1 Introduction

Ring signatures, introduced in [37], are pseudonymous signatures that are issued in the name of a “ring” of users, and created by one of them without the participation of the others, in a way that preserves the instigator’s anonymity. The canonical application is for an individual “to leak a secret” non-repudiably on behalf of a crowd. Technically, ring signatures can be viewed as a witness-indistinguishable disjunction of regular signatures, but because of this, only people who have previously published a verification key are eligible to be conscripted into such a crowd. Ring signatures can thus only ever implicate individuals who, by the very act of publishing their key, are acquiescing to belonging in a ring scheme.

Mesh signatures generalize this notion from a mere disjunction to an arbitrarily complex monotone access structure, i.e., a logic formula with nested gates such as “And” (\(\wedge \)), “Or” (\(\vee \)), and “Threshold” (\(\ge _t\)), but without negation. The inputs to the formula are atomic statements of the form “User X says Y” to which we can assign the truth value “True” (\(\top \)) or “False” (\(\bot \)). We represent a monotone access structure formula as a tree, denoted \(\Upsilon \), where each leaf corresponds to one input atomic statement, each interior node including the root corresponds to one gate, and each node’s output link indicates the truth value of the subformula corresponding to the subtree that it defines (hence, the root node’s output link corresponds to the value of \(\Upsilon \)). Such an access structure can be satisfied using different combinations of input values, which is to say, different truth-value assignments to the input statements. The mesh signature asserts that the entire tree evaluates to \(\top \), without revealing anything else about the truth values of its inputs.

To create a mesh signature corresponding to a particular formula, one only needs a “satisfying set” of atomic signatures: Namely, a set of signatures on atomic statements that together suffice to satisfy the formula. Once created, a mesh signature does not reveal the particular set of atomic signatures that was used to create it. Furthermore, atomic signatures can be generated independently of each other and without regard to the formula(s) in which they are (or are not) intended to appear. In particular, atomic signatures need not be fresh: They can be reused indefinitely many times without the participation of the original signer—e.g., in a PKI, that would be the difference between merely having a signed certificate and having oracle access to a CA (certification authority).

The central result of this paper is thus a (constructive) proof of the following informal theorem: Suppose that a monotone formula \(\Upsilon \) can be satisfied merely by setting to true all the input wires corresponding to atomic statements known to be true (because for each, we have an atomic signature saying so). Then, this set of atomic signatures can be efficiently transformed into a “mesh signature,” of size and complexity linear in the length of \(\Upsilon \), that signs \(\Upsilon \) without leaking any information about its genesis. (Technically, we also require that all the clauses of the formula take distinct signers, meaning that no two atomic statements referencing the same verification key can appear among the inputs. We can mitigate this technicality by defining for each user a virtual signature key pair, consisting of a number of distinct but equivalent real key pairs. Signers would sign using all their keys, and a signature is accepted if it verifies under any one of the keys.)

1.1 Toy Examples

We give two simple examples showing that the added expressiveness of mesh signatures is useful in the context of ring signatures proper—whose purpose, we recall, is to sign a message under cover of anonymity of a larger crowd without seeking its consent [37].

As a first illustration, we show a way to satisfy this lofty goal even if the members of the crowd are deliberately avoiding “conscription” by not publishing their keys. With traditional ring signatures, only users whose public keys are on the record can be made part of a signing ring. With mesh signatures, we sidestep that restriction, with the simple device of faking both the missing keys and their entire certificate chains, all the way up to known certification authorities, as needed. The technique will be more apparent on a concrete example.

Example 1

(Conscription of unwilling and unwitting ring members)

$$\begin{aligned} \begin{aligned} \sigma = { \left[ {{ \textit{VK}_\textit{Alice}}\!:{ \textit{Msg}_1}}\right] \,\text {or}\, \left( { \left[ {{ \textit{VK}_\textit{CertAuth}}\!:{ \left( { ``\textit{Bob},'' \textit{VK}_\textit{Bob}}\right) }}\right] \,\text {and}\, \left[ {{ \textit{VK}_\textit{Bob}}\!:{ \textit{Msg}_2}}\right] }\right) }. \end{aligned} \end{aligned}$$

Here, Alice is able to create \(\sigma \) using only the private key corresponding to \(\textit{VK}_\textsf {Alice}\), because the whole formula can be satisfied merely by satisfying the left-hand disjunct. In creating the right-hand disjunct, she will want to reference an actual CA public key to serve as a verifiable “anchor,” but for Bob, she can make up a fake public key if she does not know his real one: The conjunction in \(\sigma \)’s right-hand disjunct attributes a certified public key to Bob and then uses it to authenticate Bob’s endorsement of \(\textit{Msg}_2\). We see that Alice has convincingly conscripted Bob in a ring-like signature, not only without needing Bob’s signature but even without Bob having ever had a private signing key to begin with.

Conversely, Bob could have created \(\sigma \) himself, by satisfying the right-hand disjunct by providing two atomic signatures, namely CertAuth’s signature on \(\textit{VK}_\textit{Bob}\) and Bob’s signature on \(\textit{Msg}_2\). Either way, our construction of \(\sigma \) ensures that it has the exact same distribution in either case, making it impossible for a third party to determine which one of Alice or Bob created it.

As a second illustration, we show how to facilitate the creation of anonymously signed messages with increased authority, e.g., for whistle-blowing purposes, by allowing endorsements that carry the weight of multiple signers.

Example 2

(Simple multiparty threshold ring signatures)

$$\begin{aligned} \begin{aligned}\sigma&= \,\text {2-out-of-3 in}\, \left\{ \left[ {{ \textit{CEO}}\!:{ \textit{secret-memo}}}\right] ,\, \left[ {{ \textit{CFO}}\!:{ \textit{secret-memo}}}\right] ,\right. \\&\quad \left. \left[ {{ \textit{COO}}\!:{ \textit{secret-memo}}}\right] \right\} . \end{aligned} \end{aligned}$$

The unconditional anonymity of mesh signatures guarantees that, as long as the whole signature \(\sigma \) is valid, there is no way to tell which two of the possible three atomic signatures were used to construct \(\sigma \), thereby protecting the identity of the leakers.

Naturally, threshold gates like this can be fed entire certificate chains as in the previous example, allowing “keyless users” to be conscripted into this kind of multiparty ring signatures.

In general, the added expressiveness of mesh signatures over ring signatures will have useful benefits, even if we restrict ourselves to the typical applications of the latter. For instance, the crucial ability, demonstrated in Example 1, of mesh-based ring signatures to conscript anyone, even users with keys of record, provides two desirable consequences:

  1.

    For the whistle-blower, archetypal user of ring signatures, mesh signatures remove perhaps the biggest obstacle to their practical use, which is that in the real world, people will generally have neither a key of record nor the desire to acquire one—especially if doing so puts them at risk of being suspected of subversive activities.

  2.

    For the average citizen, the mere theoretic practicality of mesh signatures paradoxically removes the reason stated above for refusing to embrace cryptography for mundane purposes (such as routine message signing, which requires publishing a key). Indeed, since with mesh signatures anyone is susceptible to being conscripted into a ring signature without either knowledge or consent, it no longer helps to shun cryptography as a personal choice to skirt such a possibility.

To make the use of certificate chains truly believable, it is important that mesh signatures be “modular,” or constructible non-interactively from constituent atomic signatures reusable indefinitely. Indeed, if one plans to use an actual key certificate as part of a bigger signature (as Bob did in Example 1 above), one should be able (though not required) to reuse that same certificate more than once.

It is also important that the atomic signatures have nothing special about them specifically for mesh purposes, and furthermore be of compelling use sui generis, regardless of ring or mesh applications.

Anticipating the subsequent sections, we note that our scheme satisfies both requirements. Specifically, atomic signatures are ordinary Boneh–Boyen “short signatures” [5] set in a common reference bilinear group (chosen at random, without secret or trapdoor, permanent or ephemeral). Naturally, each signer generates his or her own keys independently within that common group.

1.2 Related Work

The original ring signature primitive was defined in [37], to enable secret leaking that is at once authenticated (by a crowd) and anonymous (within the crowd). While that construction [37] was set in the ideal cipher model, a number of alternatives have subsequently been proposed, based on bilinear pairings [8], discrete logarithms [31], factoring (Strong RSA specifically) [24], or hybrids [1]; all these constructions are set in the random oracle model. Most have linear size in the ring membership count, except [24] which squeezes it all in constant size using accumulators in the random oracle model, and [15] which first managed to drop below the linear size in the standard model.

A number of existing protocols bear similarities with our new primitive. Perhaps the first such scheme is an anonymous authentication protocol of [23] that supports access structures and can be turned into a signature using the Fiat–Shamir heuristic. Another is an interactive anonymous authentication protocol, called deniable ring authentication [36], that combines the anonymity of ring signatures with the non-transferability of deniable authentication [26] and supports threshold and access structures. Among specific constructions in the random oracle model, we note the distributed ring signatures of [32] which let coalitions of users cooperate in an interactive signing protocol, and the hierarchical identity-based ring signatures of [42], which add signer ambiguity to the notion of hierarchical identity-based signature. Limited forms of identity-based ring signatures have also been studied in [3] and analyzed in [27].

In the category of ring signatures with expanded capabilities, we mention the threshold ring signatures of [12], the threshold identity-based signatures of [19], and the 1-out-of-n identity-based ring signature of [22]; the latter could be said to provide a mesh-like expressivity comparable to that of an n-ary disjunction of binary conjunctions. In general, identity-based ring signatures, by not requiring users to set up their key pairs in advance, do provide a flavor of forcible enrollment much closer to that of mesh signatures than that of (non-identity-based) ring signatures, as discussed in [20]. The main difference is that, in an identity-based ring scheme, all keys and certificates must emanate from the same central authority, which may stretch the limits of plausibility depending on the application. Additionally, we mention that mesh signatures could in principle be realized using signatures of knowledge [16], which allow the knowledge of a witness to an NP statement to serve as a signing key, in the common random string model.

Another related notion that has received much attention is that of group signatures, originally introduced in [17], which also provides for the anonymous creation of signatures on behalf of a crowd. The main difference is that group signatures require the anonymity to be revocable by a group manager, who also controls enrollment into the group. Group membership is often immutable although this restriction has been relaxed in [13]. There exist efficient constant-size group signature schemes, with random oracles [7], from interactive assumptions [2], and in the standard model [11]. See also [29] for a construction of theoretic interest with a strong proof of security.

Efficient ring signature constructions without random oracles have also been proposed recently, such as [4, 21], and [38]. The construction of [21] uses bilinear groups and is efficient, but relies on a curious hardness assumption for which no justification is offered. The results of [4] include a scheme of theoretic interest from non-interactive Zaps [25], but also two efficient constructions (based on [14] or [41] signatures) for rings of size two, and a discussion of security models for ring signatures. Last but not least, [15] manages to combine square root size and full anonymity in a basic ring signature construction.

Probably, the most closely related to the present work is the ring signature scheme of [38] which can efficiently create linear-size ring signatures in the “trusted parameters” model; unforgeability is based on computational Diffie–Hellman and anonymity on the decisional subgroup [9] assumption. Because of the latter, the scheme requires a bilinear map in a group of composite order with a hidden factorization; such a group is set up explicitly by a central authority, which afterward must erase the factorization to ensure anonymity. It is possible to tweak their scheme, using ideas from [30], to base anonymity on the decisional linear [7] assumption, which would no longer require secret-coin trusted parameters (TP) but only a public-coin common random string (CRS), as in our scheme; however, anonymity would still remain computational. The main advantage of [38] over our ring scheme is that unforgeability rests on a weaker assumption.

2 Definitions and Security Models

Intuitively, a mesh signature is a non-interactive witness-indistinguishable proof that some monotone boolean expression \(\Upsilon \) is true, where each input of \(\Upsilon \) is notionally labeled with a key and message pair and is true only if the mesh signer is in possession of a valid atomic signature on the stated message under the stated key.

A mesh signature scheme should satisfy two security properties. First, it should be anonymous (ideally, unconditionally so), i.e., it should not reveal what assignment to the inputs of \(\Upsilon \) caused it to be satisfied. Second, it should be unforgeable, i.e., the creation of a valid mesh signature must be predicated on the possession of a set of valid atomic signatures sufficient to satisfy \(\Upsilon \).

2.1 Recursive Mesh Signature Specification

We use \(\ell \) to denote the number of atomic clauses allowed in any given formula (in a ring signature, this would be equal to the maximum number of users in any given ring). Let \(\Upsilon \) be the expression generated by the following grammar, with propositional-logic semantics, under the restriction that, for each \(i = 1, \ldots , \ell \), the production \(\textsc {expr} {::}= L_i\) corresponding to the symbol \(L_i\) be used at most once (in other words, no \(L_i\) may appear more than once in the written expression of \(\Upsilon \)):

figure a (the grammar generating \(\Upsilon \); not reproduced here)

Equivalently, we call \(\Upsilon \) an “arborescent monotone threshold circuit” with \(\ell \) Boolean inputs \(L_1, \ldots , L_\ell \) and one Boolean output denoted \(\Upsilon ({ L_1, \ldots , L_\ell })\). It is apparent by induction that \(\Upsilon \) is always a non-trivial monotone function of its inputs and, in particular, \(\Upsilon ({ \bot , \ldots , \bot }) = \bot \) and \(\Upsilon ({ \top , \ldots , \top }) = \top \).

We use expressions of this form to state the meaning of mesh signatures. The signer specifies the circuit \(\Upsilon \) and assigns to each symbol \(L_j\) an atomic proposition \(\left[ {{ \textit{VK}}\!:{ \textit{Msg}}}\right] \) to convey the meaning: “This is \(\textit{Msg}\) signed under \(\textit{VK}\).” The mesh signature then simply expresses that \(\Upsilon ({ L_1, \ldots , L_\ell }) = \top \) holds for the stated interpretation of the \(L_i\) (without revealing their individual truth values). For the example in the introduction, \(\Upsilon = L_1 \vee ({ L_2 \wedge L_3})\) where \(L_1\) denotes \(\left[ {{ \textit{VK}_\textit{Alice}}\!:{ \textit{Msg}_1}}\right] \), etc.

Multiplicity of Keys. As mentioned, we require that no public key appears more than once in the clauses of \(\Upsilon \), i.e., for any two distinct \(L_i = \left[ {{ \textit{VK}_i}\!:{ \textit{Msg}_i}}\right] \) and \(L_j = \left[ {{ \textit{VK}_j}\!:{ \textit{Msg}_j}}\right] \) appearing in \(\Upsilon \), we have \(\textit{VK}_i \ne \textit{VK}_j\).

To mitigate this technicality, we expressly allow users to own multiple keys, which means that expressions \(\Upsilon \) with multiple clauses involving the same signer can be constructed. This is perhaps primarily intended for certificate authorities, which could be asked to sign the same certificate under several published keys, any of which is deemed sufficient for verification.

2.2 Anonymity Model

Since the motivating application of ring and mesh schemes is to leak secrets, it is crucial that anonymity be unconditional and everlasting, subsequently to the exposure of all secrets, for the long-term peace of mind of the signer. We thus insist on perfect (i.e., information-theoretic) anonymity, even upon prior disclosure of the signer’s and every user’s secret keys. Moreover, since a ring or mesh signature will normally refer to third-party keys (e.g., published keys from users conscripted into the ring), it is important that information-theoretic anonymity shall apply, even against an adversary who chooses third-party keys and knows the corresponding secret keys.

The strongest notion of anonymity defined in [4], “anonymity against full key exposure,” in the context of ring signatures, requires that the signer remain anonymous following full exposure of all the private keys, after their use. It is, however, insufficient for our requirements because it does not allow the keys to be chosen by the adversary and provides anonymity when the private keys are only revealed a posteriori.

We remedy this situation by proposing the following, very simple but very strong definitions of anonymity. The first definition captures all that a user could normally wish for. The second definition is even stronger and captures what we can actually achieve.

Definition 3

(Unconditional signer anonymity) Formally, we say that a ring (resp., mesh) signature scheme is unconditionally anonymous if the identity of the signer (resp., the signing coalition) is, conditionally on the signature formula and all the public keys and messages referenced in its clauses, statistically independent of the corresponding private keys and the common reference string.

Definition 4

(Ultimate signer anonymity) As an extreme strengthening of the anonymity definition, we say that a ring (resp., mesh) signature scheme is ultimately anonymous if, conditionally on the signature formula and the information (i.e., public keys and messages) contained therein, the identity of the signer (resp., signing coalition) is statistically independent of all information instantiated in the scheme (i.e., public or secret, permanent or ephemeral).

The latter version is very strong. It also paradoxically entails that the signers’ identities be (conditionally) independent of the very random coins used to make the signature—but how could that be, as the coins do not merely leak but even “prove” who the signers are? The resolution is the information-theoretic nature of the definition. For each possible way to arrive at the observed signature, there exists a corresponding set of random coins “proving” it, either in reality or counterfactually, that one could in principle divine—even though of course it may be computationally intractable to do so.

Another paradox, more germane to practical concerns, is that the strong information-theoretic definitions above only provide unassailable anonymity in the asymptotically long term and within the confines of the model. For example, leaked coins will always be deemed prima facie evidence of the true signers if it is indeed intractable to find coins providing a counterfactual explanation. More generally, side-channel evidence should be expected to remain convincing until such time as it is no longer unreasonable to consider that it might have been faked. These concerns, though important in practice, are out of scope of our discussion.

Anonymity, Unlinkability, and Randomization. A mesh signature \(\sigma \) is most generally constructed from a set of atomic signatures \(\sigma _i\) for the selected clauses \(\left[ {{ \textit{VK}_i}\!:{ \textit{Msg}_i}}\right] \) assigned the truth value \(\top \). As we will see, mesh signatures are not unique, in part because of the “extrinsic” randomization due to the mesh signing process, but also because the atomic signatures themselves bring to the table their own “intrinsic” randomization (which will have to be faked for all clauses set to \(\bot \)). Therefore, it is a legitimate concern to wonder how the intrinsic randomization associated with the atomic signatures interacts with the requirements of unconditional anonymity.

To fix ideas, suppose that a mesh signature \(\sigma \) contains a (valid or invalid) atomic signature on a clause \(\left[ {{ \textit{VK}_1}\!:{ \textit{Msg}_1}}\right] \) with intrinsic randomization \(t_1\). Later, someone exposes an atomic signature \(\sigma _1\) on the same clause and with the same randomization \(t_1\). Is this evidence that \(\sigma _1\) was used to construct \(\sigma \), thereby putting the anonymity of the mesh signer in jeopardy? The answer is ‘no,’ as long as the owner of \(\textit{VK}_1\) could have created \(\sigma _1\) after seeing \(t_1\). Conversely, if \(\sigma \) had been revealed subsequently to \(\sigma _1\), one could not infer that \(\sigma _1\) was used in the creation of \(\sigma \), as long as \(\sigma \) could plausibly have been created ex post facto to match the exposed randomization.

In general, if the intrinsic randomization of the atomic signature can be chosen freely and is conveyed in the clear, then matching randomization merely implies awareness and not linkability, i.e., it shows that the second signature was created with knowledge of the (randomization of the) first, but not that the two were actually created from each other, or by the same signer.

2.3 Unforgeability Model

The strongest notion of unforgeability defined in [4], “unforgeability with respect to insider corruption,” for ring signatures, gives the adversary the ability to corrupt users dynamically and include its own public keys when making ring signature queries. Since the point of mesh signatures is to implicate uncooperative users, it is judicious to allow them to choose their keys maliciously.

However, as a compromise for unconditional anonymity, we relax the fully dynamic corruption model into an enhanced static one, in which the honest users are static and created ahead of time by a challenger, and the corrupted users are under the full control of an adversary who can bring them to life dynamically. We also need to specify what constitutes a valid forgery. For ring signatures, a forgery is any signature by a ring without adversarially controlled users. For mesh signatures, however, this would be overly restrictive, since it would exclude such forgeries as,

$$\begin{aligned} \begin{aligned} \Upsilon = { ({ \left[ {{ U_1}\!:{ m_1}}\right] \wedge \left[ {{ U_3}\!:{ m_3}}\right] }) \vee ({ \left[ {{ U_2}\!:{ m_2}}\right] \wedge \left[ {{ U_4}\!:{ m_4}}\right] })}, \end{aligned} \end{aligned}$$

where \(U_1\) and \(U_2\) are honest users and \(U_3\) and \(U_4\) are corrupted. Since \(\Upsilon \) nominally entails \(\Upsilon ' = \left[ {{ U_1}\!:{ m_1}}\right] \vee \left[ {{ U_2}\!:{ m_2}}\right] \), a forger who signs \(\Upsilon \) lacking the imprimatur of both \(U_1\) and \(U_2\) should be deemed successful. The same reasoning would continue to apply if the forger legitimately obtained an atomic signature on \(\left[ {{ U_3}\!:{ m_3}}\right] \) even though \(U_3\) were honest. We capture these circumstances by deeming admissible any forgery on a statement \(\Upsilon \) if there exists a well-formed (and thus non-trivial) formula \(\Upsilon '\) that contains no clause under the forger’s control and such that \(\Upsilon \Rightarrow \Upsilon '\).

To see where this comes from, for all corrupted users and all issued atomic signatures, let us set the corresponding literal \(L_i \leftarrow \top \), which is the most that the adversary can do in legitimacy. If \(\Upsilon \) then evaluates to \(\top \), the forgery is inadmissible; otherwise, \(\Upsilon \) will reduce to some well-formed formula \(\Upsilon '\) that contains non-adversarial clauses exclusively. Hence, the existence of \(\Upsilon '\) simply demands that \(\Upsilon \) be unsatisfiable by the volition of the adversarial users alone. We distill all of this into the following existential unforgeability game and define the adversary’s advantage as the probability of outputting an admissible valid forgery.
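The tree representation of Sect. 2.1 and the admissibility test just described, as an added worked example (not code from the paper): clauses \([\textit{VK}:\textit{Msg}]\) are leaves, every gate is a threshold gate (\(t=1\) is Or, \(t=\) arity is And), and a forgery is admissible exactly when forcing every adversarial or queried clause to \(\top\) leaves a residual formula \(\Upsilon '\) instead of satisfying \(\Upsilon \). The sample users, keys and messages are constructed.

```python
from dataclasses import dataclass
from typing import Tuple, Union, Set


@dataclass(frozen=True)
class Clause:
    """Leaf L_i = [VK : Msg], meaning 'Msg signed under VK'."""
    vk: str
    msg: str


@dataclass(frozen=True)
class Gate:
    """Interior node: at least t of its children must be true.
    t == 1 is an Or gate, t == len(children) is an And gate."""
    t: int
    children: Tuple["Node", ...]


Node = Union[Clause, Gate]


def Or(*cs: Node) -> Gate:
    return Gate(1, tuple(cs))


def And(*cs: Node) -> Gate:
    return Gate(len(cs), tuple(cs))


def Thr(t: int, *cs: Node) -> Gate:
    return Gate(t, tuple(cs))


def clauses(node: Node) -> Tuple[Clause, ...]:
    """Leaves of the tree, left to right."""
    if isinstance(node, Clause):
        return (node,)
    return tuple(c for ch in node.children for c in clauses(ch))


def well_formed(node: Node) -> bool:
    """Every gate has 1 <= t <= arity (arity >= 1), and, per the multiplicity
    restriction of Sect. 2.1, no verification key appears in two clauses."""
    def gates_ok(n: Node) -> bool:
        if isinstance(n, Clause):
            return True
        return (len(n.children) >= 1 and 1 <= n.t <= len(n.children)
                and all(gates_ok(ch) for ch in n.children))
    vks = [c.vk for c in clauses(node)]
    return gates_ok(node) and len(vks) == len(set(vks))


def evaluate(node: Node, true_clauses: Set[Clause]) -> bool:
    """Propositional value of Upsilon under a truth assignment to its leaves."""
    if isinstance(node, Clause):
        return node in true_clauses
    return sum(evaluate(ch, true_clauses) for ch in node.children) >= node.t


def reduce_formula(node: Node, forced_true: Set[Clause]) -> Union[Node, bool]:
    """Set every clause in forced_true to top and simplify.  Returns True when
    the tree is thereby satisfied, otherwise the residual formula Upsilon'
    over the remaining clauses (Upsilon implies Upsilon' by monotonicity)."""
    if isinstance(node, Clause):
        return True if node in forced_true else node
    satisfied, rest = 0, []
    for ch in node.children:
        r = reduce_formula(ch, forced_true)
        if r is True:
            satisfied += 1
        else:
            rest.append(r)
    need = node.t - satisfied          # children still required
    if need <= 0:
        return True
    if need == 1 and len(rest) == 1:   # collapse a one-child gate
        return rest[0]
    return Gate(need, tuple(rest))     # well formed: need <= len(rest)


def admissible_forgery(upsilon: Node, adversarial_keys: Set[str],
                       atomic_queries: Set[Clause], mesh_queries: Set[Node]) -> bool:
    """Definition 5: admissible iff Upsilon is well formed, differs from every
    queried Upsilon_j, and does not evaluate to top once every clause under
    an adversarial key or answered by an atomic query is set to top."""
    if not well_formed(upsilon) or upsilon in mesh_queries:
        return False
    forced = {c for c in clauses(upsilon)
              if c.vk in adversarial_keys or c in atomic_queries}
    return reduce_formula(upsilon, forced) is not True


# Constructed sample: the formula from the text, U3 and U4 adversarial.
U1, U2, U3, U4 = (Clause(f"U{i}", f"m{i}") for i in range(1, 5))
UPSILON = Or(And(U1, U3), And(U2, U4))

if __name__ == "__main__":
    print(reduce_formula(UPSILON, {U3, U4}))        # residual Or(U1, U2)
    print(admissible_forgery(UPSILON, {"U3", "U4"}, set(), set()))  # True
```

If the adversary had also obtained an atomic signature on \([U_1:m_1]\), the left conjunct would be fully forced and the same forgery becomes inadmissible.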

Definition 5

(Existential unforgeability) We define the existential mesh signature unforgeability game as the following interaction between a challenger and an adversary.

  • Challenger setup: The challenger designates a number \(\ell \) of public keys, corresponding to the honest target users under the challenger’s control.

  • Interaction: The following occurs interactively, in any order, driven by the adversary.

    • Adversary setup: The adversary reveals polynomially many public keys, one at a time, corresponding to the users under the adversary’s control.

    • Mesh signature queries: The adversary makes up to q mesh signature queries on well-formed specifications \(\Upsilon _j\) that involve zero or more adversarial users and at least one honest user (the latter condition being imposed to avoid queries that the adversary could trivially answer completely by itself).

    • Atomic signature queries: The adversary also makes up to q atomic signature queries on clauses \(\left[ {{ \textit{VK}_i}\!:{ \textit{Msg}_j}}\right] \) for every honest user. The challenger accepts or responds to each request before accepting the next one. The q mesh queries and the \(q \, \ell \) atomic queries may be interleaved arbitrarily.

  • Signature forgery: the adversary produces a forged signature whose specification \(\Upsilon \) satisfies \({ \forall j}, { \Upsilon \!\ne \! \Upsilon _j}\) and implies a well-formed formula \(\Upsilon '\) on the honest users, i.e., \({ \Upsilon ({ L_1, \ldots , L_\ell , \ldots }) \!\Rightarrow \! \Upsilon '({ L_1, \ldots , L_\ell })}\), obtained by setting to “true” (\(\top \)) every literal \(L_i\) whose clause \(\left[ {{ \textit{VK}_i}\!:{ \textit{Msg}_i}}\right] \) involves an adversarial key or matches an atomic query.

The adversary’s advantage at mesh unforgeability is the probability that it wins the foregoing game (for a random choice of common reference string, chosen during or prior to the challenger setup, if applicable).

In the adversary setup, one must recognize that the adversary might try to claim some of the challenger’s keys as its own (perhaps re-randomized to make it less obvious). Since the same is possible in the real world, and is readily detectable by the challenger, we take no step to forbid it, other than to require that all specifications be well formed.

Mesh Unforgeability vs. Ring Unforgeability. The mesh security model allows the forger to make arbitrary atomic signature queries on behalf of the honest users: This is because mesh signatures must be constructible from any satisfying set of atomic signatures (such as PKI certificates) without requiring the private keys.

For ring signatures, atomic signature queries are superfluous, and we can obtain a tighter proof of security without them, mainly because we reduce the number of queries from \(({ \ell + 1}) \, q\) to just q. Hence, we define existential unforgeability for ring signatures as for mesh signatures, but without atomic signature queries (also, regular signatures can always be emulated using rings of size one). We refer to [4] for ring signature unforgeability definitions with various security requirements.

3 Framework and Computational Assumption

We write \(\mathbb {F}_{p}\) for the finite field of prime order p and \(\mathbb {F}_{p}^\times = \mathbb {F}_{p} \setminus \{{ 0}\}\) for its multiplicative group of order \(p - 1\). We call a bilinear context an algorithmically useful description of an efficiently computable and non-degenerate bilinear map \(\mathbf {e}\) between a set of groups \({\mathbb {G}}\) and \(\hat{\mathbb {G}}\) of some prime order p and given by the respective generators g and \(\hat{g}\), into a third group \({\mathbb {G}}_t\) of the same order. Let thus \(\mathbf {G} = ({ p, {\mathbb {G}}, \hat{\mathbb {G}}, {\mathbb {G}}_t, g, \hat{g}, \mathbf {e}})\) be a common bilinear context, where \(\mathbf {e}: {\mathbb {G}} \times \hat{\mathbb {G}} \rightarrow {\mathbb {G}}_t\) is a pairing [35]. We use the “hat-notation” (as in \(\hat{g}\)) to indicate that an element belongs to \(\hat{\mathbb {G}}\) rather than \({\mathbb {G}}\).

3.1 Review of the SDH Assumption

The complexity assumption we shall need is inspired by the Strong Diffie–Hellman assumption proposed in [5], which we now review. The \( q\)-SDH problem in a (bilinear) group \({\mathbb {G}}\) is stated as follows:

  • (Original SDH) Given elements \(g,\, g ^{ \alpha },\, g ^{ \alpha ^{ 2}},\, \ldots ,\, g ^{ \alpha ^{ q}} \in {\mathbb {G}}\), choose \(w \in \mathbb {F}_{p}\) and output \(({ w,\, g ^{ 1 / ({ \alpha + w})}})\).

The SDH assumption then posits that the \( q\)-SDH problem above is intractable for \(q = \mathrm {O}({ \mathrm {poly}({ \kappa })})\). What makes this assumption special is that the problem admits not one but exponentially many “independent” solutions, which are all equally hard to find; hence the modified \( q\)-SDH problem:

  • (Modified SDH) Given \(g,\, g ^{ \alpha } \in {\mathbb {G}}\) and \(q - 1\) pairs \(({ w_j,\, g ^{ 1 / ({ \alpha + w_j})}})\), output another \(({ w,\, g ^{ 1 / ({ \alpha + w})}})\).

It is known from [5] that if the original \( q\)-SDH problem is hard, then so is the modified problem.

Although the SDH problem statement does not require a bilinear group, it is because the bilinear map provides an efficient Decision Diffie–Hellman procedure [33] that the correctness of an SDH solution can be decided openly. Specifically, given g and \(g ^{ \alpha }\), deciding whether \(({ w,\, u}) = ({ w,\, g ^{ 1 / ({ \alpha + w})}})\) amounts to checking the equality \(\mathbf {e}({ u,\, \hat{g}^{ \alpha } \, \hat{g}^{ w}}) = \mathbf {e}({ g,\, \hat{g}})\), which is basically a DDH test that anyone can perform from public information. The short signature scheme of [5] relies on this.

3.2 Poly-SDH: for Better Use of the Pairing

The verifiability of SDH solutions with a simple DDH test suggests that more general assumptions could be made, based on the observation that the pairing is a powerful tool that can be used to decide more complex relations that are not efficiently reducible to DDH. For example, a natural generalization of the SDH problem is that of finding \(\ell \) pairs \(({ w_i,\, u_i = g ^{ r_i / ({ \alpha + w_i})}})\) for \(i = 1, \ldots , \ell \), such that \(\sum _{ i = 1}^{ \ell } r_i = 1 \pmod { p}\). Purported solutions can then be verified using the equation,

$$\begin{aligned} \prod _{ i = 1}^{ \ell } { \mathbf {e}\left( { u_i,\, \hat{g}^{ \alpha } \, \hat{g}^{ w_i}}\right) } = \mathbf {e}\left( { g,\, \hat{g}}\right) . \end{aligned}$$
(1)

Clearly, when \(\ell = 1\), this is identical to the SDH problem. For larger values of \(\ell \), the adversary is allowed to spread the exponent inversion task across multiple pairs, by means of a linear combination.

Unfortunately, for \(\ell > 1\), the problem is in fact trivial, because Eq. (1) admits spurious solutions that do not require the solver to know the secret \(\alpha \) and invert the exponent: For example, for \(\ell = 2\) the solution \({ w_1 = 1,\, u_1 = g,\, w_2 = 0,\, u_2 = g ^{ -1}}\) satisfies the equality regardless of \(\alpha \).

To remedy the preceding problem, we change the solver’s task slightly and ask that the \(\ell \) pairs to be output involve \(\ell \) independent secrets \(\alpha _1, \ldots , \alpha _\ell \) that appear once each, i.e., find,

$$\begin{aligned} \left( { \; w_i , \; u_i = { g ^{ \frac{ r_i}{ \alpha _i + w_i}}} \; }\right) \,{:}\, i = 1, \ldots , \ell , \quad \text {s.t.}\quad \sum _{ i = 1}^{ \ell } { r_i} = 1 \pmod { p}. \end{aligned}$$

To decide whether a solution \(({ ({ w_1,\, u_1}),\, \ldots ,\, ({ w_\ell ,\, u_\ell })})\) to the new problem is correct, one needs, besides the generators g and \(\hat{g}\), the \(\ell \) group elements \(({ \hat{g}_1,\, \ldots ,\, \hat{g}_\ell }) = ({ \hat{g}^{ \alpha _1},\, \ldots ,\, \hat{g}^{ \alpha _\ell }})\). The verification equation is then,

$$\begin{aligned} \prod _{ i = 1}^{ \ell } { \mathbf {e}\left( { u_i,\, { \hat{g}_i} \, { \hat{g}}^{ w_i}}\right) } = \mathbf {e}\left( { g,\, \hat{g}}\right) . \end{aligned}$$
(2)

Notice that (1) is a special case of (2) where \(\alpha _1 = \cdots = \alpha _\ell = \alpha \); however, for the security of the assumption it is important that the \(\alpha _i\) be independently and uniformly distributed. Despite the added variables, Eq. (2) is no more expensive to verify (but necessitates large public parameters).
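The difference between Eq. (1) and Eq. (2) can be checked concretely in a toy “exponent model”, where every element of \({\mathbb {G}}\) is represented by its discrete logarithm to base g and a product of pairings equals \(\mathbf {e}({ g,\, \hat{g}})\) exactly when the exponents sum to 1 modulo p. The following is an added example, not code from the paper: the prime P, the function names and the sample values are constructed here. It shows that the spurious solution of the text passes Eq. (1) for every \(\alpha \), while it fails Eq. (2) once the secrets \(\alpha _i\) are independent, and that an honest solution built from known secrets passes Eq. (2).

```python
# Added example (not the paper's code): the verification equations (1) and (2) checked
# "in the exponent".  Every element of G is represented by its discrete logarithm to
# base g, so for u_i = g^{x_i} the pairing e(u_i, ĝ^alpha ĝ^{w_i}) equals
# e(g, ĝ)^{x_i (alpha + w_i)}, and a product of such pairings equals e(g, ĝ) iff the
# exponents sum to 1 mod p.  This is a toy model for checking the algebra (the model
# knows every secret); it is not a pairing implementation.  P is a constructed toy prime.
P = 1_000_003


def eq1_holds(alpha, pairs):
    """Eq. (1), a single secret alpha: prod_i e(u_i, ĝ^alpha ĝ^{w_i}) == e(g, ĝ).
    pairs = [(w_i, x_i), ...] with u_i = g^{x_i}."""
    return sum(x * (alpha + w) for w, x in pairs) % P == 1


def eq2_holds(alphas, pairs):
    """Eq. (2), independent secrets alpha_i: prod_i e(u_i, ĝ^{alpha_i} ĝ^{w_i}) == e(g, ĝ)."""
    if len(alphas) != len(pairs):
        return False
    return sum(x * (a + w) for a, (w, x) in zip(alphas, pairs)) % P == 1


def honest_solution(alphas, ws, rs):
    """What a solver who knows the alpha_i outputs: u_i = g^{r_i / (alpha_i + w_i)}
    with sum_i r_i = 1 (mod p); returned as [(w_i, x_i), ...]."""
    if sum(rs) % P != 1:
        raise ValueError("the r_i must sum to 1 mod p")
    return [(w, r * pow((a + w) % P, -1, P) % P) for a, w, r in zip(alphas, ws, rs)]


# The spurious solution for ell = 2 given in the text:
# (w_1, u_1) = (1, g) and (w_2, u_2) = (0, g^{-1}), i.e. x_1 = 1 and x_2 = -1.
SPURIOUS = [(1, 1), (0, P - 1)]
```

In the model, `eq1_holds(alpha, SPURIOUS)` is true for any `alpha`, because \(1 \cdot ({ \alpha + 1}) - 1 \cdot ({ \alpha + 0}) = 1\) identically; `eq2_holds((3, 5), SPURIOUS)` is false, since the same combination now yields \(({ 3 + 1}) - ({ 5 + 0}) = -1\).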

Based on the previous observations, the \(( q, \ell )\)-Poly-SDH problem can be informally stated as:

  • (Poly-SDH) Given \(g,\, g ^{ \alpha _1},\, \ldots ,\, g ^{ \alpha _\ell } \in {\mathbb {G}}\) and \(q \, \ell \) pairs \(({ w_{i,j},\, g ^{ 1 / ({ \alpha _i + w_{i,j}})}})\) for \(1 \le i \le \ell \) and \(1 \le j \le q\), choose fresh \(w_1,\, \ldots ,\, w_\ell \in \mathbb {F}_{p}\) (i.e., such that \(w_i \not \in \{{ w_{i,1}, \ldots , w_{i,q}}\}\)) and output \(\ell \) pairs \(({ w_i,\, g ^{ r_i / ({ \alpha _i + w_i})}})\) such that \(\sum _{ i = 1}^{ \ell } { r_i} = 1\).

The \(\alpha _i\) and \(w_{i,j}\) in the instance are drawn from a uniform distribution. The \(w_i\) and \(r_i\) are chosen by the respondent. We require that \({ \forall i}, { \forall j}, { w_i \ne w_{i,j}}\), lest the task be easy. The exponents \(r_i\) need not be revealed, since Eq. (2) can establish that a solution is correct and thus that \(\sum _{ i} { r_i} = 1\), without having to see the \(r_i\).

We have chosen to state the \(( q, \ell )\)-Poly-SDH problem in a form analogous to Modified SDH, rather than Original SDH. There are several justifications for this:

  • the modified form results in a weaker assumption (as Original SDH implies Modified SDH);

  • it has a clear input/output symmetry which simplifies the security reductions;

  • its instances are more concisely stated when more than one iterator is needed (i and j);

  • the modified problem form is impervious to a generic analysis described in [18], which relies on the availability of g, \(g ^{ \alpha }\), and \(g ^{ \alpha ^{ d}}\) for certain d, as in Original SDH instances.

The reason why there are no undesirably easy solutions to the \(( q, \ell )\)-Poly-SDH problem will become apparent as we prove generic hardness in Sect. 3.3. See also “Formal Poly-SDH Definitions” of Appendix for formal definitions.

3.3 Generic Hardness of Poly-SDH

We now take some time to explain why the Poly-SDH assumption based on Eq. (2) is plausible, unlike our first attempt from Eq. (1) that was so easily broken. We give a heuristic argument based on the impossibility of efficient generic attacks. Specifically, we show that finding a solution to the \(( q, \ell )\)-Poly-SDH problem will require, on expectation, \(\Omega ({ \sqrt{ {p}/{q \, \ell }}})\) generic-group operations.

The generic-group model [39] assumes the lack of any structure beyond that of an (Abelian) cyclic group, restricting all manipulations on group elements to the group operation and its inverse (i.e., multiplication and division if the group is written multiplicatively). In the bilinear version of the model [5], one can also compute a pairing \(\mathbf {e} : {\mathbb {G}} \times \hat{\mathbb {G}} \rightarrow {\mathbb {G}}_t\), as well as an isomorphism \(\psi : \hat{\mathbb {G}} \rightarrow {\mathbb {G}}\) (for “type-1” and “type-2” contexts) and its inverse \(\psi ^{-1} : {\mathbb {G}} \rightarrow \hat{\mathbb {G}}\) (for “type-1” only).

Let us assume that \({\mathbb {G}} = \hat{\mathbb {G}}\), which only makes the attack easier. Recall that the Poly-SDH instance furnishes \(g,\, g ^{ \alpha _1},\, \ldots ,\, g ^{ \alpha _\ell }\), and a large number of pairs \(({ w_{i,j},\, u_{i,j} \!=\! g ^{ { 1}/{ ({ \alpha _i + w_{i,j}})}}})\). Based on this information, the attacker must output \(\ell \) pairs \(({ w_i,\, u_i \!=\! g ^{ {r_i}/{ ({ \alpha _i + w_i})}}})\) such that \(\sum _{ i} { r_i} \!=\! 1\), where \(w_i\) is distinct from all \(w_{i,j}\) with the same index i.

First, notice that the pairing \(\mathbf {e}\) is useful to verify a solution, but not really to find one. This is because \(\mathbf {e}\) maps to \({\mathbb {G}}_t\), and once we have landed in \({\mathbb {G}}_t\) we can never leave it. Also, \(\psi \) and \(\psi ^{-1}\) just model the identity function since we have already assumed that \({\mathbb {G}} = \hat{\mathbb {G}}\). We can thus focus on multiplication and division in the multiplicative group \({\mathbb {G}}\) of prime order p.

Next, observe that all the group elements that can be created from g, \(\{{ g ^{ \alpha _i}}\}\), and \(\{{ g^{ {1}/{({ \alpha _i + w_{i,j}})}}}\}\) are of the form \(g ^{ \frac{ \pi ({ \alpha _1, \ldots , \alpha _\ell })}{ \Delta }}\), where \(\pi \in \mathbb {F}_{p}[\alpha _1,\ldots ,\alpha _\ell ]_{q\ell +1}\) is any multivariate polynomial in \(\alpha _1, \ldots , \alpha _\ell \) of total degree at most \(q \, \ell + 1\), and where \(\Delta \) is the common denominator \(\Delta = \prod _{ i = 1}^{ \ell } { \prod _{ j = 1}^{ q} { ({ \alpha _i + w_{i,j}})}}\). (Here, we use the notation \(\mathbb {F}_{p}[x,y]\) to denote the ring of polynomials in x and y over \(\mathbb {F}_{p}\), and the shorthand notation \(\mathbb {F}_{p}[x,y]_d\) to denote the set of polynomials in x and y of total degree d or less.)

We need to produce \(\ell \) elements \(u_i = g ^{ { r_i}/{ ({ \alpha _i + w_i})}}\) and the corresponding \(w_i\). Our task is thus to find \(\ell \) polynomials \(\pi _1,\, \ldots ,\, \pi _\ell \in \mathbb {F}_{p}[\alpha _1,\ldots ,\alpha _\ell ]_{q\ell +1}\) such that \(\pi _i / \Delta = r_i / ({ \alpha _i + w_i})\) for some \(\sum _{ i} { r_i} = 1\), i.e., such that,

$$\begin{aligned} \sum _{ i = 1}^{ \ell } { ({ \alpha _i + w_i}) \, \pi _i} = \Delta = \prod _{ i = 1}^{ \ell } { \prod _{ j = 1}^{ q} { \left( { \alpha _i + w_{i,j}}\right) }}. \end{aligned}$$

We show that there can be no such polynomials \(\pi _i\) using a linear change of variable. For all \(i = 1, \ldots , \ell \) and \(j = 1, \ldots , q\), we define \(\alpha '_i = \alpha _i + w_i\) and \(w'_{i,j} = w_{i,j} - w_i\). Notice that all \(w'_{i,j} \ne 0\). Our new task becomes to find \(\ell \) polynomials \(\pi '_1,\, \ldots ,\, \pi '_\ell \) of degree \(\le q \, \ell + 1\) in the variables \(\alpha '_1, \ldots , \alpha '_\ell \), such that,

$$\begin{aligned} \sum _{ i = 1}^{ \ell } { \alpha '_i \, \pi '_i} = \Delta = \prod _{ i = 1}^{ \ell } { \prod _{ j = 1}^{ q} { \left( { \alpha '_i + w'_{i,j}}\right) }}. \end{aligned}$$

Clearly, all the monomials in the left-hand side have degree in \(\alpha '_1, \ldots , \alpha '_\ell \) at least 1. On the other hand, all \(w'_{i,j}\) are nonzero, so the right-hand side yields a non-vanishing independent (degree-0) term equal to \(\prod _{ i} { \prod _{ j} { w'_{i,j}}} = \prod _{ i} { \prod _{ j} { ({ w_{i,j} - w_i})}} \ne 0\), which is a contradiction.

The contradiction shows that the equations above cannot be satisfied identically in \(\mathbb {F}_{p}[\alpha '_1,\ldots ,\alpha '_\ell ]\) or \(\mathbb {F}_{p}[\alpha _1,\ldots ,\alpha _\ell ]\), which proves that the polynomials \(\pi '_i\), and thus, \(\pi _i\) cannot exist. A standard argument then shows that the equations can only be satisfied in \(\mathbb {F}_{p}\) for certain assignments of \(\alpha _1,\, \ldots ,\, \alpha _\ell \in \mathbb {F}_{p}\): the polynomial roots. Since the \(\alpha _i\) are chosen at random, we can bound the probability of hitting those roots. We find that, if \(q \, \ell < \mathrm {O}({ \sqrt[3]{ p}})\), it will take \(q_{\scriptscriptstyle {G}} = \Omega ({ \sqrt{ \epsilon \, p / {q \, \ell }}})\) operations to solve \(( q, \ell )\)-Poly-SDH with probability \(\epsilon \) in generic groups of order p.

We give a precise theorem and a complete proof based on this argument in “Generic-Group Complexity of Poly-SDH” of Appendix.

3.4 Pluri-SDH: A Weaker Assumption

Although we will need the Poly-SDH assumption to prove security of mesh signatures, ring signatures can be based on a slightly weaker assumption, due to the lack of atomic signature queries. Recall that in the \(( q, \ell )\)-Poly-SDH problem, we are given \(\ell \) generators \(g ^{ \alpha _i}\) as well as \(\ell \) series of q solution pairs \(({ w_{i,j},\, u_{i,j} = g ^{ { 1}/{ ({ \alpha _i + w_{i,j}})}}})\). Our weaker assumption is similar, except that we only give out a single series of solution pairs, conventionally for an extra generator of index \(i = 0\).

We define the \(( q, \ell , 1)\)-Pluri-SDH problem as a relaxed version of \(( q, \ell + 1)\)-Poly-SDH:

  • (Pluri-SDH) Given generators \(g,\, g ^{ \alpha _0},\, \ldots ,\, g ^{ \alpha _\ell } \in {\mathbb {G}}\) and q pairs \(({ w_{0,j},\, g ^{ 1 / ({ \alpha _0 + w_{0,j}})}})\) for \(1 \le j \le q\), choose fresh \(w_0,\, \ldots ,\, w_\ell \in \mathbb {F}_{p}\) and output \(\ell + 1\) pairs \(({ w_i,\, g ^{ r_i / ({ \alpha _i + w_i})}})\) such that \(\sum _{ i = 0}^{ \ell } { r_i} = 1\).

See also “Formal Pluri-SDH Definitions” of Appendix for formal definitions, including that of the \(( q, \ell , \ell ')\)-Pluri-SDH problem which is stated in an obvious way for \(\ell ' \ge 1\).

Generic Complexity. Regarding generic complexity, we can show that for \(q \, \ell < \mathrm {O}({ \sqrt[3]{ p}})\), a generic algorithm can solve the \(( q, \ell , 1)\)-Pluri-SDH problem with constant probability \(\epsilon \) in a generic group of prime order p only by performing \(q_{\scriptscriptstyle {G}} = \Omega ({ \sqrt{ \epsilon \, p / q}})\) generic-group operations on expectation.

A precise theorem for \(( q, \ell , 1)\)-Pluri-SDH and \(( q, \ell , \ell ')\)-Pluri-SDH is given in “Generic-Group Complexity of Pluri-SDH” of Appendix.

3.5 Comparing SDH with Pluri-SDH and Poly-SDH

An interesting fact about the \(( q, \ell , 1)\)-Pluri-SDH problem in generic bilinear groups is that it is quantitatively as difficult as the (modified) \( q\)-SDH problem: In particular, the generic lower bounds are essentially the same as those found in [5] and do not strongly depend on \(\ell \). In other words, allowing the opponent to make \(\ell \)-wise linear combinations has little adverse effect on generic security, provided that care has been taken to structure the problem to rule out all of the trivial solutions. A similar comparison can be made for the full \(( q, \ell )\)-Poly-SDH problem, except that the relevant benchmark here is the \( q \ell \)-SDH problem. Although we appear to lose a factor \(\ell \) in the number of allowed queries with respect to SDH, it will be a wash if the security reduction of interest allows \(\ell \) times as many queries, which will be the case of our mesh unforgeability simulator.

The main difference between SDH and Pluri-SDH/Poly-SDH is thus not one of hardness. It is that the former is useful in any “Gap-DH” group where the Diffie–Hellman problem has a decision procedure, while Pluri-SDH and Poly-SDH require a group with an actually computable pairing (or at least an oracle for comparing products of pairings) in order to verify its solutions.

4 Special Case: Ring Signatures

We first describe a ring signature based on Pluri-SDH as a special case of our technique. It is more efficient than most other provably secure ring signature schemes without random oracles, and the first of those schemes to offer unconditional anonymity. It is set in the “public-coin” common random string model, i.e., requiring only minimal trust for setup. The scheme is in fact very close to a ring scheme from [21], but not the proof.

  • Initialization: Given a security parameter \(\kappa \) and a public random string \(K \in \{{0,1}\}^{ \mathrm {poly}({ \kappa })}\), the parties generate from K a common bilinear instance \(\mathbf {G} = ({ p,\, {\mathbb {G}},\, \hat{\mathbb {G}},\, {\mathbb {G}}_t,\, g,\, \hat{g},\, \mathbf {e}}) \leftarrow \mathcal {G}({ 1 ^{ \kappa }; K})\) and a collision-resistant hash function \({H} : \{{0,1}\}^* \rightarrow \mathbb {F}_{p}\) shared by all. Since \(\mathbf {G}\) has prime order and no hidden structure, it can safely be generated from public coins.

    The string K is also used to generate three random elements \(\hat{A}_0\), \(\hat{B}_0\), and \(\hat{C}_0\) in \(\hat{\mathbb {G}}\). These elements define a public verification key “in the sky” whose matching signing key is undefined.

    For notational convenience, we suppose for now that the isomorphism \(\psi : \hat{\mathbb {G}} \rightarrow {\mathbb {G}}\) is efficiently computable in the instance \(\mathbf {G}\), and we let \(A_0 = \psi ({ \hat{A}_0})\), \(B_0 = \psi ({ \hat{B}_0})\), and \(C_0 = \psi ({ \hat{C}_0})\) in \({\mathbb {G}}\). This temporary restriction will be lifted later in this section.

  • Key generation: To create a key pair, User #i draws a triple \(({ a_i,\, b_i,\, c_i}) \in ({ \mathbb {F}_{p}^\times }) ^{ 3}\) as signing key and posts \(({ A_i,\, B_i,\, C_i,\, \hat{A}_i,\, \hat{B}_i,\, \hat{C}_i}) = ({ g ^{ a_i},\, g ^{ b_i},\, g ^{ c_i},\, \hat{g}^{ a_i},\, \hat{g}^{ b_i},\, \hat{g}^{ c_i}}) \in {\mathbb {G}}^{ 3} \times \hat{\mathbb {G}}^{ 3}\) as verification key.

    In case \(\psi : \hat{\mathbb {G}} \rightarrow {\mathbb {G}}\) is easy to compute, users publish only \(({ \hat{A}_i,\, \hat{B}_i,\, \hat{C}_i})\) to avoid redundancy.

  • Ring signature: To create a ring signature on messages \(m_1, \ldots , m_\ell \in \mathbb {F}_{p}\) attributed to a ring of \(\ell \) users, any member of the ring proceeds as follows. W.l.o.g., suppose that the signer is User #\(\ell \) in the ring \(R = ({ 1, \ldots , \ell })\). The signer selects \(2 \, \ell + 1\) random integers \(s_0, s_1, \ldots , s_{\ell -1}, t_0, t_1, \ldots , t_\ell \in \mathbb {F}_{p}\) and outputs the signature,

    $$\begin{aligned} \sigma= & {} \left( { \; g ^{ s_0} , \; \ldots , \; g ^{ s_{\ell -1}} , \; \left( { { g} \cdot { \prod _{ i = 0}^{ \ell - 1} { \left( { A_i \, B_i ^{ m_i} \, C_i ^{ t_i}}\right) ^{ - s_i}}}}\right) ^{ \frac{ 1}{ a_\ell + b_\ell \, m_\ell + c_\ell \, t_\ell }} , \; t_0 , \; \ldots , \; t_\ell \;}\right) \\&\;\in \; { {\mathbb {G}}^{ \ell + 1}} \times { \mathbb {F}_{p}^{ \ell + 1}} , \end{aligned}$$

    where \(m_1, \ldots , m_\ell \) are the messages to be signed, and \(m_0 = {H}({ ({ 1, m_1}), \ldots , ({ \ell , m_\ell })})\), a collision-resistant hash of the statement expressed by the signature.

  • Ring verification: To verify a signature \(\sigma = ({ S_0,\, \ldots ,\, S_\ell ,\, t_0,\, \ldots ,\, t_\ell })\), test the equality,

    $$\begin{aligned} \prod _{ i = 0}^{ \ell } { \mathbf {e}\left( { S_i,\, \hat{A}_i \, \hat{B}_i ^{ m_i} \, \hat{C}_i ^{ t_i}}\right) } = \mathbf {e}\left( { g,\, \hat{g}}\right) , \end{aligned}$$

    where \(R = ({ 1, \ldots , \ell })\) is the signature ring, \(m_1, \ldots , m_\ell \) are the messages being signed, and \(m_0 = {H}({ ({ 1, m_1}), \ldots , ({ \ell , m_\ell })})\).

Consistency of the algorithms is readily verified. Note that the scheme is trivially modified to force all messages \(m_1, \ldots , m_\ell \) to be the same, as in the traditional definition of ring signatures.

The purpose of including in the final signature a collision-resistant hash \(m_0\) of the ring and all the messages, ostensibly binding \(m_0\) to the public key “in the sky,” is to prevent outsiders from appending new components to an existing signature, which would otherwise give an easy forgery (though perhaps a rather benign one). The second reason is that the key “in the sky” is useful in the security proof, and lets us rely on a weaker assumption.
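As an added worked example (not the paper's code), the signing and verification algorithms above carried out in a toy model in which each group element is represented by its discrete logarithm, so that the product of pairings in the verification equation becomes a sum of exponents that must equal 1 modulo p. This checks the consistency of the algorithms and the binding role of \(m_0\), but it is not a secure implementation: the verifier in the model computes with the signing keys, which a real verifier never sees. The prime P, the SHA-256 based hash H, and letting any ring member (not only User #\(\ell \)) be the signer are assumptions of this example.

```python
import hashlib
import secrets

# Added example (not the paper's code): the ring scheme of Sect. 4 worked out "in the
# exponent".  A group element g^x (or ĝ^x) is represented by the scalar x, so the pairing
# e(S_i, Â_i B̂_i^{m_i} Ĉ_i^{t_i}) with S_i = g^{s_i} has exponent s_i * (a_i + b_i m_i + c_i t_i),
# and the verification equation says that these exponents sum to 1 modulo p.  The model
# checks the algebra only; it is not a secure implementation, because a real verifier
# works with group elements and never sees the signing keys (a_i, b_i, c_i).
P = 2**61 - 1  # constructed toy prime; the real scheme uses a bilinear group of large prime order


def H(ring_messages):
    """Collision-resistant hash into F_p of the statement ((1, m_1), ..., (ell, m_ell))."""
    data = b"|".join(f"{i}:{m}".encode() for i, m in ring_messages)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def keygen():
    """Signing key (a_i, b_i, c_i) in (F_p^x)^3; the verification key is its image in G and Ĝ.
    In this model the key 'in the sky' (index 0) is generated the same way."""
    return tuple(secrets.randbelow(P - 1) + 1 for _ in range(3))


def d_exponent(key, m, t):
    """Discrete log of A_i B_i^{m} C_i^{t} to base g: a_i + b_i m + c_i t."""
    a, b, c = key
    return (a + b * m + c * t) % P


def ring_sign(keys, messages, signer):
    """keys[0] is the key 'in the sky', keys[1..ell] the ring members' keys; `signer` is
    the index of the member whose signing key is used (the text takes ell w.l.o.g.).
    Returns (s, t): the discrete logs s_i of S_0..S_ell and the scalars t_0..t_ell."""
    ell = len(messages)
    if not 1 <= signer <= ell:
        raise ValueError("the signer must be a ring member")
    m = [H(list(zip(range(1, ell + 1), messages)))] + list(messages)  # m_0 = H(...)
    while True:
        t = [secrets.randbelow(P) for _ in range(ell + 1)]
        d_signer = d_exponent(keys[signer], m[signer], t[signer])
        if d_signer:  # a + b m + c t must be invertible; redraw t otherwise
            break
    s = [secrets.randbelow(P) for _ in range(ell + 1)]
    # S_signer = (g * prod_{i != signer} (A_i B_i^{m_i} C_i^{t_i})^{-s_i})^{1/d_signer}
    acc = 1
    for i in range(ell + 1):
        if i != signer:
            acc = (acc - s[i] * d_exponent(keys[i], m[i], t[i])) % P
    s[signer] = acc * pow(d_signer, -1, P) % P
    return s, t


def ring_verify(keys, messages, sig):
    """prod_{i=0}^{ell} e(S_i, Â_i B̂_i^{m_i} Ĉ_i^{t_i}) == e(g, ĝ)
    <=>  sum_i s_i * (a_i + b_i m_i + c_i t_i) == 1 (mod p)."""
    s, t = sig
    ell = len(messages)
    if len(keys) != ell + 1 or len(s) != ell + 1 or len(t) != ell + 1:
        return False
    m = [H(list(zip(range(1, ell + 1), messages)))] + list(messages)
    return sum(s[i] * d_exponent(keys[i], m[i], t[i]) for i in range(ell + 1)) % P == 1
```

Because \(m_0\) is recomputed from the ring and all the messages, changing any message, or dropping or adding a component, changes the exponent of index 0 and the sum no longer equals 1 (except with negligible probability).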

4.1 Anonymity

Independently of setup assumptions, our ring signatures have irrevocable or everlasting, perfect, unconditional anonymity (i.e., with forward security against coerced disclosure of the long-term signing keys, and the randomness that created them, of all users in the system).

Theorem 6

The ring signature has everlasting perfect anonymity.

Proof

See “Anonymity of the Ring Scheme” of Appendix. \(\square \)

4.2 Unforgeability

We then have existential unforgeability in the common random string model based on our computational assumption. More precisely, we can give two alternative reductions: One establishes security in the ring forgery game provided that the \(( q, \ell , 1)\)-Pluri-SDH problem is hard; the other proves security in the more demanding mesh forgery game from the hardness of \(( q, \ell + 1)\)-Poly-SDH. Here, we recall from Sect. 2.3 that a mesh forger can also make atomic signature queries to the honest users in addition to mesh (or ring) queries, whereas a ring forger makes no atomic queries.

We now state the ring result, which is the most appropriate in the context of ring signatures. In “Unforgeability of the Ring Scheme” of Appendix, however, we shall state and prove the stronger result instead, because parts of that proof will be reused when proving security of the full mesh scheme of Sect. 5.

Theorem 7

The ring signature is existentially unforgeable under an adaptive attack, against a static adversary that makes no more than q adaptive ring signature queries, provided that the \(( q, \ell , 1)\)-Pluri-SDH assumption holds in \(\mathbf {G}\), in the common random string model.

Proof

See “Unforgeability of the Ring Scheme” of Appendix. \(\square \)

4.3 Bilinearity Without Isomorphism

Since the most general types of bilinear instance \(\mathbf {G}\) may fail to provide both an efficient isomorphism \(\psi : \hat{\mathbb {G}} \rightarrow {\mathbb {G}}\) and an efficient sampling procedure in \(\hat{\mathbb {G}}\), it is useful to modify the ring scheme in order to relax these requirements. Although it is typically safe to rely on either one or the other [28], it is easy to eliminate both requirements at once in the following way.

  • First, we redefine the random key “in the sky” to consist just of \(A_0\), \(B_0\), and \(C_0\), to be sampled directly in \({\mathbb {G}}\) from the common random seed K (skipping \(\hat{\mathbb {G}}\) altogether).

  • Next, we modify the group element of index 0 in the signature, replacing \(g ^{ s_0} \in {\mathbb {G}}\) with \(\hat{g}^{ s_0} \in \hat{\mathbb {G}}\). The signature becomes, e.g., with User #\(\ell \) as the signer: \(\sigma = ({ \hat{S}_0,\, \ldots ,\, S_\ell ,\, t_0,\, \ldots ,\, t_\ell }) =\)

    $$\begin{aligned}&\left( { \; \hat{g}^{ s_0} , \; g ^{ s_1} , \; \ldots , \; g ^{ s_{\ell -1}} , \; \left( { { g} \cdot { \prod _{ i = 0}^{ \ell - 1} { ({ A_i \, B_i ^{ m_i} \, C_i ^{ t_i}}) ^{ - s_i}}}}\right) ^{ \frac{ 1}{ a_\ell + b_\ell \, m_\ell + c_\ell \, t_\ell }} , \; t_0 , \; \ldots , \; t_\ell \;}\right) \\&\quad \;\in \; { \hat{\mathbb {G}}} \times { {\mathbb {G}}^{ \ell }} \times { \mathbb {F}_{p}^{ \ell + 1}}, \end{aligned}$$
  • Last, we exchange the arguments under the pairing of index 0 and amend the verification equation into,

    $$\begin{aligned} { { \mathbf {e}\left( { A_0 \, B_0 ^{ m_0} \, C_0 ^{ t_0},\, \hat{S}_0}\right) } \cdot \prod _{ i = 1}^{ \ell } { \mathbf {e}\left( { S_i,\, \hat{A}_i \, \hat{B}_i ^{ m_i} \, \hat{C}_i ^{ t_i}}\right) }} = \mathbf {e}\left( { g,\, \hat{g}}\right) . \end{aligned}$$

It is easy to see that the security theorems continue to hold in the modified ring signature scheme. On the one hand, anonymity is unconditional and thus insensitive to the existence of some efficient algorithm for \(\psi \) or for sampling in \(\hat{\mathbb {G}}\). On the other hand, unforgeability relies no more on the presence of such algorithms than on their absence, as an inspection of the proof would show.

4.4 The Key “In the Sky”

A (tenuous) argument can be made that having a public key “in the sky” entails a stronger flavor of CRS than the mere sharing of a bilinear instance \(\mathbf {G}\) and a collision-resistant hash function H.

The crux of the argument is that, for someone who controls the CRS, it is much easier to implant a trapdoor into the public key \(\textit{VK}_0\) than to prepare \(\mathbf {G}\) for the subsequent efficient computation of discrete logarithms: The former can be done by constructing \(\textit{VK}_0\) from an explicit signing key (as the simulator does in the unforgeability proof), whereas the latter might involve the infeasible pre-computation of an exponential-size lookup table for the baby-step giant-step algorithm in \(\mathbf {G}\). A counterargument is that if the CRS is truly random, then all of this is equally hard for everyone.

Either way, both flavors of the CRS model—with or without a plausible trapdoor—seem more palatable than the TP model—with its inescapable third-party secrets (ephemeral or permanent). We can even eliminate the “key in the sky” \(\textit{VK}_0\) altogether, but omit the details.

5 General Case: Mesh Signatures

We now describe our mesh signature scheme, based on the Poly-SDH assumption. We proceed in stages: We first define a few useful notions, which we then use to describe the actual system.

5.1 Flattened Mesh Representation

Recall that a mesh signature is characterized by an expression \(\Upsilon \) generated by the grammar,

$$\begin{aligned}&\Upsilon {::}= \,N \\&N {::}=\, L_1 ~|~ \ldots ~|~ L_\ell ~|~ \ge _t\{{ N_1, \ldots , N_m}\} ~|~ \wedge \{{ N_1, \ldots , N_m}\} ~|~ \vee \{{ N_1, \ldots , N_m}\}. \end{aligned}$$

To harmonize the notation with the scheme description, we need to consider an extra literal \(L_0\) whose meaning is unimportant for now, and let \({\tilde{\Upsilon }}\) be as above with \(\ell + 1\) input literals \(L_0, \ldots , L_\ell \).

We show how to convert the recursive expression of \({\tilde{\Upsilon }}\) into a representation as a list of \(\ell + 1\) polynomials in \(\ell + 1\) variables (or fewer, depending on the structure of \({\tilde{\Upsilon }}\)), akin to linear secret sharing structures [34, 40].

The principle is as follows. To each input symbol \(L_i\), we associate a degree-1 homogeneous polynomial \(\pi _i = \sum _{ j = 0}^{ \ell } { y_{i,j} \, Z_j}\), where the variables \(Z_0, \ldots , Z_\ell \) are common to all polynomials and the coefficients \(y_{i,j}\) are elements of \(\mathbb {F}_{p}\). The polynomials are such that if the formula \({\tilde{\Upsilon }}\) is satisfied by setting some subset of symbols to \(\top \), then the span of the corresponding polynomials will contain the pure monomial \(Z_0\); conversely, any set of polynomials whose span contains the monomial \(Z_0\) indicates a satisfying assignment.

The following algorithm computes such a representation from \({\tilde{\Upsilon }}\). Proceeding recursively, it assigns temporary polynomials to the interior nodes as it walks down the tree from the root to the leaves (i.e., from the output gate to the input symbols):

  1. Initialize a counter \({k_\mathrm {c}} \leftarrow 0\).

     The counter \({k_\mathrm {c}}\) is used for allocating new variables, so that each \(Z_{k+k_c}\) is always a “fresh” variable that has not been used before and is not reused afterwards in the algorithm.

  2. Label the root node \(N_0\) with the polynomial \(\pi _{N_0} \leftarrow Z_0\).

  3. Select a non-leaf node N with non-empty label \(\pi _{N} \ne \emptyset \).

     (a) Denote by \(N_1, \ldots , N_m\) the \(m \ge 2\) children of N.

     (b) If N is \(\vee \{{ N_1, \ldots , N_m}\}\), then \(\forall i = 1, \ldots , m\) let \(\pi _{N_i} = \pi _{N}\).

     (c) If N is \(\wedge \{{ N_1, \ldots , N_m}\}\), then \(\forall i = 1, \ldots , m\) let \(\pi _{N_i} = \pi _{N} + \sum _{ k = 1}^{ m - 1} { l_{i,k} \, Z_{k+{k_\mathrm {c}}}}\) where \(l_{i,k} \in \mathbb {F}_{p}\). The selection of \(l_{i,k}\) is explained below.

     (d) If N is \(\ge _t\{{ N_1, \ldots , N_m}\}\), then \(\forall i = 1, \ldots , m\) let \(\pi _{N_i} = \pi _{N} + \sum _{ k = 1}^{ t - 1} { l_{i,k} \, Z_{k+{k_\mathrm {c}}}}\) where \(l_{i,k} \in \mathbb {F}_{p}\). The selection of \(l_{i,k}\) is explained below.

     (e) Label each child \(N_i\) with the polynomial \(\pi _{N_i}\).

     (f) Unlabel node N, i.e., set \(\pi _{N} \leftarrow \emptyset \).

     (g) Increment \({k_\mathrm {c}} \leftarrow {k_\mathrm {c}} + t - 1\) (using \(t = 1\) for an \(\vee \)-gate, and \(t = m\) for an \(\wedge \)-gate).

     (h) Continue at step 3 if an eligible node remains, otherwise skip to step 4.

  4. Let \(\vartheta \leftarrow {k_\mathrm {c}}\) and output the polynomials \(({ \pi _0, \ldots , \pi _\ell })\) associated with the leaf nodes \(L_0, \ldots , L_\ell \).

     Each polynomial \(\pi _i\) is represented as a vector of coefficients \(({ y_{i,0}, \ldots , y_{i,\vartheta }}) \in { \mathbb {F}_{p}^{ \vartheta + 1}}\) such that \(\pi _i = \sum _{ k = 0}^{ \vartheta } { y_{i,k} \, Z_k}\) is the result of the sequence of operations in steps 3b, 3c, and 3d.

We note that the only variables with nonzero coefficients in the output polynomials are \(Z_0, \ldots , Z_\vartheta \), where \(\vartheta = {k_\mathrm {c}}\) is the final counter value and is at most \(\ell \).

In steps 3c and 3d, the coefficients \(l_{i,k}\) need to ensure that no linear relation exists within any set of \(\pi _{N_i}\) of size \(< m\) or \(< t\). (By construction, m or t of them will always be linearly dependent.) To achieve this property, we let \(\left( { l_{i,k}}\right) \) form a Vandermonde matrix in \(\mathbb {F}_{p}^{ m \times ({ m - 1})}\) or \(\mathbb {F}_{p}^{ m \times ({ t - 1})}\), i.e., set \(l_{i,k} = a_i ^{ k}\) for distinct \(a_i \in \mathbb {F}_{p}\); independence follows from the existence of polynomial interpolation. We also require that \(\left( { l_{i,k}}\right) \) be constructed deterministically, so that anyone can verify that the \(\pi _i\) faithfully encode \({\tilde{\Upsilon }}\) simply by reproducing the process.

The following lemma shows the equivalence between the recursive specification of \({\tilde{\Upsilon }}\) and its flattened representation. It is adapted from a classic result [34] for linear secret sharing structures and proven by induction on the structure of \({\tilde{\Upsilon }}\). We refer to the literature [40] for further details.

Lemma 8

[34]  Let \({\tilde{\Upsilon }}\) be an arborescent monotone threshold circuit, and \(\left. { \pi _0, \ldots , \pi _\ell }\right. \) a flattened representation of it per the above algorithm. A minimal truth assignment \(\chi : \{{ L_0, \ldots , L_\ell }\} \rightarrow \{{\bot ,\top }\}\) satisfies \({\tilde{\Upsilon }}({ \chi ({ L_0}), \ldots , \chi ({ L_\ell })}) = \top \) if and only if there exist in \(\mathbb {F}_{p}\) coefficients \(\left. { \nu _0, \ldots , \nu _\ell }\right. \) such that,

$$\begin{aligned} \sum _{ i = 0}^{ \ell } { \nu _i \, \pi _i} = Z_0 , \quad \text {and}\quad { \forall i} \,{:}\, { \nu _i = 0 \iff \chi ({ L_i}) = \bot }. \end{aligned}$$

In this context, a minimal assignment \(\chi \) with respect to some monotone boolean function \({\tilde{\Upsilon }}\) is one that satisfies \({\tilde{\Upsilon }}\) but ceases to do so when any literal of \(\chi \) is flipped from true to false.

Equivalently, if we expand the polynomials \(\pi _i\) into their coefficients \(y_{i,k}\) and write \(\delta _{0,k}\) for the Kronecker delta, the condition \(\sum _{ i = 0}^{ \ell } { \nu _i \, \pi _i} = Z_0\) reads,

$$\begin{aligned} { \forall k = 0, \ldots , \vartheta } \,{:}\, { \sum _{ i = 0}^{ \ell } { \nu _i \, y_{i,k}} = \delta _{0,k}}. \end{aligned}$$
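As an added worked example (not code from the paper), the flattening algorithm of this section implemented over a small prime field, together with a Gaussian-elimination routine that recovers the coefficients \(\nu _i\) of Lemma 8 and a brute-force check, over all \(2^{\ell +1}\) assignments, that \(Z_0\) lies in the span of \(\{{ \pi _i : L_i = \top }\}\) exactly for the satisfying assignments. The tree encoding, the toy prime \(p = 101\), and the choice \(a_i = i\) for the Vandermonde rows \(l_{i,k} = a_i ^{ k}\) are assumptions of this example.

```python
from itertools import combinations

# Added example (not the paper's code): the flattening algorithm of Sect. 5.1 plus a
# brute-force check of Lemma 8 over a small prime field.  Tree encoding (an assumption
# of this example): ("L", i) is the literal L_i; ("or", [..]), ("and", [..]) and
# ("thr", t, [..]) are the gates.
P = 101  # constructed toy prime; the fan-in m must stay below P so that a_i = i are distinct and nonzero


def flatten(tree, p=P):
    """Return (pis, vartheta) where pis[i] = {k: y_{i,k}} encodes pi_i = sum_k y_{i,k} Z_k."""
    kc = 0                                   # step 1: counter allocating fresh variables
    pis = {}

    def walk(node, pi):
        nonlocal kc
        if node[0] == "L":
            pis[node[1]] = pi                # a leaf's label is an output polynomial (step 4)
            return
        children = node[-1]
        m = len(children)
        t = 1 if node[0] == "or" else m if node[0] == "and" else node[1]
        labels = []
        for i in range(1, m + 1):            # steps 3b-3d, Vandermonde rows l_{i,k} = a_i^k, a_i = i
            q = dict(pi)
            for k in range(1, t):
                q[k + kc] = (q.get(k + kc, 0) + pow(i, k, p)) % p
            labels.append(q)
        kc += t - 1                          # step 3g: Z_{kc+1..kc+t-1} are now used up
        for child, q in zip(children, labels):
            walk(child, q)                   # steps 3e, 3f, 3h: label the children, forget N, go on

    walk(tree, {0: 1})                       # step 2: the root is labelled Z_0
    return pis, kc


def lemma8_nu(pis, vartheta, true_literals, p=P):
    """Coefficients {i: nu_i} over the true literals with sum_i nu_i pi_i = Z_0, or None
    when Z_0 is not in their span.  Solves sum_i nu_i y_{i,k} = delta_{0,k} for all k."""
    idx = sorted(true_literals)
    n = len(idx)
    # augmented matrix: a row per variable Z_k, a column per unknown nu_i, then delta_{0,k}
    A = [[pis[i].get(k, 0) % p for i in idx] + [1 if k == 0 else 0] for k in range(vartheta + 1)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [v * inv % p for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(a - f * b) % p for a, b in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(not any(row[:n]) and row[n] for row in A):
        return None                          # a row "0 = 1": Z_0 is outside the span
    nu = {i: 0 for i in idx}                 # free unknowns are set to 0
    for row, c in enumerate(pivots):
        nu[idx[c]] = A[row][n]
    return nu


def combine(pis, nu, p=P):
    """The polynomial sum_i nu_i pi_i as {k: coefficient}, zeros dropped."""
    out = {}
    for i, v in nu.items():
        for k, y in pis[i].items():
            out[k] = (out.get(k, 0) + v * y) % p
    return {k: v for k, v in out.items() if v}


def evaluate(tree, true_literals):
    """Truth value of the monotone formula when L_i is true iff i is in true_literals."""
    if tree[0] == "L":
        return tree[1] in true_literals
    vals = [evaluate(c, true_literals) for c in tree[-1]]
    t = 1 if tree[0] == "or" else len(vals) if tree[0] == "and" else tree[1]
    return sum(vals) >= t


def lemma8_holds_everywhere(tree, p=P):
    """Over all assignments: Z_0 in span{pi_i : L_i true} iff the assignment satisfies the tree."""
    pis, vt = flatten(tree, p)
    lits = sorted(pis)
    for r in range(len(lits) + 1):
        for subset in combinations(lits, r):
            nu = lemma8_nu(pis, vt, set(subset), p)
            if (nu is not None) != evaluate(tree, set(subset)):
                return False
            if nu is not None and combine(pis, nu, p) != {0: 1}:
                return False
    return True


# Constructed instance: ~Y = AND{ L_0, >=2{L_1, L_2, L_3}, OR{L_4, L_5} }, so ell = 5.
TREE = ("and", [("L", 0), ("thr", 2, [("L", 1), ("L", 2), ("L", 3)]), ("or", [("L", 4), ("L", 5)])])
```

On `TREE` the algorithm consumes two fresh variables at the root \(\wedge \)-gate and one at the threshold gate, so \(\vartheta = 3 < \ell \), illustrating the remark that the representation may use fewer than \(\ell + 1\) variables; for a minimal satisfying set such as \(\{{ L_0, L_1, L_2, L_4}\}\) every recovered \(\nu _i\) is nonzero, as Lemma 8 requires.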

5.2 Information-Theoretic Blinding

In the signature scheme (yet to be described), we use both the polynomials \(({ \pi _0, \ldots , \pi _\ell })\) and the linear combination \(({ \nu _0, \ldots , \nu _\ell })\) from Lemma 8: the latter to create a signature and the former to indicate how to verify it. However, since the linear coefficients \(\nu _i\) reveal which of the \(L_i\) are true, they must be kept secret. In the actual signature, these coefficients appear not as integers but as exponents of elements of \({\mathbb {G}}\) and are thus already computationally hidden; however, this is not enough and we need to take an extra step to ensure information-theoretic hiding.

By Lemma 8, we know that \(\sum _{ i = 0}^{ \ell } { \nu _i \, \pi _i} = Z_0\), where each \(\nu _i \in \mathbb {F}_{p}\) and each \(\pi _i \in \mathbb {F}_{p}[Z_0,\ldots ,Z_\vartheta ]_1\). We hide the linear coefficients \(\nu _i\) using random blinding terms \(({ {h}_0, \ldots , {h}_\ell })\) such that \(\sum _{ i = 0}^{ \ell } { {h}_i \, \pi _i} = 0\). Since \(\sum _{ i = 0}^{ \ell } { ({ \nu _i + {h}_i}) \, \pi _i} = Z_0\), the blinded coefficients \(\nu _i + {h}_i\) still bear witness that \({\tilde{\Upsilon }}({ L_0, \ldots , L_\ell }) = \top \). However, these witnesses have been rendered information-theoretically indistinguishable, because the distribution of \(({ \nu _0 + {h}_0, \ldots , \nu _\ell + {h}_\ell })\) is conditionally independent of the truth values of the \(L_i\) given that \({\tilde{\Upsilon }}({ L_0, \ldots , L_\ell }) = \top \).

The difficulty is that no scalars \({h}_i\) will satisfy \(\sum _{ i = 0}^{ \ell } { {h}_i \, \pi _i} = 0\) when the \(\pi _i\) contain uninstantiated variables. However, given a specific set of \(\pi _i\), it is easy to build \({h}_i\) that have polynomial values.

  1. Draw a random vector \(\mathbf {s} = ({ s_1, \ldots , s_\ell }) \in \mathbb {F}_{p}^{ \ell }\) of scalar coefficients.

  2. For \(i = 1, \ldots , \ell \), define \({h}_i = { - s_i \, \pi _0}\), and set the remaining term \({h}_0 = \sum _{ j = 1}^{ \ell } { s_j \, \pi _j}\).

In the actual scheme, these polynomials are evaluated “in the exponent” for unknown assignments to the \(Z_k\), but regardless of their values, we have \(\sum _{ i = 0}^{ \ell } { {h}_i \, \pi _i} = ({ \sum _{ j = 1}^{ \ell } { s_j \, \pi _j}}) \, \pi _0 + \sum _{ i = 1}^{ \ell } { ({ - s_i \, \pi _0}) \, \pi _i} = 0\), and so the blinding terms \(({ {h}_0, \ldots , {h}_\ell })\) meet our requirements.

The random vector \(\mathbf {s}\) can be chosen independently of the \(\pi _i\). This is important for the actual signature scheme, where the relevant polynomials will have coefficients that involve discrete logarithms not known explicitly (in addition to the \(Z_k\) being instantiated as discrete logarithms of random group elements). In spite of this, we will be able to select a suitable vector \(\mathbf {s}\) and compute the blinding terms \({h}_i\) “in the exponent.”
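As an added worked example (not code from the paper), the two-step blinding above over a small prime field, with polynomials represented as sparse dictionaries of monomials so that the degree-2 products \({h}_i \, \pi _i\) can be formed and cancelled explicitly. The flattened polynomials `PIS`, which encode \({\tilde{\Upsilon }} = \wedge \{{ L_0, \vee \{{ L_1, L_2}\}}\}\) with \(a_i = i\), the two witnesses `NU_A` and `NU_B`, and the prime \(p = 101\) are constructed for this example. It goes one step beyond the text: `matching_blinder` shows that once the \(Z_k\) are instantiated, the same blinded vector can be produced from either witness by an appropriate choice of \(\mathbf {s}\), which is the concrete reason the blinded coefficients reveal nothing about the truth values.

```python
import math
import secrets

# Added example (not the paper's code): the blinding terms of Sect. 5.2 over a small
# prime field.  Polynomials are sparse dicts {monomial: coeff}; a monomial is a sorted
# tuple of variable indices and () is the constant term.  PIS is a constructed
# flattened representation (Sect. 5.1, a_i = i) of ~Y = AND{ L_0, OR{L_1, L_2} }:
# pi_0 = Z_0 + Z_1 and pi_1 = pi_2 = Z_0 + 2 Z_1.
P = 101
PIS = [{(0,): 1, (1,): 1}, {(0,): 1, (1,): 2}, {(0,): 1, (1,): 2}]
NU_A = {0: 2, 1: P - 1, 2: 0}   # witness for {L_0, L_1}: 2 pi_0 - pi_1 = Z_0
NU_B = {0: 2, 1: 0, 2: P - 1}   # witness for {L_0, L_2}: 2 pi_0 - pi_2 = Z_0


def add(f, g, p=P):
    out = dict(f)
    for mono, c in g.items():
        out[mono] = (out.get(mono, 0) + c) % p
    return {m: c for m, c in out.items() if c}


def scale(c, f, p=P):
    return {m: (c * v) % p for m, v in f.items() if (c * v) % p}


def mul(f, g, p=P):
    out = {}
    for m1, c1 in f.items():
        for m2, c2 in g.items():
            mono = tuple(sorted(m1 + m2))
            out[mono] = (out.get(mono, 0) + c1 * c2) % p
    return {m: c for m, c in out.items() if c}


def evaluate(f, z, p=P):
    """Value of f at the point z = [Z_0, Z_1, ...]."""
    return sum(c * math.prod(z[v] for v in mono) for mono, c in f.items()) % p


def blinding_terms(pis, s, p=P):
    """Step 2: h_i = -s_i pi_0 for i = 1..ell and h_0 = sum_j s_j pi_j (s = (s_1, ..., s_ell))."""
    h = [None] * len(pis)
    h[0] = {}
    for j in range(1, len(pis)):
        h[j] = scale(-s[j - 1], pis[0], p)
        h[0] = add(h[0], scale(s[j - 1], pis[j], p), p)
    return h


def blinded_witness(pis, nu, s, p=P):
    """The polynomials nu_i + h_i; their pi_i-weighted sum is still Z_0."""
    h = blinding_terms(pis, s, p)
    return [add({(): nu[i] % p}, h[i], p) for i in range(len(pis))]


def weighted_sum(coeffs, pis, p=P):
    """sum_i coeffs[i] * pi_i as a polynomial."""
    total = {}
    for c, pi in zip(coeffs, pis):
        total = add(total, mul(c, pi, p), p)
    return total


def blinded_at(pis, nu, s, z, p=P):
    """The scalars nu_i + h_i(z) that actually appear (in the exponent) once the Z_k are fixed."""
    return [evaluate(f, z, p) for f in blinded_witness(pis, nu, s, p)]


def matching_blinder(pis, nu, nu_prime, s, z, p=P):
    """Given the blinder s used with witness nu, the blinder s' for which witness nu'
    yields exactly the same blinded scalars at z (requires pi_0(z) != 0)."""
    inv = pow(evaluate(pis[0], z, p), -1, p)
    return [(s[j - 1] + (nu_prime[j] - nu[j]) * inv) % p for j in range(1, len(pis))]
```

For \(i \ge 1\) the blinded scalar is \(\nu _i - s_i \, \pi _0({ z})\), so any value is reachable from either witness by shifting \(s_i\); the index-0 scalar is then forced by the relation \(\sum _{ i} { ({ \nu _i + {h}_i}) \, \pi _i} = Z_0\), which both witnesses satisfy.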

5.3 Construction

The full mesh signature scheme can now be described as follows. (In this description, we shall provide a somewhat “wasteful” construction and defer to Sect. 5.5 for a discussion of simple but effective ways to optimize it.)

  • Initialization: This step is parameterized by a security parameter \(\kappa \) and a bound \(\lambda \) on the number of clauses that can be incorporated into a mesh. It also assumes an agreed-upon public random string \(K \in \{{0,1}\}^{ \mathrm {poly}({ \kappa })}\).

    Given the security parameter \(\kappa \) and the reference string K, all the participants generate a common bilinear instance \(\mathbf {G} \!=\! ({ p, {\mathbb {G}}, \hat{\mathbb {G}}, {\mathbb {G}}_t, g, \hat{g}, \mathbf {e}}) \leftarrow \mathcal {G}({ 1 ^{ \kappa }; K})\). Here, we require that the implied isomorphism \(\psi : \hat{\mathbb {G}} \rightarrow {\mathbb {G}}\) be efficiently computable.

    The security parameter \(\kappa \) and the string K are also used to obtain a common hash function \({H}: \{{0,1}\}^* \rightarrow \mathbb {F}_{p}\) from a collision-resistant family.

    Given the mesh size parameter \(\lambda \) and the string K, the participants then extract \(\lambda + 1\) common elements \(\hat{g}_0, \hat{g}_1, \ldots , \hat{g}_\lambda \) in \(\hat{\mathbb {G}}\), and the corresponding images \(g_0, g_1, \ldots , g_\lambda \) in \({\mathbb {G}}\) under \(\psi \). The extraction process must ensure that the discrete logarithms of the \(g_i\) are unknown.

    Finally, K defines \({ \lambda + 1}\) random triples \(({ \hat{A}_{0,k},\, \hat{B}_{0,k},\, \hat{C}_{0,k}}) \in \hat{\mathbb {G}}^{ 3}\) for \(k \in \{{ 0, \ldots , \lambda }\}\); these elements together constitute a public verification key “in the sky” with no known signing key. Using the map \(\psi \), everyone computes \(A_{0,k} \!=\! \psi ({ \hat{A}_{0,k}})\), \(B_{0,k} \!=\! \psi ({ \hat{B}_{0,k}})\), \(C_{0,k} \!=\! \psi ({ \hat{C}_{0,k}})\), in \({\mathbb {G}}\). We note that the public key “in the sky” is not well formed, in the sense that it satisfies none of the internal Diffie–Hellman relationships that regular user public keys, defined next, do.

  • Key generation: To create a key pair, User #i draws a triple \(({ a_i,\, b_i,\, c_i}) \in ({ \mathbb {F}_{p}^\times }) ^{ 3}\) as signing key. User #i computes for each \(k \in \{{ 0, \ldots , \lambda }\}\) the triple \(({ \hat{A}_{i,k},\, \hat{B}_{i,k},\, \hat{C}_{i,k}}) = ({ \hat{g}_k ^{ a_i},\, \hat{g}_k ^{ b_i},\, \hat{g}_k ^{ c_i}}) \in \hat{\mathbb {G}}^{ 3}\), and lets these \(3 \, ({ \lambda + 1})\) group elements constitute his or her verification key.

    For simplicity, we write \(({ A_{i,k},\, B_{i,k},\, C_{i,k}}) = ({ \psi ({ \hat{A}_{i,k}}),\, \psi ({ \hat{B}_{i,k}}),\, \psi ({ \hat{C}_{i,k}})}) = ({ g_k ^{ a_i},\, g_k ^{ b_i},\, g_k ^{ c_i}}) \in {\mathbb {G}}^{ 3}\), which anyone can compute from the verification key of User #i thanks to \(\psi \).

  • Mesh signature: Consider the following mesh signature prototype information:

    • \(\ell \) statements \(\left[ {{ \textit{VK}_i}\!:{ \textit{Msg}_i}}\right] \), assumed w.l.o.g. to involve the public keys of Users #\(1, \ldots , \ell \), and whose propositional truth values are denoted by the literals \(L_i\) for \(i = 1, \ldots , \ell \).

    • an arborescent monotone threshold circuit \(\Upsilon \) where each literal \(L_1, \ldots , L_\ell \) is an input leaf; and an assignment \(\chi : \{{ L_1, \ldots , L_\ell }\} \rightarrow \{{\bot ,\top }\}\) that satisfies \(\Upsilon ({ L_1, \ldots , L_\ell }) = \top \);

    • \(\forall i = 1, \ldots , \ell \) such that \(\chi ({ L_i}) = \top \), a valid Boneh–Boyen signature in \(\mathbf {G}\), given as a pair,

      $$\begin{aligned} \left( { \; { u_i = g ^{ \frac{ 1}{ a_i + b_i \, w_i + c_i \, t_i}}} , \; { t_i} \;}\right) , \quad \text {for some}\quad t_i \in \mathbb {F}_{p}, \end{aligned}$$

      where \(w_i = \textit{Msg}_i\) and \(({ a_i, b_i, c_i})\) is the signing key for the statement \(\left[ {{ \textit{VK}_i}\!:{ \textit{Msg}_i}}\right] \).

    • Optionally, a prescribed “random” value \(t_i \in \mathbb {F}_{p}\) for any index i such that \(\chi ({ L_i}) = \bot \).

    To create a mesh signature based on the preceding data, the signer first extends \(\Upsilon \) into a new specification that involves the verification key “in the sky”:

    1. Hash the public mesh specification to get \(\textit{Msg}_0 = {H}( \left[ {{ \textit{VK}_1}\!:{ \textit{Msg}_1}}\right] , \ldots , \left[ {{ \textit{VK}_\ell }\!:{ \textit{Msg}_\ell }}\right] ,\!\! \Upsilon )\), and implicitly associate the literal \(L_0\) to the clause \(\left[ {{ \textit{VK}_0}\!:{ \textit{Msg}_0}}\!\right] \).

    2. Construct \({\tilde{\Upsilon }} = L_0 \vee \Upsilon \), a well-formed arborescent monotone threshold circuit.

    3. Extend \(\chi \) so that \(\chi ({ L_0}) = \bot \), as we lack the corresponding atomic signature.

    The signer then builds the mesh signature from the circuit \({\tilde{\Upsilon }}\), the assignment \(\chi \), and the atomic signatures \(({ u_i, t_i})\) known for such i that \(\chi ({ L_i}) = \top \), as follows:

    4. Create a flattened representation of \({\tilde{\Upsilon }}\) and \(\chi \) as discussed in Sect. 5.1. Accordingly, let \(\pi _0, \ldots , \pi _\ell \in \mathbb {F}_{p}[Z_0,\ldots ,Z_\vartheta ]\) be public degree-1 multivariate polynomials that encode \({\tilde{\Upsilon }}\), and \(\nu _0, \ldots , \nu _\ell \in \mathbb {F}_{p}\) the secret scalar coefficients of a linear combination that expresses \(\chi \), as in Lemma 8. Compute the coefficients \(y_{j,k} \in \mathbb {F}_{p}\) of the polynomials \(\pi _j = \sum _{ k = 0}^{ \vartheta } { y_{j,k} \, Z_k}\).

    5. Create a random blinding vector \(\mathbf {s} = ({ s_1, \ldots , s_\ell }) \in \mathbb {F}_{p}^{ \ell }\).

    6. \({ \forall i \in \{{ 0, \ldots , \ell }\}}: { \chi ({ L_i}) = \bot }\), randomly draw \(t_i \in \mathbb {F}_{p}\), and arbitrarily fix \(u_i = g ^{ 0} = 1 \in {\mathbb {G}}\). Alternatively, instead of a random \(t_i\), a prescribed value can be used.

       (Recall that for \(\chi ({ L_i}) = \top \), the \(t_i\) and \(u_i\) are supplied with the atomic signatures.)

    7. For all \(j = 0, \ldots , \ell \) and \(k = 0, \ldots , \vartheta \), calculate,

       $$\begin{aligned} v_{j,k} = \left( { A_{j,k} \, B_{j,k}^{ m_j} \, C_{j,k}^{ t_j}}\right) ^{ y_{j,k}}, \quad \text {setting}\quad m_j = \textit{Msg}_j. \end{aligned}$$

       (Note that if we instantiate \(Z_k = \mathop {\mathrm {dlog}}\nolimits _{ g}({ g_k})\), we get \(v_j := \prod _{ k = 0}^{ \vartheta } { v_{j,k}} = g ^{ ({ a_j + b_j \, m_j + c_j \, t_j}) \, \pi _j}\) for all j except \(j = 0\) since the key “in the sky” is ill formed.)

    8. Compute, for \(i = 1, \ldots , \ell \), and \(k = 0, \ldots , \vartheta \), respectively,

       $$\begin{aligned} S_i = { { { u_i}^{ \nu _i}} \, { { { v_0}^{ - s_i}}}}, \quad P_k = { \prod _{ j = 1}^{ \ell } { { v_{j,k}}^{ s_j}}}. \end{aligned}$$

       (The value of any intervening \(u_i\) such that \(\chi ({ L_i}) = \bot \) is unimportant since then \(\nu _i = 0\); this is true in particular for the user “in the sky” of index 0.)

    9. Output the mesh signature, consisting of the statement \(\Upsilon \) and the tuple,

       $$\begin{aligned} \sigma = ({ \; t_0 , \; \ldots , \; t_\ell , \; S_1 , \; \ldots , \; S_\ell , \; P_0 , \; \ldots , \; P_\vartheta \;}) \;\in \; { { \mathbb {F}_{p}^{ \ell + 1}} \times { {\mathbb {G}}^{ \ell + \vartheta + 1}}}. \end{aligned}$$

  • Mesh verification: A fully qualified mesh signature package consists of:

    • a list of \(\ell + 1\) propositions \(\left[ {{ \textit{VK}_0}\!:{ \textit{Msg}_0}}\right] , \ldots , \left[ {{ \textit{VK}_\ell }\!:{ \textit{Msg}_\ell }}\right] \) viewed as inputs to,

    • an arborescent monotone threshold circuit \({\tilde{\Upsilon }} : \{{ \bot , \top }\}^{ \ell + 1} \rightarrow \{{ \bot , \top }\}\),

    • a mesh signature \(\sigma = \left( { t_0, \ldots , t_\ell , S_1, \ldots , S_\ell , P_0, \ldots , P_\vartheta }\right) \in { { \mathbb {F}_{p}^{ \ell + 1}} \times { {\mathbb {G}}^{ \ell + \vartheta + 1}}}\).

    To verify such a signature, the verifier proceeds as follows:

    1. Ascertain that \({\tilde{\Upsilon }}({ \top , \star , \ldots , \star }) = \top \), extract from \({\tilde{\Upsilon }}({ L_0, \ldots , L_\ell })\) the sub-circuit \(\Upsilon ({ L_1, \ldots , L_\ell })\) such that \({\tilde{\Upsilon }} = \Upsilon \vee L_0\), and verify that \(\textit{Msg}_0 = {H}({ \left[ {{ \textit{VK}_1}\!:{ \textit{Msg}_1}}\right] , \ldots , \left[ {{ \textit{VK}_\ell }\!:{ \textit{Msg}_\ell }}\right] , \Upsilon })\).

    2. Recompute the polynomials \(({ \pi _0, \ldots , \pi _\ell })\) representing the formula \({\tilde{\Upsilon }}\) by reproducing the deterministic conversion of Sect. 5.1.

    3. For \(i = 0, \ldots , \ell \), determine the coefficients \(y_{i,k} \in \mathbb {F}_{p}\) of the polynomials \(\pi _i = \sum _{ k = 0}^{ \vartheta } { y_{i,k} \, Z_k}\).

    4. For \(i = 0, \ldots , \ell \) and \(k = 0, \ldots , \vartheta \), retrieve \(({ \hat{A}_{i,k}, \hat{B}_{i,k}, \hat{C}_{i,k}})\) from the key \(\textit{VK}_i\), and calculate,

       $$\begin{aligned} \hat{v}_{i,k} = \left( { \hat{A}_{i,k} \, \hat{B}_{i,k}^{ m_i} \, \hat{C}_{i,k}^{ t_i}}\right) ^{ y_{i,k}}, \quad \hat{v}_i = \prod _{ k = 0}^{ \vartheta } { \hat{v}_{i,k}}, \quad \text {setting}\quad m_i = \textit{Msg}_i. \end{aligned}$$

    5. Using the pairing, verify the equalities, for all \(k = 0, \ldots , \vartheta \),

       $$\begin{aligned} {{\mathbf {e}\left( { P_k,\, \hat{v}_0}\right) } \cdot { \prod _{ i = 1}^{ \ell } { \mathbf {e}\left( { S_i,\, \hat{v}_{i,k}}\right) }}} = {\left\{ \begin{array}{ll} \mathbf {e}({ g,\, \hat{g}_0}) &{} \text {for}\, k = 0 \\ 1 &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$

    6. Accept the signature as valid if and only if all \(\vartheta + 1\) preceding equalities hold in \({\mathbb {G}}_t\).

  • (Optional) Probabilistic check: Mesh signatures can be verified using fewer total pairings, at the cost of some additional random bits and exponentiations. In the same setting as above, it suffices to replace the end of the verification algorithm from step 5 onward by the following:

    • \(5'\). Using the pairing, for \(d_0 \!=\! 1\) and random \(d_1, \ldots , d_\vartheta \!\in \! \mathbb {F}_{p}\), verify the single equality,

      $$\begin{aligned} {{\mathbf {e}\left( \,\,{ \prod _{ k = 0}^{ \vartheta } { P_k ^{ d_k}},\, \hat{v}_0}\right) } \cdot { \prod _{ i = 1}^{ \ell } { \mathbf {e}\left( { S_i,\, \prod _{ k = 0}^{ \vartheta } { \hat{v}_{i,k}^{ d_k}}}\right) }}} = \mathbf {e}({ g,\, \hat{g}_0}). \end{aligned}$$

    • \(6'\). Accept the signature as valid if and only if the preceding equality holds in \({\mathbb {G}}_t\).

The probabilistic verification incurs a negligible statistical error of accepting a signature that would not be accepted by the deterministic algorithm. It is however significantly faster.

5.4 Security

We state the correctness, anonymity, and unforgeability theorems for the mesh scheme. A corollary to the latter is also given, based on a weaker assumption, for the case where only a subset of the honest users are willing to answer atomic signature queries (e.g., certificate authorities).

Theorem 9

The mesh signature is consistent.

Proof

For any list of public polynomials \(\pi _0, \ldots , \pi _\ell \) and secret coefficients \(\nu _0, \ldots , \nu _\ell \) that, respectively, encode per Lemma 8 a well-formed mesh specification \({\tilde{\Upsilon }}\) and an assignment \(\chi \) that satisfies it, we need to show that a signature created by the above algorithm will be accepted by the same. A straightforward sequence of substitutions in the scheme description shows this to be the case. \(\square \)
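The substitutions referred to in this proof, carried out as an added example (not code from the paper): the signing and verification steps of Sect. 5.3 are modelled in Python with every group element replaced by its discrete logarithm mod p and the pairing by a product of exponents, so nothing is hidden and only the algebra is exercised. The prime, the SHA-256 stand-in for H, and the hand-made Lemma 8 encoding of \({\tilde{\Upsilon }} = L_0 \vee ({ L_1 \wedge L_2})\) are assumptions.

```python
# Added example (not from the paper): an "in the exponent" model of the Sect. 5.3 scheme,
# checking the consistency claim of Theorem 9 by substitution. A group element g^x is
# held as x mod p and the pairing e(g^x, g^y) as x*y, so nothing is hidden here.
import hashlib, secrets
P = 2**127 - 1           # prime standing in for the group order p (assumed, toy size)
THETA = 1                # the encoding below uses the variables Z_0, Z_1
# ~Upsilon = L_0 or (L_1 and L_2) as coefficient vectors y_{j,k}: a hand-made encoding
# consistent with Lemma 8 (pi_0 = Z_0); Sect. 5.1's conversion is not on this page.
PI = [[1, 0], [1, 1], [0, P - 1]]        # pi_0 = Z_0, pi_1 = Z_0 + Z_1, pi_2 = -Z_1
ELL = len(PI) - 1
def rnd(): return secrets.randbelow(P - 1) + 1
def keygen(): return (rnd(), rnd(), rnd())          # signing key (a_i, b_i, c_i)
def atomic_sign(sk, msg):
    """Boneh-Boyen pair (u, t) with u = g^{1/(a + b*msg + c*t)}, held as its exponent."""
    a, b, c = sk
    t = rnd()
    return pow((a + b * msg + c * t) % P, P - 2, P), t
def hash_spec(msgs):
    """Msg_0 = H([VK_1:Msg_1], ..., [VK_l:Msg_l], Upsilon) (step 1); keys left implicit."""
    return int(hashlib.sha256(repr((msgs[1:], PI)).encode()).hexdigest(), 16) % P
def v_exp(z, sky, vks, msgs, t, j, k):
    """Exponent of v_{j,k} = (A_{j,k} B_{j,k}^{m_j} C_{j,k}^{t_j})^{y_{j,k}} (step 7)."""
    A, B, C = sky[k] if j == 0 else [z[k] * x % P for x in vks[j]]   # sky: random; VK_j = g_k^(a,b,c)
    return (A + B * msgs[j] + C * t[j]) % P * PI[j][k] % P

def mesh_sign(z, sky, vks, msgs, nu, atomic):
    """nu: Lemma 8 coefficients of chi (nu_0 = 0); atomic[i] = (u_i, t_i) or None."""
    s = [0] + [rnd() for _ in range(ELL)]                                  # step 5
    u = [a[0] if a else 0 for a in atomic]                                 # step 6
    t = [a[1] if a else rnd() for a in atomic]
    v = lambda j, k: v_exp(z, sky, vks, msgs, t, j, k)
    v0 = sum(v(0, k) for k in range(THETA + 1)) % P
    S = [(nu[i] * u[i] - s[i] * v0) % P for i in range(1, ELL + 1)]       # step 8
    Pk = [sum(s[j] * v(j, k) for j in range(1, ELL + 1)) % P for k in range(THETA + 1)]
    return t, S, Pk

def mesh_verify(z, sky, vks, msgs, sig):
    t, S, Pk = sig
    if msgs[0] != hash_spec(msgs):                                         # step 1
        return False
    v = lambda i, k: v_exp(z, sky, vks, msgs, t, i, k)
    v0 = sum(v(0, k) for k in range(THETA + 1)) % P
    for k in range(THETA + 1):                                             # steps 4-6
        lhs = (Pk[k] * v0 + sum(S[i - 1] * v(i, k) for i in range(1, ELL + 1))) % P
        if lhs != (z[0] if k == 0 else 0):                # e(g, g_0) for k = 0, else 1
            return False
    return True

def demo(nu=(0, 1, 1)):   # users with nu_i != 0 sign; mesh-sign under nu; return the verdict
    z, sky = [rnd() for _ in range(THETA + 1)], [keygen() for _ in range(THETA + 1)]
    vks = [None] + [keygen() for _ in range(ELL)]         # VK_i modelled by its dlogs
    msgs = [None, 11, 22]
    msgs[0] = hash_spec(msgs)
    atomic = [None] + [atomic_sign(vks[i], msgs[i]) if nu[i] else None for i in range(1, ELL + 1)]
    return mesh_verify(z, sky, vks, msgs, mesh_sign(z, sky, vks, msgs, nu, atomic))
```

With \(\nu = ({ 0, 1, 1})\) both users' atomic signatures are present and the \(\vartheta + 1\) checks pass; with the non-satisfying \(\nu = ({ 0, 1, 0})\), or with no atomic signatures at all, the \(k = 1\) (respectively \(k = 0\)) equality fails.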

Theorem 10

The mesh signature has everlasting perfect anonymity.

Proof

See “Anonymity of the Mesh Scheme” in the Appendix. \(\square \)

Theorem 11

The mesh signature is existentially unforgeable under an adaptive chosen message attack, against a static adversary that makes no more than q mesh signature queries, and no more than q atomic signature queries to each of the \(\ell \) honest users, adaptively, provided that the \(( q, \ell + 1)\)-Poly-SDH assumption holds in \(\mathbf {G}\), in the common random string model.

Proof

See “Unforgeability of the Mesh Scheme” in the Appendix. \(\square \)

Corollary 12

The mesh signature is existentially unforgeable under an adaptive chosen message attack, against a static adversary that makes no more than q mesh signature queries, and no more than q atomic signature queries to each of \(\ell '\) among a total of \(\ell + \ell '\) honest users, adaptively, provided that the \(( q, \ell , \ell ' + 1)\)-Pluri-SDH assumption holds in \(\mathbf {G}\), in the common random string model.

5.5 Optimizations for Shorter Keys and CRS

As previously mentioned, we can make both the ring and mesh signature schemes more compact and more efficient, by noting that there is no need for three secrets in the atomic signature triplets \((a_i, b_i, c_i)\). As we shall see, two of them would suffice, though one is not enough. We exploit this by arbitrarily anchoring all instances of private keys’ \(b_i\) to the constant 1 and accordingly fixing the corresponding public keys’ \(B_i\) to known values that need no longer be published. The justification for this will become apparent in “Ring Scheme Security Proofs” and “Mesh Scheme Security Proofs” of the Appendices, wherein the simulators that we construct are always allowed to know the value of the \(b_i\), indicating that the latter do not actually contribute to security. Anticipating further from the security reductions, we note that we shall need to construct two different simulators, that will know either one of the remaining private-key secrets \(a_i\) and \(c_i\), and that is the reason why we cannot shrink the private keys further. In summary, in both the mesh and the ring schemes, we can set \(b_i = 1\) wherever it appears and omit the publication of any instance of \(\hat{B}_{i,k} = \hat{g}_k ^{ b_i} = \hat{g}_k\). This results in public keys (including the key “in the sky”) being shrunken to \({ 2}/{ 3}\) of their original size. The scheme also becomes more computationally efficient as a result.

A second way to achieve optimizations is further to compress the key “in the sky” to just two elements of \(\hat{\mathbb {G}}\). This is based on the observation that, for \({\tilde{\Upsilon }} = \Upsilon \vee L_0\), the encoding algorithm of Sect. 5.1 always gives \(\pi _0 = Z_0\), i.e., \(y_{0,0} = 1\) and \(y_{0,k} = 0\) for \(k \ne 0\). This means that the tuples \(({ \hat{A}_{0,k}, \hat{B}_{0,k}, \hat{C}_{0,k}})\) for \(k \ne 0\) are in fact never used. Since it is safe to set \(\hat{B}_{0,0} = \hat{g}\) as discussed above, the key “in the sky” can thus shrink to a mere pair \(({ \hat{A}_{0,0}, \hat{C}_{0,0}})\) of random elements.

6 Conclusion

We have introduced mesh signatures as a generalization of ring signatures with a richer language for expressing signer ambiguity. Mesh signatures scale to large crowds with many cosigners and independent certificate authorities; they can even implicate unwilling individuals who, by withholding their ring public key, would have otherwise remained out of reach. Because in principle mesh signatures require no central authority and only a minimal-trust CRS, they provide a credible answer to the question of how to leak a secret authoritatively.

We have constructed a simple and practical mesh signature scheme in prime-order bilinear groups, which achieves everlasting unconditional anonymity, and existential unforgeability in the common random string model. To obtain this result, we introduced a new complexity assumption, which we prove sound in the generic model; it is in the spirit of the SDH assumption, but better exploits the group structure of the values computed by pairing. Incidentally, as a special case of our construction, we obtain a very efficient ring signature that is the first to be unconditionally anonymous without random oracles.