Another active body of work in privacy-preserving signatures focuses on developing methods for realizing signers’ accountability. Let us name that desirable
feature accountable privacy. Among the earliest and most well-known accountably
private systems are group signatures [13], in which a designated authority can
trace the signer of any valid signature. Subsequent works have refined the tracing
function in various directions: “who can trace” [31,52], “whether to trace” [54,32],
“when to trace” [11,22], and more recently, “what can be traced” [39,48]. Nevertheless, all these systems share a common characteristic: the signer has no control
over which private information can be learned by others (either the public or
the tracing authorities) after outputting signatures.
Motivations. This work aims to address the limitations of the advanced signature primitives mentioned above. Let us start with several motivating examples.
Consider a conference that implements a double-blind reviewing process and
that allows authors to declare Conflicts of Interest (CoI) with reviewers according to some certified policies. For instance, the IACR has different policies to
determine CoI 3
, that can be used for IACR conferences. While such a CoI declaration system seems to work well over the years, there has not been implemented
any privacy-preserving mechanism:
(i) For preventing false declarations by dishonest authors (who could attempt
to avoid having their papers reviewed by some non-conflicting reviewers);
(ii) For the author to provide more information on a declared CoI, should the
need arise at a later point while retaining the author’s privacy
