguments:
$$\omega(p_1, \dots, p_k) = \int \langle p_1, A(p_2, \dots, p_k) \rangle = -\int \langle p_j, A(p_2, \dots, p_{j-1}, p_1, p_{j+1}, \dots, p_k) \rangle.$$
Let us write a $k$-vector $\omega$ as $\omega(p_1, \dots, p_k) = \int f(p_1, \dots, p_k)\,d^n x$ for some function $f$. This function $f$ is linear in each of its arguments, but as the next example shows, $f$ need not be totally antisymmetric.
Example 1.7. Consider the following operator, which is associated to the Korteweg–de Vries equation: $A_2^{\mathrm{KdV}} = -\tfrac{1}{2} D_x^3 + 2q D_x + q_x$, or equivalently
$$\langle p^1, A_2^{\mathrm{KdV}}(p^2) \rangle = \Big( -\tfrac{1}{2} p^1 p^2_{xxx} + 2q p^1 p^2_x + q_x p^1 p^2 \Big)\,dx.$$
This is not antisymmetric because none of the terms are antisymmetric. However, we can fix this non-antisymmetry by integrating by parts:
$$\langle p^1, A_2^{\mathrm{KdV}}(p^2) \rangle \sim \Big( -\tfrac{1}{4}(p^1 p^2_{xxx} - p^1_{xxx} p^2) + 2q p^1 p^2_x - (q p^1_x p^2 + q p^1 p^2_x) \Big)\,dx \sim \Big( \tfrac{1}{4} p^1_x p^2_{xx} - \tfrac{1}{4} p^1_{xx} p^2_x + q p^1 p^2_x - q p^1_x p^2 \Big)\,dx,$$
which is now explicitly antisymmetric.
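As an added illustration of Definition 1.5, not part of the thesis itself, the adjoint of the operator $A_2^{\mathrm{KdV}}$ of Example 1.7 can be computed term by term. The only ingredients are the rules $(D_x)^\dagger = -D_x$ and $(f D_x)^\dagger = -D_x \circ f$ for a function $f$, which follow from integrating $\int \langle p^1, D_x p^2 \rangle\,dx$ by parts; multiplication by a function is its own adjoint. The notation is that of the thesis, and it is assumed (as in the example) that the base is one-dimensional so that boundary terms are $d$-exact:
$$\big(A_2^{\mathrm{KdV}}\big)^\dagger = \big(-\tfrac{1}{2} D_x^3\big)^\dagger + (2q D_x)^\dagger + (q_x)^\dagger = \tfrac{1}{2} D_x^3 - 2 D_x \circ q + q_x = \tfrac{1}{2} D_x^3 - 2q D_x - 2q_x + q_x = -A_2^{\mathrm{KdV}}.$$
Hence $\langle p^1, A_2^{\mathrm{KdV}}(p^2) \rangle + \langle p^2, A_2^{\mathrm{KdV}}(p^1) \rangle$ is $d$-exact, which is exactly why the density in Example 1.7 could be rewritten in an explicitly antisymmetric form: skew-adjointness of $A$ is the operator-level statement of the skew-symmetry of $\omega$ in its first two arguments.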


We now make the observations above more formal.

Remark 1.8. Let $\omega$ be a $k$-vector. Then there exists a function $f : (\hat\kappa(\pi))^k \to \mathcal{F}(\pi)$ in total derivatives, which is totally antisymmetric, such that
$$\omega(p_1, \dots, p_k) = \int f(p_1, \dots, p_k)\,d^n x.$$
Indeed, if $\omega(p_1, \dots, p_k) = \int g(p_1, \dots, p_k)\,d^n x$ for some non-antisymmetric function $g$, then since $\omega$ is totally antisymmetric, we have
$$\omega(p_1, \dots, p_k) = \frac{1}{k!} \sum_{\sigma \in S_k} (-)^\sigma \omega(p_{\sigma(1)}, \dots, p_{\sigma(k)}) = \int \Big( \frac{1}{k!} \sum_{\sigma \in S_k} (-)^\sigma g(p_{\sigma(1)}, \dots, p_{\sigma(k)}) \Big)\,d^n x,$$
so $f(p_1, \dots, p_k) := \frac{1}{k!} \sum_{\sigma \in S_k} (-)^\sigma g(p_{\sigma(1)}, \dots, p_{\sigma(k)})$ is such a function. Note, however, that $f$ is not unique, because constructing $f$ in this way for the example above would yield an expression which differs from the one in the example.

At this point we take the fibers of the bundle $\hat\pi$ and of $\pi_\infty^*(\hat\pi)$, and reverse their parity, $\Pi : p \mapsto b$, while we keep the entire underlying jet space intact [Vor02]. The result is the horizontal jet space $J^\infty_\pi(\Pi\hat\pi)$ with odd fibers over $x$. An element $\theta$ from this space has coordinates
$$\theta = (x^i, q^\alpha, q^\alpha_{x^i}, \dots, q^\alpha_\sigma, \dots;\ b_\alpha, b_{\alpha, x^i}, \dots, b_{\alpha, \sigma}, \dots).$$
The coupling $\langle p, \varphi \rangle = p_\alpha \varphi^\alpha\,d^n x$ extends tautologically to the odd $b$'s, as do the total derivatives: $D_\sigma b_\alpha = b_{\alpha, \sigma}$.

Definition 1.9. A noncommutative variational $k$-vector, with $k \in \mathbb{N} \cup \{0\}$, is an element of $\overline{H}^n(\pi_\infty^*(\Pi\hat\pi))$ having a density that is $k$-linear in the odd $b$'s or their derivatives (i.e., it is a homogeneous polynomial of degree $k$ in $b_{\alpha, \sigma}$). If $\xi$ is a $k$-vector we will call $k = \deg(\xi) = |\xi|$ its degree. Note that by partial integration, any such $k$-vector $\xi$ can be written as
$$\xi(b) = \int \langle b, A(b, \dots, b) \rangle$$
for some totally skew-symmetric total differential operator $A$ that takes $k - 1$ arguments, takes values in $\kappa(\pi)$, and is skew-adjoint in each of its arguments (e.g., in the case of a 2-vector, $\int \langle b^1, A(b^2) \rangle = \int \langle b^2, A(b^1) \rangle$). We will also use the term variational multivector if the vector is not necessarily homogeneous, or if we do not want to specify the degree of the variational multivector.

Note further that this does not imply that every density is, or has to be, a homogeneous polynomial of degree $k$; for example, $\int b b_x\,d^n x = \int (b b_x + D_x(b b_x b_{xx}))\,d^n x$.
R

Suppose we have some coordinate expression for a representative of the (nonzero) cohomology class $\omega(b)$. Then each term contains each jet coordinate $b^a_\sigma$ at most once, because if such a coordinate would occur twice it would square to zero. Therefore, it is possible to see from which slot the jet coordinate came. This allows us to evaluate the noncommutative $k$-vector on $k$ covectors: we set
$$\omega(p_1, \dots, p_k) = \frac{1}{k!} \sum_{\sigma \in S_k} (-)^\sigma \omega(p_{\sigma(1)}, \dots, p_{\sigma(k)}), \tag{1.4}$$
i.e. in the coordinate expression of (the representative of) $\omega$ we replace the $i$-th $b$ that we come across with $p_{\sigma(i)}$ (moving from left to right), and sum over all permutations $\sigma \in S_k$. It is clear that the resulting expression is completely antisymmetric in its arguments, and is an element of $\overline{H}^n(\pi)$; that is, it is a $k$-vector in the sense of Definition 1.6. In fact, the following is now clear.

Proposition 1.10. Let $\omega$ be a $k$-vector. The map that assigns to $\omega$ the noncommutative $k$-vector defined by $\omega(b) := \omega(b, \dots, b)$ for $b \in J^\infty_\pi(\Pi\hat\pi)$ is an injection, whose injective inverse is given by equation (1.4).

Thus, the notions of $k$-vectors and noncommutative $k$-vectors coincide, and henceforth we will treat them as the same. This machinery allows us to give a particularly convenient form of the variational Schouten bracket.

Remark 1.11. Contrary to the case of usual manifolds $M$, where the space of $k$-vectors is isomorphic to $\bigwedge^k TM$, the space of variational $k$-vectors does not split in such a fashion. As a result, the two formulas
$$\llbracket X, Y \wedge Z \rrbracket = \llbracket X, Y \rrbracket \wedge Z + (-)^{(|X|-1)|Y|}\, Y \wedge \llbracket X, Z \rrbracket \tag{1.5}$$
for multivectors $X$, $Y$ and $Z$, and
$$\llbracket X_1 \wedge \dots \wedge X_k, Y_1 \wedge \dots \wedge Y_\ell \rrbracket = \sum_{\substack{1 \le i \le k \\ 1 \le j \le \ell}} (-)^{i+j} [X_i, Y_j] \wedge X_1 \wedge \dots \wedge \widehat{X_i} \wedge \dots \wedge X_k \wedge Y_1 \wedge \dots \wedge \widehat{Y_j} \wedge \dots \wedge Y_\ell \tag{1.6}$$
for vector fields $X_i$ and $Y_j$, no longer hold. Both of these formulas provide a way of defining the bracket on usual, smooth manifolds (together with $\llbracket X, f \rrbracket = X(f)$ for vector fields $X$ and functions $f \in C^\infty(M)$, and $\llbracket X, Y \rrbracket = [X, Y]$ for vector fields $X$ and $Y$).
To sketch an argument why the space of variational $k$-vectors does not split in this way, take for example a 0-vector $\omega = \int f\,d^n x$ and a 1-vector, which we can write as $\eta = \int \langle b, \varphi \rangle$ for some $\varphi \in \kappa(\pi)$. How would we define the wedge product $\omega \wedge \eta$? Both of the factors contain a volume form, and if we just put them together using the wedge product we get 0, so this approach does not work.
Suppose then we set in this case $\omega \wedge \eta = \int f \langle b, \varphi \rangle$. Now the problem is that $f$ is not uniquely determined by $\omega$ and $\varphi$ is not uniquely determined by $\eta$; both are fixed only up to $d$-exact terms. For example, $\omega = \int f\,d^n x = \int (f + D_i(g))\,d^n x$, but $\int f \langle b, \varphi \rangle \ne \int f \langle b, \varphi \rangle + \int D_i(g) \langle b, \varphi \rangle$, because the second term is in general not identically zero. Similarly, we have $\eta = \int \langle b, \varphi \rangle = \int \big( \langle b, \varphi \rangle + d(\alpha(b)) \big)$, for any linear map $\alpha$ mapping $b$ into $(n-1)$-forms. In the same way as above, this trivial term stops being trivial whenever we multiply it on the left with the density of a 0-vector, say. The difficulty persists for multivectors of any degree $k$ and so there is no reasonable wedge product or splitting. (We will, however, solve this absence more or less by hand in Chapter 2, by Definition 2.11 on p. 36.)

1.4 Definitions of the bracket

1.4.1 Odd Poisson bracket

Now that there are odd coordinates $b_\alpha$, we have to distinguish between left and right derivatives. Suppose $f \in \mathcal{F}(\pi \times \Pi\hat\pi)$ is a function on $J^\infty(\pi \times \Pi\hat\pi)$ that does not depend on $b_{\alpha, \sigma}$ for some indices $\alpha, \sigma$. Then the left and right derivatives with respect to $b_{\alpha, \sigma}$ are defined respectively by
$$\frac{\overrightarrow{\partial}}{\partial b_{\alpha, \sigma}}(b_{\alpha, \sigma} f) = f, \qquad (f\, b_{\alpha, \sigma}) \frac{\overleftarrow{\partial}}{\partial b_{\alpha, \sigma}} = f.$$
For arbitrary $f, g \in \mathcal{F}(\pi \times \Pi\hat\pi)$ these imply the following graded Leibniz rules:
$$\frac{\overrightarrow{\partial}}{\partial b_{\alpha, \sigma}}(f g) = \Big( \frac{\overrightarrow{\partial}}{\partial b_{\alpha, \sigma}} f \Big) g + (-)^{|f|} f\, \frac{\overrightarrow{\partial}}{\partial b_{\alpha, \sigma}} g, \qquad (f g) \frac{\overleftarrow{\partial}}{\partial b_{\alpha, \sigma}} = f\, g \frac{\overleftarrow{\partial}}{\partial b_{\alpha, \sigma}} + (-)^{|g|} \Big( f \frac{\overleftarrow{\partial}}{\partial b_{\alpha, \sigma}} \Big) g.$$
Thus, when operating on a product of functions the arrow indicates on which factor the derivative acts first. As for the variational derivatives, we set (cf. equation (1.2))
$$\frac{\overrightarrow{\delta}}{\delta b_\alpha} = (-)^\sigma D_\sigma \frac{\overrightarrow{\partial}}{\partial b_{\alpha, \sigma}} \quad\text{and}\quad \frac{\overleftarrow{\delta}}{\delta b_\alpha} = (-)^\sigma D_\sigma \frac{\overleftarrow{\partial}}{\partial b_{\alpha, \sigma}},$$
so that the relation between the Euler operator $\delta_b$ and the left and right variational derivatives is (cf. equation (1.3))
$$\delta_b\, \omega = \int \delta b_\alpha\, \frac{\overrightarrow{\delta} \omega}{\delta b_\alpha} = \int \frac{\overleftarrow{\delta} \omega}{\delta b_\alpha}\, \delta b_\alpha,$$
that is, the arrow on top of the variational derivative points away from the variation $\delta b_\alpha$.

Definition 1.12. Let $\xi$ and $\eta$ be variational multivectors. The variational Schouten bracket $\llbracket \xi, \eta \rrbracket$ of $\xi$ and $\eta$ is the $(|\xi| + |\eta| - 1)$-vector defined by$^5$
$$\llbracket \xi, \eta \rrbracket = \int \Big[ \frac{\overleftarrow{\delta} \xi}{\delta q^\alpha} \frac{\overrightarrow{\delta} \eta}{\delta b_\alpha} - \frac{\overleftarrow{\delta} \xi}{\delta b_\alpha} \frac{\overrightarrow{\delta} \eta}{\delta q^\alpha} \Big], \tag{1.7}$$
in which one easily recognizes a Poisson bracket. The fact that this is a $(|\xi| + |\eta| - 1)$-vector comes from the variational derivatives $\delta / \delta b$ occurring in the expression: if $\eta$ takes $|\eta|$ arguments then $\delta\eta / \delta b$ takes $|\eta| - 1$ arguments.

We will use the following two lemmas to calculate Examples 1.15 through 1.18.

$^5$To be precise, if $\xi = \int f(b, \dots, b)\,d^n x$ and $\eta = \int g(b, \dots, b)\,d^n x$, where $f$ and $g$ are both homogeneous polynomials in $b_{\alpha, \sigma}$ of degree $|\xi|$ and $|\eta|$ respectively, then the bracket is given by
$$\llbracket \xi, \eta \rrbracket = \int \Big( \frac{\overleftarrow{\delta} f}{\delta q^\alpha} \frac{\overrightarrow{\delta} g}{\delta b_\alpha} - \frac{\overleftarrow{\delta} f}{\delta b_\alpha} \frac{\overrightarrow{\delta} g}{\delta q^\alpha} \Big)\,d^n x,$$
which does not depend on the representatives $f$ and $g$ because $\delta \circ d = 0$. This notation, although correct, does not seem to be used in the literature.

Lemma 1.13. Suppose $\xi = \int \langle b, A(b, \dots, b) \rangle$ is a multivector. Then
$$\frac{\delta \xi}{\delta b_\alpha} = |\xi|\, A(b, \dots, b)^\alpha. \tag{1.8}$$

Proof. Set $k = |\xi|$. We calculate
$$\int \delta b_\alpha \frac{\delta \xi}{\delta b_\alpha} = \delta_b \xi = \delta_b \int \langle b, A(b, \dots, b) \rangle = \int \langle \delta b, A(b, \dots, b) \rangle + \sum_{n=1}^{k-1} \int \langle b, A(b, \dots, \delta b, \dots, b) \rangle.$$
Now $\delta b$ anticommutes with the $b$ left to it, and $A$ is antisymmetric in all of its arguments, so we can switch $\delta b$ with the $b$ on its left, giving two cancelling minus signs. Doing this multiple times, we obtain
$$= \int \langle \delta b, A(b, \dots, b) \rangle + \sum_{j=1}^{k-1} \int \langle b, A(\delta b, b, \dots, b) \rangle.$$
Next we first switch $\delta b$ with the $b$ to its left, and then use the fact that $A$ is skew-symmetric in its first argument, again giving two cancelling minus signs:
$$= \int \langle \delta b, A(b, \dots, b) \rangle + (k-1) \int \langle \delta b, A(b, \dots, b) \rangle = k \int \langle \delta b, A(b, \dots, b) \rangle = k \int \delta b_\alpha\, A(b, \dots, b)^\alpha.$$
The result follows by comparing the coefficients of $\delta b_\alpha$.

Lemma 1.14. Let $\xi$ and $\eta$ be $k$- and $\ell$-vectors respectively, so that $\xi = \int \langle b, A(b, \dots, b) \rangle$ and $\eta = \int \langle b, B(b, \dots, b) \rangle$ respectively. Then
$$\llbracket \xi, \eta \rrbracket = \int \Big[ (-)^{k(\ell-1)}\, \ell\, \partial^{(q)}_{B(b, \dots, b)} \xi - (-)^{k-1}\, k\, \partial^{(q)}_{A(b, \dots, b)} \eta \Big]. \tag{1.9}$$

Proof. In the second term of the definition of the Schouten bracket, we first reverse the arrow on the $b$-derivative, giving a sign $(-)^{k-1}$. In the first term, we swap the two factors $(\overleftarrow{\delta}\xi / \delta q^\alpha)(\overrightarrow{\delta}\eta / \delta b_\alpha)$. For this we have to move the $\ell - 1$ $b$'s of $\overrightarrow{\delta}\eta / \delta b_\alpha$ through the $k$ $b$'s of $\overleftarrow{\delta}\xi / \delta q^\alpha$, giving a sign $(-)^{k(\ell-1)}$. Thus
$$\llbracket \xi, \eta \rrbracket = \int \Big[ \frac{\overleftarrow{\delta} \xi}{\delta q^\alpha} \frac{\overrightarrow{\delta} \eta}{\delta b_\alpha} - \frac{\overleftarrow{\delta} \xi}{\delta b_\alpha} \frac{\overrightarrow{\delta} \eta}{\delta q^\alpha} \Big] = \int \Big[ (-)^{k(\ell-1)} \frac{\overrightarrow{\delta} \eta}{\delta b_\alpha} \frac{\overleftarrow{\delta} \xi}{\delta q^\alpha} - (-)^{k-1} \frac{\overrightarrow{\delta} \xi}{\delta b_\alpha} \frac{\overrightarrow{\delta} \eta}{\delta q^\alpha} \Big]$$
$$= \int \Big[ (-)^{k(\ell-1)}\, \ell\, D_\sigma B(b)^\alpha \frac{\partial \xi}{\partial q^\alpha_\sigma} - (-)^{k-1}\, k\, D_\sigma A(b)^\alpha \frac{\partial \eta}{\partial q^\alpha_\sigma} \Big] = \int \Big[ (-)^{k(\ell-1)}\, \ell\, \partial^{(q)}_{B(b)} \xi - (-)^{k-1}\, k\, \partial^{(q)}_{A(b)} \eta \Big].$$

Example 1.15. Let $H \in \overline{H}^n(\pi)$ be a 0-vector, and take a one-vector $\varphi \in \kappa(\pi)$, i.e., $\eta = \int \langle b, \varphi \rangle$. As $k = 0$ the term on the right in equation (1.9) vanishes. We are left with
$$\llbracket H, \varphi \rrbracket = \int \partial^{(q)}_\varphi H,$$
i.e., the Schouten bracket calculates the velocity of $H$ along $\partial^{(q)}_\varphi$.

Example 1.16. Suppose $\xi$ and $\eta$ are two one-vectors, i.e., $\xi = \int \langle b, \varphi_1 \rangle$ and $\eta = \int \langle b, \varphi_2 \rangle$ for some $\varphi_1, \varphi_2 \in \kappa(\pi)$. Then
$$\llbracket \xi, \eta \rrbracket = \int \Big( \partial^{(q)}_{\varphi_2}(\xi) - \partial^{(q)}_{\varphi_1}(\eta) \Big) = \int \Big( \partial^{(q)}_{\varphi_2} \langle b, \varphi_1 \rangle - \partial^{(q)}_{\varphi_1} \langle b, \varphi_2 \rangle \Big) = \int \Big( \langle b, \partial^{(q)}_{\varphi_2} \varphi_1 \rangle - \langle b, \partial^{(q)}_{\varphi_1} \varphi_2 \rangle \Big),$$
which holds because $b$ does not depend on the jet coordinates $q^\alpha$, whence
$$= \int \langle b, [\varphi_2, \varphi_1] \rangle = -\int \langle b, [\varphi_1, \varphi_2] \rangle.$$
Thus, in this case the variational Schouten bracket just calculates the ordinary commutator of evolutionary vector fields, up to a minus sign (cf. equation (1.6)).

Example 1.17. Suppose the base and fiber are both $\mathbb{R}$, and let $\xi = \int b b_x\,dx$ be a (nontrivial) two-vector and $\eta = \int b\, x^3 q_{xx}\,dx$ be a one-vector. Then, again using equation (1.9),
$$\llbracket \xi, \eta \rrbracket = 0 + 2 \int \partial^{(q)}_{b_x}(b\, x^3 q_{xx})\,dx = 2 \int D_x^2(b_x)\, b\, x^3\,dx = 2 \int x^3 b_{xxx} b\,dx.$$
We shall return to this example on p. 21 (see Example 1.23).

Example 1.18. In this final example, let $\xi = \int b b_x\,dx$ again and $\eta = \int q_x b b_x\,dx$; then
$$\llbracket \xi, \eta \rrbracket = 0 + 2 \int \partial^{(q)}_{b_x}(q_x b b_x)\,dx = 2 \int D_x(b_x) \cdot b b_x\,dx = 2 \int b b_x b_{xx}\,dx.$$
Notice the factor 2 standing in front of the answers in the last two examples; it will become important in the next section.
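The following check is added here and is not part of the thesis: it recomputes Example 1.17 straight from Definition 1.12, using the left and right derivatives of section 1.4.1 instead of Lemma 1.14, so that the sign conventions for the arrows and the factor $|\xi| = 2$ of Lemma 1.13 can be seen explicitly. Only the notation of the thesis is used.

For $\xi = \int b b_x\,dx$ the density $b b_x$ contains no $q$'s, so $\overleftarrow{\delta}\xi / \delta q = 0$. For the $b$-derivatives, writing $b b_x = -b_x b$ whenever the variable being removed has to be brought to the correct side,
$$\frac{\overrightarrow{\partial}}{\partial b}(b b_x) = b_x, \quad \frac{\overrightarrow{\partial}}{\partial b_x}(b b_x) = -b, \quad (b b_x) \frac{\overleftarrow{\partial}}{\partial b} = -b_x, \quad (b b_x) \frac{\overleftarrow{\partial}}{\partial b_x} = b,$$
so that
$$\frac{\overrightarrow{\delta} \xi}{\delta b} = b_x - D_x(-b) = 2 b_x, \qquad \frac{\overleftarrow{\delta} \xi}{\delta b} = -b_x - D_x(b) = -2 b_x,$$
in agreement with Lemma 1.13 (here $A(b) = b_x$ and $|\xi| = 2$) and with the extra minus sign in the second equality of Lemma 1.19 for an even number of $b$'s. For $\eta = \int b\, x^3 q_{xx}\,dx$ one has $\overrightarrow{\delta}\eta / \delta q = D_x^2(x^3 b)$. Substituting into (1.7),
$$\llbracket \xi, \eta \rrbracket = \int \Big[ 0 - \frac{\overleftarrow{\delta} \xi}{\delta b} \frac{\overrightarrow{\delta} \eta}{\delta q} \Big] = \int 2 b_x\, D_x^2(x^3 b)\,dx = 2 \int D_x^2(b_x)\, x^3 b\,dx = 2 \int x^3 b_{xxx} b\,dx,$$
where the last two steps integrate by parts twice without reordering odd factors, so no sign appears; this is the result of Example 1.17.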

1.4.2 A recursive definition

The second way of defining the bracket, due to I. Krasil'shchik and A. Verbovetsky [KV11], is done in terms of the insertion operator: let $\xi$ be a $k$-vector, and let $p \in \hat\kappa(\pi)$ or $p \in J^\infty_\pi(\hat\pi)$ (i.e., $p$ can be either an actual covector or an element from the corresponding horizontal jet space). Denote by $\xi(p)$ or $\iota_p(\xi)$ the $(k-1)$-vector that one obtains by putting $p$ in the rightmost slot of $\xi$:
$$\xi(p)(b) = \iota_p(\xi)(b) = \xi(\underbrace{b, \dots, b}_{k-1}, p) = \frac{1}{k} \sum_{j=1}^k (-)^{k-j}\, \xi(b, \dots, b, p, b, \dots, b), \tag{1.10}$$
where $p$ is in the $j$-th slot in the right hand side. Note that if we were to insert $k - 1$ additional elements of $\hat\kappa(\pi)$ in this expression in this way, we recover formula (1.4).
R
Lemma 1.19. If $\xi = \int \langle b, A(b, \dots, b) \rangle$ is a $k$-vector, then
$$\frac{\overrightarrow{\delta} \xi(p)}{\delta b_\alpha} = \frac{k-1}{k} \frac{\overrightarrow{\delta} \xi}{\delta b_\alpha}(p) \quad\text{and}\quad \frac{\overleftarrow{\delta} \xi(p)}{\delta b_\alpha} = -\frac{k-1}{k} \frac{\overleftarrow{\delta} \xi}{\delta b_\alpha}(p). \tag{1.11}$$

Proof. $\xi(p)$ is a $(k-1)$-vector, so $\overrightarrow{\delta}\xi(p) / \delta b_\alpha = (k-1) A(b, \dots, b, p)^\alpha$ by Lemma 1.13. However, $\xi$ is a $k$-vector, so $(\overrightarrow{\delta}\xi / \delta b_\alpha)(p) = (k A(b, \dots, b)^\alpha)(p) = k A(b, \dots, b, p)^\alpha$, from which the first equality of the Lemma follows. The second equality is established by reversing the arrow of the derivative, using the first equality, and restoring the arrow to its original direction again; this results in the extra minus sign in this equality.

On the other hand, if $p \in J^\infty_\pi(\hat\pi)$ then $\delta\xi(p) / \delta q^\alpha = (\delta\xi / \delta q^\alpha)(p)$. Indeed, we have $\partial p_{\beta, \tau} / \partial q^\alpha_\sigma = 0$, and if $f$ is one of the densities of a $k$-vector, then the total derivative $D_i$ and the insertion operator $\iota_p$ commute. For example,
$$\iota_p(D_i b_{\alpha, \sigma}) = \iota_p(b_{\alpha, \sigma + 1_i}) = p_{\alpha, \sigma + 1_i}$$
and
$$D_i(\iota_p(b_{\alpha, \sigma})) = D_i(p_{\alpha, \sigma}) = p_{\alpha, \sigma + 1_i}.$$
Thus, from the formula $\frac{\delta}{\delta q^\alpha} = \sum_{|\sigma| \ge 0} (-)^\sigma D_\sigma \frac{\partial}{\partial q^\alpha_\sigma}$ for the variational derivative it follows that $\delta\xi(p) / \delta q^\alpha = (\delta\xi / \delta q^\alpha)(p)$.
Theorem 1.20. Let $\xi$ and $\eta$ be $k$- and $\ell$-vectors, respectively, and $p \in J^\infty_\pi(\hat\pi)$. Then
$$\llbracket \xi, \eta \rrbracket(p) = \frac{\ell}{k + \ell - 1} \llbracket \xi, \eta(p) \rrbracket + (-)^{\ell-1} \frac{k}{k + \ell - 1} \llbracket \xi(p), \eta \rrbracket. \tag{1.12}$$

Proof. We relate the two sides of the equation by letting $p$ range over the slots as in equation (1.10). In this calculation we will for brevity omit the fiber indices $\alpha$.

Consider the first term of the left hand side, $\Big( \frac{\overleftarrow{\delta} \xi}{\delta q} \frac{\overrightarrow{\delta} \eta}{\delta b} \Big)(p)$. If we were to take the sum as in equation (1.10), we would obtain an expression containing $k + \ell - 1$ slots; in some cases $p$ is in one of the $\ell - 1$ slots of $\overrightarrow{\delta}\eta / \delta b$ and in the other cases it is in one of the $k$ slots of $\overleftarrow{\delta}\xi / \delta q$. All of these terms carry the normalizing factor $1 / (k + \ell - 1)$. Now we notice the following:

• Each term in which $p$ is in a slot coming from $\overrightarrow{\delta}\eta / \delta b$ has a matching term in the expansion of $\frac{\overleftarrow{\delta} \xi}{\delta q}\, \iota_p \Big( \frac{\overrightarrow{\delta} \eta}{\delta b} \Big)$ according to (1.10), except that there each term would carry a factor $1 / (\ell - 1)$, because now $p$ only has access to the $\ell - 1$ slots of $\overrightarrow{\delta}\eta / \delta b$.
• Similarly, each term of the left hand side of (1.12) in which $p$ is in one of the slots of $\overleftarrow{\delta}\xi / \delta q$ has a matching term in the expansion of $\iota_p \Big( \frac{\overleftarrow{\delta} \xi}{\delta q} \Big) \frac{\overrightarrow{\delta} \eta}{\delta b}$, but there they carry a factor $1 / k$.
• Moreover, in that case they also carry the sign $(-)^{\ell-1}$, which comes from the fact that here $p$ had to pass over the $\ell - 1$ slots of $\overrightarrow{\delta}\eta / \delta b$.

Gathering these remarks, we find
$$\Big( \frac{\overleftarrow{\delta} \xi}{\delta q} \frac{\overrightarrow{\delta} \eta}{\delta b} \Big)(p) = \frac{\ell - 1}{k + \ell - 1} \frac{\overleftarrow{\delta} \xi}{\delta q}\, \iota_p \Big( \frac{\overrightarrow{\delta} \eta}{\delta b} \Big) + (-)^{\ell-1} \frac{k}{k + \ell - 1}\, \iota_p \Big( \frac{\overleftarrow{\delta} \xi}{\delta q} \Big) \frac{\overrightarrow{\delta} \eta}{\delta b} = \frac{\ell}{k + \ell - 1} \frac{\overleftarrow{\delta} \xi}{\delta q} \frac{\overrightarrow{\delta} \eta(p)}{\delta b} + (-)^{\ell-1} \frac{k}{k + \ell - 1} \frac{\overleftarrow{\delta} \xi(p)}{\delta q} \frac{\overrightarrow{\delta} \eta}{\delta b},$$
where we have used the first equation of Lemma 1.19 in the first term.
Now we consider the second term of the left hand side of (1.12), and use a similar reasoning:
$$\Big( \frac{\overleftarrow{\delta} \xi}{\delta b} \frac{\overrightarrow{\delta} \eta}{\delta q} \Big)(p) = \frac{\ell}{k + \ell - 1} \frac{\overleftarrow{\delta} \xi}{\delta b}\, \iota_p \Big( \frac{\overrightarrow{\delta} \eta}{\delta q} \Big) + (-)^{\ell} \frac{k - 1}{k + \ell - 1}\, \iota_p \Big( \frac{\overleftarrow{\delta} \xi}{\delta b} \Big) \frac{\overrightarrow{\delta} \eta}{\delta q} = \frac{\ell}{k + \ell - 1} \frac{\overleftarrow{\delta} \xi}{\delta b} \frac{\overrightarrow{\delta} \eta(p)}{\delta q} + (-)^{\ell+1} \frac{k}{k + \ell - 1} \frac{\overleftarrow{\delta} \xi(p)}{\delta b} \frac{\overrightarrow{\delta} \eta}{\delta q},$$
where now the second equation of Lemma 1.19 has been used. Subtracting the results of these two calculations, we obtain exactly the right hand side of equation (1.12).

Thus, by recursively reducing the degrees of the arguments of the bracket, formula (1.12) expresses the value of the bracket of a $k$-vector and an $\ell$-vector on $k + \ell - 1$ covectors. We can interpret it as a second definition of the Schouten bracket, provided that we also set
$$\llbracket H, \varphi \rrbracket = \int \partial^{(q)}_\varphi H = \int \langle \delta H, \varphi \rangle$$

for 1-vectors $\varphi$ and 0-vectors $H \in \overline{H}^n(\pi)$. Theorem 1.20 then says that this definition is equivalent to Definition 1.12. However, let us notice the following:

Remark 1.21. There are numerical factors in front of the two terms of the right hand side; these are absent in [KV11]. For example, the bracket of a 2-vector $\xi$ and a 0-vector $H$ is $\llbracket H, \xi \rrbracket(p) = 2\, \xi(\delta H, p)$ according to both Definition 1.12 and Theorem 1.20; note the factor 2.

Remark 1.22. Secondly, it is important that the $p$ that is inserted in (1.12) is not an actual covector, but that $p \in J^\infty_\pi(\hat\pi)$. Otherwise, unwanted terms like $\partial^{(q)}_\varphi(p)$ occur in the final steps, and equivalence with Definition 1.12 is spoiled. Thus one takes two multivectors, inserts elements from the horizontal jet space according to the formula, and only plugs in the (derivatives of) actual covectors at the end of the day. This remark is again absent from [KV11].

Example 1.23. Let us re-calculate Example 1.17 using this formula. So, let $\xi = \int b b_x\,dx$ and $\eta = \int b\, x^3 q_{xx}\,dx$, and let $p^1, p^2 \in J^\infty_\pi(\hat\pi)$. Then
$$\llbracket \xi, \eta \rrbracket(p^1, p^2) = \llbracket \xi, \eta \rrbracket(p^2)(p^1) = \frac{1}{2} \llbracket \xi, \eta(p^2) \rrbracket(p^1) + \frac{2}{2} \llbracket \xi(p^2), \eta \rrbracket(p^1)$$
$$= -2 \cdot \frac{1}{2} \cdot \llbracket \xi(p^1), \eta(p^2) \rrbracket + 1 \cdot \llbracket \xi(p^2), \eta(p^1) \rrbracket + 1 \cdot \llbracket \xi(p^1, p^2), \eta \rrbracket$$
$$= \int \Big[ (-)^2\, \partial^{(q)}_{p^1_x}(p^2 x^3 q_{xx}) - \partial^{(q)}_{p^2_x}(p^1 x^3 q_{xx}) + \tfrac{1}{2}\, \partial^{(q)}_{x^3 q_{xx}}(p^1 p^2_x - p^2 p^1_x) \Big]\,dx$$
$$= \int \big[ x^3 p^1_{xxx} p^2 - (p^1 \leftrightarrow p^2) \big]\,dx.$$
(Keeping track of the coefficients and signs is a good exercise.) This is precisely what one gets after evaluating the result of Example 1.17 on $p^1$ and $p^2$.

Theorem 1.20 allows us to reduce the Jacobi identity for the Schouten bracket to that of the commutator of one-vectors.

Proposition 1.24. Let $r$, $s$ and $t$ be the degrees of the variational multivectors $\xi$, $\eta$ and $\zeta$, respectively. The Schouten bracket satisfies the graded Jacobi identity:
$$(-)^{(r-1)(t-1)} \llbracket \xi, \llbracket \eta, \zeta \rrbracket \rrbracket + (-)^{(r-1)(s-1)} \llbracket \eta, \llbracket \zeta, \xi \rrbracket \rrbracket + (-)^{(s-1)(t-1)} \llbracket \zeta, \llbracket \xi, \eta \rrbracket \rrbracket = 0. \tag{1.13}$$

Proof. We proceed by induction using Theorem 1.20. When the degrees of the three vectors do not exceed 1, the statement follows from the reductions of the Schouten bracket to known structures, as in Examples 1.15 and 1.16. Now let the degrees be arbitrary natural numbers. Denote by $I_1$, $I_2$ and $I_3$ the respective terms of the left hand side of (1.13). Then for any $p \in J^\infty_\pi(\hat\pi)$ we have that
$$I_1(p) = (-)^{(r-1)(t-1)} \llbracket \xi, \llbracket \eta, \zeta \rrbracket \rrbracket(p) = \frac{(-)^{(r-1)(t-1)}}{r + s + t - 2} \Big( (s + t - 1) \llbracket \xi, \llbracket \eta, \zeta \rrbracket(p) \rrbracket + r (-)^{s+t-2} \llbracket \xi(p), \llbracket \eta, \zeta \rrbracket \rrbracket \Big)$$
$$= \frac{(-)^{(r-1)(t-1)}}{r + s + t - 2} \Big( t \llbracket \xi, \llbracket \eta, \zeta(p) \rrbracket \rrbracket + s (-)^{t-1} \llbracket \xi, \llbracket \eta(p), \zeta \rrbracket \rrbracket + r (-)^{s+t-2} \llbracket \xi(p), \llbracket \eta, \zeta \rrbracket \rrbracket \Big).$$
Similarly,
$$I_2(p) = \frac{(-)^{(r-1)(s-1)}}{r + s + t - 2} \Big( r \llbracket \eta, \llbracket \zeta, \xi(p) \rrbracket \rrbracket + t (-)^{r-1} \llbracket \eta, \llbracket \zeta(p), \xi \rrbracket \rrbracket + s (-)^{r+t-2} \llbracket \eta(p), \llbracket \zeta, \xi \rrbracket \rrbracket \Big),$$
$$I_3(p) = \frac{(-)^{(s-1)(t-1)}}{r + s + t - 2} \Big( s \llbracket \zeta, \llbracket \xi, \eta(p) \rrbracket \rrbracket + r (-)^{s-1} \llbracket \zeta, \llbracket \xi(p), \eta \rrbracket \rrbracket + t (-)^{r+s-2} \llbracket \zeta(p), \llbracket \xi, \eta \rrbracket \rrbracket \Big).$$
For notational convenience, let us set $I_1(p) + I_2(p) + I_3(p) =: I / (r + s + t - 2)$. Next we rearrange the terms in $I$:
$$I = (-)^{r-1}\, t \big\{ (-)^{(r-1)(t-2)} \llbracket \xi, \llbracket \eta, \zeta(p) \rrbracket \rrbracket + (-)^{(r-1)(s-1)} \llbracket \eta, \llbracket \zeta(p), \xi \rrbracket \rrbracket + (-)^{(s-1)(t-2)} \llbracket \zeta(p), \llbracket \xi, \eta \rrbracket \rrbracket \big\}$$
$$+ (-)^{t-1}\, s \big\{ (-)^{(r-1)(t-1)} \llbracket \xi, \llbracket \eta(p), \zeta \rrbracket \rrbracket + (-)^{(r-1)(s-2)} \llbracket \eta(p), \llbracket \zeta, \xi \rrbracket \rrbracket + (-)^{(s-2)(t-1)} \llbracket \zeta, \llbracket \xi, \eta(p) \rrbracket \rrbracket \big\}$$
$$+ (-)^{s-1}\, r \big\{ (-)^{(r-2)(t-1)} \llbracket \xi(p), \llbracket \eta, \zeta \rrbracket \rrbracket + (-)^{(r-2)(s-1)} \llbracket \eta, \llbracket \zeta, \xi(p) \rrbracket \rrbracket + (-)^{(s-1)(t-1)} \llbracket \zeta, \llbracket \xi(p), \eta \rrbracket \rrbracket \big\},$$
i.e., we obtain the Jacobi identity for $\xi$, $\eta$ and $\zeta(p)$; for $\xi$, $\eta(p)$ and $\zeta$; and for $\xi(p)$, $\eta$ and $\zeta$ (each times some unimportant factors). Thus we see that if we know that the identity holds for $(r-1, s, t)$, $(r, s-1, t)$ and $(r, s, t-1)$, then it holds for $(r, s, t)$.

1.4.3 Graded vector fields

Proposition 1.25. If $\xi$ and $\eta$ are $k$- and $\ell$-vectors respectively, then their Schouten bracket is equal to
$$\llbracket \xi, \eta \rrbracket = \int Q_\xi(\eta) = \int (\xi) \overleftarrow{Q}_\eta, \tag{1.14}$$

where for any $k$-vector $\xi$, the graded evolutionary vector field $Q_\xi$ is defined by
$$Q_\xi := \partial^{(q)}_{-\delta_b \xi} + \partial^{(b)}_{\delta_q \xi}. \tag{1.15}$$

Proof. This is readily seen from the equalities
$$\int \partial^{(b)}_{\delta_q \xi}(\eta) = \int D_\sigma \Big( \frac{\overleftarrow{\delta} \xi}{\delta q^\alpha} \Big) \frac{\partial \eta}{\partial b_{\alpha, \sigma}} = \int \frac{\overleftarrow{\delta} \xi}{\delta q^\alpha} (-)^\sigma D_\sigma \frac{\partial \eta}{\partial b_{\alpha, \sigma}} = \int \frac{\overleftarrow{\delta} \xi}{\delta q^\alpha} \frac{\overrightarrow{\delta} \eta}{\delta b_\alpha},$$
which is the first term of the Schouten bracket $\llbracket \xi, \eta \rrbracket$. The second term of (1.15) is done similarly.

As a consequence of this proposition, the Schouten bracket is a derivation: if $\eta$ is a product of $k$ factors, then $\llbracket \xi, \eta \rrbracket = \int Q_\xi(\eta)$ has $k$ terms, where in the $i$-th term, $Q_\xi$ acts on the $i$-th factor while leaving the others alone. However, while the bracket is a derivation in both of its arguments separately, it is not a bi-derivation (i.e., a derivation in both arguments simultaneously), as in equation (1.6). To see why this is so, take a multivector $\eta$ and let us suppose for simplicity that it has a density that consists of a single term containing $\ell$ coordinates, which can be either $q$'s or $b$'s: $\eta = \prod_{i=1}^\ell a_i$, for a set of letters $a_i$. Then the $i$-th term of $\llbracket \xi, \eta \rrbracket = \int Q_\xi(\eta)$ is a sign which is not important for the present purpose, times $a_1 \cdots Q_\xi(a_i) \cdots a_\ell$.
Now suppose that $\xi = \prod_{j=1}^k c_j$ for some set of letters $c_j$, and note that $Q_\xi(a_i) = (\xi) \overleftarrow{Q}_{a_i} + \text{trivial terms}$. Let us call the trivial term $\omega$ for the moment. Then we see that
$$a_1 \cdots Q_\xi(a_i) \cdots a_\ell = a_1 \cdots (\xi) \overleftarrow{Q}_{a_i} \cdots a_\ell + a_1 \cdots \omega \cdots a_\ell.$$
Here the first term expands to what it should be in order for the bracket to be a bi-derivation, namely a sum consisting of terms of the form
$$a_1 \cdots c_1 \cdots (c_j) \overleftarrow{Q}_{a_i} \cdots c_k \cdots a_\ell$$
times possible minus signs. The second term, however, is generally no longer trivial, so that it does not vanish. Therefore the bracket is not in general a bi-derivation.

Theorem 1.26. The Schouten bracket is related to the graded commutator of graded vector fields as follows:
$$\int Q_{\llbracket \xi, \eta \rrbracket} f = \int [Q_\xi, Q_\eta] f, \tag{1.16}$$
for any smooth function $f$ on the horizontal jet space $J^\infty_\pi(\hat\pi)$.

Proof. Expanding the right hand side of equation (1.16) using the definition of the graded commutator and equation (1.15), we infer that
$$\int [Q_\xi, Q_\eta] f = \int Q_\xi(Q_\eta(f)) - (-)^{(|\xi|-1)(|\eta|-1)} \int Q_\eta(Q_\xi(f)) = \llbracket \xi, \llbracket \eta, f \rrbracket \rrbracket - (-)^{(|\xi|-1)(|\eta|-1)} \llbracket \eta, \llbracket \xi, f \rrbracket \rrbracket = \llbracket \llbracket \xi, \eta \rrbracket, f \rrbracket = \int Q_{\llbracket \xi, \eta \rrbracket} f,$$
where we used the graded Jacobi identity (see Proposition 1.24) in the third equality.

This provides a third way of defining the Schouten bracket, equivalent to the previous two. Since the only fact that is used in this proof is that the Schouten bracket satisfies the graded Jacobi identity, Theorem 1.26 is actually equivalent to the Jacobi identity for the Schouten bracket. It is also possible to prove Theorem 1.26 directly (see [Kis12c, p. 84]), by inspecting both sides of equation (1.16); in that case the Jacobi identity may be proved as a consequence of Theorem 1.26.
As a bonus, we see that if $P$ is a Poisson bi-vector, i.e., $\llbracket P, P \rrbracket = 0$, then $Q_P$ is a differential, $(Q_P)^2 = 0$. This gives rise to the Poisson(-Lichnerowicz) cohomology groups $H^k_P$.
Finally, we note that these definitions of the Schouten bracket also exist and remain coinciding in the $\mathbb{Z}_2$-graded setup $J^\infty(\pi_0 | \pi_1) \to M^{n_0 | n_1}$, and in the setup of purely non-commutative manifolds and non-commutative bundles (see [Kon93], [OS98] and lastly [Kis12c], which contains details and discussion, and generalizes the topic of this chapter to the non-commutative world).
Chapter 2

The BV-formalism

In theoretical physics, the Batalin–Vilkovisky formalism is a technique for the quantization of certain gauge-invariant systems, formulated in ter­ms of fields and anticommuting antifields; the Schouten bracket (usually called the antibracket); and a linear differential called the BV-Laplacian. Mathematically, the function(al)s on fields and antifields together with the Schouten bracket and the BV-Laplacian form a BV-algebra. Nearly all of this can be concisely formulated in terms of calculus on (parity-odd) jet bundles. Unfortunately, the BV-Laplacian as it is usually defined in the literature contains "infinite constants" or delta-functions that need to be regularized. In this chapter we will define the notion of BV-algebras and briefly explain their physical importance, review and introduce the geometrical setup of such systems, and finally we explain why a particular Laplacian that contains no such infinite constants or delta functions is not suitable for use in the BV-formalism.

2.1 Introduction
The Batalin–Vilkovisky (BV) Laplacian ∆ is a necessary ingredient in the quantiza-
tion of gauge-invariant systems of Euler–Lagrange equations [BV81; BV83; HT92]. Its
construction relies on the presence of canonically conjugate pairs of variables such
as fields and antifields, or ghost-antighost pairs, which stem from the derivation of
the Euler–Lagrange equations of motion δS = 0 and Noether relations, respectively
(see [BV81; BV83; BRS75; BRS76; Tyu75] and [Kis12a; Kis12c]). The BV-Laplacian ∆ is
intimately connected to the variational Schouten bracket J , K (the odd Poisson bracket,
or antibracket [Wit90]), which was discussed in the previous chapter.
When the Laplace equation $\Delta F = 0$ holds for an integral functional $F$ of fields and antifields, then Feynman's path integral of $F$ over the space of admissible fields is essentially independent of the non-physical antifields. As soon as the setup becomes quantum and all objects depend also on the Planck constant $\hbar$, the Laplace equation
$$\Delta\big(\mathcal{O}\cdot\exp(iS^{\hbar}_{BV}/\hbar)\big) = 0$$
selects the quantum observables $\mathcal{O}$ (here $S^{\hbar}_{BV}$ is the extension in powers of $\hbar$ of the full BV-action $S_{BV} = S + \ldots$ of a given gauge-invariant model $\delta S = 0$). This approach yields the quantum master equation upon $S^{\hbar}_{BV}$ and creates the cohomology groups with respect to the quantum BV-differential $\Omega = -i\hbar\Delta + \llbracket S^{\hbar}_{BV},\cdot\,\rrbracket$. The observables are $\Omega$-closed, $\Omega(\mathcal{O}) = 0$; Feynman's path integral is then used to calculate their expectation values and correlations.
On top of the difficulties inherent in a definition of the path integral, the BV-Laplacian $\Delta$ itself often has to be regularized by hand if one wishes to avoid the "infinite constants" or Dirac delta-distributions that would otherwise appear (e.g., see [CF00], in which such constants appear). On the other hand, in the case where the base space, that is, the space of the independent variables, reduces to a single point, the jet bundle becomes a supermanifold; in this case the BV-Laplacian contains no infinite constants [Sch93; Sch94; Sch99].
In this chapter we explore the geometrical setup and the physical importance of the Laplacian. Our considerations will revolve around the philosophy of secondary calculus, which, as explained in section 2.2, is the idea that when one reduces the base space to the zero-dimensional manifold $\{\mathrm{pt}\}$, the tools and concepts at hand should reduce to known structures on (super)manifolds. Then, in section 2.3 we give the definition of BV-algebras and briefly explore the Laplacian on supermanifolds (as opposed to the Laplacian on jet bundles), giving a firm understanding of what the Laplacian looks like before its variational generalization. In sections 2.4 and 2.5 we introduce and extend the geometrical setup for the BV-Laplacian, after which we examine a candidate BV-Laplacian on jet bundles in section 2.6.

2.2 Secondary calculus


Before we proceed it is convenient to briefly discuss the ideology of secondary calculus,
which is a very instructive analogy between the geometry of jet spaces and that of
smooth manifolds. This parallel was introduced by A. M. Vinogradov in [Vin01, Ch. 5];
see also [KV11; KV99; Vit09]. Without naming it we have already dealt with it in
Chapter 1, where we generalized, for example, multivectors to variational multivectors
and the Schouten bracket to its variational cousin; it will also play a role in both this
chapter and Chapter 4.
The physics of a point particle can be succinctly and elegantly described by, for example, the Hamiltonian formalism on a smooth manifold $E$ (see the introduction to Chapter 3 on p. 45). In this case its dynamics is specified by an ordinary differential equation, and expressed with the use of the calculus on the manifold $E$; that is, by differential forms, vector fields, the de Rham differential, et cetera. Note that the position of the point particle can be specified by an element $x \in E$; such elements are in one-to-one correspondence with sections of the trivial bundle $E \to \{\mathrm{pt}\}$. Thus, we have identified a bundle with a single fiber and trivial base space.
Now we consider two possible generalizations for such schemes (of which the first motivated the name "secondary calculus"):

1. The classical physics of point particles can be generalized to quantum mechanics; in this case the equation of motion (an ordinary differential equation) is replaced by the Schrödinger equation, which is a partial differential equation.
2. There are many other (classical) physical systems imaginable that do not involve point particles, but, for example, strings or fields. In these cases the dynamics are usually also described by a partial differential equation.

In both cases there is a bundle $\pi\colon E \to M$, inducing a jet bundle $J^\infty(\pi)$ in which the relevant partial differential equation lives. We see that with respect to the setup $E \to \{\mathrm{pt}\}$ of point particles described above, the base space $\{\mathrm{pt}\}$ has been replaced by a manifold $M$.
The idea of secondary calculus is that the calculus and machinery of infinite jet bundles may be used to describe the dynamics of these systems, in the same way as the dynamics of point particles can be expressed using calculus on manifolds. Thus, concepts such as smooth functions, vector fields, differential forms and the de Rham derivative all gain "secondary", or variational, generalizations. A guiding principle in the construction of these generalizations is that they should reduce to their smooth counterparts when one takes the base space $M$ of the bundle $E \xrightarrow{\pi} M$ to be the zero-dimensional manifold $\{\mathrm{pt}\}$.
Let us compile a brief list of such variational generalizations. As the position of a point particle is determined by a section $s\colon \{\mathrm{pt}\} \to E$, we find that the "points" in secondary calculus are the sections $s \in \Gamma(\pi)$. Having such a "point" and an element $H = \int h\,d^n x \in \overline{H}^n(\pi)$, we can calculate the number
$$H(s) := \int_M h\big(j^\infty_x(s)\big)\,d^n x,$$
suggesting that $\overline{H}^n(\pi)$ is a natural generalization of the space of functions $C^\infty(E)$.¹ Referring also to Chapter 1, we may compile a dictionary of variational generalizations; see Table 2.1.

Manifold $E \xrightarrow{\pi} \{\mathrm{pt}\}$             Jet space $J^\infty(E \xrightarrow{\pi} M)$
points                           ←→  sections of $\pi$
functions                        ←→  elements $\int h\,d^n x$ from $\overline{H}^n(\pi)$
value at a point, $f(x)$         ←→  integral $\int_M h(j^\infty_x(s))\,d^n x$
vector fields                    ←→  evolutionary vector fields, $\kappa(\pi)$
multivector fields               ←→  variational multivectors
the de Rham complex              ←→  the $\mathcal{C}$-spectral sequence $E_1^{p,q}(\pi)$
de Rham differential $d_{dR}$    ←→  the Euler operator $\delta$
the Schouten bracket             ←→  the variational Schouten bracket

Table 2.1. Variational generalizations of calculus on manifolds.

This chapter is essentially concerned with how the BV-Laplacian $\Delta$ fits into this table. Although we are primarily interested in the entry on the right hand side, in the next section we shall examine what it looks like on (super)manifolds, as well as defining BV-algebras and briefly explaining their physical relevance.

¹ Note, however, that under the contraction $M \mapsto \{\mathrm{pt}\}$ the space of functions $\mathcal{F}(\pi)$ on $J^\infty(\pi)$ also reduces to $C^\infty(E)$; this will become important in Chapter 4.

2.3 BV-algebras and the quantum master equation


Definition 2.1. A BV-algebra $A$ is a graded associative supercommutative algebra with unit, equipped with:

• A bilinear bracket $\llbracket\,,\rrbracket$ of order one satisfying a graded Leibniz rule with respect to the product of $A$, i.e. the bracket satisfies for all $x, y, z \in A$
$$\llbracket x, y\rrbracket = -(-)^{(|x|-1)(|y|-1)}\llbracket y, x\rrbracket, \qquad\text{(skew-symmetry)}$$
$$\llbracket x, \llbracket y, z\rrbracket\rrbracket = \llbracket\llbracket x, y\rrbracket, z\rrbracket + (-)^{(|x|-1)(|y|-1)}\llbracket y, \llbracket x, z\rrbracket\rrbracket, \qquad\text{(graded Jacobi identity)}$$
$$\llbracket x, yz\rrbracket = \llbracket x, y\rrbracket z + (-)^{(|x|-1)|y|}\,y\llbracket x, z\rrbracket. \qquad\text{(Leibniz rule)}$$

• A second order nilpotent differential operator $\Delta$ called the Laplacian, which has degree $-1$ with respect to the grading of $A$ and satisfies
$$\llbracket x, y\rrbracket = (-)^{|x|}\big(\Delta(xy) - \Delta(x)\,y - (-)^{|x|}\,x\,\Delta y\big), \qquad (2.1)$$
$$\Delta^2 = 0, \qquad \Delta(1) = 0.$$

Thus the bracket measures the failure of the Laplacian to be a left-derivation² with respect to the product of the algebra $A$. Moreover, we have the following immediate consequence.

Proposition 2.2. The Laplacian is a derivation of the bracket,
$$\Delta(\llbracket x, y\rrbracket) = \llbracket\Delta x, y\rrbracket + (-)^{|x|-1}\llbracket x, \Delta y\rrbracket. \qquad (2.2)$$

Proof. We calculate $\Delta(\llbracket x, y\rrbracket)$ by applying $\Delta$ to the right hand side of (2.1):
$$\Delta(\llbracket x, y\rrbracket) = (-)^{|x|}\big(\Delta^2(xy) - \Delta(\Delta(x)\,y) - (-)^{|x|}\Delta(x\,\Delta y)\big) = (-)^{|x|-1}\big(\Delta(\Delta(x)\,y) + (-)^{|x|}\Delta(x\,\Delta y)\big). \qquad (2.3)$$

² With some adjustments to a number of minus signs, one may modify the Laplacian such that the bracket measures its failure to be a right-derivation. For example, in the case of the Laplacian on a supermanifold (which we will discuss shortly), equation (2.5) would become $\Delta = \overleftarrow{\partial}/\partial x^i \circ \overleftarrow{\partial}/\partial\theta_i$, that is, the arrows are reversed.
Next we expand the right hand side of (2.2) in the same way:
$$\llbracket\Delta x, y\rrbracket + (-)^{|x|-1}\llbracket x, \Delta y\rrbracket = (-)^{|x|-1}\big(\Delta(\Delta(x)\,y) - \Delta^2(x)\,y - (-)^{|x|-1}\Delta x\,\Delta y\big) + (-)^{|x|-1}(-)^{|x|}\big(\Delta(x\,\Delta y) - \Delta x\,\Delta y - (-)^{|x|}\,x\,\Delta^2 y\big) = (-)^{|x|-1}\big(\Delta(\Delta(x)\,y) + (-)^{|x|}\Delta(x\,\Delta y)\big).$$
This matches precisely with (2.3).

As preparation for a first example of a BV-algebra, we first review some symplectic geometry. If $M$ is a $2n$-dimensional symplectic manifold with symplectic form $\omega$, then it has $\Omega = \omega^n$ as its natural volume form, and on any manifold having a volume form one can define the divergence $\mathrm{div}\colon \Gamma(TM) \to C^\infty(M)$ of a vector field by the following formula:
$$\mathrm{div}(X)\,\Omega = d(i_X\Omega),$$
where $i_X$ is the insertion operator that inserts the vector field $X$ in the leftmost slot of its argument. Writing $\Omega = \rho\,d^n x$ for the volume form, in a coordinate system $x^i$ (not necessarily Darboux) this works out to
$$\mathrm{div}\,X = \rho^{-1}\partial_i(\rho X^i) = \partial_i X^i + X^i\partial_i\ln\rho.$$
(Note that $\rho$, being the density of a volume form, is nowhere zero.) Now the 2-form $\omega$, being nondegenerate, has an inverse $\alpha = \omega^{-1} \in \Lambda^2 TM$; that is, a 2-vector. One can use this 2-vector to define a Poisson bracket $\{\,,\}$ on $C^\infty(M)$ by the formula
$$\{f, g\} := \alpha(df, dg).$$
Then, for any fixed function $H$ we define its associated Hamiltonian vector field $X_H$ by³
$$X_H = \{\cdot, H\} = \alpha(d\cdot, dH). \qquad (2.4)$$

Now a Laplacian by definition has to be of degree $-1$ in the grading of its algebra, but $C^\infty(M)$ is an ungraded algebra. However, so far essentially none of the arguments above depend on the coordinates $x^i$ being even. Therefore, it is possible to generalize to the following [Sch93; Sch94; Sch99].

Example 2.3. A P-manifold, or a symplectic supermanifold, is a supermanifold of dimension $n|n$ equipped with a nondegenerate closed odd⁴ 2-form $\omega$. For such forms there is a super-Darboux theorem, stating that $\omega$ can always be written as $\omega = dx^i \wedge d\theta_i$ for a certain coordinate chart $(x^1, \ldots, x^n, \theta_1, \ldots, \theta_n)$.
When a P-manifold additionally has a form $\rho\,d^n x\,d^n\theta$ such that on each coordinate patch there exist Darboux coordinates with locally $\rho(x, \theta) = 1$, then the supermanifold is said to be an SP-manifold.

³ Alternatively, one may define the Hamiltonian vector field uniquely by the formula $dH = \omega(X_H, \cdot)$. However, this approach has the disadvantage that it directly uses $\omega$, meaning that it only makes sense on symplectic manifolds. The definition given by (2.4) works for any Poisson manifold. We will also encounter it in Chapter 3, in which Poisson brackets play a central role.
Having this machinery in place, we can define (with due attention to the parity of the coordinates and the resulting signs) the Hamiltonian vector field $X_H$ of a function $H$ and the divergence of a vector field $X$ exactly as in the previous example. Using this machinery we finally define a Laplacian as follows:
$$\Delta f = \tfrac12\,\mathrm{div}\,X_f.$$
Taking a Darboux coordinate chart⁵ $(x^1, \ldots, x^n, \theta_1, \ldots, \theta_n)$, in coordinates these structures become
$$\{f, g\} = f\frac{\overleftarrow{\partial}}{\partial x^i}\frac{\overrightarrow{\partial}}{\partial\theta_i}g - f\frac{\overleftarrow{\partial}}{\partial\theta_i}\frac{\overrightarrow{\partial}}{\partial x^i}g,$$
$$\Delta f = \frac{\overrightarrow{\partial}}{\partial x^i}\frac{\overrightarrow{\partial}}{\partial\theta_i} f. \qquad (2.5)$$
In order to verify that $(C^\infty(M), \llbracket\,,\rrbracket, \Delta)$ is indeed a BV-algebra, all that is left to do is check that equation (2.1) holds, which is easily done using the expressions above.

Finally, we take $M = \Pi T^*E$ as our supermanifold. If $x^i$ is a coordinate patch on $E$ and $\theta_i$ are the induced parity-odd coordinates on $\Pi T^*E$, then we can express a natural odd symplectic 2-form on $\Pi T^*E$ by $dx^i \wedge d\theta_i$ as usual. Using the identification $C^\infty(\Pi T^*E) = \Gamma(\Lambda^\bullet TE)$, we can transfer the Laplacian and the induced bracket to the space of multivectors on $E$. The bracket then precisely coincides with the Schouten bracket of multivectors on $E$. Referring to Table 2.1, this is the entry on the BV-Laplacian in the left column, meaning that we expect a variational generalization of the BV-Laplacian to be such that under the contraction $M \mapsto \{\mathrm{pt}\}$ we obtain this example.
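As a worked check added here (it is not part of the thesis), take the smallest case $n = 1$, so that there is a single Darboux pair $(x, \theta)$, and assume the convention that both the left and the right derivative of $\theta\,a(x)$ with respect to $\theta$ equal $a(x)$ (with $\theta$ anticommuting, so $\theta^2 = 0$). Verifying (2.1) on the homogeneous functions $a(x)$, $\theta\,a(x)$, $b(x)$, $\theta\,b(x)$, using the coordinate expressions for $\{\,,\}$ and $\Delta$ from (2.5), then runs as follows (a prime denotes $d/dx$).

```latex
% Case 1: f = a(x) even, g = \theta\,b(x) odd, so (-)^{|f|} = +1.
\{f,g\} = f\frac{\overleftarrow{\partial}}{\partial x}\frac{\overrightarrow{\partial}}{\partial\theta}g
        - f\frac{\overleftarrow{\partial}}{\partial\theta}\frac{\overrightarrow{\partial}}{\partial x}g
        = a'\,b - 0 = a'b,
\qquad
\Delta(fg) - \Delta(f)\,g - f\,\Delta g = (ab)' - 0 - a\,b' = a'b. \\[1ex]
% Case 2: f = \theta\,a(x) odd, g = b(x) even, so (-)^{|f|} = -1.
\{f,g\} = 0 - a\,b' = -ab',
\qquad
-\big(\Delta(fg) - \Delta(f)\,g + f\,\Delta g\big) = -\big((ab)' - a'b + 0\big) = -ab'. \\[1ex]
% Case 3: f = \theta\,a(x), g = \theta\,b(x) both odd; fg = 0 because \theta^2 = 0.
\{f,g\} = \theta a'\,b - a\,\theta b' = \theta\,(a'b - ab'),
\qquad
-\big(\Delta(fg) - \Delta(f)\,g + f\,\Delta g\big) = -\big(0 - a'\,\theta b + \theta a\,b'\big) = \theta\,(a'b - ab'). \\[1ex]
% Case 4: f = a(x), g = b(x) both even: \Delta kills functions of x alone,
% so both sides of (2.1) vanish.
```

In each case the bracket computed from (2.5) equals the right hand side of (2.1), and since both sides are bilinear this settles (2.1) for all $f, g$ in the $1|1$ case.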
Let us now briefly explain the primary physical application of BV-algebras. Thus, let $(A, \llbracket\,,\rrbracket, \Delta)$ be a (complex) BV-algebra. In quantum field theory one is concerned with the Feynman path integral of elements of $A$ (which in that case consists of (products of) integral functionals, i.e. $\mathcal{M}(\pi_{BV})$; this will be treated in detail in Section 2.5 on p. 36). Without precisely explaining what this path integral is, we will use the fact that the path integral of such a functional $F$ can only be independent of the non-physical antifields when the following Laplace equation holds:
$$\Delta F = 0.$$

⁴ If $z^i$ with $i = 1, \ldots, 2n$ is a coordinate patch and $|z^i| \in \mathbb{Z}/2\mathbb{Z}$ is the parity of these coordinates, then the parity of the two-form $\omega = dz^i\,\omega_{ij}\,dz^j$ is given by $|\omega| = |\omega_{ij}| + |z^i| + |z^j|$. For example, $dx^i \wedge dx^j$ is even, while $\theta^i\,d\theta^j \wedge d\theta^k$ and $dx^i \wedge d\theta_i$ are both odd.
⁵ We write the index $i$ of the odd coordinates $\theta_i$ as a subscript in order to be able to keep on using the Einstein summation convention (see section 1.1.2 on p. 5).

Adjoining the Planck constant and its inverse⁶ to the BV-algebra $A$ by $A^\hbar := A \otimes_{\mathbb{C}} \mathbb{C}\llbracket\hbar, \hbar^{-1}\rrbracket$, the system is specified by the full BV-action $S^\hbar_{BV} \in A^\hbar$, and the calculation of certain expectation values can be done by calculating the path integral over the functional $\exp(iS^\hbar_{BV}/\hbar)$. For this reason the following will have to hold:
$$\Delta\Big(\exp\Big(\frac{iS^\hbar_{BV}}{\hbar}\Big)\Big) = 0.$$
Moreover, an element $\mathcal{O} \in A^\hbar$ is called a quantum observable if the following equation holds:
$$\Delta\Big(\mathcal{O}\exp\Big(\frac{iS^\hbar_{BV}}{\hbar}\Big)\Big) = 0.$$
These equations are our starting point; we will derive from them the quantum master equation (2.6) on $S^\hbar_{BV}$ and equation (2.7) on the observable $\mathcal{O}$. (We refer to [HT92] for more details.)

Proposition 2.4. Let $S^\hbar_{BV} \in A^\hbar$ be even. If the identity $\Delta(\exp(iS^\hbar_{BV}/\hbar)) = 0$ holds, then $S^\hbar_{BV}$ satisfies the quantum master equation:
$$\tfrac12\llbracket S^\hbar_{BV}, S^\hbar_{BV}\rrbracket = i\hbar\,\Delta S^\hbar_{BV}. \qquad (2.6)$$
We will need the following two lemmas.

Lemma 2.5. Let $F \in A^\hbar$ be even, let $G \in A^\hbar$ be another element, and let $n \in \mathbb{N}_{\geq 1}$. Then
$$\llbracket G, F^n\rrbracket = n\,\llbracket G, F\rrbracket\,F^{n-1}.$$

Proof. We use induction on the Leibniz rule for the bracket $\llbracket\,,\rrbracket$. Note that all signs vanish since $F$ is even, meaning that whenever $F$ is multiplied with any element from $A^\hbar$, the factors may be freely swapped without this resulting in minus signs. For $n = 1$ the statement is trivial. Suppose the formula holds for some $n \in \mathbb{N}_{>1}$, then
$$\llbracket G, F^{n+1}\rrbracket = \llbracket G, F \cdot F^n\rrbracket = \llbracket G, F\rrbracket F^n + F\llbracket G, F^n\rrbracket = \llbracket G, F\rrbracket F^n + nF\llbracket G, F\rrbracket F^{n-1} = (n+1)\llbracket G, F\rrbracket F^n,$$
so that the statement also holds for $n+1$.

⁶ Neither the Planck constant $\hbar$ nor the factor $i$ is always present in articles on this subject; mainly papers that are more mathematical in nature sometimes skip one or both of these. Apparently, they do not always play a crucial role.

Lemma 2.6. Let $F \in A^\hbar$ be even, and let $n \in \mathbb{N}_{\geq 2}$. Then
$$\Delta(F^n) = n(\Delta F)F^{n-1} + \tfrac12 n(n-1)\llbracket F, F\rrbracket F^{n-2}.$$

Proof. We use induction and the previous lemma. For $n = 2$ the formula clearly holds by equation (2.1). Suppose that it holds for some $n \in \mathbb{N}_{>2}$, then
$$\Delta(F^{n+1}) = \Delta(F \cdot F^n) = (\Delta F)F^n + \llbracket F, F^n\rrbracket + F\Delta(F^n) = (\Delta F)F^n + n\llbracket F, F\rrbracket F^{n-1} + nF(\Delta F)F^{n-1} + \tfrac12 n(n-1)F\llbracket F, F\rrbracket F^{n-2} = (n+1)(\Delta F)F^n + \tfrac12 (n+1)n\llbracket F, F\rrbracket F^{n-1},$$
so that the statement also holds for $n+1$.

Proof of Proposition 2.4. For convenience, we set $F = \frac{i}{\hbar}S^\hbar_{BV}$. Then
$$0 = \Delta(\exp F) = \Delta\Big(\sum_{n=0}^\infty \frac{1}{n!}F^n\Big) = \sum_{n=0}^\infty \frac{1}{n!}\Delta(F^n) = \sum_{n=0}^\infty \frac{n}{n!}(\Delta F)F^{n-1} + \sum_{n=0}^\infty \frac{1}{2\,n!}\,n(n-1)\llbracket F, F\rrbracket F^{n-2}$$
$$= (\Delta F)\sum_{n=1}^\infty \frac{1}{(n-1)!}F^{n-1} + \tfrac12\llbracket F, F\rrbracket\sum_{n=2}^\infty \frac{1}{(n-2)!}F^{n-2} = \Big(\Delta F + \tfrac12\llbracket F, F\rrbracket\Big)\exp F = \Big(\frac{i}{\hbar}\Delta S^\hbar_{BV} - \frac{1}{2\hbar^2}\llbracket S^\hbar_{BV}, S^\hbar_{BV}\rrbracket\Big)\exp\Big(\frac{i}{\hbar}S^\hbar_{BV}\Big),$$
from which the result follows.

Proposition 2.7. Take two elements $\mathcal{O}, S^\hbar_{BV} \in A^\hbar$, and suppose that $S^\hbar_{BV}$ is even. If $\mathcal{O}$ is a quantum observable and $S^\hbar_{BV}$ satisfies $\Delta(\exp(iS^\hbar_{BV}/\hbar)) = 0$, then $\mathcal{O}$ satisfies
$$\Omega(\mathcal{O}) := \llbracket S^\hbar_{BV}, \mathcal{O}\rrbracket - i\hbar\,\Delta\mathcal{O} = 0. \qquad (2.7)$$
The operator $\Omega$ is known as the quantum BV-differential.

Proof. For convenience, let us set $F = \frac{i}{\hbar}S^\hbar_{BV}$ again. We first calculate, using Lemma 2.5,
$$\llbracket\mathcal{O}, \exp F\rrbracket = \sum_{n=0}^\infty \frac{1}{n!}\llbracket\mathcal{O}, F^n\rrbracket = \sum_{n=0}^\infty \frac{n}{n!}\llbracket\mathcal{O}, F\rrbracket F^{n-1} = \llbracket\mathcal{O}, F\rrbracket\exp F.$$
Now $\Delta(\mathcal{O}\exp F) = 0$ since $\mathcal{O}$ is a quantum observable, so
$$0 = \Delta(\mathcal{O}\exp F) = (\Delta\mathcal{O})\exp F + \llbracket\mathcal{O}, \exp F\rrbracket + \mathcal{O}\,\Delta(\exp F) = \big((\Delta\mathcal{O}) + \llbracket\mathcal{O}, F\rrbracket\big)\exp F = \Big((\Delta\mathcal{O}) + \frac{i}{\hbar}\llbracket\mathcal{O}, S^\hbar_{BV}\rrbracket\Big)\exp\Big(\frac{i}{\hbar}S^\hbar_{BV}\Big),$$
from which the assertion follows.

Proposition 2.8. Let $\mathcal{O} \in A^\hbar$, and let the even $S^\hbar_{BV} \in A^\hbar$ satisfy the quantum master equation (2.6) for the BV-Laplacian $\Delta$. Then the quantum BV-differential $\Omega$, defined in (2.7), squares to zero:
$$\Omega^2(\mathcal{O}) = 0.$$

Proof. We calculate
$$\Omega^2(\mathcal{O}) = \big\llbracket S^\hbar_{BV}, \llbracket S^\hbar_{BV}, \mathcal{O}\rrbracket - i\hbar\Delta\mathcal{O}\big\rrbracket - i\hbar\Delta\big(\llbracket S^\hbar_{BV}, \mathcal{O}\rrbracket - i\hbar\Delta\mathcal{O}\big) = \big\llbracket S^\hbar_{BV}, \llbracket S^\hbar_{BV}, \mathcal{O}\rrbracket\big\rrbracket - i\hbar\llbracket S^\hbar_{BV}, \Delta\mathcal{O}\rrbracket - i\hbar\llbracket\Delta S^\hbar_{BV}, \mathcal{O}\rrbracket + i\hbar\llbracket S^\hbar_{BV}, \Delta\mathcal{O}\rrbracket + (i\hbar)^2\Delta^2\mathcal{O}.$$
The last term vanishes identically since the Laplacian is a differential, while the second term cancels against the fourth term. Using the Jacobi identity for the bracket $\llbracket\,,\rrbracket$ on the first term, we obtain:
$$\Omega^2(\mathcal{O}) = \tfrac12\big\llbracket\llbracket S^\hbar_{BV}, S^\hbar_{BV}\rrbracket, \mathcal{O}\big\rrbracket - i\hbar\llbracket\Delta S^\hbar_{BV}, \mathcal{O}\rrbracket = \big\llbracket\tfrac12\llbracket S^\hbar_{BV}, S^\hbar_{BV}\rrbracket - i\hbar\Delta S^\hbar_{BV}, \mathcal{O}\big\rrbracket = 0,$$
by the quantum master equation for $S^\hbar_{BV}$.

2.4 Products of integral functionals


From this section onwards, we will once again work in the variational setup. Having generalized the Schouten bracket on a smooth manifold to the variational Schouten bracket in the spirit of secondary calculus, we note that the variational Schouten bracket seems to have lost a property that its smooth counterpart does satisfy: the fact that $\llbracket\,,\rrbracket$ is a derivation in each of its arguments (see Remark 1.11 on p. 15). In this section we shall investigate, and eventually restore, this property for the variational Schouten bracket.
We start with a vector bundle $\pi\colon E \to M$ as usual. Then, as discussed previously, every equivalence class⁷ $H = \int h([q])\,d^n x \in \overline{H}^n(\pi)$ determines a map $H\colon \Gamma(\pi) \to k$ (which we let be either $\mathbb{R}$ or, possibly, $\mathbb{C}$). Namely, for any $s \in \Gamma(\pi)$ we set
$$H\colon s \mapsto H(s) = \int_M j^\infty(s)^*\big(h[q]\,d^n x\big) = \int_M h\big(j^\infty_x(s)\big)\,d^n x \in k. \qquad (2.8)$$

⁷ Here and onwards, if $h \in \mathcal{F}(\pi)$ is some function then we will sometimes write $h([q])$ to make explicit the dependence of $h$ on the jet coordinates $q^\alpha$ and $q^\alpha_\sigma$ of $J^\infty(\pi)$.

Next, we introduce a multiplicative structure $F \otimes_k G \mapsto F \cdot G$ by the rule
$$(F \cdot G)(s) := F(s)\,G(s), \qquad s \in \Gamma(\pi),$$
for two integral functionals $F, G \in \overline{H}^n(\pi)$; here the product on the right hand side is that of $k$. It is clear that under the viewpoint that sections are "points" this is the generalization to $\overline{H}^n(\pi)$ of the pointwise product on the algebra of smooth functions of a smooth manifold. There is, however, a problem: the space $\overline{H}^n(\pi)$ is not closed under this product, in the sense that generally $F \cdot G \notin \overline{H}^n(\pi)$. We solve this by taking (formal) sums of products of arbitrary finite numbers of integral functionals from $\overline{H}^n(\pi)$:
$$\mathcal{M}(\pi) := \bigoplus_{i=1}^{\infty} \overline{H}^n(\pi)^{\otimes i} \subset \mathrm{Map}\big(\Gamma(\pi) \to k\big), \qquad (2.9)$$
in the space $\mathrm{Map}(\Gamma(\pi) \to k)$ of all maps which assign a number to every section.

Remark 2.9. By constructing the space of maps $\mathcal{M}(\pi)$ in this fashion, we have not exited the realm of integral functionals on jet spaces. To see this, take two integral functionals $F = \int f(x, [q])\,d^n x$ and $G = \int g(x', [q'])\,d^n x'$ on $\pi$. Then we may write $F \cdot G$ as
$$F \cdot G = \int f(x, [q])\,g(x', [q'])\,d^n x \wedge d^n x'.$$
Now $f(x, [q])\,g(x', [q'])$ may be considered as a function on the jet space of $\pi \times \pi$, the product bundle of $\pi$ with itself above the base manifold $M \times M$, of which the coordinates are $x^i$ and $x'^j$ respectively. The top cohomology of this space is then $\overline{H}^{2n}(\pi \times \pi)$, and we have $F \cdot G = \int fg\,dx \wedge dx' \in \overline{H}^{2n}(\pi \times \pi)$. Thus, $F \cdot G$ is an integral functional with respect to the bundle $\pi \times \pi$, and we see that the second term $\overline{H}^n(\pi) \otimes_k \overline{H}^n(\pi)$ in the direct sum in (2.9) is a subspace of $\overline{H}^{2n}(\pi \times \pi)$. Continuing this line of reasoning to products of any number of factors we find
$$\overline{H}^n(\pi)^{\otimes i} \subset \overline{H}^{\,i \cdot n}(\underbrace{\pi \times \cdots \times \pi}_{i\text{ copies}}),$$
and therefore also
$$\mathcal{M}(\pi) \subset \bigoplus_{i=1}^{+\infty} \overline{H}^{\,i \cdot n}(\underbrace{\pi \times \cdots \times \pi}_{i\text{ copies}}).$$
(Note that this is a strict inclusion; for example, $\overline{H}^{2n}(\pi \times \pi)$ contains functionals such as $\int q_{xx'}\,d^n x \wedge d^n x'$ while $\overline{H}^n(\pi) \otimes_k \overline{H}^n(\pi)$ does not.) Thus, although composite but homogeneous functionals from $\mathcal{M}(\pi)$ (i.e., functionals of the form $F = F_1 \cdots F_i$ for some $i$ and $F_k \in \overline{H}^n(\pi)$ for $1 \leq k \leq i$) are not integral with respect to the bundle $\pi$, they are integral with respect to another bundle, namely $\underbrace{\pi \times \cdots \times \pi}_{i\text{ copies}}$.

One of the major differences between ordinary derivatives $\partial/\partial x^i$ on $C^\infty(M)$ and the variational derivative $\delta/\delta q^\alpha$ on $\mathcal{F}(\pi)$ is that the former satisfies a Leibniz rule, but the latter does not. Equivalently, the de Rham differential $d_{dR}$ satisfies the Leibniz rule but the Euler operator $\delta$ does not. The above interpretation of the "pointwise" product $F \cdot G$ of two functionals $F, G$ allows us to formulate a variational analog of this Leibniz rule (that simultaneously mirrors the Leibniz rule that the functional derivative satisfies when acting on the product $F[s]\,G[s]$ of two functionals).

Proposition 2.10. If $F$ and $G$ are two functionals on $\pi$ then
$$\delta(FG) = (\delta F)\,G + F\,(\delta G) \in E_1^{2n,1}(\pi \times \pi), \qquad (2.10)$$
where the first $\delta$ is the Euler operator on $\pi \times \pi$, and the second and third are those of $\pi$.

Proof. Let us for ease of notation assume that the base space and fiber of $\pi$ are both one-dimensional; the general result follows immediately by carefully restoring the indices in the proof below. Recall that the Euler operator is defined as $\delta\colon \omega \mapsto \int d_C\,\omega$. On $\pi \times \pi$, there are the base coordinates $x$ and $x'$ and fiber coordinates $q$ and $q'$. Moreover, in the jet space $J^\infty(\pi \times \pi)$ the derivatives may mix; i.e., there are coordinates of the form $q_{xx'}$. Thus, the Cartan differential on $\pi \times \pi$ becomes
$$d_C = d_C q_\sigma\,\frac{\partial}{\partial q_\sigma} + d_C q'_\tau\,\frac{\partial}{\partial q'_\tau}$$
where both the multi-indices $\sigma$ and $\tau$ may contain both $x$ and $x'$. We obtain
$$\delta(FG) = \int d_C(fg)\,dx \wedge dx' = \int\Big(\frac{\partial(fg)}{\partial q_\sigma}\,d_C q_\sigma + \frac{\partial(fg)}{\partial q'_\tau}\,d_C q'_\tau\Big)\,dx \wedge dx'.$$
Now $f$ depends only on $q$ and $x$, and $g$ depends only on $q'$ and $x'$. Therefore, although in the manifold $J^\infty(\pi \times \pi)$ the coordinates of the kind $q_{xx'}$ occur, the product $fg$ does not in fact depend on them. Considering the term containing $\sigma$ above, the consequence is that this term will be nonzero only if $\sigma$ does not contain any $x'$. Of course, a similar statement holds for the term containing $\tau$. Thus we get
$$\delta(FG) = \int\Big(\frac{\partial f}{\partial q_\sigma}\,g\,d_C q_\sigma + f\,\frac{\partial g}{\partial q'_\tau}\,d_C q'_\tau\Big)\,dx \wedge dx' \cong \int\Big(\frac{\delta f}{\delta q}\,g\,d_C q + f\,\frac{\delta g}{\delta q'}\,d_C q'\Big)\,dx \wedge dx'.$$
In the partial integration in the previous step, in the first term no derivatives fall on $g$, since $\sigma$ contains only $x$ because $f$ only depends on $x$, while $g$ only depends on $x'$. A similar remark explains the second term. Lastly, as a notational trick we separate the integrals again, obtaining
$$\delta(FG) = \int\frac{\delta f}{\delta q}\,d_C q\,dx \int g\,dx' + \int f\,dx \int\frac{\delta g}{\delta q'}\,d_C q'\,dx' = (\delta F)\,G + F\,(\delta G).$$
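As an added worked instance of Proposition 2.10 (constructed here; it is not from the thesis), take one-dimensional base and fiber, $F = \int \tfrac12 q_x^2\,dx$ and $G = \int q^2\,dx$, and compute both sides of (2.10) explicitly on $\pi \times \pi$ with coordinates $(x, q)$ and $(x', q')$.

```latex
% Constructed example: F = \int \tfrac12 q_x^2\,dx, \quad G = \int q^2\,dx.
% On \pi the Euler operator \delta/\delta q = \partial/\partial q - D_x\,\partial/\partial q_x gives
\delta F = \int (-q_{xx})\,d_C q\,dx, \qquad \delta G = \int 2q\,d_C q\,dx.
% The product is an integral functional on \pi\times\pi:
F \cdot G = \int \tfrac12\,q_x^2\,q'^2\,dx \wedge dx'.
% Euler operator of \pi\times\pi; q' does not depend on x and q not on x',
% so D_x acts on the q-jets only and D_{x'} on the q'-jets only:
\delta(FG) = \int\Big(\frac{\delta}{\delta q}\big(\tfrac12 q_x^2 q'^2\big)\,d_C q
                    + \frac{\delta}{\delta q'}\big(\tfrac12 q_x^2 q'^2\big)\,d_C q'\Big)\,dx \wedge dx'
           = \int\Big(-q_{xx}\,q'^2\,d_C q + q_x^2\,q'\,d_C q'\Big)\,dx \wedge dx'.
% Separating the integrals as in the proof:
(\delta F)\,G = \int(-q_{xx})\,d_C q\,dx \int q'^2\,dx' = \int -q_{xx}\,q'^2\,d_C q\,dx \wedge dx',
\qquad
F\,(\delta G) = \int\tfrac12 q_x^2\,dx \int 2q'\,d_C q'\,dx' = \int q_x^2\,q'\,d_C q'\,dx \wedge dx'.
% The two contributions add up exactly to \delta(FG), as (2.10) states.
```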

In section 2.2 we compiled a list of variational generalizations of concepts on smooth manifolds; there we listed $\overline{H}^n(\pi)$ as the generalization of the ring of functions $C^\infty(M)$ on a manifold $M$. The latter being an algebra, it is now clear that the product $\cdot$ on $\mathcal{M}(\pi)$ is the variational generalization of the product of $C^\infty(M)$.
Going further, let us now consider the Schouten bracket. To the initial bundle $\pi$ we adjoin its parity-odd dual $\Pi\hat\pi$, whose fiber coordinates we shall denote in this chapter not with $b$ but with $q^\dagger$. Also anticipating future notations, we set $\pi_{BV} = \pi \times \Pi\hat\pi$ so that the arguments for the Schouten bracket are elements of $\overline{H}^n(\pi_{BV})$. Moving now to the space $\mathcal{M}(\pi_{BV})$, we see that a natural variational generalization of the wedge product of multivectors on manifolds is the product $\cdot$ on $\mathcal{M}(\pi_{BV})$, solving the problem that was noted in Remark 1.11 on p. 15. For this reason, and also anticipating physical applications, we thus define the following, creating the variational generalization of equation (1.5).

Definition 2.11. Let $F, G, H \in \mathcal{M}(\pi_{BV})$ be (products of) variational multivectors on $\pi$. We inductively extend the Schouten bracket on $\overline{H}^n(\pi_{BV})$ to the space $\mathcal{M}(\pi_{BV})$ by the following formula:
$$\llbracket F, G \cdot H\rrbracket = \llbracket F, G\rrbracket \cdot H + (-)^{(|F|-1)|G|}\,G \cdot \llbracket F, H\rrbracket.$$
It is easy to see that this bracket on $\mathcal{M}(\pi_{BV})$ is still graded skew-symmetric and still satisfies the graded Jacobi identity.

2.5 Euler-Lagrange equations with gauge symmetries


The remainder of this chapter is exclusively concerned with Euler-Lagrange equations that have gauge symmetries. Therefore, in this section we examine the relevant concepts and the geometrical setup.
Take a bundle $\pi\colon E \to M$. Deviating from previous conventions, we temporarily denote the fiber coordinates not with $q^\alpha$ but with $\phi^a$ (we will need the letter $q$ for the full collection of BV-coordinates later on). Fixing coordinates in the base space and fiber, a system of differential equations is then given by $\mathcal{E} = \{F_i([\phi]) = 0\}$, $i = 1, \ldots, k$, where $F_i \in \mathcal{F}(\pi)$. Thus, the fiber coordinates $\phi^a$ here play the role of unknowns. The functions $F_i$ together form a tuple $F([\phi]) = \big(F_1([\phi]), \ldots, F_k([\phi])\big)$, which is then an element of a certain vector bundle of rank $k$ over $J^\infty(\pi)$. In our case this bundle is always of the form $\pi_\infty^*(\xi_0)$ for a certain vector bundle $\xi_0\colon E_0 \to M$. Setting $P_0 := \Gamma(\pi_\infty^*(\xi_0))$, we have $F \in P_0$.
Now it may happen that the equations $F_i([\phi])$ are not independent, but themselves satisfy some differential equation, independent of whether $[\phi]$ satisfies the equations $F_i([\phi]) = 0$ or not. Recalling that $F \in P_0$ is a section, we thus would have
$$\Phi(F) = 0 \in P_1,$$
where $P_1 = \Gamma(\pi_\infty^*(\xi_1))$ is another space of sections, also of a pullback of a bundle $\xi_1\colon E_1 \to M$ to $J^\infty(\pi)$, and where $\Phi\colon P_0 \to P_1$ is a differential operator in total derivatives. If $\Phi$ is $\mathbb{R}$-linear, then it induces a map $\Phi\colon J^\infty_\pi(\xi_0) = J^\infty(\pi) \times_M J^\infty(\xi_0) \to \pi_\infty^*(E_1)$, that we shall denote with the same symbol, by $\Phi([F], [\phi]) = \Phi(F)([\phi])$.
We consider the following example to see this machinery in action.
We consider the following example to see this machinery in action.

Example 2.12 (Electromagnetism). In the case of electromagnetism the independent variable is the gauge potential $A = A_i\,dx^i$, which is a one-form on the (four-dimensional) Riemannian⁸ manifold $M$. Defining the field strength $F = dA$, the equation of motion is then
$$F = d \star F = d \star dA = 0 \in \Lambda^3(M), \qquad \partial_i F^{ij} = 0,$$
where the second equation is the first one in coordinates; $\star$ is the Hodge star; and indices are raised using the Riemannian metric on $M$. The equations above tautologically satisfy
$$0 = dF = d^2 \star F = d^2 \star dA \in \Lambda^4(M), \qquad 0 = \partial_j\partial_i F^{ij},$$
independent of whether $A$ satisfies the equation of motion (the second equation, which again is the first one in coordinates, always holds because $\partial_j\partial_i$ is symmetric in an exchange of $i$ and $j$, while the two-form $F^{ij}$ is antisymmetric in $i$ and $j$). We now translate the above system to the formalism of jet space:

• The vector bundle containing the unknowns is $\pi\colon \Lambda^1(M) \to M$. Thus we take the infinite jet bundle $J^\infty(\pi)$ with respect to this bundle, with elements of the form $A = (A_i, A_{i;x}, \ldots, A_{i;\sigma}, \ldots) \in J^\infty(\pi)$. If $A$ is such a jet, then as an abuse of notation we shall still write $A = A_i\,dx^i \in \Lambda^1(\pi)$ in the remainder of this example.
• $F$ is a map that takes a jet $A$ and maps it to $F(A) = d \star dA \in \Lambda^3(\pi) = \pi_\infty^*(\Lambda^3(M) \to M)$. Thus we find $F \in P_0 = \Gamma\big(\pi_\infty^*(\Lambda^3(M) \to M)\big)$.
• Setting $P_1 = \Gamma\big(\pi_\infty^*(\Lambda^4(M) \to M)\big)$, we find that the relation between the equations of motion is encoded by
$$P_1 \ni \Phi(F) = dF = d^2 \star dA;$$
we see that $\Phi\colon P_0 \to P_1$ is a differential operator in total derivatives.

⁸ In physics literature the manifold $M$ is generally not Riemannian but pseudo-Riemannian, having a metric with signature $(-, +, +, +)$; this may be obtained by performing a Wick rotation in the time direction. For convenience we take $M$ to be Riemannian in this example.

We shall return to this case in Example 2.18 on p. 41 (although there we consider the larger class of Yang-Mills equations, from which electromagnetism can be obtained by taking $G = U(1)$ as the structure group).
Setting $\Phi_1 = \Phi$, it may happen that there are relations $\Phi_2(F, \Phi_1) = 0$ between the relations $\Phi_1$ and the equation $F$. Continuing, we may find relations $\Phi_i \in P_i$ between the lower generations of relations $F, \Phi_1, \ldots, \Phi_{i-1}$, resulting in a tower of spaces of sections $P_i$ that become progressively larger. We will assume, however, that this tower is finite; there are only $\lambda \in \mathbb{N}$ relations.
Now we specialize to Euler-Lagrange equations. A partial differential equation $\mathcal{E} = \{F([\phi]) = 0\}$ is Euler-Lagrange if it is of the form
$$\mathcal{E} = \{\delta S = 0 \in \hat\kappa(\pi)\}$$
for a certain $S = \int L\,d^n x \in \overline{H}^n(\pi)$, which is called the action; the function $L$ (or sometimes the density $L\,d^n x$) is called its Lagrangian. The $\mathcal{F}(\pi)$-module containing the equation $P_0$ is the range of the Euler operator; that is, $P_0 = \hat\kappa(\pi)$. Suppose that there is a relation $\Phi(F) = 0 \in P_1$ between the equation $F = \delta S$, and suppose moreover that this relation is linear (which indeed seems to be the case in the majority of the physics literature). Recall that (see section 1.1.6 on p. 9) the adjoint of $P_1$ is defined as $\hat P_1 = \mathrm{Hom}_{\mathcal{F}(\pi)}(P_1, \overline{\Lambda}^n(\pi))$; we denote the coupling between $\hat P_1$ and $P_1$ by $\langle\,,\rangle$ as usual. Having defined all the notations, we can now formulate and prove a particularly elegant version of Noether's second theorem.

Theorem 2.13 (Noether's second theorem). Consider the adjoint map $\Phi^\dagger\colon \hat P_1 \to \hat P_0 = \hat{\hat\kappa}(\pi) = \kappa(\pi)$ of the linear operator in total derivatives $\Phi\colon P_0 \to P_1$. Then $\Phi^\dagger(e)$ is a Noether symmetry of the action $S$ for any $e \in \hat P_1$, and therefore a symmetry of the Euler-Lagrange equation $\delta S = 0$.

Proof. Taking any element $e \in \hat P_1$, we trivially have
$$0 = \int\langle e, \Phi(F)\rangle \cong \int\langle\Phi^\dagger(e), F\rangle = \int\langle\Phi^\dagger(e), \delta S\rangle \cong \partial^{(\phi)}_{\Phi^\dagger(e)}(S);$$
although these are actually all equalities, we use the symbol $\cong$ to indicate that an integration by parts took place under the integration sign. The equation above says that $\Phi^\dagger(e) \in \kappa(\pi)$ is a Noether symmetry of the equation for any $e \in \hat P_1$. The second claim holds because any Noether symmetry of the action $S$ induces a symmetry of the equation $\delta S = 0$.
We should remark that $\Phi$ need not be linear in order for Noether's second theorem to hold. For a proof of the general nonlinear case, see e.g. [Kis12c, Ch. 6].
Let us set $\pi_0 = \pi$ and $\pi_i = \xi_i$. Proceeding in building the setup for the BV-Laplacian, we now take the parity-reversed covectors associated to the vectors⁹ $\partial^{(\phi)}_\varphi$, as before in Section 1.3, yielding the horizontal jet bundle $J^\infty_{\pi_0}(\Pi\hat\pi_0) = J^\infty(\pi_0 \times_M \Pi\hat\pi_0)$. We will denote the new odd fiber coordinates with $\phi^\dagger_a$ and $\phi^\dagger_{a,\sigma}$ for their derivatives; these are called the antifields. Passing to the bundle $P_1 = \Gamma(J^\infty_{\pi_0}(\pi_1))$ containing the Noether identities, we denote the fiber coordinates in $\pi_1$ with $\gamma^{\dagger,\mu}$ (the antighosts). Adjoining the parity-reversed dual bundle $\Pi\hat P_1$ as well, whose fiber coordinates are the odd ghosts $\gamma_\mu$, we obtain the jet space $J^\infty(\pi_0 \times_M \Pi\hat\pi_0 \times_M \pi_1 \times_M \Pi\hat\pi_1)$.
Continuing this reasoning, the higher order Noether relations between the other relations give rise to $\lambda + 1$ sets of pairs of dual, opposite-parity bundles $\pi_i \leftrightarrow \Pi\hat\pi_i$. Denoting the Whitney sums
$$\pi = \pi_0 \times_M \cdots \times_M \pi_\lambda \qquad\text{and}\qquad \pi_{BV} = \pi \times_M \Pi\hat\pi,$$
we thus have constructed the Batalin–Vilkovisky (BV) superbundle
$$(\pi_{BV})_\infty\colon J^\infty(\pi) \times_M J^\infty(\Pi\hat\pi) \longrightarrow M.$$
We denote by
$$q^\alpha = (\phi^a, \gamma^{\dagger,\mu}, c^{\dagger\nu}, \ldots)$$
the entire set of even-parity BV-coordinates and by
$$q^\dagger_\alpha = (\phi^\dagger_a, \gamma_\mu, c_\nu, \ldots)$$
their odd-parity duals.

⁹ Note that the vector bundle $\pi$ is used to introduce the physical fields $\phi^1, \ldots, \phi^m$; however, these objects could be, for example, components of a cov ector $A = \sum_{\alpha=1}^n \phi^\alpha\,dx^\alpha$ of a gauge connection's one-form in a fiber bundle over $M$ with a given structure Lie group (see Examples 2.12 and 2.18 on pages 37 and 41, respectively).


Remark 2.14. In the terminology of the previous chapter, elements $H \in \overline{H}^n(\pi_{BV})$ would be multivectors of the bundle $\boldsymbol{\pi}$, either nonhomogeneous or having a certain degree $|H|$. Here and onwards we will just call them integral functionals. This notion of the degree of functionals coincides with the ghost numbers or ghost parity from the physics literature; there the degree of $H$ is often written as $\epsilon(H)$ or $\mathrm{gh}(H)$.

The entire collection of auxiliary bundles – that is, $\pi_0$ and $\pi_i$ for all $i = 1, \ldots, \lambda$ – is even with respect to the ghost parity. The ghost parities of objects that belong to $P_i$ and $\Pi\widehat{P}_i$ at each $i$ are always opposite: the former are ghost-parity even and the latter are odd. Should one consider an independently graded setup of fields $\phi^a$ as fibers of a superbundle $\pi = \pi^0\,|\,\pi^1$ or a setup with $\mathbb{Z}$-graded differential forms taken as fields (see [CF00]), and should one then introduce the action functional $S \in \overline{H}^n(\pi)$, a count of extra signs in the equations of motion, Noether identities etc., would be tedious but straightforward (cf. Example 2.19 on page 41).

2.6 A Laplacian

In this final section we will examine a candidate BV-Laplacian $\Delta$ on $\overline{H}^n(\pi_{BV})$. Contrary to the conventional BV-Laplacian from the physical literature it will involve no delta-functionals or infinities, but unfortunately, it will turn out that with respect to the variational Schouten bracket on $M(\pi_{BV})$, it is not a Laplacian in the sense of Definition 2.1 on p. 28.
Definition 2.15. Let $H = \int h\, d^n x \in \overline{H}^n(\pi_{BV})$ be an integral functional, possibly depending on the entire collection of BV-variables and on their derivatives up to arbitrarily high order. We define a Laplacian $\Delta : \overline{H}^n(\pi_{BV}) \to \overline{H}^n(\pi_{BV})$ on the space of integral functionals as follows:
$$\Delta(H) = \int \frac{\overrightarrow{\delta}}{\delta q^\alpha}\left(\frac{\overrightarrow{\delta} h}{\delta q^\dagger_\alpha}\right) d^n x. \tag{2.11}$$

Remark 2.16. Consider the right variational derivative in the defining equation (2.11) for the Laplacian:
$$\frac{\overrightarrow{\delta}}{\delta q^\dagger_\alpha} = \frac{\overrightarrow{\partial}}{\partial q^\dagger_\alpha} + \sum_{\sigma \neq \varnothing} (-)^{|\sigma|}\, D_\sigma \circ \frac{\overrightarrow{\partial}}{\partial q^\dagger_{\alpha,\sigma}}.$$
To the immediate left of this in equation (2.11) stands the next variational derivative, $\overrightarrow{\delta}/\delta q^\alpha$. Since $\overrightarrow{\delta}/\delta q^\alpha \circ D_\sigma = 0$ for any $\alpha$ and any $\sigma \neq \varnothing$, all of the terms in the sum over $\sigma \neq \varnothing$ above disappear, and the right variational derivative $\overrightarrow{\delta}/\delta q^\dagger_\alpha$ becomes just $\overrightarrow{\partial}/\partial q^\dagger_\alpha$ in equation (2.11). Moreover, all terms of the left variational derivative that contain total derivatives do not contribute to the functional, because the integral over a total derivative is zero according to our convention on no boundary terms. Therefore, equation (2.11) reduces to
$$\Delta(H) = \int \frac{\overrightarrow{\partial}}{\partial q^\alpha}\frac{\overrightarrow{\partial} h}{\partial q^\dagger_\alpha}\, d^n x. \tag{2.12}$$
Thus, we find that our Laplacian is insensitive to all jet coordinates with derivatives, $q^\alpha_\sigma$ and $q^\dagger_{\alpha,\sigma}$ with $\sigma \neq \varnothing$. This results in some serious problems that we will discuss in Counterexample 2.20 on p. 42. First, however, we note that this observation has the following consequence.

Proposition 2.17. The linear operator $\Delta : \overline{H}^n(\pi_{BV}) \to \overline{H}^n(\pi_{BV})$ is a differential: $\Delta^2 = 0$.

Proof. Using the observation above twice, we obtain
$$\Delta^2(H) = \int \frac{\overrightarrow{\partial}}{\partial q^\alpha}\frac{\overrightarrow{\partial}}{\partial q^\dagger_\alpha}\frac{\overrightarrow{\partial}}{\partial q^\beta}\frac{\overrightarrow{\partial} h}{\partial q^\dagger_\beta}\, d^n x.$$
Since the middle two partial derivatives in this expression commute, this becomes
$$\Delta^2(H) = \int \frac{\overrightarrow{\partial}}{\partial q^\alpha}\frac{\overrightarrow{\partial}}{\partial q^\beta}\frac{\overrightarrow{\partial}}{\partial q^\dagger_\alpha}\frac{\overrightarrow{\partial}}{\partial q^\dagger_\beta}(h)\, d^n x.$$
This is the composition of an expression which is symmetric in $\alpha$ and $\beta$ (the left two partial derivatives) and an expression which is antisymmetric in $\alpha$ and $\beta$ (the right two partial derivatives). Therefore it is zero.

Although it will in general turn out to be a problem that the Laplacian $\Delta$ is insensitive to derivative coordinates $q^\alpha_\sigma$ (and $q^\dagger_{\alpha,\sigma}$), this is of course not an issue when the functional to which the Laplacian is applied does not contain any derivative coordinates – or when the terms that do contain them do not contribute, as is the case in the following example.

Example 2.18. Take a compact, semisimple Lie group $G$ with Lie algebra $\mathfrak{g}$ and consider the corresponding Yang-Mills theory (cf. Example 2.12 on p. 37, where $G = U(1)$). Write $A^a_i$ for (the coordinate expression of) the gauge potential $A$ – a lower index $i$ because $A$ is a one-form on the base manifold (i.e., a covector), and an upper index $a$ because $A$ is a vector in the Lie algebra $\mathfrak{g}$ of the Lie group $G$. Defining the field strength $F$ by $F^a_{ij} = \partial_i A^a_j - \partial_j A^a_i + f^a_{bc} A^b_i A^c_j$, where $f^a_{bc}$ are the structure constants of $\mathfrak{g}$, the Yang-Mills action is
$$S_0 = \int \frac14 F^a_{ij} F^{a,ij}\, d^n x.$$
Denoting the parity-odd ghosts from $\Pi\widehat{P}_1$ by $\gamma^a$ and the even antighosts from $P_1$ by $\gamma^\dagger_c$, the full BV-action $S_{YM}$ is
$$S_{YM} = S_0 + \int A^{i\dagger}_a\,\big(D_i\gamma^a + f^a_{bc} A^b_i \gamma^c\big)\, d^4x - \int \frac12 f^c_{ab}\,\gamma^a\gamma^b\gamma^\dagger_c\, d^4x.$$
Let us calculate the Laplacian of this functional. As a consequence of equation (2.11), the only terms which survive in $\Delta(S_{YM})$ are those which contain both $A$ and $A^\dagger$, or both $\gamma$ and $\gamma^\dagger$ (this is so for both our Laplacian $\Delta$ and the BV-Laplacian from the literature). Therefore,
$$\begin{aligned}
\Delta(S_{YM}) &= \int \left( \frac{\overrightarrow{\delta}}{\delta A^d_j}\frac{\overrightarrow{\delta}}{\delta A^{j\dagger}_d}\big(f^a_{bc} A^{i\dagger}_a A^b_i \gamma^c\big) - \frac12 \frac{\overrightarrow{\delta}}{\delta \gamma^\dagger_d}\frac{\overrightarrow{\delta}}{\delta \gamma^d}\big(f^c_{ab}\gamma^a\gamma^b\gamma^\dagger_c\big) \right) d^4x \\
&= \int \left( \frac{\overrightarrow{\delta}}{\delta A^d_j}\big(f^d_{bc} A^b_j \gamma^c\big) - \frac12 \frac{\overrightarrow{\delta}}{\delta \gamma^\dagger_d}\big(f^c_{db}\gamma^b\gamma^\dagger_c - f^c_{ad}\gamma^a\gamma^\dagger_c\big) \right) d^4x \\
&= \int \left( f^d_{dc}\gamma^c - \frac12\big(f^d_{db}\gamma^b - f^d_{ad}\gamma^a\big) \right) d^4x = 0.
\end{aligned}$$
The last step uses that the structure constants of a semisimple Lie algebra are traceless, $f^d_{dc} = 0$.

Example 2.19. Consider the nonlinear Poisson sigma model introduced in [CF00]. Since its fields are not all purely even, we would have to generalize all of our reasoning so far to a $\mathbb{Z}_2$-graded setup – which is, as noted before, tedious but straightforward. A calculation of $\Delta(S_{CF})$ of the BV-action $S_{CF}$ of this model would, up to minor differences in conventions and notations, proceed just as it does in the paper itself, in section 3.2 – except that no infinite constants or delta functions appear.

Contrary to the conventional BV-Laplacian, the Laplacian $\Delta$ defined here does not always satisfy the equation $\Delta(\llbracket F, G\rrbracket) = \llbracket \Delta F, G\rrbracket + (-)^{|F|-1}\llbracket F, \Delta G\rrbracket$. The reason is that if we were to proceed with the calculation of $\Delta(\llbracket F, G\rrbracket)$, it is not permissible to swap the symbols $\delta/\delta q^\alpha$ – which here stand for the variational derivative – with each other. To see this explicitly, take the following counterexample.

Counterexample 2.20. Let the base and fiber both be one-dimensional, and set
$$F = \int q^\dagger q\, q_{xx}\, dx \quad\text{and}\quad G = \int q^\dagger_{xx} \cos q\, dx.$$
Let $f$ and $g$ be the two integrands. We calculate
$$\begin{aligned}
\frac{\delta f}{\delta q} &= q^\dagger q_{xx} + D_x^2(q^\dagger q) = q^\dagger q_{xx} + q^\dagger_{xx} q + 2 q^\dagger_x q_x + q^\dagger q_{xx} = 2 q^\dagger q_{xx} + q^\dagger_{xx} q + 2 q^\dagger_x q_x, \qquad (2.13)\\
\frac{\overleftarrow{\delta} f}{\delta q^\dagger} &= q\, q_{xx}, \qquad \frac{\overrightarrow{\delta} g}{\delta q} = -q^\dagger_{xx} \sin q, \\
\frac{\delta g}{\delta q^\dagger} &= D_x^2(\cos q) = D_x(-q_x \sin q) = -q_{xx}\sin q - q_x^2 \cos q.
\end{aligned}$$
(Note that since all four variational derivatives contain at most one parity-odd $q^\dagger$ or its derivatives, the directions of the arrows do not actually matter – i.e., switching their direction does not result in minus signs.) Consider $\Delta(\llbracket F, G\rrbracket)$. As was noted in Remark 2.16 on p. 40, we may write $\Delta(H) = \int (\partial/\partial q) \circ (\partial/\partial q^\dagger)(h)\, dx$ for any $H = \int h\, dx \in \overline{H}^n(\pi_{BV})$; therefore, only terms in which $\llbracket F, G\rrbracket$ carries both a $q$ and a $q^\dagger$ without derivatives with respect to the base space survive. This implies that in the first term of the bracket, $\delta f/\delta q \cdot \overleftarrow{\delta} g/\delta q^\dagger$, the second and third term of the right hand side of (2.13) do not contribute (they contain $q^\dagger$ only with derivatives), so we need not take them into account:
$$\llbracket F, G\rrbracket = \int \Big( 2 q^\dagger q_{xx}\,(-q_{xx}\sin q - q_x^2 \cos q) + \cdots - q\, q_{xx}\cdot(-q^\dagger_{xx}\sin q) \Big)\, dx,$$
where the dots indicate the omitted terms. For the same reason, the last term also does not contribute.
We calculate
$$\begin{aligned}
\Delta(\llbracket F, G\rrbracket) &= -2\int \frac{\partial}{\partial q}\frac{\partial}{\partial q^\dagger}\big(q^\dagger q_{xx}^2 \sin q + q^\dagger q_{xx} q_x^2 \cos q\big)\, dx \\
&= -2\int \frac{\partial}{\partial q}\big(q_{xx}^2 \sin q + q_{xx} q_x^2 \cos q\big)\, dx \\
&= -2\int \big(q_{xx}^2 \cos q - q_{xx} q_x^2 \sin q\big)\, dx,
\end{aligned}$$
whose integrand is not cohomologically trivial (as may be seen by calculating its variational derivative, which gives nonzero).
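The variational derivative mentioned in the last sentence, carried out here as an added worked check (not part of the original text). Write $h = q_{xx}^2\cos q - q_{xx} q_x^2 \sin q$ for the integrand of $\Delta(\llbracket F,G\rrbracket)$ up to the factor $-2$, and use $\delta h/\delta q = \partial h/\partial q - D_x(\partial h/\partial q_x) + D_x^2(\partial h/\partial q_{xx})$:
$$\begin{aligned}
\frac{\partial h}{\partial q} &= -q_{xx}^2 \sin q - q_{xx} q_x^2 \cos q, \\
-D_x\Big(\frac{\partial h}{\partial q_x}\Big) &= -D_x\big(-2 q_{xx} q_x \sin q\big) = 2 q_{xxx} q_x \sin q + 2 q_{xx}^2 \sin q + 2 q_{xx} q_x^2 \cos q, \\
D_x^2\Big(\frac{\partial h}{\partial q_{xx}}\Big) &= D_x^2\big(2 q_{xx}\cos q - q_x^2 \sin q\big) = D_x\big(2 q_{xxx}\cos q - 4 q_x q_{xx}\sin q - q_x^3 \cos q\big) \\
&= 2 q_{xxxx}\cos q - 6 q_x q_{xxx}\sin q - 4 q_{xx}^2 \sin q - 7 q_x^2 q_{xx}\cos q + q_x^4 \sin q,
\end{aligned}$$
so that, collecting terms,
$$\frac{\delta h}{\delta q} = 2 q_{xxxx}\cos q - 4 q_x q_{xxx}\sin q - 3 q_{xx}^2 \sin q - 6 q_x^2 q_{xx}\cos q + q_x^4 \sin q \neq 0.$$
The term $2 q_{xxxx}\cos q$ cannot cancel against any other term, so $h$ is not a total derivative and indeed $\Delta(\llbracket F, G\rrbracket) \neq 0$.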
Now $\Delta F = \int q_{xx}\, dx \cong 0$, so $\llbracket \Delta F, G\rrbracket = 0$. On the other hand, $g$ has no $q^\dagger$ without any $x$-derivatives in it, so $\Delta G = 0$, so $\llbracket F, \Delta G\rrbracket = 0$ as well. In conclusion,
$$\llbracket \Delta F, G\rrbracket + (-)^{|F|-1}\llbracket F, \Delta G\rrbracket = 0 \neq \Delta(\llbracket F, G\rrbracket).$$
Thus, we find that
$$\Delta(\llbracket F, G\rrbracket) = \llbracket \Delta F, G\rrbracket + (-)^{|F|-1}\llbracket F, \Delta G\rrbracket \tag{2.14}$$
does not hold. Moreover, this implies that the triad $(M(\pi_{BV}), \llbracket\,,\rrbracket, \Delta)$ cannot be a BV-algebra in the sense of Definition 2.1 on p. 28. Indeed, suppose that $(M(\pi_{BV}), \llbracket\,,\rrbracket, \Delta)$ is a BV-algebra; then the equation above would be a consequence of
$$\llbracket F, G\rrbracket = (-)^{|F|}\big(\Delta(FG) - \Delta(F)\,G - (-)^{|F|} F\,\Delta G\big), \tag{2.15}$$
as noted in Proposition 2.2 on p. 28. Since (2.14) does not hold, we conclude that it is impossible for (2.15) to hold. Contrary to the case of the Schouten bracket, which we extended to products of functionals by a definition, we cannot solve the problem by simply defining $\Delta(FG)$ to be such that equation (2.15) becomes true.

Remark 2.21. Let us briefly attempt to give an intuitive, non-rigorous reason as to why our approach did not work. In Remark 2.9 we have seen that the product of two integral functionals $F \cdot G$ is not itself an integral functional, but an element of $\overline{H}^{2n}(\pi \times \pi)$. That is, each integral functional lives on its own separate copy of the bundle, and when we multiply them, these bundles remain separate (up until we evaluate it on the diagonal $F[q]\,G[q]$).

We believe that the reason why a Laplacian defined in terms of a double functional derivative works (at the cost of involving delta-functions and infinite constants), while one defined in terms of a double variational derivative does not work, is similar in nature. Consider the defining formula for the functional derivative $\frac{\delta F[q]}{\delta q^\alpha(x)}$ of a functional:
$$\int \frac{\delta F[q]}{\delta q^\alpha(x)}\,\phi(x)\, dx = \frac{d}{dt}\Big|_{t=0} F[q^\alpha + t\phi],$$
where the test function $\phi$ must have compact support but may otherwise be arbitrary. Taking a second functional derivative, we obtain
$$\iint \frac{\delta}{\delta q^\beta(y)}\frac{\delta F[q]}{\delta q^\alpha(x)}\,\phi(x)\psi(y)\, dx\, dy = \frac{d}{dt}\Big|_{t=0}\frac{d}{d\tilde t}\Big|_{\tilde t=0} F[q + t\phi + \tilde t\psi].$$
The right hand side makes it immediately clear that, in contrast with variational derivatives, functional derivatives commute. From the left hand side we can see a different reason for this phenomenon: the two functional derivatives refer to two different integrals, i.e., two different geometries, as is the case for the product of two functionals as noted above. Because they are separate from each other in this way, we can freely swap them, just as one can swap partial derivatives of a smooth function.

Consider now a double variational derivative of some function. The two variational derivatives now refer to the same geometry, and are not insensitive to each other the way functional derivatives are. Indeed, we have seen in Remark 2.16 on p. 40 that the left variational derivative of the Laplacian defined in (2.11) on p. 40 eats the total derivatives coming from the right variational derivative, while the integration over the base space removes the total derivatives of the left variational derivative. From a more phenomenological perspective, we might say that what a double variational derivative calculates does not correspond to our intuition and expectation of taking multiple derivatives.

As a result of this, our Laplacian is insensitive to any dependence of its argument on derivative coordinates, which is a very strange thing indeed to have in a variational setup. Indeed, since we have already seen that the Schouten bracket is sensitive to the presence of derivative coordinates, it is perhaps unreasonable to expect the Laplacian and Schouten bracket to combine to any reasonable structure such as a BV-algebra.

We suspect, then, that what we need is the following: a generalization or re-interpretation of the variational derivative that, like functional derivatives, brings with it its own geometry, so that when applied twice these geometries do not interfere with each other. Of course, such a double application of this operator should be sensitive to derivative coordinates. At the same time we do not want it to involve delta-functions when applied once, twice, or any number of times. We remain hopeful that such an operator may be defined in terms of jet bundles. Note that the Euler operator satisfies a Leibniz rule (see Proposition 2.10), while the variational derivative does not, so in that sense the Euler operator is closer to the functional derivative. Perhaps the operator that we are looking for, then, is the Euler operator or some close relative. Unfortunately, we did not have time to pursue this any further.

We will briefly return to these matters in Remark 4.5 on p. 74.
Chapter 3

Deformation quantization and the dual of Lie algebras

Deformation quantization is one of the ways in which one can convert a classical physics theory into a quantum mechanical theory. In this chapter, we review the technique of deformation quantization and its relation to the Hochschild complex of the ring of functions, after which we give a thorough explanation of the Kontsevich deformation quantization of the dual of Lie algebras.

3.1 Introduction

In physics, quantization refers to the process of taking a classical (that is, non-quantum-mechanical) theory of a physical system, and converting it into a quantum mechanical theory of the same system. There are many methods for achieving this, varying in complexity, how they work, and how rigorous they are. One technique, whose origin seems to be the influential papers [Bay+77; Bay+78a; Bay+78b], is called deformation quantization; it revolves around the idea that the quantum mechanical space of observables should be understood as a deformation of the pointwise product of the algebra of classical observables $C^\infty(M)$ on the manifold $M$. The deformation parameter is the Planck constant $\hbar$ (which here is just a formal parameter, instead of its physical value). Intuitively, the act of deformation quantization then is to "restore" the higher-order terms with respect to $\hbar$ that have been neglected in the classical version of the theory. In order to retain the correspondence with the original classical system, the deformation quantization will have to be compatible with the mathematical structures in terms of which the physics of the classical system was described.
For some types of manifolds, notably symplectic manifolds, it has been known for some time how to achieve deformation quantization. Then, in 1997, Maxim Kontsevich posted an article to the arXiv (see http://arxiv.org/abs/q-alg/9709040) that was published in Letters in Mathematical Physics a full six years later [Kon03], in which he proved that any Poisson manifold can be deformation quantized. In this article Kontsevich briefly considers the resulting deformation quantization of the dual $\mathfrak{g}^*$ of a Lie algebra $\mathfrak{g}$, which has a natural Poisson structure induced by the Lie bracket on $\mathfrak{g}$. We will extensively review this case in section 3.6.

Before that, we first define star products in general in section 3.2, and then the Kontsevich star product in section 3.3. In section 3.4 we examine the automorphisms of star products, arriving at the concept of gauge transformations; after that we study Hochschild cohomology and its relation to star products in section 3.5.
Let us first give a brief description of the physical meaning of Poisson manifolds: the following is known as the Hamiltonian formalism. Let $M$ be a Poisson manifold with Poisson bivector $\alpha \in \bigwedge^2 TM$ so that $\{f, g\} = \alpha(df, dg)$. If $H \in C^\infty(M)$ is a function, then $X_H := \{\cdot, H\} = \alpha(d\,\cdot, dH)$ is a vector field, called the Hamiltonian vector field of $H$. One is then interested in the integral curves $\gamma : I \to M$ along $X_H$; that is, solutions of the differential equation
$$\dot\gamma(t) = X_H(\gamma(t)). \tag{3.1}$$
Thus, the dynamics of the system are determined by the function $H$ and the Poisson bracket $\{\,,\}$ on $M$.

Example 3.1. If $H$ is the Hamiltonian of a classical system, and the coordinates on phase space $\mathbb{R}^2$ are $p, q$, then Hamilton's equations read
$$\dot q = \frac{\partial H}{\partial p}, \qquad \dot p = -\frac{\partial H}{\partial q}.$$
Setting $\gamma(t) = (p(t), q(t))$, this is the same as
$$\begin{aligned}
\dot\gamma(t) &= \dot p(t)\,\frac{\partial}{\partial p}\Big|_{\gamma(t)} + \dot q(t)\,\frac{\partial}{\partial q}\Big|_{\gamma(t)} \\
&= -\frac{\partial H}{\partial q}(t)\,\frac{\partial}{\partial p}\Big|_{\gamma(t)} + \frac{\partial H}{\partial p}(t)\,\frac{\partial}{\partial q}\Big|_{\gamma(t)} = X_H(\gamma(t)),
\end{aligned}$$
where $X_H$ is the vector field $X_H = -\frac{\partial H}{\partial q}\frac{\partial}{\partial p} + \frac{\partial H}{\partial p}\frac{\partial}{\partial q}$. With respect to the Poisson structure $\alpha = -\frac{\partial}{\partial p}\wedge\frac{\partial}{\partial q}$ (which is dual to the symplectic two-form $\omega = dp \wedge dq$) we precisely have $X_H = \{\cdot, H\}$.

A deformation quantization of such a Hamiltonian system would be an associative star product
$$(f, g) \mapsto f \star g$$
on the ring $C^\infty(M)\llbracket\hbar\rrbracket \ni f, g$ of formal power series over $C^\infty(M)$; the star product $\star$ has to be such that the zeroth-order term of $f \star g$ is the pointwise product $fg$ while the first-order term is the Poisson bracket $\{f, g\}$. We will describe this in more detail in the next section, after the following example.
Example 3.2. For a first example of a star product, we begin with $V := \mathbb{R}^3$, together with the cross product $(v, w) \mapsto v \times w \in V$ of two vectors. This antisymmetric product features prominently in areas of physics such as mechanics and electromagnetism, and it has many generalizations to more abstract spaces. It is, however, not associative (instead, it satisfies the Jacobi identity). One of the generalizations of this cross product is a family of related products, called star products. Although these products are generally not commutative or anticommutative, they are, contrary to the cross product, always associative.

We proceed as follows. First, we take the symmetric algebra $S(\mathbb{R}^3)$ of $\mathbb{R}^3$, whose product (that we denote by $\cdot$ or concatenation) is commutative and associative but satisfies no other relations. We extend the cross product $\times$ of $\mathbb{R}^3$ to $S(\mathbb{R}^3)$ inductively by the following equation (the Leibniz rule):
$$(uv) \times w = u(v \times w) + v(u \times w)$$
(the brackets indicate which product is to be performed first). Requiring that $\times$ stays anticommutative on $S(\mathbb{R}^3)$ fixes it completely.

Writing $v^n$ for the symmetric product of $n$ vectors $v$, and $v^{\times n}$ for the cross product of $n$ vectors $v$, we have the following.

Theorem 3.3. For each $\hbar \in \mathbb{R}$ there is an associative star product $\star$ on $S(\mathbb{R}^3)$, satisfying for any $v, w \in \mathbb{R}^3$:
$$v^n \star w = \sum_{k=0}^{n} \binom{n}{k}\, \hbar^k\, \widehat{B}_k\, v^{n-k}\,(v^{\times k} \times w),$$
where the $\widehat{B}_k$ are the (first) Bernoulli numbers.¹ In particular,
$$v \star w = vw + \frac{\hbar}{2}(v \times w).$$
Thus, for example,
$$v^2 \star w = v^2 w + \hbar\, v(v \times w) + \frac{\hbar^2}{6}\, v \times v \times w. \tag{3.2}$$
The two equations in the theorem above in fact determine the star product $x \star y$ for all $x, y \in S(\mathbb{R}^3)$.

This is an example of the Kontsevich product on Lie algebras.² We shall discuss these in more general form, and prove the theorem above, in section 3.6.3 on p. 65, and we will return to this example in Example 3.34 on p. 68.

¹ The (first) Bernoulli numbers are the coefficients of the Taylor series of $-x/(e^{-x} - 1)$:
$$\frac{-x}{e^{-x} - 1} = \sum_{k=0}^{\infty} \widehat{B}_k \frac{x^k}{k!}.$$
The first of these numbers are $\widehat{B}_0 = 1$, $\widehat{B}_1 = 1/2$, $\widehat{B}_2 = 1/6$, $\widehat{B}_4 = -1/30$, while $\widehat{B}_k = 0$ for any odd $k$ larger than 1.

² Actually, a star product which is gauge equivalent to the Kontsevich product.

3.2 Star products

Let $M$ be a smooth manifold; we will denote with $A = C^\infty(M)$ its ring of smooth functions, which is an associative algebra over $\mathbb{R}$. We consider the space of formal power series $A\llbracket\hbar\rrbracket$ over $A$ in the parameter $\hbar$.

Definition 3.4. A star product is an $\mathbb{R}\llbracket\hbar\rrbracket$-linear product on $A\llbracket\hbar\rrbracket$, which for $f, g \in A$ takes the following form:
$$(f, g) \mapsto f \star g = fg + \hbar B_1(f, g) + \hbar^2 B_2(f, g) + \cdots = \sum_{i=0}^{\infty} \hbar^i B_i(f, g),$$
where $B_0(f, g) = fg$, such that

• the star product is associative,

• the constant function $1 \in A$ is a unit: $1 \star f = f \star 1 = f$ for all $f \in A$,

• $B_i$ is for each $i$ a bilinear differential operator of bounded order, i.e. they are of the form
$$B_i(f, g) = \sum_{K, L} \beta^{KL}_i\, (\partial_K f)(\partial_L g).$$
Here $K, L$ are multi-indices of any length; $\partial_K$ is the usual notation for higher order derivatives; and $\beta^{KL}_i$ is smooth for all its indices, and, for each $i$, nonzero for only finitely many choices of $K, L$.

How the star product acts on arbitrary elements of $A\llbracket\hbar\rrbracket$ (that is, formal power series of smooth functions) follows from the condition of $\mathbb{R}\llbracket\hbar\rrbracket$-linearity:
$$\Big(\sum_{n \geq 0} \hbar^n f_n\Big) \star \Big(\sum_{m \geq 0} \hbar^m g_m\Big) = \sum_{n, m} \hbar^{n+m} f_n \star g_m = \sum_{n, m} \hbar^{n+m} f_n g_m + \sum_{n, m,\, l \geq 1} \hbar^{n+m+l} B_l(f_n, g_m).$$
There are some immediate consequences to this definition. First, from $f = 1 \star f = 1 \cdot f + \sum_{n \geq 1} \hbar^n B_n(1, f)$ it follows that, for any $n \geq 1$,
$$B_n(1, f) = B_n(f, 1) = 0,$$
and by linearity it follows that $B_n$ always gives zero whenever one of its arguments is constant. Moreover, we have the following.
Proposition 3.5. $B_1$ satisfies for all $f, g, h \in A$
$$f\, B_1(g, h) - B_1(fg, h) + B_1(f, gh) - B_1(f, g)\, h = 0. \tag{3.3}$$
This means precisely that the map $B_1 : A \otimes A \to A$ is a 2-cocycle in the Hochschild complex of $A$, which will be discussed later (see Section 3.5 starting on p. 56).

Proof. Working out associativity up to and including first order, we have
$$\begin{aligned}
(f \star g) \star h &= \big(fg + \hbar B_1(f, g) + O(\hbar^2)\big) \star h = fgh + \hbar B_1(f, g)\, h + \hbar B_1(fg, h) + O(\hbar^2), \\
f \star (g \star h) &= f \star \big(gh + \hbar B_1(g, h) + O(\hbar^2)\big) = fgh + \hbar f\, B_1(g, h) + \hbar B_1(f, gh) + O(\hbar^2).
\end{aligned}$$
Subtracting the upper equation from the lower one gives
$$0 = \hbar\big(f\, B_1(g, h) + B_1(f, gh) - B_1(fg, h) - B_1(f, g)\, h\big) + O(\hbar^2),$$
from which the result follows.

Let us decompose $B_1$ into a symmetric and an antisymmetric part: $B_1^+(f, g) = \frac12\big(B_1(f, g) + B_1(g, f)\big)$ and $B_1^-(f, g) = \frac12\big(B_1(f, g) - B_1(g, f)\big)$.

Proposition 3.6. The antisymmetric part $B_1^-$ of $B_1$ is a biderivation, i.e. a derivation with respect to both arguments. Thus there exists a bivector $\alpha \in \Gamma(M, \bigwedge^2 TM)$ such that
$$B_1^-(f, g) = \langle \alpha, df \wedge dg\rangle$$
for any $f, g \in A$, where $\langle\,,\rangle$ is the natural coupling between differential forms and multivectors.

This statement is a corollary of the more general Corollary 3.20 on p. 60, but we provide a direct proof below.

Proof. It suffices to show that $B_1^-$ is a derivation in its first slot. If it is, then by antisymmetry it is also a derivation in its second slot, and any antisymmetric $\mathbb{R}$-bilinear map which is a biderivation is of the form described above. Thus, let $f, g, h \in A$. As $B_1$ satisfies equation (3.3), so does $(f, g) \mapsto B_1(g, f)$ (since $A$ is commutative), and hence so does the antisymmetric part $B_1^-$. Now, using (3.3) twice (with the substitutions $f \to h$, $h \to g$ and $g \to f$ in the second line), we have
$$\begin{aligned}
B_1^-(fg, h) &= f\, B_1^-(g, h) + B_1^-(f, gh) - B_1^-(f, g)\, h, \\
-B_1^-(h, fg) &= h\, B_1^-(f, g) - B_1^-(hf, g) - B_1^-(h, f)\, g.
\end{aligned}$$
Then
$$\begin{aligned}
2 B_1^-(fg, h) &= B_1^-(fg, h) - B_1^-(h, fg) \\
&= f\, B_1^-(g, h) + B_1^-(f, gh) - B_1^-(hf, g) - B_1^-(h, f)\, g.
\end{aligned}$$
But, once again using (3.3), the inner two terms can be rewritten as follows:
$$B_1^-(f, hg) - B_1^-(fh, g) = -f\, B_1^-(h, g) + B_1^-(f, h)\, g,$$
so that
$$\begin{aligned}
2 B_1^-(fg, h) &= f\, B_1^-(g, h) - f\, B_1^-(h, g) + B_1^-(f, h)\, g - B_1^-(h, f)\, g \\
&= 2\big(f\, B_1^-(g, h) + g\, B_1^-(f, h)\big).
\end{aligned}$$

Let us denote for any $f, g \in A$
$$\{f, g\}_\star := \frac{f \star g - g \star f}{\hbar} \bmod \hbar = 2 B_1^-(f, g).$$

Proposition 3.7. The bracket $\{\,,\}_\star$ satisfies the Jacobi identity,
$$\{f, \{g, h\}_\star\}_\star + \{g, \{h, f\}_\star\}_\star + \{h, \{f, g\}_\star\}_\star = 0.$$

Proof. By a direct verification, using associativity of $\star$ to cancel the terms pairwise:
$$\begin{aligned}
&\{f, \{g, h\}_\star\}_\star + \{g, \{h, f\}_\star\}_\star + \{h, \{f, g\}_\star\}_\star \\
&= \frac{1}{\hbar^2}\Big( f \star (g \star h) - f \star (h \star g) - (g \star h) \star f + (h \star g) \star f \\
&\qquad + g \star (h \star f) - g \star (f \star h) - (h \star f) \star g + (f \star h) \star g \\
&\qquad + h \star (f \star g) - h \star (g \star f) - (f \star g) \star h + (g \star f) \star h \Big) \bmod \hbar \\
&= 0.
\end{aligned}$$

The previous two propositions show that the bracket $\{\,,\}_\star$ induced by $B_1^-$ is in fact a Poisson bracket on $M$, for any star product $\star$ on $M$. It may then happen that, if $M$ is a Poisson manifold with Poisson bracket $\{\,,\}$ and $\star$ is a star product on $M$, the Poisson bracket of $M$ coincides with the one induced by $\star$; that is, $\{f, g\} = \{f, g\}_\star$ for any $f, g \in A$. When this is the case, we say that the star product $\star$ is a deformation of the Poisson bracket $\{\,,\}$. A natural question is then whether every Poisson bracket can be deformed to a star product in this sense; Kontsevich showed in [Kon03] that this is indeed the case.

Example 3.8. (See, e.g., [Kon03] or [CI], from which the calculation below comes.) Let $M = \mathbb{R}^n$ with the Poisson bivector $\alpha = \alpha^{ij}\partial_i \wedge \partial_j$, where the coefficients $\alpha^{ij}$ are constant and such that $\alpha^{ij} = -\alpha^{ji}$. The bracket associated to this bivector then automatically satisfies the Jacobi identity so that it is a Poisson bracket. There is a well-known star product, called the Moyal product, associated to this Poisson structure:
$$\begin{aligned}
(f \star g)(x) &= \Big( fg + \hbar\, \alpha^{ij}\partial_i(f)\partial_j(g) + \frac{\hbar^2}{2}\alpha^{ij}\alpha^{kl}\partial_i\partial_k(f)\partial_j\partial_l(g) + \cdots \Big)(x) \\
&= \exp\Big(\hbar\, \alpha^{ij}\frac{\partial}{\partial x^i}\frac{\partial}{\partial y^j}\Big) f(x)\, g(y)\Big|_{x = y}. \qquad (3.4)
\end{aligned}$$
It is clear that the antisymmetric part of the first-order term $B_1$ of this star product equals the bracket given by $\alpha = \alpha^{ij}\partial_i \wedge \partial_j$. Moreover, this star product is associative. Indeed, observe first that
$$\frac{\partial}{\partial x}\big(f(x, y)\big|_{x = y}\big) = \Big(\Big(\frac{\partial}{\partial x} + \frac{\partial}{\partial y}\Big) f(x, y)\Big)\Big|_{x = y}.$$
Now
$$\begin{aligned}
((f \star g) \star h)(x) &= \Big[\exp\Big(\hbar\, \alpha^{ij}\frac{\partial}{\partial x^i}\frac{\partial}{\partial z^j}\Big)(f \star g)(x)\, h(z)\Big]_{x = z} \\
&= \Big[\exp\Big(\hbar\, \alpha^{ij}\frac{\partial}{\partial x^i}\frac{\partial}{\partial z^j}\Big)\Big(\Big(\exp\Big(\hbar\, \alpha^{kl}\frac{\partial}{\partial x^k}\frac{\partial}{\partial y^l}\Big) f(x)\, g(y)\Big)\Big|_{x = y}\, h(z)\Big)\Big]_{x = z} \\
&= \Big[\exp\Big(\hbar\, \alpha^{ij}\Big(\frac{\partial}{\partial x^i} + \frac{\partial}{\partial y^i}\Big)\frac{\partial}{\partial z^j}\Big)\exp\Big(\hbar\, \alpha^{kl}\frac{\partial}{\partial x^k}\frac{\partial}{\partial y^l}\Big) f(x)\, g(y)\, h(z)\Big]_{x = y = z} \\
&= \Big[\exp\Big(\hbar\Big(\alpha^{ij}\frac{\partial}{\partial x^i}\frac{\partial}{\partial z^j} + \alpha^{kl}\frac{\partial}{\partial y^k}\frac{\partial}{\partial z^l} + \alpha^{mn}\frac{\partial}{\partial x^m}\frac{\partial}{\partial y^n}\Big)\Big) f(x)\, g(y)\, h(z)\Big]_{x = y = z} \\
&= \Big[\exp\Big(\hbar\, \alpha^{ij}\frac{\partial}{\partial x^i}\Big(\frac{\partial}{\partial y^j} + \frac{\partial}{\partial z^j}\Big)\Big)\exp\Big(\hbar\, \alpha^{kl}\frac{\partial}{\partial y^k}\frac{\partial}{\partial z^l}\Big) f(x)\, g(y)\, h(z)\Big]_{x = y = z} \\
&= (f \star (g \star h))(x).
\end{aligned}$$
For later reference, when $M = \mathbb{R}^2$ and the Poisson bivector with respect to the coordinates $x^1$ and $x^2$ is written in the form $\alpha = \partial_1 \wedge \partial_2 - \partial_2 \wedge \partial_1$ (that is, $\alpha^{12} = -\alpha^{21} = 1$), then we can use the binomial theorem on (3.4) to obtain
$$\begin{aligned}
(f \star g)(x) &= \exp\Big(\hbar\Big(\frac{\partial}{\partial x^1}\frac{\partial}{\partial y^2} - \frac{\partial}{\partial x^2}\frac{\partial}{\partial y^1}\Big)\Big) f(x)\, g(y)\Big|_{x = y} \\
&= \sum_{n = 0}^{\infty} \frac{\hbar^n}{n!} \sum_{i = 0}^{n} (-)^i \binom{n}{i} \frac{\partial^n f}{(\partial x^1)^{n-i}(\partial x^2)^i}(x)\, \frac{\partial^n g}{(\partial x^1)^i(\partial x^2)^{n-i}}(x). \qquad (3.5)
\end{aligned}$$
3.3 The Kontsevich star product

In this section we give a brief description of the Kontsevich star product. We first introduce a set $G_n$ of oriented labeled graphs.

Definition 3.9. For an integer $n \geq 0$ we say that a graph $\Gamma$ belongs to $G_n$ if

• $\Gamma$ is oriented, labeled, and has no multiple edges and no loops;

• $\Gamma$ has $n + 2$ vertices called $\{1, \ldots, n\} \cup \{L, R\}$, and $2n$ edges;

• from each vertex $k$ start two edges, that we denote by $i_k$ and $j_k$ respectively. These edges are ordered as $(i_k, j_k)$.

The set $G_n$ is finite; it contains $(n(n+1))^n$ elements for $n \geq 1$ and one element for $n = 0$. It follows immediately from the definition that all edges start at the vertices $\{1, \ldots, n\}$ and none of them start at $L$ or $R$.

Next, we associate to each graph $\Gamma \in G_n$ a bidifferential operator
$$B_{\Gamma, \alpha} : A \times A \to A, \qquad A = C^\infty(V),\ V \text{ a coordinate chart in } \mathbb{R}^n,$$
that depends on the bivector $\alpha$ (which need not necessarily be Poisson for this procedure), as follows:

• at the vertex $k$ which has outgoing arrows $i_k, j_k$, put the coefficient $\alpha^{i_k j_k}$;

• put a derivative $\partial_{i_k} = \partial/\partial x^{i_k}$ at each edge $i_k$, and $\partial_{j_k}$ at each edge $j_k$;

• place a function $f \in A$ at $L$ and $g \in A$ at $R$;

• multiply all elements described above in the order given by the labeling of the graph.

Take for example the following graph $\Gamma \in G_3$ (figure omitted; its edges are $i_1 : 1 \to L$, $j_1 : 1 \to R$, $i_2 : 2 \to R$, $j_2 : 2 \to 3$, $i_3 : 3 \to L$ and $j_3 : 3 \to R$). This graph corresponds to the differential operator
$$B_{\Gamma, \alpha} = \alpha^{i_1 j_1}\, \alpha^{i_2 j_2}\, \partial_{j_2}(\alpha^{i_3 j_3})\, \partial_{i_1}\partial_{i_3}(f)\, \partial_{j_1}\partial_{i_2}\partial_{j_3}(g).$$

Kontsevich then essentially proved in [Kon03] that there exist weights $w_\Gamma \in \mathbb{R}$ for each graph $\Gamma \in G_n$ that do not depend on the bivector $\alpha$, such that the formula
$$f \star g := \sum_{n = 0}^{\infty} \hbar^n \sum_{\Gamma \in G_n} w_\Gamma\, B_{\Gamma, \alpha}(f, g) \tag{3.6}$$
defines a star product in the sense of Definition 3.4. There is an explicit formula for the weights $w_\Gamma$ included in [Kon03], but for brevity we do not include it here.

Example 3.10. Returning to the Moyal product on $M = \mathbb{R}^n$ (cf. Example 3.8), the only nonzero operators $B_{\Gamma, \alpha}$ that survive in the sum (3.6) are the ones corresponding to the graphs (suppressing the labels $i_k, j_k$ of the edges for clarity)

(3.7) [figure omitted: the graphs on the vertex sets $\{1\}$, $\{1, 2\}$, $\{1, 2, 3\}$, $\ldots$ in which every numbered vertex sends one edge to $L$ and one edge to $R$.]

That is, all arrows land on $L$ and $R$ (the placeholders of the functions $f$ and $g$), and none of them land on the vertices $\{1, \ldots, n\}$, as a consequence of the fact that the coefficients $\alpha^{ij}$ of the Poisson bivector $\alpha$ are constant. Then one can show that the weights $w_\Gamma$ of the surviving graphs (3.7) are such that the Kontsevich star product (3.6) reduces precisely to the Moyal star product (3.4).
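As an added worked example (not part of the original text), the lowest-order case of (3.6) shows how the graph operators and the weights combine. $G_0$ has one element, the graph with only the vertices $L, R$ and no edges, whose operator is $fg$. $G_1$ has $(1 \cdot 2)^1 = 2$ elements: the graph $\Gamma$ with edges $i_1 : 1 \to L$, $j_1 : 1 \to R$ and the graph $\Gamma'$ with $i_1 : 1 \to R$, $j_1 : 1 \to L$, with operators
$$B_{\Gamma, \alpha}(f, g) = \alpha^{i_1 j_1}\, \partial_{i_1}(f)\, \partial_{j_1}(g), \qquad B_{\Gamma', \alpha}(f, g) = \alpha^{i_1 j_1}\, \partial_{j_1}(f)\, \partial_{i_1}(g) = -\alpha^{i_1 j_1}\, \partial_{i_1}(f)\, \partial_{j_1}(g),$$
the last equality by antisymmetry of $\alpha$. The first-order term of (3.6) is therefore
$$B_1(f, g) = (w_\Gamma - w_{\Gamma'})\, \alpha^{ij}\, \partial_i(f)\, \partial_j(g),$$
which is already antisymmetric, so $B_1^+ = 0$ and $\{f, g\}_\star = 2 B_1^-(f, g) = 2 (w_\Gamma - w_{\Gamma'})\, \alpha^{ij}\, \partial_i f\, \partial_j g$. For constant $\alpha$ the reduction to the Moyal product stated in Example 3.10 fixes the combination $w_\Gamma - w_{\Gamma'} = 1$ by comparison with the first-order term of (3.4); the individual values of $w_\Gamma$ and $w_{\Gamma'}$ follow from the explicit weight formula in [Kon03], which the text does not reproduce.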

3.4 Gauge transformations

The algebra $A\llbracket\hbar\rrbracket$ is an $\mathbb{R}\llbracket\hbar\rrbracket$-module, and as such, we may consider its group of automorphisms; that is, invertible maps $D : A\llbracket\hbar\rrbracket \to A\llbracket\hbar\rrbracket$ which are linear over $\mathbb{R}\llbracket\hbar\rrbracket$. For $f \in A$, such an automorphism $D$ acting on $f$ is necessarily of the form
$$D(f) = D_0(f) + \sum_{n > 0} \hbar^n D_n(f)$$
for certain $\mathbb{R}$-linear operators $D_n$ on $A$ (extended $\mathbb{R}\llbracket\hbar\rrbracket$-linearly). How $D$ acts on arbitrary elements is again given by $\mathbb{R}\llbracket\hbar\rrbracket$-linearity:
$$D\Big(\sum_{n \geq 0} \hbar^n f_n\Big) = \sum_{n \geq 0} \hbar^n D(f_n) = \sum_{n \geq 0,\, m \geq 0} \hbar^{n+m} D_m(f_n).$$

Definition 3.11. Let $D = \sum_{n \geq 0} \hbar^n D_n : A\llbracket\hbar\rrbracket \to A\llbracket\hbar\rrbracket$ be an automorphism of $\mathbb{R}\llbracket\hbar\rrbracket$-modules. If $D_0$ equals the identity while $D_n$ for $n > 0$ is a differential operator of bounded order, then we say that $D$ is a gauge transformation.

The set of gauge transformations has a natural action on star products. If $D$ is a gauge transformation, this action on a star product $\star$ is defined as follows:³
$$f \star' g := D^{-1}\big(D(f) \star D(g)\big).$$

³ This also explains why the zeroth-order term of $D$ must be the identity: if it were something else, say $D_0$, then we would have $f \star' g = D_0^{-1}(D_0(f)\, D_0(g)) + O(\hbar)$. However, by the definition of star products (see Definition 3.4 on p. 48), the zeroth order term of $f \star' g$ must be the pointwise product of $f$ and $g$, so that this formula would imply that $fg = D_0^{-1}(D_0(f)\, D_0(g))$. This cannot hold if $D_0$ is a differential operator different from the identity.
In other words, $\star'$ is the unique star product that makes $D$ into an algebra homomorphism (here $D^{-1}$ must be understood as the inverse in the sense of formal power series; note that $D^{-1}$ exists since $D$ is assumed to be an automorphism). Whenever two star products are related to each other via such an automorphism we say that they are gauge equivalent, or just equivalent for short.⁴

Since $D^{-1}$ is also an $\mathbb{R}\llbracket\hbar\rrbracket$-linear automorphism, it too can be expanded as a series in $\hbar$:
$$D^{-1} = 1 + \sum_{n > 0} \hbar^n \widetilde{D}_n$$
for certain differential operators $\widetilde{D}_n$ (note that these are not such that $\widetilde{D}_n = D_n^{-1}$). Necessarily, these operators $\widetilde{D}_n$ are completely determined by the demand that $D \circ D^{-1} = D^{-1} \circ D = 1$.

Examining the equation $f = D^{-1}(D(f))$ up to first order, we can explicitly determine $\widetilde{D}_1$:
$$\begin{aligned}
f &= D^{-1}\big(f + \hbar D_1(f) + O(\hbar^2)\big) = D^{-1}(f) + D^{-1}(\hbar D_1(f)) + O(\hbar^2) \\
&= f + \hbar \widetilde{D}_1(f) + \hbar D_1(f) + O(\hbar^2),
\end{aligned}$$
so that we find $\widetilde{D}_1(f) = -D_1(f)$. Using this, let us now calculate how a gauge transformation $D$ acts on the first order term of star products: suppose that $D$ maps $\star$ to $\star'$. Then
$$\begin{aligned}
f \star' g &= D^{-1}(Df \star Dg) \\
&= \big(1 - \hbar D_1 + O(\hbar^2)\big)\Big(\big(f + \hbar D_1 f + O(\hbar^2)\big) \star \big(g + \hbar D_1 g + O(\hbar^2)\big)\Big) \\
&= \big(1 - \hbar D_1 + O(\hbar^2)\big)\Big(fg + \hbar\big(f D_1 g + g D_1 f + B_1(f, g)\big) + O(\hbar^2)\Big) \\
&= fg + \hbar\big(B_1(f, g) + f D_1 g + g D_1 f - D_1(fg)\big) + O(\hbar^2),
\end{aligned}$$
so that the first order term $B_1'$ of $\star'$ equals
$$B_1'(f, g) = B_1(f, g) + f D_1 g + g D_1 f - D_1(fg). \tag{3.8}$$
Since the latter three terms are symmetric under an exchange of $f$ and $g$, it follows immediately that the antisymmetric part does not change, i.e., $(B_1')^-(f, g) = B_1^-(f, g)$. This has the following immediate consequence.

Proposition 3.12. Let $M$ be a Poisson manifold with Poisson bracket $\{\,,\}$. If $\star$ is a deformation of the Poisson bracket $\{\,,\}$, then all star products that are equivalent to $\star$ are also deformations of $\{\,,\}$.

⁴ When $\star$ and $\star'$ are such that the corresponding bilinear operators $B_n$ and $B_n'$ are differential operators, and $D$ maps $\star$ to $\star'$, then one can prove that it follows from this that each $D_n$ is a linear differential operator of bounded order; see for example [GR99] for a proof of this.

As to the positive part of B_1, we have the following (which we will prove later).

Proposition 3.13. For any star product with first order term B_1 there is a gauge transformation D such that B′_1 is skew-symmetric, i.e. (B′_1)^+ = 0.

This allows us to restrict the search for deformations of a Poisson structure to those that have no symmetric first-order part. Equation (3.8) and the observation directly below it show that for this to hold, D = 1 + Σ_n ħ^n D_n must be such that

$$ B_1^+(f,g) = D_1(fg) - f D_1 g - g D_1 f. \qquad (3.9) $$

Thus, Proposition 3.13 states that there always exists a differential operator D_1 such that this holds. We remark that this equation precisely expresses that B_1^+ is a coboundary with respect to the Hochschild differential d_H; in the next section we will see that this is true (see Corollary 3.18 on p. 60), thus proving Proposition 3.13.
For later reference, let us study in more detail what a gauge transformed star product looks like. We take a star product ⋆ = Σ_n ħ^n B_n; here it will be convenient to include the zeroth term B_0 = · in the sum as above. (We will make heavy use of the Einstein summation convention here; also, all sums start at 0 unless explicitly written otherwise.) Similarly, we write our gauge transformation as D = Σ_n ħ^n D_n. We first examine the inverse D^{-1} = Σ_i ħ^i \tilde D_i. Taking f ∈ A[[ħ]], we must have

$$ f = D^{-1} D(f) = \hbar^i \tilde D_i\big( \hbar^j D_j(f) \big) = \sum_{n = i + j} \hbar^n \tilde D_i D_j(f). $$

For this to hold all terms of order n > 0 must be zero. Recalling that D_0 = Id, we can thus express \tilde D_n inductively as

$$ \tilde D_n = -D_n - \sum_{i=1}^{n-1} \tilde D_i D_{n-i}. \qquad (3.10) $$

Next, taking f, g ∈ A[[ħ]], we examine the following expression:

$$ \begin{aligned} Df \star Dg &= \big( \hbar^i D_i(f) \big) \star \big( \hbar^j D_j(g) \big) = \hbar^k B_k\big( \hbar^i D_i(f),\ \hbar^j D_j(g) \big) \\ &= \sum_{n = i + j + k} \hbar^n B_k\big( D_i(f),\ D_j(g) \big). \end{aligned} $$

Using now that D_0 = Id and B_0 = ·, we write this schematically as

$$ Df \star Dg = \sum_n \hbar^n \Big( B_n(f,g) + g D_n f + f D_n g + \text{terms involving } B_{<n} \text{ and } D_{<n} \Big). $$

Finally, using (3.10) on the above we conclude for the gauge transformed star product ⋆′ that

$$ \begin{aligned} f \star' g &= D^{-1}(Df \star Dg) \qquad (3.11) \\ &= \sum_n \hbar^n \Big( B_n(f,g) + g D_n f + f D_n g - D_n(fg) + \text{terms involving } B_{<n} \text{ and } D_{<n} \Big). \end{aligned} $$

3.5 Hochschild cohomology


In the previous sections we have seen two hints of the Hochschild cohomology, for a
good reason: the subject of star products and deformation quantization is intimately
connected to the Hochschild cohomology of the algebra A. In this section we explore
(part of) this connection.
Definition 3.14. A differential graded Lie algebra g over a field k of characteristic zero, or DGLA for short, is a graded vector space g = ⊕_i g^i over k, together with a bilinear map [ , ] : g^i × g^j → g^{i+j} and a differential d : g^i → g^{i+1} satisfying the following for any three homogeneous elements x, y, z ∈ g:

$$ [x, y] = -(-)^{|x||y|} [y, x], \qquad \text{(skew-symmetry)} $$

$$ [x, [y, z]] = [[x, y], z] + (-)^{|x||y|} [y, [x, z]], \qquad \text{(graded Jacobi identity)} $$

$$ d([x, y]) = [dx, y] + (-1)^{|x|} [x, dy]. \qquad \text{(graded Leibniz rule)} $$
We denote the shifted space of multivector fields with T^k_multi(M) = Γ(Λ^{k+1} TM), and write

$$ T_{\mathrm{multi}}(M) = \bigoplus_{k = -1} T^k_{\mathrm{multi}}(M) $$

for the sum; equipping T_multi(M) with the zero differential d_{ΛTM} = 0 and the Schouten bracket ⟦ , ⟧ makes it into a DGLA.
The other relevant DGLA is called the Hochschild DGLA of A = C^∞(M):

$$ C^k(A) = \mathrm{Hom}_{\mathbb R}\big( A^{\otimes (k+1)}, A \big), \qquad C(A) = \bigoplus_{k = -1} C^k(A), $$

endowed with the Hochschild differential d_H : C^k(A) → C^{k+1}(A) given by, for Φ ∈ C^k(A),

$$ \begin{aligned} d_H \Phi(f_0 \otimes \cdots \otimes f_{k+1}) &= f_0\, \Phi(f_1 \otimes \cdots \otimes f_{k+1}) \\ &\quad - \sum_{i=0}^{k} (-)^i\, \Phi(f_0 \otimes \cdots \otimes f_i f_{i+1} \otimes \cdots \otimes f_{k+1}) \\ &\quad + (-)^k\, \Phi(f_0 \otimes \cdots \otimes f_k)\, f_{k+1}. \qquad (3.12) \end{aligned} $$

Although it will not be important for our purposes, for completeness we also include the definition of the bracket of this DGLA. For Φ_i ∈ C^{k_i}(A) it is given by

$$ [\Phi_1, \Phi_2] = \Phi_1 \circ \Phi_2 - (-)^{k_1 k_2}\, \Phi_2 \circ \Phi_1, $$

where the (non-associative) product ∘ is defined by

$$ (\Phi_1 \circ \Phi_2)(f_0 \otimes \cdots \otimes f_{k_1 + k_2}) = \sum_{i=0}^{k_1} (-1)^{i k_2}\, \Phi_1\big( f_0 \otimes \cdots \otimes f_{i-1} \otimes \Phi_2(f_i \otimes \cdots \otimes f_{i + k_2}) \otimes f_{i + k_2 + 1} \otimes \cdots \otimes f_{k_1 + k_2} \big). $$

Writing m_A : A × A → A for the pointwise product m_A(f, g) = fg on A, note that with respect to this bracket, the Hochschild differential d_H can be expressed concisely as

$$ d_H = \mathrm{ad}\, m_A = [m_A, \cdot\,]. $$

Using this expression and the graded Jacobi identity for [ , ] it is easy to prove that d_H is indeed a differential:

$$ d_H(d_H \Phi) = [m_A, [m_A, \Phi]] = [[m_A, m_A], \Phi] - [m_A, [m_A, \Phi]] = -[m_A, [m_A, \Phi]], $$

from which it follows that (d_H)^2 = 0. The graded Leibniz rule is similarly easy:

$$ \begin{aligned} d_H [\Phi_1, \Phi_2] &= [m_A, [\Phi_1, \Phi_2]] = [[m_A, \Phi_1], \Phi_2] + (-)^{|m_A||\Phi_1|} [\Phi_1, [m_A, \Phi_2]] \\ &= [d_H \Phi_1, \Phi_2] + (-)^{|\Phi_1|} [\Phi_1, d_H \Phi_2]. \end{aligned} $$

That the bracket [ , ] is skew-symmetric follows immediately from its definition. The
only thing that remains in order to show that (C ( A), d H , [ , ]) is indeed a DGLA is the
graded Jacobi identity for the bracket [ , ]; for this we refer to, for example, [CI].
There is an important map U : T^k_multi(M) → C^k(A), which is an extension of the usual identification between vector fields and first order differential operators. This map is defined as follows: if χ = X_0 ∧ ··· ∧ X_k is a homogeneous multivector field then

$$ U(\chi)(f_0 \otimes \cdots \otimes f_k) = \frac{1}{(k+1)!} \sum_{\sigma \in S_{k+1}} (-)^\sigma\, X_{\sigma(0)}(f_0) \cdots X_{\sigma(k)}(f_k), \qquad (3.13) $$

and it is of course linearly extended to act on all of T^k_multi(M). The definition is extended to T^0_multi, i.e. vector fields, as the identity map.

Proposition 3.15. The map U is a chain map:

$$ d_H U(\chi) = 0 = U(d_{\Lambda TM}\, \chi). $$

Proof. Applying equation (3.12) to d_H U(χ)(f_0 ⊗ ··· ⊗ f_{k+1}), consider the i-th term in the sum:

$$ \begin{aligned} U(\chi)(f_0 \otimes \cdots \otimes f_i f_{i+1} \otimes \cdots \otimes f_k) &= f_i\, U(\chi)(f_0 \otimes \cdots \otimes f_{i+1} \otimes \cdots \otimes f_k) \\ &\quad + U(\chi)(f_0 \otimes \cdots \otimes f_i \otimes \cdots \otimes f_k)\, f_{i+1}, \end{aligned} $$

which holds due to the Leibniz rule that X_{σ(i)} satisfies (it being a vector field). But now consider the (i + 1)-th term:

$$ \begin{aligned} U(\chi)(f_0 \otimes \cdots \otimes f_{i+1} f_{i+2} \otimes \cdots \otimes f_k) &= f_{i+1}\, U(\chi)(f_0 \otimes \cdots \otimes f_{i+2} \otimes \cdots \otimes f_k) \\ &\quad + U(\chi)(f_0 \otimes \cdots \otimes f_{i+1} \otimes \cdots \otimes f_k)\, f_{i+2}. \end{aligned} $$

The first term on the right hand side in fact equals the second term of the right hand side of the equation above it, and since the signs of the corresponding terms in equation (3.13) are always opposite these two terms cancel against each other. Thus, each term of the sum in (3.13) splits into two terms, where the right term always cancels against the left term of the next term of the sum. The only terms that are left after this are

$$ -f_0\, U(\chi)(f_1 \otimes \cdots \otimes f_k) - (-)^k\, U(\chi)(f_0 \otimes \cdots \otimes f_{k-1})\, f_k, $$

but these cancel against the first and last terms of the right hand side of the defining equation of the Hochschild differential (3.12).
Defining the Hochschild cohomology,

$$ HH^k(A) = \frac{\ker\big( d_H : C^k(A) \to C^{k+1}(A) \big)}{\operatorname{im}\big( d_H : C^{k-1}(A) \to C^k(A) \big)}, $$

the proposition above implies that the map U descends to the Hochschild cohomology:

$$ \tilde U : T^k_{\mathrm{multi}}(M) \to HH^k(A), \qquad \tilde U(\chi) := [U(\chi)]. $$

(Note that T^k_multi coincides with its own cohomology because its differential is 0).

Theorem 3.16 (Hochschild-Kostant-Rosenberg). \tilde U is an isomorphism of vector spaces,

$$ T^k_{\mathrm{multi}}(M) \cong HH^k(A). $$

This version of the HKR-theorem is proved explicitly in [Kon03, section 4.6].


For any λ ∈ C^k(A) let λ^Σ denote its antisymmetrization, i.e.

$$ \lambda^\Sigma(f_0, \dots, f_k) = \frac{1}{(k+1)!} \sum_{\sigma \in S_{k+1}} (-)^\sigma\, \lambda(f_{\sigma(0)}, \dots, f_{\sigma(k)}). \qquad (3.14) $$

In the next lemma we show that the image of the Hochschild differential d_H has no antisymmetrization. Combined with the HKR theorem, this observation will allow us to gain a thorough understanding of the relationships between C^k(A), T^k_multi and d_H; in particular, it will allow us to prove Proposition 3.13 on p. 55.

Lemma 3.17. For all λ ∈ C^k(A) we have

$$ (d_H \lambda)^\Sigma = 0. $$

Proof. For any O ∈ C^k(A), let us define a shorthand notation: if σ ∈ S_{k+1} then

$$ \sigma\big[ O(f_0, \dots, f_k) \big] = O(f_{\sigma(0)}, \dots, f_{\sigma(k)}). $$

Expanding (d_H λ)^Σ, we obtain

$$ \begin{aligned} (d_H \lambda)^\Sigma(f_0 \otimes \cdots \otimes f_{k+1}) = \sum_{\sigma \in S_{k+1}} (-)^\sigma \Big( &\sigma\big[ f_0\, \lambda(f_1 \otimes \cdots \otimes f_{k+1}) \big] \\ &- \sum_{i=0}^{k} (-)^i\, \sigma\big[ \lambda(f_0 \otimes \cdots \otimes f_i f_{i+1} \otimes \cdots \otimes f_{k+1}) \big] \\ &+ (-)^k\, \sigma\big[ \lambda(f_0 \otimes \cdots \otimes f_k)\, f_{k+1} \big] \Big). \qquad (3.15) \end{aligned} $$

Take a σ ∈ S_{k+1} and consider the first term:

$$ (-)^\sigma\, \sigma\big[ f_0\, \lambda(f_1 \otimes \cdots \otimes f_{k+1}) \big]. \qquad (3.16) $$

Now we take τ = (0 1 ··· k k+1) ∈ S_{k+1}, whose sign is −(−)^k, and we consider the last term of the right hand side of (3.15) with respect to the element στ ∈ S_{k+1}:

$$ (-)^{\sigma\tau} (-)^k\, \sigma\tau\big[ \lambda(f_0 \otimes \cdots \otimes f_k)\, f_{k+1} \big] = -(-)^k (-)^\sigma (-)^k\, \sigma\big[ \lambda(f_1 \otimes \cdots \otimes f_{k+1})\, f_0 \big], $$

which is minus the expression in (3.16). As σ and στ both occur in the sum Σ_{σ ∈ S_{k+1}} over S_{k+1}, then, these two terms cancel against each other. In this way, for each first term of the right hand side of (3.15), there is a last term in the right hand side in (3.15) that cancels it. Therefore, none of the first and last terms survive.
The middle terms of (3.15) vanish for a similar reason: the term

$$ (-)^\sigma\, \sigma\big[ \lambda(f_0 \otimes \cdots \otimes f_i f_{i+1} \otimes \cdots \otimes f_{k+1}) \big] $$

cancels against the term (setting ρ = (i  i+1))

$$ (-)^{\sigma\rho}\, \sigma\rho\big[ \lambda(f_0 \otimes \cdots \otimes f_i f_{i+1} \otimes \cdots \otimes f_{k+1}) \big] = -(-)^\sigma\, \sigma\big[ \lambda(f_0 \otimes \cdots \otimes f_{i+1} f_i \otimes \cdots \otimes f_{k+1}) \big], $$

which also appears in the sum over S_{k+1}.

Note that for k = 0, i.e., for λ : A → A, the statement that (d_H λ)^Σ = 0 is the same as saying that d_H λ : A ⊗ A → A is symmetric in its two arguments. This case is particularly easy to see when writing it out:

$$ d_H \lambda(f, g) = f\, \lambda(g) - \lambda(fg) + \lambda(f)\, g = d_H \lambda(g, f). $$

Corollary 3.18. A cocycle B ∈ C^k(A) is exact if and only if B^Σ = 0.

Proof. The Lemma above already proved one direction; therefore we only need to prove that B^Σ = 0 implies exactness. Suppose therefore that B^Σ = 0. Since \tilde U is an isomorphism by the HKR Theorem 3.16, there exists a χ ∈ T^k_multi(M) such that [B] = \tilde U(χ) = [U(χ)]. This is just another way of saying

$$ B = U(\chi) + d_H \lambda \quad \text{for some } \lambda \in C^{k-1}(A). $$

Moving d_H λ to the other side and taking the antisymmetrization of both sides, we obtain

$$ (B - d_H \lambda)^\Sigma = 0 + 0 = U(\chi)^\Sigma = U(\chi); $$

the last equality holds as a direct consequence of the definition (3.13) of U. Thus B = d_H λ.

This finally shows that equation (3.9) on p. 55 holds and with that Proposition 3.13 is proven.
Corollary 3.19. Each equivalence class [B] of a cocycle B ∈ C^k(A) has a unique totally antisymmetric representative that is of the form U(χ) for a certain χ ∈ T^k_multi(M). That is, any cocycle B can be written as

$$ B = U(\chi) + d_H \lambda $$

for a certain λ ∈ C^{k-1}(A).

Proof. Again by the HKR theorem, there must exist a χ ∈ T^k_multi(M) such that [B] = [U(χ)]; as U(χ) is completely antisymmetric by definition, this proves existence. As to uniqueness, let B, B′ ∈ [B], so that B′ = B + d_H λ for some λ ∈ C^{k-1}(A). Suppose that they are both completely antisymmetric. Then

$$ B' = (B')^\Sigma = (B + d_H \lambda)^\Sigma = B^\Sigma = B. $$

Corollary 3.20. Any totally antisymmetric cocycle B ∈ C^k(A) satisfies B = U(χ) for a certain χ ∈ T^k_multi(M).

Corollary 3.21. If B ∈ C^k(A) is d_H-closed and completely antisymmetric then it is a derivation with respect to all of its arguments.

Corollary 3.22. Let B ∈ C^k(A) be d_H-closed. Let χ be such that B^Σ = U(χ). Then \tilde U^{-1}([B]) = χ.

Proof. Write B = B^Σ + (B − B^Σ) =: B^Σ + \tilde B; then clearly \tilde B^Σ = 0. Thus \tilde B = d_H λ for a certain λ and so

$$ [B] = [U(\chi)] + [d_H \lambda] = [U(\chi)] = \tilde U(\chi), $$

from which the result follows.

3.5.1 The star product up to order 2

In section 1.4.2 in [Kon03], Kontsevich writes out explicitly a formula for a star product up to and including order 2:

$$ \begin{aligned} f \star g = fg &+ \hbar\, \alpha^{ij} \partial_i(f) \partial_j(g) + \frac{\hbar^2}{2}\, \alpha^{ij} \alpha^{kl}\, \partial_i \partial_k(f)\, \partial_j \partial_l(g) \\ &+ \frac{\hbar^2}{3} \Big( \alpha^{ij} \partial_j(\alpha^{kl}) \big( \partial_i \partial_k(f)\, \partial_l(g) - \partial_k(f)\, \partial_i \partial_l(g) \big) \Big) + O(\hbar^3). \qquad (3.17) \end{aligned} $$

However, this does not seem to agree with his general formula (3.6), because terms of the following form do not occur in it:

$$ \Gamma = [\text{graph with vertices } 1, 2, L, R] \quad \text{with corresponding operator} \quad B_{\Gamma,\alpha} = \partial_k \alpha^{ij}\, \partial_i \alpha^{kl}\, \partial_j \otimes \partial_l. \qquad (3.18) $$

In this section we explain why these terms are absent from Kontsevich's formula: they will be gauge transformed away by a suitable gauge transformation D.

Proposition 3.23. Any d_H-exact term can be gauge-transformed away from any star product ⋆ = 1 + Σ_{n>0} ħ^n B_n. That is, if B_n contains a d_H-exact term d_H λ for some n, then ⋆ is gauge-equivalent to a star product ⋆′ = 1 + Σ_{n>0} ħ^n B′_n such that

• B′_m = B_m for m < n,
• B′_n = B_n − d_H λ.

Proof. Suppose that B_n(f, g) = P(f, g) + d_H λ(f, g) for certain P ∈ C^1(A) and λ ∈ C^0(A). Note that we can rewrite equation (3.11) as

$$ B'_n(f, g) = B_n(f, g) + d_H D_n(f, g) + \text{terms involving } B_{<n} \text{ and } D_{<n}. $$

Now we set D_m = 0 for m ≠ n and D_n = −λ. Then the terms involving B_{<n} and D_{<n} vanish, and we find

$$ \begin{aligned} B'_n(f, g) &= B_n(f, g) - d_H \lambda(f, g) = P(f, g) + d_H \lambda(f, g) - d_H \lambda(f, g) = P(f, g), \\ B'_m(f, g) &= B_m(f, g) \quad \text{when } m < n. \end{aligned} $$

Note that D = 1 − ħ^n λ will occur in B′_m when m > n; therefore, only the terms of ⋆ of order lower than n remain unmodified. If it happens that B′_m for m > n contains d_H-exact terms, however, then these can be removed by this very procedure.

Now the term in question B_{Γ,α} from (3.18) is d_H-exact. Indeed,

$$ B_{\Gamma,\alpha} = d_H \Big( -\tfrac{1}{2}\, \partial_k(\alpha^{ij})\, \partial_i(\alpha^{kl})\, \partial_j \partial_l \Big). $$

Therefore, we can remove it by using the proposition above. Thus, the formula (3.17) does not equal the general formula (3.6) up to order 2; instead, they are gauge equivalent.
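The exactness of B_{Γ,α} can be checked by hand from the k = 0 case of (3.12); the following verification is added here and is not part of the thesis. The only input beyond the page's own definitions is the shorthand c^{jl} for the coefficient of B_{Γ,α}.

```latex
\begin{aligned}
&\text{Put } c^{jl} := \partial_k \alpha^{ij}\, \partial_i \alpha^{kl}
 \quad\text{and}\quad \lambda := -\tfrac{1}{2}\, c^{jl}\, \partial_j \partial_l \in C^0(A). \\[4pt]
&\text{By (3.12) with } k = 0:\qquad
 d_H \lambda(f, g) = f\, \lambda(g) - \lambda(fg) + \lambda(f)\, g. \\[4pt]
&\text{The Leibniz rule gives}\qquad
 \partial_j \partial_l (fg)
 = (\partial_j \partial_l f)\, g + \partial_j f\, \partial_l g + \partial_l f\, \partial_j g + f\, \partial_j \partial_l g, \\
&\text{so the terms containing second derivatives of } f \text{ or of } g \text{ cancel and} \\
&\qquad d_H \lambda(f, g)
 = -\tfrac{1}{2}\, c^{jl} \Big( (\partial_j \partial_l f) g + f \partial_j \partial_l g
   - \partial_j \partial_l (fg) \Big)
 = \tfrac{1}{2}\, c^{jl} \big( \partial_j f\, \partial_l g + \partial_l f\, \partial_j g \big). \\[4pt]
&\text{The coefficient is symmetric: renaming the dummy indices } i \leftrightarrow k, \\
&\qquad c^{lj} = \partial_k \alpha^{il}\, \partial_i \alpha^{kj}
 = \partial_i \alpha^{kl}\, \partial_k \alpha^{ij} = c^{jl}, \\
&\text{hence } \tfrac{1}{2}\, c^{jl} \partial_l f\, \partial_j g = \tfrac{1}{2}\, c^{jl} \partial_j f\, \partial_l g
 \text{ and} \\
&\qquad d_H \lambda(f, g) = c^{jl}\, \partial_j f\, \partial_l g
 = \big( \partial_k \alpha^{ij}\, \partial_i \alpha^{kl}\, \partial_j \otimes \partial_l \big)(f, g)
 = B_{\Gamma,\alpha}(f, g).
\end{aligned}
```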

3.6 The Kontsevich star product on the dual of Lie algebras


Consider the dual g∗ of a finite-dimensional Lie algebra g. Being a vector space, this
dual is also a manifold, and it inherits a natural Poisson structure from the Lie bracket
[ , ] on g. In this section we will work out in detail what the Kontsevich star product is in
this case. First we fix some notation and review basic theory.

3.6.1 The dual as a Poisson manifold

The dual g* of g is the topic of this section, so we write x^i with upper indices for its coordinates, so that its basis vectors are e_i with lower indices. The basis vectors of g dual to e_i are then e^i.

Remark 3.24. The basis vectors e^i of g act on g* by virtue of (g*)* = g, i.e. e^i(x^j e_j) = x^j e^i(e_j) = x^i. As e^i is a linear function on g* it is an element of C^∞(g*), and the previous calculation shows that in fact it coincides with the coordinate function. Therefore, we may think of the basis vectors of g not only as such, but also as the coordinate functions on g*.
The structure of g* as a vector space yields an isomorphism g* ≅ T_v g* for each v ∈ g*. This isomorphism is given by the map v ↦ X_v where X_v is the unique derivation that acts as the directional derivative in the direction of v; i.e., for f ∈ C^∞(g*) we have

$$ X_v(f)(a) = \frac{d}{dt}\Big|_{t = 0} f(a + t v). $$

By the chain rule it is immediate that this isomorphism maps the basis vector e_i ∈ g* to ∂/∂x^i|_v ∈ T_v g*. Now consider the cotangent space of g*, i.e. T*_v g*. Then this isomorphism gives

$$ T^*_v \mathfrak g^* = (T_v \mathfrak g^*)^* \cong (\mathfrak g^*)^* \cong \mathfrak g. $$

If e^i is the basis of g dual to the basis e_i of g*, then this isomorphism maps e^i to dx^i|_v.
Definition 3.25. The Poisson bracket on g* is the unique biderivation on C^∞(g*) whose value on γ_1, γ_2 ∈ g = g** ⊂ C^∞(g*) is [γ_1, γ_2] ∈ g**. That is, writing ⟨ , ⟩ : g* × g → R for the coupling between g* and g, we have for x ∈ g*

$$ \{\gamma_1, \gamma_2\}(x) = \langle x, [\gamma_1, \gamma_2] \rangle. $$

This determines the bracket completely, because if its value on all linear functions is known then its values on the coordinate functions are known. Indeed, taking the basis e^i of g and an x ∈ g* we may calculate the coefficients α^{ij} of the bivector α ∈ Γ(Λ^2 Tg*) that corresponds to this Poisson structure at x ∈ g* by

$$ \alpha^{ij}(x) = \{e^i, e^j\}(x) = \langle x, [e^i, e^j] \rangle = \langle x^l e_l,\ c^{ij}_k e^k \rangle = c^{ij}_k x^k. $$

To calculate what it does on arbitrary functions f, g ∈ C^∞(g*), note first that [ , ] descends onto g ∧ g because of its antisymmetry. Writing df|_x = ∂f/∂x^i(x) e^i ∈ g and similarly for g using the isomorphism described above, we find

$$ \begin{aligned} \{f, g\}(x) &= \langle \alpha, df \wedge dg \rangle(x) = \langle \alpha(x), df|_x \wedge dg|_x \rangle = \langle x, [df|_x, dg|_x] \rangle \\ &= \Big\langle x^k e_k, \Big[ \frac{\partial f}{\partial x^i}(x)\, e^i, \frac{\partial g}{\partial x^j}(x)\, e^j \Big] \Big\rangle \\ &= \Big\langle x^k e_k,\ c^{ij}_l e^l\, \frac{\partial f}{\partial x^i}(x)\, \frac{\partial g}{\partial x^j}(x) \Big\rangle = c^{ij}_k x^k\, \frac{\partial f}{\partial x^i}(x)\, \frac{\partial g}{\partial x^j}(x). \end{aligned} $$

This bivector inherits the Jacobi identity from that of [ , ] on g, so that (g*, { , }) is indeed a Poisson manifold.

3.6.2 The enveloping and symmetric algebras

Denote with U(g) = T(g)/(x ⊗ y − y ⊗ x − [x, y]) the enveloping algebra of the Lie algebra g. If x ∈ g denote with \bar x the corresponding element of U(g). If {e_i}_i is a basis for g then we have the following well-known theorem.

Theorem 3.26 (Poincaré-Birkhoff-Witt). The algebra U(g) has the following basis:

$$ \bar e_{i_1} \cdots \bar e_{i_n}, \qquad i_1 \le \cdots \le i_n,\ n \in \mathbb N_{\ge 0}, $$

together with 1.

In particular, the map that sends x to \bar x is injective so that we may drop the distinction between x and \bar x; henceforth we shall denote them both with x.
The algebra U(g) comes with a natural filtration: namely, U_n(g) is the subspace of U(g) generated by products of at most n elements from g. Therefore we may consider the associated graded space: gr_n U(g) = U_n(g)/U_{n−1}(g) and gr U(g) = ⊕_n gr_n U(g), which has a well-defined multiplication induced by that of U(g). π is the natural projection map U(g) → gr U(g) that maps a ∈ U_n(g) to π(a) = a + U_{n−1}(g) ∈ gr_n U(g). Since U(g) is as an algebra generated by the elements x ∈ g ⊂ U(g), it follows that gr U(g) is generated by the elements π(x), x ∈ g. But these elements commute:

$$ \pi(x)\pi(y) - \pi(y)\pi(x) = \pi(xy - yx) = \pi([x, y]) = 0 \in \mathrm{gr}_2 U(\mathfrak g). $$

Thus gr U(g) is a commutative algebra. Hence, by the universal property of the symmetric algebra S(g) there exists an algebra homomorphism

$$ I : S(\mathfrak g) \to \mathrm{gr}\, U(\mathfrak g) $$

that extends the linear map g → gr U(g) given by x ↦ π(x). Since the latter elements generate gr U(g), this map is surjective.

Proposition 3.27. The PBW theorem is equivalent with the following statement: the map I : S(g) → gr U(g) is an isomorphism of algebras.

Proof. It suffices to show that I is injective. Set x_J = x_{j_1} ··· x_{j_n}, where J is an increasing multi-index of length n. Since gr_n U(g) is commutative, as a vector space it is spanned by elements of the form π(x_J). These are the image under I of the monomial basis in S^n(g). Now I is injective if and only if the π(x_J) are a basis in gr_n U(g), i.e. there is no relation of the form

$$ 0 = \sum_{|J| = n} c_J\, \pi(x_J) = \sum_{|J| = n} c_J\, x_J + U_{n-1}, $$

which is the same as saying that there is no relation of the form

$$ 0 = \sum_{|J| \le n} c_J\, x_J; $$

note the ≤ sign in the sum. This is equivalent with the monomials x_J with |J| ≤ n being linearly independent in U_n(g), which is the PBW theorem. That these monomials also span U_n(g) can be proved easily using induction (without using the PBW theorem).

It also follows that since U(g) and S(g) share the same basis, they are isomorphic as vector spaces (but not as algebras, since one is commutative while the other is not). Instead of using this basis-dependent isomorphism, we will construct another, basis-independent linear isomorphism t : S(g) → U(g) that is more convenient for our purposes, as follows. Note that there is an isomorphism s between the quotient S(g) = T(g)/⟨x ⊗ y − y ⊗ x⟩ and the subspace of T(g) consisting of symmetric tensors, given by

$$ X_1 \cdots X_n \mapsto s(X_1 \cdots X_n) = \frac{1}{n!} \sum_{\sigma \in S_n} X_{\sigma(1)} \otimes \cdots \otimes X_{\sigma(n)}. $$

Proposition 3.28. Denoting p : T(g) → U(g) for the projection of T(g) to the quotient space U(g) = T(g)/(x ⊗ y − y ⊗ x − [x, y]), the composition t = p ∘ s : S(g) → U(g) is a linear isomorphism.

Once again we point out that this is not an algebra isomorphism.

Proof. Set S_n(g) = ⊕_{i=1}^n S^i(g), i.e., all symmetric tensors of order up to n; thus, S_n(g) is the filtration induced by the gradation of S(g). We shall prove that t is an isomorphism when restricted to S_n(g) for each n. The isomorphism maps a P ∈ S(g) to s(P) + K, where K is the ideal generated by x ⊗ y − y ⊗ x − [x, y]. But if P ∈ S(g) is homogeneous then s(P) ∈ T(g) is also homogeneous, while no homogeneous elements are contained in the ideal K. Therefore, s(P) will never be an element of K, so if P ≠ 0 then t(P) ≠ 0. Therefore t is injective, and since S_n(g) and U_n(g) have the same dimension t is also surjective.

Remark 3.29. For later reference, we give a brief description of the inverse t^{-1} : U(g) → S(g) of the isomorphism t. The inverse of an element of the form g = γ_1 ∘ ··· ∘ γ_n ∈ U(g) may be calculated as follows. Neighbouring factors ··· ∘ γ_i ∘ γ_{i+1} ∘ ··· may be swapped at will, at the cost of a commutator ··· ∘ [γ_i, γ_{i+1}] ∘ ···. Note that the resulting term containing this commutator is in U_{n−1}(g), i.e., its order with respect to the filtration of U is reduced by one. Thus, switching neighbouring factors in this way, we can rewrite g to

$$ g = \frac{1}{n!} \sum_{\sigma \in S_n} \gamma_{\sigma(1)} \circ \cdots \circ \gamma_{\sigma(n)} + r, $$

where r contains all the terms with the commutators. Then t^{-1}(g) = γ_1 ··· γ_n + t^{-1}(r). Proceed by induction.

3.6.3 The Kontsevich star product

Returning to the algebra of smooth functions C^∞(g*) on g*, we want to explicitly describe the Kontsevich star product ⋆ on C^∞(g*)[[ħ]]. For this purpose it is convenient to first restrict our attention to polynomials in the coordinate functions x^i, instead of arbitrary smooth functions; afterwards we shall extend the result to all of C^∞(g*). Recalling that x^i is simultaneously a basis vector of the dual g of g* (see Remark 3.24 on p. 62), any polynomial in the coordinate functions x^i may be interpreted as an element of S(g). Therefore, we now examine the algebra (S(g)[[ħ]], ⋆). Let us set U_ħ(g) = T(g)[[ħ]]/(x ⊗ y − y ⊗ x − ħ[x, y]); that is, U_ħ(g) is U(g)[[ħ]] but with the bracket rescaled to ħ[ , ]. First, we observe the following.

Remark 3.30. Let p, q ∈ S(g) be two polynomials on g*, of degrees n and m respectively. Then p ⋆ q is not just a formal power series in ħ, but actually a polynomial in ħ (with coefficients in S(g)), that is, it terminates. Indeed, consider the coefficient of ħ^r in the formula (3.6) for p ⋆ q. This is a linear combination of expressions of the form B_{Γ,α}(p, q) with Γ ∈ G_r. Now B_{Γ,α} is a differential operator of order 2r, acting on p, q and the coefficient functions α^{ij} = c^{ij}_k x^k of the Poisson bracket on g*. These three are, however, all polynomials, so that if the order 2r of B_{Γ,α} exceeds the combined order of the coefficient functions α^{ij} and p and q, we obtain zero. Thus, the series (3.6) defining p ⋆ q terminates. For this reason, we are allowed to set ħ = 1, obtaining a product ⋆_1 on S(g).

Theorem 3.31 ([Kon03]). If ⋆ is the Kontsevich star product induced by the Poisson structure { , } on g*, then (S(g)[[ħ]], ⋆) is as an algebra canonically isomorphic to U_ħ(g).

Proof. Taking two polynomials p, q ∈ S(g) of degrees n and m again, it follows from the remark above that

$$ p \star_1 q = pq + r, $$

where r ∈ S(g*) is a polynomial on g* of order less than n + m. Turning this equation around gives pq = p ⋆_1 q − r. Then if γ_i ∈ g then γ_1 ··· γ_n = γ_1 ⋆_1 ··· ⋆_1 γ_n + r where r is again a polynomial of order less than n, and it follows by induction that any polynomial may be written as a linear combination of terms of the form γ_1 ⋆_1 ··· ⋆_1 γ_n for γ_i ∈ g.
Now consider the algebra (S(g), ⋆_1). Then, the map that sends γ ∈ g to γ ∈ S(g) induces a homomorphism I : U(g) → S(g) by the universal property of U(g), i.e., I(γ ∘ η) = I(γ) ⋆_1 I(η). This map is surjective by the following argument: take an arbitrary polynomial from S(g), and write it as a linear combination of terms of the form γ_1 ⋆_1 ··· ⋆_1 γ_n; then the same expression but with ⋆_1 replaced by ∘ gets mapped precisely onto (the rewritten version of) our polynomial.
Now let γ_1, γ_2 ∈ g ⊂ C^∞(g*). Working out their star product directly using equation (3.17), we get

$$ \gamma_1 \star_\hbar \gamma_2 = \gamma_1 \gamma_2 + \hbar\, \alpha^{ij} \partial_i(\gamma_1) \partial_j(\gamma_2) = \gamma_1 \gamma_2 + \tfrac{1}{2} \hbar [\gamma_1, \gamma_2]. $$

Here, the product γ_1 γ_2 is the product in S(g). But then

$$ \gamma_1 \star_\hbar \gamma_2 - \gamma_2 \star_\hbar \gamma_1 = \hbar [\gamma_1, \gamma_2], $$

i.e., on elements of g, U_ħ(g) and (S(g)[[ħ]], ⋆_ħ) have the same relation. This means that I restricts onto the filtrations I_n : U_n(g) → S_n(g) := ⊕_{i=0}^n S^i(g), which are finite dimensional. As these restrictions I_n are surjective by the previous argument, and as the dimensions of U_n(g) and S_n(g) agree, this restriction I_n of I is injective for each n. Therefore I itself is injective so that I is indeed an isomorphism.
We can now reinstate ħ by replacing S(g) with S(g)[[ħ]], U(g) with U_ħ(g) and [ , ] with ħ[ , ]. Then I is still an isomorphism.

This isomorphism yields the formula

$$ p \star q = I\big( I^{-1}(p) \circ I^{-1}(q) \big), $$

but this does not yet tell us how to compute the star product of two arbitrary polynomials, because we do not know what the inverse of I looks like. This is because the isomorphism I depends on the star product, of which we have not yet found an explicit description. However, working in the ħ = 1 theory again, it is easy to see the following fact.

Proposition 3.32. The linear isomorphism t : S(g) → U(g), defined in Proposition 3.28, is a homomorphism with respect to ⋆ if and only if t is the inverse of I : U(g) → S(g).

Proof. Suppose that t and I are inverses of each other, then for γ_i ∈ g,

$$ \gamma_1 \circ \cdots \circ \gamma_n = t \circ I(\gamma_1 \circ \cdots \circ \gamma_n) = t(\gamma_1 \star \cdots \star \gamma_n). $$

If, on the other hand, t is a homomorphism with respect to ⋆ then

$$ t \circ I(\gamma_1 \circ \cdots \circ \gamma_n) = t(\gamma_1 \star \cdots \star \gamma_n) = \gamma_1 \circ \cdots \circ \gamma_n. $$

Let us set, for p, q ∈ S(g),

$$ p \star_G q = t^{-1}\big( t(p) \circ t(q) \big); \qquad (3.19) $$

this associative star product is called the Gutt product [Gut83]. The proposition above then implies that when the map t is a homomorphism with respect to the Kontsevich product ⋆, then ⋆ and ⋆_G coincide. Since we do know the inverse of t (see Remark 3.29), this allows us to calculate p ⋆_G q for any p, q. When g is nilpotent both statements of Proposition 3.32 hold [Kat00], so that the Gutt and Kontsevich star products indeed coincide. When g is not nilpotent, then the Gutt star product is equivalent to Kontsevich's one by a gauge transformation [Dit99], so that we may as well identify the two. For example, with the help of Remark 3.29 let us calculate, for γ, η ∈ g (and reinstating ħ)

$$ \begin{aligned} \gamma^2 \star \eta &= t^{-1}\big( t(\gamma^2) \circ t(\eta) \big) = t^{-1}(\gamma \circ \gamma \circ \eta) = \tfrac{1}{3}\, t^{-1}(3\, \gamma \circ \gamma \circ \eta) \\ &= \tfrac{1}{3}\, t^{-1}\big( \gamma \circ \gamma \circ \eta + 2\, \gamma \circ \eta \circ \gamma + 2 \hbar\, \gamma \circ [\gamma, \eta] \big) \\ &= \tfrac{1}{3}\, t^{-1}\big( \gamma \circ \gamma \circ \eta + \gamma \circ \eta \circ \gamma + \eta \circ \gamma \circ \gamma + 2 \hbar\, \gamma \circ [\gamma, \eta] + \hbar\, [\gamma, \eta] \circ \gamma \big) \\ &= \gamma^2 \eta + \tfrac{2 \hbar}{3}\, \gamma [\gamma, \eta] + \tfrac{\hbar}{6}\, t^{-1}\big( \gamma \circ [\gamma, \eta] + [\gamma, \eta] \circ \gamma + \hbar [\gamma, [\gamma, \eta]] \big) \\ &= \gamma^2 \eta + \hbar\, \gamma [\gamma, \eta] + \tfrac{\hbar^2}{6} [\gamma, [\gamma, \eta]]. \qquad (3.20) \end{aligned} $$

From this formula one may calculate γ_1 γ_2 ⋆ η by the identity γ_1 γ_2 = ¼((γ_1 + γ_2)^2 − (γ_1 − γ_2)^2). More generally, we have the following formula [Kat00].

Theorem 3.33. For any γ, η ∈ g the product ⋆ satisfies

$$ \gamma^n \star \eta = \sum_{k=0}^{n} \hbar^k\, \hat B_k \binom{n}{k}\, \gamma^{n-k}\, \mathrm{ad}_\gamma^k(\eta), $$

where \hat B_k is the kth Bernoulli number. This formula determines ⋆ completely.

For example, we can now easily calculate

$$ \gamma^3 \star \eta = \gamma^3 \eta + \tfrac{3 \hbar}{2}\, \gamma^2 [\gamma, \eta] + \tfrac{\hbar^2}{2}\, \gamma [\gamma, [\gamma, \eta]] + \tfrac{\hbar^3}{30} [\gamma, [\gamma, [\gamma, \eta]]], $$

$$ \gamma^k = \gamma^{\star k} \quad \text{for any } k, $$

and

$$ \begin{aligned} \gamma^2 \star \gamma\eta &= \gamma \star \gamma \star \gamma\eta \\ &= \gamma \star \gamma \star \big( \gamma \star \eta - \tfrac{\hbar}{2} [\gamma, \eta] \big) \\ &= \gamma^3 \star \eta - \tfrac{\hbar}{2}\, \gamma^2 \star [\gamma, \eta]. \end{aligned} $$

Example 3.34. Take g = su(2, R). As a vector space this is just R^3, and the structure constants are ε_{ijk}, the completely antisymmetric tensor. Therefore, the bracket satisfies [v, w] = v × w, where × is the cross product coming from R^3. This results in the star product discussed in Example 3.2 on p. 47; note that equation (3.20) precisely coincides with (3.2).

This star product on S(g)[[ħ]] uniquely extends to C^∞(g*)[[ħ]]. Indeed, if we know ⋆ on all polynomials, then we may calculate B_n for any n by calculating its coefficient functions and reconstructing B_n from this. Thus, all B_n are fixed and known so that we can calculate f ⋆ g for any two functions f, g ∈ C^∞(g*)[[ħ]].
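As an added check, not taken from the thesis, Theorem 3.33 at n = 2 can be compared with the direct Gutt-product computation (3.20), and then specialised to Example 3.34. It assumes the Bernoulli-number convention \hat B_0 = 1, \hat B_1 = +1/2, \hat B_2 = 1/6, which is the one that makes the two agree, and it treats γ, η ∈ su(2, R) = R^3 both as vectors (for ×, ·) and as linear functions on g* (for the products γ^2 η etc.).

```latex
\begin{aligned}
&\text{Theorem 3.33 with } n = 2,\ \hat B_0 = 1,\ \hat B_1 = \tfrac{1}{2},\ \hat B_2 = \tfrac{1}{6}
 \text{ (assumed convention):} \\
&\qquad \gamma^2 \star \eta
 = \hat B_0 \binom{2}{0} \gamma^2 \eta
 + \hbar\, \hat B_1 \binom{2}{1} \gamma\, \mathrm{ad}_\gamma(\eta)
 + \hbar^2\, \hat B_2 \binom{2}{2} \mathrm{ad}_\gamma^2(\eta) \\
&\qquad\phantom{\gamma^2 \star \eta}
 = \gamma^2 \eta + \hbar\, \gamma [\gamma, \eta] + \tfrac{\hbar^2}{6} [\gamma, [\gamma, \eta]],
 \quad \text{which is exactly (3.20).} \\[6pt]
&\text{For } \mathfrak g = \mathfrak{su}(2, \mathbb R) \text{ as in Example 3.34, } [\gamma, \eta] = \gamma \times \eta,
 \text{ and } a \times (b \times c) = b\,(a \cdot c) - c\,(a \cdot b) \text{ gives} \\
&\qquad \mathrm{ad}_\gamma^2(\eta) = \gamma \times (\gamma \times \eta)
 = (\gamma \cdot \eta)\, \gamma - (\gamma \cdot \gamma)\, \eta, \\
&\text{so that, with } |\gamma|^2 = \gamma \cdot \gamma \text{ a scalar,} \\
&\qquad \gamma^2 \star \eta
 = \gamma^2 \eta + \hbar\, \gamma\, (\gamma \times \eta)
 + \tfrac{\hbar^2}{6} \big( (\gamma \cdot \eta)\, \gamma - |\gamma|^2\, \eta \big).
\end{aligned}
```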
Chapter 4

How not to deform quantize on jet spaces

At the beginning of the previous chapter, we gave a brief explanation of the classical
Hamiltonian formalism on Poisson manifolds. While this formalism can describe a wide
range of physical systems, it can essentially handle only point particles. On the other
hand, many important physical theories certainly involve more than point particles; a
string, for example, is not zero but one-dimensional, and the electromagnetic field is
not a point at some location in space, but instead a field that is defined on all of space.
Mathematically, these systems are described by partial differential equations, and in
particular by a generalization of the Hamiltonian formalism to jet bundles; thus we
return our attention to jet bundles. What one would like to do, then, is to generalize
Kontsevich’s star product to the Hamiltonian formalism on jet space. In this chapter we
show that a certain naive way of attempting to do this does not work.

4.1 The variational Hamiltonian formalism

The Hamiltonian formalism on Poisson manifolds that was described briefly at the start of Chapter 3 has a variational generalization, in the sense of secondary calculus (see section 2.2 on p. 26). Before we can describe the variational case, however, we need to slightly reformulate the non-variational case.
Recall that the solution of a Hamiltonian system on a Poisson manifold M is given by the ordinary differential equation

$$ \dot\gamma(t) = X_H(\gamma(t)); $$

here H ∈ C^∞(M) is the Hamiltonian, and X_H is the vector field given by {·, H} = α(d·, dH). In order to make contact with the variational generalization of this, let us write this in a different but equivalent way. The Poisson bivector α induces a fiberwise morphism from T*M to TM by ω ↦ A(ω) := α(·, ω), with the understanding that A(ω) acts on functions f by A(ω)(f) = α(df, ω). (Note that this morphism is non-invertible unless α is invertible; that is, when M is symplectic.) Then, in coordinates it is easy to see that A(ω)(f) = α^{ij} ω_j ∂_i(f), so that

$$ A(\omega) = \alpha^{ij} \omega_j\, \frac{\partial}{\partial x^i}, $$

and then, writing (as usual) ⟨ , ⟩ for the coupling between differential forms and vector fields,

$$ \langle df, A(dg) \rangle = \langle \partial_i(f)\, dx^i,\ \alpha^{kj} \partial_j(g)\, \partial_k \rangle = \alpha^{ij} \partial_i(f) \partial_j(g) = \alpha(df, dg) = \{f, g\}. $$

Thus, instead of specifying a bivector α, in order to describe a Poisson bracket one may also give a fiberwise morphism A : T*M → TM satisfying the following two demands:
• For all one-forms ρ, ω we must have ⟨ρ, A(ω)⟩ = −⟨ω, A(ρ)⟩ so that the resulting bracket {f, g}_A := ⟨df, A(dg)⟩ is antisymmetric. In coordinates, if A(ω_i dx^i) = α^{ji} ω_i ∂_j then this means that α^{ji} = −α^{ij}.
• The bracket {f, g}_A = ⟨df, A(dg)⟩ satisfies the Jacobi identity. This implies the usual PDE on the components α^{ij}, namely that if P is the bivector given by P(ρ, ω) = ⟨ρ, A(ω)⟩ then ⟦P, P⟧ = 0 (where ⟦ , ⟧ is the Schouten bracket on Λ^• TM).

The equation γ̇(t) = X_H(γ(t)) specifying the solutions of the system may then be written as

$$ \dot\gamma(t) = A(dH)|_{\gamma(t)}. \qquad (4.1) $$

Now let $\pi : E \to M$ be a bundle and $J^\infty(\pi)$ be its infinite jet space. Any two-vector
$P \in \mathrm{CDiff}_2(\hat\kappa(\pi), \overline{H}^n(\pi))$ may be written as $P(b) = \int \langle b, A(b)\rangle$ where $A : \hat\kappa(\pi) \to \kappa(\pi)$
is an operator in total derivatives, and $A$ satisfies $\int\langle p_1, A(p_2)\rangle = -\int\langle p_2, A(p_1)\rangle$ because
$P$ is antisymmetric. If $[\![P, P]\!] = 0$, then $P$ is called a Poisson bivector, while $A$ is called
a Hamiltonian operator (although a Poisson operator would perhaps be a better name).
Then it defines a Poisson bracket on the space of functionals $\overline{H}^n(\pi)$ by
$$\{H_1, H_2\}_A = \int \langle \delta H_1, A(\delta H_2)\rangle = P(\delta H_1, \delta H_2)$$
for $H_1, H_2 \in \overline{H}^n(\pi)$. (Sometimes we will also write $\{H_1, H_2\}_P = \{H_1, H_2\}_A$.)
Definition 4.1. When a PDE can be written in the form
$$u_t = A(\delta H)$$
for a certain Hamiltonian operator $A$ and functional $H \in \overline{H}^n(\pi)$, called the Hamiltonian,
then the PDE is said to be a Hamiltonian equation.

For more details on these matters, see e.g., [KV99, Ch. 5.2, 5.4].
Now that we have a natural generalization of the Hamiltonian formalism and of
Poisson brackets to jet bundles, we want to consider possible generalizations of star
products. It is, however, not immediately clear on which ring of “functions” such a star
product should be defined. Indeed, when the base space $M$ of the jet bundle is $\{\mathrm{pt}\}$, both
$\mathcal{F}(\pi)$ and $\overline{H}^n(\pi)$ reduce to $C^\infty(E)$, where $E$ is the total space of the bundle $E \xrightarrow{\ \pi\ } \{\mathrm{pt}\}$.

Let us first consider the second option. We remark that considering integral functionals
is in perfect agreement with the ideology of secondary calculus (see Section 2.2
on p. 26), where one views sections $s \in \Gamma(\pi_{BV})$ as “points” and integral functionals
from $\overline{H}^n(\pi)$ as particular examples of $\mathbb{R}$-valued “functions” defined at every “point”.
In order to obtain a well-defined multiplication for functionals $F \in \overline{H}^n(\pi)$, however, we
first have to extend $\overline{H}^n(\pi)$ to the larger space defined in equation (2.9) in Ch. 2:
$$\mathcal{M}(\pi) = \bigoplus_{i=1}^{+\infty} \overline{H}^n(\pi)^{\otimes i}. \qquad (4.2)$$

It is clear that this space (as opposed to $\overline{H}^n(\pi)$) is closed under the product $F \cdot G := F \otimes G$
of two functionals $F, G$. Having a Poisson bivector $P = \int \langle b, A(b)\rangle$, we want the first-
order term in $\hbar$ to be the Poisson bracket $\{\,,\}_P$ on $\overline{H}^n(\pi)$. Thus, let us call $P$ deformable
when the product $\cdot$ on the space $\mathcal{M}(\pi)$ can be deformed to an associative (but generally
non-commutative) star product $\star$ on $\overline{H}^n(\pi)[\![\hbar]\!]$, which for $F, G \in \overline{H}^n(\pi)[\![\hbar]\!]$ is of the form
$$F \star G = F \cdot G + \hbar\{F, G\}_P + O(\hbar^2).$$

Then the question (stated as Conjecture 9.4 in [Kis12c, Ch. 9]) is the following:

Question 4.2. Are all bivectors P deformable in this sense?

We note that the first-order term { F, G } P in this product is an integral functional, while
the zeroth order term is not.
Notice, however, that under the evaluation at a section $s \in \Gamma(\pi)$, the functional $F$
becomes an integral $F(s) = \int f(j^\infty_x(s))\, d^n x$ over the spacetime $M$; that is, $F(s)$ depends
on the values of s at all points of M. From a physical point of view this means that
the functional F is a nonlocal operator. On the other hand, consider now a function
f ∈ F (π ) on jet space. Under the evaluation on a section s ∈ Γ(π ), the function
f corresponds to a nonlinear differential operator on the components of s; that is, a
local operator. Moreover, F (π ) carries an obvious multiplication structure, namely the
pointwise product of two functions (which is still local). However, it is not immediately
clear what Poisson bracket there is on this space which would be the first-order term in
h̄ of our star product. Having said that, when M has a nowhere vanishing volume form
(coming for example from a Riemannian metric) that we keep denoting by dn x, then the

Poisson bivector
$$P(F, G) = \int \frac{\delta f}{\delta q^i}\, A^{ij}_\sigma D_\sigma\!\left(\frac{\delta g}{\delta q^j}\right) d^n x \qquad (4.3)$$
(where $f$ and $g$ are the densities of $F$ and $G$, respectively) induces a bracket $\{\,,\}$ on $\mathcal{F}(\pi)$
by simply taking the (antisymmetrized1) integrand of the right hand side above:
$$\{f, g\} = \frac{1}{2}\,\frac{\delta f}{\delta q^i}\, A^{ij}_\sigma D_\sigma\!\left(\frac{\delta g}{\delta q^j}\right) - (f \leftrightarrow g).$$
This bracket $\{\,,\}$ is then such that $P(F, G) = \int \{f, g\}\, d^n x$. Note that it is skew-symmetric
by definition, but it need not necessarily satisfy the Jacobi identity. Instead, the Jacobi
identity for $P$ implies that $\{\{f, g\}, h\} + \circlearrowleft$ is $d$-exact. Now let us again call such brackets
deformable when there is an associative star product $\star$ on $\mathcal{F}(\pi)[\![\hbar]\!]$, which for $f, g \in$
$\mathcal{F}(\pi)$ takes the form
$$f \star g = fg + \hbar\{f, g\} + O(\hbar^2).$$

Question 4.3. Are all brackets $\{\,,\}$ on the ring $\mathcal{F}(\pi)$ such that the associated bracket $\int \{\,,\}\, d^n x$
on $\overline{H}^n(\pi)$ is Poisson deformable?2

4.2 Three candidate star products


We have seen in Example 3.10 on p. 53 that when the coefficients αij of the Poisson
bivector α on the smooth manifold are constant, then the Kontsevich product reduces to
the Moyal product (cf. Example 3.8 on p. 50). Taking this as a starting point, we might
first want to attempt to generalize the Moyal product to jet space. As a naive approach
for doing this, we simply take formula (3.4) for the Moyal product on a manifold,
and replace every partial derivative ∂i with a variational derivative δ/δqi . Note that
contrary to derivatives ∂i on smooth manifolds, the variational derivatives δ/δqi do not
commute when acting on some function f , so that different orderings of the variational
derivatives yield different star products. In this section we shall consider three possible
generalizations of the Moyal product that differ in the ordering of their derivatives, and
show that none of the three is associative.
Since (for each star product) we can show non-associativity by a single counterexample,
we are free to take the following, rather specialized, case. Let $P = \int \langle b, A(b)\rangle =$
$\int b_i A^{ij}_\sigma b_{j,\sigma}\, d^n x$ be a Poisson bivector. Keeping the Moyal case in mind, we require that
$A^{ij}_\sigma = 0$ when $\sigma \neq \varnothing$, and that $A^{ij}_\varnothing = A^{ij}$ is constant. Without loss of generality we may
assume that the remaining coefficients are antisymmetric, $A^{ij} = -A^{ji}$. If $F = \int f\, d^n x$

1The fact that the bracket $P(F, G)$ on $\overline{H}^n(\pi)$ is antisymmetric implies only that the integrand of (4.3) is
antisymmetric up to trivial terms. Therefore, in order to end up with an antisymmetric bracket on $\mathcal{F}(\pi)$ it is
necessary to remove such trivial terms by explicitly taking the antisymmetrization.
2This is essentially Conjecture 9.3 from [Kis12c, Ch. 9], modified to take into account the bracket $\{\,,\}$.

and $G = \int g\, d^n x$ are two functionals, then the bracket $\{\,,\}$ on $\mathcal{F}(\pi)$ which is such that
$P(F, G) = \int \{f, g\}\, dx$ is
$$\{f, g\} = A^{ij}\,\frac{\delta f}{\delta q^i}\,\frac{\delta g}{\delta q^j}.$$

For notational ease we henceforth write $\delta_i = \delta/\delta q^i$ and $\partial_i^\sigma = \partial/\partial q^i_\sigma$. Then we postulate
the following formula as a first candidate for the term of order $n$ in the candidate star
product:
$$B^1_n(f, g) = \frac{1}{n!}\, A^{i_1 j_1} \cdots A^{i_n j_n}\, \delta_{i_1}\cdots\delta_{i_n}(f)\, \delta_{j_1}\cdots\delta_{j_n}(g),$$
which is what one obtains after replacing the ordinary derivatives with variational ones
in the n-th order term in the (upper line of) equation (3.4) on p. 51.
Next, we define an operator $E(f, (i_1, \ldots, i_n))$ by moving all total derivatives that occur
in the expression $\delta_{i_1}\cdots\delta_{i_n}(f)$ to the far left:
$$E(f, (i_1, \ldots, i_n)) := (-)^{\sigma_1 \cup \cdots \cup \sigma_n}\, D_{\sigma_1} \cdots D_{\sigma_n}\, \partial^{\sigma_1}_{i_1} \cdots \partial^{\sigma_n}_{i_n}(f). \qquad (4.4)$$
Our next candidate for the $n$-th order term is then
$$B^2_n(f, g) = \frac{1}{n!}\, A^{i_1 j_1} \cdots A^{i_n j_n}\, E(f, (i_1, \ldots, i_n))\, E(g, (j_1, \ldots, j_n)).$$

Finally, let us specialize even further to a two-dimensional fiber with coordinates $q^1, q^2$
and a one-dimensional base with coordinate $x$. Then the multi-index $\sigma$ in a coordinate
$q^i_\sigma$ consists only of the number of times a total derivative with respect to $x$ is taken; that
is, $q^i_j = D_x^j q^i$. We take the coefficients $A^{ij}$ to be antidiagonal:
$$A = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}.$$

The third candidate formula is a generalization of equation (3.5) on p. 51:
$$B^3_n(f, g) = \frac{1}{n!} \sum_{i=0}^{n} (-)^i \binom{n}{i}\, \delta_1^{\,n-i}\delta_2^{\,i}(f)\, \delta_1^{\,i}\delta_2^{\,n-i}(g).$$
The three candidate star products are then
$$f \star_i g = fg + \sum_{n>0} \hbar^n B^i_n(f, g).$$

Theorem 4.4. None of the products ?i for i = 1, 2, 3 are associative.



Proof. We show the non-associativity by using the following functions:
$$f = h = q^1 q^2, \qquad g = q^1_x q^2_x.$$
Using the Mathematica program that is described and included in the next section, we
have calculated the associators $[f, g, h]_i := (f \star_i g) \star_i h - f \star_i (g \star_i h)$ for $i = 1, 2, 3$. It
turns out that for the functions $f, g, h$ defined above the three associators are all equal to
$$[f, g, h]_i = \hbar\left(2 (q^1_1)^2 (q^2)^2 - 2 (q^1)^2 (q^2_1)^2\right).$$
As this is nonzero, all three products are not associative.

Remark 4.5. Let us briefly attempt to give an intuitive, non-rigorous reason as to why
our approach did not work. We believe that the source of the trouble is similar to the
reason (sketched in Remark 2.21 on p. 43) why the Laplacian in Section 2.6 did not form
a BV-algebra with the Schouten bracket. Indeed, an obvious question here, to which we
do not have an answer, is the following: if we take the defining formula (3.4) for the
Moyal product and replace all partial derivatives with variational ones, in which order
must we place these variational derivatives? The derivatives in the Moyal product (and
in the Kontsevich product as well) commute, but the variational derivatives here do not.
In the theorem above we have examined three possible answers to this question, none
of which resulted in an associative star product.
We have seen in Section 2.6 that composing variational derivatives results in operators
that are insensitive to derivative coordinates. Indeed, in Remark 2.21 we explained that
we suspect that this is the source of the problems we had in section 2.6. But composing
variational derivatives is exactly what we have been doing here, and so it is perhaps not
surprising that we again run into problems. We suspect, then, that what we need is
the same as what we needed in Section 2.6: a generalization or re-interpretation of the
variational derivative that, like functional derivatives, brings with it its own geometry,
so that when applied twice these geometries do not interfere with each other.

4.3 The Mathematica program


The program is listed from page 77 to 79. It is also available at https://sietseringers.net/files/starjet.nb,
and when reading this document on a computer it may also be saved to disk by clicking here.3
In order to increase the readability of the program below, let us first briefly comment
on some of the features of the Mathematica language.

• Functions take their arguments using square brackets, as in F[1, 1, 2].


• Multiple statements are separated from each other by a semicolon.

3Mac OS X users may have to open this document in Adobe Reader, as the Preview app built into OS X
seems to be unable to handle PDF attachments.

• Ordered arrays, or lists, are entered by curly braces; thus {1, 1, 2} is an example of
a list. The elements of such a list need not be just numbers; and not all elements of
a list need to be of the same type.
• The operator @@ is such that when one enters F@@{1, 1, 2}, then F[1, 1, 2] is exe-
cuted.
• Entering x // F is the same as F[x].
• When x /. y -> z is entered, then Mathematica replaces all occurrences of y in
the expression x by z.
• A new function F taking one argument is defined as follows: F[x_] := . . . The
:= operator is such that what stands to its right is not evaluated immediately (that
is, when Mathematica encounters the function definition of F), but only when the
newly defined function F is executed later on.
• New functions may be defined conditionally, in the following sense. One writes
F[x_] /; expr := . . . The variable x may occur in expr, which should be such
that it evaluates to either true or false. This particular function definition for
F is then only used when it is called with an argument x that is such that expr
evaluates to true. As an example, if one writes F[x_] /; x==0 := Foo; F[x_] /;
x!=0 := Bar; then F[0] will return Foo while F[1] will return Bar.
• The (predefined) function Prepend takes two arguments, of which the first is
assumed to be a list. It returns the same list with its second argument prepended to
the first argument. For example, Prepend[{a,b,c},d] returns the list {d,a,b,c}.
• The (predefined) function D[ f , x ] returns the partial derivative of f with respect to
x.
• If Mathematica encounters a symbol (such as h̄) which has not yet been defined,
and it does not precede a left square bracket [ that would indicate that it is a
function, then it assumes it to be a (complex) number.
The final point above means that we can achieve linearity in $\hbar$ for the operators $B^j_n$, $j = 1, 2, 3$,
by simply not defining $\hbar$. Finally, in Mathematica a superscript is usually interpreted
as a power, so we represent the jet coordinates by $q_{i,j}$; here $i$ is the fiber-index and takes
values $i = 1, 2$, while $j$ is the number of derivatives.
Next, we describe the custom functions defined below.

degree[f] takes a function f, and returns the differential degree of the function (that is,
the smallest $j \in \mathbb{N}$ such that $f \in C^\infty(J^j(\pi))$). It does this simply by compiling a list
of all variables $q_{i,j}$ that occur in f, and returning the highest j that it finds. (This
means that if the function f is such that its full expression is not known at the time
when it is fed to degree, then this function will not work. This is not a problem in
our case.)
TD[f, n] returns the total derivative of f with respect to the base coordinate x; it is
implemented directly using equation (1.1). The optional argument n specifies how
many times the total derivative of f should be taken. If absent it will be assumed to
be 1.
e[f, {i_1, ..., i_n}] corresponds to the operator E defined in (4.4). The i_k are fiber-indices,
meaning that they should be 1 or 2. Notice that when E (and therefore also e)
is given a multi-index that contains a single element, then it coincides with the
variational derivative.
VarDer[f, {i_1, ..., i_n}] returns the iterated variational derivative of f with respect to $q^{i_n}$,
..., $q^{i_1}$. It is implemented using the function e as e[... e[e[f, i_n], i_{n−1}] ..., i_1].
star[B, f, g] calculates $fg + \sum_{n=1}^{\mathrm{order}} \hbar^n B_n(f, g)$. Here the B in $B_n$ is the first argument of
star, in order to allow for the calculation of star products associated to multiple
sets of differential operators $(B_n)_n$. Since the output is meant to equal the star
product only up to the order specified by the order variable, terms of order higher
than that are truncated.

Assuming the degree of a function f can be determined reliably by degree (see the
remark in its description above), the functions TD, e and VarDer should always return
the correct value for any f of any degree. However, the output of star is truncated (at
the order specified by the order variable), because it is impossible to have a program
such as this calculate the full star product as it would contain a sum over an infinite
number of terms. On the other hand, we will only use this program to calculate the star
product of the functions f, g and h, all of which contain two fiber-coordinates $q^i$. As all
operators $B^j_n(f, g)$, $j = 1, 2, 3$, defined in the previous section take at least n derivatives with
respect to the fiber coordinates, each term of the output of star will contain at most two
fiber-coordinates q. Therefore, even if star would not truncate its output at some order,
everything would at most be of order 2 anyway.

Definitions

(* Differential degree of f: the largest j among the jet coordinates q[i, j]
   occurring in f; numbers have degree 0 *)
degree[f_] /; !NumericQ[f] :=
  Max[Cases[f, q[_, _], Infinity] /. q[i_, j_] -> j];
degree[f_] /; NumericQ[f] := 0;

(* Total derivative with respect to the single base coordinate x, equation (1.1);
   the fiber is two-dimensional so only q[1, i] and q[2, i] occur *)
TD[f_] :=
  D[f, x] + Sum[q[1, i + 1] D[f, q[1, i]] + q[2, i + 1] D[f, q[2, i]],
    {i, 0, degree[f]}];
TD[f_, 0] := f;
TD[f_, 1] := TD[f];
TD[f_, n_Integer] /; n > 1 := Nest[TD, f, n];

(* The operator E of equation (4.4). First we build up the expression with
   placeholder functions d and td instead of D and TD, otherwise D and TD would
   evaluate expressions with summation variables which would result in zero.
   After the expression has been built we replace the placeholder functions
   with the actual ones *)
e[f_, args_List] := Module[{i},
  Sum @@ Prepend[
    (* Generate the list of summation variables and their ranges for the
       total derivatives *)
    Array[{i[#], 0, degree[f]} &, Length[args]],
    (* This is what we sum over *)
    (-1)^(Plus @@ Array[i[#] &, Length[args]]) td[
      d @@ Prepend[
        (* Generate the list of fiber coords wrt to which we take the
           derivative *)
        Array[q[args[[#]], i[#]] &, Length[args]],
        (* This is what we differentiate *)
        f],
      Plus @@ Array[i[#] &, Length[args]]]
  ] /. {d -> D, td -> TD} // Expand
];

(* Iterated variational derivative: e[... e[e[f, i_n], i_{n-1}] ..., i_1] *)
VarDer[f_, l_List] /; Length[l] == 1 := e[f, l];
VarDer[f_, l_List] /; Length[l] > 1 :=
  e[VarDer[f, Delete[l, 1]], {l[[1]]}];

(* The antidiagonal coefficients A^{ij} *)
a[1, 2] = 1;
a[2, 1] = -1;
a[2, 2] = 0;
a[1, 1] = 0;

(* Helper function used in B1 and B2 below: the common sum over the
   fiber-indices, with d as placeholder for VarDer or e *)
IB[n_][f_, g_] /; n > 0 := Module[{k, l},
  1/n! Sum @@ Prepend[
    Join[Array[{k[#], 1, 2} &, n], Array[{l[#], 1, 2} &, n]],
    d[f, Array[k[#] &, n]] Product[a[k[m], l[m]], {m, n}] d[g, Array[l[#] &, n]]
  ]
];
B1[0][f_, g_] := f g;
B1[n_][f_, g_] := IB[n][f, g] /. d -> VarDer;
B2[0][f_, g_] := f g;
B2[n_][f_, g_] := IB[n][f, g] /. d -> e;
B3[0][f_, g_] := f g;
B3[n_][f_, g_] /; n > 0 := Module[{i},
  1/n! Sum[
    (-1)^i Binomial[n, i]
      d[f, Join[Array[1 &, n - i], Array[2 &, i]]]
      d[g, Join[Array[1 &, i], Array[2 &, n - i]]],
    {i, 0, n}
  ] /. d -> VarDer
];

(* The star product itself, truncated at the order given by the variable order;
   \[HBar] is deliberately left undefined so that it is treated as a number *)
order = 4;

star[B_, f_, g_] :=
  Collect[Sum[\[HBar]^i B[i][f, g], {i, 0, order}], \[HBar]] /.
    \[HBar]^k_ /; k > order -> 0;

Associator[B_, f_, g_, h_] :=
  Collect[
    Expand[star[B, star[B, f, g], h] - star[B, f, star[B, g, h]]],
    \[HBar]];

Calculations

f = q[1, 0] q[2, 0];
h = f;
g = q[1, 1] q[2, 1];

Associator[B1, f, g, h]
(* \[HBar] (2 q[1, 1]^2 q[2, 0]^2 - 2 q[1, 0]^2 q[2, 1]^2) *)

Associator[B2, f, g, h]
(* \[HBar] (2 q[1, 1]^2 q[2, 0]^2 - 2 q[1, 0]^2 q[2, 1]^2) *)

Associator[B3, f, g, h]
(* \[HBar] (2 q[1, 1]^2 q[2, 0]^2 - 2 q[1, 0]^2 q[2, 1]^2) *)
Part II

Identity Management using Credential Schemes

Chapter 5

Preliminaries

Cryptography is mostly concerned with creating efficient algorithms and protocols for
which it is infeasible to violate some security feature. Modern-day computers can
perform some kinds of calculations very quickly, while we believe them to be notoriously
bad at certain other kinds. Cryptographers often exploit this by creating schemes that
are such that any algorithm that is able to violate the security feature of the scheme in
question would lead to an efficient algorithm for performing the kind of computations
that computers are believed to be bad at. This results in schemes that do what we want
them to do, and that do not allow actions or events that we do not want to happen.
In this chapter, we will expand on what we mean by algorithms and cryptographic
schemes, as well as on the notions of efficient and infeasible computations. We also
introduce basic cryptographic notions such as some often-used cyclic groups, elliptic
curves and bilinear pairings, signature schemes, zero-knowledge proofs, and credential
schemes themselves. Readers who are already familiar with these topics may safely skip
this chapter1 (perhaps with the exception of the last section on credential schemes).

5.1 Algorithms and efficient computations


5.1.1 Turing machines
In order to abstractly reason about algorithms and what they can and cannot do, we will
use an idealized computing device called the Turing machine [Tur37]. This is a machine
that manipulates a tape that is infinitely long on the right hand side, which consists
of cells; each such cell contains a symbol from a certain finite non-empty set Σ called
the alphabet. The alphabet contains a special symbol ⊔ called the blank symbol, and all
1Much of the contents of these sections can also be found in Computational Complexity by Papadimitriou
[Pap94], and Volumes 1 and 2 of Foundations of Cryptography by Goldreich [Gol00; Gol04].
84 Chapter 5. Preliminaries

Figure 5.1. Artistic representation of a Turing machine.

but finitely many cells of the tape contain the blank ⊔. The content of the tape between
the leftmost cell and the rightmost cell that do not contain ⊔ is called the input of the
machine.
The computer itself is modeled by a tape-head that is always positioned above a cell.
It can read and modify the contents of this cell, and move the tape left or right one cell
at a time. The machine is always in a certain state. Denoting the set of all possible states
of our machine with K, the machine acts according to a transition function:

δ : K × Σ → (K ∪ {halt, yes, no}) × Σ × {←, →, −}

Given the current state q ∈ K and the symbol σ ∈ Σ currently under the tape-head, this
function returns a triple ( p, ρ, D ), where

• p is the next state of the machine,


• ρ is the symbol to be overwritten on the current position of the tape-head,
• D specifies whether the tape should move left, right, or not at all after having
written ρ.

When starting, the machine is always in a special starting state, and the tape-head is
positioned above the leftmost cell of the tape. If we denote the left end of the tape by
a special symbol ▷, then we ensure that the tape-head never falls off the left end of the tape by
requiring that if q is any state, then δ(q, ▷) = (p, ▷, →) for some state p (which may
but need not equal q).
We call the three states halt, yes, and no the ending states. If p is not one of these
three states, then the machine writes the symbol ρ on its current position (overwriting
whatever was there previously), and moves left, right, or not at all as specified by D.
If p = halt, then the machine halts and whatever is currently on the tape between the
leftmost cell and the rightmost cell that does not contain ⊔ is the output of the machine.
If p = yes or p = no then the machine halts as well, and it is said to have accepted or
rejected its input, respectively.
Clumsy though this model may seem at first, it is believed that any algorithm can be
expressed in terms of it (and for this reason we shall often use the terms “algorithm”
and “Turing machine” interchangeably). For example, it is easy to reduce a similar
machine that operates on multiple tapes simultaneously in each step to the one above.
Additionally, we can endow the machine with the ability to sample random data by

giving it access to an extra tape that has been completely filled with random symbols (if
a Turing machine has such a tape then we say that it is a probabilistic Turing machine;
otherwise it is deterministic). Finally, if we put one end of a tape into one such machine,
and the other end into a second machine, then the output of the first machine can act as
input to the second; that is, we now also have a model for interactive algorithms.
Sometimes it will be necessary to endow a Turing machine A with some special
capability, in order to study the consequences. We can model this situation as follows.
Machine A is given an extra special tape, of which the other end is connected to an
“oracle”. A may write a request on this special tape, that is instantly overwritten by the
oracle’s answer. For example, the oracle may compute the discrete log of some group
element, or give an answer to the Halting Problem for some algorithm-input pair (see
Section 5.3). We purposefully do not expand on the nature of the oracle, because how
the oracle works is not important; what matters is what happens if machine A has access
to it. This allows us to prove statements of the form “Even if algorithm A can perform
some amount of queries to oracle X, it cannot violate security feature Y.”

5.1.2 Computation time and efficiency


If A is a Turing machine, then an interesting question is the following: given some
input x, after how many steps will A terminate? In fact, A need not terminate at all: it
could be that it moves to the right forever, or always stays at the same position, forever
overwriting the cell at that position. When it does halt, however, then we will refer to
the number of steps that A took as the execution time of the machine on input x. If A
does not halt on input x, then we say that its execution time is infinite.
Let A be a Turing machine (probabilistic or not) operating on alphabet Σ. Denote
with Σ* the set of all finite concatenations of symbols from Σ – i.e., all possible
contents of the tape of A (excluding the blank symbols ⊔). Given an input x ∈ Σ* to
machine A, we can define the length |x| of x as the number of cells that x takes on the tape
of A. Now we can define the time complexity function $T_A : \mathbb{N} \to \mathbb{N} \cup \{\infty\}$ of A as follows:
$$T_A(n) = \max\bigl\{\, m \in \mathbb{N} \cup \{\infty\} \ \big|\ \exists x \in \Sigma^*,\ |x| = n \text{ s.t. } A \text{ halts after } m \text{ steps when started on input } x \,\bigr\}.$$

That is, for all inputs of length n, TA (n) is the maximum time A takes to compute its
output.

Definition 5.1. A Turing machine A is said to be polynomial-time if there exists a
polynomial $p : \mathbb{N} \to \mathbb{N}$ and an integer $n_0$ such that $T_A(n) \le p(n)$ whenever $n > n_0$.

Note that if A is polynomial-time then it must halt on any possible input x.
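As an added illustration of the model of Section 5.1.1 and the execution-time notions of Section 5.1.2 (this is example code written for this page, not code from the thesis), the following Python simulator runs a one-tape machine under the text's conventions: the left-end marker that δ must rewrite and move right on, the blank symbol, and the three ending states on which nothing further is written. It also computes $T_A(n)$ by brute force over all inputs of length n. The characters chosen for the marker and the blank, the three sample machines PARITY, COMPLEMENT and LOOP, and the step bound max_steps are all constructed for this example.

```python
from itertools import product

# Conventions of Section 5.1.1 (characters chosen for this example): ">" stands
# for the thesis' left-end marker, "_" for its blank symbol.
LEFT_END = ">"
BLANK = "_"
ENDING = {"halt", "yes", "no"}


def run(delta, start, tape_input, max_steps=10_000):
    """Run a one-tape machine from state `start` on the string `tape_input`.

    delta maps (state, symbol) -> (next_state, symbol_to_write, move) with
    move in {"L", "R", "S"} (left, right, stay). Returns (final_state, output,
    steps); steps is float("inf") when the machine has not halted after
    max_steps, mirroring the text's infinite execution time.
    """
    tape = [LEFT_END] + list(tape_input)
    head, state, steps = 0, start, 0
    while True:
        if steps >= max_steps:
            return state, None, float("inf")
        if head == len(tape):           # infinite to the right: extend on demand
            tape.append(BLANK)
        symbol = tape[head]
        nxt, write, move = delta[(state, symbol)]
        if symbol == LEFT_END and (write != LEFT_END or move != "R"):
            raise ValueError("delta(q, left end) must be (p, left end, right)")
        state, steps = nxt, steps + 1
        if state in ENDING:             # halt / yes / no: nothing is written
            break
        tape[head] = write
        head += {"R": 1, "L": -1, "S": 0}[move]
    # Output: tape content between the leftmost and rightmost non-blank cells.
    output = "".join(tape[1:]).strip(BLANK)
    return state, output, steps


def time_complexity(delta, start, n, alphabet=("0", "1"), max_steps=10_000):
    """T_A(n) of Section 5.1.2: the maximum number of steps over all inputs of
    length n. Brute force over alphabet**n, so only sensible for small n."""
    return max(run(delta, start, "".join(w), max_steps)[2]
               for w in product(alphabet, repeat=n))


# Constructed sample machines over the binary alphabet.
# PARITY accepts exactly the strings with an even number of 1s,
PARITY = {
    ("even", LEFT_END): ("even", LEFT_END, "R"),
    ("even", "0"): ("even", "0", "R"),
    ("even", "1"): ("odd", "1", "R"),
    ("even", BLANK): ("yes", BLANK, "S"),
    ("odd", LEFT_END): ("odd", LEFT_END, "R"),
    ("odd", "0"): ("odd", "0", "R"),
    ("odd", "1"): ("even", "1", "R"),
    ("odd", BLANK): ("no", BLANK, "S"),
}
# COMPLEMENT halts with the bitwise complement of its input as output,
COMPLEMENT = {
    ("flip", LEFT_END): ("flip", LEFT_END, "R"),
    ("flip", "0"): ("flip", "1", "R"),
    ("flip", "1"): ("flip", "0", "R"),
    ("flip", BLANK): ("halt", BLANK, "S"),
}
# and LOOP walks right forever, so its execution time is infinite on every input.
LOOP = {("loop", s): ("loop", s, "R") for s in (LEFT_END, "0", "1", BLANK)}


if __name__ == "__main__":
    print(run(PARITY, "even", "1011"))        # ('no', '1011', 6)
    print(run(COMPLEMENT, "flip", "0110"))    # ('halt', '1001', 6)
    # Both machines read the marker, every input cell and one blank: T_A(n) = n + 2.
    print([time_complexity(PARITY, "even", n) for n in range(4)])   # [2, 3, 4, 5]
    print(run(LOOP, "loop", "01", max_steps=100)[2])               # inf
```

PARITY and COMPLEMENT are polynomial-time in the sense of Definition 5.1 (a linear bound p(n) = n + 2 works for every n), whereas LOOP never halts, so its T_A(n) is infinite for every n and no polynomial bound exists; the simulator can only report the latter by giving up after max_steps, since halting cannot be decided in general.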


Much of the literature has adopted the following convention: efficient computations are
those that can be carried out by probabilistic polynomial-time Turing machines. One reason
for this is that many desirable properties and reductions of Turing machines are stable
under this assumption. For example, if a multi-tape Turing machine is polynomial-time,
then so is its reduction to a Turing machine that operates on one tape. Accordingly,

if a computation takes superpolynomial time (in the sense that there exists no proba-
bilistic polynomial-time Turing machine that can perform the computation), then it is
considered to be infeasible.2
An important related notion is that of negligible functions. We write ν(ℓ) < negl(ℓ)
when the function $\nu : \mathbb{N} \to \mathbb{R}_{\ge 0}$ is negligible; that is, for any polynomial p there exists
an $\ell_p$ such that ν(ℓ) < 1/p(ℓ) if ℓ > $\ell_p$. This allows us to define a second notion of
infeasibility: if P(A(x) → y) denotes the probability that algorithm A outputs y on input
x, and this probability is negligible in |x|, then we consider this to be infeasible. This is
related to being polynomial-time in the following way: if P(A(x) → y) is negligible in
|x| for any polynomial-time algorithm A, and algorithm A′ outputs y with a probability
that does not depend on |x|, then A′ cannot be polynomial-time.
The parameter ℓ is called the security parameter.3 Its purpose is the following. Whenever
the running time of an algorithm A is superpolynomial, we can increase the parameter
ℓ until the running time of A becomes so vast that effectively no existing computer
can perform the calculation. Alternatively, if the running time of A is polynomial but
its chance of success is negligible in ℓ, then by increasing ℓ we can make the chance of A
winning so close to zero that it is truly negligible.

5.1.3 Conventions and notations


As above, we will usually denote algorithms and Turing machines with calligraphic
letters such as A and B. If A is an algorithm, then by y ← A(x) we denote that y
was obtained by running A on input x. If A is deterministic then y is unique; if A
is probabilistic then y is a random variable. If A and B are interactive algorithms, we
write a ← A(·) ↔ B(·) → b when A and B interact and afterwards output a and b,
respectively. If algorithm A has oracle access to an oracle O, we write $A^{O}$.
Although the alphabet in terms of which the input to our machines is encoded can in
principle be anything, we will henceforth assume that bits {0, 1} are used for encoding
inputs, so that |x| will denote the length of x in bits. For example, if x is a positive integer
then |x| = ⌈log₂ x⌉.

5.2 Groups and group families


Nearly all cryptographic schemes operate in families of finite cyclic groups $G = \{G_\alpha\}_{\alpha \in I}$,
where I is some infinite but countable index set. The groups Gα are generally similar
in structure but have increasing order. This allows one to prove that violating a certain
2This sense of whether a computation is feasible will not always align with the actual feasibility of a
computation. For example, an algorithm that takes k100 steps on inputs of length k will cease to be computable
very quickly, even though it is polynomial-time. For that reason it is important to try to maximize the efficiency
of our schemes, even if they are already polynomial-time. Similarly, if TA (k ) = k100 then it need not be the
case that the execution time is k100 for all inputs of length k – perhaps there exists only a single input of that
length that takes that long.
Besides these remarks there are many more subtleties and other things to be said about this subject. For a
more comprehensive discussion about these matters we refer to [Pap94].
3Many texts use the letter k for the security parameter, but we will reserve that letter to denote the attributes
of attribute-based credential schemes in later chapters.

security feature becomes increasingly difficult as one moves to larger groups within the
group family.4
If G is such a group family, then an instance generator for G is a probabilistic polynomial-
time algorithm that, given an integer ℓ in unary,5 outputs an α ∈ I and generator g ∈ $G_\alpha$.
Note that then |α| must be polynomially bounded by ℓ, as no polynomial-time algorithm
can write output of superpolynomial length. In particular, this implies that if a function
is negligible in ℓ, then it is also negligible in |α|.
Let us now describe a number of group families (and how they can be generated) that
are commonly used in cryptographic schemes. Only the last of these will occur in the
next chapters of this thesis. Below and henceforth, we write Zn := Z/nZ for the ring of
integers modulo n.

Example 5.2 (Quadratic residues). Given $1^\ell$, choose a prime p such that p′ = (p − 1)/2 is
also prime with |p′| = ℓ. Then the group of quadratic residues $QR_p \subset \mathbb{Z}_p^*$ is the subgroup
of $\mathbb{Z}_p^*$ consisting of the elements that have square roots – i.e., x ∈ $QR_p$ if and only if there is a
y ∈ $\mathbb{Z}_p$ such that x = y² mod p; or, more concisely,
$$QR_p = (\mathbb{Z}_p^*)^2 = \{\,y^2 \mid y \in (\mathbb{Z}/p\mathbb{Z})^*\,\}.$$
It is easy to see that this group consists of those elements from $\mathbb{Z}_p^*$ whose discrete
logarithm with respect to some fixed generator is even (note that since the order φ(p) =
p − 1 of $\mathbb{Z}_p^*$ is even, evenness of such a discrete log a ∈ $\mathbb{Z}_{p-1}$ does not depend on
the representative of a mod p − 1; also, one can show that if the mentioned property
holds for one generator, then it also holds for any other generator). Since there are
φ(p)/2 = (p − 1)/2 = p′ such elements, the order of $QR_p$ is the prime p′.

Example 5.3 (RSA groups). Given $1^\ell$, choose two distinct primes p, q such that the
lengths of p and q are close to ℓ (these values may “differ in length by a few digits”
[RSA78]). Set n = pq, and return p, q. Then n is the public key and p, q the private key
of the well-known and heavily used RSA signature scheme [RSA78].

Example 5.4 (Quadratic residues in RSA groups). Given $1^\ell$, choose two distinct primes
p, q such that the lengths of p and q are close to ℓ as above, and such that p′ = (p − 1)/2
and q′ = (q − 1)/2 are also prime. Set n = pq. Then the group of quadratic residues
$QR_n \subset \mathbb{Z}_n^*$, defined the same as above, is a cyclic subgroup of order p′q′ in $\mathbb{Z}_n^*$. The
Idemix credential scheme [CL01] is defined in this group.
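The group families of Examples 5.2 to 5.4, worked through in Python on toy-sized parameters (an added example written for this page, not code from the thesis or from Idemix). The helper names (safe_prime, quadratic_residues, check_qr_p, check_qr_n, rsa_instance) and the sample primes are constructed here; the brute-force enumerations of $QR_p$, $QR_n$ and of discrete logarithms are only feasible because the parameters are tiny, which is exactly why real instances take ℓ of hundreds to thousands of bits and why the same checks become infeasible there.

```python
import random
from math import gcd


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def safe_prime(bits, rng):
    """Return (p, p') with p = 2p' + 1, both prime and |p'| = bits, as in
    Example 5.2. Naive sampling: draw odd candidates of that length until one works."""
    while True:
        pp = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(pp) and is_prime(2 * pp + 1):
            return 2 * pp + 1, pp


def quadratic_residues(n):
    """QR_n = { y^2 mod n : y in Z_n^* }, by squaring every unit (toy n only)."""
    return {pow(y, 2, n) for y in range(1, n) if gcd(y, n) == 1}


def element_order(g, n):
    k, x = 1, g % n
    while x != 1:
        x, k = x * g % n, k + 1
    return k


def discrete_log(g, h, p):
    """Brute-force log_g(h) in Z_p^*; raises if h is not a power of g."""
    x = 1
    for k in range(p):
        if x == h % p:
            return k
        x = x * g % p
    raise ValueError("h is not in the subgroup generated by g")


def generator_of_Zp_star(p):
    """Smallest generator of Z_p^* for a safe prime p = 2p' + 1: the order of g
    divides 2p', so g generates iff g^2 != 1 and g^{p'} != 1."""
    pp = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, pp, p) != 1)


def check_qr_p(p):
    """The facts of Example 5.2 for a safe prime p: |QR_p| = p', every residue has
    an even discrete log w.r.t. a generator of Z_p^*, and (Euler's criterion)
    x^{p'} = 1 holds exactly for x in QR_p."""
    pp = (p - 1) // 2
    qr = quadratic_residues(p)
    g = generator_of_Zp_star(p)
    even_logs = all(discrete_log(g, x, p) % 2 == 0 for x in qr)
    euler = {x for x in range(1, p) if pow(x, pp, p) == 1} == qr
    return len(qr) == pp, even_logs, euler


def check_qr_n(p, q):
    """Example 5.4 for distinct safe primes p, q: QR_n with n = pq has order p'q'
    and is cyclic, i.e. some residue has order exactly p'q'."""
    n, pp, qp = p * q, (p - 1) // 2, (q - 1) // 2
    qr = quadratic_residues(n)
    cyclic = any(element_order(x, n) == pp * qp for x in qr)
    return len(qr) == pp * qp, cyclic


def rsa_instance(bits, seed=0):
    """Instance generator in the spirit of Examples 5.3 and 5.4: two distinct safe
    primes of the same length; n = pq is the public modulus, (p, q) the private key.
    The seed only makes the toy run reproducible."""
    rng = random.Random(seed)
    p, _ = safe_prime(bits, rng)
    while True:
        q, _ = safe_prime(bits, rng)
        if q != p:
            return p * q, p, q


if __name__ == "__main__":
    print(check_qr_p(23))                  # (True, True, True): QR_23 has order 11
    n, p, q = rsa_instance(8, seed=2016)
    print(n, check_qr_n(p, q))             # (True, True): QR_n cyclic of order p'q'
```

Note that check_qr_n relies on p′ ≠ q′, which distinct safe primes guarantee: $QR_n \cong QR_p \times QR_q$ then has coprime prime orders and is therefore cyclic, as Example 5.4 states.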

4We speak of group families instead of just groups mostly in order to have a parameter (in this case |α|) in
which quantities can be negligible. In future chapters we will often be more sloppy, and say for example “If
G is a finite cyclic group of order p then quantity so-and-so is negligible in |p|”, with the understanding that
then G is part of a group family whose members have increasing order.
5That is, KeyGen is given a string “111 · · · 111” of length ℓ (henceforth we will write $1^\ell$ for this string). This
is done because we want the instance generator to be polynomial-time in ℓ itself, not in the amount of digits
that ℓ has in binary or decimal.
88 Chapter 5. Preliminaries

Example 5.5 (Elliptic curves). Given 1^ℓ, let q be a prime or prime power, and let E(F_q)
be an elliptic curve over the unique field⁶ F_q of order q that contains a subgroup G of
prime order p, where p should be of length ℓ. Return the parameters specifying G and
a random generator of G. For example, if q is not a power of 2 or 3, then the curve may
be specified by a Weierstrass equation

\[ E : y^2 = x^3 + ax + b \]

together with a point P ∈ E(F_q) of order p.


Nowadays many cryptographic schemes operate within such groups, such as for
example ECDSA, ECDH, the Boneh–Boyen signature scheme (see Chapter 7), and our
own attribute-based credential scheme (see Chapter 9). U-Prove [Bra00] can also be
implemented in such groups.

We are purposefully rather vague here in how the curve should be selected, because this
varies widely depending on the application. We will describe one construction that is
suitable for the schemes of Chapters 7 and 9 in Section 5.4 below.
In each of these examples it is common to assume the difficulty of computing discrete
logarithms (see Definition 5.6 below). Often the Decisional Diffie-Hellman assumption
is also taken (Definition 5.10), although for certain elliptic curves this assumption does
not hold (see Section 5.4).

5.2.1 Conventions and notations


We will often encounter elements from Z_n := Z/nZ for some integer n. As mentioned
above, we will consistently refer to this ring as Z_n, also when n is prime so that Z_n is
a field. If a ∈ Z_n then we will usually refer to the equivalence class a mod n ∈ Z_n, as
opposed to, for example, the smallest positive element of this equivalence class. This
means that if a, b ∈ Z_n and we write for example a/b, then we refer to modular division.⁷
Whether the group at hand is written additively or multiplicatively depends on the
application, the number-theoretic origin of the group, on the conventions of the literature
and on the preference of the author. For example, Z_n^* is almost always written
multiplicatively for obvious reasons. In number-theoretic literature elliptic curves are
almost always written additively, but in cryptography multiplicative notation seems to
be used more often, also in the case of elliptic curves. The difference between the two
is only notational, in the sense that mathematically they are completely equivalent, and
so we will sometimes use the one and then the other. We will, however, adopt the following
convention: if G is some group (other than Z_n for some n) then we will always
denote elements from G with capital letters such as X and P, while we write coefficients
from Z_{|G|} with lowercase Latin or Greek letters.

⁶ Such a field is often also called a finite field or Galois field, and sometimes denoted with GF(q). For any
prime power, such a field exists and it is unique in the sense that all other fields of the same prime power order
are isomorphic to it. When q is prime it is isomorphic to Z_q, but when q is a prime power then these two are
distinct (in fact, in this case Z_q is not a field).
⁷ In Chapter 7 we will deviate from some of these rules.

5.3 Intractability assumptions


Now that we have a model for computers and algorithms and an understanding of what
they can efficiently do, it is time to turn to what they cannot do. Unfortunately, proving
that there exists no algorithm that solves a particular problem is often significantly more
difficult than showing that there does exist an algorithm solving some problem.8 Instead
one often proves statements of the form “If no algorithm can efficiently solve problem
X, then no algorithm can efficiently solve problem Y”. For that reason one often assumes
the computational intractability of solving some well-studied problem, and then shows
that it follows from this assumption that a desired security feature holds. The most
well-known intractability assumption of this kind is probably the following.
Definition 5.6 (Discrete logarithm (DL) assumption). Let G = {G_α}_α be a family of
finite cyclic groups. The Discrete Logarithm assumption holds in G if no probabilistic
polynomial-time algorithm can, when given (α, P, P^k), output k with probability that is
non-negligible in |α|.
Sometimes we will write our group G additively instead of multiplicatively as above; in
that case the problem would ask for k where K = kP.⁹
Let G be a finite cyclic group of order p, which we now assume to be prime, and let
P_1, ..., P_n ∈ G all be distinct generators. If for some K ∈ G the numbers (k_1, ..., k_n) ∈ Z_p^n
are such that

\[ K = \prod_{i=1}^n P_i^{k_i}, \]

then (k_1, ..., k_n) is called a DL-representation of K with respect to (P_1, ..., P_n). When
k_1 = ··· = k_n = 0, so that K = 1, we say that the DL-representation is a trivial
DL-representation of 1. As an example of the kind of reasoning mentioned above, we
now show the following.
Proposition 5.7. Let G = {G_α}_α be a family of finite cyclic groups of prime order, in which
the DL-assumption holds. Then no probabilistic polynomial-time algorithm can, on input α
and (P_1, ..., P_n) where the P_i are randomly generated, create a non-trivial DL-representation of
1 ∈ G with respect to (P_1, ..., P_n) with non-negligible probability in |α|.

Proof. (From [Bra00, p. 60]). Suppose that such an algorithm A does exist. We construct
an algorithm B that, on input K, L ∈ G computes log_K L mod p using A as follows:
1. B generates 2n random numbers r_1, ..., r_n, s_1, ..., s_n ∈ Z_p, and sets, for each i,

\[ P_i = K^{r_i} L^{s_i}. \]

2. B then executes (k_1, ..., k_n) ← A(α, P_1, ..., P_n), and checks whether the output of
A is indeed a non-trivial DL-representation of 1. If it is not then B halts.
⁸ A notable exception to this is Turing’s negative answer to the Halting Problem, which asks if there exists
an algorithm that, when given any other algorithm A and input x, can decide whether A(x) will halt or not.
In the paper where he introduced Turing machines [Tur37], Turing proved that no such Turing machine exists.
⁹ Like many assumptions of this kind, its difficulty depends on how we represent the group elements. For
example, let G be a finite group of prime order p (for example, G could be a subgroup of an elliptic curve,
see Example 5.5). Then the discrete logarithm problem may hold in G while it definitely does not hold in Z_p,
even though these groups are isomorphic (indeed, if K = kP for K, k, P ∈ Z_p then the algorithm that computes
k = K·P^{−1} will be very efficient). We will briefly touch on a similar subtlety in Section 9.5.2 on p. 175.

3. If ∑_{i=1}^n s_i k_i = 0 mod p then B halts.

4. B outputs

\[ -\Big(\sum_{i=1}^n r_i k_i\Big)\Big(\sum_{i=1}^n s_i k_i\Big)^{-1} \bmod p. \]

Since (here exp(K, x) denotes K^x)

\[ 1 = \prod_{i=1}^n P_i^{k_i}
     = \exp\Big(K, \sum_{i=1}^n r_i k_i\Big)\exp\Big(L, \sum_{i=1}^n s_i k_i\Big)
     = \exp\Big(K, \sum_{i=1}^n r_i k_i + (\log_K L)\sum_{i=1}^n s_i k_i\Big), \]

it follows that the exponent on the right hand side must equal 0:

\[ \sum_{i=1}^n r_i k_i + (\log_K L)\sum_{i=1}^n s_i k_i = 0 \bmod p, \]

so that the output of B is indeed log_K L.


It remains to show that the chance of success of B – that is, the chance that B does
not terminate in step 3 – is not negligible. Let ε be the chance that A succeeds. The
output (k_1, ..., k_n) of A cannot depend on the numbers s_i, because they are hidden from
A because of the randomness of the numbers r_i. For any tuple (s_1, ..., s_{n−1}) there exists
exactly one number s_n which is such that ∑_{i=1}^n s_i k_i = 0 mod p, so that there are p^{n−1}
“bad” tuples among the total of p^n tuples. Since B chooses the numbers s_i randomly,
the chance that it chooses a “bad” tuple is therefore p^{n−1}/p^n = 1/p, so that there is a
chance 1 − 1/p that it chooses a “good” tuple.
Since step 4 takes place only if step 3 is successful, and step 3 takes place only if step
2 is successful, the overall success probability of B is ε(1 − 1/p), which is not negligible
if ε is not negligible.

Although they do not play as large a role in this thesis as the discrete logarithm problem
and the above consequence, we also mention the following two assumptions.
Definition 5.8 (Integer factorization). The integer factorization problem states that no
probabilistic polynomial-time algorithm exists that can, given a composite n = pq where
p, q are two primes, factor n with probability that is non-negligible in min(|p|, |q|).

Definition 5.9 (Computational Diffie-Hellman assumption (CDH)). Let G = {G_α}_α be
a group family. The Computational Diffie-Hellman assumption holds in G if there exists
no probabilistic polynomial-time algorithm A that can, given an α along with a tuple
(P, P^a, P^b), output P^{ab} with probability that is non-negligible in |α|.
This assumption is used in the Diffie-Hellman key exchange protocol [DH76], which is
one of the cornerstones of the internet. It allows two parties to establish a shared secret

in the presence of eavesdroppers, which they can then use, for example, as the key in
a symmetric encryption protocol in order to securely communicate over their insecure
channel.
A closely related assumption is the following.

Definition 5.10 (Decisional Diffie-Hellman assumption (DDH)). Let G = {G_α}_α again
be a group family. The Decisional Diffie-Hellman assumption holds in G if there exists
no probabilistic polynomial-time algorithm A that can, given an α along with a tuple
(P, P^a, P^b, P^c), tell whether c = ab (i.e., whether the tuple is a valid CDH instance) with
probability that is non-negligible in |α|. More precisely, for any probabilistic polynomial-
time algorithm A there exists a negligible function ν such that

\[ \Pr[\mathcal{A}(\alpha, P, P^a, P^b, P^{ab}) = 1] - \Pr[\mathcal{A}(\alpha, P, P^a, P^b, P^c) = 1] = \nu(|\alpha|), \]

where the probability is over the choice of P ∈ G_α, a, b, c ∈_R Z_p (p being the order of
G_α), and the random bits used by A.

Notice that the DDH assumption implies the CDH assumption (since if CDH is easy then
DDH is too), and both of them imply the discrete logarithm assumption (otherwise we
could just take the discrete logs of the latter three elements with respect to P and examine
the result). We will rephrase the DDH assumption later in terms of computational
indistinguishability (see Example 5.13).

5.4 Elliptic curves and bilinear pairings


Many cryptographic schemes, including the ones from Chapters 7 and 9, are defined in
cyclic groups G whose order is prime, such as for example QR_q ⊂ Z_q for some prime
q, or (subgroups of) elliptic curves. The structure of these groups is fairly simple: for
example, each element unequal to 1 is a generator¹⁰, and the set of coefficients (Z_p if the
order of G is p) is a field (so that if P ∈ G and k ∈ Z_p^*, then P^{1/k} exists for any P and k).
In such situations there are at least two reasons for choosing elliptic curves over
number theoretic groups such as QR_p. The first is that for the latter there exist more
efficient methods for computing discrete logarithms than for elliptic curves, so that
elliptic curves offer the same security against discrete logarithm attacks at smaller sizes
(see, e.g., [LV01; Len05]). The second advantage is that some elliptic curves admit bilinear
pairings: efficiently computable bilinear maps that take two group elements and return
a third element.

Definition 5.11. A bilinear group pair (G_1, G_2) consists of two cyclic groups, both of
prime order p, such that there exists a bilinear map or pairing; that is, a map e : G_1 × G_2 →
G_T (with G_T another multiplicative group of order p) satisfying the following properties:

¹⁰ To see this, let P ∈ G be a generator (such a generator always exists; we will not show this here). If Q is
any other element different from 1, then it can be written as Q = P^q for some nonzero q ∈ Z_p. Now if R = P^r
is yet another element, then R = P^r = P^{qr/q} = Q^{r/q}. The fraction in the power exists because Z_p is a field.
Thus Q is also a generator, and since Q was arbitrary, any element from G unequal to 1 is a generator.

• Bilinearity: For all P, P' ∈ G_1 and Q, Q' ∈ G_2 we have e(PP', Q) = e(P, Q)e(P', Q)
and e(P, QQ') = e(P, Q)e(P, Q'); or equivalently, e(P^a, Q^b) = e(P, Q)^{ab} for any
a, b ∈ Z_p.
• Non-degeneracy: If P ∈ G_1, Q ∈ G_2 are two generators, then the element e(P, Q) is
a generator of G_T (that is, it is unequal to 1 ∈ G_T).
• Computability: There exists an efficient algorithm for computing e(P, Q) for any
P ∈ G_1, Q ∈ G_2.

There are three distinct types of pairings:

1. G_1 = G_2, or G_1 ≅ G_2 and both sides of the isomorphism are efficiently computable.¹¹
2. There exists an efficiently computable isomorphism from G_2 to G_1 but not vice
versa.
3. There exists no efficiently computable isomorphism from G_2 to G_1 or vice versa.

Notice that in group pairs of Type 1, the DDH-problem cannot hold in G_1 ≅ G_2: if
(P, P^a, P^b, P^c) ∈ G_1^4 is given then one can check whether

\[ e(P, P^c) \stackrel{?}{=} e(P^a, P^b) \]

holds, which will only be the case if c = ab. For a similar reason, the DDH-problem will
not hold in G_2 in the case of a Type 2 pairing (but it might hold in G_1).
The importance and utility of pairings in cryptography became clear in 2000 when
Joux devised a three-party one-round key agreement protocol that uses Type 1 pairings
[Jou00]. In the years after that many other novel Type 1 schemes were created, but
in recent years attention has shifted to Type 3 pairings, mostly for the following reasons.

• Type 1 pairings must be instantiated either using curves defined over fields of
characteristic 2 or 3 (i.e., F_{2^ℓ} or F_{3^ℓ} for some ℓ), or using a supersingular curve
over a prime field. However, recent advances in solving the discrete logarithm
problem in fields of characteristic 2 and 3 [Adj+15; GKZ14] have made the former
untenable, while the performance of the latter is significantly less than that of Type
3 pairings.¹²
• Type 3 pairings also perform better than Type 2 pairings. Additionally, there is
some evidence that the presence of the efficiently computable isomorphism from
G_2 to G_1 of Type 2 pairings is not essential, in the sense that most or all Type 2
schemes can be converted to Type 3 schemes [CM11].

For these reasons we will prefer Type 3 pairings in this thesis. We will mostly use them
to check that two elements from, say, G1 have some specific relative discrete logarithm
(without knowing this discrete logarithm). This goes as follows. Let P, Q be generators

¹¹ Of course, the two groups are always isomorphic, the isomorphism being P^k ↦ Q^k for generators P, Q of
G_1, G_2 – but this isomorphism is not efficiently computable if the DL-problem holds.
¹² For an informal discussion on these issues, we refer to this blog post by S. Galbraith: “New discrete
logarithm records, and the death of Type 1 pairings”, https://ellipticnews.wordpress.com/2014/02/01/new-discrete-logarithm-records-and-the-death-of-type-1-pairings/

of G_1, G_2 respectively, and let A = Q^a be known (but not a). If P' ∈ G_1 is then some
other element then we can check whether or not P' = P^a by checking

\[ e(P, A) \stackrel{?}{=} e(P', Q). \]

Such pairings exist for particular types of elliptic curves; we mention for example
[MNT01] and the BN-curves [BN06], which we describe below. For more information
about bilinear group pairs and pairings we refer to [GPS08]; see also, for example,
Chapters I and X from [BSS05].

5.4.1 BN-curves

As an example of a group pair that is suitable for Type 3 pairings, we briefly describe
the construction of Barreto-Naehrig curves [BN06]. These are curves over Z_q for a prime
q of the form y^2 = x^3 + b. They are parameterized by the following two polynomials in
the integer u, which may be positive or negative:

\[ q = q(u) = 36u^4 + 36u^3 + 24u^2 + 6u + 1, \]
\[ p = p(u) = 36u^4 + 36u^3 + 18u^2 + 6u + 1. \]

A BN-curve is generated as follows.

• Given 1^ℓ, find a u such that both p(u) and q(u) are prime, and such that |p(u)| = ℓ;
• Find a b ∈ Z_q such that b + 1 = y^2 mod q for some y ∈ Z_q, and such that pP = ∞,
where P = (1, y);
• Return p, q, b, P.

Then G_1 = E(Z_q) is a curve of order p and P ∈ G_1 is a generator. Actually it suffices
to return just u and y, since using u the values of p and q can be computed using the
polynomials above, and b = y^2 − 1 mod q.
The embedding degree of these curves is 12, meaning that the second group G_2 of
these group pairs is of the form E(F_{q^12})[p]. However, Barreto and Naehrig noticed that
for these curves there will exist a ξ ∈ F_{q^2} such that there exists a twist E' of E, of the form
E' : y^2 = x^3 + b/ξ, which is such that p | #E'(F_{q^2}), along with an isomorphism ψ : E' → E.
This means that using this twist we can take G_2 to be G_2 = ψ^{−1}(E(F_{q^12})[p]) = E'(F_{q^2})[p],
so that the elements of G_2 are not much bigger than those of G_1. Additionally, ξ can be
chosen such that X^6 − ξ is irreducible over F_{q^2}, meaning that F_{q^12} can be represented as
F_{q^2}[X]/(X^6 − ξ), leading to further speedups in the computation of the pairing.
On these curves one can use for example the Tate or Ate pairing. We will not detail
the algorithms for these pairings; but see for example [DSD07] as well as the citations in
Definition 5.11.
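The three generation steps above, carried out at toy size as an added Python example (not code from the thesis or from [BN06]): it evaluates q(u) and p(u), searches for a b with b + 1 a square and pP = ∞ for P = (1, y), and then checks the claimed curve order and embedding degree by brute force. The curve arithmetic, primality test and the values u = ±1 (giving q = 103, p = 97 and q = 19, p = 13) are constructed for illustration and are far too small for real use.

```python
# Added illustration of the BN-curve construction above; the helpers below are
# constructed for toy sizes and are not the thesis's code or real parameters.

def bn_polynomials(u):
    """The two BN polynomials: q(u) is the field size, p(u) the curve order."""
    q = 36 * u**4 + 36 * u**3 + 24 * u**2 + 6 * u + 1
    p = 36 * u**4 + 36 * u**3 + 18 * u**2 + 6 * u + 1
    return q, p

def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n**0.5) + 1))

def sqrt_mod(a, q):
    """A square root of a modulo the prime q, or None if a is a non-residue."""
    a %= q
    if a == 0:
        return 0
    if pow(a, (q - 1) // 2, q) != 1:          # Euler's criterion
        return None
    if q % 4 == 3:                            # shortcut valid when q = 3 mod 4
        return pow(a, (q + 1) // 4, q)
    return next(y for y in range(1, q) if y * y % q == a)   # toy-size fallback

def ec_add(P, Q, q):
    """Addition on y^2 = x^3 + b over Z_q (a = 0); None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % q == 0:                # Q = -P, including the y = 0 case
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, q) % q        # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q         # chord slope
    x3 = (lam * lam - x1 - x2) % q
    return x3, (lam * (x1 - x3) - y1) % q

def ec_mul(k, P, q):
    """Scalar multiplication k*P by double-and-add."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, P, q)
        P = ec_add(P, P, q)
        k >>= 1
    return R

def generate_bn_curve(u):
    """The three steps of Section 5.4.1 for a fixed u; returns None when p(u), q(u)
    are not both prime or when no suitable b exists."""
    q, p = bn_polynomials(u)
    if not (is_prime(q) and is_prime(p)):
        return None
    for b in range(1, q):                     # b = 0 would give a singular curve
        y = sqrt_mod(b + 1, q)                # want b + 1 = y^2 so that P = (1, y) is on E
        if y is None:
            continue
        P = (1, y)
        if ec_mul(p, P, q) is None:           # p*P = infinity, so E has order p
            return {"u": u, "q": q, "p": p, "b": b, "P": P}
    return None

def count_points(b, q):
    """Brute-force #E(Z_q) for y^2 = x^3 + b, counting the point at infinity."""
    total = 1
    for x in range(q):
        rhs = (x**3 + b) % q
        if rhs == 0:
            total += 1
        elif pow(rhs, (q - 1) // 2, q) == 1:
            total += 2
    return total

def embedding_degree(q, p, limit=12):
    """Smallest k with q^k = 1 mod p (the p-th roots of unity live in F_{q^k})."""
    for k in range(1, limit + 1):
        if pow(q, k, p) == 1:
            return k
    return None

if __name__ == "__main__":
    curve = generate_bn_curve(1)              # u = 1 gives q = 103, p = 97
    print(curve, count_points(curve["b"], curve["q"]),
          embedding_degree(curve["q"], curve["p"]))
```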

5.5 Zero-knowledge proofs


In many cryptographic schemes it is necessary for one party (the prover) to convince
another party (the verifier) that it knows some secret, without disclosing it. For example,
we might want to prevent the verifier from learning some sensitive piece of information
for privacy purposes. For this reason we must expand on what it means for an algorithm
“to know” something – or more precisely, what an interactive algorithm learns from an
interaction with some other interactive algorithm.
Simply put, we shall say that the interactive algorithm has learned nothing new if
whatever data or knowledge it obtained from the interaction, it could also have computed
by itself beforehand, without any interaction. Specifically, for any verifier there will exist
a (noninteractive) polynomial-time algorithm called the simulator, whose output will be
indistinguishable from everything the verifier learns when interacting with the prover.
This captures that the verifier learns nothing from an interaction with the prover, as it
could have computed the result of the interaction without the help of the prover in the
first place, by invoking this simulator.
Before we can turn to the definition of zero-knowledge proofs we must define what
it means for two sets to be computationally indistinguishable, and introduce some
notations for interactive algorithms.

5.5.1 Computational indistinguishability


Both the prover and the verifier may be probabilistic algorithms, so that their output
may vary even if the input does not. For that reason, the notion of computational
indistinguishability that we need is defined in terms of random variables.
Definition 5.12 (Computational indistinguishability). Let S be a countable set. A probability
ensemble indexed by S is a sequence of random variables {X_s}_{s∈S} indexed by S.
Two probability ensembles X = {X_s}_{s∈S} and Y = {Y_s}_{s∈S} are computationally indistinguishable
(in which case we write X ≈_c Y) if for every probabilistic polynomial-time
algorithm A there exists a negligible function ν such that

\[ \Pr[\mathcal{A}(X_s, s) = 1] - \Pr[\mathcal{A}(Y_s, s) = 1] = \nu(|s|). \]

Thus as the length of s increases, it becomes progressively more unlikely that A reacts
one way when given a value from Xs but another way when given a value from Ys .
Example 5.13. The DDH problem (see Definition 5.10) in a group family G = {G_α}_{α∈I}
can concisely be formulated in terms of computational indistinguishability as follows.
If

\[ X_\alpha = (P, P^a, P^b, P^{ab}) \quad\text{and}\quad Y_\alpha = (P, P^a, P^b, P^c) \]

are two random variables where P is randomly selected from G_α and a, b, c are random
integers, then the DDH problem holds in G if {X_α}_{α∈I} ≈_c {Y_α}_{α∈I}.

5.5.2 Interactive algorithms


Let A be an interactive algorithm interacting with some other algorithm B. Suppose
that both algorithms are given some input x, while A is additionally given input w and
a randomness tape r. The next-message function A_{x,w,r} is a function that, when given a
set of messages (m_1, ..., m_t), returns what A would have output after having received
the messages (m_1, ..., m_t).
Definition 5.14 (Black-box access). We say that B has black-box access to A, and we write
B→A, if B has oracle access to the next-message function A_{x,w,r} of A.

Definition 5.15. We denote with view_A(A(x, w) ↔ B(x, a)) a random variable containing
x, w, the random tape of A, and the messages that A receives during a joint
conversation with B(x, a).

5.5.3 Formal languages and zero-knowledgeness


For our purposes it suffices to define a formal language L as some subset of all possible
sequences of bits, i.e., L ⊂ {0, 1}*.
Definition 5.16. Let L be a formal language. A relation for L is a subset R_L ⊂ {0, 1}* ×
{0, 1}* such that
• There exists an algorithm that is polynomial-time in its first argument, that when
given (x, w) ∈ {0, 1}* × {0, 1}* can recognize whether or not (x, w) ∈ R_L,
• There exists a polynomial p such that x ∈ L if and only if there exists some
w ∈ {0, 1}* with |w| ≤ p(|x|) and (x, w) ∈ R_L.

Such a w is called a witness for membership, or just a witness, for x ∈ L.

The complexity class NP can then be defined as all formal languages L for which there
exists such a relation R_L. That is, given a witness w for x it is easy to determine that
x ∈ L, but in the absence of such a witness it may be infeasible to decide if x ∈ L.
Fix a language L with relation R_L, and suppose one party called the prover P knows a
witness w for x. A zero-knowledge proof is, informally, an interactive protocol that the
prover P can perform with some other party (called the verifier V), in which the prover
uses the witness w for x in order to convince the verifier that x ∈ L. If both parties
follow the protocol then by the end the verifier is convinced that indeed x ∈ L, but if
x ∉ L (i.e., the prover is cheating) then it should not be able to convince the verifier with
any reasonable probability (this property is called soundness). Additionally, as stated
above, the protocol should be such that the verifier learns nothing that it could not have
computed by itself beforehand.
A zero-knowledge proof of knowledge is a zero-knowledge proof which is such that by
the end of the protocol, the verifier is not only convinced of the fact that x ∈ L, but also
that the prover knows the witness w which is such that (x, w) ∈ R_L. We will formalize
this by demanding that if the verifier can arbitrarily manipulate (i.e., has black-box access
to) the prover, then the witness w can be extracted from it. Notice that soundness follows

from this demand, since if a witness can be extracted from the prover, then this witness
apparently exists, so that (x, w) ∈ R_L and thus x ∈ L.
The definition is as follows.
Definition 5.17 (Black-box zero-knowledge proof of knowledge). Let L be a language
and let R_L be a polynomially computable relation for L. An interactive protocol between
two interactive probabilistic polynomial-time algorithms P and V is a black-box zero-
knowledge proof of knowledge for R_L ([GMR89], see also [CDM00; Gol00]) if there exists an
expected polynomial-time simulator S and a polynomial-time extractor χ, that satisfy
the following conditions:
Completeness For all x, w such that R_L(x, w) = 1,

\[ \Pr[\mathcal{P}(x, w) \leftrightarrow \mathcal{V}(x) \to 1] = 1. \]

Black-box zero-knowledge For any probabilistic Turing machine V* that is polynomial-
time in its first argument, and for any auxiliary input a ∈ {0, 1}*, we have

\[ \{\mathrm{view}_{V^*}(\mathcal{P}(x, w) \leftrightarrow V^*(x, a))\}_{x \in L,\, a \in \{0,1\}^*}
   \stackrel{c}{\approx} \{\mathrm{view}_{V^*}(\mathcal{S}(x) \to V^*(x, a))\}_{x \in L,\, a \in \{0,1\}^*} \tag{5.1} \]

for any w such that (x, w) ∈ R_L.

Black-box extraction Let x ∈ L. For any probabilistic Turing machine P* that is
polynomial-time in its first argument, and for any auxiliary input a ∈ {0, 1}*,
if

\[ \Pr[P^*(x, a) \leftrightarrow \mathcal{V}(x) \to 1] \ge \epsilon(|x|) \]

for some function ε : N → [0, 1], then there exists a negligible function ν such that

\[ \Pr[P^*(x, a) \leftarrow \chi(x) \to w : R(x, w) = 1] \ge \epsilon(|x|) - \nu(|x|). \]

In other words, if the prover convinces the verifier often that it knows some witness
for x ∈ L, then the extractor computes a witness for x almost as often.
Notice the symmetry in the definition: even if the verifier cheats then it can learn nothing
interesting, while even if the prover cheats then it cannot convince verifiers if it does not
know a witness (and if neither cheats, then the protocol works as expected).
We will sometimes use that the second property, black-box zero-knowledge, implies
(and is in fact equivalent to) the following: there exists a negligible function ν such that
for any x ∈ L, any w such that (x, w) ∈ R, and any auxiliary input a:

\[ \Pr[\mathcal{P}(x, w) \leftrightarrow V^*(x, a) \to 1] - \Pr[\mathcal{S}(x) \to V^*(x, a) \to 1] = \nu(|x|). \tag{5.2} \]

That is, if using a witness w the prover can get verifier V* to accept, then the simulator S
can, given black-box access to the verifier, make him accept without knowing the witness
w. Indeed, suppose some machine V* violates the formula above, i.e., there exist x, w, a

such that with non-negligible probability V*(x, a) outputs 0 when it interacts with S(x)
and 1 when interacting with P(x, w). Note that the output of V* can be calculated
in polynomial time from its view. Consider then the distinguisher that, given such a
view, returns the output of V* corresponding to this view. This distinguisher would
then, for these particular x, w, a, be able to distinguish view_{V*}(P(x, w) ↔ V*(x, a)) from
view_{V*}(S(x)→V*(x, a)), violating equation (5.1).

5.5.4 Σ-protocols and other variations


The definition above is stated in terms of black-box simulators: for all verifiers there
exists one algorithm S that, when given black-box access to the possibly malicious
verifier V*, interacts with V* in a way that is indistinguishable from honest verifiers.
Since such an oracle Turing machine with black-box access to V* can be thought of as
a Turing machine that depends on V*, this implies a more general phrasing: for every
verifier V* there exists a simulator S_{V*} whose interaction with V* is indistinguishable
from those of honest provers. This version is indeed more general than the black-box
version, in the sense that not all zero-knowledge protocols are black-box [Bar01]. Such
non-black-box proofs will however not occur in this thesis.
For most purposes it is sufficient that the honest and simulated views are indistinguishable
by polynomial-time algorithms. When the two are not only indistinguishable
but actually identically distributed, then the protocol is said to be perfect zero-knowledge.
The definition in the previous subsection guarantees security against dishonest verifiers
by demanding that for any verifier (i.e., even one that deviates from the protocol),
the simulator’s behavior is indistinguishable from honest users. There is an important
weaker variation in which the verifier is assumed to be honest-but-curious instead; that is,
it follows the protocol but may retain and study all data that it received afterwards. Protocols
that are secure against such verifiers are called honest-verifier zero-knowledge.
Although they offer less security they are often much simpler, and therefore more efficient
and easier to study. Additionally, there exist ways in which one can turn any
Σ-protocol (see Definition 5.19 below) into a full zero-knowledge protocol [Dam10].

Definition 5.18 (Honest-verifier zero-knowledge). An interactive proof system for a
language L and relation R_L is an interactive protocol between a prover P and verifier V,
such that

Completeness For any (x, w) ∈ R_L and any a ∈ {0, 1}*, we have

\[ \Pr[\mathcal{P}(x, w) \leftrightarrow \mathcal{V}(x, a) \to 1] = 1. \]

Soundness For any x ∉ L, any interactive algorithm P*, and any a, w ∈ {0, 1}*, we have

\[ \Pr[P^*(x, w) \leftrightarrow \mathcal{V}(x, a) \to 1] \le \frac{1}{3}. \]

(Note that this probability can be lessened simply by executing the protocol a number
of times.)

Common information: P_1, ..., P_n, K ∈ G; the group G

Prover                                                  Verifier
knows k_i such that K = ∏_{i=1}^n P_i^{k_i}
random w_1, ..., w_n ∈_R Z_p^*
send W = P_1^{w_1} ··· P_n^{w_n}               −→
                                               ←−       send c ∈_R Z_p
∀i ∈ [1, n] send z_i = c·k_i + w_i             −→
                                                        verify K^c W ?= ∏_{i=1}^n P_i^{z_i}

Figure 5.2. The Schnorr Σ-protocol for DL-representations.

An interactive proof system between a prover P and verifier V is honest-verifier zero-
knowledge if there exists a probabilistic polynomial-time algorithm S such that for any
w, the probability ensembles {view_V(P(x, w) ↔ V(x))}_{x∈L} and {S(x)}_{x∈L} are
computationally indistinguishable.

Notice the absence of a quantifier over all possible verifiers V ∗ : the output of the
simulator S is required to be indistinguishable only from the views of honest verifiers.
Clearly, black-box zero-knowledge proofs of knowledge are also honest-verifier zero-
knowledge but not vice versa.
An important class of honest-verifier zero-knowledge protocols is the following.

Definition 5.19 (Σ-protocols). An honest-verifier zero-knowledge protocol is called a
Σ-protocol if the following holds.

• It consists of three moves: first the prover sends a commitment W, then the verifier
responds with a challenge c, after which the prover sends a reply z.
• For any x and any pair of accepting conversations (W, c, z), (W, c', z') for x with
c ≠ c', one can efficiently compute a w such that (x, w) ∈ R_L (this property, which
can be seen as a variant of black-box extractability, is called special soundness).

5.5.5 Examples
Example 5.20 (Σ-protocol for DL-representations). Let G be a cyclic group of prime order
p in which the DL-problem is intractable, and suppose the prover wants to prove
knowledge of the DL-representation (k_1, ..., k_n) of K ∈ G with respect to the distinct
non-unit elements P_1, ..., P_n ∈ G. Then the prover can follow the Σ-protocol in Figure 5.2
[Bra00]. If one takes n = 1 then it reduces to the Schnorr Σ-protocol for discrete
logarithms [Sch90]. It is easy to see that this is indeed a Σ-protocol:

• Given K ∈ G and base points P_1, ..., P_n ∈ G, one can generate an accepting conversation
by taking arbitrary numbers c, z_1, ..., z_n ∈ Z_p and setting

\[ W = K^{-c} \prod_{i=1}^n P_i^{z_i}. \]

Such conversations are distributed identically to actual traces for K = ∏_{i=1}^n P_i^{k_i}.

• If (W, c, z_1, ..., z_n), (W, c', z'_1, ..., z'_n) are two accepting traces of this protocol for
K, then we apparently have

\[ K^{-c} \prod_{i=1}^n P_i^{z_i} = W = K^{-c'} \prod_{i=1}^n P_i^{z'_i}, \]

which when solved for K yields

\[ K = \prod_{i=1}^n P_i^{(z'_i - z_i)/(c' - c)}. \]

This says that k_i = (z'_i − z_i)/(c' − c) for i = 1, ..., n is a valid witness for K.
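The protocol of Figure 5.2 together with the simulator and the special-soundness extractor just described, as an added Python example that is not part of the thesis. It runs in a toy group QR_p of prime order p' built as in Example 5.2; the values p = 1019, p' = 509, the base points and all function names are constructed for illustration and are far too small for real use.

```python
import random

# Constructed toy group in the style of Example 5.2: MODULUS = 2*ORDER + 1 is a safe
# prime, and QR_MODULUS (the squares in Z_MODULUS^*) has prime order ORDER.
# These sizes are for illustration only; real parameters are thousands of bits.
MODULUS = 1019
ORDER = 509


def qr_element(x):
    """Square x to land in QR_p; every element other than 1 generates the group."""
    g = pow(x, 2, MODULUS)
    if g == 1:
        raise ValueError("x^2 = 1 is the identity, not a generator")
    return g


def multi_exp(bases, exps):
    """Return prod_i P_i^{e_i}, with exponents taken modulo the group order."""
    acc = 1
    for base, e in zip(bases, exps):
        acc = acc * pow(base, e % ORDER, MODULUS) % MODULUS
    return acc


def prover_commit(bases, rng):
    """Move 1: random w_i in Z_{p'}^* and the commitment W = prod P_i^{w_i}."""
    ws = [rng.randrange(1, ORDER) for _ in bases]
    return ws, multi_exp(bases, ws)


def prover_respond(ks, ws, c):
    """Move 3: z_i = c*k_i + w_i mod p' for the verifier's challenge c."""
    return [(c * k + w) % ORDER for k, w in zip(ks, ws)]


def verify(bases, K, W, c, zs):
    """The verifier's check: accept iff K^c * W = prod P_i^{z_i}."""
    return pow(K, c, MODULUS) * W % MODULUS == multi_exp(bases, zs)


def run_protocol(bases, ks, K, rng):
    """One honest execution; returns the trace (W, c, [z_1, ..., z_n])."""
    ws, W = prover_commit(bases, rng)
    c = rng.randrange(ORDER)                 # move 2: the verifier's challenge
    return W, c, prover_respond(ks, ws, c)


def simulate(bases, K, rng):
    """Honest-verifier simulator: pick c and the z_i first, then set
    W = K^{-c} prod P_i^{z_i}; no k_i is needed and the check still passes."""
    c = rng.randrange(ORDER)
    zs = [rng.randrange(ORDER) for _ in bases]
    W = pow(K, (-c) % ORDER, MODULUS) * multi_exp(bases, zs) % MODULUS
    return W, c, zs


def extract(trace1, trace2):
    """Special soundness: two accepting traces with the same W and c != c'
    give k_i = (z'_i - z_i) / (c' - c) mod p'."""
    W1, c1, zs1 = trace1
    W2, c2, zs2 = trace2
    if W1 != W2 or c1 == c2:
        raise ValueError("need equal commitments and distinct challenges")
    inv = pow((c2 - c1) % ORDER, -1, ORDER)
    return [((z2 - z1) * inv) % ORDER for z1, z2 in zip(zs1, zs2)]


def demo(seed=7):
    """Honest run verifies, simulated trace verifies, rewinding recovers the k_i."""
    rng = random.Random(seed)
    bases = [qr_element(x) for x in (2, 3, 5)]   # constructed base points P_1, P_2, P_3
    ks = [rng.randrange(ORDER) for _ in bases]
    K = multi_exp(bases, ks)
    honest_ok = verify(bases, K, *run_protocol(bases, ks, K, rng))
    simulated_ok = verify(bases, K, *simulate(bases, K, rng))
    ws, W = prover_commit(bases, rng)        # "rewind": same W, two different challenges
    t1 = (W, 5, prover_respond(ks, ws, 5))
    t2 = (W, 9, prover_respond(ks, ws, 9))
    return honest_ok, simulated_ok, extract(t1, t2) == ks


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```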

Example 5.21 (BBZKPoK for DL-representations). Let G again be a cyclic group of
prime order p in which the DL-problem is intractable. We present a black-box zero-
knowledge proof of knowledge for proving knowledge of DL-representations in G that
is an optimization of the one from [CDM00]. When n = 1 is taken, it reduces to a zero-
knowledge proof of knowledge for discrete logarithms (although for that case [CDM00]
contains a more efficient protocol).
Recall that a trace (W, c, z) of the Schnorr Σ-protocol for K is valid if P^z = W K^c.
Such a trace can be generated by choosing z, c randomly, setting W = P^z K^{−c}, and
returning (W, c, z). Suppose now that the prover P wants to prove knowledge of the
DL-representation (k_1, ..., k_n) of K = P_1^{k_1} ··· P_n^{k_n} with respect to P_1, ..., P_n ∈ G, where
all P_i are distinct and unequal to 1. The proof consists of two parts, each having three
moves:
• V uses the simulator above for K with respect to P_1, obtaining (W, c, z). It sends W to
P, and executes the Schnorr Σ-protocol on the numbers c, z such that W = K^{−c} P_1^z.
• P uses the OR-protocol from [CDS94] (a Σ-protocol consisting of 3 moves) to show
that it knows either numbers c', z' such that (W, c', z') is accepting for K (with P_1 as
base point), or the DL-representation (k_1, ..., k_n) of K, without revealing which.
The second and third moves of the first part can then be executed simultaneously
with the first and second moves of the second part, resulting in a protocol of 4 moves
with n + 6 exponentiations for the prover. The protocol is shown in Figure 5.3; for
readability the protocol has not been contracted there to 4 moves. We emphasize that in
implementations, moves 2 and 4 and moves 3 and 5 should be done simultaneously.
We briefly sketch the existence of a simulator and extractor for this protocol. First
we remark that the proofs from the first part and second part are both witness-hiding
[FS90].
The simulator uses its black-box access to the verifier to extract the numbers c, z from
the first part. Then it can use these in the OR-protocol in the second part to prove
that it either knows (c, z) or (k_1, ..., k_n). Since the verifier cannot detect that it is
being rewound and since the OR-protocol is witness-hiding, the verifier cannot
tell which of the two statements the simulator is proving. Therefore the simulator's
behavior is indistinguishable from that of honest provers.

Common information: P_1, ..., P_n, K ∈ G; the group G.
The prover knows k_i such that K = ∏_{i=1}^{n} P_i^{k_i}.

Phase 1
  Prover: chooses c_1, e, z'_1, z'_2, w̄_1, ..., w̄_n ∈_R Z_p^*.
  Verifier: chooses c, z, w_1, w_2 ∈_R Z_p^*.
  Verifier → Prover: W = P_1^{z} K^{-c}, W̃ = P_1^{w_1} K^{w_2}.
  Prover → Verifier: e.
  Verifier → Prover: z_1 = w_1 + ez, z_2 = w_2 − ec.
  Prover: verifies P_1^{z_1} K^{z_2} =? W̃ W^e.
Phase 2
  Prover → Verifier: W' = P_1^{z'_1} K^{z'_2} W^{-c_1}, W̄ = P_1^{w̄_1} ··· P_n^{w̄_n}.
  Verifier → Prover: c.
  Prover: sets c_2 = c − c_1, and z̄_i = w̄_i + c_2 k_i for all i.
  Prover → Verifier: c_1, c_2, z'_1, z'_2, (z̄_i)_{i=1,...,n}.
  Verifier: verifies c =? c_1 + c_2,
            P_1^{z'_1} K^{z'_2} =? W' W^e, and
            P_1^{z̄_1} ··· P_n^{z̄_n} =? W̄ K^{c_2}.

Figure 5.3. Black-box zero-knowledge proof of knowledge of a DL-representation.

The extractor runs the first part of the protocol normally. Then, using its black-box
access to P it can rewind P in the second part, and obtain either the DL-
representation (k_1, ..., k_n) of K (in which case we are done), or numbers c', z'
such that (W, c', z') is accepting for K (with P_1 as base point). Suppose the latter
is the case. Since the Σ-protocol executed in the first part is witness-hiding, the
new trace (W, c', z') will with overwhelming probability differ from the trace
(W, c, z) that the extractor generated itself. Thus it sets k' = (z − z')/(c − c'), so that
K = P_1^{k'}. Now the extractor outputs (k', 0, ..., 0) (which is also a DL-representation
of K with respect to P_1, ..., P_n).

Other black-box zero-knowledge proofs of knowledge that can be used for DL-representations
are, for example, the one sketched in [Dam10, p. 16] which also has 4 moves, or
the protocol for discrete logs from [Lin11, p. 31], which is easily extended to a protocol
for DL-representations but has 5 moves.

5.5.6 Conventions and notations

We will use the Camenisch-Stadler notation [CS97] for zero-knowledge proofs. For
example, if K, P_1, P_2 are elements of some group then

    PK{(k_1, k_2) : K = P_1^{k_1} P_2^{k_2}}                                    (5.3)

denotes a zero-knowledge proof of knowledge of the numbers k_1, k_2 that satisfy the
relation K = P_1^{k_1} P_2^{k_2}. We will, however, not switch to Greek letters for the unknowns, as
is sometimes done, but we will consistently write all unknowns (e.g. k_1 and k_2 in (5.3))
on the right-hand side.

5.6 Signature schemes


A signature scheme is a set of protocols dealing with authenticity of digital messages.
A valid digital signature over some message should give a recipient (or verifier) reason
to believe that the message was created (or at least seen and approved) by a known
authority, who we shall call the signer. The purpose of a signature scheme is thus to use
the trust relationship between the signer and a verifier to certify messages. Signature
schemes are widely used throughout computer science and the internet, and they often
also serve as a basis for credential schemes. We will in fact create a signature scheme, and
prove its unforgeability, for precisely that purpose in Section 9.2.3 on p. 157.
Signature schemes work as follows. First the signer creates two related pieces of
information called the secret key and public key. It keeps the secret key to itself but
publishes the public key. Then, given a message, the signer can create a digital signature
over that message using the secret key. After this anyone who knows the signer’s public
key and who is given the message and signature is able to verify that that signature is
valid over that particular message, using the public key.
The validity of a signature over a message with respect to a certain public key should
assure the verifier that the signature was created by the signer. This means that the
trust between the verifier and signer can only be extended to the message if only the
signer, who holds the secret key that corresponds to its known public key, is able to
create signatures that will verify when using the public key. Therefore, when given only
a public key and a message, but not the secret key, it should be infeasible to produce a
signature over that message that will verify with the given public key (that is, the scheme
should be unforgeable).
Let us now turn to the formal definition of signature schemes.

Definition 5.22 (Signature schemes). A signature scheme consists of the following three
algorithms:

KeyGen(1^ℓ) Given a security parameter ℓ in unary, this algorithm outputs two bit strings
PK, SK, as well as a description of a set M called the message space.
Sign_SK(m) Given a secret key SK and message m ∈ M, this algorithm outputs a signa-
ture σ.
Verify_PK(σ, m) Given a public key PK, signature σ and message m, this algorithm out-
puts valid or invalid.

The scheme should be correct, in the following sense: for every (SK, PK, M) ←
KeyGen(1^ℓ) and every message m ∈ M, we have

    Verify_PK(Sign_SK(m), m) = valid.

Notice that this definition says nothing about unforgeability. For example, the scheme
where SignSK (m) = 0 and Verify PK (σ, m) = valid for all SK, PK, m, σ satisfies the def-
inition but is clearly not very useful. The definition above only specifies the syntax of
signature schemes. As is often done in cryptography, we separately define the security
notion in terms of a security game: a process consisting of a number of fixed moves, in
which we endow an interactive algorithm with some capabilities that it may use as it
sees fit. We call this algorithm the adversary. Its goal is to use these capabilities to output
a valid signature that was not created by the signer. If there exists no adversary that can
do this, then our signature scheme is unforgeable. There are many versions of this game,
differing in what capabilities they give to the adversary, and when the adversary is con-
sidered to have won the game. The one that is most often used is due to Goldwasser,
Micali and Rackoff [GMR88], and goes as follows.
Definition 5.23. The existential unforgeability game under adaptive chosen message
attacks for a signature scheme (KeyGen, Sign, Verify) is a game between an adversarial
user A and a signer S, controlled by the challenger, and proceeds as follows.

Setup The challenger generates a private-public key pair (SK, PK) = KeyGen(1^ℓ). It
sends PK and the description of the message space to the adversary A.
Queries The adversary requests signatures on messages m_1, ..., m_q ∈ M that it may
choose adaptively (i.e., message m_i may depend on messages m_1, ..., m_{i−1}). The
challenger responds to each query with a signature σ_i ← Sign_SK(m_i).
Output The adversary A outputs a pair (m, σ) and wins the game if σ is a valid signature
over m, and m ≠ m_i for all 1 ≤ i ≤ q.

When no probabilistic polynomial-time algorithm can win this game with non-negligible
probability in ℓ, then we say that the signature scheme is existentially unforgeable under
adaptive chosen-message attacks.
The signature scheme is said to be nondeterministic when the Sign algorithm uses
randomness, so that two signings of the same message may result in different signatures.
Notice that if the Sign algorithm is deterministic, then the secret key SK and message
m completely determine the resulting signature σ. If the Sign algorithm is probabilistic,
however, then it may return different signatures if it is run twice on the same secret
key and message. In such cases, the win condition for the adversary is sometimes
modified as follows: the adversary wins if (m, σ) ≠ (m_i, σ_i) for all i. That is, it wins if it
manages to output any new signature, even if it is over an already-seen message. This is
sometimes called strong unforgeability. Although this stronger notion of unforgeability
can sometimes be desirable, the weaker game leaves open the possibility to modify valid
signatures over some message into a new valid signature over the same message. In
particular, self-blindable credential schemes (see Section 5.7 and Chapter 6) critically
depend on this ability.
Sometimes a similar game is used in which the adversary must present all of the mes-
sages that it wants signed at once, instead of being allowed to choose them adaptively. If
no adversary can win this game then the scheme is said to be weakly unforgeable under
(non-adaptively chosen) chosen-message attacks. It is clear that this is a weaker notion
of unforgeability, in the sense that any scheme which is unforgeable under adaptively-
chosen message attacks is also unforgeable in this sense, but not necessarily vice versa.
Nevertheless, this weaker notion will play an important role in Chapter 7 (see Defini-
tion 7.3 on p. 128).
Example 5.24 (BLS signatures). Consider the following deterministic signature scheme,
by Boneh, Lynn and Shacham [BLS04] but modified to Type 3 pairings [SV07b].

KeyGen(1^ℓ) Generate a bilinear group pair e : G_1 × G_2 → G_T of Type 3 (see Defini-
tion 5.11) where the order p of the three groups has length ℓ, together with a hash
function¹³ H : {0, 1}^* → G_1. Additionally, generate a number a ∈ Z_p^* and a genera-
tor Q ∈ G_2, and set A = Q^a. The public key is the description of e, G_1, G_2, G_T and
H, along with A, Q ∈ G_2. The private key is a. The message space is M = {0, 1}^*.
Sign_a(m) Given a message m ∈ {0, 1}^*, the signature is σ = H(m)^a ∈ G_1.
Verify_A(σ, m) The signature σ over the message m is valid only if

    e(σ, Q) = e(H(m), A).

The correctness of this scheme is clear. Indeed, if σ = H(m)^a then

    e(σ, Q) = e(H(m)^a, Q) = e(H(m), Q^a) = e(H(m), A).

One can prove that the scheme is unforgeable under adaptively chosen message attacks
under a generalization of the CDH assumption (Definition 5.9) to Type 3 pairings, in
the random oracle model.¹⁴

5.7 Credential schemes


We now turn to the main topic of this part of the thesis: credential schemes. We have seen
in the previous section that signature schemes serve to use the trust relationship between
a signer and a verifier in order to certify a message. In credential schemes there is also
such a trusted party (that we will now call the issuer), but the goal of credential schemes
is to extend the trust relationship between the issuer and verifier not to a message, but to
a user (for example, a person, or a computing device acting on behalf of a person). Thus,
a user can obtain a credential from an issuer, after which he can show it to a verifier. The
scheme should be such that if the verifier finds that the user's credential is valid, then the
verifier can be sure that the user indeed obtained this credential from the issuer. Since
the issuer apparently deemed this user worthy of a credential, the verifier can trust the
user just as far as it trusts the issuer.

¹³ A function H : {0, 1}^* → G_1 is a hash function if it is efficiently computable, and if it satisfies the following
properties. Given an h ∈ G_1 it should be infeasible to find a bitstring x such that h = H(x) (preimage resistance);
given a bitstring x_1 it should be infeasible to find a bitstring x_2 such that H(x_1) = H(x_2) (second preimage
resistance); and it should be infeasible to find two bitstrings x_1 and x_2 such that H(x_1) = H(x_2) (collision
resistance). Since none of our own constructions in this thesis rely on hash functions, we will not spend more
attention on them here.
¹⁴ A random oracle is an idealized hash function that when given a message m for the first time returns a
random element from G, and then consistently returns the same element when queried on the same message
m. In the unforgeability proof, the adversary is given oracle access to this idealized hash function, and it is
controlled by the challenger. Since our schemes will not use hash functions, we will have no need of this model
(in which case we say that we operate in the standard model).
One thing that is immediately clear is that whatever process we use to show a credential
to a verifier is going to have to be more sophisticated than just handing over the credential
to the verifier (as is usually done in the case of a signature), because this would allow
the verifier to present the credential it just obtained to other verifiers (i.e., the verifier
could impersonate the user). If this were possible then the second verifier could no
longer be sure that it is talking to an honest user instead of to an impersonator, so that no
trust relationship can be established. This suggests that in order to prevent these replay
attacks, the user and verifier should engage in some interactive protocol that hides the
credential at least partially, so that the verifier cannot replay the credential to others.
Notice also that like in signature schemes there is the following asymmetry: only the
issuer should be able to create credentials, while any verifier should be able to verify their
validity (as long as the user agrees to try to convince the verifier of this fact). Therefore
we will here too need private and public keys.
Apart from its validity, a credential may or may not contain information about its
owner. We might call schemes whose credentials do not contain such information boolean
credential schemes (since their credentials are either valid or not). We will study a number
of such schemes in Chapter 6. By contrast, attribute-based credentials (ABC’s) can contain
not one but several pieces of information (called attributes). The showing protocol of
these schemes is then such that the user can choose to show some of these attributes,
while hiding the others. This ability makes them very suitable for the kind of flexibility
and privacy-friendliness that we are looking for in identity-management schemes (see
p. xii). These schemes will be the topic of the final three chapters of this thesis.
Throughout this thesis we will write n for the maximum number of attributes that
an (instantiation of an) attribute-based scheme allows. Note that a boolean credential
scheme can be seen as an attribute-based credential scheme that allows zero attributes,
i.e., n = 0. For this reason we will in the remainder of this section focus on attribute-
based credential schemes; by taking n = 0 one obtains the definition and security
notions for boolean schemes.¹⁵ (The exception to this will be the unforgeability game;
we will use a separate notion of unforgeability for boolean schemes called malleability,
see Definition 6.4 on p. 116. For readability we will in Chapter 6, which is exclusively
concerned with boolean schemes, repeat the relevant definitions and security games
without reference to n or to attributes.)
Summarizing the discussion so far, we can now define credential schemes as follows.

¹⁵ Notice, however, that even though the definitions below contain an n it will not make sense to try to use a
nonzero n for boolean schemes, and in the case of attribute-based schemes the security proofs may collapse if
one takes n = 0.

Definition 5.25 (Attribute-based credential schemes). An attribute-based credential
scheme consists of the following protocols. (We assume a single issuer, but this can
easily be generalized to multiple issuers.)

KeyGen(1^ℓ, n) This algorithm takes as input a security parameter ℓ and the number of
attributes n that the credentials will contain, and outputs the issuer's private key
SK and public key PK, which must contain the number n, and a description of the
attribute space M.
Issue An interactive protocol between an issuer I and user P that results in a credential
c:

    I(PK, SK, (k_1, ..., k_n)) ↔ P(PK, k_0, (k_1, ..., k_n)) → c.

Here k_0 is the user's private key, that is to be chosen from the attribute space M by
the user; the Issue protocol should prevent the issuer from learning it. We assume
that before execution of this protocol, the issuer and user have reached agreement
on the values of the attributes k_1, ..., k_n. The secret key and attributes k_0, k_1, ..., k_n
are contained in the credential c.¹⁶
ShowCredential An interactive protocol between a user P and verifier V which is such
that, if c is a credential issued using the Issue protocol over attributes (k_1, ..., k_n) us-
ing private signing key SK corresponding to public key PK, then for any disclosure
set D ⊂ {1, ..., n} the user can make the verifier accept:

    P(PK, c, D) ↔ V(PK, D, (k_i)_{i∈D}) → 1.

We assume that here, too, the user has notified the verifier in advance of the
disclosure set D and disclosed attributes (k_i)_{i∈D}.

Notice that this syntax is fairly close to that of signature schemes: in both cases a private-
public key pair is generated; and in both cases the private one is used for the generation of
the object at hand, while the public one is used for verification. Because of this similarity
we can define unforgeability of credential schemes in a way that closely resembles that
of signature schemes (see the next section). Additionally, most of the credential schemes
in the literature consist of an underlying signature scheme, along with an interactive
protocol for issuing them and another for showing them. In fact, the schemes that we
will define in Chapters 7 and 9 also have this structure.
Some credential schemes additionally allow credentials to be revoked if they are lost
or stolen. In this case, there is also a revocation authority, and an interactive protocol
called Revoke between the user and the revocation authority. Additionally, during the
ShowCredential protocol the user must also convince the verifier that the credential that
he is presenting has not been revoked using the Revoke protocol. We will, however,
not concern ourselves with revocation in this thesis; instead we refer to [Lue+15] for a
revocation scheme that is suitable for attribute-based credential schemes such as those
from Chapters 7 and 9.

¹⁶ We realize that in terms of terminology, it is rather unusual to include the secret key in the credential. We
do this mainly for notational convenience in the later chapters.

Apart from the properties already mentioned, we expect any credential scheme to
satisfy the following properties.
• Unforgeability (see the next section): no user can prove ownership of a credential
or of attributes that have not been issued to it by the issuer.
• Offline issuer: The issuer is not involved in the verification of credentials.
• Selective disclosure for attribute-based schemes: any subset of attributes contained
in a credential can be disclosed.
Some schemes additionally are such that multiple uses of the same credential cannot
be linked; this is called unlinkability. We will discuss this in more detail in Section 5.7.3
below.
Example 5.26. Consider the following simple example of a boolean scheme (that does
not offer unlinkability).
KeyGen(1^ℓ) The issuer generates private and public keys for some signature scheme
that is unforgeable under adaptively chosen message attacks. Additionally, it
generates a cyclic group G of order p with |p| = ℓ, in which the DL-problem is
intractable, along with a generator P ∈ G (by using the BLS signature scheme from
Example 5.24 on p. 103 the group G can also serve as the set of signatures).
Issue The user generates some k ∈_R Z_p and sends K = P^k to the issuer, and performs

    PK{(k) : K = P^k}

using a zero-knowledge proof of knowledge (see Section 5.5). If the proof is
successful, the issuer signs K and sends the resulting signature to the user.
ShowCredential The user sends K and the signature to the verifier, and performs

    PK{(k) : K = P^k}

to prove knowledge of his private key k. The verifier accepts if the proof is suc-
cessful and if the signature over K is valid.
Because the user hides his secret key k from the verifier using the zero-knowledge proof,
the verifier is prevented from replaying the credential to others.

5.7.1 Conventions and notations


As mentioned above, we will write n for the number of attributes that a scheme allows,
and we will index the attributes with the letter i. When discussing multiple creden-
tials (particularly in the unforgeability and unlinkability games and proofs) we index
credentials with j, and write m for the number of credentials that are currently under
consideration. We will use the letter k for attributes. Thus, k_{i,j} would denote the i-th
attribute of the j-th credential.
In the case of attribute-based credentials, we will write D ⊂ {1, ..., n} for the index
set of the disclosed attributes, and

    C = {1, ..., n} \ D

for the index set of the undisclosed attributes. The index 0 of the secret key k_0 is not
considered part of this set, as k_0 is always kept secret.

5.7.2 Unforgeability
We define unforgeability of an attribute-based credential scheme in terms of the follow-
ing game (notice the resemblance with the game from Definition 5.23).
Definition 5.27 (Unforgeability game for ABC's). The unforgeability game of an
attribute-based credential scheme between a challenger and an adversary A is defined
as follows.

Setup For a given security parameter ℓ, the adversary decides on the number of at-
tributes n ≥ 1 that each credential will have, and sends n to the challenger. The
challenger then runs the KeyGen(1^ℓ, n) algorithm of the credential scheme and
sends the resulting public key to the adversary.
Queries The adversary A can make the following queries to the challenger.
Issue(k_{1,j}, ..., k_{n,j}) The challenger and adversary engage in the Issue protocol, with
the adversary acting as the prover and the challenger acting as the issuer, over
the attributes (k_{1,j}, ..., k_{n,j}). It may choose these adaptively.
ShowCredential(D, k_1, ..., k_n) The challenger creates a credential with the spec-
ified attributes k_1, ..., k_n, and engages in the ShowCredential protocol with
the adversary, acting as the prover and taking D as disclosure set, while the
adversary acts as the verifier.
Challenge The challenger, now acting as the verifier, and the adversary, acting as the
user, engage in the ShowCredential protocol. The adversary chooses a disclosure set
D, and if it manages to make the verifier accept then it wins if one of the following
holds:
• If the adversary made no Issue queries then it wins regardless of the disclosure
set (even if D = ∅);
• Otherwise D must be nonempty, and if (k_i)_{i∈D} are the disclosed attributes,
then there must be no j such that k_i = k_{i,j} for all i ∈ D (i.e., there is no single
credential issued in an Issue query containing all of the disclosed attributes
(k_i)_{i∈D}).

We say that the credential scheme is unforgeable if no probabilistic polynomial-time
algorithm can win this game with non-negligible probability in the security parameter
ℓ.

5.7.3 Unlinkability
One feature that a credential scheme may or may not offer, and that will be of particular
interest to us, is that of unlinkability. A scheme is said to offer multi-show unlinkability
if whenever two credentials are shown (disclosing the same attributes with the same
values, in the case of attribute-based schemes), then the verifier cannot tell whether he
was shown one and the same credential twice, or two distinct credentials. In the case
of boolean schemes, this means that the user is completely anonymous within the set of
all other users of the scheme; in the case of attribute-based schemes the anonymity set
is the set of users who have credentials containing the same attributes as the disclosed
ones. For example, if a user discloses an attribute saying "I am over 18 years old", then
he will be anonymous within the set of all people that also have this attribute.
Another possible kind of unlinkability that a credential scheme may offer (separately
or simultaneously with multi-show unlinkability) is issuer unlinkability. Consider a user
whose credential contains certain attributes. If this user then engages in the ShowCre-
dential protocol with the issuer, or with a verifier who sends the trace of the run to the
issuer afterwards, then of all credentials that the issuer issued with those attributes, the
issuer cannot tell which one was used. That is, the user is from the perspective of the
issuer anonymous within the set of people whose credentials have the same values for
the disclosed attributes.
We now define a single unlinkability game. Afterwards, we will argue that this game
implies both kinds of unlinkability.

Definition 5.28 (Unlinkability game for ABC's). The unlinkability game of an attribute-
based credential scheme between a challenger and an adversary A is defined as follows.

Setup For a given security parameter ℓ, the adversary decides on the number of at-
tributes n ≥ 1 that each credential will have, and sends n to the challenger. The
adversary then runs the KeyGen(1^ℓ, n) algorithm from the credential scheme and
sends the resulting public key to the challenger.
Queries The adversary A can make the following queries to the challenger.
Issue(k_{1,j}, ..., k_{n,j}) The adversary chooses a set of attributes (k_{1,j}, ..., k_{n,j}), and
sends these to the challenger. Then, acting as the issuer, the adversary engages
in the Issue protocol with the challenger, issuing a credential j to the challenger
having attributes (k_{1,j}, ..., k_{n,j}).
ShowCredential(j, D) The adversary and challenger engage in the showing pro-
tocol on credential j, the challenger acting as the user and the adversary as
the verifier. Each time the adversary may choose the disclosure set D.
Corrupt(j) The challenger sends the entire internal state, including the secret key
k_0, of credential j to the adversary.
Challenge The adversary chooses two uncorrupted credentials j_0, j_1 and a (possibly
empty) disclosure set D ⊂ {1, ..., n}. These have to be such that the disclosed
attributes from credential j_0 coincide with the ones from credential j_1, i.e., k_{i,j_0} =
k_{i,j_1} for each i ∈ D. It sends the indices j_0, j_1 and D to the challenger, who checks
that this holds; if it does not then the adversary loses.
Next, the challenger flips a bit b ∈_R {0, 1}, and acting as the user, it engages in the
ShowCredential protocol with the adversary on credential j_b. All attributes whose index is
in D are disclosed.
Output The adversary outputs a bit b' and wins if b = b'.

We define the advantage of the adversary A as Adv_A := |Pr[b = b'] − 1/2|. When no
probabilistic polynomial-time algorithm can win this game with non-negligible advan-
tage in the security parameter ℓ, then we say that the credential scheme is unlinkable.
In this game the adversary plays the role of the issuer in the Setup phase and the
role of the verifier in the Challenge phase. This definition of unlinkability implies both
multi-show unlinkability and issuer unlinkability, as follows.

Multi-show unlinkability Suppose there exists a malicious verifier that can link two
transactions as in the Challenge phase of our unlinkability game, without itself
having issued the credentials from those transactions. Then there certainly also
exists an adversary that, by using this verifier, breaks blindness in the sense of
Definition 5.28. Thus unlinkability as in Definition 5.28 implies multi-show un-
linkability.
Issuer unlinkability Consider the following game for issuer unlinkability. The Setup
and Queries phases are as in Definition 5.28, but the Challenge and Output phases
are as follows:
Challenge The adversary chooses a credential j and a disclosure set D ⊂
{1, ..., n}, and informs the challenger of its choice. The challenger flips a
bit b ∈_R {0, 1}, takes j_0 ∈_R {1, ..., m}, and sets j_1 = j. Next it engages in
the ShowCredential protocol with the adversary on credential j_b, acting as the
user. All attributes whose index is in D are disclosed.
Output The adversary outputs a bit b' and wins if b = b'.
If there exists an adversary that can win this game, then there also exists an
algorithm that breaks blindness in the sense of Definition 5.28: if an algorithm
can win this game with non-negligible probability, it means that it can distinguish
credential j = j_1 from any other credential j ∈_R {1, ..., m}, so that it could certainly
also distinguish j_1 from a fixed j_0.

Essentially, the reason why these variations of the unlinkability game imply unlinkability
in the sense of Definition 5.28, is because in both of them the adversary is endowed with
less power. Indeed, in the first case it does not know the issuer’s secret key, and since it
did not issue the credentials it does not have access to the issuer’s view of the executions
of the Issue protocol; and in the second case it does not get to choose the credential j1 .
Chapter 6

Linkability and malleability in self-blindable credentials

Self-blindable credential schemes allow users to anonymously prove ownership of cre-
dentials. This is achieved by randomizing the credential before each showing in such a
way that it still remains valid. As a result, each time a different version of the same cre-
dential is presented. A number of such schemes have been proposed, but unfortunately
many of them are broken, in the sense that they are linkable (i.e., failing to protect the
privacy of the user), or malleable (i.e., they allow users to create new credentials using
one or more valid credentials given to them). In this chapter we prove a general theorem
that relates linkability and malleability in self-blindable credential schemes, and that
can test whether a scheme is linkable or malleable. After that we apply the theorem to
a number of self-blindable credential schemes to show that they suffer from one or both
of these issues.
This chapter is based on the following article.

[HLR15] J.-H. Hoepman, W. Lueks, and S. Ringers. “On Linkability and Malleability
in Self-blindable Credentials”. In: Information Security Theory and Practice: 9th
IFIP WG 11.2 International Conference, WISTP 2015. Ed. by N. R. Akram and
S. Jajodia. Cham: Springer International Publishing, 2015, pp. 203–218.

The main theorem of this chapter and the corresponding article is my own work, based
on an initial, rough idea by Jaap-Henk Hoepman. My own contribution was to extend
and formalize this idea in the form of the theorem; to apply it to the credential schemes
that we treat in this chapter; and to write the text itself, with help from both Wouter
Lueks and Jaap-Henk Hoepman.

6.1 Introduction
Unlinkable credential schemes (sometimes also called anonymous credential schemes)
are a promising technique for secure and privacy-friendly identity management. A
credential is given by an issuer to the user, who can then prove possession of it to other
parties. This showing should be multi-show unlinkable: that is, it is infeasible for the
issuer, the verifier or any other party to determine whether two transactions did or did
not originate from the same user. Additionally, credentials have to be unforgeable, in
the sense that the user cannot create his own credential, or modify one or more existing
ones in order to obtain a new credential (this kind of forgeability is called malleability
and plays an important role in this chapter). A number of such systems already exist; we mention, for
example, Idemix [CL01; IBM12]. This scheme is additionally attribute-based, meaning
that a credential may contain multiple attributes (which are pieces of information or
statements, generally about the owner of the credential). Such systems tend to be
complex, however, which is why considerable effort has gone into simpler credential
systems that have no attributes (for example [HJV10]; see also Example 6.2). Instead, such
(boolean) credentials are either valid or invalid, resulting in simpler constructions that
are easier to study and potentially more efficient, allowing for practical implementations
of such credentials on smart cards. Naturally, such credential schemes still have to be
unlinkable and unforgeable.
A simple boolean credential scheme is that of Example 5.26, where the user knows
(so can prove knowledge of) the private key corresponding to a public key that has been
signed by the issuer. A problem with this scheme, however, is that the user presents
the same public key and signature on each use, making all uses of the same credential
linkable. One technique for preventing such linkability is to modify the credential
before each showing, in such a way that it remains valid. This is called blinding, and
credential schemes that use this technique are called self-blindable credential schemes. The
first example of such a scheme was given by Verheul in the same paper that defines the
notion of self-blindability [Ver01]. The advantage of blinding credentials in such a way
is that it is easy for the user (blinding is usually cheap) and for the verifier (verifying a
blinded signature is generally not much different from verifying an ordinary signature).
In the past decade, a number of such self-blindable credential schemes have been
proposed [CL01; EMO09; HJV10; KT08; Ver01]. Unfortunately, many of them are broken,
in the sense that transactions are linkable or the credentials are malleable, or even both.
In this chapter we uncover a common theme in the cause of the problem of each of
these schemes: the dependence of the public key and signature on the private key
of the credential can often be exploited to achieve linkability or malleability. This
suggests there is a trade-off between the two. After having introduced and defined the
relevant concepts in Section 6.2, we show this by proving a general theorem in Section 6.3
that makes it easy to determine whether a self-blindable credential scheme is linkable.
The theorem exhibits an interesting and strong relationship between linkability and
malleability of the credential scheme. We then apply this theorem in Section 6.4 to show
that several proposed self-blindable schemes in the literature are linkable, and present
explicit counter-examples as well. The theorem also indicates in which directions to
look for self-blindable credential schemes that are both unlinkable and unmalleable.

6.2 Self-blindable credentials


In all self-blindable credential schemes that we know of, a credential consists of a private
key k, a corresponding public key K, and a signature S over the public key that the issuer
gives to the owner of the credential. That is, a credential C is of the form

C = (k, K, S) ∈ P × K × S

where P , K and S are the sets of private keys, public keys and signatures, respectively.
We shall write C for the product C = P × K × S . Let us say that an element (k, K, S) ∈
P × K × S is valid when k is the private key corresponding to K and S is a valid signature
over K with respect to the issuer’s signing key.
Self-blindable credentials, introduced by Verheul [Ver01], are credentials that the user
modifies each time before he shows it to a verifier, in such a way that it remains valid,
and such that multiple transactions cannot be linked to each other. We define this notion
as follows.1
Definition 6.1. A credential scheme is called self-blindable if
1. There exists a blinding-factor space B and an efficiently computable map

B : C × B → K × S,

such that if the credential C = (k, K, S) ∈ C is valid, then for any α ∈ B it holds
that if B(C, α) = (K̄, S̄) then S̄ is a valid signature over K̄;
2. In the ShowCredential protocol, the credential C is blinded to (K̄, S̄) = B(C, α) for
a random α ∈_R B, after which K̄ and S̄ are used as the public key and signature
respectively in the remainder of the ShowCredential protocol.
Most self-blindable credential schemes that we know of have a ShowCredential protocol
of the following form:
1. The user blinds K and S using the blinding map B and sends the blinded values K̄,
S̄ to the verifier, who then non-interactively checks that S̄ is a valid signature over
K̄.
2. Afterwards, the user and verifier engage in a (possibly zero-knowledge) proof
in which the user convinces the verifier that he knows the private key k and
blinding factor α from which he calculated K̄ (i.e., the first element from the tuple
(K̄, S̄) = B((k, K, S), α)).
We purposefully do not include the private key in the blinded credentials (that is, we
do not demand that B(C, α) = (k̄, K̄, S̄), where k̄ is the private key corresponding to
K̄), because if such a map B were to exist then anyone can, given one credential, create
arbitrary new ones. That is, there would be no distinction between the creation of new
1In [Ver01], Verheul puts four extra demands on the blinding map B besides item 1 in our definition, that
are meant to exclude edge cases that could never lead to desirable properties in a credential scheme. Instead
of including these four extra properties, we describe the role of the blinding map B more directly in the second
item in Definition 6.1.

credentials by the issuer and blinding an existing credential. In terms of Definition 6.4,
the system would then be 1-malleable.

Example 6.2. As a first example we consider the self-blindable credential by Hoepman et
al. [HJV10], which is based on the original scheme by Verheul [Ver01]. Here we use the
Chaum–Pedersen [CP93] signature scheme, as follows. Consider an (additively written)
bilinear pairing e : G1 × G2 → GT, with all groups of prime order p, and take generators P
and Q for G1 and G2 respectively. Then the private signing key of the issuer is a number
a ∈ Z_p, and the corresponding public key is A = aQ ∈ G2.
The space of private keys of credentials is P = Z p , and for a private key k ∈ Z p the
corresponding public key is K = kP ∈ G1 . The signature on K is then a Chaum–Pedersen
signature S = aK, which can be verified by

$$e(K, A) \stackrel{?}{=} e(S, Q).$$

Thus, we have K = S = G1: both the set of public keys and the set of signatures is G1.
Blinding the public key is done by multiplying it by a random number α ∈ Z p , that
is, K̄ = αkP, and similarly for the signature: S̄ = αakP. The verification equation then
becomes
$$e(\bar K, A) \stackrel{?}{=} e(\bar S, Q).$$

If K̄ and S̄ are blinded by the same value α ∈ Z p , and if the unblinded signature is a valid
Chaum–Pedersen signature over the unblinded public key K, then this equation holds.
The problem of this system is not linkability, but malleability. Given a credential
(k, K, S) on its private key k the user can easily create a new credential (αk, αK, αS) on
any other private key αk. This means that a user that has access to the internals of his
credential can create a new credential over any private key k ∈ Z p , without involving
the issuer. (Hoepman et al. mitigate this attack by storing the private key on a smart
card, so that the user cannot access it directly. It is, however, still a problem, for example
because revocation in such a system would be impossible, because there is nothing that
binds the private key to the user.)
We will examine this form of forgeability more closely in Definition 6.4 and Exam-
ple 6.10. In this case, it is a consequence of the linearity of the Chaum–Pedersen signature
S in the private key k. Later on, in Example 6.8, we will see how using a signature scheme
that is nonlinear in k results in linkability.

This chapter is mostly concerned with how the blinded public key K̄ and blinded signa-
ture S̄ depend on the private key k and blinding factor α. Taking the blinded public key
K̄, we will denote the dependency of K̄ on k by writing

K̄ = PubKey(k, α)

for a certain function PubKey : P × B → K. Similarly,

S̄ = SigSK (k, α).



for a certain function SigSK : P × B → S . Here SK is the issuer’s private key. Using
these functions PubKey and SigSK , we can express the blinding map B as follows:

B((k, K, S), α) = (K̄, S̄) = (PubKey(k, α), SigSK (k, α)) .

We stress that these functions PubKey and SigSK need not correspond to any algorithm
that is run by one of the involved parties (typically, for example, the user will calculate
the blinded public key using the unblinded public key, not directly from the private
key). The purpose of these functions is purely to make the dependence on the private
key and blinding factor explicit.

6.2.1 Security properties


Having defined the basic structures and the notion of self-blindability, we next turn to
the security properties that we expect boolean credential schemes to satisfy. If we adapt
the unlinkability game for attribute-based schemes of Definition 5.28 to boolean schemes
by letting the amount of attributes be 0, we obtain the following game.

Definition 6.3 (Unlinkability). A boolean self-blindable credential scheme is unlinkable
if no adversary can win the following game with non-negligible advantage.

Setup The adversary runs the KeyGen(1^ℓ) algorithm and sends the public key to the
challenger.
Queries For any j ∈ {1, . . . , m} the adversary may issue the following queries:
Issue The adversary, acting as the issuer, engages in the Issue protocol with the
challenger, issuing a credential to the challenger that we label with j.
ShowCredential(j) The adversary acts as the verifier in the ShowCredential protocol
for the credential j which has been issued in an Issue query, with the
challenger acting as the user. The adversary sees the same interaction as a
normal verifier would see.
Corrupt( j) The adversary requests the credential j from an Issue query to be cor-
rupted. The challenger gives him the internal state (k j , K j , S j ) of credential
j.
Challenge The adversary selects two uncorrupted credentials j0, j1 from the set
{1, . . . , m} and informs the challenger of his choice. The challenger then picks
a bit b ∈_R {0, 1} at random, and runs ShowCredential on credential j_b with the
challenger playing the role of the user while the adversary acts as the verifier. The
adversary outputs a bit b'. He wins if b = b'.

This definition of unlinkability also covers a weaker notion of linkability, in which the
adversary only gets to see two traces and has to decide whether they belong to the same
credential. Given an algorithm A' that does this, we can build an adversary A satisfying
the definition above by having it perform the following actions:

Setup A sets up the unlinkability game with his challenger.



Queries A performs m Issue queries. Next he chooses two credentials j0 and j1 at random
from the list of credentials {1, . . . , m} and performs a ShowCredential query on j0.
He stores the trace of the protocol run.
Challenge A informs his challenger that he has chosen the credentials j0 and j1 from
the previous phase. He engages in the ShowCredential protocol on j_b (where b is
chosen by the challenger) and stores the trace. Then, he uses the algorithm A' to
compare the traces from j0 and j_b. If A' returns that the two traces belong to the same
credential then A outputs b' = 0 as his guess; otherwise he outputs b' = 1.
Then the adversary A satisfies Definition 6.3.
Definition 6.4 (m-malleability). Let ((k_1, K_1, S_1), . . . , (k_m, K_m, S_m)) ∈ C^m be a tuple of
m valid credentials. If there exists an efficiently computable map F : C^m → C which
outputs a valid credential on a new private key (that is, if

$$(k, K, S) = F\bigl((k_1, K_1, S_1), \ldots, (k_m, K_m, S_m)\bigr)$$

and (k, K, S) is valid and k ≠ k_j for all j = 1, . . . , m) then we say that the credential
scheme is m-malleable.
Although malleability is nothing more than a particular kind of forgeability, it warrants
a separate definition because it occurs in a number of existing credential schemes, and
because it plays an important role in the theorem below. The problem that the definition
above aims to capture is that new credentials can be made without the involvement or
knowledge of the issuer, if the user has m credentials. We see that the credential scheme
from Example 6.2 has 1-malleability: in that scheme, given a credential (k, K, S) and any
α ∈ Z p , the credential (αk, αK, αS) is a new valid credential. This is a problem, because
the blinded credential should still be bound to the original private key k.
Note, however, that if the scheme is not attribute-based but boolean, then malleability
is not necessarily a problem. Modifying an existing credential into a new one does not
change any of its key properties: it was valid and it remains valid, so nothing has really
changed. On the other hand, we can think of the following cases in which it would be a
problem.

• The public key K may contain meaningful information such as attributes (as is
the case in, for example, U-Prove). In this case, the user should not be able to
manipulate this meaningful data, so it should be impossible by exploiting the
malleability to obtain a new valid credential whose public key contains different
information. In particular, the user should not be able to create a credential whose
public key is K̄ when given a credential with public key K.
• In a self-blindable credential scheme that is not attribute-based (for example the
one from Example 6.2), issuers may issue multiple credentials (signed by different
keys) instead of a single credential with multiple attributes. For example, a public
key signed with private key a1 may mean that the user is over 18, while one signed
with private key a2 could mean that he is a German citizen. In such a setting it
should be impossible to combine credentials issued to different users. In this case,
an underage German citizen should not be able to use his foreign friend’s over 18

credential to prove that he is both over 18 and a German citizen. Normally, such
a proof would show that the signed public keys in both credentials are identical,
thus preventing credentials from being combined. However, malleability might
make it possible to change a credential over one public key (say the foreign friend’s)
into another public key (say of the underage German citizen). This would make
credential pooling trivial.
• Similarly, the unchecked randomization of the signed public key can make revo-
cation, often an essential feature of anonymous credential systems, next to impos-
sible.

In the next section, we show that malleability has a strong link with linkability, and then
examine a number of credential schemes that suffer from these issues.

6.3 Relating malleability and linkability


In the credential schemes considered in this chapter, the public key K ∈ K depends
linearly on the private key k ∈ P . Any signature over K obviously depends on K, and
therefore also on k. Thus, when considering suitable signature schemes, if the set of
signatures is a group then we may take one that is either linear or not linear in k. The
theorem and its corollary below then say the following: if the signature scheme is not
linear in k, then there is linkability, while if it is linear in k then the scheme may be
malleable. Loosely speaking, this is because if the public key and the signature do not
depend on the user’s private key and the blinding factor in precisely the same way, then
this can be exploited. Let us now make this more precise.
We assume henceforth that K and S are groups, that we will write additively, and that
P is a field. From the corollary below and onwards it will, moreover, be the case that
the former two are vector spaces2 over P , meaning that elements from K and S can be
multiplied on the left by elements from P : for example, kK ∈ K for k ∈ P and K ∈ K.
We recall the following definition.

Definition 6.5. A map L : V → W, with V and W being vector spaces over P, is linear if
L(v + v') = L(v) + L(v') and L(kv) = kL(v) for all v, v' ∈ V and k ∈ P.

We denote with Verify PK : K × S → {true, false} the verification function of the signature
scheme under consideration, where PK is the public key of the issuer. That is, Verify PK
is such that

$$\mathrm{Verify}_{PK}\bigl(\mathrm{PubKey}(k, \alpha), \mathrm{Sig}_{SK}(k, \alpha)\bigr) = \mathrm{true}$$

for all k, α. On the other hand, whenever k ≠ k' or α ≠ α' (or both), we should have

$$\mathrm{Verify}_{PK}\bigl(\mathrm{PubKey}(k, \alpha), \mathrm{Sig}_{SK}(k', \alpha')\bigr) = \mathrm{false}.$$




2The theorem remains true when P is not a field but a ring, in which case K and S are not vector spaces,
but modules over P . As this is the case in none of the examples below, however, we will keep calling P a field
and K and S vector spaces for definiteness in the remainder of the chapter.

Theorem 6.6. Consider a self-blindable credential scheme. Suppose that for each k, k' ∈ P and
α, α' ∈ B there exist ℓ ∈ P and β ∈ B such that

$$\mathrm{PubKey}(k, \alpha) + \mathrm{PubKey}(k', \alpha') = \mathrm{PubKey}(\ell, \beta). \tag{6.1}$$

If Sig_SK also has this property for the same ℓ, β, that is,

$$\mathrm{Sig}_{SK}(k, \alpha) + \mathrm{Sig}_{SK}(k', \alpha') = \mathrm{Sig}_{SK}(\ell, \beta) \tag{6.2}$$

but only when k = k', then there is linkability. On the other hand, if Sig_SK has this property for
any k, k', and
• the ShowCredential protocol allows the user to present (ℓ, PubKey(ℓ, β), Sig_SK(ℓ, β)) as a valid credential,
• the user can efficiently compute ℓ and β,
then there is 2-malleability.

Proof. Assume that Sig_SK has the stated property only when k = k', and that equation (6.1)
holds for any k, k'. Then if k = k' we have Sig_SK(k, α) + Sig_SK(k', α') = Sig_SK(ℓ, β) and
similarly for PubKey, so

$$\mathrm{Verify}_{PK}\bigl(\mathrm{PubKey}(k, \alpha) + \mathrm{PubKey}(k', \alpha'),\ \mathrm{Sig}_{SK}(k, \alpha) + \mathrm{Sig}_{SK}(k', \alpha')\bigr) = \mathrm{Verify}_{PK}\bigl(\mathrm{PubKey}(\ell, \beta), \mathrm{Sig}_{SK}(\ell, \beta)\bigr) = \mathrm{true}.$$

On the other hand, if k ≠ k', then Sig_SK(k, α) + Sig_SK(k', α') does not evaluate to
Sig_SK(ℓ, β). Therefore

$$\mathrm{Verify}_{PK}\bigl(\mathrm{PubKey}(k, \alpha) + \mathrm{PubKey}(k', \alpha'),\ \mathrm{Sig}_{SK}(k, \alpha) + \mathrm{Sig}_{SK}(k', \alpha')\bigr) = \mathrm{false}.$$

Thus, the function Verify_PK returns true when applied to the sum of the two credentials
involved if and only if k = k', so that the scheme is linkable.
The second part of the statement is obvious: if the ShowCredential protocol does not
prevent the user from using (ℓ, PubKey(ℓ, β), Sig_SK(ℓ, β)) as a valid credential then he
can present it to verifiers, even though Sig_SK(ℓ, β) was not given to him by the issuer.

Corollary 6.7. Suppose the function PubKey is linear in both arguments. If SigSK is linear in the
second but not the first argument, then there is linkability. If SigSK is linear in both arguments,
then there is 1-malleability.

Proof. Suppose Sig_SK is linear in the second but not the first argument, and that k = k' ∈ P. Then

$$\mathrm{PubKey}(k, \alpha) + \mathrm{PubKey}(k', \alpha') = \mathrm{PubKey}(k, \alpha) + \mathrm{PubKey}(k, \alpha') = \mathrm{PubKey}(k, \alpha + \alpha'),$$

and since Sig_SK is also linear in the second argument, we will also have Sig_SK(k, α) +
Sig_SK(k', α') = Sig_SK(k, α + α'). Thus Sig_SK(k, α + α') will be a valid signature over
PubKey(k, α + α').
On the other hand, if k ≠ k' then

$$\begin{aligned}
\mathrm{PubKey}(k, \alpha) + \mathrm{PubKey}(k', \alpha')
&= k\,\mathrm{PubKey}(1, \alpha) + k'\,\mathrm{PubKey}(1, \alpha') \\
&= k\alpha\,\mathrm{PubKey}(1, 1) + k'\alpha'\,\mathrm{PubKey}(1, 1) \\
&= (k\alpha + k'\alpha')\,\mathrm{PubKey}(1, 1) \\
&= \mathrm{PubKey}(k\alpha + k'\alpha', 1),
\end{aligned}$$

but now Sig_SK(k, α) + Sig_SK(k', α') ≠ Sig_SK(kα + k'α', 1), because Sig_SK is not linear in its
first argument. Hence the verification function Verify_PK over the sum of both credentials
will distinguish k = k' and k ≠ k', so that the credential scheme is linkable.
Concerning the second statement of the corollary, if both PubKey and SigSK are linear
in both arguments, then

PubKey(k, α) = αPubKey(k, 1) = PubKey(αk, 1),

and similarly SigSK (k, α) = SigSK (αk, 1), so that (αk, PubKey(k, α), SigSK (k, α)) is a valid
credential. Therefore, there is 1-malleability.

Essentially, the corollary implies that when the verification function is used directly in
the ShowCredential protocol, then it is very difficult to assure that it is neither linkable
nor malleable. Indeed, if the public key is linear in the private key while the signature
is not, then there is likely linkability through the verification equation of the signature
scheme. On the other hand, if they are both linear in the private key then it is likely that
the system suffers from malleability.
In spite of this difficulty it is certainly possible to create self-blindable credential
schemes that are neither malleable nor linkable; we will discuss this in more detail in
Section 6.5. In the next section, we discuss a number of self-blindable credential schemes
that all suffer from one or both of these problems.

6.4 Broken self-blindable credential schemes


Example 6.8. For this example we reuse the PubKey function from Example 6.2, but this
time we use the weak Boneh–Boyen signature scheme instead (see Section 7.2 on p. 130
and [BB08]). In this scheme the public and private keys of the issuer are a ∈ Z_p and
A = aQ ∈ G2 respectively, as before. A signature on k ∈ Z_p is

$$S = \frac{1}{a + k}\,P.$$

Setting K = kQ ∈ G2 (note that now K ∈ G2, contrary to Example 6.2), the signature S may be
verified by checking that

$$e(S, A + K) \stackrel{?}{=} e(P, Q).$$
We still blind the public key and signature by multiplying it with a random number
α, i.e.,

$$\bar K = \mathrm{PubKey}(k, \alpha) = \alpha k Q$$

and

$$\bar S = \mathrm{Sig}_a(k, \alpha) = \frac{\alpha}{a + k}\,P.$$

In addition, the user will also have to send Ā = αA, P̄ = αP and Q̄ = αQ to the verifier.
The verification is done by checking

$$e(\bar S, \bar A + \bar K) \stackrel{?}{=} e(\bar P, \bar Q).$$

The ShowCredential protocol of this scheme might look as in Figure 6.1.

User                                             Verifier
choose blinding α ∈_R Z_p
send αK, αS, αA, αP, αQ   ──→   into K̄, S̄, Ā, P̄, Q̄
                                                 verify e(S̄, Ā + K̄) =? e(P̄, Q̄)
PK{(κ) : K̄ = κQ̄}   ←──→

Figure 6.1. Self-blindable credential scheme from Example 6.2 modified to use the
Boneh–Boyen signature scheme.



In this case, if k = k' then PubKey(k, α) + PubKey(k', α') = PubKey(k, α + α'), and
similarly Sig_a(k, α) + Sig_a(k', α') = Sig_a(k, α + α'), so that Verify_A will return true. On the
other hand, if k ≠ k', then

$$\mathrm{PubKey}(k, \alpha) + \mathrm{PubKey}(k', \alpha') = \mathrm{PubKey}(\alpha k + \alpha' k', 1)$$

while

$$\mathrm{Sig}_a(k, \alpha) + \mathrm{Sig}_a(k', \alpha') \neq \mathrm{Sig}_a(\alpha k + \alpha' k', 1)$$

so Verify_A will return false. Thus, this system is linkable.
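To make the calculations of Examples 6.2 and 6.8, and the linking test of Theorem 6.6 behind them, concrete, here is an added Python example; it is not code from this thesis or from [HJV10]. It replaces the pairing groups by a constructed toy model in which every group element is represented by its discrete logarithm modulo p with respect to the fixed generators P, Q and e(P, Q), so that addition in a group is addition modulo p, scalar multiplication is multiplication modulo p, and the pairing is multiplication modulo p. In such a model discrete logarithms are trivial, so the code only checks the algebraic relations behind the verification equations, the 1-malleability of the Chaum–Pedersen credential and the linkability of the Boneh–Boyen variant; it says nothing about the hardness assumptions. The prime p and all function names are assumptions of the example.

```python
"""Toy algebra for the self-blindable credentials of Examples 6.2 and 6.8.

Constructed model (an assumption of this added example): an element x*P of G1,
x*Q of G2 or e(P, Q)^x of GT is represented by the integer x mod p, so group
addition is addition mod p, scalar multiplication is multiplication mod p and
the pairing is e(x*P, y*Q) = x*y mod p.  Discrete logs are therefore trivial;
only the algebraic relations used in the chapter are being checked here.
"""
import secrets

P_ORDER = 2**127 - 1          # constructed prime group order
GEN = 1                       # the log of a generator (P, Q or e(P, Q)) is 1


def pair(x, y):
    """Pairing on discrete logs: e(xP, yQ) has log x*y."""
    return (x * y) % P_ORDER


def rand_scalar():
    return secrets.randbelow(P_ORDER - 1) + 1


# ---- Example 6.2: Chaum-Pedersen.  A = aQ, K = kP, S = aK (all as logs) ----

def cp_issue(a, k):
    """Issuer with secret a signs the public key K = kP; credential (k, K, S)."""
    K = k % P_ORDER
    S = (a * K) % P_ORDER
    return (k % P_ORDER, K, S)


def cp_blind(cred, alpha):
    """Self-blinding of Definition 6.1: (K_bar, S_bar) = (alpha*K, alpha*S)."""
    _, K, S = cred
    return ((alpha * K) % P_ORDER, (alpha * S) % P_ORDER)


def cp_verify(A, K_bar, S_bar):
    """Verifier's check e(K_bar, A) == e(S_bar, Q)."""
    return pair(K_bar, A) == pair(S_bar, GEN)


def cp_malleate(cred, alpha):
    """1-malleability: (alpha*k, alpha*K, alpha*S) is valid on the new key alpha*k."""
    k, K, S = cred
    return ((alpha * k) % P_ORDER, (alpha * K) % P_ORDER, (alpha * S) % P_ORDER)


def cp_is_valid(A, cred):
    """Validity as defined in Section 6.2: K = kP and S verifies under A."""
    k, K, S = cred
    return K == k % P_ORDER and cp_verify(A, K, S)


# ---- Example 6.8: weak Boneh-Boyen.  A = aQ, K = kQ, S = P/(a+k) ----

def bb_issue(a, k):
    """Credential (k, K, S) with S = (1/(a+k)) P."""
    return (k % P_ORDER, k % P_ORDER, pow((a + k) % P_ORDER, -1, P_ORDER))


def bb_show(cred, A, alpha):
    """First message of Figure 6.1: alpha * (K, S, A, P, Q)."""
    _, K, S = cred
    return tuple((alpha * v) % P_ORDER for v in (K, S, A, GEN, GEN))


def bb_verify(trace):
    """Verifier's check e(S_bar, A_bar + K_bar) == e(P_bar, Q_bar)."""
    K_bar, S_bar, A_bar, P_bar, Q_bar = trace
    return pair(S_bar, (A_bar + K_bar) % P_ORDER) == pair(P_bar, Q_bar)


def bb_link(trace1, trace2):
    """Theorem 6.6 applied by an eavesdropper: the componentwise sum of two
    traces is itself a verifying trace exactly when both came from the same k."""
    summed = tuple((u + v) % P_ORDER for u, v in zip(trace1, trace2))
    return bb_verify(summed)


if __name__ == "__main__":
    a = rand_scalar()                       # issuer's secret key
    A = (a * GEN) % P_ORDER                 # issuer's public key A = aQ
    cred = cp_issue(a, rand_scalar())
    assert cp_verify(A, *cp_blind(cred, rand_scalar()))
    forged = cp_malleate(cred, rand_scalar())
    assert cp_is_valid(A, forged) and forged[0] != cred[0]
    c1, c2 = bb_issue(a, rand_scalar()), bb_issue(a, rand_scalar())
    t1, t2 = bb_show(c1, A, rand_scalar()), bb_show(c1, A, rand_scalar())
    assert bb_verify(t1) and bb_verify(t2) and bb_link(t1, t2)
    assert not bb_link(t1, bb_show(c2, A, rand_scalar()))
    print("Chaum-Pedersen: malleable; Boneh-Boyen variant: linkable")
```

The sum of two Boneh–Boyen traces verifies because S̄ is a sum of the same fraction 1/(a+k) when the private keys agree, and a sum of different fractions otherwise; `bb_link` needs nothing beyond what is sent over the wire, which is why the linking of Example 6.8 is available to any eavesdropper.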

Example 6.9. Like the scheme from Example 6.2, the self-blindable credential scheme
from Kiyomoto and Tanaka [KT08] uses Chaum-Pedersen signatures, but this time on a
Type 1 curve (i.e., G1 = G2 = G and P = Q). The issuer’s public key is A = aP.
The private key here consists of two numbers (κ, κ') ∈ Z_p^2, where κ is random while
κ' = mκ is a non-repudiation private key; here m is a number encoding some valuable
piece of information related to the user. This would discourage users from sharing their
credential, because if another party learns κ and κ' then it could recover m. Setting
k := κ + κ', the corresponding public key and signature are K = kP and S = aK = akP.
The ShowCredential protocol of this scheme is shown in Figure 6.2.

User                                   Verifier
choose blinding α ∈_R Z_p
send αK, αS   ──→   into K̄, S̄
                                       verify e(K̄, A) =? e(S̄, P)
                                       choose nonce η ∈_R Z_p
into N   ←──   send ηP
send ακN, ακ'N   ──→   into M̄, M̄'
                                       verify e(M̄ + M̄', P) =? e(K̄, ηP)
                                       run RevocationCheck(K̄, M̄)

Figure 6.2. Self-blindable credential scheme by Kiyomoto et al. [KT08] (simplified).

User                                             Verifier
                                                 choose nonce η ∈_R Z_p
into N   ←──   send ηQ
choose blinding α ∈_R Z_p
send αS, αkN, αA, αN, αP   ──→   into S̄, K̄, Ā, Q̄, P̄
                                                 verify e(P̄, A) =? e(P, Ā)
                                                 verify e(P̄, ηQ) =? e(P, Q̄)
                                                 verify e(S̄, ηĀ + K̄) =? e(P̄, Q̄)
                                                 run RevocationCheck(Ā, K̄, Q̄)

Figure 6.3. Self-blindable credential scheme by Emura et al. [EMO09] (simplified).

This scheme suffers from a number of problems. First, the relation k = κ + mκ is
nowhere enforced by the ShowCredential protocol, in the sense that the user could use
λ, k − λ for some random λ ∈ Z_p instead of κ, κ'. This means that users can easily share
credentials after all, without fear of disclosing the valuable information encoded by m.
Second, without going into the details of the revocation mechanism, we remark that
it relies on how k splits into k = κ + κ 0 , so that the problem above allows users to
present revoked credentials without problems. (In addition, the revocation mechanism
introduces linkability.)
Third, since both the public key K and signature S are linear in both the blinding
factor α and private key k, by Corollary 6.7 the scheme is 1-malleable. For any α and
valid credential ((κ, κ'), K, S) the user can present the credential ((λ, αk − λ), αK, αS).
(Actually, because the public key A = aP ∈ G lives in the same group as the signatures
S = akP ∈ G, anyone can easily create his own credential by setting K = (κ + κ')P =: kP
for some random κ, κ' ∈ Z_p, and S = kA – that is, the system is actually 0-malleable.)

Example 6.10. Some of the problems of the credential scheme above were pointed out by
Emura et al. [EMO09], who came up with an improved protocol that we will examine in
this example. In this protocol the malleability is solved through the use of Boneh–Boyen
signatures. Theorem 6.6 shows, however, that it is linkable. We explain the problem
here.
The ShowCredential protocol is shown in Figure 6.3. As in Example 6.8, the Boneh–Boyen
signature is of the form

$$\Bigl(A,\ P,\ Q,\ S = \frac{1}{a + k}\,P\Bigr),$$

where A = aQ and K = kQ. We include the values A, P and Q explicitly in the signature
because these are blinded as well in the ShowCredential protocol. The blinding factor is
(η, α), where η is chosen by the verifier and α by the user. The blinded signature is then
(αA, αP, αηQ, αS), while the blinded public key is αηK.
Theorem 6.6 is directly applicable to this scheme; we now describe the resulting
linkability attack. Suppose the ShowCredential protocol is executed twice, and let (η_j, α_j)
be the blinding factors used in two runs of the ShowCredential protocol, for j = 1, 2. Let
Ā_j, P̄_j, Q̄_j, S̄_j, K̄_j be the values that the user sends to the verifier. We take the sum of two
traces as follows:

$$\begin{aligned}
\bar A &= \eta_1 \bar A_1 + \eta_2 \bar A_2 = (\alpha_1\eta_1 + \alpha_2\eta_2)\,A, \\
\bar P &= \bar P_1 + \bar P_2 = (\alpha_1 + \alpha_2)\,P, \\
\bar Q &= \bar Q_1 + \bar Q_2 = (\alpha_1\eta_1 + \alpha_2\eta_2)\,Q, \\
\bar S &= \bar S_1 + \bar S_2 = \alpha_1 S_1 + \alpha_2 S_2, \\
\bar K &= \bar K_1 + \bar K_2 = \alpha_1\eta_1 K_1 + \alpha_2\eta_2 K_2.
\end{aligned} \tag{6.3}$$

Now we put these values in the third verification equation as follows:

$$e(\bar S, \bar A + \bar K) \stackrel{?}{=} e(\bar P, \bar Q). \tag{6.4}$$

If K_1 = K_2 =: K, then also S_1 = S_2 =: S holds, and the lower two equations of (6.3)
become S̄ = (α_1 + α_2)S, K̄ = (α_1η_1 + α_2η_2)K. Then equation (6.4) will hold. On the
other hand, if K_1 ≠ K_2 then equation (6.4) will not hold. Thus, transactions are linkable
by the third verification equation.3
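The forgery of Example 6.9 and the two linking attacks on the scheme of Example 6.10 can be checked with the following added Python example; it is not code from this thesis, from [KT08] or from [EMO09]. It models the pairing groups by a constructed toy in which each group element is represented by its discrete logarithm modulo p with respect to fixed generators P, Q and e(P, Q), so that group addition is addition modulo p and the pairing is multiplication modulo p; this checks only the algebraic relations and nothing about hardness. For Example 6.9 the Type 1 setting means A = aP lies in the same group as the signatures, so anyone can compute S = kA for a self-chosen k. For Example 6.10 the block runs the ShowCredential protocol of Figure 6.3 with a verifier-chosen η and a user-chosen α, and then performs both the verifier-only linking test (6.4) and the eavesdropper's test from footnote 3. The prime and all names are assumptions of the example.

```python
"""Forgery in the Kiyomoto-Tanaka scheme (Example 6.9) and linking in the
Emura et al. scheme (Example 6.10), in a toy model.

Constructed model (an assumption of this added example): group elements are
represented by their discrete logs mod p with respect to P, Q and e(P, Q), so
addition in a group is addition mod p and e(xP, yQ) = x*y mod p.  This checks
only the algebraic relations, not any hardness assumption.
"""
import secrets

P_ORDER = 2**127 - 1     # constructed prime group order
GEN = 1                  # log of the generators P and Q


def pair(x, y):
    return (x * y) % P_ORDER


def rand_scalar():
    return secrets.randbelow(P_ORDER - 1) + 1


# ---- Example 6.9 (Type 1: G1 = G2, so A = aP can be used as a signing key) ----

def kt_verify(A, K_bar, S_bar):
    """First check of Figure 6.2: e(K_bar, A) == e(S_bar, P)."""
    return pair(K_bar, A) == pair(S_bar, GEN)


def kt_forge(A, kappa, kappa_prime):
    """0-malleability: with only the public key A, set k = kappa + kappa',
    K = kP and S = kA = akP, which is exactly the issuer's signature on K."""
    k = (kappa + kappa_prime) % P_ORDER
    return ((kappa, kappa_prime), k, (k * A) % P_ORDER)


# ---- Example 6.10: Emura et al., blinding factor (eta, alpha) ----

def em_issue(a, k):
    """Credential (k, K = kQ, S = P/(a+k)) as logs."""
    return (k % P_ORDER, k % P_ORDER, pow((a + k) % P_ORDER, -1, P_ORDER))


def em_show(cred, A, eta, alpha):
    """User's message of Figure 6.3 for N = eta*Q:
    (S_bar, K_bar, A_bar, Q_bar, P_bar) = (alpha*S, alpha*k*N, alpha*A, alpha*N, alpha*P)."""
    k, _, S = cred
    N = (eta * GEN) % P_ORDER
    return tuple(v % P_ORDER for v in (alpha * S, alpha * k * N, alpha * A,
                                       alpha * N, alpha * GEN))


def em_verify(A, eta, trace):
    """The three verifier checks of Figure 6.3 (eta is the verifier's own nonce)."""
    S_bar, K_bar, A_bar, Q_bar, P_bar = trace
    return (pair(P_bar, A) == pair(GEN, A_bar)
            and pair(P_bar, eta * GEN) == pair(GEN, Q_bar)
            and pair(S_bar, (eta * A_bar + K_bar) % P_ORDER) == pair(P_bar, Q_bar))


def em_link_verifier(eta1, trace1, eta2, trace2):
    """Linking test (6.4) on the summed traces; it needs eta1, eta2, so only
    the verifier can run it."""
    S1, K1, A1, Q1, P1 = trace1
    S2, K2, A2, Q2, P2 = trace2
    A_bar = (eta1 * A1 + eta2 * A2) % P_ORDER
    P_bar = (P1 + P2) % P_ORDER
    Q_bar = (Q1 + Q2) % P_ORDER
    S_bar = (S1 + S2) % P_ORDER
    K_bar = (K1 + K2) % P_ORDER
    return pair(S_bar, (A_bar + K_bar) % P_ORDER) == pair(P_bar, Q_bar)


def em_link_eavesdropper(trace1, trace2):
    """Footnote 3: e(P_bar1, S_bar2) == e(P_bar2, S_bar1) iff S1 == S2;
    needs nothing beyond the two observed traces."""
    S1, _, _, _, P1 = trace1
    S2, _, _, _, P2 = trace2
    return pair(P1, S2) == pair(P2, S1)


if __name__ == "__main__":
    a = rand_scalar()
    A = (a * GEN) % P_ORDER
    _, K, S = kt_forge(A, rand_scalar(), rand_scalar())
    assert kt_verify(A, K, S)                      # forged without the issuer
    c1, c2 = em_issue(a, rand_scalar()), em_issue(a, rand_scalar())
    eta1, eta2, eta3 = rand_scalar(), rand_scalar(), rand_scalar()
    t1 = em_show(c1, A, eta1, rand_scalar())
    t2 = em_show(c1, A, eta2, rand_scalar())
    t3 = em_show(c2, A, eta3, rand_scalar())
    assert all(em_verify(A, e, t) for e, t in ((eta1, t1), (eta2, t2), (eta3, t3)))
    assert em_link_verifier(eta1, t1, eta2, t2) and not em_link_verifier(eta1, t1, eta3, t3)
    assert em_link_eavesdropper(t1, t2) and not em_link_eavesdropper(t1, t3)
    print("KT08: forgeable; EMO09: linkable by the verifier and by eavesdroppers")
```

The two linking functions differ in what the attacker must know: `em_link_verifier` reconstructs Ā = η_1Ā_1 + η_2Ā_2 and therefore needs the nonces, whereas `em_link_eavesdropper` only pairs values that cross the wire, which is the observation of footnote 3.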

6.5 Do unmalleable, unlinkable self-blindable credential schemes exist?
Let us briefly consider a number of ways in which the pitfall outlined by Theorem 6.6
might be avoided. Suppose first that both the public key and the signature are linear in
the private key, and that the sum of a trace of the ShowCredential protocol again constitutes
a valid public key and signature. Then this can only be abused by a malicious user if
he is able to calculate the corresponding private key. Therefore, if this is not feasible
(perhaps because the private key k can only be calculated by the issuer, or because not
all private keys are valid or allowable), then the system would not be malleable in the
sense of Definition 6.4.

3Note, however, that only the verifier can calculate the element Ā = η_1Ā_1 + η_2Ā_2 (which is needed in order
to perform this linking attack), as it contains η_1, η_2 which are never sent to the user. This differs from the
linkability described in Example 6.8, in which anyone that can eavesdrop on the communication between the
user and verifier can execute the attack. On the other hand, transactions can also be linked by checking the
following equation:

$$e(\alpha_1 P, \alpha_2 S_2) = e(\bar P_1, \bar S_2) \stackrel{?}{=} e(\bar P_2, \bar S_1) = e(\alpha_2 P, \alpha_1 S_1),$$

which will hold if and only if S_1 = S_2; that is, when the signatures are the same. This attack can be done by
any eavesdropper.
As another approach, one might take a public key and signature scheme that are
both nonlinear in the private key k, or both nonlinear in the blinding factor α. In that
case neither of the statements of Theorem 6.6 would be applicable. Going further, the
ShowCredential protocol may be such that it is not necessary to send the public key to
the verifier at all, so that it can play no role in either linkability or malleability. (This
approach is taken in Idemix (see Example 6.11 below), and our own credential scheme
in Chapter 9.)
Finally, it is important to note that we have so far only considered deterministic
signature schemes (this is in fact implicitly enforced by our notations in this chapter).
Using nondeterministic signature schemes intuitively makes more sense for the purpose
of creating unlinkability, since in that case there no longer is a 1-to-1 correspondence
between the public key and its signature that could be exploited to link credentials. This,
too, is done both in Idemix and in our own scheme in Chapter 9.

Example 6.11. The Idemix credential scheme [CL01; IBM12] is an attribute-based credential
scheme which is neither linkable nor malleable, and indeed, Theorem 6.6 does
not apply to Idemix. This is because the ShowCredential protocol is substantially different
from the ones of the other schemes discussed so far. In short, it goes as follows:
the user partially blinds the Camenisch–Lysyanskaya [CL02] signature ( A, e, v), result-
ing into ( Ā, e, v̄), and sends Ā to the verifier. After that, they engage in an interactive
zero knowledge-proof in which the user shows that he knows e, v̄, and his private key,
without disclosing any of these. This has the following consequences:

• There is no clear separation between the sending and verification of the public key
and signature on the one hand, and a proof of knowledge of the secret key on the
other hand. Both of these happen in a single interactive algorithm.
• In fact, the user does not directly send the public key to the verifier at all, blinded or
otherwise. As a result, the map PubKey does not play any role in the ShowCredential
algorithm.
• The map SigSK is not linear in the blinding factor.

The first two points will also apply to our credential scheme in Chapter 9. For more on
Idemix, see also Remark 9.9 on p. 159.
Summarizing, self-blindable schemes that are both unmalleable and unlinkable cer-
tainly do exist: our scheme in Chapter 9 is an example – and if we take a slightly broader
view of self-blindability then Idemix is an example as well. The margin for error seems
to be small, however.
124 Chapter 6. Linkability and malleability in self-blindable credentials

6.6 Conclusion
Creating a self-blindable credential scheme which is neither malleable nor linkable is
hard, and indeed all self-blindable credential schemes that we have studied in this chap-
ter are broken. There is a common theme in their failures: the use of the verification
equation of the signature scheme in the ShowCredential protocol may cause linkability
or malleability. We believe that this observation in the form of Theorem 6.6 and Corol-
lary 6.7, together with the examples showing the consequences of this observation,
will be of help in the creation of new, secure and anonymous self-blindable credential
schemes.
Chapter 7

Partially blind Boneh–Boyen signatures

In a partially blind signature scheme, one part of the message as well as the resulting
signature is hidden from the signer, while the other part of the message is visible to
the signer. In this chapter we present a partially blind signature scheme that is closely
related to Boneh–Boyen signatures, and prove its security in the standard model using
only standard hardness assumptions. As an application, we introduce a single-show
attribute-based credential scheme with short signatures.
An early version of the signing protocol of the signature scheme and the security
proofs is due to Wouter Lueks. My contribution was to extend the protocol to support
partial blindness, to formalize the security proofs, the single-show attribute-based cre-
dential scheme, and the majority of the text below, with many helpful improvements
and suggestions from Wouter Lueks and Jaap-Henk Hoepman.

7.1 Introduction
A blind signature scheme allows a signer to sign a message without learning the message
or the resulting signature. First introduced by Chaum [Cha83], blind signatures are used
in many privacy-sensitive applications, like electronic cash (e.g., [CFN90]), electronic
voting (e.g., [JC97]), and unlinkable credentials (e.g., [Bra00; Cha90]).
In these applications the blind signatures hide private information, for example the
user’s identity. The signer has no control over this information. However, in some
scenarios the signer needs to add information to the signature that it does control, for
example an expiry date. In these cases one could use a partially blind signature scheme.
These schemes were introduced by Abe and Fujisaki [AF96] and further formalized by
Abe and Okamoto [AO00]. In such schemes one part of the message remains hidden
but another part is visible to the signer. The known part of the message, called common
information, can then be used for information that the signer and user agree upon in
advance.
The contribution of this chapter is twofold. Our first contribution is a partially blind
signing protocol for a signature scheme that is closely related to the Boneh–Boyen signa-
ture scheme [BB08], together with a full security proof in the standard model, using only
standard hardness assumptions. If no common information is included, our scheme re-
duces to a blind signature scheme for actual Boneh–Boyen signatures. This is the first
protocol for blindly signing Boneh–Boyen signatures (although a number of schemes
exist for closely related signature schemes; we review some of these in Section 7.6). The
Boneh–Boyen signature scheme produces very short signatures, and its security does
not rely on the random oracle model (ROM). This scheme has many applications, for ex-
ample, in attribute-based signatures [MPR11], group signatures [Gro07], and verifiable
random functions [DY05].
Our second contribution is a (single-show) attribute-based credential scheme that
makes use of our partially blind signature scheme. Our scheme is similar to U-Prove
[Bra00; PZ13], but unlike U-Prove, which does not have an unforgeability proof [BL13b],
our scheme is provably unforgeable in the standard model (i.e., without relying on the
random oracle model).
We first describe the Boneh–Boyen signature scheme itself in Section 7.2, after which
we define our partially blind signature scheme in Section 7.3. In Section 7.4, we prove that
our scheme is indeed partially blind and unforgeable. Next, in Section 7.5 we present
our single-show attribute-based credential scheme as a first example of our partially
blind signature scheme. Finally, in Section 7.6 we compare our scheme with a number
of other schemes from the literature.
In this chapter we use elements from Zn = Z/nZ for multiple values of n. For nota-
tional convenience we temporarily deviate from our previous conventions in this chapter,
and identify Zn with {0, . . . , n − 1}, that is, a ∈ Zn refers to the smallest nonnegative
representative of the equivalence class a mod n (instead of to the equivalence class it-
self). If m is a different integer and a ∈ Zn , this will allow us to write a mod m without
ambiguity. (Alternatively, we can consider “mod m” to be a map from Zn to Zm that
always acts on the lowest representative of its argument, and that happens to be a ring
homomorphism when m divides n.)

7.1.1 Partially blind signature schemes

A partially blind signature scheme [AO00; Cha83] is made up of three algorithms:
KeyGen, Sign, and Verify, for generating keys, signing messages, and verifying signatures,
respectively. These algorithms work as follows:

KeyGen(1^ℓ) Given a security parameter ℓ, this algorithm outputs a random key pair
(SK, PK) together with a description of the message space M and the space of
common information I.
Sign This is an interactive protocol between the signer S and a user U that results in a
signature σ on the hidden message m ∈ M and common information k ∈ I:

$$ S(SK, k) \leftrightarrow U(PK, m, k) \to \sigma. $$

Verify_PK(m, k, σ) This algorithm takes a public key PK, a message m ∈ M, common
information k ∈ I, and a signature σ. It returns valid or invalid.
This differs from the usual syntax of signature schemes (see Definition 5.22 on p. 101)
in that the Sign algorithm is interactive, and that the Verify_PK algorithm also takes the
common information k as argument.
The signature scheme should be correct, in the sense that a signature σ over (m, k)
signed with SK should verify with PK; i.e., if (SK, PK) ← KeyGen(1^ℓ) and S(SK, k) ↔
U(PK, m, k) → σ then Verify_PK(m, k, σ) outputs valid.
In the next two games, we define the security notions for partially blind signature
schemes. The blindness game follows the one by Abe and Okamoto [AO00], although
we have slightly simplified it by allowing the adversary full control over the common
information k.
Definition 7.1 (Blindness). We define blindness of a partially blind signature scheme
in terms of the following game. It is a game between an adversarial signer A and the
challenger who acts as two users. It proceeds as follows.
Setup Adversary A runs (SK, PK) ← KeyGen(1^ℓ), also obtaining the descriptions of
the spaces M and I. It chooses common information k ∈ I and two messages
m_0, m_1 ∈ M, and sends the description of M and I along with PK, m_0, m_1 and k
to the challenger.
Run The challenger chooses a bit d ∈_R {0, 1}, and simulates two users U_0 and U_1. It
gives m_d and m_{d̄} (where d̄ = 1 − d) to U_0 and U_1 respectively, and lets them perform
the signing protocol with the adversary.
Result If both users U_0 and U_1 output valid triples (m_d, k, σ_d) and (m_{d̄}, k, σ_{d̄}) respectively,
then the challenger sends σ_0 and σ_1 to the adversary.
Guess Adversary A outputs his guess d′ ∈ {0, 1}. It wins if d = d′ and the signatures
σ_0 and σ_1 are valid.
We say that a signer ε-breaks the blindness of a signature scheme if it can win this game
with advantage ε.
Notice that the game guarantees unlinkability only if the common information k is the
same in both signing sessions, otherwise the adversary could use k to link the signature
with its view of the Sign protocol.
Our unforgeability game follows that of Abe and Okamoto [AO00], with the exception
that in our game the adversary has full control over the common information k. It is
clear that if no such adversary exists, then an adversary that allows the challenger to
partly control k also cannot exist.
Definition 7.2 (Unforgeability under chosen-message attacks). We define unforgeabil-
ity under chosen-message attacks of a partially blind signature scheme in terms of the
following game. It is a game between an adversarial user A and a signer S , controlled
by the challenger. The game proceeds as follows.
Setup The challenger generates a private-public key pair (SK, PK) ← KeyGen(1^ℓ). It
sends PK along with the descriptions of M and I to the adversary A.
Queries The adversary and challenger engage in the Sign protocol over at most q
message-pairs (m_j, k_j) ∈ M × I that are chosen adaptively by the adversary.
In each query the adversary sends k_j to the challenger, while keeping m_j hidden.
Output For any k ∈ I, denote with q_k the number of successfully completed queries in
which the common information was k (if k occurred in none of the queries, set q_k =
0). The adversary A outputs some k ∈ I, together with q_k + 1 pairs (m_j, σ_j), and
wins the game if each σ_j is a valid signature over (m_j, k), and (m_{j_1}, σ_{j_1}) ≠ (m_{j_2}, σ_{j_2})
for all 1 ≤ j_1, j_2 ≤ q_k + 1, j_1 ≠ j_2.

We say that our signature scheme is (t, q, ε)-existentially unforgeable under chosen
message attacks if there exists no probabilistic polynomial-time algorithm that can win
the above game with probability ε, running in time at most t and making at most q
signature queries. In this game the adversary can let each message on which it queries
the challenger depend on the public key, and on the previous messages. Notice that it
suffices for the adversary to output just one extra pair (m, σ); for example, it could be
that σ is a new signature over an already seen message m_j, or perhaps the message is
new but σ = σ_j for some j. In these cases, the adversary still wins.


7.1.2 Weakly unforgeable signature schemes

We will reduce the unforgeability (in terms of the game above) of our partially blind
signature scheme to the unforgeability of weak Boneh–Boyen signatures. This signature
scheme satisfies a weaker form of unforgeability than unforgeability under adaptively-
chosen message attacks (see Definition 5.23 on p. 102), in the sense that the adversary has
to send the messages that it wants signed before it receives the public key; in particular,
it cannot choose them adaptively. The game is as follows [GMR88].

Definition 7.3 (Weak unforgeability under chosen message attacks). We define weak
unforgeability under chosen message attacks of a (non-blind) signature scheme in terms
of the following game. It is a game between an adversarial user A and a signer S , which
is controlled by the challenger. The game proceeds as follows.

Announcement The adversary A announces at most q messages m_1, …, m_q ∈ M that
it wants signed.
Response The challenger generates a private-public key pair (SK, PK) ← KeyGen(1^ℓ).
It generates q signatures σ_i ← Sign_SK(m_i) over the messages m_i that A chose earlier.
It sends PK and the signatures σ_i to A.
Output The adversary A outputs a pair (m, σ) and wins the game if σ is a valid signature
over m, and (m, σ) ≠ (m_i, σ_i) for all 1 ≤ i ≤ q.

We say that our signature scheme is (t, q, ε)-weakly existentially unforgeable under
chosen message attacks if there exists no probabilistic polynomial-time algorithm that
can win the above game with probability ε, running in time at most t and sending at
most q messages in the announcement phase.

7.1.3 Paillier encryption

Our interactive signing protocol uses Paillier encryption, so we briefly introduce this
scheme here. Recall that a public-key encryption scheme consists of three probabilistic
polynomial-time algorithms (KeyGen, Encrypt, Decrypt) together with a message space
M, where

• KeyGen(1^ℓ) Given a security parameter ℓ, this algorithm outputs a private key SK,
a public key PK, and a description of the message space M.
• For every (SK, PK) ← KeyGen(1^ℓ) and every m ∈ M,

    Decrypt(SK, Encrypt(PK, m)) = m.

One way to define security of a probabilistic public-key encryption scheme is to demand
that no adversary can distinguish between the ciphertexts of two known plaintexts. We
define this kind of indistinguishability below.
Definition 7.4 (IND-CPA). Let (KeyGen, Encrypt, Decrypt) be a probabilistic public-key
encryption scheme. The IND-CPA game proceeds as follows.

Setup The challenger runs (SK, PK) ← KeyGen(1^ℓ) for some security parameter ℓ, and
gives PK along with the description of M to the adversary.
Query The adversary chooses messages m_0, m_1 ∈ M and sends these to the challenger.
The challenger chooses a bit d ∈_R {0, 1}, and sends Encrypt(PK, m_d) to the adversary.
Result The adversary returns his guess d′. It wins if d′ = d.

We say that an encryption scheme is ε-indistinguishable under chosen plaintext attacks,
or ε-IND-CPA secure for short, if there exists no probabilistic polynomial-time algorithm
that can win this game with probability ε. If ε is negligible in the security parameter ℓ,
then we just say the scheme is IND-CPA secure.
The Paillier encryption scheme [Pai99] is implemented as follows.

KeyGen(1^ℓ) Choose two distinct prime numbers p and q such that n = pq is of length
ℓ, and such that gcd(n, (p − 1)(q − 1)) = 1. Compute λ = lcm(p − 1, q − 1),
and randomly select an integer g ∈ Z^*_{n^2} such that n divides the order of g (for
example, one could take g = n + 1, whose order equals n and whose inverse is
n^2 − n + 1). Return PK = (n, g) and SK = (p, q, g). The message space of the
scheme is M = Z_n.
Encrypt((n, g), m) Choose a random r ∈ Z^*_n and return g^m r^n mod n^2.
Decrypt((p, q, g), c) Compute λ and n from p and q, and return

$$ m = \frac{L(c^{\lambda} \bmod n^2)}{L(g^{\lambda} \bmod n^2)} \bmod n, $$

where¹ L(u) = (u − 1)/n.

¹ In the formula defining the Decrypt algorithm the division refers to division modulo n, while in the
definition of L, it refers to integer division. The latter is well-defined, because we have u^λ = 1 mod n for any
u ∈ Z^*_{n^2} due to Carmichael's theorem. The demand that n divides the order of g ensures that the inverse of
L(g^λ mod n^2) modulo n always exists.

Below we will write c = ⟦m⟧ if c ∈ Z^*_{n^2} is such that Decrypt(λ, c) = m. The Paillier
encryption scheme is well-suited for our needs, because of the following reasons:
• It is additively homomorphic: that is, given the ciphertexts ⟦m_1⟧ = g^{m_1} r_1^n, ⟦m_2⟧ =
g^{m_2} r_2^n of two messages m_1 and m_2, one can calculate ⟦m_1 + m_2⟧ by ⟦m_1⟧⟦m_2⟧ =
g^{m_1 + m_2} (r_1 r_2)^n = ⟦m_1 + m_2⟧.
• To a verifier that knows a ciphertext M = ⟦m⟧ but not m itself, one can prove
knowledge of m and the randomness r such that ⟦m⟧ = g^m r^n mod n^2; that is, one
can prove

$$ PK_{\Sigma}\{(m, r) : M = g^{m} r^{n} \bmod n^2\}, $$

using the Σ-protocol from (the extended version of) [CDN01]. As this is a Σ-
protocol it is only honest-verifier zero-knowledge, but using standard techniques
[CDM00] it can be converted to a 4-move zero-knowledge proof of knowledge.
If n = pq with p, q two large primes and z is an integer, then we say that z is an n-residue
modulo n^2 if there exists a y such that z = y^n mod n^2. Paillier proved that his encryption
scheme is IND-CPA secure based on the following assumption [Pai99].
Definition 7.5 (Decisional Composite Residuosity Assumption (DCRA)). The DCRA
assumption states that there is no probabilistic polynomial-time algorithm that, given a
composite n and integer z, can decide whether z is an n-residue modulo n^2 or not, with
a probability that is non-negligible in the size of n.

7.2 The Boneh–Boyen signature scheme

There are two versions of the Boneh–Boyen signature scheme [BB08]: a nondeterministic
one that is strongly unforgeable under adaptively-chosen message attacks (see Defini-
tion 5.23 and the following paragraph on p. 102), and a deterministic one that is weakly
unforgeable under chosen-message attacks (as in Definition 7.3). We describe the former
first, after which we show how it can be reduced to the latter.
KeyGen(1^ℓ) Generate a Type 3 bilinear group pair (G_1, G_2), such that |p| = ℓ, with p
the order of G_1 and G_2. Pick two generators P ∈ G_1, Q ∈ G_2. Choose two private
keys a, b ∈ Z^*_p, and set A = aP and B = bP. The public key is the description of G_1
and G_2, together with (p, e, P, Q, A, B), and the private key is (a, b). The message
space is Z_p.
Sign_(a, b)(m) Choose a random value r ∈ Z_p \ {−(a + m)/b} and compute

$$ S = \frac{1}{a + m + rb} Q; \qquad (7.1) $$

the additions and inverses are calculated modulo p. The signature is the pair (S, r).
Verify_(p, e, P, Q, A, B)(m) Using the bilinear pairing e, verify that e(A + mP + rB, S) =
e(P, Q). Return true if and only if this equation holds.
If the signature was correctly generated, then

$$ e(A + mP + rB, S) = e\Big((a + m + rb)P, \frac{1}{a + m + rb} Q\Big) = e(P, Q) $$

so that the signature will verify.

We refer to this scheme as the strong Boneh–Boyen signature scheme. The weak
Boneh–Boyen signature scheme is obtained by setting r = 0 and removing b and B
from the private and public keys, respectively. Thus, a weak Boneh–Boyen signature
on the message m ∈ Z_p would be S = (1/(a + m)) Q. The weak scheme is weakly unforgeable
under chosen-message attacks in the sense of Definition 7.3. Boneh and Boyen prove
the unforgeability of their strong scheme by reducing it to that of their weak scheme.
The unforgeability of the weak scheme, in turn, relies on the Strong Diffie-Hellman
assumption.
Definition 7.6 (Strong Diffie-Hellman assumption). The q-Strong Diffie-Hellman as-
sumption holds in G_1, G_2 if, when given as input a (q + 3)-tuple of elements

$$ (P, xP, Q, xQ, x^{2}Q, \ldots, x^{q}Q) \in G_1^{2} \times G_2^{q+1}, $$

it is intractable to output a pair $\big(d, \frac{1}{x + d} Q\big) \in Z_p \times G_2$
for a freely chosen value d ∈ Z_p \ {−x}.
The Strong Diffie-Hellman (SDH) assumption is the unparameterized version of this
assumption, as follows. Let eα : G1,α × G2,α → GT,α be a family of pairings, such that
G1,α and G2,α are group families, as in Section 5.2. Then the SDH assumption holds in
{ G1,α , G2,α }α if for any positive polynomial q : Z → N, the q(|α|)-Strong Diffie-Hellman
assumption holds within G1,α and G2,α .
Like the whLRSW and (X)KEA assumptions from Chapter 9, the SDH assumption can
be proven to hold in the generic group model (see Section 9.5.2). For a more elaborate
description of the assumption, and of the signature scheme and its properties, we refer
to the original paper by Boneh and Boyen [BB08].

7.3 The partially blind Boneh–Boyen scheme

To include the common information k ∈ I, we use the following special case of the
Generalized Strong Boneh–Boyen (GSBB) signature scheme [Bha+09]. We take the strong
Boneh–Boyen signature scheme and include c ∈ Z^*_p and C = cP in the private and public
keys, respectively, i.e.,

$$ SK = (a, b, c) \quad\text{and}\quad PK = (p, e, P, Q, A, B, C). $$

The message space M and common-information space I both are Z_p. For m, k ∈ Z_p, a
signature will be (S, r) ∈ G_2 × Z_p, where

$$ S = \frac{1}{a + m + rb + kc} Q. $$
Common information: Boneh–Boyen public key (e, p, P, Q, A, B, C), common information k ∈ I

User                                                  Signer
knows message m ∈ Z_p                                 knows secret keys a, b, c ∈ Z_p

Phase 1
Generate Paillier (p′, q′, g)
Choose β, r_1 ∈_R Z^*_p
send n = p′q′, g, ⟦β⟧, ⟦βr_1⟧        −→        into n, g, X, Y
PK{(β, δ) : X = ⟦β⟧ ∧ Y = ⟦δ⟧}

Phase 2
                                                      choose r_2 ∈_R Z_p
                                                      choose γ ∈_R {0, …, n − 2p^2 − 3p^3}
into D                                ←−        send X^{a + r_2 b + kc} Y^b ⟦γ⟧
PK_Σ{(ρ, b, γ) : D = X^ρ Y^b ⟦γ⟧ mod n^2}

Phase 3
set s̃ ← Decrypt(D)
send s̃ + βm mod p                    −→        into ŝ

Phase 4
                                                      set s = ŝ − (γ mod p)
into S̄, r_2                           ←−        send (1/s) Q, r_2

Phase 5
set S = βS̄, r = r_1 + r_2
Verify_PK(m, k, S)
return (S, r)

Figure 7.1. Our interactive partially blind signing protocol from Definition 7.7.

The signature is valid only if

e( A + mP + rB + kC, S) = e( P, Q).

Definition 7.7 (Partially blind signing protocol). To obtain a signature on a message m
and common information k (on which the user and signer agreed in advance), the user
and the signer (who knows the private keys a, b, c), interact in the following way² (see
also Figure 7.1).
1. The user generates a new Paillier encryption system (p′, q′, g) (we use accents to
prevent a notational clash with the modulus p of Z_p) such that n = p′q′ exceeds p^4,
and such that factoring n is infeasible. Then, it generates a blinding factor β ∈_R Z^*_p
and a randomizer r_1 ∈_R Z^*_p for use in the resulting signature, and sets X = ⟦β⟧ and
Y = ⟦βr_1⟧. It sends n, g, X, Y to the signer, and proves that it knows the plaintexts
of X and Y:

$$ PK\{(\beta, \delta) : X = \llbracket \beta \rrbracket \wedge Y = \llbracket \delta \rrbracket\}. $$

² The private keys a, b, c of the signer, as well as the messages m, k and randomness r_1, r_2, of a signature are
all elements of Z_p. In the protocol we embed these elements in the message space of the Paillier encryption
scheme, which is Z_n (for some n that we will take to be much larger than p). This means that when adding
and multiplying these numbers in the protocol below, we refer to integer arithmetic (as opposed to arithmetic
within Z_p). In the third step of the protocol, there is a reduction modulo p that restores them as elements of
Z_p.


2. If the proof is correct the signer generates randomness r_2 ∈_R Z_p and a blinding
term γ ∈_R {0, …, n − 2p^2 − 3p^3} (this maximum value for γ ensures that no
reduction modulo n will occur). The signer calculates

$$ D = X^{a + r_2 b + kc}\, Y^{b}\, \llbracket \gamma \rrbracket \bmod n^2 = \llbracket \beta(a + (r_1 + r_2)b + kc) + \gamma \bmod n \rrbracket. $$

It sends D to the user and proves that it constructed D correctly using a Σ-protocol:

$$ PK_{\Sigma}\{(\rho, b, \gamma) : D = X^{\rho} Y^{b} \llbracket \gamma \rrbracket \bmod n^2\}. $$

3. The user calculates

$$ \tilde{s} = \mathrm{Decrypt}(D) + \beta m \bmod n = \beta(a + m + (r_1 + r_2)b + kc) + \gamma \bmod n, $$

and sends ŝ = s̃ mod p to the signer (here, the reduction modulo p is done by
taking the smallest positive representative of s̃).
4. The signer removes γ by calculating s = ŝ − γ mod p, and sends S̄ = (1/s) Q together
with r_2 to the user.
5. Finally, the user unblinds the signature to obtain

$$ S = \beta \bar{S} = \frac{1}{a + m + (r_1 + r_2)b + kc} Q. $$

Setting r = r_1 + r_2, it accepts if (S, r) is a valid signature on m and k.


The protocol is summarized in Figure 7.1. It consists of 9 moves. In the security proofs we
will need a simulator (against possibly dishonest verifiers) as well as an extractor for the
proof of knowledge performed by the user in step 1, so that it must be a zero-knowledge
proof of knowledge. However, for the proof of knowledge from step 2 performed by the
signer we need no such simulator but only an extractor, so that it suffices for this proof
to be a Σ-protocol.
Proposition 7.8. The blind Boneh–Boyen signature scheme as described in Definition 7.7 is
correct.

Proof. If both the user and the signer follow the protocol, then at the start of step 3 the
user calculates the value

$$ \tilde{s} = \beta\rho + \beta r_1 b + \gamma + \beta m \bmod n = \beta(a + m + (r_1 + r_2)b + kc) + \gamma \bmod n. \qquad (7.2) $$

It is clear that this results in a valid signature if no modular reduction occurred, i.e., if
s̃ = β(a + m + (r_1 + r_2)b + kc) + γ. We now show that this is always the case. Consider the
expression β(a + m + (r_1 + r_2)b + kc). The maximum value of each of these variables is
at most p − 1, hence β(a + m + (r_1 + r_2)b + kc) < p(p + p + (p + p)p + p^2) = 2p^2 + 3p^3.
Since γ is chosen from {0, …, n − 2p^2 − 3p^3}, it follows that s̃ indeed equals β(a + m +
(r_1 + r_2)b + kc) + γ and that no modular reduction occurred.
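The Paillier scheme of Section 7.1.3 and phases 1 to 5 of the signing protocol of Definition 7.7, as an added example that is not the thesis' own code. It assumes that the pairing groups are replaced by their exponents modulo p, so that the signature (1/s)Q is represented by 1/s mod p and the verification equation becomes the trapdoor check check_signature_exponent; the helpers is_probable_prime and random_prime and the toy parameter sizes are likewise this example's own, and the no-wrap-around claim of Proposition 7.8 is asserted directly in phase 3.

```python
"""Added example, not the thesis' own code: Paillier (Section 7.1.3) plus
phases 1-5 of the signing protocol of Figure 7.1, run on exponents only.
The pairing groups are not implemented: a signature S = (1/s) Q is kept as
1/s mod p, and e(A + mP + rB + kC, S) = e(P, Q) holds exactly when that
exponent inverts a + m + rb + kc mod p (see check_signature_exponent).
All helper names and the toy parameter sizes are this example's own."""
import secrets
from math import gcd

def is_probable_prime(n, rounds=32):
    """Miller-Rabin test (assumed helper, not part of the thesis)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random prime with exactly `bits` bits (assumed helper)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

# ---- Paillier (Section 7.1.3) with g = n + 1 ----------------------------
def paillier_keygen(prime_bits):
    """PK = (n, g), SK = (p, q, g); requires gcd(n, (p-1)(q-1)) = 1."""
    while True:
        p, q = random_prime(prime_bits), random_prime(prime_bits)
        n = p * q
        if p != q and gcd(n, (p - 1) * (q - 1)) == 1:
            return (n, n + 1), (p, q, n + 1)

def paillier_encrypt(pk, m):
    """[[m]] = g^m r^n mod n^2 for a random r in Z_n^*."""
    n, g = pk
    while True:
        r = secrets.randbelow(n)
        if r and gcd(r, n) == 1:
            return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def paillier_decrypt(sk, c):
    """m = L(c^lam mod n^2) / L(g^lam mod n^2) mod n, with L(u) = (u-1)//n."""
    p, q, g = sk
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    L = lambda u: (u - 1) // n   # integer division, as in footnote 1
    return L(pow(c, lam, n * n)) * pow(L(pow(g, lam, n * n)), -1, n) % n

# ---- Phases 1-5 of Figure 7.1, carried out on exponents only -----------
def blind_sign_exponent(p, sk_bb, m, k):
    """User holds m; signer holds (a, b, c) and sees only k, n, g, X, Y, s_hat."""
    a, b, c = sk_bb
    # Phase 1 (user): Paillier key with n > p^4, blinding beta, randomizer r1
    pk, skp = paillier_keygen(2 * p.bit_length() + 8)
    n = pk[0]
    assert n > p ** 4
    beta, r1 = secrets.randbelow(p - 1) + 1, secrets.randbelow(p - 1) + 1
    X, Y = paillier_encrypt(pk, beta), paillier_encrypt(pk, beta * r1)
    # Phase 2 (signer): gamma <= n - 2p^2 - 3p^3, so s~ never wraps modulo n
    r2 = secrets.randbelow(p)
    gamma = secrets.randbelow(n - 2 * p ** 2 - 3 * p ** 3 + 1)
    nn = n * n
    D = pow(X, a + r2 * b + k * c, nn) * pow(Y, b, nn) * paillier_encrypt(pk, gamma) % nn
    # Phase 3 (user): s~ = Decrypt(D) + beta*m mod n, then reduce modulo p
    s_tilde = (paillier_decrypt(skp, D) + beta * m) % n
    assert s_tilde == beta * (a + m + (r1 + r2) * b + k * c) + gamma  # Prop. 7.8
    s_hat = s_tilde % p
    # Phase 4 (signer): strip gamma; the real signer would send (1/s) Q and r2
    s = (s_hat - gamma) % p
    if s == 0:   # a + m + rb + kc = 0 mod p, probability 1/p: restart
        raise ValueError("degenerate exponent, restart the protocol")
    s_bar_exp = pow(s, -1, p)
    # Phase 5 (user): S = beta * S_bar, r = r1 + r2
    return beta * s_bar_exp % p, (r1 + r2) % p

def check_signature_exponent(p, sk_bb, m, k, s_exp, r):
    """Stand-in for e(A + mP + rB + kC, S) = e(P, Q); uses the trapdoor (a, b, c)."""
    a, b, c = sk_bb
    return s_exp * (a + m + r * b + k * c) % p == 1
```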

The purpose of the number γ is to make the number s̃ = d + γ := β(a + (r_1 + r_2)b +
kc) + γ appear randomly distributed in Z_n, so that it leaks no information about a, b and
c. This will be the case unless d + γ < 2p^2 + 3p^3 or d + γ > n − 2p^2 − 3p^3. Denote with
E the event that either of those two happens. Recalling that n > p^4 and that p > 2^{ℓ−1}
(where ℓ is the security parameter), we have

$$ P(E) = \frac{2(2p^2 + 3p^3)}{n} < \frac{8p^3}{n} < \frac{8p^3}{p^4} = \frac{8}{p} < 2^{-\ell + 4}, $$

which is negligible in ℓ.

7.3.1 Blind Boneh–Boyen signatures

If we include no common information by setting k = 0 and removing c and C from the
signer’s private and public key, then Figure 7.1 reduces to a blind signing protocol for
Boneh–Boyen signatures, and the theorems below then prove that this protocol is blind
and that the scheme is unforgeable.

7.4 Blindness and unforgeability

In this section we prove that the signer learns nothing about the message and signature
(blindness), and that an attacker cannot forge signatures even if it can use the interactive
signing protocol at will.

7.4.1 Blindness
We reduce the partial blindness of our signing protocol to the IND-CPA indistinguisha-
bility (as in Definition 7.4) of the Paillier encryption scheme. The idea of the proof hinges
on two facts. One, the adversary learns nothing about the values of β and βr1 because
they are Paillier encrypted. Two, the remaining values in the adversary’s view can cor-
respond to any signature. We prove the former for β by arguing that the advantage of
an adversarial signer cannot depend on the plaintext of X that it receives in the first step
of the signing protocol (see Definition 7.7). A similar argument then shows the same for
βr1 .
Definition 7.9. We say that a user sends the correct X in the first step of the signing
protocol when the plaintext β of X is the same β that occurs in the value ŝ = β( a + m +
rb + kc) + γ mod p that the user sends in step 3.

Lemma 7.10. Consider an adversarial signing algorithm whose advantage for winning the blind-
ness game (as in Definition 7.1) for our partially blind Boneh–Boyen signing algorithm is ε_+
when both simulated users U_0 and U_1 send the correct X, and ε_− when both users do not send
the correct X. If Paillier is ε-IND-CPA secure, then |ε_+ − ε_−|/2 < ε.

Proof. Suppose that we have an adversary A whose advantage at the blindness game
is ε_+ when the users send the correct X, and ε_− when the users do not. We assume³
ε_+ > ε_−, and set (ε_+ − ε_−)/2 = ε′. We build an algorithm B that has an advantage ε′
at winning the IND-CPA game. B will act as the adversary in the IND-CPA game, and
as the challenger in the blindness game. It proceeds as follows.

1. The challenger of B outputs a Paillier public key PK. B chooses β_0, β_1 ∈ Z_p and
sends these to his challenger, who responds by choosing d ∈_R {0, 1} and sending
⟦β_d⟧ to B.
2. The adversary A generates a partially blind Boneh–Boyen public-private keypair,
common information k ∈ I and messages m_0, m_1 ∈ M. It sends the public key
and k, m_0, m_1 to B.
3. Distinguisher B flips a bit b ∈_R {0, 1}, and gives m_b to simulated user U_0 and m_{b̄}
to simulated user U_1. The users engage in the signing protocol with the adversary
A. In step 1, user U_0 sends X = ⟦β_d⟧ while user U_1 sends X = ⟦β_d⟧⟦β_1 − β_0⟧ =
⟦β_d + β_1 − β_0⟧. Note that if d = 0 then they both send the correct X, while if d = 1
then both of them do not.
The users calculate Y honestly, i.e., Y = ⟦β_i r_1⟧ for user U_i. They simulate the
zero-knowledge proof of step 1.
4. At the end of step 2, both users extract ρ, b, γ from the zero-knowledge proof
performed by A. Then, user U_0 calculates

$$ \hat{s} = \beta_0(\rho + m_b + r_1 b) + \gamma \bmod p $$

and similarly for user U_1. They send this value for ŝ to A in step 3. Thus, the value
ŝ is what it would normally be (cf. equation (7.2)), while X is either correct for
both users if the challenger chose d = 0, or incorrect for both users if d = 1.
5. Adversary A outputs a guess b′. Distinguisher B outputs d′ = 0 if A wins (i.e.,
b = b′) and d′ = 1 if it loses.

We now calculate the probability that B outputs the correct answer. If d = 0 then B
outputs the correct guess d′ = 0 if A wins, which happens with probability 1/2 + ε_+. If
d = 1, then B outputs the correct guess d′ = 1 if A loses, which happens with probability
1/2 − ε_−. The chance of B winning is thus

$$ \frac{1}{2}\Big(\frac{1}{2} + \varepsilon_+\Big) + \frac{1}{2}\Big(\frac{1}{2} - \varepsilon_-\Big) = \frac{1}{2} + \frac{1}{2}(\varepsilon_+ - \varepsilon_-), $$

meaning that the advantage of B at winning the IND-CPA game is (ε_+ − ε_−)/2 = ε′.
Thus, if Paillier encryption is ε-IND-CPA secure, it follows that indeed ε′ = (ε_+ −
ε_−)/2 < ε.

³ The opposite assumption does not make much sense, but with minor modifications the proof can then
still be made to work.

With small modifications in the reduction above, it is easy to prove a similar statement
where not both but just one of the users sends a correct X. Furthermore, it is clear that
the same arguments can be applied to Y = ⟦βr_1⟧.

Theorem 7.11. No adversary can break the partial blindness of the partially blind Boneh–Boyen
signature scheme with advantage ε, provided that Paillier is (ε/2)-IND-CPA secure.

Proof. The view of the signer of a signing is

$$ D = \{k, \llbracket \beta \rrbracket, \llbracket \beta r_1 \rrbracket, \beta(\rho + r_1 b' + m) + \gamma \bmod p, \gamma, r_2\}. $$

We use a prime on the number b′ because it is nowhere enforced that it equals the
signer's secret key b (we will discuss this subtlety shortly). Let us call the second, third
and fourth elements of this trace X, Y and ŝ respectively, so that D = {k, X, Y, ŝ, γ, r_2}.
By the lemma above, the adversary cannot use X or Y to his advantage, so we can leave
them out. In addition, the common information k has the same value, independent from
the choice for d that the challenger makes.
Therefore the only pieces of information that could possibly increase the adversary's
advantage are the values ŝ, γ and r_2. Now as it is nowhere enforced in the signing protocol
that b′ = b, we must consider the possibility that the adversary chooses b′ = 0 mod p.
But then r_1 vanishes from ŝ, and we have already shown that the adversary cannot use
Y = ⟦βr_1⟧, the only other element of its view that depends on r_1, to its advantage. It
follows that the value for r_1 is completely hidden from the adversary, so that it has no
way of knowing which value for r_2 would result in a valid signature. Thus the output
in this case is with overwhelming probability an invalid signature, so that the adversary
automatically loses.
We may therefore restrict our attention to the possibility that b′ ≠ 0 mod p. In that
case, however, for any valid tuple (m, k, r, S) there exist numbers β, r_1 ∈ Z^*_p such that
r = r_1 + r_2 and ŝ = β(ρ + r_1 b′ + m) + γ mod p (even if b′ ≠ b mod p). Thus, any view
can correspond to any message-signature pair.

7.4.2 Unforgeability
Theorem 7.12. If the weak Boneh–Boyen scheme is (q, ε)-weakly unforgeable under chosen-
message attacks, then our Blind Boneh–Boyen scheme is (q, ε′)-unforgeable under chosen-message
attacks, where ε′ − ε is negligible.

Proof. Suppose we have an adversary A that breaks the unforgeability of our scheme
under chosen-message attacks. In order to prove the theorem, we will need to create
not one but three challengers B_A, B_B, B_C for A. Our argument will run as follows:
challenger B_A will either forge weak Boneh–Boyen signatures, or it will fail. But if it
succeeds, then we can use either challenger B_B or B_C to solve discrete logarithms. Since
none of these things can happen, it follows that our scheme must be unforgeable.
In the proof below, the adversary A plays the unforgeability game for partially blind
signature schemes with algorithms B_A, B_B and B_C, who on the one hand serve as chal-
lenger for A. On the other hand, these algorithms simultaneously act as the adversary in
the unforgeability game for weak Boneh–Boyen signatures; we will construct them such
that they use what they learn from adversary A to win this game. They act as follows.


Setup Challengers $\mathcal{B}_A$, $\mathcal{B}_B$ and $\mathcal{B}_C$ choose $q$ messages $w_1, \ldots, w_q \in \mathbb{Z}_p$ and send them
to their own challenger from the weak Boneh–Boyen unforgeability game as the
messages that they want signed. In response, the weak Boneh–Boyen challenger
chooses a private-public key pair, which we will denote by $(a, A)$, $(b, B)$ and $(c, C)$
for challengers $\mathcal{B}_A$, $\mathcal{B}_B$, $\mathcal{B}_C$ respectively. The weak Boneh–Boyen challenger signs
the messages $w_1, \ldots, w_q$, resulting in signatures $S_1, \ldots, S_q$, and sends these to
our challengers.
Next, our challengers create the two missing private-public key pairs (for example,
$\mathcal{B}_B$ chooses $a, c \in_R \mathbb{Z}_p^*$, and sets $A = aP$, $C = cP$). They then send $A, B, C$ to the
adversary $\mathcal{A}$.
Queries Proceeding adaptively, adversary $\mathcal{A}$ engages with our challengers in the blind
Boneh–Boyen signing algorithm for $q$ message-pairs $(m_1, k_1), \ldots, (m_q, k_q)$. Our
three challengers all perform the following actions on the $j$-th query.
• At the end of step 1, our challenger extracts the values $\beta, \delta$ that $\mathcal{A}$ chose for
message $m_j$ from the zero-knowledge proof, and sets $r_1 = \delta/\beta$.
• In step 2, $\mathcal{B}_A$ chooses $a' \in_R \mathbb{Z}_p$ and acts as if this is the private key of its
challenger; similarly, $\mathcal{B}_B$ fakes $b$ and $\mathcal{B}_C$ fakes $c$. In addition, they act as if
$r_2 = 0$. They run the zero-knowledge proof normally. As $D$ is blinded by $\gamma$ and
the zero-knowledge proof is hiding, $\mathcal{A}$ cannot detect these changes.
• In step 3, $\mathcal{B}_A$ learns $\beta(a' + m_j + r_1 b + k_j c)$. As it knows all variables except for
$m_j$, it can solve this to learn $m_j$. Challengers $\mathcal{B}_B$ and $\mathcal{B}_C$ can learn the message
$m_j$ in much the same way.
Our challengers now answer the adversary’s query as follows.
Challenger $\mathcal{B}_A$ chooses $r_2 \in \mathbb{Z}_p$ such that $m_j + (r_1 + r_2)b + k_j c = w_j \bmod p$. For
this message it received a valid signature $S_j$ in the announcement phase.
Then, it sends $(\beta^{-1} S_j, r_2)$ back to $\mathcal{A}$ in step 4.
Challenger $\mathcal{B}_B$ sets $r_2 = (a + m_j + k_j c)/w_j - r_1$ and $\bar{S} = \frac{w_j}{a + m_j + k_j c} S_j$, and
sends $(\beta^{-1} \bar{S}, r_2)$ to $\mathcal{A}$ in step 4. From the point of view of the adversary this
indeed results in a valid signature over its query:

\[
\begin{aligned}
e(A + mP + rB + kC, \bar{S})
&= e\Big(\Big(a + m_j + \frac{m_j + a + k_j c}{w_j}\, b + k_j c\Big) P,\ \frac{w_j}{a + m_j + k_j c}\, S_j\Big) \\
&= e\Big(\frac{m_j + a + k_j c}{w_j}\,(b + w_j)\, P,\ \frac{w_j}{a + m_j + k_j c}\,\frac{1}{b + w_j}\, Q\Big) \\
&= e(P, Q).
\end{aligned}
\]

Challenger $\mathcal{B}_C$ sets $r_2 = (k w_j - m - a)/b - r_1$ and $\bar{S} = k^{-1} S_j$, and sends $(\beta^{-1} \bar{S}, r_2)$
to $\mathcal{A}$ in step 4. From the point of view of the adversary this indeed results
in a valid signature over its query:

\[
\begin{aligned}
e(A + mP + rB + kC, \bar{S})
&= e\Big(\Big(a + m + \frac{k w_j - m - a}{b}\, b + kc\Big) P,\ \frac{1}{k}\, S_j\Big) \\
&= e\Big(\frac{1}{k}\,(k w_j + kc)\, P,\ \frac{1}{c + w_j}\, Q\Big) = e(P, Q).
\end{aligned}
\]

Output For reasons that will become clear shortly, it suffices here to consider only
challenger $\mathcal{B}_A$. If adversary $\mathcal{A}$ sends $k \in I$ and $q_k + 1$ tuples $(m_j, k, r_j, S_j)$ to our
challengers, and if one of the tuples from the adversary is such that
$m_j + r_j b + kc \neq w_h$ for all $1 \leq h \leq q$, then $\mathcal{B}_A$ sends $(m_j + r_j b + kc, S_j)$ to its
challenger; otherwise it aborts.
The output of $\mathcal{B}_A$ will be correct if and only if that of $\mathcal{A}$ is correct. Thus it only remains
to show that there is a $j$ such that $m_j + r_j b + kc \neq w_h$ for all $h$. We now show that this is
so with overwhelming probability.
Indeed, suppose that adversary $\mathcal{A}$ won the game. This implies that all $q_k + 1$ tuples
$(m_j, r_j, S_j)$ are distinct. Since $(m_j, k, r_j)$ uniquely determines $S_j$, this means that all $q_k + 1$
pairs $(m_j, r_j)$ must be distinct. But now suppose that there are two unequal numbers $j, k$
such that

\[
m_j + r_j b + kc = w_k = m_h + r_h b + k_h c \bmod p. \tag{7.3}
\]

This means that $b$ or $c$ could be calculated by

\[
b = \frac{m_j - m_h + c(k_j - k_h)}{r_h - r_j} \bmod p, \qquad
c = \frac{m_j - m_h + b(r_j - r_h)}{k_h - k} \bmod p.
\]

Notice that at least one of these will work:

• If $k_h \neq k$ then the right equation will result in $c$.
• If $k_h = k$ then $r_k \neq r_j$, otherwise not all pairs $(m_j, r_j)$ would be distinct by
equation (7.3), so the left equation will give $b$.
By using the challengers $\mathcal{B}_B$ or $\mathcal{B}_C$ constructed above, so that we do not need to know $b$
or $c$ in advance, this leads to a violation of the discrete logarithm problem. Additionally,
since $\mathcal{B}_B$ and $\mathcal{B}_C$ now know the private key of their weak Boneh–Boyen challenger, they
can easily win the weak Boneh–Boyen unforgeability game.
We conclude that there must with overwhelming probability be a $j$ such that
$m_j + r_j b + kc \neq w_h$. This means that in this case the output $(m_j + r_j b + kc, S_j)$ of challenger $\mathcal{B}_A$
is new (i.e., unequal to all message-signature pairs that it received in the Setup phase), so
that $\mathcal{B}_A$ wins the weak Boneh–Boyen unforgeability game. Therefore, if $\mathcal{A}$ has advantage
$\epsilon$, then the advantage of $\mathcal{B}_A$ will be negligibly close to $\epsilon$.

7.5 Attribute-based credentials using our scheme


In this section we show that we can use our new blind signature scheme to construct a
(single-show) attribute-based credential scheme that is similar to U-Prove. Our scheme
improves U-Prove by not relying on the random oracle model, and by being provably
unforgeable. Such an unforgeability proof is not known for U-Prove credentials; in fact,
it has even been suggested that no such proof exists under any standard intractability
assumption [BL13b]. We first explain how to extend our signatures to credentials by
including multiple attributes, after which we show how these attributes can be selectively
disclosed.

7.5.1 Signatures as credentials


In our credential scheme our partially blind Boneh–Boyen signatures become credentials.
The attributes are represented by several pieces of common information. To encode
these attributes, we replace the signer’s secret key $c \in \mathbb{Z}_p^*$ by a tuple of numbers⁴
$(c_1, \ldots, c_n) \in (\mathbb{Z}_p^*)^n$ (and the public key $C$ by $C_1 = c_1 P, \ldots, C_n = c_n P$). Then the signer
can sign a hidden message $m$ and a tuple $k_1, \ldots, k_n$ by setting

\[
D = X^{\rho}\, Y^{b}\, \llbracket \gamma \rrbracket \quad \text{with} \quad \rho = a + r_2 b + \sum_{i=1}^{n} k_i c_i
\]

in step 2 of the Sign protocol (see p. 132). The resulting signature $(S, r)$ over $(m, k_1, \ldots, k_n)$
is then valid only if $e\big(A + mP + rB + \sum_{i=1}^{n} k_i C_i,\ S\big) = e(P, Q)$.
This results in a partially blind signature scheme for GSBB signatures [Bha+09]. This
scheme reduces to the scheme from the previous sections for n = 1. It is not difficult to
adapt the unforgeability and blindness proofs to this scheme.
To issue a credential, the user and the issuer decide in advance on the attributes
k1 , . . . , k n that the credential will have. Then, the user runs the Sign protocol with the
issuer on $(m, k_1, \ldots, k_n)$, where the user chooses $m \in_R \mathbb{Z}_p$. The user receives a signature
(S, r ) on the attributes (k1 , . . . , k n ) and message m. The credential then consists of the
message, the attributes and the signature. The partial blindness of the scheme ensures
that the issuer does not learn m, nor can it later recognize the resulting signature.

7.5.2 Showing a credential


The user can show such a credential as follows. Let $\mathcal{D} \subset \{1, \ldots, n\}$ be the index set of
the attributes that the user wants to disclose, and let $\mathcal{C} = \{1, \ldots, n\} \setminus \mathcal{D}$ be the remaining
hidden attributes.

• The user sends $S$, $r$ and the attributes $(k_i)_{i \in \mathcal{D}}$ that it wishes to disclose to the verifier,
together with $D = mP + \sum_{i \in \mathcal{C}} k_i C_i$.

⁴ In the remainder of this chapter we will reuse the letter $n$ to denote the number of attributes, for consistency
with the next chapters.

• The user performs a zero-knowledge proof of knowledge of the message $m$ and
the hidden attributes:

\[
PK\Big\{(m, (k_i)_{i \in \mathcal{C}}) : D = mP + \sum_{i \in \mathcal{C}} k_i C_i\Big\}. \tag{7.4}
\]

• The verifier checks that the signature $(S, r)$ is valid as follows:

\[
e\Big(A + rB + D + \sum_{i \in \mathcal{D}} k_i C_i,\ S\Big) \stackrel{?}{=} e(P, Q).
\]

Theorem 7.12 (or rather its generalization to multiple pieces of common information, as
mentioned in the previous subsection) then guarantees unforgeability of these creden-
tials. In addition, as a consequence of Theorem 7.11, the scheme offers issuer unlinka-
bility (see Section 5.7.3 on p. 107).
The signatures (S, r ) of our scheme are about the same size as those of U-Prove in the
ECC setting. If we use standard Σ-protocols like U-Prove, then the showing protocols
are approximately equally efficient. Furthermore, contrary to U-Prove the proof of the
scheme does not rely on the random oracle model. Finally, if we do not want to assume
that the verifier is honest in the Σ-protocols then we can easily use a black-box zero-
knowledge proof of knowledge instead, such as for example the one from Example 5.21,
or the Schnorr Σ-protocol in the Fiat-Shamir heuristic.
Remark 7.13. It is interesting to note how the partially blind signature scheme resulted
in an attribute-based credential scheme almost for free. Broadly speaking, we only used
the following features of our scheme:

• It allows multiple pieces of common information k i , which can then serve as the
attributes of our credentials;
• The structure of the signatures allows the hiding of some of the contained attributes
through a proof of knowledge as in equation (7.4).

Other partially blind signature schemes that offer similar features may thus also result
in interesting attribute-based schemes in this fashion; it would be interesting to see if
one of them might also support unlinkability.
At the same time, it is important to note that this is definitely not the only route to un-
linkable attribute-based schemes. Indeed, in Chapter 9 we create an unlinkable scheme
whose Issue protocol (see p. 160) is not partially blind; instead, the unlinkability will
come from the ShowCredential protocol. We will return to this difference in Remark 9.17
on p. 167.

7.6 Related work


Introduced by Chaum [Cha83], blind signature schemes were formally defined by Juels,
Luby and Ostrovsky [JLO97]. Since then much work on the subject has been done, both

in the random oracle and standard models; for example, see [Bel+02; Bol02; CKW05;
Poi98].
Partially blind signature schemes were introduced by Abe and Fujisaki [AF96] and
further formalized by Abe and Okamoto [AO00]. The schemes of both of these papers
use the random oracle model, as well as those from [Cho+05; ZSS03]. A newer scheme
by Okamoto [Oka06] is secure in the standard model like our scheme. The issuing
protocol of this scheme is more efficient than ours, consisting of 4 moves (compared
to 9); on the other hand, his scheme uses a Type 2 pairing (i.e., there must exist an
efficiently computable homomorphism from G2 to G1 , see Section 5.4); our scheme uses
Type 3 pairings which are generally more efficient [GPS08]. Moreover, Okamoto bases
the unforgeability of his scheme on a nonstandard hardness assumption.
Belenkiy et al. [Bel+09] created a two-party computation protocol for computing weak
Boneh–Boyen signatures, that bears some resemblance to our issuing protocol. On the
one hand their protocol is slightly more efficient than ours; specifically, the message
space of the encryption scheme is smaller due to the simpler structure of the signatures
that are computed. On the other hand, because weak Boneh–Boyen signatures are
deterministic their protocol is unsuitable for (partially) blind signatures as well as an
application to attribute-based credentials as in Section 7.5.
A less attractive feature of our issuing protocol is that it consists of 9 moves, which
is far from optimal. We believe that this is because of the structure of Boneh–Boyen
signatures, in particular the modular inversion in equation (7.1), and indeed all schemes
that we know of that issue Boneh–Boyen-like signatures have a similar number of moves.
There are, however, signature schemes that allow issuing protocols of fewer moves: for
example, [Bla+13] introduces a blind issuing protocol for Waters signatures [Wat05]
of just two moves, and [FHS15] introduces a partially blind signature scheme in the
standard model, also of 2 moves.
As already mentioned, our attribute-based credential scheme from Section 7.5 im-
proves on U-Prove by being provably secure and not relying on the random oracle
model. We would also like to point out the single-show attribute-based credential
scheme by Baldimtsi and Lysyanskaya [BL13a], which is provably secure like ours, but
requires the random oracle model like U-Prove.
Finally, Weitenberg’s Master’s thesis [Wei12] also contains an interactive issuing pro-
tocol for Boneh–Boyen like signatures, as well as an application to attribute-based cre-
dentials. There are some differences between his and our signing protocol, however; he
did not include a convincing unforgeability proof; and while an unlinkable scheme was
aimed at, Weitenberg was not able to prove unlinkability.

7.7 Conclusion
We introduced a partially blind signing protocol for Boneh–Boyen-like signatures and
proved its security. This enables applications of these signatures in situations where
it is important that the issuer does not learn (part of) the message being signed nor
the resulting signature. As an example of the simplicity and flexibility of our scheme,
we introduced a single-show attribute-based credential scheme that improves on its

well-known predecessor U-Prove by being provably unforgeable without the use of
the random oracle model, using only standard hardness assumptions. The length of
these credentials is independent of the number of attributes, resulting in a very efficient
ShowCredential protocol.
In the next chapter, we show how credentials from the scheme from [HK14], in which
the length of the credentials is also constant, can be forged. Finally, Chapter 9 will
introduce a new scheme which is provably unforgeable and unlinkable, in which the
credential size is linear in n.
Chapter 8

The self-blindable U-Prove scheme from FC’14 is forgeable

Recently an unlinkable version of the U-Prove attribute-based credential scheme was
proposed at Financial Crypto ’14 [HK14]. Unfortunately, the new scheme is forgeable:
if sufficiently many users work together then they can construct new credentials, con-
taining any set of attributes of their choice, without any involvement of the issuer. In
this chapter we show how they can achieve this, and we point out the error in the
unforgeability proof.
This chapter is based on the following article.

[VRH16] E. Verheul, S. Ringers, and J.-H. Hoepman. “The self-blindable U-Prove
scheme from FC’14 is forgeable”. In: Financial Cryptography and Data Security
– FC’16 (2016). In print. url: https://eprint.iacr.org/2015/725.

The main idea of the attack that we describe in this chapter and the corresponding article
is due to Eric Verheul. The specifics of applying the attack to Hanzlik and Kluczniak’s
scheme are my own work, as are the article and the text below.

8.1 Introduction
In all attribute-based credential schemes that we considered so far (notably the one from
Chapter 7 and U-Prove, both of which are defined in prime-order elliptic curves), the
length of the credentials does not depend on the number of attributes $n$. In both of
these cases, this resulted in short signatures and efficient ShowCredential protocols, which
however do not offer multi-show unlinkability.

In an attempt to fix this lack of unlinkability while retaining efficiency, L. Hanzlik and
K. Kluczniak proposed in [HK14] a new scheme that is based on U-Prove but uses a
different, self-blindable signature scheme, based on the self-blindable construction by
Verheul [Ver01]. Although [HK14] does contain an argument for the unforgeability of
their scheme, we show here that this argument contains an error, and that the proposed
construction is forgeable, in the sense that if sufficiently many users collude then they
can construct new credentials containing arbitrary attributes of their choice, without
involvement of the issuer.

8.2 The credential scheme


Hanzlik and Kluczniak [HK14] present their blindable U-Prove scheme as an extension
of the original U-Prove scheme, in the following sense: a self-blindable signature (based
on [Ver01]) is added to a U-Prove credential. When showing a credential, the user can
then choose to either show his credential using the original linkable U-Prove ShowCre-
dential protocol, or using a new protocol that uses the new self-blindable signature and
should offer unlinkability. Since we are concerned only with the forgeability of the
self-blindable construction, our description of the credential scheme will omit details
that are relevant only to the original construction.
The setup is as follows.¹ $q$ is a prime number of length $k$, and $e : G_1 \times G_2 \to G_T$ is a
bilinear pairing of Type 2 (see Section 5.4 on p. 91), where $q$ is the order of $G_1$, $G_2$ and
$G_T$. The issuer’s public key is

\[
(q, e, g_0, \ldots, g_n, p, p', p_0, p_1),
\]

where
• $g_0, \ldots, g_n$ are random generators of $G_1$,
• $p$ and $p'$ are random generators of $G_2$,
• $p_0 = (p')^z$,
• $p_1 = p^f$.
The tuple $(f, z) \in \mathbb{Z}_q^2$ is the issuer’s secret key.
A credential consists of the tuple

\[
((x_1, \ldots, x_n), (h, h_2, h_3, h_4, \alpha, b_1, b_2))
\]

where
• $x_1, \ldots, x_n \in \mathbb{Z}_q$ are the attributes,
• $\alpha, b_1, b_2 \in \mathbb{Z}_q$, chosen by the user during issuing of the credential,
• $h = (g_0\, g_1^{x_1} \cdots g_n^{x_n})^{\alpha}$,
• $h_2 = h^f$,
• $h_3 = h^{b_1} h_2^{b_2}$,
¹ In this chapter we use the notations of the article by Hanzlik and Kluczniak, meaning that we deviate from
much of our earlier notational conventions.

• $h_4 = h_3^z = (h^{b_1} h_2^{b_2})^z$.

The validity of the credential can be checked by

\[
e(h, p_1) \stackrel{?}{=} e(h_2, p) \quad \text{and} \quad e(h_3, p_0) \stackrel{?}{=} e(h_4, p').
\]

Such a credential can be blinded into a new one as follows. Take random $k, \ell \in \mathbb{Z}_q^*$, and
set $(\bar{h}, \bar{h}_2, \bar{h}_3, \bar{h}_4) = (h^k, h_2^k, h_3^{k\ell}, h_4^{k\ell})$. Then

\[
((x_1, \ldots, x_n), (\bar{h}, \bar{h}_2, \bar{h}_3, \bar{h}_4, \alpha k, b_1 \ell, b_2 \ell))
\]

is a new, valid credential over the same attributes. In [HK14] a ShowCredential protocol
for these credentials is provided, in which the credentials are blinded as above. The
protocol should offer unlinkability but it is not proven that it does (and we have not
checked this).

8.3 Forging new credentials

8.3.1 Constructing signatures on the elements gi

We first show that if sufficiently many users work together, then for each $i$ they can
compute a tuple $g_i^f, g_i^z, g_i^{fz}$, even though $f$ and $z$ are private to the issuer. Using these
tuples they can easily create new valid credentials over any set of attributes of their
choice. Since this will involve many credentials, we will write the elements from the
credential of user $j$ with an extra subscript $j$:

\[
((x_{1,j}, \ldots, x_{n,j}), (h_j, h_{2,j}, h_{3,j}, h_{4,j}, \alpha_j, b_{1,j}, b_{2,j})).
\]

The element $h_j$ is of the form

\[
h_j = (g_0\, g_1^{x_{1,j}} \cdots g_n^{x_{n,j}})^{\alpha_j}.
\]

By blinding the credential with $k = \alpha_j^{-1}$, $\ell = 1$ (i.e., we raise all group elements of the
credential to the power $\alpha_j^{-1}$; note that these numbers are known to the users), we can
remove the number $\alpha$ from our considerations, so we will henceforth simply write

\[
h_j = g_0\, g_1^{x_{1,j}} \cdots g_n^{x_{n,j}}.
\]

Let us write $\tilde{g}_i = g_i^f$. Then we can write $h_{3,j}$ as

\[
h_{3,j} = h_j^{b_{1,j}} h_{2,j}^{b_{2,j}}
= g_0^{b_{1,j}} \tilde{g}_0^{b_{2,j}}\, g_1^{b_{1,j} x_{1,j}} \tilde{g}_1^{b_{2,j} x_{1,j}} \cdots g_n^{b_{1,j} x_{n,j}} \tilde{g}_n^{b_{2,j} x_{n,j}}.
\]

Setting $x_{0,j} = 1$ and writing $y_{i,j} = b_{1,j} x_{i,j}$ and $\tilde{y}_{i,j} = b_{2,j} x_{i,j}$, we get

\[
h_{3,j} = g_0^{y_{0,j}} \tilde{g}_0^{\tilde{y}_{0,j}}\, g_1^{y_{1,j}} \tilde{g}_1^{\tilde{y}_{1,j}} \cdots g_n^{y_{n,j}} \tilde{g}_n^{\tilde{y}_{n,j}}, \tag{8.1}
\]

where all numbers $y_{i,j}$ and $\tilde{y}_{i,j}$ are known to the user.
We know that $h_{4,j} = h_{3,j}^z$, i.e., the discrete log of $h_{4,j}$ with respect to $h_{3,j}$ is $z$. If we
raise $h_{3,j}$ to some power and we simultaneously raise $h_{4,j}$ to the same power, then the
resulting two elements will still have $z$ as discrete log. The same holds if we multiply two
elements $h_{3,j}$ and $h_{3,j'}$ together. In the remainder of this section we will take a number of
powers and products of the elements $h_{3,j}$; whenever we write such a power or product,
the same power or product for $h_{4,j}$ is implied.
Observe that when raising $h_{3,j}$ to the power $1/\tilde{y}_{n,j}$ we obtain a product of the generators
$g_i$ to certain exponents, where $\tilde{g}_n$ now has exponent 1. Thus two users 1 and 2 can work
together to form the element $h_{3,1}^{1/\tilde{y}_{n,1}} \big/ h_{3,2}^{1/\tilde{y}_{n,2}}$, which is of the form

\[
\frac{h_{3,1}^{1/\tilde{y}_{n,1}}}{h_{3,2}^{1/\tilde{y}_{n,2}}}
= g_0^{v_0} \tilde{g}_0^{\tilde{v}_0}\, g_1^{v_1} \tilde{g}_1^{\tilde{v}_1} \cdots g_n^{v_n}, \tag{8.2}
\]

with $v_i = y_{i,1}/\tilde{y}_{n,1} - y_{i,2}/\tilde{y}_{n,2}$, and similarly for $\tilde{v}_i$. Note that the right hand side no longer
contains $\tilde{g}_n$. If two more users do the same and obtain a similar expression, then the four
users can collectively remove $g_n$ in exactly the same fashion, resulting in an expression
as above containing only the elements $g_0, \tilde{g}_0, \ldots, g_{n-1}, \tilde{g}_{n-1}$.
Continuing in this fashion, $2^{2n+1}$ users can find an element in $G_1$ that is just $g_0$ raised
to some power which is known and can easily be removed. If they apply all powers
and products in parallel to the corresponding $h_{4,j}$, then they also obtain $g_0^z$. Similarly,
they can obtain $\tilde{g}_0 = g_0^f$, and $\tilde{g}_0^z = g_0^{fz}$. In fact, they can do this for all elements $g_i, \tilde{g}_i$,
resulting finally in expressions for $g_i^f$, $g_i^z$ and $g_i^{fz}$ for all $i$. Using these elements, anyone
can calculate a valid credential over any set of attributes as explained below. The number
of users that need to work together to achieve this ($2^{2n+1}$) is exponential in $n$ (the number
of attributes of the system) but not in the security parameter. Therefore, this can be done
in polynomial time.

Remark 8.1. An alternative explanation for why this is possible is as follows. Suppose
we are given $m$ valid credentials, with $h_{3,j}$ of credential $j$ given by (8.1). Notice that
the operations we apply to the elements $h_{3,j}$ and $h_{4,j}$ above correspond exactly to taking
linear combinations of the $h_{3,j}$ and $h_{4,j}$ (although linear combinations are usually written
additively instead of multiplicatively). So if we consider the elements $g_i, \tilde{g}_i$ occurring
in $h_{3,j}$ as unknowns, then we can interpret equation (8.1) as one equation in $2n + 2$
unknowns. Thus if we have $2n + 2$ credentials, then we obtain $2n + 2$ equations in as
many unknowns.
Using linear algebra over the field $\mathbb{Z}_q = \mathrm{GF}(q)$, then, we can solve this system of
linear equations for the $g_i$, $\tilde{g}_i$, $g_i^{fz} = \tilde{g}_i^z$, as long as the $(2n + 2) \times (2n + 2)$ matrix of the
coefficients,

\[
M :=
\begin{pmatrix}
y_{0,1} & \cdots & y_{0,2n+2} \\
\tilde{y}_{0,1} & \cdots & \tilde{y}_{0,2n+2} \\
\vdots & \ddots & \vdots \\
y_{n,1} & \cdots & y_{n,2n+2} \\
\tilde{y}_{n,1} & \cdots & \tilde{y}_{n,2n+2}
\end{pmatrix}
\]

is invertible (i.e., its determinant $\det M$ is unequal to 0). Since the numbers $y_{i,j}, \tilde{y}_{i,j}$ are
under our control in a chosen-message attack, this should be easy to achieve. If we write
$m_{i,j}$ for the $j$-th entry of the $i$-th row of the inverse $M^{-1}$ of $M$, we obtain

\[
g_i = \prod_{j=1}^{2n+2} h_{3,j}^{m_{2i+1,j}}, \qquad
\tilde{g}_i = \prod_{j=1}^{2n+2} h_{3,j}^{m_{2i+2,j}}, \qquad
g_i^z = \prod_{j=1}^{2n+2} h_{4,j}^{m_{2i+1,j}}, \qquad
\tilde{g}_i^z = \prod_{j=1}^{2n+2} h_{4,j}^{m_{2i+2,j}}.
\]

This also shows that the scheme is already completely forgeable (in the sense that new
credentials with arbitrary attributes can be computed) with just $2n + 2$ collaborating
users, instead of $2^{2n+1}$.

8.3.2 Constructing a forged credential

Using the elements $g_i, g_i^f, g_i^z, g_i^{fz}$ constructed above, a new credential with attributes
$x_1, \ldots, x_n$ may be constructed as follows. Choose $b_1, b_2 \in_R \mathbb{Z}_q$ randomly, and set

\[
\begin{aligned}
h &= g_0\, g_1^{x_1} \cdots g_n^{x_n}, \\
h_2 &= g_0^f\, (g_1^f)^{x_1} \cdots (g_n^f)^{x_n}, \\
h_3 &= g_0^{b_1} (g_0^f)^{b_2}\, g_1^{b_1 x_1} (g_1^f)^{b_2 x_1} \cdots g_n^{b_1 x_n} (g_n^f)^{b_2 x_n}, \\
h_4 &= (g_0^z)^{b_1} (g_0^{fz})^{b_2}\, (g_1^z)^{b_1 x_1} (g_1^{fz})^{b_2 x_1} \cdots (g_n^z)^{b_1 x_n} (g_n^{fz})^{b_2 x_n}.
\end{aligned}
\]

Then

\[
h_2 = h^f, \qquad h_3 = h^{b_1} h_2^{b_2}, \qquad h_4 = (h^{b_1} h_2^{b_2})^z
\]

as required.
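The linear-algebra forgery of Remark 8.1 and the credential construction of Section 8.3.2, as an added Python example that is not part of the thesis or of [HK14]: it simulates the scheme in a toy prime-order subgroup of $\mathbb{Z}_P^*$ (constructed parameters $P = 10007$, $Q = 5003$, with $\alpha = 1$ and no pairing, the validity check instead using the issuer's own $f$ and $z$), has $2n+2$ users recover $g_i, g_i^f, g_i^z, g_i^{fz}$ from their credentials, and forges a credential on chosen attributes that the issuer accepts. The names `Issuer`, `recover_bases`, `forge` and `demo` are this example's own; it solves the system with the credentials as rows (the transpose of $M$), so the exponent applied to $h_{3,j}$ is the $(r, j)$ entry of that matrix's inverse.

```python
import random

# Toy instance of the Hanzlik-Kluczniak credential (Section 8.2) and the 2n+2-user
# forgery of Remark 8.1 / Section 8.3.2. Constructed parameters: G_1 is the order-Q
# subgroup of Z_P^* for the safe prime P = 2Q + 1, written multiplicatively as in the
# thesis. Q is far too small for real use, but the attack never computes a discrete
# logarithm, so the group size plays no role in what is demonstrated.
P, Q = 10007, 5003
rng = random.Random(2016)

def rand_elem():
    """Random element of the order-Q subgroup: the square of a random unit mod P."""
    return pow(rng.randrange(2, P - 1), 2, P)

def rand_exp():
    """Random nonzero exponent in Z_Q."""
    return rng.randrange(1, Q)

def inv_mod_matrix(a, q):
    """Inverse of a square matrix over GF(q) by Gauss-Jordan; None if singular."""
    n = len(a)
    m = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        piv = next((r for r in range(col, n) if m[r][col] % q), None)
        if piv is None:
            return None
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, q)
        m[col] = [v * inv % q for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] % q:
                f = m[r][col]
                m[r] = [(x - f * y) % q for x, y in zip(m[r], m[col])]
    return [row[n:] for row in m]

class Issuer:
    """Issuer with secret key (f, z) and base points g_0..g_n shared by all users.
    alpha = 1 throughout: users strip alpha by blinding with k = alpha^{-1} (8.3.1)."""
    def __init__(self, n):
        self.g = [rand_elem() for _ in range(n + 1)]
        self.f, self.z = rand_exp(), rand_exp()

    def issue(self, attrs, b1, b2):
        h = self.g[0]
        for gi, xi in zip(self.g[1:], attrs):
            h = h * pow(gi, xi, P) % P
        h2 = pow(h, self.f, P)
        h3 = pow(h, b1, P) * pow(h2, b2, P) % P
        return (tuple(attrs), (h, h2, h3, pow(h3, self.z, P), b1, b2))

    def valid(self, cred):
        """Stand-in for the pairing checks e(h,p1) = e(h2,p), e(h3,p0) = e(h4,p'):
        here the checker knows f and z and tests the same relations directly."""
        attrs, (h, h2, h3, h4, b1, b2) = cred
        return (h2 == pow(h, self.f, P)
                and h3 == pow(h, b1, P) * pow(h2, b2, P) % P
                and h4 == pow(h3, self.z, P))

def recover_bases(creds):
    """2n+2 colluding users solve (8.1) for (g_i, g~_i); the same exponents applied
    to h_{4,j} give (g_i^z, g~_i^z). Returns (g, g^f, g^z, g^{fz}) or None."""
    # Row j of A holds the exponents (y_{0,j}, y~_{0,j}, ..., y_{n,j}, y~_{n,j}) of
    # (g_0, g~_0, ..., g_n, g~_n) in h_{3,j}: A is the transpose of the matrix M.
    A = [[v for xi in (1,) + attrs for v in (b1 * xi % Q, b2 * xi % Q)]
         for attrs, (_, _, _, _, b1, b2) in creds]
    Ainv = inv_mod_matrix(A, Q)
    if Ainv is None:
        return None
    def combine(idx, row):  # log h = A . log G, so G_r = prod_j h_j^{Ainv[r][j]}
        out = 1
        for (_, parts), e in zip(creds, row):
            out = out * pow(parts[idx], e, P) % P
        return out
    base = [combine(2, row) for row in Ainv]    # from h_{3,j}: g_0, g~_0, g_1, ...
    base_z = [combine(3, row) for row in Ainv]  # from h_{4,j}: g_0^z, g~_0^z, ...
    return base[0::2], base[1::2], base_z[0::2], base_z[1::2]

def forge(bases, attrs, b1, b2):
    """Section 8.3.2: a credential on arbitrary attributes, without the issuer."""
    g, gf, gz, gfz = bases
    h = h2 = h3 = h4 = 1
    for i, xi in enumerate((1,) + tuple(attrs)):
        h = h * pow(g[i], xi, P) % P
        h2 = h2 * pow(gf[i], xi, P) % P
        h3 = h3 * pow(g[i], b1 * xi, P) * pow(gf[i], b2 * xi, P) % P
        h4 = h4 * pow(gz[i], b1 * xi, P) * pow(gfz[i], b2 * xi, P) % P
    return (tuple(attrs), (h, h2, h3, h4, b1, b2))

def demo(n=2, target_attrs=(42, 1337)):
    """Issue 2n+2 honest credentials, recover the bases and forge one. Returns
    (issuer accepts the forgery, recovered g_i^f equal the true g_i^f)."""
    issuer, bases = Issuer(n), None
    while bases is None:  # A is singular only with probability about 1/Q
        creds = [issuer.issue([rand_exp() for _ in range(n)], rand_exp(), rand_exp())
                 for _ in range(2 * n + 2)]
        assert all(issuer.valid(c) for c in creds)
        bases = recover_bases(creds)
    forged = forge(bases, target_attrs, rand_exp(), rand_exp())
    return issuer.valid(forged), bases[1] == [pow(gi, issuer.f, P) for gi in issuer.g]
```

The forged credential passes the same checks as an honestly issued one even though no colluding user ever learns $f$ or $z$; the only ingredients are the shared base points and the publicly known group order, which is exactly the combination Section 8.4.3 identifies.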

8.4 Analysis
8.4.1 The problem in the unforgeability argument
An argument for unforgeability is given in [HK14] in section 4, “Security Analysis”. The
argument is based on the appendix from [Ver01], in which it is argued that credentials
of the form

\[
h, \qquad h_2 = h^f, \qquad h_4 = (h^{b_1} h_2^{b_2})^z \tag{8.3}
\]

are unforgeable. Here, as above, $f$ and $z$ are the issuer’s secret key, and the numbers $b_1, b_2$
are part of the credential (i.e., known to the user). However, the difference with Verheul’s
system is that there $h$ is randomly chosen from $G_1$, and in particular, no participant of
the system knows the discrete log of $h$ with respect to any other element from $G_1$, or
any DL-representation of $h$ (i.e., an expression of $h$ in terms of powers of $g_0, \ldots, g_n$,
such as (8.4)). By contrast, in Hanzlik and Kluczniak’s U-Prove scheme the user knows
numbers $\alpha, x_1, \ldots, x_n$ such that

\[
h = (g_0\, g_1^{x_1} \cdots g_n^{x_n})^{\alpha}, \tag{8.4}
\]

where the elements $g_0, \ldots, g_n$ are the same for all users. In this case, the argument
from [Ver01] does not apply, so that no argument can be based on it.
In addition, we wish to point out that the argument from the appendix in [Ver01] was
meant as a sketch, and in particular, there is the following subtlety. It is argued in the
appendix that if an adversary $\mathcal{A}$ manages to forge credentials of the form (8.3), i.e.

\[
(h, h_2, h_4, b_1, b_2) = \mathcal{A}\Big((h_j, h_{2,j}, h_{4,j}, b_{1,j}, b_{2,j})_{j=1,\ldots,m}\Big)
\]

where the output $(h, h_2, h_4, b_1, b_2)$ is valid (i.e., satisfying (8.3)), then either there must
exist a $j$ and numbers $k, \ell \in \mathbb{Z}_q$ such that

\[
(h, h_2, h_4, b_1, b_2) = (h_j^k, h_{2,j}^k, h_{4,j}^{k\ell}, b_{1,j}\ell, b_{2,j}\ell)
\]

or the adversary $\mathcal{A}$ can be used to solve discrete logarithms in $G_1$. However, the argument
mentions certain “transformation factors” which are numbers like $k, \ell$ from $\mathbb{Z}_q$, and the
algorithm sketched by [Ver01] that uses the adversary $\mathcal{A}$ to compute discrete logarithms
would need to know these numbers in order to be able to work. However, it is not clear
how to obtain these transformation factors from the adversary $\mathcal{A}$, or even if $\mathcal{A}$ is aware
of them.
Notice, however, that a tuple (h, h2 , h4 , b1 , b2 ) is very close to being an LRSW-instance
(see Definition 9.1 on p. 155); indeed, if the number b1 would always equal 1 then this
would exactly be a LRSW-instance. For that reason, we believe that a (Type 1 version
of) the Known Exponent Assumption (KEA, see Section 9.5 on p. 173) can be used to
extract these numbers from the adversary, similar to how the difficulty of creating new
LRSW-instances can be proven from the XKEA assumption (Theorem 9.21). This would
result in a rigorous proof.

8.4.2 Why Theorem 6.6 is not applicable

In the notations of Theorem 6.6 on p. 118, we have the following.

• The space $P$ of secret keys is the set of attributes $\mathbb{Z}_p^n \ni (x_1, \ldots, x_n)$.
• The space $K$ of public keys consists of elements of the form $g_0\, g_1^{x_1} \cdots g_n^{x_n}$ – that is,
$K = G_1$.
• The space $B$ of blinding factors is $\mathbb{Z}_p^2 \ni (k, \ell)$.
• The space $S$ is $G_1^2 \times \mathbb{Z}_p^2 \ni (h_2, h_4, b_1, b_2)$. This set has a natural group structure,
namely the direct product: if $(A_1, A_2, r_1, r_2), (B_1, B_2, s_1, s_2) \in S$ then

\[
(A_1, A_2, r_1, r_2) \cdot (B_1, B_2, s_1, s_2) = (A_1 B_1, A_2 B_2, r_1 + s_1, r_2 + s_2);
\]

i.e., for each element in the tuple we use the group structure of the containing
group.
• The function $\mathrm{PubKey} : P \times B \to K$ is $\mathrm{PubKey}((x_1, \ldots, x_n), (k, \ell)) = (g_0\, g_1^{x_1} \cdots g_n^{x_n})^k$
(the number $\ell$ does not occur in the right hand side; it is used only in the function
$\mathrm{Sig}_{f,z}$).
• The function $\mathrm{Sig}_{f,z} : P \times B \to S$ is given by

\[
\mathrm{Sig}_{f,z}((x_1, \ldots, x_n), (k, \ell)) = \big(h^{fk},\ (h^{k b_1 \ell} h^{f k b_2 \ell})^z,\ b_1 \ell,\ b_2 \ell\big)
\]

where $h = g_0\, g_1^{x_1} \cdots g_n^{x_n}$.

Let $j = 1, 2$, and let

\[
((x_{1,j}, \ldots, x_{n,j}), (h_j, h_{2,j}, h_{3,j}, h_{4,j}, b_{1,j}, b_{2,j})), \qquad
h_j = g_0\, g_1^{x_{1,j}} \cdots g_n^{x_{n,j}}, \quad h_{3,j} = h_j^{b_{1,j}} h_{2,j}^{b_{2,j}}
\]

be two credentials. Translated to multiplicative notation, Theorem 6.6 studies in what
situations there exist $(y_1, \ldots, y_n) \in P$ and $(\alpha, \beta) \in B$ such that the two equations

\[
\mathrm{PubKey}((y_1, \ldots, y_n), (\alpha, \beta))
= \mathrm{PubKey}((x_{1,1}, \ldots, x_{n,1}), (k_1, \ell_1))\, \mathrm{PubKey}((x_{1,2}, \ldots, x_{n,2}), (k_2, \ell_2)) \tag{8.5}
\]
\[
\mathrm{Sig}_{SK}((y_1, \ldots, y_n), (\alpha, \beta))
= \mathrm{Sig}_{SK}((x_{1,1}, \ldots, x_{n,1}), (k_1, \ell_1))\, \mathrm{Sig}_{SK}((x_{1,2}, \ldots, x_{n,2}), (k_2, \ell_2)) \tag{8.6}
\]

hold simultaneously. The reason why the theorem from [HLR15] does not apply in this
case is that if the upper equation holds then the lower equation never holds, as we now
show.

First we examine equation (8.5). Using the group structure of $G_1$ on $K = G_1$,
the right hand side of (8.5) evaluates to $h_1^{k_1} h_2^{k_2}$ (and indeed it is not difficult to find
$(y_1, \ldots, y_n), (\alpha, \beta)$ such that $\mathrm{PubKey}((y_1, \ldots, y_n), (\alpha, \beta)) = h_1^{k_1} h_2^{k_2}$). Now, the left hand
side of (8.6) is a signature with $h_1^{k_1} h_2^{k_2}$ as its attribute commitment. The right hand side,
however, evaluates to $(h_2, h_4, b_1, b_2)$ with

\[
\begin{aligned}
h_2 &= h_{2,1}^{k_1} h_{2,2}^{k_2} = \big(h_{1,1}^{k_1} h_{1,2}^{k_2}\big)^f, \\
h_4 &= \Big(\big(h_1^{b_{1,1}} h_{2,1}^{b_{2,1}}\big)^{k_1 \ell_1} \big(h_2^{b_{1,2}} h_{2,2}^{b_{2,2}}\big)^{k_2 \ell_2}\Big)^z, \\
b_1 &= \ell_1 b_{1,1} + \ell_2 b_{1,2}, \qquad b_2 = \ell_1 b_{2,1} + \ell_2 b_{2,2}.
\end{aligned}
\tag{8.7}
\]

For this to be valid, $h_4$ would have to be

\[
h_4 = \big(h^{b_1} h_2^{b_2}\big)^z
= \Big(\big(h_1^{k_1} h_2^{k_2}\big)^{\ell_1 b_{1,1} + \ell_2 b_{1,2}} \big(h_{2,1}^{k_1} h_{2,2}^{k_2}\big)^{\ell_1 b_{2,1} + \ell_2 b_{2,2}}\Big)^z.
\]

A polynomial-time algorithm can make the above expression for $h_4$ match with (8.7)
only by matching the powers of the elements $h_1, h_{2,1}, h_2, h_{2,2}$. This gives

\[
\begin{aligned}
b_{1,1} k_1 \ell_1 &= b_{1,1} k_1 \ell_1 + b_{1,2} k_1 \ell_2, & b_{1,2} k_2 \ell_2 &= b_{1,2} k_2 \ell_2 + b_{1,1} k_2 \ell_1, \\
b_{2,1} k_1 \ell_1 &= b_{2,1} k_1 \ell_1 + b_{2,2} k_1 \ell_2, & b_{2,2} k_2 \ell_2 &= b_{2,2} k_2 \ell_2 + b_{2,1} k_2 \ell_1,
\end{aligned}
\]

which simplifies to

\[
b_{1,2} k_1 \ell_2 = 0, \qquad b_{1,1} k_2 \ell_1 = 0, \qquad b_{2,2} k_1 \ell_2 = 0, \qquad b_{2,1} k_2 \ell_1 = 0.
\]

We may assume that none of the numbers $b_{1,1}, b_{1,2}, b_{2,1}, b_{2,2}$ equal 0, as otherwise one or
both of the signatures on the right hand side of (8.6) would not be valid. Thus it follows
that at least one of the following must hold:

\[
k_1 = k_2 = 0, \qquad k_1 = \ell_1 = 0, \qquad k_2 = \ell_2 = 0, \qquad \ell_1 = \ell_2 = 0.
\]

By (8.7), the first and the last of these would result in $h_4 = 1$ which is not valid, and the
middle two would completely remove one of the factors in the right hand side of (8.6),
making the equation trivial.

8.4.3 The attack

Our attack depends on the following two facts.
• As mentioned in the introduction of this chapter, all credentials share the same
base points $g_0, \ldots, g_n$.
• Since the prime order $q$ of the group $G_1$ that contains the elements $g_0, \ldots, g_n$ and
$h, h_2, h_3, h_4$ is known to all participants of the scheme (unlike in Idemix, where the
order of the group is the issuer’s private key), it is possible to invert exponents as
in equation (8.2).
The combination of these two facts results in the ability to create signatures on DL-
representations of successively fewer base elements, as in equation (8.2). In the unlinkable
scheme that we introduce in Chapter 9, we avoid susceptibility to this attack by essentially
letting each credential have its own set of base points.
Chapter 9

An efficient self-blindable attribute-based credential scheme

Recently full-fledged implementations of unlinkable attribute-based credential schemes
on smart cards have emerged. However, these need to compromise on the security level
to achieve reasonable transaction speeds. In this chapter we present a new unlinkable
attribute-based credential scheme. Defined on elliptic curves, the scheme involves bilin-
ear pairings but only on the verifier’s side, making it very efficient both in terms of speed
and size on the user’s side. We prove that the ShowCredential protocol of our scheme
is a zero-knowledge proof of possession of a valid credential, from which unlinkability
follows, and we provide two unforgeability proofs, one based on the LRSW assumption
and the other on the Known Exponent Assumption (together with an extension of the
discrete logarithm problem to Type 3 bilinear pairings). Finally, we briefly discuss the
performance of a preliminary implementation.
An early version of the credential scheme from this chapter, together with an unforge-
ability proof based on the XKEA assumption was created jointly by Eric Verheul and
myself, as an extension of Verheul’s earlier article on self-blindable credentials [Ver01].
The additional unforgeability proof based on the whLRSW assumption is my own work,
as well as the zero-knowledgeness and unlinkability proofs, and the implementation. I
have also written the text below, with many helpful improvements and suggestions from
Jaap-Henk Hoepman.

9.1 Introduction
As mentioned in the earlier chapters, the two most well-known attribute-based creden-
tial schemes are Idemix [CL01; IBM12] and U-Prove [Bra00; PZ13]. However, to date
there is no provably secure scheme that is sufficiently efficient to allow truly secure im-
plementations on smart cards, while also providing unlinkability of transactions. For
example, since Idemix is based on the strong RSA-problem, one would want the keysize
to be at least 2048 bits and preferably even 4096 bits; the IRMA project1 has implemented
Idemix on smart cards using 1024 bits. On the other hand, U-Prove is more efficient but
does not provide unlinkability; in addition, its security is not fully proven, and it has
even been suggested that its unforgeability is unprovable under standard intractability
assumptions [BL13b].
In this chapter, we provide a new provably secure, efficient and unlinkable attribute-
based credential scheme, that is based on the concept of self-blindability [Ver01]: before
showing the credential, it is randomly modified into a new one (containing the same
attributes) that is still valid. This results in a showing protocol in which the verifier learns
nothing at all about the credential besides the attributes that are disclosed (and the fact
that the credential is valid). In fact, the showing protocol is a zero-knowledge proof of
knowledge. The scheme does not rely on the random oracle model (although usage of
this model can lead to a performance increase through the Fiat-Shamir heuristic [FS87]),
and it uses elliptic curves and bilinear pairings, allowing the same security level as RSA-
type groups at much smaller key sizes. Although computing a pairing is a much more
expensive operation than performing exponentiations on an elliptic curve, all pairings
occur on the verifier's side. In addition, the kind of pairing that we use (Type 3; see
Definition 5.11 on p. 91) involves two distinct groups, of which one is more expensive
to do computations in. However, the user only needs to perform computations in the
cheaper of the two. As a consequence of these two facts the amount of work that the
user has to perform is limited, and indeed our scheme is cheaper for the user than any
comparable scheme that we know of.
Apart from the properties mentioned in Section 5.7, the credential scheme defined in
this chapter will offer the following two kinds of unlinkability (see also Definition 5.28
on p. 108).

• Multi-show unlinkability: If a verifier participates in the ShowCredential protocol
twice, in which the same credential was involved, it should be impossible for it
to tell whether both executions originated from the same credential or from two
different ones.
• Issuer unlinkability: If in a run of the ShowCredential protocol certain attributes were
disclosed, then of all credentials that the issuer issued with those attributes, the
issuer cannot tell which one was used.

We will achieve this by proving that our ShowCredential protocol is black-box zero-
knowledge (see Definition 5.17 on p. 96), which essentially means that the verifier learns
nothing at all besides the statement that the user proves. Since the verifier learns noth-
ing that it can use to link transactions, both kinds of unlinkability follow from this (see
Theorem 9.15).
The unforgeability of our credential scheme will be implied by the LRSW assump-
tion [CL04; Lys+00; Lys99] introduced by Lysyanskaya, Rivest, Sahai, and Wolf, and

¹ https://www.irmacard.org

used in many subsequent works (for example, [CL04; WY05; Wac+11; CHP07; ACM05]).
Actually, for our purposes a weaker (in particular, non-interactive and thus falsifiable
[Nao03]) version of this assumption called the whLRSW assumption [WY05] will suf-
fice. After having defined attribute-based credential schemes as well as unforgeability
and unlinkability in the next section, we will discuss these assumptions in Section 9.2.
In the same section we will introduce a signature scheme on the space of attributes, that
will serve as the basis for our credential scheme. In Section 9.3 we turn to our creden-
tial scheme, defining issuing and showing protocols, and proving that these provide
unlinkability and unforgeability for our scheme. This in turn implies the unforgeabil-
ity of the signature scheme. In Section 9.5 we prove a general theorem saying that the
whLRSW assumption is implied by (an extension of) the Known Exponent Assumption
(KEA), resulting in a second unforgeability proof for our scheme. In Section 9.4 we
will discuss the performance of our scheme, by counting the number of exponentiations
that the user has to perform and by showing average runtimes of an implementation
of our scheme. First, we briefly review and compare a number of other attribute-based
credential schemes, in terms of features, efficiency and speed, and security.

9.1.1 Related work

The Idemix credential scheme [CL01; IBM12] by Camenisch and Lysyanskaya is prob-
ably the most well-known unlinkable attribute-based credential scheme, relying on the
difficulty of the strong RSA problem in the group of integers modulo an RSA modulus
n = pq, of recommended size at least 2048 bits. Although this credential scheme has a
lot of desirable properties (it is provably unlinkable and unforgeable), the large size of
the modulus means that, when implementing the user on smart cards, it is difficult to
get acceptable running times for the protocols. For example, in [VA13] the Idemix show-
ing protocol has been implemented with 4 attributes and n around 1024 bits (while n
should really be at least 2048 bits); there the running time for the ShowCredential protocol
ranged from 1 to 1.3 seconds, depending on the number of disclosed attributes.
Another well-known credential scheme is U-Prove [Bra00; PZ13] by Brands. Based on
the difficulty of the discrete logarithm problem in a cyclic group, it can be implemented
using elliptic curves, and additionally the showing protocol is much less complicated
than that of Idemix, also resulting in more efficiency. However, in U-Prove two transac-
tions executed with the same credential are always linkable, and the showing protocol is
only honest-verifier zero-knowledge (i.e., there is no proof that dishonest verifiers can-
not extract or learn information about the undisclosed attributes). Moreover, there is no
unforgeability proof for U-Prove credentials, and it even seems that no such proof exists
under standard intractability assumptions [BL13b].
We also mention the “Anonymous Credentials Light” construction from [BL13a],
which can also be implemented on elliptic curves, but the credentials are not unlinkable;
and [HM13], which runs in RSA groups like Idemix.
The credential scheme from [CL04], also by Camenisch and Lysyanskaya, is much
closer to the scheme presented here: it is unlinkable, uses elliptic curves and (Type 1)
pairings, and uses the LRSW assumption. However, when showing a credential the user
has to compute a number of pairings that is linear in the number of disclosed attributes.

Finally, in Chapter 8 we showed an attack on the blindable U-Prove scheme from
[HK14]: if sufficiently many users collude then they can create new credentials containing
any set of attributes of their choice, without any involvement of the issuer.

9.2 Preliminaries
9.2.1 The LRSW assumptions
The unforgeability of the credential and signature schemes defined in this chapter will
depend on the whLRSW assumption [WY05], which as we will show below, is implied
by the LRSW assumption [Lys99; Lys+00] introduced by Lysyanskaya et al. The latter
assumption has been proven to hold in the generic group model [Sho97], and has been
used in a variety of schemes (for example, [CL04; WY05; Wac+11; CHP07; ACM05]).
Although this assumption suffices to prove unforgeability of our scheme, it is stronger
than we need. In particular, the LRSW assumption is an interactive assumption, in the
sense that the adversary is given access to an oracle which it can use as it sees fit. We prefer
to use the weaker whLRSW assumption, which is implied by the LRSW assumption but
does not use such oracles. Consequently, unlike the LRSW assumption itself, and
like conventional hardness assumptions such as factoring and DDH, this assumption is
falsifiable [Nao03]. We describe both assumptions below; then we prove that the LRSW
assumption implies the whLRSW assumption. After this we will exclusively use the
latter assumption.
Let $e : G_1 \times G_2 \to G_T$ be a Type 3 pairing (see Section 5.4 on p. 91), where the order $p$ of the three groups is $\ell$ bits, and let $a, z \in_R \mathbb{Z}_p^*$. If $(\kappa, K, S, T) \in \mathbb{Z}_p^* \times G_1^3$ is such that $S = K^a$ and $T = K^{z + \kappa a z}$, then we call $(\kappa, K, S, T)$ an LRSW-instance.

Definition 9.1 (LRSW assumption). Let $e$ be as above, and let $\mathcal{O}_{a,z}$ be an oracle that, when it gets $\kappa_j \in \mathbb{Z}_p^*$ as input on the $j$-th query, chooses a random $K_j \in_R G_1$ and outputs the LRSW-instance $(\kappa_j, K_j, K_j^a, K_j^{z + \kappa_j a z})$. The LRSW problem is, when given $(p, e, G_1, G_2, G_T, Q, Q^a, Q^z)$ where $Q \in_R G_2 \setminus \{1\}$, along with oracle access to $\mathcal{O}_{a,z}$, to output a new LRSW-instance $(\kappa, K, K^a, K^{z + \kappa a z})$ where $\kappa$ has never been queried to $\mathcal{O}_{a,z}$. The LRSW assumption is that no probabilistic polynomial-time algorithm can solve the LRSW problem with non-negligible probability in $\ell$. That is, for every probabilistic polynomial-time algorithm $\mathcal{A}$ we have
$$
\Pr\Big[\, a, z \in_R \mathbb{Z}_p^*;\ Q \in_R G_2 \setminus \{1\};\ \sigma \leftarrow (p, e, G_1, G_2, G_T, Q, Q^a, Q^z);\ (\kappa, K, S, T) \leftarrow \mathcal{A}^{\mathcal{O}_{a,z}}(\sigma) :\ K \in G_1 \wedge \kappa \in \mathbb{Z}_p^* \wedge \kappa \notin L \wedge S = K^a \wedge T = K^{z + \kappa a z} \,\Big] < \mathrm{negl}(\ell),
$$
where $L$ is the list of oracle queries sent to $\mathcal{O}_{a,z}$, and where the probability is over the choice of $a$, $z$, $Q$, and the randomness used by $\mathcal{A}$ and the oracle $\mathcal{O}_{a,z}$.

Definition 9.2 (q-whLRSW assumption). Let $e$ again be as above. Additionally, let $\{(\kappa_j, K_j, K_j^a, K_j^{z + \kappa_j a z})\}_{j \in [1,q]}$ be a list of $q$ LRSW-instances, where the $\kappa_j$ and $K_j$ are randomly distributed in $\mathbb{Z}_p^*$ and $G_1$, respectively. The q-whLRSW problem (for q-wholesale LRSW [WY05]) is, when given this list along with $(p, e, G_1, G_2, G_T, Q, Q^a, Q^z)$, to output a new LRSW-instance $(\kappa, K, K^a, K^{z + \kappa a z})$ where $\kappa \notin \{\kappa_1, \dots, \kappa_q\}$. The q-whLRSW assumption is that no probabilistic polynomial-time algorithm can solve the q-whLRSW problem with non-negligible probability in $\ell$. That is, for every probabilistic polynomial-time algorithm $\mathcal{A}$ we have
$$
\Pr\Big[\, a, z, \kappa_1, \dots, \kappa_q \in_R \mathbb{Z}_p^*;\ K_1, \dots, K_q \in_R G_1 \setminus \{1\};\ Q \in_R G_2 \setminus \{1\};\ \sigma \leftarrow (p, e, G_1, G_2, G_T, Q, Q^a, Q^z);\ (\kappa, K, S, T) \leftarrow \mathcal{A}\big(\sigma, \{\kappa_j, K_j, K_j^a, K_j^{z + \kappa_j a z}\}_{j \in [1,q]}\big) :\ K \in G_1 \wedge \kappa \in \mathbb{Z}_p^* \wedge \kappa \notin \{\kappa_1, \dots, \kappa_q\} \wedge S = K^a \wedge T = K^{z + \kappa a z} \,\Big] < \mathrm{negl}(\ell), \tag{9.1}
$$
where the probability is over the choice of $a, z, \kappa_1, \dots, \kappa_q, K_1, \dots, K_q, Q$, and the randomness used by $\mathcal{A}$.
Finally we define an unparameterized version of the assumption above by allowing q to
be polynomial in `, in the same way as the SDH problem is the unparameterized version
of the q-SDH problem (see Definition 7.6 on p. 131). Intuitively, the reason that this
unparameterized assumption is implied by the LRSW assumption is simple: if there is
no adversary that can create LRSW-instances when it can (using the oracle) control the
κ’s of the LRSW-instances that it gets as input, then an adversary that can create them
without having control over the κ’s also cannot exist.
Definition 9.3. Let $e$, $p$ and $\ell = |p|$ be as above. The whLRSW assumption states that for all positive polynomials $q : \mathbb{Z} \to \mathbb{N}$, the $q(\ell)$-whLRSW assumption holds.

Proposition 9.4. The LRSW assumption implies the whLRSW assumption.

Proof. Suppose that the whLRSW assumption does not hold, i.e., there is a polynomial $q$ and a probabilistic polynomial-time algorithm $\mathcal{A}$ such that if $\mathcal{A}$ is given a list of $q(\ell)$ LRSW-instances, then it can produce a new valid LRSW-instance with non-negligible probability in $\ell$. Now we create an algorithm $\mathcal{B}$ that violates the LRSW assumption. Algorithm $\mathcal{B}$ is given $\sigma = (p, e, G_1, G_2, G_T, Q, Q^a, Q^z)$ and oracle access to $\mathcal{O}_{a,z}$, and it operates as follows.

• It randomly chooses $q(\ell)$ values $\kappa_j \in_R \mathbb{Z}_p^*$;
• For each $j$, $\mathcal{B}$ calls $\mathcal{O}_{a,z}(\kappa_j)$, obtaining a set of $q(\ell)$ valid LRSW-instances $L_j = (\kappa_j, K_j, K_j^a, K_j^{z + \kappa_j a z})$;
• Algorithm $\mathcal{B}$ runs and returns the output of $\mathcal{A}(\sigma, L_1, \dots, L_{q(\ell)})$.

Then $\mathcal{B}$ is a probabilistic polynomial-time algorithm whose success probability is the same as that of $\mathcal{A}$, which is non-negligible by assumption. This contradicts the LRSW assumption.

Thus if we prove that our scheme is safe under the whLRSW assumption, then it is also safe under the LRSW assumption.

9.2.2 The discrete logarithm problem in bilinear group pairs

It is very common in cryptographic schemes to assume the difficulty of the discrete logarithm (DL) problem (Definition 5.6 on p. 89), and the difficulty of this problem is in fact implied by many other common hardness assumptions such as for example the computational and decisional Diffie-Hellman assumptions. In that sense, taking the DL assumption is one of the weakest assumptions that one can take.
In our particular scheme, there are tuples $(P, P^a, Q, Q^a)$ where $P \in G_1$, $Q \in G_2$. Thus we find ourselves interested in the following variation of the discrete logarithm problem:
$$
\text{Given } P, P^a, Q, Q^a \text{ with } P \in G_1 \text{ and } Q \in G_2, \text{ compute } a. \tag{9.2}
$$
It is clear that in order for our scheme to be secure, this problem must be hard. This results in the following hardness assumption.

Definition 9.5 (BDL assumption). We say that the bilinear discrete logarithm assumption, or the BDL assumption for short, holds in a Type 3 bilinear pairing $e : G_1 \times G_2 \to G_T$, if there exists no probabilistic polynomial-time algorithm that can solve problem (9.2) above with non-negligible probability in $|p|$, where $p$ is the order of the three groups.
The BDL assumption implies the DL assumption in G1 , G2 and GT , since if computing
discrete logs in any of those groups would be easy then this problem would be easy
too. However, the combination of the DL assumption in G1 , G2 and GT does not seem to
imply the hardness of this problem.
We have not found this problem elsewhere in the literature. In a sense, however, this problem is not new at all. For example, it is implied by the LRSW and whLRSW assumptions; the q-SDH and the SDH assumptions (see [BB08], and Definition 7.6 on p. 131); as well as the co-CDH* assumption (which, when given $P, P^a, Q, Q^a$ as above along with $R \in G_1$, asks for $R^a$), and a number of other pairing-specific variants of the Diffie-Hellman problem (however, it is not implied by the XKEA assumption; see Section 9.5.2). Indeed, such tuples $P, P^a, Q, Q^a$ are present in many Type 3 schemes, so this problem needs to be hard in all of those schemes when $a$ is private. This applies to, for example, the Boneh–Boyen signature scheme (see [BB08] and Chapter 7), the BLS signature scheme when adapted to Type 3 pairings (see [BLS04; SV07a] and Example 5.24 on p. 103), and the Boneh-Franklin identity-based encryption scheme in the Type 3 pairing setting [BF01; Gal05]. For those reasons, this seems a very natural assumption to take; indeed, it might be the weakest assumption that one can take in a Type 3 setting that implies the DL assumption in both $G_1$ and $G_2$ simultaneously.² We speculate that it has not yet received any attention because it is implied by many other hardness assumptions, so that there is no need to explicitly consider it in schemes that use these stronger assumptions (even though it is true in such schemes). In that sense, the difficulty of this problem has been assumed all along.

² Alternatively, we could have used a Type 2 pairing instead of a Type 3 pairing, so that there would be an efficiently computable isomorphism $\psi : G_2 \to G_1$. In that case the DL assumption in $G_2$ would have sufficed; in fact, it is easy to see that in this case the DL assumption in $G_2$ implies the BDL assumption. However, Type 3 pairings generally offer superior performance, and it has been suggested that most or all cryptographic schemes that use Type 2 pairings can be converted to Type 3 pairings [SV07b].

For our purposes, the BDL assumption is important because of the following consequence. Recall that the DL assumption implies the difficulty of creating non-trivial DL-representations of 1 (see Proposition 5.7 on p. 89). The BDL assumption implies the following similar statement, that can be proven using an identical proof.

Proposition 9.6. Let $e : G_1 \times G_2 \to G_T$ be a Type 3 pairing in which the BDL assumption holds, let $p$ be the order of the three groups, and let $P, Q$ be generators of $G_1, G_2$ respectively. Let the tuple $X_1, \dots, X_m \in_R G_1$ and the tuple $Y_1, \dots, Y_m \in G_2$ be such that $\log_P X_j = \log_Q Y_j$, i.e., $e(P, Y_j) = e(X_j, Q)$. Then no probabilistic polynomial-time algorithm can, on input $X_1, \dots, X_m, Y_1, \dots, Y_m$, generate a non-trivial DL-representation of $1 \in G_1$ with respect to $(X_1, \dots, X_m)$.

Note that any non-trivial DL-representation of 1 with respect to $(X_1, \dots, X_m)$ in $G_1$ would also be one with respect to $(Y_1, \dots, Y_m)$ in $G_2$. The only difference with Proposition 5.7 is that the adversary now also has $Y_1, \dots, Y_m$ to work with.

9.2.3 A signature scheme on the space of attributes

In this section we introduce a signature scheme on the space of attributes. This signature scheme will be the basis for our credential scheme, in the following sense: the Issue protocol that we present in Section 9.3 will enable issuing such signatures over a set of attributes to users, while the ShowCredential protocol allows the user to prove that it has a signature over any subset of its signed attributes.

The Chaum-Pedersen signature scheme [CP93] serves as the basis for our signature scheme on the attribute space, and works as follows. Let $e : G_1 \times G_2 \to G_T$ be a bilinear group pair of Type 3, and let $Q \in G_2$ be a generator. The issuer's private and public keys are $a \in \mathbb{Z}_p$ and $(e, A, Q)$ respectively, where $A = Q^a$. A signature on a message $K \in G_1$ is $S = K^a$, and it is verified by $e(S, Q) \stackrel{?}{=} e(K, A)$.

There are two immediate issues with this signature scheme. First, if $(K, S)$ is a valid message-signature pair and $c \in \mathbb{Z}_p$, then $(K^c, S^c)$ is also valid. Second, if $(K_1, S_1)$ and $(K_2, S_2)$ are both valid then $(K_1 K_2, S_1 S_2)$ is also valid. That is, given valid message-signature pairs we can construct valid signatures on arbitrary powers and arbitrary products of the messages, without knowing the secret key. This signature scheme, then, is definitely not existentially unforgeable. On the other hand, this ability to modify valid signatures into new ones will allow us to create a showing protocol for credentials that is zero-knowledge in Section 9.3.

Definition 9.7 (Signature scheme on attribute space). The signature scheme is as follows.

KeyGen$(1^\ell, n)$ The issuer generates a Type 3 pairing $e : G_1 \times G_2 \to G_T$, such that $|p| = \ell$ where $p$ is the prime order of the three groups. Next it takes a generator $Q \in_R G_2$, and numbers $a, a_0, \dots, a_n, z \in_R \mathbb{Z}_p^*$ and sets $A = Q^a$, $A_0 = Q^{a_0}, \dots, A_n = Q^{a_n}$, and $Z = Q^z$. The public key is the tuple $PK = (p, e, Q, A, A_0, \dots, A_n, Z)$ and the private key is the tuple $SK = (a, a_0, \dots, a_n, z)$.

Sign$_{SK}(k_0, \dots, k_n)$ The issuer chooses $\kappa \in_R \mathbb{Z}_p^*$ and $K \in_R G_1$, and sets $S = K^a$, $S_0 = K^{a_0}, \dots, S_n = K^{a_n}$, and $T = \big(K S^\kappa \prod_{i=0}^n S_i^{k_i}\big)^z$. The signature is $(\kappa, K, S, S_0, \dots, S_n, T)$.

Verify$_{PK}((k_0, \dots, k_n), (\kappa, K, S, S_0, \dots, S_n, T))$ Setting $C = K S^\kappa \prod_{i=0}^n S_i^{k_i}$, the signature is verified by checking that $K, C \neq 1$, as well as
$$
e(T, Q) \stackrel{?}{=} e(C, Z), \qquad e(S, Q) \stackrel{?}{=} e(K, A), \qquad e(S_i, Q) \stackrel{?}{=} e(K, A_i) \text{ for each } i = 0, \dots, n.
$$

The numbers $k_i \in \mathbb{Z}_p$ are the attributes. Although $p$ may vary each time the KeyGen$(1^\ell, n)$ algorithm is invoked on a fixed security parameter $\ell$, the attribute space $\mathbb{Z}_p$ will always contain $\{0, \dots, 2^{\ell-1}\}$. In our credential scheme in Section 9.3, the zeroth attribute $k_0$ will serve as the user's secret key, but at this point it does not yet have a special role.

Although the element $C = K S^\kappa \prod_{i=0}^n S_i^{k_i}$ is, strictly speaking, not part of the signature and therefore also not part of the credential (since it may be calculated from $\kappa$, the attributes $(k_0, \dots, k_n)$ and the elements $(K, S, S_0, \dots, S_n)$), we will often think of it as if it is. Finally, we call a message-signature pair, i.e., a tuple of the form $((k_0, \dots, k_n), (\kappa, K, S, S_0, \dots, S_n, T))$ where $(\kappa, K, S, S_0, \dots, S_n, T)$ is a valid signature over $(k_0, \dots, k_n)$, a credential.

Notice that if $(k_0, \dots, k_n), (\kappa, K, S, S_0, \dots, S_n, T)$ is a valid credential, then $(k_0, \dots, k_n), (\kappa, K^\alpha, S^\alpha, S_0^\alpha, \dots, S_n^\alpha, T^\alpha)$ for any $\alpha \in \mathbb{Z}_p^*$ is another valid credential having the same attributes. That is, in the terminology of Verheul [Ver01] our credentials are self-blindable. At the same time, it is not at all clear how to change the credential into another one over different attributes, and indeed Theorem 9.8 essentially says that this is impossible. This self-blindability is what makes this signature scheme suitable for the purpose of creating an unlinkable ShowCredential protocol.

The number $\kappa$ will play a critical role in the unforgeability proof of our signature and credential schemes (Theorem 9.13).³

Once the issuer has chosen a number of attributes $n$ and computed his public key, he can easily enlarge the maximum number $n$ of attributes that the scheme allows by generating additional secret keys $a_{n+1}, \dots, a_{n'} \in_R \mathbb{Z}_p^*$, and adding the elements $A_{n+1} = Q^{a_{n+1}}, \dots, A_{n'} = Q^{a_{n'}}$ to his public key. All credentials that have been computed beforehand will remain valid under this modified public key, and their value for the new attributes $k_{n+1}, \dots, k_{n'}$ will be 0.⁴
³ We could have eased the notation somewhat by denoting $\kappa$ as an extra attribute $k_{n+1}$, but because it plays a rather different role than the other attributes (it is part of the signature), we believe this would create more confusion than ease.
⁴ This means that the value 0 that the new attributes will have must not have any meaning; i.e., it should be clear to all participants in the scheme that this value indicates that the attribute was not issued to the credential owner.

Table 9.1. Notation comparison between our signature scheme and the Camenisch-Lysyanskaya signature scheme [CL02].

Object | Ours | CL | Remarks
signature | $T$ | $A$ |
attributes | $k_i$ | $m_i$ |
randomizer | $\kappa$ | $v$ |
prime | | $e$ | specific to CL-scheme
randomizer base point | $S$ | $S$ | differs per credential in our scheme
attribute base points | $S_i$ | $R_i$ | differs per credential in our scheme
base point | $K$ | $Z$ | differs per credential in our scheme
public key elements | $Q, A, A_i, Z$ | | specific to our scheme

Theorem 9.8. Our credentials are existentially unforgeable under adaptively chosen message attacks (in the sense of Definition 5.23 on p. 102), under the whLRSW assumption.

We will prove this after we have proven unforgeability of our credential scheme (Theorem 9.13). Unforgeability also follows from the XKEA and BDL assumptions, as they together imply the whLRSW assumption (see Theorem 9.21).

Remark 9.9. Our signature scheme has a number of similarities with the Camenisch-Lysyanskaya signature scheme [CL02] on which Idemix is built. Most of the ingredients of our scheme have an analogue in Idemix that more or less serves the same purpose. Although the comparison is not always perfect and thus should not be taken too literally, we include a comparison of the various elements of both schemes in Table 9.1. Without presenting all details, in the Camenisch-Lysyanskaya signature scheme, the attributes are denoted with $m_i$ and a signature on a set of attributes is a triple $(A, e, v)$, which is such that $A^e = Z / (S^v R_0^{m_0} \cdots R_n^{m_n})$, or equivalently $A^{-1} = (Z^{-1} S^v R_0^{m_0} \cdots R_n^{m_n})^{1/e}$. Here $e$ is a prime and $Z, S, R_0, \dots, R_n$ are part of the issuer public key. Recall that in our scheme, a signature is a tuple $(\kappa, K, S, S_0, \dots, S_n, T)$ such that $T = (K S^\kappa S_0^{k_0} \cdots S_n^{k_n})^z$.

9.3 The credential scheme

In this section we present our credential scheme. The strategy is as follows: having defined an unforgeable signature scheme on the set of attributes $\mathbb{Z}_p^n$ (Definition 9.7), we provide an issuing protocol, in which the issuer grants a credential to a user, and a showing protocol, which allows a user to give a zero-knowledge proof to a verifier that he possesses a credential, revealing some of the attributes contained in the credential while keeping the others secret. The Issue protocol is shown in Figure 9.1, and the ShowCredential protocol is shown in Figure 9.2. Here and in the remainder of the chapter, we will write $\mathcal{D} \subset \{1, \dots, n\}$ for the index set of the disclosed attributes, and
$$
\mathcal{C} = \{1, \dots, n\} \setminus \mathcal{D}
$$

Common information: Attributes $k_1, \dots, k_n$, issuer's public key $PK = (p, e, Q, A, A_0, \dots, A_n, Z)$
User knows secret key $k_0$; Issuer knows $SK = (a, a_0, \dots, a_n, z)$

Issuer: choose $\bar K \in_R G_1$
Issuer → User: send $\bar S = \bar K^a$, $\bar S_0 = \bar K^{a_0}$
User: choose $\alpha, \kappa' \in_R \mathbb{Z}_p^*$
User: set $S = \bar S^\alpha$, $S_0 = \bar S_0^\alpha$
User → Issuer: send $S$, $S_0$, $R = S^{\kappa'} S_0^{k_0}$
User ↔ Issuer: $PK\{(\kappa', k_0) : R = S^{\kappa'} S_0^{k_0}\}$
Issuer: set $K = S^{1/a}$
Issuer: verify $S \neq \bar S$, $K = S_0^{1/a_0}$
Issuer: choose $\kappa'' \in_R \mathbb{Z}_p$
Issuer: set $S_i = K^{a_i}$ for all $i \in [1, n]$
Issuer: set $T = \big(K S^{\kappa''} R \prod_{i=1}^n S_i^{k_i}\big)^z$
Issuer → User: send $\kappa'', K, S_1, \dots, S_n, T$
User: set $\kappa = \kappa' + \kappa''$
User: Verify$_{PK}((k_0, \dots, k_n), (\kappa, K, S, S_0, \dots, S_n, T))$
User: return $(k_0, \dots, k_n), (\kappa, K, S, S_0, \dots, S_n, T)$

Figure 9.1. The Issue protocol. In the protocol, the issuer sends two elements $\bar S, \bar S_0$ (having the appropriate relative discrete log) to the user, who blinds them using a random number, and sends the blinded versions to the issuer. With respect to these blinded elements, the user then proves that it knows its secret key $k_0$ and its contribution $\kappa'$ to the number $\kappa$. If the issuer is convinced by this proof, it chooses its own contribution $\kappa''$ to $\kappa$, and it computes the remaining elements $K, S_1, \dots, S_n, T$ such that $(\kappa' + \kappa'', K, S, S_0, \dots, S_n, T)$ is a valid signature over the attributes. These elements are sent to the user who finally constructs the credential.

for the index set of the undisclosed attributes. We do not consider the index 0 of the
secret key k0 to be an element of C , as the secret key is always kept secret.
The Issue protocol is such that both parties contribute to κ and K with neither party
being able to choose the outcome in advance (unlike the signing algorithm of the signa-
ture scheme from the previous section, where the signer chooses κ and K on its own).
This ensures that these elements are randomly distributed even if one of the parties is
dishonest. Additionally, the issuer is prevented from learning the values of κ and the
secret key k0 .
As noted earlier, we assume that the user and issuer have agreed on the attributes $k_1, \dots, k_n$ to be contained in the credential before executing this protocol. Similarly, we assume that the user sends the disclosure set $\mathcal{D}$ and disclosed attributes $(k_i)_{i \in \mathcal{D}}$ to the verifier prior to executing the ShowCredential protocol.

Common information: Issuer's public key $PK = (p, e, Q, A, A_0, \dots, A_n, Z)$; disclosure set $\mathcal{D}$, undisclosed set $\mathcal{C} = \{1, \dots, n\} \setminus \mathcal{D}$; disclosed attributes $(k_i)_{i \in \mathcal{D}}$
User knows $K, S, S_0, \dots, S_n, \kappa, (k_i)_{i \in \mathcal{C}}, C, T$

User: choose $\alpha, \beta \in_R \mathbb{Z}_p^*$
User: set $\bar K = K^\alpha$, $\bar S = S^\alpha$, $\bar S_i = S_i^\alpha$ for all $i \in [0, n]$
User: set $\tilde C = C^{-\alpha/\beta}$, $\tilde T = T^{-\alpha/\beta}$
User → Verifier: send $\bar K, \bar S, (\bar S_i)_{i=0,\dots,n}, \tilde C, \tilde T$
User and Verifier: set $D = \bar K^{-1} \prod_{i \in \mathcal{D}} \bar S_i^{-k_i}$
User ↔ Verifier: $PK\{(\beta, \kappa, k_0, (k_i)_{i \in \mathcal{C}}) : D = \tilde C^\beta \bar S^\kappa \bar S_0^{k_0} \prod_{i \in \mathcal{C}} \bar S_i^{k_i}\}$
Verifier: verify $e(\bar K, A) \stackrel{?}{=} e(\bar S, Q)$, and $e(\bar K, A_i) \stackrel{?}{=} e(\bar S_i, Q)$ for all $i \in [0, n]$, and $e(\tilde C, Z) \stackrel{?}{=} e(\tilde T, Q)$

Figure 9.2. The ShowCredential protocol. We assume that the user has the element $C = K S^\kappa S_0^{k_0} \cdots S_n^{k_n}$ stored so that it does not need to compute it every time the protocol is run (see Section 9.4 for more such optimizations). In the protocol, the user first blinds $K$, $S$ and each $S_i$ with a random number, and $C$ and $T$ with a different random number, resulting in new elements $\bar K, \bar S, \bar S_i$ and $\tilde C, \tilde T$. These are sent to the verifier. Then, the user proves that he knows the hidden attributes and the number $\kappa$, as well as a number $\beta$ which is such that $\tilde C^\beta$ is of the required form $\tilde C^\beta = \bar K \bar S^\kappa \bar S_0^{k_0} \prod_{i=1}^n \bar S_i^{k_i}$. If the proof of knowledge is valid and the elements $\bar K, \bar S$ and $\bar S_i$ on the one hand and $\tilde C, \tilde T$ on the other hand have the appropriate relative discrete logarithms (which the verifier checks by calculating a number of pairings), then the verifier accepts.

Remark 9.10. Although we have not explicitly denoted so in the protocols, it is important (in both protocols) that whenever one party receives a group element (say, $X = (x, y)$ from $G_1$ or $G_2$) from the other party, it checks that $X$ is indeed a valid element of $G_1$ or $G_2$. That is, it should be verified that the coordinates $(x, y)$ of $X$ satisfy the equation that defines the elliptic curve group. For example, if the curve is defined using a Weierstrass equation with coefficients $a, b$, then
$$
y^2 = x^3 + ax + b
$$
must hold, in order to prevent invalid curve attacks such as for example those from [Ant+02]. For the same reason, if the group $G_1$ or $G_2$ is a proper subgroup of some elliptic curve group, then it must also be checked that the element is indeed a member of this subgroup.
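The receiving-side checks of Remark 9.10, as an added Python example that is not code from the thesis or its implementation. The curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$ is a constructed toy with 28 points, and $G_1$ is taken to be its subgroup of prime order 7, so the curve also has points that lie outside $G_1$; the function names are the example's own.

```python
# Constructed toy curve y^2 = x^3 + A*x + B over F_P; it has 28 points, and its
# subgroup of prime order 7 plays the role of G1 (cofactor 4).  A real scheme
# uses a pairing-friendly curve with a large prime-order subgroup instead.
P, A, B = 23, 1, 1
G1_ORDER = 7
INF = None                                   # the point at infinity, the group identity


def on_curve(pt):
    """Curve-equation check from Remark 9.10: coordinates in F_P and y^2 == x^3 + A x + B."""
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Group law on the curve, affine short-Weierstrass formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:      # p2 == -p1 (also covers doubling a point with y == 0)
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def validate_g1_element(pt):
    """What a party must check on a received element X before using it as an element of G1:
    it is a finite point (the protocols require K, C != 1), it satisfies the curve equation
    (an off-curve point is the starting point of an invalid-curve attack, [Ant+02]), and it
    lies in the prime-order subgroup G1, i.e. G1_ORDER * X == O."""
    if pt is INF or not on_curve(pt):
        return False
    return mul(G1_ORDER, pt) is INF


def g1_generator():
    """Map a curve point into G1 by multiplying with the cofactor 28 / 7 = 4."""
    return mul(28 // G1_ORDER, (0, 1))       # (0, 1) lies on the curve: 1 == 0 + 0 + 1
```

On this toy curve the point $(4, 0)$ satisfies the curve equation but has order 2, so it passes the equation check and fails the subgroup check; a point such as $(5, 1)$ fails the equation check outright.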

Mathematically, we can formalize what the ShowCredential protocol should do as follows. Let $\mathcal{K}_{p,n}$ be the set of all public keys having $n$ attributes and where $p$ is the order of the groups $G_1$, $G_2$ and $G_T$. The common knowledge of the user and verifier when running the ShowCredential protocol consists of elements of the following formal language:
$$
L = \big\{ (PK, \mathcal{D}, (k_i)_{i \in \mathcal{D}}) \;\big|\; p, n > 0;\ p \text{ prime};\ PK \in \mathcal{K}_{p,n};\ \mathcal{D} \subset \{1, \dots, n\};\ k_i \in \mathbb{Z}_p\ \forall\, i \in \mathcal{D} \big\}. \tag{9.3}
$$
In addition, let the relation $R$ be such that $R(x, w) = 1$ only if $x = (PK, \mathcal{D}, (k_i)_{i \in \mathcal{D}}) \in L$, and $w = ((k_0', \dots, k_n'), s)$ is a valid credential with respect to $PK$, with $k_i' = k_i$ for $i \in \mathcal{D}$ (i.e., the disclosed attributes $(k_i)_{i \in \mathcal{D}}$ are contained in the credential $w$). Thus the equation $R(x, w) = 1$ holds only if $w$ is a valid credential having attributes $(k_i)_{i \in \mathcal{D}}$.

In Theorems 9.11, 9.12 and 9.14 we will prove that our ShowCredential protocol is a black-box zero-knowledge proof of knowledge (see Definition 5.17) for this relation. From this fact unforgeability and unlinkability will follow.

Theorem 9.11. The showing protocol is complete with respect to the language $L$: if a user has a valid credential then it can make the verifier accept.

Proof. If the user follows the ShowCredential protocol, then $e(\bar K, A) = e(K^\alpha, Q^a) = e(K^{\alpha a}, Q) = e(S^\alpha, Q) = e(\bar S, Q)$, so the first verification that the verifier does will pass. An almost identical calculation shows that the second and third verifications pass as well. As to the proof of knowledge, setting $\bar C = C^\alpha$ we have
$$
\tilde C^\beta \bar S^\kappa \bar S_0^{k_0} \prod_{i \in \mathcal{C}} \bar S_i^{k_i} = \bar C^{-1} \bar S^\kappa \bar S_0^{k_0} \prod_{i \in \mathcal{C}} \bar S_i^{k_i} = \bar K^{-1} \prod_{i \in \mathcal{D}} \bar S_i^{-k_i} = D, \tag{9.4}
$$
so the user can perform this proof without problem.
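To make the algebra of Definition 9.7, its self-blindability, and the ShowCredential blinding of Figure 9.2 (with the completeness calculation (9.4)) concrete, here is an added Python example; it is not code from the thesis or the IRMA implementation. It assumes a deliberately insecure stand-in for the bilinear groups: every element is stored as its discrete logarithm to a fixed generator of its group, so products become sums, powers become products, and the Type 3 pairing becomes a product of logs, all modulo a constructed prime $P$; every verification equation of the scheme then holds or fails exactly as it would on real curves, and all function names are the example's own.

```python
import secrets

# Constructed toy group order (a Mersenne prime); a real deployment uses the
# prime order p of a pairing-friendly curve (Definition 9.7, KeyGen).
P = 2**127 - 1


def rand_exp():
    """Random element of Z_p^*, i.e. a random non-identity group element in the log model."""
    return 1 + secrets.randbelow(P - 1)


def pair(x, y):
    """Type 3 pairing in the log model: e(P^x, Q^y) = e(P, Q)^(x*y) is represented by x*y mod p."""
    return x * y % P


def commitment(attrs, kappa, K, S, Si):
    """Log of C = K * S^kappa * prod_i S_i^(k_i), the element that T is computed from."""
    return (K + kappa * S + sum(k * s for k, s in zip(attrs, Si))) % P


def keygen(n):
    """KeyGen(1^l, n): secret exponents a, a_0..a_n, z and their images A, A_i, Z in G2."""
    q = rand_exp()                                   # generator Q of G2
    sk = {"a": rand_exp(), "ai": [rand_exp() for _ in range(n + 1)], "z": rand_exp()}
    pk = {"Q": q, "A": q * sk["a"] % P, "Ai": [q * ai % P for ai in sk["ai"]], "Z": q * sk["z"] % P}
    return pk, sk


def sign(sk, attrs):
    """Sign_SK(k_0..k_n): returns (kappa, K, S, [S_0..S_n], T)."""
    kappa, K = rand_exp(), rand_exp()
    S = K * sk["a"] % P
    Si = [K * ai % P for ai in sk["ai"]]
    T = commitment(attrs, kappa, K, S, Si) * sk["z"] % P
    return (kappa, K, S, Si, T)


def verify(pk, attrs, sig):
    """Verify_PK: K, C != 1 plus the pairing equations of Definition 9.7."""
    kappa, K, S, Si, T = sig
    C = commitment(attrs, kappa, K, S, Si)
    if K == 0 or C == 0:                             # log 0 is the identity element 1
        return False
    return (pair(T, pk["Q"]) == pair(C, pk["Z"])
            and pair(S, pk["Q"]) == pair(K, pk["A"])
            and all(pair(s, pk["Q"]) == pair(K, ai) for s, ai in zip(Si, pk["Ai"])))


def blind(sig, alpha):
    """Self-blinding: raise every group element of the signature to the power alpha."""
    kappa, K, S, Si, T = sig
    return (kappa, K * alpha % P, S * alpha % P, [s * alpha % P for s in Si], T * alpha % P)


def show(attrs, sig, disclosed):
    """User side of ShowCredential (Figure 9.2): the blinded elements sent to the verifier
    and the witness (beta, kappa, k_0 and the hidden k_i) of the proof of knowledge."""
    kappa, K, S, Si, T = sig
    alpha, beta = rand_exp(), rand_exp()
    C = commitment(attrs, kappa, K, S, Si)
    r = -alpha * pow(beta, -1, P) % P                # the exponent -alpha/beta
    msg = {"K": K * alpha % P, "S": S * alpha % P, "Si": [s * alpha % P for s in Si],
           "C~": C * r % P, "T~": T * r % P}
    witness = {"beta": beta, "kappa": kappa,
               "hidden": {i: k for i, k in enumerate(attrs) if i not in disclosed}}
    return msg, witness


def verifier_pairings_ok(pk, msg):
    """The three pairing checks the verifier performs at the end of Figure 9.2."""
    return (pair(msg["K"], pk["A"]) == pair(msg["S"], pk["Q"])
            and all(pair(msg["K"], ai) == pair(s, pk["Q"]) for s, ai in zip(msg["Si"], pk["Ai"]))
            and pair(msg["C~"], pk["Z"]) == pair(msg["T~"], pk["Q"]))


def relation_ok(msg, disclosed_attrs, witness):
    """The statement of PK{...}: D = C~^beta * S^kappa * S_0^k_0 * prod_hidden S_i^k_i, where
    D = K^-1 * prod_disclosed S_i^-k_i.  A real verifier never sees the witness; it is plugged
    in here only to check the completeness calculation (9.4) directly."""
    D = (-msg["K"] - sum(k * msg["Si"][i] for i, k in disclosed_attrs.items())) % P
    rhs = (witness["beta"] * msg["C~"] + witness["kappa"] * msg["S"]
           + sum(k * msg["Si"][i] for i, k in witness["hidden"].items())) % P
    return D == rhs


def demo():
    """Issue a 3-attribute credential, blind it, disclose k_1 only, and try a forged attribute."""
    pk, sk = keygen(n=3)
    attrs = [rand_exp(), 1984, 7, 11]                # k_0 is the user's secret key; constructed values
    sig = sign(sk, attrs)
    forged = attrs[:]
    forged[2] += 1                                   # same signature, different attribute vector
    msg, wit = show(attrs, blind(sig, rand_exp()), disclosed={1})
    return {"valid": verify(pk, attrs, sig),
            "blinded_valid": verify(pk, attrs, blind(sig, rand_exp())),
            "forgery_valid": verify(pk, forged, sig),
            "show_accepted": verifier_pairings_ok(pk, msg) and relation_ok(msg, {1: attrs[1]}, wit)}
```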

9.3.1 Unforgeability
Lemma 9.12. With respect to the language L defined in (9.3), the ShowCredential protocol is
black-box extractable, in the sense of Definition 5.17 on p. 96.

Proof. By Definition 5.17, we must show the existence of an extractor $\chi$ satisfying the following: for all $x \in L$, if a probabilistic polynomial-time algorithm $P^*$, acting as the user, can successfully run the ShowCredential protocol with a verifier with probability $\epsilon(|x|)$, then there is an algorithm $\chi$ that, when given black-box access to $P^*$, extracts with probability $\epsilon(|x|) - \nu(|x|)$ a valid credential from $P^*$, where $\nu(|x|)$ is some negligible function.

As part of our ShowCredential protocol, the user performs a zero-knowledge proof of knowledge of the numbers $\beta, \kappa, k_0$ and $(k_i)_{i \in \mathcal{C}}$ that are such that $D = \tilde C^\beta \bar S^\kappa \bar S_0^{k_0} \prod_{i \in \mathcal{C}} \bar S_i^{k_i}$. By Definition 5.17, then, there exists an extractor $\chi_D$ that extracts these numbers from this zero-knowledge proof, failing with negligible probability $\nu_D(|x|)$. Our extractor $\chi$ uses this extractor $\chi_D$, as follows:

• first it stores the group elements $\bar K, \bar S, (\bar S_i)_{i=0,\dots,n}, \tilde T$ that the user sends to it;
• it uses the extractor $\chi_D$ to obtain the numbers $\beta, \kappa, k_0$ and $(k_i)_{i \in \mathcal{C}}$ from the proof of knowledge;
• it sets $\bar T = \tilde T^{-\beta}$; note that if $T$ was valid then we have $\bar T = T^\alpha = C^{\alpha z} = \big(\bar K \bar S^\kappa \bar S_0^{k_0} \prod_{i=1}^n \bar S_i^{k_i}\big)^z$;
• it returns $(k_0, \dots, k_n), (\kappa, \bar K, \bar S, \bar S_0, \dots, \bar S_n, \bar T)$.

The only action that $\chi$ performs that normal verifiers cannot perform is the extraction of the numbers $\beta, \kappa, k_0, (k_i)_{i \in \mathcal{C}}$ from the proof of knowledge. Therefore, if the user $P^*$ convinces normal verifiers with probability $\epsilon(|x|)$, then $\chi$ will succeed with probability $\epsilon(|x|) - \nu_D(|x|)$. Since $\nu_D$ is negligible by Definition 5.17, this proves the claim.

In the proof of the unforgeability theorem, we will need a tuple $(\hat K, \hat S, \hat S_0, \dots, \hat S_n) \in G_1^{n+3}$ such that $\hat S = \hat K^{a}$ and $\hat S_i = \hat K^{a_i}$ for all $i$. For that reason we will henceforth assume that such a tuple is included in the issuer's public key (we will need this tuple also when proving unlinkability of our scheme in Theorem 9.14).⁵ Notice that the presence of this tuple does not endow the adversary with any extra capabilities, as it could already obtain such a tuple in an Issue query to the challenger.
Theorem 9.13. Our credential scheme is unforgeable under the whLRSW assumption, in the
sense of Definition 5.27 on p. 107.

Proof. Suppose that there exists an adversary $\mathcal{A}$ that can break unforgeability of our scheme, using $q_I$ Issue queries and $q_S$ ShowCredential queries. Then we build an algorithm $\mathcal{B}$ that contradicts the $q$-whLRSW assumption with $q = q_I + q_S$. As $q$ must be polynomial in $\ell$ (otherwise adversary $\mathcal{A}$ could not be polynomial-time), this in turn contradicts the whLRSW assumption. Thus, adversary $\mathcal{A}$ plays the credential unforgeability game with algorithm $\mathcal{B}$, who acts as the challenger of $\mathcal{A}$ on the one hand and will use what it learns from this game to violate the $q$-whLRSW assumption on the other hand.
The first thing to notice is that if we take a setup of $n = 0$ attributes, then credentials in this setup are LRSW instances. The public key of such a setup would be $Q, \bar A = Q^{\bar a}, Z = Q^{z}$ (where the reason for the bar on top of the second group element will become clear shortly), and a valid credential would be $\bar\kappa, K, \bar S = K^{\bar a}, T = (K \bar S^{\bar\kappa})^z = K^{z + \bar\kappa \bar a z}$, which is indeed an LRSW instance. Suppose that algorithm $\mathcal{B}$ is given a list of $q = q_I + q_S$ such LRSW-instances

$$\bar\kappa_j,\ K_j,\ \bar S_j,\ T_j = (K_j \bar S_j^{\bar\kappa_j})^z = K_j^{z + \bar\kappa_j \bar a z},$$

along with $Q, \bar A, Z$. Algorithm $\mathcal{B}$, acting as the challenger, engages in the unforgeability game with $\mathcal{A}$, acting as follows.

Setup Challenger $\mathcal{B}$ lets $\mathcal{A}$ decide on the number of attributes $n$. Next it generates $a, a_0, \dots, a_n \in_R \mathbb{Z}_p^*$ and then sets $A = \bar A^{a}$ and $A_i = \bar A^{a_i}$ for $i = 0, \dots, n$. Then it sends the public key

$$Q, A, A_0, \dots, A_n, Z$$

to $\mathcal{A}$.

⁵Note that credential owners already have such a tuple; verifiers can obtain one simply by executing the ShowCredential protocol with a user that has a valid credential; and issuers can of course create such tuples by themselves. Therefore in practice, each party participating in the scheme will probably already have such a tuple, so that including it in the public key may not be necessary in implementations.
Queries Challenger $\mathcal{B}$ answers queries from $\mathcal{A}$ as follows. We use the index $j$ here for both kinds of queries; i.e., if either query is performed then $j$ is incremented by 1.
Issue $(k_{1,j}, \dots, k_{n,j})$: Challenger $\mathcal{B}$ engages in the issuing protocol with $\mathcal{A}$ on the specified attributes. Using the LRSW-instance $\bar\kappa_j, K_j, \bar S_j, T_j$, note that the challenger can compute elements $S_{i,j}$ which are valid with respect to its public key by

$$S_j = \bar S_j^{a} \quad\text{and}\quad S_{i,j} = \bar S_j^{a_i}$$

for all $i = 0, \dots, n$. Using these elements it performs the issuing protocol normally, but when the adversary proves knowledge of its private key $k_{0,j}$ and the number $\kappa'$, $\mathcal{B}$ extracts these numbers from the proof of knowledge using the extractor guaranteed to exist by Definition 5.17. Next, it solves the equation

$$\kappa_j a + \sum_{i=0}^{n} k_{i,j} a_i = \bar\kappa_j \tag{9.5}$$

for $\kappa_j$ (i.e., it sets $\kappa_j = (\bar\kappa_j - \sum_{i=0}^{n} k_{i,j} a_i)/a$), and uses the number $\kappa_j - \kappa'$ as the value for $\kappa''$ in the remainder of the protocol.
Notice that we then have

$$K_j \bar S_j^{\bar\kappa_j} = K_j \bar S_j^{\kappa_j a + \sum_{i=0}^{n} k_{i,j} a_i} = K_j S_j^{\kappa_j} \prod_{i=0}^{n} S_{i,j}^{k_{i,j}},$$

and

$$e(S_{i,j}, Q) = e(\bar S_j^{a_i}, Q) = e(K_j^{\bar a a_i}, Q) = e(K_j, \bar A^{a_i}) = e(K_j, A_i),$$

and similarly $e(S_j, Q) = e(K_j, A)$. This means that $(k_{0,j}, \dots, k_{n,j}), (\kappa_j, K_j, S_j, S_{0,j}, \dots, S_{n,j}, T_j)$ is a valid credential.
ShowCredential $(\mathcal{D}, k_{1,j}, \dots, k_{n,j})$: The challenger $\mathcal{B}$ embeds $k_{1,j}, \dots, k_{n,j}$ in one of its LRSW-instances as it does in Issue queries, randomly choosing a $\kappa_j$ and $k_{0,j}$ itself. Next it performs the ShowCredential protocol with the adversary over $(k_{i,j})_{i \in \mathcal{D}}$ as requested.
Output When $\mathcal{A}$ and $\mathcal{B}$ engage in the ShowCredential protocol, $\mathcal{B}$ uses the extractor guaranteed to exist by Lemma 9.12 above, obtaining a credential

$$(k_0, \dots, k_n), (\kappa, K, S, S_0, \dots, S_n, T). \tag{9.6}$$

Then $\mathcal{B}$ calculates $\bar\kappa = \kappa a + \sum_{i=0}^{n} k_i a_i$ and outputs $\bar\kappa, K, \bar S = S^{1/a}, T$.

If the credential (9.6) that $\mathcal{B}$ extracts from $\mathcal{A}$ is valid, then $S = K^{\bar a a} = \bar S^{a}$ and $S_i = K^{\bar a a_i} = \bar S^{a_i}$. Also, setting $\bar\kappa = \kappa a + \sum_{i=0}^{n} k_i a_i$, $T$ equals

$$T = \Bigl( K S^{\kappa} \prod_{i=0}^{n} S_i^{k_i} \Bigr)^z = \bigl( K \bar S^{\kappa a + \sum_{i=0}^{n} k_i a_i} \bigr)^z = \bigl( K \bar S^{\bar\kappa} \bigr)^z = K^{z + \bar\kappa \bar a z}.$$

This implies that the tuple $\bar\kappa, K, \bar S, T$ is a valid LRSW-instance. In order to derive a contradiction with the $q$-whLRSW assumption, it remains to show that with non-negligible probability $\bar\kappa \neq \bar\kappa_j$ for all $j$.
Suppose that there is a non-negligible chance that adversary $\mathcal{A}$ wins such that $\bar\kappa = \bar\kappa_j$ for some $j$. Then we have for this $j$

$$S^{\kappa} \prod_{i=0}^{n} S_i^{k_i} = \bar S^{\bar\kappa} = \bar S^{\bar\kappa_j} = S^{\kappa_j} \prod_{i=0}^{n} S_i^{k_{i,j}},$$

or equivalently,

$$1 = S^{\kappa - \kappa_j} \prod_{i=0}^{n} S_i^{k_i - k_{i,j}}. \tag{9.7}$$

Now there are two possibilities: either $j$ corresponds to an Issue query or to a ShowCredential query. If $j$ was an Issue query, then it follows from the fact that $\mathcal{A}$ won that the DL-representation (9.7) of 1 above is nontrivial, otherwise the output of $\mathcal{A}$ would not have been a new credential. On the other hand, if $j$ was a ShowCredential query, then the values of $\kappa$ and $k_0$ that challenger $\mathcal{B}$ chose and used are information-theoretically hidden from $\mathcal{A}$. This means that the probability that $\mathcal{A}$ chose the values of $\kappa, k_i$ exactly such that $\kappa = \kappa_j$ and $k_i = k_{i,j}$ is negligible, so that the DL-representation above will still be nontrivial with overwhelming probability. In both cases the DL-representation is thus nontrivial with overwhelming probability. Now, since the elements $\hat S, \hat S_0, \dots, \hat S_n$ have the same relative discrete logarithms as the elements $S, S_0, \dots, S_n$, this results in the following non-trivial DL-representation:

$$1 = \hat S^{\kappa - \kappa_j} \prod_{i=0}^{n} \hat S_i^{k_i - k_{i,j}}. \tag{9.8}$$

Notice that it is easy to check if this holds for some $j$ even without knowledge of the secret key $a, a_0, \dots, a_n, z$. We can therefore exploit this ability of the adversary without knowledge of these numbers to contradict Proposition 9.6 as follows. Let $P, X_0, \dots, X_{n+1} \in G_1$, $Q, Y_0, \dots, Y_{n+1} \in G_2$ be given, with $e(P, Y_i) = e(X_i, Q)$. We construct a non-trivial DL-representation of 1 with respect to $X_1, \dots, X_n$ as follows.
• Set $\hat K = P$, $\hat S = X_0$, $\hat S_i = X_{i+1}$, and $A = Y_0$, $A_i = Y_{i+1}$. Take $z \in_R \mathbb{Z}_p^*$ and set $Z = Q^{z}$.
• Play the unforgeability game with the adversary with respect to the public key $(p, e, Q, A, A_0, \dots, A_n, Z)$ constructed above. In each query, generate a new valid tuple $(K, S, S_0, \dots, S_n)$ by taking a random number $r \in \mathbb{Z}_p^*$ and setting $K = \hat K^{r}$, $S = \hat S^{r}$, and $S_i = \hat S_i^{r}$ for $i = 0, \dots, n$. At the end of the game, return the resulting DL-representation (9.8) of 1.

As this would contradict Proposition 9.6, we conclude that we must have $\bar\kappa \neq \bar\kappa_j$ with overwhelming probability. But then the output $(\bar\kappa, K, \bar S, T)$ of algorithm $\mathcal{B}$ would be a new LRSW-instance, contradicting the $q$-whLRSW assumption.

The unforgeability of the credential scheme implies that of the underlying signature
scheme, as follows.

Proof of Theorem 9.8. Suppose that there exists an adversary A that can forge the signa-
ture scheme from Section 9.2.3. Then we create a forger B for our credential scheme as
follows. Forger B is the challenger of adversary A in the signature scheme unforgeabil-
ity game, and the adversary in the credential scheme unforgeability game. It operates
as follows.

Setup Forger B receives a public key from its challenger and forwards it to the adversary
A.
Queries Whenever adversary A requests a signature on a set of attributes (k0 , . . . , k n ),
B performs an Issue query on these attributes with its challenger. It sends the
resulting signature to A.
Output If A outputs a valid new credential then B uses this in the ShowCredential
protocol with its challenger.

Then the success probability of B will be the same as that of A.

9.3.2 Anonymity
In order to prove that our ShowCredential protocol is zero-knowledge with respect to the language $L$ from equation (9.3), we must show the existence of a simulator whose behavior is, from the perspective of a verifier, indistinguishable from an honest user. In order to achieve this, the simulator will need a pair $(\hat C, \hat T) \in G_1^2$ such that $\hat T = \hat C^{z}$ (as well as the elements $\hat K, \hat S, \hat S_0, \dots, \hat S_n$ that we added to the public key earlier). For that reason, we will henceforth assume that such a pair is included with the public key $PK$ of the credential scheme. Note that one can view these elements $\hat K, \hat S, \hat S_0, \dots, \hat S_n, \hat C, \hat T$ as an extra credential of which the numbers $(\kappa, k_0, \dots, k_n)$ are not known. Therefore the credential scheme remains unforgeable (in the sense that Theorem 9.13 still holds).
Theorem 9.14. The ShowCredential protocol is a black-box zero-knowledge proof of knowledge
with respect to the language L.

Proof. The ShowCredential protocol is complete (Theorem 9.11) and extractable (Lemma 9.12), so by Definition 5.17 on p. 96 it remains to show here that there exists a simulator whose behavior is indistinguishable from an honest user. This simulator $\mathcal{S}$ is given the issuer's public key, a disclosure set $\mathcal{D}$, and a list of attributes $k_i$ for $i \in \mathcal{D}$. We have it proceed as follows.

• It chooses random $\alpha, \beta \in_R \mathbb{Z}_p^*$;
• It sets $\bar K = \hat K^{\alpha}$, $\bar S = \hat S^{\alpha}$, $\bar S_i = \hat S_i^{\alpha}$ for $i = 0, \dots, n$, and $\tilde C = \hat C^{\beta}$, $\tilde T = \hat T^{\beta}$;
• It sends these values to the verifier, and then uses the simulator from the proof of knowledge of the numbers $\beta, \kappa, k_0, (k_i)_{i \in \mathcal{C}}$.

It remains to show that this behavior is indistinguishable from that of honest users, to any verifier that is given any auxiliary information. First notice that for honest users and the simulator alike, the elements $\bar K$ and $\tilde C$ are always randomly distributed in $G_1$. Also, again for both honest users and the simulator, the elements $\bar S, \bar S_i$ and $\tilde T$ are determined by $\bar K$ and $\tilde C$ respectively.
Notice that for any $\beta \in \mathbb{Z}_p^*$ and any set $\mathcal{C}$ of undisclosed attributes, there exist numbers $\kappa, k_0, (k_i)_{i \in \mathcal{C}}$ such that equation (9.4) holds. Thus the only difference between honest users and the simulator is that an honest user knows these numbers and uses them to honestly prove knowledge of them, while the simulator simulates this proof. However, by the black-box zero-knowledge property of the proof of knowledge over these numbers, this cannot be detected by the verifier. Thus the verifier can behave no differently than it would have done if it had interacted with an honest user $P$.

Theorem 9.15. Let (KeyGen, Issue, ShowCredential) be an attribute-based credential scheme whose ShowCredential protocol is black-box zero-knowledge. Then the scheme is unlinkable in the sense of Definition 5.28.

Proof. Let the auxiliary input to the verifier be whatever it learns in the Queries phase of the unlinkability game. In the Challenge phase, instead of performing the showing protocol normally using credential $j_b$, the challenger uses the simulator $\mathcal{S}$ whose existence is guaranteed by the black-box zero-knowledge property of the ShowCredential protocol. It is clear that in this case the adversary cannot have a non-negligible advantage. By equation (5.2), then, it also cannot have a non-negligible advantage if the challenger uses credential $j_b$ normally (i.e., without the help of the simulator $\mathcal{S}$).

Theorem 9.16. Our credential scheme is unlinkable.

Proof. Follows from Theorems 9.14 and 9.15.

Remark 9.17. Returning to Remark 7.13 on p. 140, notice that our scheme is unlinkable even though the Issue protocol is not (partially) blind (in the sense of Definition 7.1 on p. 127). For example, when given a credential $(k_0, \dots, k_n), (\kappa, S, S_0, \dots, S_n, T)$, the issuer can use $k_0$ and $\kappa$, and the numbers $\kappa''$ from the logs of Issue executions, to recalculate the element $R$ that would have been used during the Issue protocol, and try to match this $R$ with the ones from his logs.
However, when combined with the ShowCredential protocol, this protocol still results in an (issuer and multi-show) unlinkable scheme. In this case, in contrast with the partially blind issuing protocol from Chapter 7, the unlinkability comes not from the Issue protocol but from the ShowCredential protocol: by being a zero-knowledge proof of knowledge, the verifier learns nothing besides the fact that the user has a credential containing the disclosed attributes. Consequently, even if the verifier was the one that issued the credential, the ShowCredential protocol hides so much that it cannot link ShowCredential executions to Issue executions.

9.3.3 Combining credentials using the private key


Let a bilinear pairing $e : G_1 \times G_2 \to G_T$ be fixed, and let $PK$ and $PK'$ be two public keys defined in these groups (not necessarily distinct). In this scenario multiple credentials can be bound together using their private keys $k_0$. If a user has a credential valid with respect to $PK$ and another one valid with respect to $PK'$ and the credentials have the same secret key, then the user can simultaneously disclose attributes from both credentials, in such a way that the verifier is assured that the two credentials are owned by one user, as opposed to two colluding users. This works as follows.
Let $w$ and $w'$ be the two credentials valid with respect to $PK$ and $PK'$, such that $w$ and $w'$ have the same secret key:

$$w = ((k_0, k_1, \dots, k_n), (K, S, S_0, \dots, S_n, T)),$$

$$w' = ((k_0, k'_1, \dots, k'_n), (K', S', S'_0, \dots, S'_n, T')).$$

Now the user performs the ShowCredential protocol once for each credential, but replaces the two proofs of knowledge by the following combined proof of knowledge:

$$PK\Bigl\{ k_0, \beta, \beta', \kappa, \kappa', (k_i)_{i \in \mathcal{C}}, (k'_j)_{j \in \mathcal{C}'} :\ D = \tilde C^{\beta} \bar S^{\kappa} \bar S_0^{k_0} \prod_{i \in \mathcal{C}} \bar S_i^{k_i} \ \wedge\ D' = (\tilde C')^{\beta'} (\bar S')^{\kappa'} (\bar S'_0)^{k_0} \prod_{i \in \mathcal{C}'} (\bar S'_i)^{k'_i} \Bigr\}$$

This proves the same as the two separate proofs of knowledge, as well as the fact that the two credentials have the same secret key $k_0$.
This assumes that the user can control the private key during the issuing process, and this is indeed the case (see Figure 9.1). To ensure that each user has its own distinct secret key $k_0$, the issuing protocol could be modified as follows. In one version, the issuer also chooses a random $k_0'' \in_R \mathbb{Z}_p^*$, and then sets and sends

$$T = \Bigl( K S^{\kappa''} S_0^{k_0''} R \prod_{i=1}^{n} S_i^{k_i} \Bigr)^z$$

to the user together with $\kappa''$ and $k_0''$. The secret key of the new credential will then be not $k_0$ but $k_0 + k_0''$. In this way neither party can control the outcome of the secret key, and the issuer is prevented from learning its final value.
In the other version, the following happens:

• The user and issuer together decide in advance on a public key $PK$ (that may or may not equal the issuer's public key), a (possibly empty) disclosure set $\mathcal{D}$ and a set of attributes $(k_i)_{i \in \mathcal{D}}$.
• The user first performs the ShowCredential protocol, with the issuer acting as verifier, on a credential $w$ that is valid with respect to $PK$, disclosing the attributes $(k_i)_{i \in \mathcal{D}}$. If successful, the user and issuer perform the Issue protocol as in Figure 9.1. However, the user combines the proof of knowledge over the hidden attributes with the proof of knowledge over $k_0$ and $\kappa$ in the Issue protocol, additionally showing that $k_0$ coincides with the secret key from the credential that it showed.

9.4 Performance
9.4.1 The Fiat-Shamir heuristic
The zero-knowledge proof from Figure 5.3 on p. 100 that is used for proving knowledge of the numbers $\beta, \kappa, k_0, (k_i)_{i \in \mathcal{C}}$ consists of four moves. Although our scheme is thus far defined and proven secure in the standard model, if one is willing to assume the random oracle model, then we can apply the Fiat-Shamir heuristic [BR93; BPW12; FS87] to the Schnorr Σ-protocol for DL-representations (see Figure 5.2 on p. 98) as follows: the user receives a nonce $\eta \in_R \mathbb{Z}_p^*$ from the verifier, and uses the protocol from Figure 5.2 with $c = H(W, D, \eta)$ (for a suitable hash function $H$). It is easy to see that in the random oracle model, this 2-move protocol is a zero-knowledge proof of knowledge. This would not only lower the number of exponentiations for the user in the ShowCredential protocol (by 6 in the case of the protocol from Figure 5.3), but also reduce the number of moves to just two: after receiving the nonce $\eta$ from the verifier, the user can combine the elements $\bar K, \bar S, \bar S_0, \dots, \bar S_n, \tilde C, \tilde T$ and the proof of knowledge over $\eta$ in a single message to the verifier (such a message is called a disclosure proof).
Concerns have been raised about the security of the random oracle model, however. For example, there exist protocols that are secure in the random oracle model, but do not have any secure standard model instantiation no matter which hash function is used [CGH04; GK03].
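The 2-move disclosure proof of this subsection, as an added example that is not part of the thesis or its implementation: the Schnorr Σ-protocol for a DL-representation, made non-interactive by folding the verifier's nonce η into c = H(W, D, η). It assumes a constructed prime-order subgroup of Z_P^* in place of G_1 (this step needs no pairing), SHA-256 as the hash H, and illustrative names throughout.

```python
import hashlib
import random


def is_probable_prime(n, rounds=16, rng=random):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64, seed=1):
    """Constructed toy group standing in for G_1: a safe prime P = 2q + 1 and a
    generator g of the order-q subgroup of Z_P^* (not the thesis's BN curve)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q, rng=rng) and is_probable_prime(2 * q + 1, rng=rng):
            break
    P = 2 * q + 1
    while True:
        g = pow(rng.randrange(2, P - 1), 2, P)  # a square has order q (or is 1)
        if g != 1:
            return P, q, g


def challenge(q, W, D, eta):
    """Fiat-Shamir challenge c = H(W, D, eta) mapped into Z_q; hashing the verifier's
    nonce eta ties the proof to this session, so it cannot be replayed later."""
    digest = hashlib.sha256(f"{W}|{D}|{eta}".encode()).digest()
    return int.from_bytes(digest, "big") % q


def prove(P, q, bases, exps, eta, rng=random):
    """User side.  bases stand for (C~, S-bar, S-bar_0, S-bar_i for i in C) and exps
    for (beta, kappa, k_0, k_i).  Returns D and the disclosure proof (W, responses)."""
    assert len(bases) == len(exps)
    D = 1
    for b, x in zip(bases, exps):
        D = D * pow(b, x, P) % P
    w = [rng.randrange(q) for _ in exps]               # blinding exponents
    W = 1                                              # commitment W = prod base_j^w_j
    for b, wj in zip(bases, w):
        W = W * pow(b, wj, P) % P
    c = challenge(q, W, D, eta)
    r = [(wj + c * x) % q for wj, x in zip(w, exps)]   # responses r_j = w_j + c * x_j
    return D, (W, r)


def verify(P, q, bases, D, eta, proof):
    """Verifier side: recompute c and check prod base_j^r_j == W * D^c."""
    W, r = proof
    if len(r) != len(bases) or not 1 <= W < P or not 1 <= D < P:
        return False
    c = challenge(q, W, D, eta)
    lhs = 1
    for b, rj in zip(bases, r):
        lhs = lhs * pow(b, rj, P) % P
    return lhs == W * pow(D, c, P) % P


def demo(n_hidden=3, seed=2):
    """Honest run, then the same proof replayed under a fresh nonce, then a proof
    checked against a tampered statement D.  Returns the three verdicts."""
    P, q, g = make_group(seed=seed)
    rng = random.Random(seed)
    # Constructed stand-ins for C~, S-bar, S-bar_0 and n_hidden undisclosed S-bar_i.
    bases = [pow(g, rng.randrange(1, q), P) for _ in range(3 + n_hidden)]
    exps = [rng.randrange(1, q) for _ in bases]        # beta, kappa, k_0, (k_i)_{i in C}
    eta = rng.getrandbits(128)                         # verifier's nonce
    D, proof = prove(P, q, bases, exps, eta, rng)
    honest = verify(P, q, bases, D, eta, proof)
    replayed = verify(P, q, bases, D, rng.getrandbits(128), proof)
    tampered = verify(P, q, bases, D * g % P, eta, proof)
    return honest, replayed, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

With pk(i) = i here, the proof costs exactly one exponentiation per secret (the |C| + 3 terms of W), which is the saving the text attributes to the heuristic.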

9.4.2 Exponentiation count


Although exponentiations (or scalar multiples, if we had written our groups additively) in elliptic curves are cheap compared to exponentiations in RSA groups, they are still the most expensive action that the user has to perform. In this section we will therefore count the number of exponentiations the user has to perform.
First note that

$$D = \bar K^{-1} \prod_{i \in \mathcal{D}} \bar S_i^{-k_i} = C^{-\alpha} \bar S^{\kappa} \bar S_0^{k_0} \prod_{i \in \mathcal{C}} \bar S_i^{k_i}.$$

These expressions for $D$ contain $|\mathcal{D}|$ and $|\mathcal{C}| + 3$ exponentiations, respectively, so if $|\mathcal{C}| + 3 < |\mathcal{D}|$, the user should use the right hand side to determine $D$. Moreover, if the user stores the elements $R := S^{\kappa}$ and $R_i := S_i^{k_i}$ for $i = 0, \dots, n$, then it can calculate $D$ by

$$D = \Bigl( K \prod_{i \in \mathcal{D}} R_i \Bigr)^{-\alpha} = \Bigl( C^{-1} R R_0 \prod_{i \in \mathcal{C}} R_i \Bigr)^{\alpha}, \tag{9.9}$$

both of which take just one exponentiation.

Denote with $\mathrm{pk}(i)$ the number of exponentiations the user has to compute in the zero-knowledge proof of knowledge when it presents a DL-representation of length $i$ (in the case of the protocol from Figure 5.3 on p. 100, we have $\mathrm{pk}(i) = i + 6$, while $\mathrm{pk}(i) = i$ for the Fiat-Shamir heuristic applied to the Schnorr Σ-protocol). Then the number of exponentiations in $G_1$ that the user has to do is
• $n + |\mathcal{D}| + \mathrm{pk}(|\mathcal{C}| + 3) + 5$ exponentiations if $|\mathcal{D}| \le |\mathcal{C}| + 3$,
• $n + |\mathcal{C}| + \mathrm{pk}(|\mathcal{C}| + 3) + 8$ exponentiations if $|\mathcal{D}| \ge |\mathcal{C}| + 3$,
• $n + \mathrm{pk}(|\mathcal{C}| + 3) + 6$ if the user stores and uses $R$ and $R_i$ for $i = 0, \dots, n$.
The user performs no exponentiations in $G_2$ and $G_T$ and computes no pairings. This results in great efficiency for the prover, since elements from $G_2$ are bigger and more expensive to deal with than those from $G_1$ (because generally $G_1 \subset E(\mathbb{F}_q)$ while $G_2 \subset E(\mathbb{F}_{q^k})[p]$, where $k$ is the embedding degree of the curve).
Table 9.2 compares the number of exponentiations in our scheme to those of [CL04], U-Prove and Idemix. However, note that exponentiations in RSA-like groups, on which Idemix depends, are significantly more expensive than exponentiations in elliptic curves. Also, the U-Prove showing protocol offers no unlinkability. As to the scheme from [CL04], Camenisch and Lysyanskaya did not include a showing protocol that allows attributes to be disclosed (that is, it is assumed that all attributes are kept secret), but it is not very difficult to keep track of how much less the user has to do if he voluntarily discloses some attributes. We see that the number of exponentiations that the user has to perform in the ShowCredential protocol of [CL04] is roughly 1.5 times as large as in our scheme. Since, additionally, computing pairings is significantly more expensive than exponentiating, we expect our credential scheme to be at least twice as efficient.

Table 9.2. Exponentiation and pairing count for the user of the ShowCredential protocol of several attribute-based credential schemes. The columns $G_{EC}$, $G_T$ and $G_{RSA}$ show the number of exponentiations in elliptic curves, the target group of a bilinear pairing, and RSA groups respectively, while the column labeled $e$ counts the number of pairings the user has to compute. The number $n$ denotes the number of attributes, excluding the secret key, and the function $\mathrm{pk}(n)$ denotes the number of exponentiations necessary in order to perform a zero-knowledge proof of knowledge of $n$ numbers (in the case of the Fiat-Shamir heuristic applied to the Schnorr Σ-protocol, which Idemix also uses, we have $\mathrm{pk}(n) = n$). In the case of our own scheme, we assume that the user calculates $D$ in the ShowCredential protocol using the elements $R_i$ as in equation (9.9).

Scheme        G_EC                   G_T           e      G_RSA    unlinkable
Our scheme    n + pk(|C| + 3) + 6    0             0      0        yes
[CL04]        2n + 3                 pk(|C| + 2)   n + 3  0        yes
Idemix        0                      0             0      |C| + 3  yes
U-Prove       |C| + 1                0             0      0        no

9.4.3 Implementation
In order to further examine the efficiency of our credential scheme we have written a preliminary implementation, using the high-speed 254-bit BN-curve and pairing implementation from [Beu+10]. The latter is written in C++ and assembly but also offers a Java API, and it uses the GMP library from the GNU project⁶ for large integer arithmetic.
Table 9.3 shows the running times of our implementation along with those from the Idemix implementation from the IRMA project.⁷ We have tried to make the comparison as honest as possible by writing our implementation in Java and using the Fiat-Shamir heuristic, like the IRMA Idemix implementation, which we have modified to also use the GMP library for its large integer arithmetic. However, the comparison can still only go so far, because the elliptic curve group that [Beu+10] offers is heavily optimized for fast computations, from which our scheme profits because it allows multiple issuers to use the same group. Such optimizations are not possible in Idemix because each Idemix public key necessarily involves its own group. Moreover, the IRMA Idemix implementation is 1024-bits, which according to [LV01] corresponds to a 144 bit curve (see also www.keylength.com), so that the two implementations do not offer the same level of security.

⁶See gmplib.org.
⁷See irmacard.org and github.com/credentials.

For these reasons we will go no further than drawing qualitative conclusions from the data. Nevertheless, both remarks actually demonstrate the efficiency of our scheme: the first means that our scheme can be optimized further than Idemix could, and Table 9.3 shows that even though our implementation offers a much higher level of security, it is still significantly faster than the IRMA Idemix implementation. We believe therefore that the conclusion that our scheme is or can be more efficient than Idemix – at least for the user in the ShowCredential protocol – is justified. Apart from this, the table also highlights the following differences between the two:

• In our scheme, verifying the validity of a disclosure proof tends to be two or three times as expensive as creating one, as it involves calculating a number of pairings. By contrast, in Idemix, verifying a disclosure proof is about as expensive as creating one.
• Verifying the validity of a credential in Idemix is significantly cheaper than computing or verifying disclosure proofs; while in our scheme verifying credential validity is only slightly cheaper than verifying disclosure proofs (again, because of having to compute pairings).
• When all but one attribute are disclosed (so that $|\mathcal{C}| = 1$ is constant), the ShowCredential protocol of our scheme becomes noticeably cheaper for the user. In Idemix, however, the user cost stops growing at all as the total number of attributes increases. Referring to Table 9.2, this is because the number of exponentiations in our scheme depends on $n$, while it does not in the case of Idemix. Verifying disclosure proofs becomes slightly cheaper in our scheme, but not by much because the number of pairings stays the same; here too the differences are more pronounced in Idemix.

Table 9.3. A comparison of the running times of various actions in the implementation of our credential scheme and the IRMA Idemix implementation, both of them using the Fiat-Shamir heuristic. The columns labeled "computing proof" and "verifying proof" show how long it takes to compute and to verify a disclosure proof, respectively, while the column labeled "verifying credential" shows how long it takes to verify the signature of a credential. The left column shows the total number of attributes and, if applicable, the number of disclosed attributes (this does not apply to the "verifying credential" column). In the case of our own scheme, we let the user calculate $D$ in the ShowCredential protocol using the elements $R_i$ as in equation (9.9). The attributes were randomly chosen 253-bit integers, the same across all tests, and the computations were performed on a dual-core 2.7 GHz Intel Core i5. All running times are in milliseconds, and were obtained by computing the average running time of 1000 iterations.

# attributes     computing proof       verifying proof       verifying credential
total (discl.)   This work   Idemix    This work   Idemix    This work   Idemix
6 (1)            2.9         11.7      5.7         11.2      5.1         6.5
7 (1)            2.9         12.6      6.5         12.2      5.8         6.9
8 (1)            3.2         13.4      7.1         13.2      6.6         7.4
9 (1)            3.4         14.3      8.0         14.0      7.2         7.7
10 (1)           3.7         15.2      8.7         14.9      7.8         8.3
11 (1)           3.9         16.5      9.4         15.8      8.6         8.7
12 (1)           4.2         17.1      10.2        16.9      9.0         8.9
6 (5)            2.1         7.6       5.9         9.2       –           –
7 (6)            2.1         7.5       6.5         9.7       –           –
8 (7)            2.3         7.5       7.2         10.1      –           –
9 (8)            2.4         7.4       7.9         10.7      –           –
10 (9)           2.6         7.4       8.5         10.9      –           –
11 (10)          2.7         7.5       9.1         11.4      –           –
12 (11)          2.8         7.5       9.9         12.0      –           –

9.5 Proving unforgeability using the XKEA assumption


In this section we show how the whLRSW assumption from Definition 9.3 can be proven
from (an extension of) the Known Exponent Assumption (KEA). Since the whLRSW
assumption implies the unforgeability of our credential scheme, this results in a second
unforgeability proof of our scheme.

9.5.1 The XKEA assumption


Let $G$ be a cyclic group of prime order $p$, and let $1 \neq K \in G$. If an algorithm $\mathcal{A}$ is given $K, K^{a}$ for some number $a \in \mathbb{Z}_p$, then it can generate a pair $L, L^{a}$ by raising $K$ and $K^{a}$ to any power, i.e., by setting $(L, L^{a}) = (K^{c}, (K^{a})^{c})$ for any $c \in \mathbb{Z}_p$. The KEA assumption essentially states that this is the only way in which an algorithm can generate such a pair. There are many versions of this assumption, differing in how many such pairs the algorithm gets as input; if and how they are related; and if the algorithm is allowed to get auxiliary input besides these pairs.⁸ The following version is the original one, introduced by Damgård in [Dam91]. We use the following notation: if $\mathcal{A}$ and $\mathcal{B}$ are two algorithms, then $X \leftarrow (\mathcal{A} \parallel \mathcal{B})(\sigma)$ indicates that $\mathcal{A}$ and $\mathcal{B}$ are given the same input $\sigma$ and the same random tape, and that $X$ contains their concatenated output.

Definition 9.18 (KEA assumption). Let $G$ be a cyclic group, whose prime order $p$ is $\ell$ bits, and let $1 \neq K \in G$ and $a \in \mathbb{Z}_p^*$. The Knowledge of Exponent (KEA) assumption holds in $G$, if for any probabilistic polynomial-time algorithm $\mathcal{A}$ that receives input $K, K^{a}$, there exists a probabilistic polynomial-time algorithm $\chi_{\mathcal{A}}$ called the extractor, which is such that if $\mathcal{A}$ gives as output $L, L'$, then $\chi_{\mathcal{A}}$, when given the same input and random coins of $\mathcal{A}$, returns $c \in \mathbb{Z}_p$ such that

$$\Pr[L' = L^{a} \wedge L \neq K^{c}] < \mathrm{negl}(\ell).$$

That is, more formally we have

$$\Pr\bigl[ a \in_R \mathbb{Z}_p^*;\ K \in_R G \setminus \{1\};\ \sigma \leftarrow (p, G, K, K^{a});\ (L, L', c) \leftarrow (\mathcal{A} \parallel \chi_{\mathcal{A}})(\sigma) :\ L' = L^{a} \wedge L \neq K^{c} \bigr] < \mathrm{negl}(\ell),$$

where the probability is over the selection of $a$ and $K$, and the randomness used by $\mathcal{A}$ and $\chi_{\mathcal{A}}$.

⁸There are also differences in the names given to the assumption: the KEA assumption is sometimes also called KEA1, SDHA-1 (for strong Diffie-Hellman), the KE assumption, or DHK (for Diffie-Hellman Knowledge). Meanwhile, the XKEA assumption is sometimes referred to as GKEA (for Generalized KEA), or n-KEA, or KEA3 when n = 2. The more recent papers seem to have settled on some variant of KEA.

The phrasing of the assumption leaves open the possibility that the output of $\mathcal{A}$ does not have $a$ as the relative discrete log (for example, $\mathcal{A}$ may output that it failed). When it does, however, output a pair having $a$ as relative discrete log, then the probability that the extractor does not manage to find the discrete log of $L$ with respect to $K$ is negligible.
The KEA assumption and its various generalizations are used in areas such as (non-
interactive) zero-knowledge proofs [BP04a; Bit+14; Bit+12; Gro10], encryption [BP04b;
Dam91; WS08], 2-party computation [DFH12], and authentication and key-exchange
[DG09; DGK06; Kra05; WS07; YZ10]. It has been criticized because it seems harder to
disprove it than assumptions such as the discrete logarithm assumption, in the sense
that it is not falsifiable [Nao03]. On the other hand, like the LRSW assumption it can
be proven to hold in the generic group model, in which the adversary is oblivious of the
actual representation of the group elements and only performs generic group operations
such as multiplying, inverting, and testing for equality. In for example [Gro10] this is
proved even in the presence of bilinear pairings. We briefly expand on this in the next
subsection, but first we present the version of the assumption that we need.
This version is the same as that of, for example, [Bit+12] (although ours is less per-
missive in the auxiliary input to the adversary). It generalizes the assumption above by
allowing A to receive more than one pair of the form (K, K a ), and to a Type 3 pairing
setting.
Definition 9.19 (XKEA assumption). Let $e : G_1 \times G_2 \to G_T$ be a Type 3 bilinear pairing,
where the order $p$ of the three groups is $\ell$ bits, and let $a \in \mathbb{Z}_p^*$. Let $\mathcal{A}$ be a
probabilistic polynomial-time algorithm taking as input $K_1, \dots, K_m, K_1^a, \dots, K_m^a \in G_1$
and $Q_1, \dots, Q_r \in G_2$, where
• $m$ and $r$ are polynomial in $\ell$,
• the $K_1, \dots, K_m$ are uniformly randomly distributed while the $Q_1, \dots, Q_r$ may be
arbitrarily distributed (i.e., we do not impose any restriction on the distribution of
the $Q_1, \dots, Q_r$),
• $K_j \neq 1$ for all $j = 1, \dots, m$.
The Extended Knowledge of Exponent (XKEA) assumption holds in G, if for any such
$\mathcal{A}$ there exists a probabilistic polynomial-time algorithm $\chi_\mathcal{A}$, called the extractor, which
is such that if $\mathcal{A}$ gives as output $L, L'$, then $\chi_\mathcal{A}$, when given the same input and random
coins as $\mathcal{A}$, returns a tuple $c_1, \dots, c_m$ such that

$$\Pr\big[\, L' = L^a \ \wedge\ L \neq K_1^{c_1} \cdots K_m^{c_m} \,\big] < \mathrm{negl}(\ell).$$

More formally, we have for any tuple $Q_1, \dots, Q_r$ of polynomial length $r$ in $\ell$,

$$\Pr\Big[\, a \in_R \mathbb{Z}_p^*;\ K_1, \dots, K_m \in_R G_1 \setminus \{1\};\ \sigma \leftarrow (p, e, G_1, G_2, G_T, K_1, \dots, K_m, K_1^a, \dots, K_m^a, Q_1, \dots, Q_r);\ (L, L', c_1, \dots, c_m) \leftarrow (\mathcal{A} \,\|\, \chi_\mathcal{A})(\sigma) :\ L' = L^a \wedge L \neq K_1^{c_1} \cdots K_m^{c_m} \,\Big] < \mathrm{negl}(\ell), \tag{9.10}$$

where the probability is over the selection of $a, K_1, \dots, K_m$ and the randomness used by
$\mathcal{A}$ and $\chi_\mathcal{A}$.
Notice that the KEA assumption does not imply the difficulty of the discrete logarithm
problem: in groups where the DL problem is easy, if $(L, L^a) \leftarrow \mathcal{A}(K, K^a)$ then the
extractor that computes and returns $\log_K L$ would be efficient. Thus, KEA can (and will)
also hold in groups in which DL is easy. For the same reason the XKEA assumption
does not imply the BDL assumption (see Section 9.2.2), so that we will have to assume
BDL separately.

9.5.2 The XKEA assumption and the generic group model


The difficulty of solving a computational problem depends on how it is represented.
Consider for example the Decisional Diffie-Hellman problem (DDH, see Definition 5.10
or Example 5.13). In $\mathbb{Z}_p$ this is easy, but there exist many elliptic curves over $\mathbb{Z}_p$ for
which DDH is believed to be hard, even though the two groups are isomorphic (the
isomorphism being $a \mapsto P^a$ for any element $P \neq 1$). The generic group model is a way of
studying algorithms that cannot exploit the representation of group elements, but only
use the group structure.
In the context of the KEA assumption, this notion is usually formalized using techniques
proposed by Shoup [Sho97] (where it is also proven that the discrete logarithm
problem is hard in the generic group model). In this model, algorithms are not provided
direct access to group elements, but only to the images of group elements under a random
bijection $\sigma : \mathbb{Z}_p \to \mathbb{Z}_p$, together with oracle access to the following two functions:

$$\mathrm{add}(\sigma(x), \sigma(y)) = \sigma(x + y), \qquad \mathrm{inv}(\sigma(x)) = \sigma(-x).$$
This also lets the algorithm obtain random group elements, by querying the
oracle on $\sigma(x')$ for any previously unseen $x'$. If there is a bilinear pairing, it can also be
modeled using such an oracle function. It is clear that in this situation, the attacker can
gain no advantage in solving a computational problem from the representation $\sigma(x)$ of
an element $x$. In the case of the KEA assumption, if $(L, L^a) \leftarrow \mathcal{A}(K, K^a)$, one can show
that with overwhelming probability the number $c$ such that $L = K^c$ can be calculated by
observing the oracle calls made by $\mathcal{A}$.
Let $n$ denote the number of pairs $(K_i, S_i = K_i^a)$ that our algorithm receives. The first
two proofs along these lines seem to be from [Den06], where it is proved for $n = 1$,
and [AF07], where it is proved for $n = 1, 2$ in the presence of a symmetric (i.e. Type 1)
pairing. The latter proof can easily be modified into one that allows
• a Type 3 pairing instead of Type 1,
• $n > 2$ pairs of elements $K_i, K_i^a$,
• any set of elements from $G_2$ as auxiliary input,⁹
resulting in the version from Definition 9.19.

⁹ Some papers allow the algorithm to additionally receive arbitrary auxiliary input $\xi \in \{0,1\}^*$. We are more
careful than that, because the statement in this form cannot hold for any group in which the discrete
logarithm problem is hard: if $\xi = a$, then from the program that takes a random $C \in G_1$ and returns $C, C^a$, no
coefficient can be extracted (besides $a$).
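The generic-group argument above, as an added example that is not code from the thesis: a Shoup-style generic group over a small constructed prime (the group is written additively, so $K^c$ is the scalar multiple $c \cdot k$ of the hidden value $k$), a toy adversary that builds its output $(L, L^a)$ only through add/inv queries, and an extractor that recovers the coefficients purely by replaying the oracle transcript. The prime, the exponent $a$, the $K_j$ values and the adversary's coefficients are all constructed for illustration.

```python
import random

# Constructed toy parameters: the group is (Z_p, +) for a small prime p, written additively as in
# Shoup's model, so "K^c" is the scalar multiple c*k of the hidden value k behind K's label.
P = 7919


class GenericGroup:
    """Shoup-style generic group oracle: the algorithm never sees an element x in Z_p,
    only its label sigma(x) under a random bijection, plus the add/inv oracles."""

    def __init__(self, p, seed=0):
        self.p = p
        self.rng = random.Random(seed)
        self.label_of = {}    # x -> sigma(x), filled lazily (simulates a random bijection)
        self.x_of = {}        # sigma(x) -> x, the oracle's private view
        self.transcript = []  # every oracle call: ('add', l1, l2, out) or ('inv', l1, out)

    def sigma(self, x):
        x %= self.p
        if x not in self.label_of:
            lab = self.rng.getrandbits(32)
            while lab in self.x_of:
                lab = self.rng.getrandbits(32)
            self.label_of[x] = lab
            self.x_of[lab] = x
        return self.label_of[x]

    def add(self, l1, l2):           # add(sigma(x), sigma(y)) = sigma(x + y)
        out = self.sigma(self.x_of[l1] + self.x_of[l2])
        self.transcript.append(('add', l1, l2, out))
        return out

    def inv(self, l1):               # inv(sigma(x)) = sigma(-x)
        out = self.sigma(-self.x_of[l1])
        self.transcript.append(('inv', l1, out))
        return out


def power(G, label, c):
    """K^c (here: c * k) computed by double-and-add using only the oracles, for c >= 1."""
    result, acc = None, label
    while c:
        if c & 1:
            result = acc if result is None else G.add(result, acc)
        c >>= 1
        if c:
            acc = G.add(acc, acc)
    return result


def extract(transcript, k_labels, ka_labels, L, p=P):
    """The KEA extractor: replay the transcript, tracking every label as a Z_p-linear
    combination of the basis (K_1..K_m, K_1^a..K_m^a), and read off L's coefficients.
    Returns (c_1, ..., c_m) if L depends only on the K_j, else None."""
    basis = list(k_labels) + list(ka_labels)
    n = len(basis)
    vec = {lab: tuple(int(i == j) for j in range(n)) for i, lab in enumerate(basis)}
    for entry in transcript:
        if entry[0] == 'add':
            _, l1, l2, out = entry
            if l1 in vec and l2 in vec:
                vec[out] = tuple((u + v) % p for u, v in zip(vec[l1], vec[l2]))
        else:
            _, l1, out = entry
            if l1 in vec:
                vec[out] = tuple((-u) % p for u in vec[l1])
    coeffs = vec.get(L)
    m = len(k_labels)
    if coeffs is None or any(coeffs[m:]):   # L would need the K_j^a: extraction fails
        return None
    return coeffs[:m]


def run_kea_demo():
    """Challenger hands out (K_j, K_j^a); a toy adversary builds L = K_1^3 K_2^5 and L' = L^a
    via oracle calls; the extractor recovers (3, 5) from the transcript alone."""
    G = GenericGroup(P, seed=1)
    a, ks = 17, [1234, 5678]                      # constructed secret exponent and K_j values
    K = [G.sigma(k) for k in ks]
    Ka = [G.sigma(a * k) for k in ks]
    L = G.add(power(G, K[0], 3), power(G, K[1], 5))
    Lp = G.add(power(G, Ka[0], 3), power(G, Ka[1], 5))
    relation_holds = G.x_of[Lp] == (a * G.x_of[L]) % P   # L' = L^a, checked by the challenger
    coeffs = extract(G.transcript, K, Ka, L)
    explained = coeffs is not None and sum(c * k for c, k in zip(coeffs, ks)) % P == G.x_of[L]
    return coeffs, relation_holds, explained


if __name__ == "__main__":
    print(run_kea_demo())   # ((3, 5), True, True)
```

The extractor never learns $a$: it treats the labels of the $K_j^a$ as extra basis elements, exactly as the XKEA challenger hands them out. If the adversary's $L$ had involved those labels, `extract` returns `None`; in the generic model a matching $L^a$ would then require terms in $a^2$ that no sequence of add/inv calls can produce, which is the "overwhelming probability" step of the argument.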

9.5.3 Unforgeability based on XKEA


First we need the following lemma. Recall that Propositions 5.7 on p. 89 and 9.6 on p. 157
state that when the (bilinear) discrete logarithm problem is hard, then no probabilistic
polynomial-time algorithm can create non-trivial DL-representations of 1 with respect
to a set of uniformly randomly distributed base points. In the lemma below, half of the
base points are randomly distributed, while the other half of the base points is a fixed
power of the first half. It is easy to extend the proof of Proposition 5.7 to this case.

Lemma 9.20. Let $e : G_1 \times G_2 \to G_T$ be a Type 3 pairing in which the BDL assumption holds,
let $p$ be the order of the three groups, and let $P, Q$ be generators of $G_1, G_2$ respectively. Let the
tuple $X_1, \dots, X_m \in G_1$ and the tuple $Y_1, \dots, Y_m \in G_2$ be such that $\log_P X_j = \log_Q Y_j$, i.e.,
$e(P, Y_j) = e(X_j, Q)$. In addition, suppose that $m$ is even, and that
• $X_1, \dots, X_{m/2} \in G_1$ are randomly distributed,
• $X_{j+m/2} = X_j^a$ for some $a \in \mathbb{Z}_p^*$ and all $j = 1, \dots, m/2$ (and similarly $Y_{j+m/2} = Y_j^a$).
Then no probabilistic polynomial-time algorithm can, on input $X_1, \dots, X_m, Y_1, \dots, Y_m$, generate
a non-trivial DL-representation of $1 \in G_1$ with respect to $(X_1, \dots, X_m)$.

Theorem 9.21. The XKEA and BDL assumptions imply the whLRSW assumption, as well as
the unforgeability of our credential scheme from Section 9.3 and our signature scheme from
Section 9.2.3.

Proof. Since the whLRSW assumption implies the unforgeability of our credential
scheme, the second part of the statement is clear. Suppose then that we have an algorithm
$\mathcal{A}$ that violates the whLRSW assumption, while the XKEA and BDL assumptions
hold. That is, algorithm $\mathcal{A}$ is given $(p, e, G_1, G_2, G_T, Q, Q^a, Q^z)$, along with a list
of LRSW-instances $(\kappa_j, K_j, K_j^a, K_j^{z + \kappa_j a z})$ of polynomial length, and it outputs an LRSW-
instance with a new $\kappa$ with non-negligible probability. We show that as a consequence
of the XKEA assumption, we can extract a set of numbers from $\mathcal{A}$ that will result in a
non-trivial DL-representation of 1. This will contradict the lemma above.
First, we must justify an application of the XKEA assumption to algorithm $\mathcal{A}$. We
know that $\mathcal{A}$ outputs $K, S$ such that $S = K^a$ with non-negligible probability. However,
$\mathcal{A}$ needs elements $\kappa_j, T_j = K_j^{z + \kappa_j a z}$ as input, besides the elements $K_j, S_j$ (which indeed
have $a$ as relative discrete log), while the XKEA assumption allows only elements from
$G_2$ as extra input (see Definition 9.19). We now define a second algorithm $\mathcal{B}$ (Algorithm 1)
to which the XKEA assumption does apply as above. (For the moment, the fact that $\mathcal{A}$ should
also output $\kappa, T$ such that $T = K^{z + \kappa a z}$ is not important, so we momentarily consider
them thrown away from the output of $\mathcal{A}$.)

Algorithm 1 Algorithm $\mathcal{B}$.

    function $\mathcal{B}(p, e, G_1, G_2, G_T, \{K_j, S_j\}_j, Q, A)$
        $z \in_R \mathbb{Z}_p^*$
        $Z \leftarrow Q^z$
        for all $j \in \{1, \dots, m\}$ do
            $\kappa_j \in_R \mathbb{Z}_p^*$
            $T_j \leftarrow (K_j S_j^{\kappa_j})^z$
        end for
        return $\mathcal{A}(p, e, G_1, G_2, G_T, \{\kappa_j, K_j, S_j, T_j\}_j, Q, A, Z)$
    end function

Suppose that there exists no extractor for $\mathcal{A}$, that is, no algorithm is an extractor for $\mathcal{A}$:
for all probabilistic polynomial-time algorithms $\chi$, we must have

$$\Pr\Big[\, a, z, \kappa_1, \dots, \kappa_m \in_R \mathbb{Z}_p^*;\ K_1, \dots, K_m \in_R G_1 \setminus \{1\};\ Q \in_R G_2;\ A \leftarrow Q^a;\ Z \leftarrow Q^z;\ \{T_j \leftarrow K_j^{z + \kappa_j a z}\}_j;\ \sigma \leftarrow (p, e, G_1, G_2, G_T, \{\kappa_j, K_j, K_j^a, T_j\}_j, Q, A, Z);\ (K, S, c_1, \dots, c_m) \leftarrow (\mathcal{A} \,\|\, \chi)(\sigma) :\ S = K^a \wedge K \neq K_1^{c_1} \cdots K_m^{c_m} \,\Big] > \mathrm{negl}(\ell). \tag{9.11}$$

This says that the probability that our would-be extractor $\chi$ does not output coefficients
$c_1, \dots, c_m$ such that $K = K_1^{c_1} \cdots K_m^{c_m}$ is not negligible; i.e., for all $\chi$ there is a significant
probability that it fails as an extractor for $\mathcal{A}$. Now notice that the only thing algorithm
$\mathcal{B}$ does, besides executing algorithm $\mathcal{A}$, is choosing the $\kappa_j$ and $z$, and calculating $Z$ and
the $T_j$ exactly as in the experiment in the first two lines of the probability above. This
means that using $\mathcal{B}$ we can write the probability above more concisely as follows: for all
probabilistic polynomial-time algorithms $\chi$ we have

$$\Pr\Big[\, a \in_R \mathbb{Z}_p^*;\ K_1, \dots, K_m \in_R G_1 \setminus \{1\};\ Q \in_R G_2;\ A \leftarrow Q^a;\ \sigma \leftarrow (p, e, G_1, G_2, G_T, Q, A, K_1, \dots, K_m, K_1^a, \dots, K_m^a);\ (K, S, c_1, \dots, c_m) \leftarrow (\mathcal{B} \,\|\, \chi)(\sigma) :\ S = K^a \wedge K \neq K_1^{c_1} \cdots K_m^{c_m} \,\Big] > \mathrm{negl}(\ell).$$

This directly contradicts equation (9.10). That is, it would imply that there exists no
XKEA-extractor for $\mathcal{B}$, which is impossible by assumption. Therefore, our assumption (9.11)
cannot hold, meaning that there is in fact an extractor for $\mathcal{A}$ that can extract the numbers
$c_1, \dots, c_m$. Notice that this extractor does not need to know or be given $z$ as an argument,
even though algorithm $\mathcal{B}$ does know $z$.
The application of the XKEA assumption to algorithm $\mathcal{A}$ relative to the secret key
$z$ can be justified in the same way. Algorithm $\mathcal{B}$ now receives $C_i, T_i$ for $i = 1, \dots, m$,
generates $a \in_R \mathbb{Z}_p^*$ and does the following in its for-loop:

$$\kappa_i \in_R \mathbb{Z}_p^*, \qquad K_i \leftarrow C_i^{1/(1 + a \kappa_i)}, \qquad S_i \leftarrow K_i^a.$$

Then $T_i = C_i^z = (K_i S_i^{\kappa_i})^z$ as required, so that it can invoke algorithm $\mathcal{A}$ as above.
Thus, we may conclude that we can indeed extract numbers $c_1, \dots, c_m$ and $d_1, \dots, d_m$
from algorithm $\mathcal{A}$ which are such that

$$K = \prod_{j=1}^m K_j^{c_j}, \qquad S = \prod_{j=1}^m S_j^{c_j}, \qquad T = \prod_{j=1}^m T_j^{d_j}, \qquad C = \prod_{j=1}^m C_j^{d_j} = \prod_{j=1}^m K_j^{d_j} S_j^{\kappa_j d_j}.$$

On the other hand, notice that $C$ should be equal to

$$C = K S^{\kappa} = \prod_{j=1}^m K_j^{c_j} S_j^{\kappa c_j}.$$

Comparing the right hand sides of the two equations gives

$$\prod_{j=1}^m K_j^{d_j} S_j^{\kappa_j d_j} = \prod_{j=1}^m K_j^{c_j} S_j^{\kappa c_j}.$$

This results in a DL-representation of 1, namely

$$1 = \prod_{j=1}^m K_j^{d_j - c_j} S_j^{\kappa_j d_j - \kappa c_j}. \tag{9.12}$$

Next, we show that the numbers

$$d_j - c_j, \qquad \kappa_j d_j - \kappa c_j \tag{9.13}$$

are not all equal to 0, so that (9.12) is a nontrivial representation of 1. Suppose they do
all equal 0. This gives the following set of equations for all $j$:

$$d_j = c_j, \qquad \kappa c_j = \kappa_j d_j. \tag{9.14}$$

These equations imply that for each $j$, we either have $(c_j, d_j) = (0, 0)$, or $\kappa = \kappa_j$. There
must exist at least one pair $(c_j, d_j)$ unequal to $(0, 0)$, otherwise we would have $C = 1$,
which is not valid. Therefore, this contradicts the assumption that the adversary output
a credential with a new $\kappa$.

Thus the numbers (9.13) do not all equal 0, so that the DL-representation of 1 in equation
(9.12) is nontrivial. Now if we let algorithm $\mathcal{B}$ defined above extract the numbers
$c_j, d_j$ from $\mathcal{A}$, then it can efficiently compute and return the DL-representation (9.12),
contradicting Lemma 9.20.
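To make the two reductions in the proof concrete, here is an added example (not the thesis's own code) that runs Algorithm 1 and its variant relative to $z$ in a toy prime-order group, checks that the reformatted inputs are LRSW instances of the shape $\mathcal{A}$ expects, and evaluates the exponents (9.13) of the representation (9.12) for a re-shown credential versus a forgery with a new $\kappa$. The group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$), its generator, and all sampled values are constructed; the pairing is omitted because only the $G_1$ exponent algebra is being verified.

```python
import random

# Constructed toy group: the order-P subgroup of Z_Q^* with Q = 2P + 1 (a safe prime), generator G.
P, Q = 1019, 2039
G = 4   # a square mod Q, so it generates the subgroup of prime order P


def gexp(base, e):
    """base^e in the subgroup; exponents live in Z_P."""
    return pow(base, e % P, Q)


def algorithm_B(pairs, rng):
    """Algorithm 1 of the proof: XKEA pairs (K_j, S_j = K_j^a) become whLRSW instances
    (kappa_j, K_j, S_j, T_j) with T_j = (K_j S_j^{kappa_j})^z for a fresh z."""
    z = rng.randrange(1, P)
    instances = []
    for K, S in pairs:
        kappa = rng.randrange(1, P)
        T = gexp(K * gexp(S, kappa) % Q, z)
        instances.append((kappa, K, S, T))
    return z, instances


def algorithm_B_for_z(pairs, rng):
    """The second reduction: from (C_i, T_i = C_i^z) choose a and kappa_i, set
    K_i = C_i^{1/(1 + a kappa_i)} and S_i = K_i^a, so that T_i = (K_i S_i^{kappa_i})^z."""
    a = rng.randrange(1, P)
    instances = []
    for C, T in pairs:
        kappa = rng.randrange(1, P)
        while (1 + a * kappa) % P == 0:         # 1 + a kappa must be invertible mod P
            kappa = rng.randrange(1, P)
        K = gexp(C, pow(1 + a * kappa, -1, P))
        instances.append((kappa, K, gexp(K, a), T))
    return a, instances


def is_lrsw_instance(kappa, K, S, T, a, z):
    """What the whLRSW adversary expects: S = K^a and T = K^{z + kappa a z}."""
    return S == gexp(K, a) and T == gexp(K, z + kappa * a * z)


def representation_of_one(c, d, kappas, kappa):
    """Exponents (9.13) of the DL-representation (9.12) of 1, reduced mod P,
    and whether that representation is non-trivial."""
    exps = [((dj - cj) % P, (kj * dj - kappa * cj) % P)
            for cj, dj, kj in zip(c, d, kappas)]
    return exps, any(u or v for u, v in exps)


def run_reduction_demo(seed=3, m=3):
    rng = random.Random(seed)
    # Reduction relative to a: the XKEA challenger's pairs, reformatted by Algorithm B.
    a = rng.randrange(1, P)
    pairs = []
    for _ in range(m):
        K = gexp(G, rng.randrange(1, P))
        pairs.append((K, gexp(K, a)))
    z, inst = algorithm_B(pairs, rng)
    ok_a = all(is_lrsw_instance(*t, a, z) for t in inst)
    # Reduction relative to z: pairs (C_i, C_i^z), reformatted by the variant of B.
    z2 = rng.randrange(1, P)
    cpairs = []
    for _ in range(m):
        C = gexp(G, rng.randrange(1, P))
        cpairs.append((C, gexp(C, z2)))
    a2, inst2 = algorithm_B_for_z(cpairs, rng)
    ok_z = all(is_lrsw_instance(*t, a2, z2) for t in inst2)
    # Non-triviality argument: re-showing credential 1 (kappa = kappa_1, c = d = e_1)
    # yields only the trivial representation; a forgery with a new kappa cannot.
    kappas = [t[0] for t in inst]
    e1 = [1] + [0] * (m - 1)
    _, reshow_nontrivial = representation_of_one(e1, e1, kappas, kappas[0])
    new_kappa = next(k for k in range(1, P) if k not in kappas)
    _, forgery_nontrivial = representation_of_one(e1, e1, kappas, new_kappa)
    return ok_a, ok_z, reshow_nontrivial, forgery_nontrivial


if __name__ == "__main__":
    print(run_reduction_demo())   # (True, True, False, True)
```

The re-show case is the edge the proof has to exclude: with $\kappa = \kappa_1$ and $c = d = e_1$ every exponent in (9.13) vanishes, so (9.12) says nothing, which is why the theorem only concerns outputs with a $\kappa$ different from all $\kappa_j$.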

9.6 Conclusion
In this chapter we have defined a new self-blindable attribute-based credential scheme,
and given a full security proof in the standard model by showing that it is unforgeable
and unlinkable. The unforgeability of our scheme can be proven using a standard
hardness assumption as well as through the Knowledge of Exponent assumption. Based on the
fact that it uses elliptic curves and bilinear pairings (but the latter only on the verifier's
side), on a comparison of exponentiation counts, and on a comparison of run times
with the IRMA Idemix implementation, we have shown it to be more efficient than
comparable schemes such as Idemix and the scheme from [CL04], achieving the same
security goals at less cost.
Although our scheme is unforgeable and self-blindable, it is not susceptible to the
problem that Theorem 6.6 on p. 118 expresses. Apart from the fact that the underlying
signature scheme is nondeterministic while it is deterministic in each of the schemes
that we studied in Chapter 6, in our ShowCredential protocol there is no public key that
is sent to the verifier separate from the signature and attributes. Since an application of
Theorem 6.6 critically depends on such public keys, it does not apply.
A significant difference between our scheme from this chapter (as well as the scheme
from [CL04]) on the one hand, and Idemix, U-Prove and our (linkable) scheme from
Chapter 7 on the other hand, is that in the former the length of the signature grows with the number
of attributes n, whereas in the latter it is constant. The signature length of the forgeable scheme from Chapter 8 is also
constant. It is interesting to note that the reason that our scheme is not vulnerable to
the attack from that chapter is precisely that each credential in our scheme has its own
set of base points, which is what makes the signature length linear in n as opposed to
constant. These observations suggest that a scheme with fixed base points and known
prime group order cannot result in a scheme which is simultaneously unlinkable and
unforgeable. Intuitively, the relatively simple structure of the group seems to offer too
much freedom to modify the credentials. In that sense, our scheme from this chapter
may be the best that one can do using (prime-order) elliptic curve groups.
End Matter
Chapter 10

Summary and conclusions

10.1 Quantization using jet space geometry


Starting from the classical theory of a point particle on a smooth manifold, we have
seen two directions in which this can be generalized. In Chapter 1 we studied the
variational Schouten bracket on jet spaces, which specializes to the ordinary Schouten
bracket on manifolds. This bracket is an important part of the BV-formalism that we
studied in Chapter 2. Both of these chapters revolved around secondary calculus:
the idea that in generalized theories, the geometric machinery should have the same
physical meaning and role as they do in specialized theories. This attractive idea not
only highlights connections between mathematics and the physics that it can describe,
but also results in interesting relations and results purely within mathematics, while
simultaneously bringing more clarity and preciseness in the mathematical description
of physical theories.
Chapter 3 considered a generalization of the point particle in a manifold in an entirely
different direction, namely quantum mechanics. We saw that in the case of a Poisson
manifold there exists a star product on the ring of functions of the manifold, that unites
the pointwise product, the Poisson structure, and the dynamics of the particle in a single
object. We included an explicit description of this star product in the case of the duals
of Lie algebras, which carry a natural Poisson structure.
When considering generalizations of a notion or theory, one question that can be very
difficult to answer is in which direction it should be generalized. There are often many
candidates, that sometimes turn out to be the same (such as the multiple definitions of
the variational Schouten bracket from Chapter 1), while others turn out not to satisfy
all requirements. In Chapter 4 we examined three possible variational generalizations
of star products, all of which turned out to be unsuitable. Such a star product would
simultaneously generalize Chapters 1 and 2 on the one hand, and Chapter 3 on the other
hand. Physically, it could lead to a quantum mechanical theory of very general physical
configurations, so the question whether a suitable variational star product exists and what it
looks like remains very interesting. Although the direction that we took did not lead to
success, we remain convinced that the setting of infinite jet bundles combined with the
framework of deformation quantization can lead to theories that are of great importance
to both mathematics and physics.

10.2 Identity management using credential schemes


Elliptic curves and bilinear pairings offer a remarkable combination of security, efficiency
and flexibility. In particular, the fact that the order of the groups involved is prime and
known to all participants of the scheme under consideration results in a rather simple
group structure, when compared to for example groups of composite order that are used
by RSA and Idemix. The difference between the two mathematical settings is somewhat
comparable to the difference between fields and rings. (Actually, this is no coincidence:
when raising group elements of a cyclic group G to a power, one uses the natural module
structure of the group over its own ring of coefficients Z/|G|Z. In the case of (subgroups
of) elliptic curves of prime order p, however, the ring of coefficients Z/pZ is indeed a
field, so that the curve becomes a 1-dimensional vector space over this field. This is not
the case for groups whose order is not a prime power, such as for example the group
that Idemix uses; in fact, such groups cannot possibly be a vector space over any field.)
At the same time, this simple group structure endows all participants with more ways
to manipulate and relate the various group elements, so that it can be difficult to prevent
adversarial parties from breaking the security or anonymity objectives of the scheme.
We have seen this in Chapter 6, which showed that in certain circumstances there is a
trade-off between unforgeability and anonymity, in the form of unlinkability; and more
dramatically in Chapter 8, where we showed that a proposed attribute-based scheme
that was meant to unite high efficiency, unforgeability and unlinkability is not in fact
unforgeable.
We have examined a number of credential schemes in this part of the thesis which
progressively attained more of the four goals stated in the Introduction on p. xiv, namely
security, unlinkability, efficiency and support for attributes. In Chapter 7 we introduced a
provably secure attribute-based scheme in which the length of the credentials is constant,
resulting in great efficiency. However, the scheme did not provide unlinkability. The
unlinkable scheme from Chapter 8 also has credentials of constant length, but we found
that it is forgeable. Finally, in Chapter 9 we introduced an unforgeable and unlinkable
attribute-based credential scheme that demonstrates that it is in fact possible to unite
efficiency with unforgeability and anonymity (in the sense of issuer and multi-show
unlinkability) in this mathematical background. This scheme is not as efficient as the
linkable scheme from Chapter 7, highlighting that there indeed exists a trade-off between
efficiency and anonymity. However, our scheme is the most efficient when compared
with all other unlinkable schemes that we know of, and it should be implementable on
smart cards.
In conclusion, to date there seems to be no unlinkable attribute-based credential
scheme using elliptic curves in which the size of the signature of a credential does not depend
on the number of attributes. Although we have reason to believe that such a scheme
may not be possible at all, it would be a definite improvement on the scheme from
Chapter 9. For that reason, a scheme offering those features, or a proof that it does not
exist, would be of great interest.
Introduction and summary

This chapter is a Dutch version of the introduction and summary that begins
on page vii.

Quantization using jet bundles

Introduction
If there is one thing that mathematicians and physicists have in common, it is their
appreciation of aesthetics: both the mathematician and the physicist strive for that
perfect proof or that elegant theory. Although they do not always agree on what is
beautiful and what is not, in the areas where they overlap they often get along well.
This can lead to, and has led to, interesting cross-fertilization.
The first part of this thesis revolves around a theme that is appreciated by people from both
camps, namely specialization: applying a general theory to a well-known, specific
situation. It is often more interesting, however, to try to go the other way, and to try
to generalize a specific theory to more situations and applications. This can be a
constructive and inspiring principle in the search for and the understanding of new theories. In
both fields this path has led to ever more general and more powerful theories.
This leads to the following question, which plays a large role in this first part: How can we use the
concepts of generalization and specialization to extend our understanding of the connections between
mathematics and theoretical physics, in particular within the geometry of jet bundles and quantization
methods, and to what extent can this lead to progress on the mathematical side of these connections?
A first example of this can be found in Chapters 1 and 2. Most partial differential
equations that one encounters in physics, and also many that originate in mathematics,
can be elegantly described in terms of infinite jet bundles. The independent variables
together form the base space, while the unknowns form the fiber of a fiber bundle over
this base space. The differential equation itself is then a submanifold of the infinite jet
bundle of the fiber bundle. Within physics this can be used, for example, to describe the
dynamics of fields, waves and strings. However, when this machinery is applied to a
point particle, the partial differential equation becomes an ordinary differential equation,
the base space becomes a single point, and the infinite jet bundle becomes a
(finite-dimensional) smooth manifold. The physics of such a point particle is well known,
and is formulated in terms of the geometric structures around manifolds, such as vector
fields and the de Rham differential. Under the "specialization function" that sends a
general theory to the point particle we can then ask what the inverse of this geometric
machinery is. The idea that such inverses exist, and that they should play roughly the
same role in the general theory as in the special case, is thus the mathematical version
of the idea that the physics of a point particle is a special case of more general theories.
This idea is called secondary calculus. Although it plays a large role throughout the first
part of this thesis, it is most present in Chapter 2 (see Section 2.2 on p. 26).

[Figure 1: a square diagram with four vertices. Top row: "quantum jet bundle" (Ch. 4) on the
left and "classical jet bundle" (Ch. 1, 2) on the right, joined by an arrow labeled ħ → 0 pointing
right. Bottom row: "quantum manifold" on the left and "classical manifold" on the right, joined
by an arrow labeled ħ → 0 (Ch. 3) pointing right. Vertical arrows labeled n = 0 point from each
jet-bundle vertex down to the manifold vertex below it.]

Figure 1. A schematic overview of the chapters and their subject. The text at the
vertices indicates whether the theory is quantum mechanical or classical, and whether
it concerns smooth manifolds or jet bundles. An arrow indicates that the theory at the
tail of the arrow can be specialized to the theory at the head of the arrow, by taking the
limit written above or beside the arrow (n is the dimension of the base space). Note
that the chapters in fact go in the opposite direction.
A second example occurs in Chapter 3. In physics, quantum mechanics revolves
around Planck's constant, ħ ≈ 1.055 × 10^−34 Js. Quantum mechanical theories are
typically such that (if we temporarily ignore the constant nature of Planck's constant)
taking the limit ħ → 0 results in a classical theory, which is an approximation of the
quantum mechanical one. Mathematically it is therefore natural to regard ħ as a
deformation parameter, so that the quantum mechanical theory is a deformation of the
classical theory. This is in essence the idea of deformation quantization. There one starts
with a classical theory of a point particle located in some manifold M. The dynamics of
the particle is described by a Poisson structure and a Hamiltonian vector field on M.
Physically, the ring of functions C^∞(M) is then the space of observables. The quantum
mechanical space of observables is then a deformation in ħ of C^∞(M); this leads to a
non-commutative product on the power series in ħ over C^∞(M), which is called the
star product. In a certain sense this product contains not only the original pointwise
product on C^∞(M) but also the Poisson structure in terms of which the dynamics is
described. This leads to an elegant quantum theory of point particles, which is indeed
such that one recovers the classical theory in the limit ħ → 0. (This method of quantizing
classical theories is certainly not the only one; in the physics literature the BRST and BV
formalisms are used considerably more, since they play an important role in the very
successful Standard Model.)
Figure 1 summarizes the connections between the chapters. We see that both Chapter 2
and Chapter 3 start from a classical theory of a point particle on a manifold, and then
generalize it to subjects other than point particles (that is, to jet bundles), and to a
quantum theory (that is, to deformation quantizations), respectively. This leads on the
one hand to a classical theory that can describe many physical phenomena, and on the
other hand to a quantum theory of point particles. An obvious question is then whether
these two extremes are both specializations of a quantum theory of more general
physical configurations than point particles, that is, of the theory that would sit in the
upper left corner of Figure 1. Mathematically this would then be a theory of deformation
quantizations on jet bundles. In Chapter 4 we briefly address this question.

Summary
The first part of the thesis contains the following chapters.

Chapter 1 first briefly introduces infinite jet bundles and a number of related
constructions, since these play a large role throughout the first part. We then
describe multivectors on jet bundles as a first application of secondary calculus.
These form the domain of the variational Schouten bracket, which takes two such
multivectors and returns a new one; we describe how this bracket is a natural
generalization of the Schouten bracket on smooth manifolds. Over the past decades
the variational Schouten bracket has appeared in various guises in the mathematical
and physical literature, which has led to a number of different descriptions of the
same concept. In the last section of this chapter we show how these different versions
are equivalent. This chapter is based on the following article.

[KR12] A. V. Kiselev and S. Ringers. "A comparison of definitions for the Schouten
bracket on jet spaces". In: Proceedings of the Sixth International
Workshop "Group Analysis of Differential Equations and Integrable Systems".
Larnaca, Cyprus, 2012, 15p. arXiv: 1208.6196.

Chapter 2 revolves around the Batalin-Vilkovisky formalism, a technique for quantizing
classical physical theories. Together with the Schouten bracket from the previous
chapter, an important ingredient of this formalism is the BV-Laplacian: a differential
operator of order two that squares to 0, and which together with the Schouten
bracket should form a mathematical structure called a BV-algebra. A problem with
this BV-Laplacian as it is usually defined, however, is that it often contains "infinite
constants" or delta functions, which then have to be removed by means of
regularization. After describing the geometry in terms of the infinite jet bundles
introduced in the previous chapter, we briefly explore a possible BV-Laplacian that
has no infinite constants. However, we will see that the obvious way to do this does
not lead to a BV-algebra.

Chapter 3 revolves around deformation quantization, which is a very different technique
for quantizing physical theories (but only for point particles). We first briefly describe
the classical physical formalism of point particles in terms of Poisson structures and
Hamiltonian vector fields on smooth manifolds. By means of Kontsevich's famous
result on deformation quantization of Poisson manifolds, such a theory can always be
converted into a quantum mechanical theory, whose most important ingredient is a
non-commutative but associative product, called the star product. After defining this
concept and briefly describing Kontsevich's result, we give a thorough treatment of
this formalism applied to the natural Poisson bracket of the dual of a Lie algebra.

Chapter 4 briefly studies a number of ways to combine secondary calculus in the form
of infinite jet bundles with deformation quantization. Poisson structures and
Hamiltonian vector fields have generalizations to infinite jet bundles in the framework
of secondary calculus. We can then ask whether there is such a thing as variational
deformation quantizations: a generalization of star products to jet bundles. Physically,
such a theory could be a generalization of the method that generalizes point particles
to more general structures by means of deformation quantization. There are several
possible ways in which one can attempt such a generalization, and in this last chapter
we show that a number of these ways do not work.

Identiteitsbeheer met behulp van credentialschema’s


Introductie
In de afgelopen jaren is het belang van informatie in onze maatschappij enorm snel
toegenomen, vooral dankzij de introductie en alomtegenwoordigheid van computers
en het internet. Steeds meer van de dingen die we doen gebeurt online. Mensen
gebruiken bijvoorbeeld het internet om in contact te blijven met elkaar, om nieuwe
mensen te ontmoeten, om dingen te kopen of verkopen, om afspraken te maken, en
om hun belastingopgave in te dienen. Bij al deze acties wordt informatie gegenereerd,
die kan worden opgeslagen en geanalyseerd. Daarnaast heeft sinds een paar jaar bijna
iedereen constant een smart phone bij zich, die meestal continu verbonden is met het
internet. Hiermee kunnen allerlei verschillende soorten data ten eerste continu worden
geregistreerd – bijvoorbeeld, geluid, locatie en beweging, maar ook waar je op klikt, wat
je koopt en met wie je in contact staat – en ten tweede kan deze data snel en efficiënt
Identiteitsbeheer met behulp van credentialschema’s 191

over het internet worden verzonden. Tegelijkertijd nemen de kosten van het verzenden
en opslaan van data alsmaar af, en moderne databases kunnen gemakkelijk enorme
hoeveelheden data opslaan en daar snel toegang toe bieden.
Informatie over eigenschappen en handelingen van individuen, kortweg persoonlijke
informatie, is met name belangrijk. In mijn geval zijn mijn leeftijd, naam en woonplaats
voorbeelden hiervan, maar ook dat ik hou van klassieke muziek, dat ik een aantal weken
terug een e-book heb gekocht, en ook dat ik een relatie heb. Eerder verrichte hande-
lingen behoren ook tot persoonlijke informatie, samen met bijbehorende gerelateerde
informatie zoals gesproken of geschreven tekst, financiële gegevens, of implicaties zoals
dat ik geïnteresseerd ben in cryptografie.
Gegeven het belang van dergelijke informatie en het gemak waarmee het tegenwoor-
dig kan worden verzameld is het geen verrassing dat verschillende partijen het zijn
gaan verzamelen, op variërende manieren en voor verschillende doelen. Bijvoorbeeld,
in essentie is het verdienmodel van zowel Facebook als Google het verzamelen van
persoonlijke informatie van mensen om dat vervolgens te verkopen aan adverteerders;
daarnaast blijken een aantal instituten voor nationale veiligheid zoveel mogelijk infor-
matie van het internet af te tappen als ze aankunnen.
In some cases such monitoring of behaviour and activities – that is, surveillance – is desirable. Tax authorities, for example, need to know people's income and savings in order to do their job, and many people consciously and regularly share all sorts of data with the rest of the world on Facebook. However, there can also be serious legal or moral problems, for example when a repressive government uses surveillance to suppress criticism. People also do not always have the possibility to do anything about surveillance, even if they disagree with it: for example, as someone who is not a citizen of the United States, I have no legal or democratic means whatsoever to prevent or influence the information that the NSA collects about me by analysing internet traffic. Furthermore, people are often not even aware of it; the extent of the surveillance by the NSA and similar agencies was largely unknown before Edward Snowden's revelations about it in 2013, and most people hardly realise how much information they reveal about themselves when they use the internet. It also happens that institutions or companies collect far more data than they need for their purposes. In summary, it is clear that surveillance threatens people's privacy in many ways, and in addition it is dangerous for at least the following three reasons:

• If everything you do is always stored by large companies and government institutions, then these institutions could later use this information against you. Such institutions often say that they can be trusted with this information, but even if that is so, the question remains whether they will still be trustworthy in the future. Perhaps in fifty years we will live in a totalitarian state; if such a state knows everything about everyone, there would be no escaping it.
• Once data about what you do and who you are is stored outside your control, it is often very difficult to keep track of where and how it is stored, what is done with it, and who has access to it. For example, privacy policies that state what is done with your data are often changed without notice; the government may later introduce (secret) laws or regulations that give it access to the data; and the data may be leaked or stolen. Since such data can nowadays be stored almost indefinitely, the risk of such things happening is large, and all three of the examples mentioned have meanwhile occurred a number of times. This problem also aggravates the seriousness of the first point above.
• When people know they are being watched, they may refrain from certain things that they would otherwise have done. Fear of possible consequences then leads to the suppression of critical voices and actions, resulting in self-censorship. This is completely at odds with the ideal of an open and democratic society.

In short: in a society in which information is the same as money and power, it is unwise to give away your personal information. It should be seen and treated as a kind of resource. It is therefore becoming increasingly important that people are aware of, and in control of, who knows what about them. In other words, there is a need for identity management: obtaining, using and protecting personal information, online or offline, often in order to gain access to services. However, we are not looking for ways to keep all personal information hidden at all times, because this would simply not be possible: for example, a customer in a liquor store will somehow have to convince the cashier that she is over 18. However, the cashier does not need to know anything more about her than that single fact in order to sell her an alcoholic drink.
Facts such as that the customer is over 18, or for example that she has a subscription to a newspaper, we call attributes. A passport can then be seen as a list of such attributes, created by the government in an unforgeable way. The example above shows that we want to be able to show such attributes to others selectively, so that the customer in the liquor store can prove that she is indeed over 18, without revealing her exact age, name or other details that are not relevant to the transaction.
In the second part of this thesis we try to achieve these goals by means of cryptographic tools called attribute-based credential schemes. In such schemes, users receive a credential from an issuer. Each credential can contain multiple attributes (each holding a limited amount of information), together with a digital signature by the issuer over these attributes. The user can then selectively show a number of these attributes to others, while the other attributes remain hidden. The receiving party (called the verifier) can use the issuer's signature to be certain that the credential was indeed created by the issuer. If, for example, the government were to issue such attribute-based credentials to its citizens, I could choose to disclose all my personal details at customs at the airport, or I could prove that I am over 18 in a shop.
Some credential schemes additionally have an interesting property called multi-show unlinkability: when a verifier is shown two credentials, he cannot possibly tell whether he saw the same credential twice or two different ones (at least, as long as the disclosed attributes do not distinguish the credentials from each other). A credential scheme can moreover, at the same time or independently, be issuer-unlinkable, meaning that the issuer cannot link the use of a credential to an issuance of a credential.
We will mainly concern ourselves with the following properties that credential schemes can have.

Security. To ensure that the verifier can really be convinced that the user has a valid credential (in particular that he received this credential from the issuer), it must be provable that users cannot create credentials without the knowledge and consent of the issuer. Likewise, when a scheme has certain anonymity properties, these must be provable.
Efficiency. A credential scheme must be practical in use. One way to achieve this could be to implement it on smart cards, which have very limited capabilities. It is therefore important that schemes are as efficient as possible.
Attribute-based. As described above, one wants to be able to disclose different attributes in different situations. However, we will also study a number of credential schemes that are not attribute-based, or that cannot even store any information at all.
Anonymity. Where possible, a credential scheme should hide as much of the user's data as possible, or as much as the user wishes. Although this can already be partially achieved by keeping irrelevant attributes hidden, we will be mainly interested in schemes that offer one or preferably both forms of unlinkability.

We mainly treat schemes that make use of bilinear group pairs: a pair of two prime-order elliptic curves that admits a special map called the pairing. Elliptic curves offer high security together with small group elements and efficient algorithms for the group operations, and with the pairing the relations between specific group elements can be studied. The second part of this thesis is thus about the following question: Does there exist, or can we construct, a credential scheme that uses bilinear group pairs and that achieves all of the goals mentioned above, including unlinkability? To what extent must a trade-off be made between these goals?
The credential schemes we study will achieve more and more of the above goals simultaneously. In chapters 6 and 8 we study a number of schemes that should have been efficient, secure and unlinkable at the same time, but failed to be. In addition, we will indeed find a trade-off between anonymity and efficiency, in the schemes of chapters 7 and 9; one chapter treats a very efficient scheme that offers no unlinkability, while the scheme of the other chapter is admittedly less efficient, but is nevertheless the first scheme that achieves all four goals simultaneously.
Summary
The second part of this thesis consists of the following chapters.

Chapter 5 treats some notation and fundamental concepts that are useful throughout the second part of this thesis, including: when something is efficiently computable; cyclic groups and bilinear pairings, zero-knowledge proofs and digital signature schemes. Here we also define credential schemes, the main subject of the later chapters.
Chapter 6 studies a number of (non-attribute-based) credential schemes from the literature that are broken, in the sense that they turn out not to have the properties they should have had. We prove a theorem stating that under certain circumstances it is difficult to combine unlinkability and unforgeability in such schemes. This chapter is based on the following paper.

[HLR15] J.-H. Hoepman, W. Lueks and S. Ringers. “On Linkability and Malleability in Self-blindable Credentials”. In: Information Security Theory and Practice: 9th IFIP WG 11.2 International Conference, WISTP 2015. Ed. by N. R. Akram and S. Jajodia. Cham: Springer International Publishing, 2015, pp. 203–218.

Chapter 7 introduces an interactive algorithm for signing a generalisation of Boneh–Boyen signatures, which hides part of the message, together with the resulting signature, from the signer. By applying this we obtain an attribute-based credential scheme that is simple and very efficient but that offers no multi-show unlinkability (although it is issuer-unlinkable). Compared to its best-known competitor, U-Prove, our scheme offers comparable efficiency but stronger security guarantees.
Chapter 8 has the attribute-based credential scheme of Hanzlik and Kluczniak [HK14] as its subject. This scheme should have been a multi-show unlinkable variant of U-Prove (which, like our scheme from chapter 7, is not multi-show unlinkable but very efficient). We show an attack on the scheme of Hanzlik and Kluczniak, with which a number of users can jointly create a new credential containing attributes of their choice, without the cooperation or knowledge of the issuer. In addition, we point out the error in their paper. This chapter is based on the following paper.

[VRH16] E. Verheul, S. Ringers and J.-H. Hoepman. “The self-blindable U-Prove scheme from FC’14 is forgeable”. In: Financial Cryptography and Data Security – FC’16 (2016). In print. url: https://eprint.iacr.org/2015/725.

Chapter 9, finally, introduces a second attribute-based credential scheme that is multi-show unlinkable, and that achieves all four goals from the previous section. Its security follows from our proof that it is unforgeable, and we also show that the scheme is unlinkable, so that the anonymity of the user is well protected. Although this scheme is not as efficient as that of chapter 7, it is more efficient than all comparable (in particular unlinkable) schemes known to us. At the end of the chapter we briefly compare our scheme with those of the earlier chapters.
Acknowledgments

Try as I might, I can think of no way to convey the depth of my gratitude to my promotor,
Jaap Top, for everything that he has done for me and this project, and for the enormous
amount of faith he always had in me. He has supported and helped me in ways that I
had no reason to expect from him, and even if he had not, he would still have been an
excellent promotor. At times when I no longer saw solutions, he always saw ways to go
forward.
Secondly, I am very grateful to Arthemy Kiselev, my supervisor for the first part of this
thesis. He not only introduced me to the beautiful subjects of jet space geometry and
quantization, but I also learned much from him about, for example, writing scientific
articles and conducting oneself in the scientific community. Apart from this I have fond
memories of the many stories and anecdotes he told me, and of our animated discussions
in his dimly lit office.
I am equally grateful to my supervisor for the second part of this thesis: Jaap-Henk
Hoepman, for taking me in and having trust in me. Computer science, security and
privacy aspects have always been of great interest to me, and I am very happy to
have been given the chance to pursue these interests. His encouragement, his critical
attitude towards my work, and his focus on properly presenting your work have been
very important and helpful to me.
I am also very grateful to Bart Jacobs, for arranging the extension that allowed me
to work on the IRMA project, for introducing me to the IRMA project itself as well as
everything surrounding it, and for his advice and guidance in the last year. The extension
gave me some much-needed time to properly finish the second part of this project, and I
have very much enjoyed contributing to the IRMA project, of which the rather practical
nature was an excellent complement to the theoretical work of this thesis.
Thanks also to Klaas Landsman, for his advice at an important time, and his continued
interest in me and this project throughout its duration.
Next I wish to thank both the universities of Groningen and Nijmegen for the warm
atmosphere they provided, allowing me to do this work; and my colleagues at both
universities, for their companionship and the many enjoyable lunches we had. Particular
thanks go to the university of Groningen for giving me the opportunity to teach exercise
classes, as well as to design a course and lecture it. Some of the best moments of these
years were when I was teaching, and I am very happy to have learned how immensely
satisfying teaching can be.
Particular thanks go to the co-authors of my published papers: Arthemy Kiselev, Jaap-
Henk Hoepman, Wouter Lueks and Eric Verheul, for our constructive collaborations, for
those parts of our papers that they wrote, and for their many attentive suggestions and
corrections for the parts that I wrote. Fabian van den Broek also deserves mentioning
here; although he and I never published a paper together, we have enjoyed many months
of fruitful collaboration (together with Wouter) on the IRMA project.
Last but certainly not least, I am immensely thankful to my partner in life, Tomas
Harreveld, for his continuous support and encouragement through the highs and lows
of these five years; for sharing my interest in the second subject of this thesis; for all
the advice he gave me; for the faith that he always had in me, even at times when I
saw no reason for it; and for listening with great attention and interest to my endless
stories about both subjects of this thesis, and everything that transpired as it came about.

Vleuten, August 2016


Biography

Sietse Ringers was born in 1984. After having obtained his bachelor’s degree in Physics
and Astronomy, he graduated in Mathematical Physics at the University of Amsterdam
in 2011, under supervision of Robbert Dijkgraaf. Since then he has been a PhD student
at the University of Groningen, studying the connections between differential geometry
and theoretical physics under supervision of Arthemy Kiselev, and identity management
and credential schemes under supervision of Jaap-Henk Hoepman.
In his spare time he enjoys programming (in particular on the IRMA project which
implements many of the techniques from the second part of this thesis), listening to
(classical) music and singing in choirs. He and his partner currently live in Vleuten in
The Netherlands.
Bibliography

Quantization using Jet Space Geometry

[Bay+77] F. Bayen, M. Flato, C. Fronsdal, A. Lichnerowicz, and D. Sternheimer. “Quantum mechanics as a deformation of classical mechanics”. In: Letters in Mathematical Physics 1.6 (1977), pp. 521–530 (cit. on pp. xii, 45).
[Bay+78a] F. Bayen, M. Flato, C. Fronsdal, A. Lichnerowicz, and D. Sternheimer. “Deformation theory and quantization. I. Deformations of symplectic structures”. In: Annals of Physics 111.1 (1978), pp. 61–110 (cit. on pp. xii, 45).
[Bay+78b] F. Bayen, M. Flato, C. Fronsdal, A. Lichnerowicz, and D. Sternheimer. “Deformation theory and quantization. II. Physical applications”. In: Annals of Physics 111.1 (1978), pp. 111–151 (cit. on pp. xii, 45).
[BRS75] C. Becchi, A. Rouet, and R. Stora. “Renormalization of the abelian Higgs-Kibble model”. In: Commun. Math. Phys. 42 (June 1975), pp. 127–162 (cit. on pp. xi, 11, 25).
[BRS76] C. Becchi, A. Rouet, and R. Stora. “Renormalization of gauge theories”. In: Ann. Phys. 98 (June 1976), pp. 287–321 (cit. on pp. xi, 11, 25).
[BV81] I. A. Batalin and G. A. Vilkovisky. “Gauge algebra and quantization”. In: Phys. Lett. B 102 (June 1981), pp. 27–31 (cit. on pp. xii, 11, 25).
[BV83] I. A. Batalin and G. A. Vilkovisky. “Quantization of gauge theories with linearly dependent generators”. In: Phys. Rev. D 28 (10 Nov. 1983), pp. 2567–2582 (cit. on pp. xii, 11, 25).
[CF00] A. S. Cattaneo and G. Felder. “A path integral approach to Kontsevich quantization formula”. In: Commun. Math. Phys. 2012 (3 2000), pp. 591–611. arXiv: math/9902090 (cit. on pp. 11, 26, 39, 41).
[CI] A. S. Cattaneo and D. Indelicato. “Formality and Star Products”. Lecture notes of a course at PQR2003 Euroschool, 2003 (cit. on pp. 50, 57).
[Dit99] G. Dito. “Kontsevich Star Product on the Dual of a Lie Algebra”. In: Letters in Mathematical Physics 48.4 (1999), pp. 307–322. arXiv: math/9905080 (cit. on p. 67).
[Dor93] I. Dorfman. Dirac structures and integrability of nonlinear evolution equations. Nonlinear science. Wiley & Sons, 1993 (cit. on p. 11).
[Fed94] B. V. Fedosov. “A simple geometrical construction of deformation quantization”. In: J. Differential Geom. 40.2 (1994), pp. 213–238 (cit. on p. xii).
[GD80] I. M. Gel’fand and I. Dorfman. “The Schouten Bracket and Hamiltonian operators”. In: Functional Analysis and Its Applications 14.3 (1980), pp. 223–226 (cit. on p. 11).
[GR99] S. Gutt and J. Rawnsley. “Equivalence of star products on a symplectic manifold; an introduction to Deligne’s Čech cohomology classes”. In: Journal of Geometry and Physics 29.4 (1999), pp. 347–392 (cit. on p. 54).
[Gut83] S. Gutt. “An explicit *-product on the cotangent bundle of a Lie group”. In: Letters in Mathematical Physics 7.3 (1983), pp. 249–258 (cit. on p. 67).
[Ham80] R. W. Hamming. “The unreasonable effectiveness of mathematics”. In: Amer. Math. Monthly 87.2 (Feb. 1980). url: https://www.dartmouth.edu/~matc/MathDrama/reading/Hamming.html (cit. on p. xi).
[HT92] M. Henneaux and C. Teitelboim. Quantization of gauge systems. Princeton, NJ: Princeton University Press, 1992, pp. xxviii+520 (cit. on pp. 11, 25, 31).
[Kat00] V. Kathotia. “Kontsevich’s universal formula for deformation quantization and the Campbell–Baker–Hausdorff formula”. In: International Journal of Mathematics 11.4 (2000), pp. 523–551. arXiv: math/9811174 (cit. on p. 67).
[Kis12a] A. V. Kiselev. “Homological evolutionary vector fields in Korteweg-de Vries, Liouville, Maxwell, and several other models”. In: J. Phys. Conf. Ser. 343.1 (Feb. 2012), p. 012058. arXiv: 1111.3272 (cit. on p. 25).
[Kis12b] A. V. Kiselev. “On the variational noncommutative Poisson geometry”. In: Physics of Particles and Nuclei 43 (2012), pp. 663–665. arXiv: 1112.5784 (cit. on p. 11).
[Kis12c] A. V. Kiselev. “The twelve lectures in the (non)commutative geometry of differential equations”. 140p, preprint IHÉS M-12-13. 2012. url: http://preprints.ihes.fr/2012/M/M-12-13.pdf (cit. on pp. xi, 3, 12, 24, 25, 38, 71, 72).
[KKV04] P. Kersten, I. Krasil’shchik, and A. Verbovetsky. “Hamiltonian operators and ℓ*-coverings”. In: J. Geom. Phys. 50.1-4 (2004), pp. 273–302. arXiv: math/0304245 (cit. on pp. 8, 11).
[Kon03] M. Kontsevich. “Deformation Quantization of Poisson Manifolds”. In: Letters in Mathematical Physics 66.3 (2003), pp. 157–216. arXiv: q-alg/9709040 (cit. on pp. xii, 46, 50, 52, 53, 58, 61, 66).
[Kon93] M. Kontsevich. “Formal (Non)-Commutative Symplectic Geometry”. In: The Gelfand Mathematical Seminars, 1990–1992. Ed. by I. Gelfand, L. Corwin, and J. Lepowsky. Birkhäuser Boston, 1993, pp. 173–187 (cit. on pp. 11, 24).
[KR12] A. V. Kiselev and S. Ringers. “A comparison of definitions for the Schouten bracket on jet spaces”. In: Proceedings of the Sixth International Workshop “Group Analysis of Differential Equations and Integrable Systems”. Larnaca, Cyprus, 2012, 15p. arXiv: 1208.6196 (cit. on pp. x, 3, 189).
[KV11] I. S. Krasil’shchik and A. Verbovetsky. “Geometry of jet spaces and integrable systems”. In: J. Geom. Phys. 61.9 (2011), pp. 1633–1674. arXiv: 1002.0077 (cit. on pp. xi, 3, 11, 12, 19, 21, 26).
[KV99] I. S. Krasil’shchik and A. M. Vinogradov, eds. Symmetries and conservation laws for differential equations of mathematical physics. Vol. 182. Translations of Mathematical Monographs. Providence, RI: Amer. Math. Soc., 1999, pp. xiv+333 (cit. on pp. xi, 3, 26, 71).
[Lic77] A. Lichnerowicz. “Les variétés de Poisson et leurs algèbres de Lie associées”. In: Journal of Differential Geometry 12.2 (1977), pp. 253–300 (cit. on p. 11).
[Lic78] A. Lichnerowicz. “Les variétés de Poisson et leurs algèbres de Lie associées”. In: J. Math. Pures Appl. 57 (1978), pp. 453–488 (cit. on p. 11).
[Nij55] A. Nijenhuis. “Jacobi-type identities for bilinear differential concomitants of certain tensor fields I”. In: Indag. Math. 17 (1955), pp. 390–403 (cit. on p. 11).
[Olv00] P. J. Olver. Applications of Lie groups to differential equations. Second Edition. Vol. 107. Graduate Texts in Mathematics. New York: Springer-Verlag, 2000, p. 541 (cit. on pp. xi, 3).
[OS98] P. J. Olver and V. V. Sokolov. “Integrable Evolution Equations on Associative Algebras”. In: Communications in Mathematical Physics 193.2 (1998), pp. 245–268 (cit. on pp. 11, 24).
[RS03] A. Reyman and M. A. Semenov–Tyan-Shansky. “Integrable systems: group-theoretic approach”. In: Reg. Chaot. Dyn. (2003). In Russian (cit. on p. 11).
[RS94] A. G. Reyman and M. A. Semenov–Tian-Shansky. “Group-Theoretical Methods in the Theory of Finite-Dimensional Integrable Systems”. In: Dynamical Systems VII. Ed. by V. I. Arnol’d and S. P. Novikov. Vol. 16. Encyclopaedia of Mathematical Sciences. Springer Berlin Heidelberg, 1994, pp. 116–225 (cit. on p. 11).
[Sch40] J. A. Schouten. “Über Differentialkonkomitanten zweier kontravarianten Grössen”. In: Indag. Math. 2 (1940), pp. 449–452 (cit. on p. 11).
[Sch53] J. A. Schouten. “On the differential operators of the first order in tensor calculus”. In: Convegno Int. Geom. Diff. Italia. (1953), pp. 1–7 (cit. on p. 11).
[Sch93] A. Schwarz. “Geometry of Batalin-Vilkovisky quantization”. In: Commun. Math. Phys. 155 (July 1993), pp. 249–260. arXiv: hep-th/9205088 (cit. on pp. 26, 29).
[Sch94] A. Schwarz. “Symmetry transformations in Batalin-Vilkovisky formalism”. In: Letters in Mathematical Physics 31.4 (1994), pp. 299–301 (cit. on pp. 26, 29).
[Sch99] A. Schwarz. “Quantum Observables, Lie Algebra Homology and TQFT”. In: Letters in Mathematical Physics 49.2 (1999), pp. 115–122. arXiv: hep-th/9904168 (cit. on pp. 26, 29).
[Tyu75] I. V. Tyutin. “Gauge Invariance in Field Theory and Statistical Physics in Operator Formalism”. Lebedev Physics Institute preprint 39. 1975 (cit. on pp. xi, 11, 25).
[Vin01] A. M. Vinogradov. Cohomological Analysis of Partial Differential Equations and Secondary Calculus. Vol. 204. Translations of Mathematical Monographs. Amer. Math. Soc., 2001 (cit. on pp. xi, 3, 26).
[Vit09] L. Vitagliano. “Secondary calculus and the covariant phase space”. In: Journal of Geometry and Physics 59.4 (2009), pp. 426–447. arXiv: 0809.4164 (cit. on p. 26).
[Vor02] T. Voronov. “Graded manifolds and Drinfeld doubles for Lie bialgebroids”. In: Quantization, Poisson brackets and beyond (Manchester, 2001). Vol. 315. Contemp. Math. Providence, RI: Amer. Math. Soc., 2002, pp. 131–168. arXiv: math/0105237 (cit. on p. 14).
[Wig60] E. P. Wigner. “The unreasonable effectiveness of mathematics in the natural sciences”. In: Comm. Pure Appl. Math. 13 (Feb. 1960). url: https://www.dartmouth.edu/~matc/MathDrama/reading/Wigner.html (cit. on p. xi).
[Wit90] E. Witten. “A note on the antibracket formalism”. In: Modern Phys. Lett. A 5.7 (1990), pp. 487–494 (cit. on pp. 11, 25).
[Zin75] J. Zinn-Justin. “Renormalization of gauge theories”. In: Trends in elementary particle theory. Vol. 37. Lect. notes in phys. Berlin: Springer, 1975, pp. 1–39 (cit. on p. 11).

Identity Management using Credential Schemes


[ACM05] G. Ateniese, J. Camenisch, and B. de Medeiros. “Untraceable RFID Tags
via Insubvertible Encryption”. In: Proceedings of the 12th ACM Conference on
Computer and Communications Security - CCS ’05. New York, NY, USA: ACM,
2005, pp. 92–101. url: http://doi.acm.org/10.1145/1102120.1102134
(cit. on pp. 153, 154).
[Adj+15] G. Adj, A. Menezes, T. Oliveira, and F. Rodríguez-Henríquez. “Computing
Discrete Logarithms in F36·137 and F36·163 Using Magma”. In: Arithmetic of
Finite Fields. Ed. by Ç. K. Koç, S. Mesnager, and E. Savaş. Vol. 9061. Lecture
Notes in Computer Science. Springer International Publishing, 2015, pp. 3–
22 (cit. on p. 92).
[AF07] M. Abe and S. Fehr. “Perfect NIZK with Adaptive Soundness”. In: The-
ory of Cryptography. Ed. by S. P. Vadhan. Vol. 4392. LNCS. Springer Berlin
Heidelberg, 2007, pp. 118–136 (cit. on p. 175).
Identity Management using Credential Schemes 205

[AF96] M. Abe and E. Fujisaki. “How to date blind signatures”. In: Advances in
Cryptology — ASIACRYPT ’96. Ed. by K. Kim and T. Matsumoto. Vol. 1163.
LNCS. Berlin, Heidelberg: Springer Berlin Heidelberg, 1996, pp. 244–251
(cit. on pp. 125, 141).
[AHS11] G. Alpár, J. Hoepman, and J. Siljee. “The Identity Crisis. Security, Privacy
and Usability Issues in Identity Management”. In: CoRR abs/1101.0427
(2011). url: http://arxiv.org/abs/1101.0427 (cit. on p. xvii).
[Alp15] G. Alpár. “Attribute-Based Identity Management: Bridging the Crypto-
graphic Design of ABCs with the Real World”. PhD thesis. Radboud Uni-
versity, Nijmegen, The Netherlands, 2015 (cit. on p. xvii).
[Ant+02] A. Antipa, D. Brown, A. Menezes, R. Struik, and S. Vanstone. “Validation of
Elliptic Curve Public Keys”. In: Public Key Cryptography – PKC 2003. Ed. by
Y. G. Desmedt. Vol. 2567. LNCS. Springer Berlin Heidelberg, 2002, pp. 211–
223 (cit. on p. 161).
[AO00] M. Abe and T. Okamoto. “Provably Secure Partially Blind Signatures”. In:
Advances in Cryptology – CRYPTO 2000. Ed. by M. Bellare. Vol. 1880. LNCS.
Springer Berlin Heidelberg, 2000, pp. 271–286 (cit. on pp. 126, 127, 141).
[Bar01] B. Barak. “How to Go Beyond the Black-Box Simulation Barrier”. In: 42nd
Annual Symposium on Foundations of Computer Science, FOCS 2001, 14-17
October 2001, Las Vegas, Nevada, USA. IEEE Computer Society, 2001, pp. 106–
115 (cit. on p. 97).
[BB08] D. Boneh and X. Boyen. “Short Signatures Without Random Oracles and the
SDH Assumption in Bilinear Groups”. In: J. Cryptology 21.2 (2008), pp. 149–
177 (cit. on pp. 119, 126, 130, 131, 156).
[Bel+02] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. “The Power
of RSA Inversion Oracles and the Security of Chaum’s RSA-Based Blind
Signature Scheme”. In: Financial Cryptography: 5th International Conference,
FC 2001. Ed. by P. Syverson. Vol. 2339. LNCS. Berlin, Heidelberg: Springer
Berlin Heidelberg, 2002, pp. 319–338 (cit. on p. 141).
[Bel+09] M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, and
H. Shacham. “Randomizable Proofs and Delegatable Anonymous Creden-
tials”. In: Advances in Cryptology - CRYPTO 2009: 29th Annual International
Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceed-
ings. Ed. by S. Halevi. Vol. 5677. LNCS. Berlin, Heidelberg: Springer Berlin
Heidelberg, 2009, pp. 108–125 (cit. on p. 141).
[Beu+10] J. Beuchat, J. E. González-Díaz, S. Mitsunari, E. Okamoto, F. Rodríguez-
Henríquez, and T. Teruya. “High-Speed Software Implementation of the
Optimal Ate Pairing over Barreto-Naehrig Curves”. In: Pairing-Based Cryp-
tography - Pairing 2010. Ed. by M. Joye, A. Miyaji, and A. Otsuka. Vol. 6487.
Lecture Notes in Computer Science. Springer, 2010, pp. 21–39 (cit. on pp. 170,
171).
206 Bibliography

[BF01] D. Boneh and M. K. Franklin. “Identity-Based Encryption from the Weil


Pairing”. In: Advances in Cryptology - CRYPTO 2001. Ed. by J. Kilian. Vol. 2139.
LNCS. Springer, 2001, pp. 213–229 (cit. on p. 156).
[Bha+09] R. Bhaskar, K. Chandrasekaran, S. V. Lokam, P. L. Montgomery, R. Venkate-
san, and Y. Yacobi. “An Observation about Variations of the Diffie-Hellman
Assumption”. In: Serdica Journal of Computing 3 (2009) (cit. on pp. 131, 139).
[Bit+12] N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. “From Extractable Colli-
sion Resistance to Succinct Non-interactive Arguments of Knowledge, and
Back Again”. In: Proceedings of the 3rd Innovations in Theoretical Computer Sci-
ence Conference - ITCS ’12. Cambridge, Massachusetts: ACM, 2012, pp. 326–
349 (cit. on p. 174).
[Bit+14] N. Bitansky, R. Canetti, A. Chiesa, S. Goldwasser, H. Lin, A. Rubinstein, and
E. Tromer. “The Hunting of the SNARK”. In: IACR Cryptology ePrint Archive
2014 (2014). url: https://eprint.iacr.org/2014/580 (cit. on p. 174).
[BL13a] F. Baldimtsi and A. Lysyanskaya. “Anonymous Credentials Light”. In: Pro-
ceedings of the 2013 ACM SIGSAC Conference on Computer & Communications
Security. CCS ’13. Berlin, Germany: ACM, 2013, pp. 1087–1098 (cit. on pp. 141,
153).
[BL13b] F. Baldimtsi and A. Lysyanskaya. “On the Security of One-Witness Blind
Signature Schemes”. In: Advances in Cryptology - ASIACRYPT 2013. Ed. by
K. Sako and P. Sarkar. Vol. 8270. LNCS. Springer Berlin Heidelberg, 2013,
pp. 82–99 (cit. on pp. 126, 139, 152, 153).
[Bla+13] O. Blazy, G. Fuchsbauer, D. Pointcheval, and D. Vergnaud. “Short blind
signatures”. In: Journal of Computer Security 21.5 (2013), pp. 627–661 (cit. on
p. 141).
[BLS04] D. Boneh, B. Lynn, and H. Shacham. “Short Signatures from the Weil Pair-
ing”. In: J. Cryptology 17.4 (2004), pp. 297–319 (cit. on pp. 103, 156).
[BN06] P. S. L. M. Barreto and M. Naehrig. “Pairing-Friendly Elliptic Curves of
Prime Order”. In: Selected Areas in Cryptography. Ed. by B. Preneel and S.
Tavares. Vol. 3897. LNCS. Springer Berlin Heidelberg, 2006, pp. 319–331 (cit.
on p. 93).
[Bol02] A. Boldyreva. “Threshold Signatures, Multisignatures and Blind Signatures
Based on the Gap-Diffie-Hellman-Group Signature Scheme”. In: Public Key
Cryptography — PKC 2003. Ed. by Y. G. Desmedt. Vol. 2567. LNCS. Berlin,
Heidelberg: Springer Berlin Heidelberg, 2002, pp. 31–46 (cit. on p. 141).
[BP04a] M. Bellare and A. Palacio. “The Knowledge-of-Exponent Assumptions and
3-Round Zero-Knowledge Protocols”. English. In: Advances in Cryptology –
CRYPTO 2004. Ed. by M. Franklin. Vol. 3152. LNCS. Springer Berlin Heidel-
berg, 2004, pp. 273–289 (cit. on p. 174).
Identity Management using Credential Schemes 207

[BP04b] M. Bellare and A. Palacio. “Towards Plaintext-Aware Public-Key Encryption
Without Random Oracles”. English. In: Advances in Cryptology - ASIACRYPT
2004. Ed. by P. Lee. Vol. 3329. LNCS. Springer Berlin Heidelberg, 2004,
pp. 48–62 (cit. on p. 174).
[BPW12] D. Bernhard, O. Pereira, and B. Warinschi. “How Not to Prove Yourself: Pit-
falls of the Fiat-Shamir Heuristic and Applications to Helios”. In: Advances
in Cryptology – ASIACRYPT 2012. Ed. by X. Wang and K. Sako. Vol. 7658.
LNCS. Springer Berlin Heidelberg, 2012, pp. 626–643 (cit. on p. 169).
[BR93] M. Bellare and P. Rogaway. “Random oracles are practical: a paradigm for
designing efficient protocols”. In: ACM Conference on Computer and Commu-
nications Security. 1993, pp. 62–73 (cit. on p. 169).
[Bra00] S. Brands. Rethinking Public Key Infrastructures and Digital Certificates: Building
in Privacy. MIT Press, 2000 (cit. on pp. xvii, 88, 89, 98, 125, 126, 151, 153).
[BSS05] I. F. Blake, G. Seroussi, and N. P. Smart, eds. Advances in Elliptic Curve
Cryptography. Cambridge Books Online. Cambridge University Press, 2005
(cit. on p. 93).
[CDM00] R. Cramer, I. Damgård, and P. MacKenzie. “Efficient Zero-Knowledge Proofs
of Knowledge without Intractability Assumptions”. In: Public Key Cryptog-
raphy. Ed. by H. Imai and Y. Zheng. Vol. 1751. LNCS. Springer Berlin Hei-
delberg, 2000, pp. 354–372 (cit. on pp. 96, 99, 130).
[CDN01] R. Cramer, I. Damgård, and J. B. Nielsen. “Multiparty Computation from
Threshold Homomorphic Encryption”. In: Advances in Cryptology — EU-
ROCRYPT 2001. Ed. by B. Pfitzmann. Vol. 2045. LNCS. Extended version at
http://www.brics.dk/RS/00/14/BRICS-RS-00-14.pdf. Springer Berlin
Heidelberg, 2001, pp. 280–300 (cit. on p. 130).
[CDS94] R. Cramer, I. Damgård, and B. Schoenmakers. “Proofs of Partial Knowledge
and Simplified Design of Witness Hiding Protocols”. In: Proceedings of the
14th Annual International Cryptology Conference on Advances in Cryptology -
CRYPTO ’94. London, UK, UK: Springer-Verlag, 1994, pp. 174–187 (cit. on
p. 99).
[CFN90] D. Chaum, A. Fiat, and M. Naor. “Untraceable Electronic Cash”. English.
In: Advances in Cryptology — CRYPTO ’88. Ed. by S. Goldwasser. Vol. 403.
LNCS. Springer New York, 1990, pp. 319–327 (cit. on p. 125).
[CGH04] R. Canetti, O. Goldreich, and S. Halevi. “The Random Oracle Methodology,
Revisited”. In: J. ACM 51.4 (2004), pp. 557–594 (cit. on p. 169).
[Cha83] D. Chaum. “Blind Signatures for Untraceable Payments”. In: Advances in
Cryptology. Ed. by D. Chaum, R. L. Rivest, and A. T. Sherman. Springer US,
1983, pp. 199–203 (cit. on pp. 125, 126, 140).
[Cha90] D. Chaum. “Showing credentials without identification transferring sig-
natures between unconditionally unlinkable pseudonyms”. In: Advances in
Cryptology — AUSCRYPT ’90. Ed. by J. Seberry and J. Pieprzyk. Vol. 453.
LNCS. Springer Berlin Heidelberg, 1990, pp. 245–264 (cit. on p. 125).
[Cho+05] S. S. M. Chow, L. C. K. Hui, S. M. Yiu, and K. P. Chow. “Two Improved
Partially Blind Signature Schemes from Bilinear Pairings”. In: Information
Security and Privacy: 10th Australasian Conference, ACISP 2005. Ed. by C. Boyd
and J. M. González Nieto. Vol. 3574. LNCS. Berlin, Heidelberg: Springer
Berlin Heidelberg, 2005, pp. 316–328 (cit. on p. 141).
[CHP07] J. Camenisch, S. Hohenberger, and M. Ø. Pedersen. “Batch Verification of
Short Signatures”. In: Advances in Cryptology - EUROCRYPT 2007. Ed. by
M. Naor. Berlin, Heidelberg: Springer Berlin Heidelberg, 2007, pp. 246–263.
url: https://eprint.iacr.org/2007/172.pdf (cit. on pp. 153, 154).
[CJFE] Snowden Surveillance Archive. Canadian Journalists for Free Expression. url:
https://cjfe.org/snowden (cit. on p. xvii).
[CKW05] J. Camenisch, M. Koprowski, and B. Warinschi. “Efficient Blind Signatures
Without Random Oracles”. In: Security in Communication Networks: 4th In-
ternational Conference, SCN 2004. Ed. by C. Blundo and S. Cimato. Vol. 3352.
LNCS. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 134–148
(cit. on p. 141).
[CL01] J. Camenisch and A. Lysyanskaya. “An Efficient System for Non-transferable
Anonymous Credentials with Optional Anonymity Revocation”. In: Ad-
vances in Cryptology — EUROCRYPT 2001. Ed. by B. Pfitzmann. Vol. 2045.
LNCS. Springer Berlin Heidelberg, 2001, pp. 93–118 (cit. on pp. xvii, 87, 112,
123, 151, 153).
[CL02] J. Camenisch and A. Lysyanskaya. “A Signature Scheme with Efficient Proto-
cols”. In: Security in Communication Networks, Third International Conference,
SCN 2002. Ed. by S. Cimato, C. Galdi, and G. Persiano. Vol. 2576. LNCS.
Springer, 2002, pp. 268–289 (cit. on pp. 123, 159).
[CL04] J. Camenisch and A. Lysyanskaya. “Signature Schemes and Anonymous
Credentials from Bilinear Maps”. English. In: Advances in Cryptology –
CRYPTO 2004. Ed. by M. Franklin. Vol. 3152. LNCS. Springer Berlin Heidel-
berg, 2004, pp. 56–72 (cit. on pp. 152–154, 170, 171, 179).
[CM11] S. Chatterjee and A. Menezes. “On cryptographic protocols employing
asymmetric pairings — The role of Ψ revisited”. In: Discrete Applied Mathe-
matics 159.13 (2011), pp. 1311–1322 (cit. on p. 92).
[CP93] D. Chaum and T. P. Pedersen. “Wallet Databases with Observers”. In: Ad-
vances in Cryptology - CRYPTO ’92. Ed. by E. F. Brickell. Vol. 740. LNCS.
Springer, 1993, pp. 89–105 (cit. on pp. 114, 157).
[CS97] J. Camenisch and M. Stadler. “Efficient group signature schemes for large
groups”. In: Advances in Cryptology — CRYPTO ’97. Ed. by B. S. J. Kaliski.
Vol. 1294. LNCS. Springer Berlin Heidelberg, 1997, pp. 410–424 (cit. on
p. 101).
[Dam10] I. Damgård. On Σ-protocols. CPT 2010, v.2. 2010. url: http://www.cs.au.dk/~ivan/Sigma.pdf
(cit. on pp. 97, 100).
[Dam91] I. Damgård. “Towards Practical Public Key Systems Secure Against Chosen
Ciphertext Attacks”. In: Advances in Cryptology - CRYPTO ’91. Ed. by J.
Feigenbaum. Vol. 576. LNCS. Springer, 1991, pp. 445–456 (cit. on pp. 173,
174).
[Den06] A. W. Dent. The Hardness of the DHK Problem in the Generic Group Model.
Cryptology ePrint Archive, Report 2006/156. https://eprint.iacr.org/2006/156.
2006 (cit. on p. 175).
[DFH12] I. Damgård, S. Faust, and C. Hazay. “Secure Two-Party Computation with
Low Communication”. English. In: Theory of Cryptography. Ed. by R. Cramer.
Vol. 7194. LNCS. Springer Berlin Heidelberg, 2012, pp. 54–74 (cit. on p. 174).
[DG09] M. Di Raimondo and R. Gennaro. “New Approaches for Deniable Authen-
tication”. English. In: J. Cryptology 22.4 (2009), pp. 572–615 (cit. on p. 174).
[DGK06] M. Di Raimondo, R. Gennaro, and H. Krawczyk. “Deniable Authentication
and Key Exchange”. In: Proceedings of the 13th ACM Conference on Computer
and Communications Security - CCS ’06. Alexandria, Virginia, USA: ACM,
2006, pp. 400–409 (cit. on p. 174).
[DH76] W. Diffie and M. Hellman. “New directions in cryptography”. In: IEEE
Transactions on Information Theory 22.6 (1976), pp. 644–654 (cit. on p. 90).
[DSD07] A. J. Devegili, M. Scott, and R. Dahab. “Implementing Cryptographic Pairings
over Barreto-Naehrig Curves”. In: Pairing-Based Cryptography – Pairing 2007.
Ed. by T. Takagi, T. Okamoto, E. Okamoto, and T. Okamoto. Vol. 4575. LNCS.
Springer Berlin Heidelberg, 2007, pp. 197–207 (cit. on p. 93).
[DY05] Y. Dodis and A. Yampolskiy. “A Verifiable Random Function with Short
Proofs and Keys”. In: Public Key Cryptography - PKC 2005. Ed. by S. Vaudenay.
Vol. 3386. LNCS. Springer Berlin Heidelberg, 2005, pp. 416–431 (cit. on
p. 126).
[EMO09] K. Emura, A. Miyaji, and K. Omote. “A Certificate Revocable Anonymous
Authentication Scheme with Designated Verifier”. In: Proceedings of the The
Forth International Conference on Availability, Reliability and Security, ARES
2009. IEEE Computer Society, 2009, pp. 769–773 (cit. on pp. 112, 121).
[EUDPD] Data Protection Directive. Directive 95/46/EC of the European Parliament
and of the Council of 24 October 1995 on the protection of individuals with
regard to the processing of personal data and on the free movement of such
data. See also http://ec.europa.eu/justice/data-protection/. url:
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:31995L0046
(cit. on p. xvi).
[FHS15] G. Fuchsbauer, C. Hanser, and D. Slamanig. “Practical Round-Optimal Blind
Signatures in the Standard Model”. In: CRYPTO (2). Vol. 9216. LNCS.
Springer, 2015, pp. 233–253 (cit. on p. 141).
[FS87] A. Fiat and A. Shamir. “How To Prove Yourself: Practical Solutions to
Identification and Signature Problems”. In: Advances in Cryptology – CRYPTO ’86.
Ed. by A. M. Odlyzko. Vol. 263. LNCS. Springer Berlin Heidelberg, 1987,
pp. 186–194 (cit. on pp. 152, 169).
[FS90] U. Feige and A. Shamir. “Witness Indistinguishable and Witness Hiding
Protocols”. In: Proceedings of the Twenty-second Annual ACM Symposium on
Theory of Computing - STOC ’90. Baltimore, Maryland, USA: ACM, 1990,
pp. 416–426 (cit. on p. 99).
[Gal05] D. Galindo. “Boneh-Franklin Identity Based Encryption Revisited”. In: Au-
tomata, Languages and Programming, 32nd International Colloquium, ICALP
2005. Ed. by L. Caires, G. F. Italiano, L. Monteiro, C. Palamidessi, and M.
Yung. Vol. 3580. LNCS. Springer, 2005, pp. 791–802 (cit. on p. 156).
[GK03] S. Goldwasser and Y. T. Kalai. “On the (In)security of the Fiat-Shamir
Paradigm”. In: 44th Symposium on Foundations of Computer Science - FOCS
2003. IEEE Computer Society, 2003, pp. 102–113 (cit. on p. 169).
[GKZ14] R. Granger, T. Kleinjung, and J. Zumbrägel. “Breaking ‘128-bit Secure’
Supersingular Binary Curves”. In: Advances in Cryptology – CRYPTO 2014. Ed.
by J. A. Garay and R. Gennaro. Vol. 8617. LNCS. Springer Berlin Heidelberg,
2014, pp. 126–145 (cit. on p. 92).
[GMR88] S. Goldwasser, S. Micali, and R. L. Rivest. “A Digital Signature Scheme
Secure Against Adaptive Chosen-message Attacks”. In: SIAM Journal on
Computing 17.2 (Apr. 1988), pp. 281–308 (cit. on pp. 102, 128).
[GMR89] S. Goldwasser, S. Micali, and C. Rackoff. “The Knowledge Complexity of In-
teractive Proof Systems”. In: SIAM Journal on Computing 18.1 (1989), pp. 186–
208 (cit. on p. 96).
[Gol00] O. Goldreich. Foundations of Cryptography: Basic Tools. New York, NY, USA:
Cambridge University Press, 2000 (cit. on pp. 83, 96).
[Gol04] O. Goldreich. Foundations of Cryptography: Volume 2, Basic Applications. New
York, NY, USA: Cambridge University Press, 2004 (cit. on p. 83).
[GPS08] S. D. Galbraith, K. G. Paterson, and N. P. Smart. “Pairings for cryptogra-
phers”. In: Discrete Applied Mathematics 156.16 (2008), pp. 3113–3121 (cit. on
pp. 93, 141).
[Gro07] J. Groth. “Fully Anonymous Group Signatures Without Random Oracles”.
In: Advances in Cryptology – ASIACRYPT 2007. Ed. by K. Kurosawa. Vol. 4833.
LNCS. Springer Berlin Heidelberg, 2007, pp. 164–180 (cit. on p. 126).
[Gro10] J. Groth. “Short Pairing-Based Non-interactive Zero-Knowledge Argu-
ments”. English. In: Advances in Cryptology - ASIACRYPT 2010. Ed. by M.
Abe. Vol. 6477. LNCS. Springer Berlin Heidelberg, 2010, pp. 321–340 (cit. on
p. 174).
[HJV10] J.-H. Hoepman, B. Jacobs, and P. Vullers. “Privacy and Security Issues in e-
Ticketing – Optimisation of Smart Card-based Attribute-proving”. In: Work-
shop on Foundations of Security and Privacy, FCS-PrivMod 2010. Ed. by V.
Cortier, M. Ryan, and V. Shmatikov. July 2010 (cit. on pp. 112, 114).
[HK14] L. Hanzlik and K. Kluczniak. “A Short Paper on How to Improve U-Prove
Using Self-Blindable Certificates”. In: Financial Cryptography and Data Secu-
rity: 18th International Conference, FC 2014. Ed. by N. Christin and R. Safavi-
Naini. Berlin, Heidelberg: Springer Berlin Heidelberg, 2014, pp. 273–282 (cit.
on pp. xvi, 142–145, 147, 154, 194).
[HLR15] J.-H. Hoepman, W. Lueks, and S. Ringers. “On Linkability and Malleability
in Self-blindable Credentials”. In: Information Security Theory and Practice:
9th IFIP WG 11.2 International Conference, WISTP 2015. Ed. by N. R. Akram
and S. Jajodia. Cham: Springer International Publishing, 2015, pp. 203–218
(cit. on pp. xvi, 111, 149, 194).
[HM13] J. Hajny and L. Malina. “Unlinkable Attribute-Based Credentials with Prac-
tical Revocation on Smart-Cards”. English. In: Smart Card Research and Ad-
vanced Applications. Ed. by S. Mangard. Vol. 7771. LNCS. Springer Berlin
Heidelberg, 2013, pp. 62–76 (cit. on p. 153).
[IBM12] IBM Research Zürich Security Team. Specification of the Identity Mixer Cryp-
tographic Library, version 2.3.0. Tech. rep. IBM Research, Zürich, Feb. 2012.
url: https://tinyurl.com/idemix-spec (cit. on pp. 112, 123, 151, 153).
[JC97] W.-S. Juang and L. Chin-Laung. “A secure and practical electronic voting
scheme for real world environments”. In: IEICE Transactions on Fundamentals
of Electronics, Communications and Computer Sciences 80.1 (1997), pp. 64–71
(cit. on p. 125).
[JLO97] A. Juels, M. Luby, and R. Ostrovsky. “Security of blind digital signatures”.
In: Advances in Cryptology — CRYPTO ’97. Ed. by B. S. Kaliski. Vol. 1294.
LNCS. Berlin, Heidelberg: Springer Berlin Heidelberg, 1997, pp. 150–164
(cit. on p. 140).
[Jou00] A. Joux. “A One Round Protocol for Tripartite Diffie-Hellman”. In: Proceedings
of the 4th International Symposium on Algorithmic Number Theory. ANTS-IV.
London, UK, UK: Springer-Verlag, 2000, pp. 385–394. url:
http://dl.acm.org/citation.cfm?id=648185.749894 (cit. on p. 92).
[Kra05] H. Krawczyk. “HMQV: A High-Performance Secure Diffie-Hellman Proto-
col”. English. In: Advances in Cryptology – CRYPTO 2005. Ed. by V. Shoup.
Vol. 3621. LNCS. Springer Berlin Heidelberg, 2005, pp. 546–566 (cit. on
p. 174).
[KT08] S. Kiyomoto and T. Tanaka. “Anonymous attribute authentication scheme
using self-blindable certificates”. In: IEEE International Conference on Intel-
ligence and Security Informatics, ISI 2008. IEEE, 2008, pp. 215–217 (cit. on
pp. 112, 120, 121).
[Len05] A. K. Lenstra. “Key Lengths”. In: Handbook of Information Security. Ed. by H.
Bidgoli. Wiley, 2005 (cit. on p. 91).
[Lin11] Y. Lindell. Sigma Protocols and Zero-Knowledge. Lecture notes from Winter
School on Secure Computation and Efficiency. 2011. url:
http://u.cs.biu.ac.il/~lindell/winterschool2011/lecture%205.pdf (cit. on p. 100).
[Lue+15] W. Lueks, G. Alpár, J.-H. Hoepman, and P. Vullers. “Fast Revocation of
Attribute-Based Credentials for Both Users and Verifiers”. In: ICT Systems
Security and Privacy Protection: 30th IFIP TC 11 International Conference, SEC
2015. Ed. by H. Federrath and D. Gollmann. Cham: Springer International
Publishing, 2015, pp. 463–478 (cit. on p. 105).
[LV01] A. K. Lenstra and E. R. Verheul. “Selecting Cryptographic Key Sizes”. In: J.
Cryptology 14.4 (2001), pp. 255–293 (cit. on pp. 91, 171).
[Lys+00] A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf. “Pseudonym Systems”.
In: Selected Areas in Cryptography: 6th Annual International Workshop, SAC’99.
Ed. by H. Heys and C. Adams. Berlin, Heidelberg: Springer Berlin Heidel-
berg, 2000, pp. 184–199 (cit. on pp. 152, 154).
[Lys99] A. Lysyanskaya. “Pseudonym Systems”. MSc thesis. Massachusetts Institute
of Technology, 1999. url: https://groups.csail.mit.edu/cis/theses/anna-sm.pdf
(cit. on pp. 152, 154).
[MNT01] A. Miyaji, M. Nakabayashi, and S. Takano. “New explicit conditions of
elliptic curve traces for FR-reduction”. In: IEICE transactions on fundamentals
of electronics, communications and computer sciences 84.5 (2001), pp. 1234–1243
(cit. on p. 93).
[MPR11] H. K. Maji, M. Prabhakaran, and M. Rosulek. “Attribute-Based Signatures”.
In: Topics in Cryptology – CT-RSA 2011. Ed. by A. Kiayias. Vol. 6558. LNCS.
Springer Berlin Heidelberg, 2011, pp. 376–392 (cit. on p. 126).
[Nao03] M. Naor. “On Cryptographic Assumptions and Challenges”. In: Advances
in Cryptology - CRYPTO 2003. Ed. by D. Boneh. Berlin, Heidelberg: Springer
Berlin Heidelberg, 2003, pp. 96–109 (cit. on pp. 153, 154, 174).
[Oka06] T. Okamoto. “Efficient Blind and Partially Blind Signatures Without Random
Oracles”. In: Theory of Cryptography: Third Theory of Cryptography Conference,
TCC 2006. Ed. by S. Halevi and T. Rabin. Vol. 3876. LNCS. Berlin, Heidelberg:
Springer Berlin Heidelberg, 2006, pp. 80–99 (cit. on p. 141).
[Pai99] P. Paillier. “Public-Key Cryptosystems Based on Composite Degree Resid-
uosity Classes”. In: Advances in Cryptology — EUROCRYPT ’99. Ed. by J.
Stern. Vol. 1592. LNCS. Springer Berlin Heidelberg, 1999, pp. 223–238 (cit.
on pp. 129, 130).
[Pap94] C. M. Papadimitriou. Computational complexity. Reading, Massachusetts:
Addison-Wesley, 1994 (cit. on pp. 83, 86).
[Poi98] D. Pointcheval. “Strengthened security for blind signatures”. In: Advances in
Cryptology — EUROCRYPT’98. Ed. by K. Nyberg. Vol. 1403. LNCS. Berlin,
Heidelberg: Springer Berlin Heidelberg, 1998, pp. 391–405 (cit. on p. 141).
[PZ13] C. Paquin and G. Zaverucha. “U-Prove Cryptographic Specification V1.1
(Revision 3)”. Released under the Open Specification Promise. Dec. 2013.
url: http://research.microsoft.com/apps/pubs/default.aspx?id=166969
(cit. on pp. 126, 151, 153).
[RSA78] R. L. Rivest, A. Shamir, and L. Adleman. “A Method for Obtaining Digital
Signatures and Public-key Cryptosystems”. In: Commun. ACM 21.2 (Feb.
1978), pp. 120–126 (cit. on p. 87).
[Sch90] C. Schnorr. “Efficient Identification and Signatures for Smart Cards”. In:
Advances in Cryptology — EUROCRYPT ’89. Ed. by J.-J. Quisquater and J.
Vandewalle. Vol. 434. LNCS. Springer Berlin Heidelberg, 1990, pp. 688–689
(cit. on p. 98).
[Sho97] V. Shoup. “Lower Bounds for Discrete Logarithms and Related Problems”.
In: Advances in Cryptology — EUROCRYPT ’97. Ed. by W. Fumy. Vol. 1233.
LNCS. Springer Berlin Heidelberg, 1997, pp. 256–266 (cit. on pp. 154, 175).
[SV07a] N. P. Smart and F. Vercauteren. “On computable isomorphisms in efficient
asymmetric pairing-based systems”. In: Discrete Applied Mathematics 155.4
(2007), pp. 538–547. url: http://dx.doi.org/10.1016/j.dam.2006.07.004
(cit. on p. 156).
[SV07b] N. Smart and F. Vercauteren. “On computable isomorphisms in efficient
asymmetric pairing-based systems”. In: Discrete Applied Mathematics 155.4
(2007), pp. 538–547 (cit. on pp. 103, 157).
[Tur37] A. M. Turing. “On Computable Numbers, with an Application to the
Entscheidungsproblem”. In: Proc. London Math. Soc. Ser. 2 (42 1937), pp. 230–
265 (cit. on pp. 83, 89).
[VA13] P. Vullers and G. Alpár. “Efficient Selective Disclosure on Smart Cards Using
Idemix”. In: Policies and Research in Identity Management. Ed. by S. Fischer-
Hübner, E. de Leeuw, and C. Mitchell. Vol. 396. IFIP Advances in Infor-
mation and Communication Technology. Springer Berlin Heidelberg, 2013,
pp. 53–67 (cit. on p. 153).
[Ver01] E. R. Verheul. “Self-Blindable Credential Certificates from the Weil Pairing”.
In: Advances in Cryptology - ASIACRYPT. Ed. by C. Boyd. Vol. 2248. LNCS.
Springer, 2001, pp. 533–551 (cit. on pp. 112–114, 144, 147, 148, 151, 152, 158).
[VRH16] E. Verheul, S. Ringers, and J.-H. Hoepman. “The self-blindable U-Prove
scheme from FC’14 is forgeable”. In: Financial Cryptography and Data Security
– FC’16 (2016). In print. url: https://eprint.iacr.org/2015/725 (cit. on
pp. xvi, 143, 194).
[Wac+11] C. Wachsmann, L. Chen, K. Dietrich, H. Löhr, A.-R. Sadeghi, and J. Win-
ter. “Lightweight Anonymous Authentication with TLS and DAA for Em-
bedded Mobile Devices”. In: Information Security: 13th International Confer-
ence, ISC 2010. Ed. by M. Burmester, G. Tsudik, S. Magliveras, and I. Ilić.
Berlin, Heidelberg: Springer Berlin Heidelberg, 2011, pp. 84–98. url:
https://eprint.iacr.org/2011/101.pdf (cit. on pp. 153, 154).
[Wat05] B. Waters. “Efficient Identity-Based Encryption Without Random Oracles”.
In: EUROCRYPT. Vol. 3494. LNCS. Springer, 2005, pp. 114–127 (cit. on p. 141).
[Wei12] E. Weitenberg. “Providing unlinkability of transactions with a single token
in U-Prove”. MSc thesis. University of Groningen, July 2012. url:
http://scripties.fwn.eldoc.ub.rug.nl/scripties/Wiskunde/Masters/2012/Weitenberg.E.R.A./
(cit. on p. 141).
[WS07] J. Wu and D. R. Stinson. “An Efficient Identification Protocol and the
Knowledge-of-Exponent Assumption”. In: IACR Cryptology ePrint Archive
2007 (2007), p. 479. url: https://eprint.iacr.org/2007/479 (cit. on p. 174).
[WS08] J. Wu and D. Stinson. On The Security of The ElGamal Encryption Scheme and
Damgård’s Variant. Cryptology ePrint Archive, Report 2008/200. 2008. url:
https://eprint.iacr.org/2008/200 (cit. on p. 174).
[WY05] V. K. Wei and T. H. Yuen. “More short signatures without random oracles”.
In: IACR Cryptology ePrint Archive 2005 (2005), p. 463. url:
https://eprint.iacr.org/2005/463 (cit. on pp. 153–155).
[YZ10] A. C. Yao and Y. Zhao. “Deniable Internet Key Exchange”. English. In:
Applied Cryptography and Network Security. Ed. by J. Zhou and M. Yung.
Vol. 6123. LNCS. Springer Berlin Heidelberg, 2010, pp. 329–348 (cit. on
p. 174).
[ZSS03] F. Zhang, R. Safavi-Naini, and W. Susilo. “Efficient Verifiably Encrypted
Signature and Partially Blind Signature from Bilinear Pairings”. In: Progress in
Cryptology - INDOCRYPT 2003. Ed. by T. Johansson and S. Maitra. Vol. 2904.
LNCS. Corrected version at https://www.uow.edu.au/~wsusilo/VESPBS.pdf.
Berlin, Heidelberg: Springer Berlin Heidelberg, 2003, pp. 191–204 (cit. on p. 141).
List of notations

Quantization using Jet Space Geometry


πBV π adjoined with its parity-reversed dual, p. 36
U_h̄(g) U(g)[[h̄]] with [ , ] rescaled to h̄[ , ], p. 65
∆ (BV) Laplacian, p. 28
J,K (variational) Schouten bracket, p. 16
Pb adjoint of module P, p. 9
λΣ antisymmetrization of cocycle λ, p. 58
π∞ bundle projection π∞ : J ∞ (π ) → M induced by π, p. 4
dC Cartan differential, p. 6
κ̂(π) covectors on J∞(π), p. 7
|ξ | degree of multivector or field ξ, p. 13
Λ̄k (π ) differential forms, horizontal, of degree k on J ∞ (π ), p. 6
C k Λ(π ) differential forms, vertical, of degree k on J ∞ (π ), p. 6
U (g) enveloping algebra of g, p. 63
δq Euler operator w.r.t. fiber coordinates qα , p. 8
δ Euler operator, p. 7
π even part of the BV superbundle, p. 39
∂^{(q)}_ϕ evolutionary vector field w.r.t. fiber coordinates qα with generator ϕ, p. 6
κ (π ) evolutionary vector fields on J ∞ (π ), p. 6
M( π ) formal products of integral functionals, p. 34
XH Hamiltonian vector field associated with function H, p. 29
dH Hochschild differential, p. 56
H̄^i(π) horizontal i-forms modulo the horizontal differential d, p. 7
d horizontal differential, p. 6
Jπ∞ (ξ ) horizontal jet bundle of ξ over π, p. 8
h([q]) indicates dependence of h on jet coordinates qασ , p. 33
J ∞ (π ) infinite jet bundle induced by the bundle π, p. 4
jx∞ (s) jet of section s ∈ Γ(π ) evaluated at x ∈ M, p. 4
j∞(s) jet of section s ∈ Γ(π), p. 4
−→∂bα,σ left derivative w.r.t. odd fiber coordinate bα,σ, p. 16
Π parity reversion operator of fiber bundles, p. 14
h̄ Planck constant, or: deformation parameter, p. 45
←−∂bα,σ right derivative w.r.t. odd fiber coordinate bα,σ, p. 16
F (π ) ring of smooth functions on J ∞ (π ), p. 4
Tmulti ( M ) shifted space of multivector fields, p. 56
? star product, p. 48
S (g) symmetric algebra of g, p. 64
Di total derivative w.r.t. base coordinate xi , p. 5
Dσ total derivatives w.r.t. multi-index σ, p. 5
C Diff_k(P, P′) total differential operator from P to P′ taking k arguments, p. 10
δ/δqα variational derivative w.r.t. fiber coordinate qα, p. 7

Identity Management using Credential Schemes


negl(`) a function negligible in `, p. 86
AO algorithm A has oracle access to oracle O, p. 86
A( x ) → y algorithm A outputs y on input x, p. 86
B→A algorithm B has black-box access to algorithm A, p. 95
A( x ) ↔ B(y) algorithms A and B interacting on inputs x and y respectively, p. 86
ki attribute i of an attribute-based credential, p. 106
k i,j attribute i of the j-th attribute-based credential, p. 106
e(· , ·) bilinear pairing, p. 91
PK{. . . } Camenisch-Stadler notation for zero-knowledge proofs, p. 101
X ≈_c Y computational indistinguishability of X and Y, p. 94
SigSK function mapping secret keys and blinding factors to signatures, p. 115
PubKey function mapping secrets keys and blinding factors to public keys, p. 114
G group family, p. 86
D index set of disclosed attributes ⊂ {1, . . . , n}, p. 106
C index set of secret attributes ⊂ {1, . . . , n}, p. 106
Zn integers modulo n, i.e., Z/nZ, p. 88
Issue issuing protocol for credential scheme, p. 105
KeyGen key generation algorithm (for signature, credential or encryption schemes),
p. 101
M message space of a signature scheme, p. 101
Z∗n multiplicative subgroup of integers modulo n, p. 88
P prover or user in zero-knowledge proofs or credential schemes, p. 95
` security parameter, p. 86
B set of blinding factors, p. 113
C set of credentials, p. 113
P set of private keys, p. 113
K set of public keys, p. 113
S set of signatures, p. 113
ShowCredential showing protocol for credential scheme, p. 105
SignSK signing algorithm of a signature scheme, p. 101
S simulator for zero-knowledge proofs, p. 96
Verify PK verification algorithm of a signature scheme, p. 101
V verifier in zero-knowledge proofs or credential schemes, p. 95
χ witness extractor for zero-knowledge proofs of knowledge, p. 96
Index

Quantization using Jet Space Geometry

C-spectral sequence, 7
(first) Bernoulli numbers, 47

action, 26, 38
  BV, 26
adjoint
  module, 7, 9
  of total differential operator, 11
antibracket, 11, see also variational Schouten bracket, 25
antifield, 25, 39
antighost, 25, 39

Batalin-Vilkovisky Laplacian, see BV-Laplacian
Bernoulli numbers, 47, 67
BV superbundle, 39
BV-algebra, 28
BV-Laplacian, 25, 39

Cartan connection, 5
Cartan differential, 6
covectors, 7

deformable variational Poisson bivector, 71
deformation, 50
  parameter, 45
  quantization, 45
degree
  of a variational multivector, 13
derivative
  functional, 35
  left, 15
  right, 15
  total, 5
  variational, 7
DGLA, see differential graded Lie algebra
differential graded Lie algebra, 56

Einstein summation convention, 5
electromagnetism, 37
Euler operator, see also variational derivative, 7, 35
Euler-Lagrange equation, 25, 36, 38
evolutionary vector field, 5

field, 25
form
  horizontal, 6
  vertical, 6
functional derivative, 35

gauge invariance, 26
gauge symmetry, 36
gauge transformation (star products), 46, 53
generating section
  of evolutionary vector field, 6
ghost, 25, 39
ghost numbers, 39
Gutt star product, see star product, Gutt

Hamiltonian, 7, 70
  equation, 71
  formalism, 26, 46, 69
  operator, 70
  vector field, 29, 46, 70
Hochschild
  cohomology, 46, 58
  DGLA, 56
  differential, 56
Hochschild-Kostant-Rosenberg theorem, 58
horizontal form, 6
horizontal differential, 6
horizontal jet bundle, 8
horizontally equivalent sections, 8

infinite jet, 4
infinite jet bundle, 4
integral functional, 7, 27, 30, 70

Lagrangian, 7, 38
Laplace equation, 26
Laplacian, 28
left derivative, 15
Leibniz rule, 47

Moyal star product, see star product, Moyal
multivector, 12
  evaluation of, 14
  noncommutative variational, 14
  variational, 12

Noether symmetry, 38
Noether’s second theorem, 38

observables, 26

P-manifold, 29
path integral, 25, 30
Poincaré-Birkhoff-Witt theorem, 63
point particle, 26, 69
Poisson bivector, 70
Poisson sigma model, 41
Poisson-Lichnerowicz cohomology, 24

quantization, 45
quantum BV-differential, 32
quantum master equation, 26, 31
quantum observable, 31

right derivative, 15

Schouten bracket, 15, 30
  variational, 16
secondary calculus, 26, 69, 71
skew-adjoint operator, 13
SP-manifold, 30
star product, 46–48
  Gutt, 67
  Kontsevich, 47, 52, 61–68, 72
  Moyal, 50, 53, 72
supermanifold, 26
symplectic, see P-manifold
symmetric algebra, 47, 64

total derivatives, 5
total differential operator, 10, 12

variational, 27
  derivative, 7
  multivector, 12
  Schouten bracket, 16, 25, 36
  vector, see evolutionary vector field
vertical form, 6

Yang-Mills theory, see also electromagnetism, 41
Identity Management using Credential Schemes

Σ-protocol, 98, 130, 133, 140

adversary, 102
algorithm, see Turing machine
attributes, 104

BDL assumption, 156, 175
bilinear pairing, 91
black-box access, 95
blindness, 127, 134
BLS signatures, 103, 156
Boneh–Boyen signatures, 119, 126, 130, 136, 156

common information, 126
computationally indistinguishable, 94, 96
credential scheme, 103
  attribute-based, 104, 112, 139, 159
  boolean, 104, 112
  self-blindable, 112, 113, 144
  unlinkable, see unlinkability

DL-representation, 89, 148, 157, 165, 176

extractable, 162
extractor, 95, 100, 133

Fiat-Shamir heuristic, 140, 152, 169
finite field, 88
formal language, 95, 162

generic group model, 131, 154, 174

hash function, 103, 169
honest-but-curious, 97

Idemix, 87, 150, 151, 153, 159
impersonation attack, 104
instance generator, 87
interactive algorithm, 85
IRMA project, 152

KEA assumption, see also XKEA assumption, 173

length, 85
linear, 117
LRSW assumption, 154
LRSW-instance, 148, see also LRSW assumption, 154, 176

malleability, 104, 112, 116
message space, 101

negligible function, 86
next-message function, 95

Paillier encryption, 129
private key, see secret key
probability ensemble, 94
prover (zero-knowledge proofs), 94
public key, 101, 104

quadratic residue, 87

random oracle model, 103, 126, 139, 169
relation for a formal language, 95, 162
replay attack, 104
revocation, 105

secret key, 101, 104
security game, 102
security parameter, 86
self-blindability, 112, 144, 152, 158
signature scheme, 101, 125, 157
  blind, 125, 134
  nondeterministic, 102
  partially blind, 125, 126, 131
signer, 101
simulator, 94, 99, 133
standard model, 103, 126, 169

time complexity function, 85
transition function, 84
Turing machine, 83
  deterministic, 85
  interactive, 85
  polynomial-time, 85
  probabilistic, 85

U-Prove, 88, 126, 139, 151, 153
unforgeability
  blind signature schemes, 127, 136
  credential schemes, 107, 144, 152, 163, 176
  signature schemes, 101, 128, 159, 166
unlinkability, 106, 107, 112, 115, 152, 167
  issuer, 108, 140, 152
  multi-show, 107, 112, 143, 152

verifier
  credential schemes, 95
  signature schemes, 101
  zero-knowledge proofs, 94

whLRSW assumption, see also LRSW assumption, 155, 163, 173
witness for membership, 95

XKEA assumption, 148, 156, 173

zero-knowledge proof, 94, 140
  black box, 96, 99, 152, 162, 166
  of knowledge, 95, 99, 130, 133, 140, 152, 162, 166