Compact Structure-Preserving Signatures with Almost Tight Security

Abe, Masayuki; Hofheinz, Dennis; Nishimaki, Ryo; Ohkubo, Miyako; Pan, Jiaxin

doi:10.1007/s00145-023-09477-z

Compact Structure-Preserving Signatures with Almost Tight Security

Research Article
Open access
Published: 10 August 2023

Volume 36, article number 37, (2023)
Cite this article

Download PDF

You have full access to this open access article

Journal of Cryptology Aims and scope Submit manuscript

Compact Structure-Preserving Signatures with Almost Tight Security

Download PDF

Masayuki Abe¹,
Dennis Hofheinz²,
Ryo Nishimaki¹,
Miyako Ohkubo³ &
…
Jiaxin Pan⁴

1184 Accesses
Explore all metrics

Abstract

In structure-preserving cryptography, every building block shares the same bilinear groups. These groups must be generated for a specific, a priori fixed security level, and thus, it is vital that the security reduction in all involved building blocks is as tight as possible. In this work, we present the first generic construction of structure-preserving signature schemes whose reduction cost is independent of the number of signing queries. Its chosen-message security is almost tightly reduced to the chosen-plaintext security of a structure-preserving public-key encryption scheme and the security of Groth–Sahai proof system. Technically, we adapt the adaptive partitioning technique by Hofheinz (Eurocrypt 2017) to the setting of structure-preserving signature schemes. To achieve a structure-preserving scheme, our new variant of the adaptive partitioning technique relies only on generic group operations in the scheme itself. Interestingly, however, we will use non-generic operations during our security analysis. Instantiated over asymmetric bilinear groups, the security of our concrete scheme is reduced to the external Diffie–Hellman assumption with linear reduction cost in the security parameter, independently of the number of signing queries. The signatures in our schemes consist of a larger number of group elements than those in other non-tight schemes, but can be verified faster, assuming their security reduction loss is compensated by increasing the security parameter to the next standard level.

Compact Structure-Preserving Signatures with Almost Tight Security

Improved (Almost) Tightly-Secure Structure-Preserving Signatures

Improved Structure Preserving Signatures Under Standard Bilinear Assumptions

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

1.1 Background

A structure-preserving signature (SPS) scheme [4] is designed over bilinear groups, and features public keys, messages, and signatures that only consist of source group elements. Furthermore, signature verification only uses group membership testing and relations that can be expressed as pairing product equations. Coupled with the Groth–Sahai non-interactive proof system [40] (GS proofs for short), SPS schemes are a powerful tool in constructing a wide range of cryptographic applications. Various SPS schemes based on compact standard assumptions exist in the literature [3,4,5, 22, 24, 25, 39, 46, 49, 53]. When looking at schemes from standard assumptions, the state-of-the-art scheme in [47] yields signatures as compact as consisting of six source group elements.

In this paper, we address the tightness of security proofs for SPS schemes with compact parameters, i.e., constant-size signatures and standard (non-q-type) assumptions. Formally, a security reduction constructs an adversary ${\mathcal {A}}$ on a computational assumption out of an adversary ${\mathcal {A}}'$ on the security of a cryptographic scheme. If we let $\epsilon $ and t denote the success probability and runtime of ${\mathcal {A}}$, and $\epsilon '$ and $t'$ the success probability and runtime of ${\mathcal {A}}'$, then we define the security loss of the reduction, or simply the reduction cost, as $(\epsilon ' t) / (\epsilon t')$ [26]. The reduction is tight if the security loss is a small constant or almost tight if it grows only (as a preferably small function) in the security parameter $\lambda $. In particular, we are concerned about security loss with less dependence to the number $q_s$ of ${\mathcal {A}}'$’s signing queries in a chosen-message attack that can be as large as $2^{30}$.

The only tightly secure SPS under compact assumptions is that by Hofheinz and Jager [43]. Their tree-based construction, however, yields unacceptably large signatures consisting of hundreds of group elements. For other SPS schemes under compact assumptions, the security is proven using a hybrid argument that repeat reductions in $q_s$. Thus, their security loss is $\mathcal {O}(q_s)$ [3, 53] or even $\mathcal {O}(q_s^2)$ [49], as shown in Table 1.

Table 1 Object sizes and loss of security among structure-preserving signature schemes with assumptions in the standard model

Full size table

Table 2 Comparison of factors relevant to computational efficiency against SPS schemes having smallest signature sizes

Full size table

The non-tightness of security reductions does not necessarily mean the existence of a forger with reduced complexity, but the security guarantees given by non-tight reductions are quantitatively weaker than those given by tight reductions. Recovering from the security loss by increasing the security parameter is not a trivial solution when bilinear groups are involved. The security in source and target groups should be balanced, and computational efficiency is influenced by the choice of curves, pairings, and parameters such as embedding degrees, and the presence of dedicated techniques. In practice, an optimal setting for a targeted security parameter is determined by actual benchmarks, e.g., [10, 31, 37], and only standard security parameters such as 128, 192, and 256 have been investigated. One would thus have to hop to the next standard security level to offset the security loss in reality. Besides, we stress that increasing the security parameter for a building block in structure-preserving cryptography is more costly than usual as it results in losing efficiency in all other building blocks using the same bilinear groups. Thus, the demand for tight security is stronger in structure-preserving cryptography.

Even in ordinary (i.e., non-structure-preserving) signature schemes, most of the constructions satisfying tight security are either in the random oracle model, e.g., [1, 16, 28, 48], rely on q-type or strong RSA assumptions, e.g., [20, 54], or lead to large signatures and/or keys, e.g., [27, 51]. Hofheinz presented the first tightly secure construction with compact signatures and keys under a standard compact assumption over bilinear groups [41]. However, his construction can only be used to sign integer messages (and not group elements or, e.g., its own public key), so it is not structure-preserving.

1.2 Our Contributions

We propose the first (almost) tightly secure SPS schemes with constant number of group elements in signatures. Our schemes are proven secure based on standard assumptions (e.g., the symmetric external Diffie–Hellman (SXDH) assumption). Concretely, we first present a generic construction of an almost tightly secure SPS scheme from a structure-preserving public-key encryption secure against chosen-plaintext attacks and the GS proof system. With ElGamal encryption and the GS proofs over asymmetric pairing groups, we obtain concrete SPS schemes with compact signature size whose unforgeability against adaptive chosen-message attacks (UF-CMA) is reduced from the SXDH assumption with security loss at most $\mathcal {O}(\lambda )$, which is independent of $q_s$.^{Footnote 1}

The primary benefit of our tightly secure SPS schemes is their availability in structure-preserving cryptography under the current standard security level. For a system modularly built with structure-preserving building blocks, a compact and tightly secure SPS scheme has been a missing piece, since other useful building blocks, such as one-time signatures and commitments, are known to be tightly secure. Plugging in our scheme, one can increase the proven security in applications of structure-preserving cryptography such as blind signatures [4], group signatures [53], and unlinkable redactable signatures [23] used in anonymous credential systems.

The second benefit of our result is the removal of $q_s$ from the security bound, which aims to simplify the systems design. With previous schemes, there are trade-offs among security, efficiency, and usability; if one desires stronger security guarantees without sacrificing efficiency, a rigid limitation has to be put on the number of signatures per public key, or, if more flexibility on the number of possible signatures is important in considered applications, one has to take the risk with weaker security guarantees or less efficiency. With our schemes, one no longer needs to fix $q_s$ in advance and can focus on desirable security and permissible efficiency for the targeted system.

Nevertheless, the performance as a stand-alone signature scheme is of a concern. We summarise several parameters that dominate the space and computation costs in Table 1 and 2. The bare numbers in the tables imply that our schemes are outperformed by those in the literature if they are used at the same security level. Taking the security loss into consideration, however, the tightness of our schemes offsets the difference in terms of computational complexity. We elaborate this point in the following. Though concrete complexity varies widely depending on platforms and implementations, it is safe to say that computing a pairing in the 192-bit security level is slowed by a factor of $\delta :=6$ to 7 on ordinary personal computers [13, 31] and $\delta :=9$ to 12 on processors for embedded systems [9, 38, 56] compared to those in the 128-bit security level. (This slowdown factor should increase if we take recent update of key sizes as suggested in [12].) According to the number of pairings in Table 2, our scheme for bilateral messages at the 128-bit security level verifies a signature with batch verification $4.6< \delta (n_1+n_2+ 14) / (n_1+n_2+18) < 9.3$ times faster than the KPW scheme at the 192-bit security setting for offsetting its security loss of 60 bits. Applying the same argument to the case of unilateral messages, ours in the 128-bit security level will be $2.2< \delta (n_1+6) / (n_1+16) < 4.5$ times faster compared to the JR scheme in the 192-bit security level. Even with plain verification, i.e., without batch technique, the advantage remains depending on the platform and the size of messages.

We note that the above simple argument ignores dedicated techniques for computing pairing products, e.g., [55], and costs for subtle computations. It may not be fair to ignore the concrete security loss in our schemes, which can be as large as 11 bits for at most $2^{40}$ signing queries, as mentioned in Sect. 4. Nevertheless, taking into account the fact that the performance gap between different security levels will be larger than those shown in the above benchmarks published previously [50] (i.e., slowdown factor $\delta $ in the above argument will be much larger), even the simple estimation is aimed to show the practical significance of tightly secure schemes.

1.3 Technical Overview

Eliminating any representation-dependent computation in the construction is a crucial technical challenge. Towards this goal, we adapt the “adaptive partitioning” technique of Hofheinz [42] (which in turn builds upon [27]) to the setting of structure-preserving signatures. Thus, in our security proof, we gradually transform the conditions necessary for a successful forgery until a valid forgery is impossible. This will require $\mathcal {O}(\log q_s)$ game hops.

Concretely, in the scheme itself, we require that every valid signature must carry an (encrypted) “authentication tag” $Z=X$, where $X\in \mathbb {G}$ is a fixed group element. We will gradually transform this requirement $Z=X$ into the following combination of requirements on the authentication tag $Z^*$ from a valid forgery:

(a)
We must have $Z^*=X\cdot \textsf{M}^*$, where $X\in \mathbb {G}$ is a fixed random group element, and $\textsf{M}^*\in \mathbb {G}$ is the signed message in the forgery.
(b)
Also, we must have $Z^*=X\cdot \textsf{M}_i$ for some previously signed message $\textsf{M}_i$.

Since we may assume $\textsf{M}^*\notin \{\textsf{M}_i\}$ in the (non-strong) existential unforgeability experiment, any attempted forgery will thus be invalid.

The key technique to establishing these modified requirements is a “partitioning argument” similar to the one from [42]. That is, in the proof, we will enforce more and more dependencies of the authentication tag Z on the bit representation of $\textsf{M}$. Note that this bit representation is not used in the real scheme; this would in fact be problematic in the context of structure-preserving constructions. For instance, to establish a dependence of Z on the k-th bit $b_{\textsf{M}}$ of the bit representation of $\textsf{M}$, we proceed as follows:

1.
First, we “partition” the set of all messages into two subsets, depending on $b_{\textsf{M}}$. This means that signatures issued by the experiment now carry (an encryption of) $b_{\textsf{M}}$ in a special component. The reason for this partitioning is that we can now, depending on the encrypted $b_{\textsf{M}}$, use different verification rules.
2.
We guess the encrypted bit $b^*$ from the forgery and change the encrypted Z in issued signatures for all $b_{\textsf{M}}\ne b^*$. (This change can be justified by setting up things such that Z can only be retrieved from a signature if the encrypted bit b is equal to $b^*$. If $b\ne b^*$, then Z is hidden and can hence be modified in issued signatures.) This introduces a dependence of Z in issued signatures on $b_{\textsf{M}}$.

However, the encrypted bit $b^*$ from the forgery is not necessarily identical to $b_{\textsf{M}^*}$ (since this property cannot be easily enforced in a structure-preserving way). As a consequence, we cannot force the adversary to respect the additional dependencies in his forgery. Yet, we will show that we can force the adversary to reuse one $Z=X\cdot \textsf{M}_i$ from a signing query. This leads to requirement (b) in verification forgeries, and requirement (a) will finally be enforced by a regular GS proof in signatures (that GS proof is simulated in all intermediate steps).

This line of reasoning borrows from Chen and Wee’s [27] general idea of establishing tight security through a repeated partitioning of the message space (resp. identity space in an identity-based encryption scheme) into two sets, each time adjusting signatures for messages from one of the two sets in the process. However, their approach, as well as other follow-up approaches (e.g., [11, 19, 34, 41, 52]), embeds the partitioning already in the scheme (in the sense that the scheme must already contain all potentially possible “partitioning rules,” for instance according to each message bit). Since these rules in the mentioned schemes are based on the message bits (or an algebraic predicate on the discrete logarithm of the message [41]), this would not lead to a structure-preserving scheme.

Instead, we adapt the “adaptive partitioning” (AP) technique of Hofheinz [42], in which the partitioning is performed dynamically, through an encrypted partitioning bit embedded in signatures. This allows us to separate partitioning from the way messages are bound to signatures in the scheme. We thus bind a message through an authentication tag, as mentioned above, that is more algebraic and admits structure-preserving GS proofs. The encrypted partitioning bit is fixed to a constant in the real scheme and turned into a variable only in the security proof where non-generic computations are allowed.

In adapting AP to our setting, we face two difficulties, however: the partitioning used in AP is bit-based (which is incompatible with our requirement of a structure-preserving scheme), and its complexity leads to comparatively complex schemes. More specifically, AP leads to several expensive “OR”-proofs in ciphertexts, resp. signatures. As a consequence, the (encryption) schemes in [42] are not competitive in complexity to non-tightly secure schemes, even when taking into account a potentially larger security level for non-tightly secure schemes. On the other hand, our signature schemes are carefully designed so that GS proofs in signatures are done only for less costly linear relations (except for one crucial “OR”-proof). We further use optimization techniques of Escala and Groth [32] to reduce the size of GS proofs in our instantiation.

Moreover, AP crucially relies on the bit representation of messages (resp. encryption tags that are hash values in [42]). In particular, the encryption scheme from [42] is not structure-preserving. For our purposes, we thus have to modify this technique to work with group elements instead of hash values. This leads to a very simple and clean structure-preserving signature scheme whose security proof still crucially uses the bit representation of group elements. We find this property surprising and conceptually interesting.

1.4 Difference to the Previous Version

The constructions in both the previous and current versions are the same, but here we apply a (slightly) different proof technique to improve the security loss of the scheme, namely, from $\mathcal{O}(\lambda )$ to $\mathcal{O}(\log q_s)$. Typically, we will have $q_s\ll 2^\lambda $ (e.g., $\lambda =128$ and $q_s\approx 2^{40}$), so this improvement might be significant. This proof technique is motivated by [35].

1.5 Follow-up Works and Open Problems

Our work is the first tightly secure SPS with compact public keys, and it laid the foundation for many follow-up schemes, such as [7, 8, 29, 35, 45]. Among them, [8, 45] use more efficient NIZK proof systems to implement our framework, while [7, 29, 35] construct tightly secure SPS schemes from compact and tightly secure message authentication code schemes.

While being compact and tightly secure, our concrete SPS schemes and the follow-up works contain a moderate number of group elements in a signature. We note that our scheme still has larger public key and signature sizes than the non-tight schemes, but it paved a way to the aforementioned, more efficient follow-up works. We suppose that eventually we will have a truly practical tightly secure scheme, and we leave this as an open problem. Another interesting open problem is to decrease the security loss from $\mathcal {O}(\log q_s)$ to $\mathcal {O}(1)$.

1.6 Organization

The rest of the paper is organized as follows. After introducing notations, security definitions, and building blocks in Sect. 2, we present our generic construction and its security proof in Sect. 3. We discuss an instantiation over asymmetric bilinear groups in Sect. 4.

2 Preliminaries

2.1 Notations

For an integer p, define ${\mathbb {Z}}_p$ as the residual ring ${\mathbb {Z}}/p{\mathbb {Z}}$. If ${\mathcal {B}}$ is a set, then $x \xleftarrow {\$}{\mathcal {B}}$ denotes the process of sampling an element x from set ${\mathcal {B}}$ uniformly at random. All our algorithms are probabilistic polynomial time (p.p.t. for short) unless stated otherwise. If ${\mathcal {A}}$ is an algorithm, then $a \xleftarrow {\$}{\mathcal {A}}(b)$ denotes the random variable, which is defined as the output of ${\mathcal {A}}$ on input b. To make the randomness explicit, we use the notation $a \leftarrow {\mathcal {A}}(b; r)$, meaning that the algorithm is executed on input b and randomness $r$. Note that ${\mathcal {A}}$’s execution is now deterministic. For an element $\mu \in {\mathbb {Z}}_p$, we denote by $\mu |_k \in \{0,1\} ^k$ the first k bits of $\mu $’s binary representation and by $\mu [k] \in \{0,1\} $ the k-th bit of $\mu $’s binary representation. An empty string is denoted by $\epsilon $.

We say that a function is negligible in security parameter $\lambda $ if, for all constant $c > 0$ and all sufficiently large $\lambda $, $\nu (\lambda ) < \lambda ^{-c}$ holds.

2.2 Pairing Groups and Diffie–Hellman Assumptions

Let $\textsf{PGGen}$ be an algorithm that on input security parameter $\lambda $ returns a description $\textsf{par}=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,$ $G_1,G_2)$ of pairing groups, where p is a $\textsf{poly}(\lambda )$-bit prime, $\mathbb {G}_1$, $\mathbb {G}_2$, $\mathbb {G}_T$ are cyclic groups of order p, $G_1$ and $G_2$ are generators of $\mathbb {G}_1$ and $\mathbb {G}_2$, respectively, and $e: \mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T$ is an efficiently computable non-degenerate bilinear map. Pairing group $\textsf{par}$ is said to be a Type-III asymmetric pairing group if $\mathbb {G}_1\ne \mathbb {G}_2$, and there does not exist an efficiently computable isomorphism between $\mathbb {G}_1$ and $\mathbb {G}_2$. When distinction between source groups is not important, we use $\mathbb {G}$ and $G$ to represent $\mathbb {G}_1$ and/or $\mathbb {G}_2$, and their default generator, respectively. When a group element is given to an algorithm as an input, its membership to the intended group must be tested, but we make it implicit throughout the paper for conciseness of the description.

Our instantiation in Sect. 4 is based on the following standard assumption over asymmetric pairing groups.

Definition 2.1

(Decisional Diffie–Hellman assumption) The decisional Diffie–Hellman assumption ($\textrm{DDH}_s$) holds relative to $\textsf{PGGen}$ in group $\mathbb {G}_s$ ($s \in \{1,2,T\}$) if, for all p.p.t. adversaries ${\mathcal {A}}$, advantage function

$$\begin{aligned} \textrm{Adv}^{{\textsf{ddh}_{s}}}_{\textsf{PGGen}}({\mathcal {A}}):= |\Pr [{\mathcal {A}}(\textsf{par}, G_s^a,G_s^b,G_s^{ab})=1] - \Pr [{\mathcal {A}}(\textsf{par},G_s^a,G_s^b,G_s^c)=1]| \end{aligned}$$

is negligible in security parameter $\lambda $, where the probability is taken over $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda ), a,b,c \xleftarrow {\$}{\mathbb {Z}}_p$. The $\textrm{SXDH}$ assumption holds relative to $\textsf{PGGen}$ if for all p.p.t. adversaries ${\mathcal {A}}$, advantage function $\textrm{Adv}^{{\textsf{sxdh}}}_{\textsf{PGGen}}({\mathcal {A}}):= \max (\textrm{Adv}^{{\textsf{ddh}_{1}}}_{\textsf{PGGen}}({\mathcal {A}}), \textrm{Adv}^{{\textsf{ddh}_{2}}}_{\textsf{PGGen}}({\mathcal {A}}))$ is negligible.

2.3 Structure-Preserving Signatures

Definition 2.2

(Structure-Preserving signature scheme) An SPS scheme $\textsf{SPS}$ with respect to $\textsf{PGGen}$ is a tuple of algorithms $\textsf{SPS}= (\textsf{Gen}, \textsf{Sign}, \textsf{Ver})$:

The key generation algorithm $\textsf{Gen}(\textsf{par})$ takes $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda )$ as input and returns a public/secret key pair, $(\textit{pk},\textit{sk})$, where $\textit{pk}\in \mathbb {G}^{n_{\textit{pk}}}$ for some $n_{\textit{pk}} \in \textsf{poly}(\lambda )$. Message space ${\mathcal {M}}:=\mathbb {G}^{n}$ for some constant $n \in \textsf{poly}(\lambda )$ is implicitly determined by $\textit{pk}$.
The signing algorithm $\textsf{Sign}(\textit{sk},\textsf{M})$ returns a signature $\sigma \in \mathbb {G}^{n_{\sigma }}$ for some $n_{\sigma } \in \textsf{poly}(\lambda )$.
The deterministic verification algorithm $\textsf{Ver}(\textit{pk}, \textsf{M},\sigma )$ solely evaluates pairing product equations and returns 1 (accept) or 0 (reject).

(Perfect correctness.) For all $(\textit{pk},\textit{sk})\xleftarrow {\$}\textsf{Gen}(\textsf{par})$, all messages $\textsf{M}\in {\mathcal {M}}$, and all $\sigma \xleftarrow {\$}\textsf{Sign}(\textit{sk},\textsf{M})$, $\textsf{Ver}(\textit{pk},\textsf{M},\sigma )=1$ holds.

Though our final goal is to achieve security against adaptive chosen-message attacks, we use the following slightly relaxed notion in the generic construction.

Definition 2.3

($\textsf{UF}\text{- }\textsf{XCMA}$ Security) A signature scheme $\textsf{SPS}$ is unforgeable against auxiliary chosen-message attacks ($\textsf{UF}\text{- }\textsf{XCMA}$-secure) for relation $\mathcal {R}$ if, for all p.p.t. adversaries ${\mathcal {A}}$, advantage function

$$\begin{aligned} \textrm{Adv}^{{\textsf{uf} \text{- } \textsf{xcma}}}_{\textsf{SPS}}({\mathcal {A}}):= \Pr \left[ \textsc {Ver}(\textsf{M}^*,\sigma ^*)=1 \left| \begin{array}{l} \,\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda );\\ (\textsf{M}^*,\sigma ^*) \xleftarrow {\$}{\mathcal {A}}^{\textsc {Init},\textsc {Sign}(\cdot ,\cdot )}(\textsf{par}) \end{array}\right. \right] \end{aligned}$$

is negligible in security parameter $\lambda $ where

$\textsc {Init}$ runs $(\textit{pk},\textit{sk}) \xleftarrow {\$}\textsf{Gen}(\textsf{par})$, initializes ${\mathcal {Q}}_{\textsf{M}}$ with $\emptyset $, and returns $\textit{pk}$ to ${\mathcal {A}}$,
$\textsc {Sign}(\textsf{M},\textsf{m})$ checks if $\mathcal {R}(\textsf{M},\textsf{m})=1$, runs $\sigma \xleftarrow {\$}\textsf{Sign}(\textit{sk},\textsf{M})$, adds the $\textsf{M}$ to ${\mathcal {Q}}_{\textsf{M}}$, and returns $\sigma $ to ${\mathcal {A}}$, and
$\textsc {Ver}(\textsf{M}^*,\sigma ^*)$ returns 1 if $\textsf{M}^* \notin {\mathcal {Q}}_{\textsf{M}}$ and $1= \textsf{Ver}(\textit{pk},\textsf{M}^*,\sigma ^*)$, or returns 0, otherwise.

As we are concerned with structure-preserving schemes, we fix $\mathcal {R}(\textsf{M},\textsf{m})$ to a relation that returns 1 iff $\textsf{M}= G^{\textsf{m}}$ where $G$ is a generator in a group. This relation is sufficient for our purpose, that is, combining with a partial one-time signature scheme described below. By letting $\mathcal {R}$ be a constant function $\mathcal {R}=1$, we obtain a standard notion of unforgeability against chosen-message attacks ($\textsf{UF}\text{- }\textsf{CMA}$-secure) and denote its advantage function by $\textrm{Adv}^{{\textsf{uf}\text{- } \textsf{cma}}}_{\textsf{SPS}}({\mathcal {A}})$. $\textsf{UF}\text{- }\textsf{XCMA}$ is slightly stronger than unforgeability against extended random message attacks ($\textsf{UF}\text {-}\textsf{XRMA}$) introduced by Abe et al. [3]. While $\textsf{UF}\text {-}\textsf{XRMA}$ is relative to a preliminary fixed algorithm that chooses messages to sign, it is the adversary that selects messages in $\textsf{UF}\text{- }\textsf{XCMA}$. Thus, $\textsf{UF}\text{- }\textsf{XCMA}$ implies $\textsf{UF}\text {-}\textsf{XRMA}$.

: In this paper, we focus on constructing $\textsf{UF}\text{- }\textsf{XCMA}$ secure structure-preserving signature and then, transform it to a $\textsf{UF}\text{- }\textsf{CMA}$ secure SPS by using a partial one-time signature (POS) scheme [3, 17] in the standard way [3, 49]. POS is also known as two-tier signature schemes and is a variation of one-time signatures where parts of keys are updated after every signing. Here, we recall useful definitions of POS and the transform.

Definition 2.4

(Partial One-Time Signature Scheme [17]) A partial one-time signature scheme $\textsf{POS}$ with respect to $\textsf{PGGen}$ is a set of polynomial-time algorithms $(\textsf{G},\textsf{Update}, \textsf{S}, \textsf{V})$ that, for $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda )$:

$\textsf{G}(\textsf{par})$ generates a long-term public key $\textit{pk}$ and secret key $\textit{sk}$, and implicitly defines the associated message space ${\mathcal {M}}_{o}$ and the one-time public key space ${\mathcal {K}}_{{\textit{opk}}}$.
$\textsf{Update}(\textsf{par})$ takes $\textsf{par}$ as input, and outputs a one-time key pair $(\textit{opk}, \textit{osk})$.
$\textsf{S}(\textit{sk}, \textit{osk}, \textsf{M})$ outputs a signature $\sigma $ on message $\textsf{M}$ based on $\textit{sk}$ and $\textit{osk}$.
$\textsf{V}(\textit{pk}, \textit{opk}, \textsf{M}, \sigma )$ outputs 1 for acceptance or 0 for rejection.

(Perfect correctness.) For all $(\textit{pk},\textit{sk})\xleftarrow {\$}\textsf{G}(\textsf{par})$, all $(\textit{opk},\textit{osk}) \xleftarrow {\$}\textsf{Update}(\textsf{par})$, all messages $\textsf{M}\in {\mathcal {M}}$, and all $\sigma \xleftarrow {\$}\textsf{S}(\textit{sk},\textit{osk},\textsf{M})$, $\textsf{V}(\textit{pk},\textit{opk},\textsf{M},\sigma )=1$ holds.

$\textsf{POS}$ is structure-preserving if $\textit{pk}$, $\textit{opk}$, $\textsf{M}$, and $\sigma $ consist only of elements in $\mathbb {G}$, and $\textsf{V}$ evaluates group membership testing and pairing product equations.

We require $\textsf{POS}$ to be unforgeable against one-time non-adaptive chosen-message attacks ($\textsf{OT}\text {-}\textsf{nCMA}$), which is defined as follows. Here “one-time” means an adversary cannot forge a second signature with respect to an $\textit{opk}$.

Definition 2.5

($\textsf{OT}\text {-}\textsf{nCMA}$ Security) A $\textsf{POS}$ scheme is unforgeable against one-time non-adaptive chosen-message attacks ($\textsf{OT}\text {-}\textsf{nCMA}$) if for any algorithm ${\mathcal {A}}$, the following advantage function $\textrm{Adv}^{{\textsf{ncma}}}_{\textsf{POS}}({\mathcal {A}})$ is negligible in $\lambda $,

$$\begin{aligned} \textrm{Adv}^{{\textsf{ncma}}}_{\textsf{POS}}({\mathcal {A}}):=\Pr \left[ \begin{array}{l} \textsc {Ver}(\textit{opk}^{*},\textsf{M}^{*}, \sigma ^{*}) = 1 \end{array} \,\left| \,\begin{array}{l} \,\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda );\\ (\textit{opk}^{*}, \sigma ^{*},\textsf{M}^{*}) \xleftarrow {\$}{\mathcal {A}}^{\textsc {Init}, \textsc {Sign}(\cdot )}(\textsf{par})\\ \end{array}\right. \right] \end{aligned}$$

where

$\textsc {Init}$ runs $(\textit{pk},\textit{sk}) \xleftarrow {\$}\textsf{G}(\textsf{par})$, initializes ${\mathcal {Q}}_{\textsf{M}}$ with $\emptyset $, and returns $\textit{pk}$ to ${\mathcal {A}}$.
$\textsc {Sign}(\textsf{M})$ runs $(\textit{opk},\textit{osk})\xleftarrow {\$}\textsf{Update}(\textsf{par})$ and $\sigma \xleftarrow {\$}\textsf{S}(\textit{sk},\textit{osk},\textsf{M})$, and then, returns $(\textit{opk},\sigma )$ to ${\mathcal {A}}$, and records $(\textit{opk},\textsf{M}, \sigma )$ to the list ${\mathcal {Q}}_{\textsf{M}}$.
$\textsc {Ver}(\textit{opk}^{*},\sigma ^{*},\textsf{M}^{*})$ returns 1 if there exists $(\textit{opk}^{*},\textsf{M},\sigma ) \in {\mathcal {Q}}_{\textsf{M}}$ and $\textsf{M}^{*} \ne \textsf{M}$ and $1= \textsf{V}(\textit{pk}, \textit{opk}^{*}, \textsf{M}^{*},\sigma ^{*})$, or returns 0, otherwise.

Let $\textsf{POS}:=(\textsf{G},\textsf{Update},\textsf{S},\textsf{V})$ be a structure-preserving partially one-time signature scheme with message space ${\mathcal {M}}$ and one-time public key space ${\mathcal {K}}_{{\textit{opk}}}$, and $\mathsf {{x}SPS{}}:=(\textsf{Gen}',\textsf{Sign}',\textsf{Ver}')$ be a structure-preserving signature scheme with message space ${\mathcal {K}}_{{\textit{opk}}}$. The transformed $\textsf{UF}\text{- }\textsf{CMA}$ secure SPS scheme, $\textsf{SPS}:=(\textsf{Gen},\textsf{Sign},\textsf{Ver})$, is defined as follows.

$\textsf{Gen}(\textsf{par})$:	$\textsf{Sign}(\textit{sk},\textsf{M})$:	$\textsf{Ver}(\textit{pk},\textsf{M},\sigma )$:
$(\textit{pk}_1,\textit{sk}_1)\xleftarrow {\$}\textsf{G}(\textsf{par})$	$(\textit{opk},\textit{osk}) \xleftarrow {\$}\textsf{Update}(\textsf{par})$	Parse $\sigma =(\textit{opk},\sigma _1,\sigma _2) $
$(\textit{pk}_2,\textit{sk}_2) \xleftarrow {\$}\textsf{Gen}'(\textsf{par})$	$\sigma _1 \xleftarrow {\$}\textsf{S}(\textit{sk}_1,\textit{osk},\textsf{M})$	If $ \textsf{V}(\textit{pk}_1,\textit{opk},\textsf{M},\sigma _1)=1$
$\textit{pk}:=(\textit{pk}_1,\textit{pk}_2)$	$\sigma _2 \xleftarrow {\$}\textsf{Sign}'(\textit{sk}_2,\textit{opk})$	$\wedge ~\textsf{Ver}'(\textit{pk}_2,\textit{opk},\sigma _2)=1$
$\textit{sk}:=(\textit{sk}_1,\textit{sk}_2)$	Return $(\textit{opk},\sigma _1,\sigma _2)$	then return 1
Return $(\textit{pk},\textit{sk})$		Else return 0

The correctness and structure-preserving property of $\textsf{SPS}$ are implied by those of $\textsf{POS}$ and $\mathsf {{x}SPS{}}$ in a straightforward way. The following theorem ([3, Theorem 3]) states $\textsf{UF}\text{- }\textsf{CMA}$ security of $\textsf{SPS}$.

Theorem 2.6

If $\textsf{POS}$ is $\textsf{OT}\text {-}\textsf{nCMA}$ secure and $\mathsf {{x}SPS{}}$ is $\textsf{UF}\text {-}\textsf{XRMA}$ secure, then $\mathsf {SPS{}}$ defined as above is $\textsf{UF}\text{- }\textsf{CMA}$ secure. In particular, for all adversaries ${\mathcal {A}}$ against $\textsf{UF}\text{- }\textsf{CMA}$ security of $\mathsf {SPS{}}$, there exist adversaries ${\mathcal {B}}$ against $\textsf{OT}\text {-}\textsf{nCMA}$ security of $\textsf{POS}$ and ${\mathcal {C}}$ against $\textsf{UF}\text {-}\textsf{XRMA}$ security of $\mathsf {{x}SPS{}}$ with running times $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {C}})$ and $\textrm{Adv}^{{\textsf{uf}\text{- } \textsf{cma}}}_{\mathsf {SPS{}}}({\mathcal {A}}) \le \textrm{Adv}^{{\textsf{ncma}}}_{\textsf{POS}}({\mathcal {B}}) + \textrm{Adv}^{{\textsf{uf} \text{- } \textsf{xrma}}}_{\mathsf {{x}SPS{}}}({\mathcal {C}})$.

2.4 Public-Key Encryption Schemes

Definition 2.7

(Public-key encryption) A Public-Key Encryption scheme (PKE) consists of algorithms $\textsf{PKE}:= (\mathsf {Gen_{PKE}},\textsf{Enc},\textsf{Dec})$:

The key generation algorithm $\mathsf {Gen_{PKE}}(\textsf{par})$ takes $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda )$ as input and generates a pair of public and secret keys $(\textit{pk},\textit{sk})$. Message space ${\mathcal {M}}$ is implicitly defined by $\textit{pk}$.
The encryption algorithm $\textsf{Enc}(\textit{pk},\textsf{M})$ returns a ciphertext $\textsf{ct}$.
The deterministic decryption algorithm $\textsf{Dec}(\textit{sk},\textsf{ct})$ returns a message $\textsf{M}$.

(Perfect correctness.) For all $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda )$, $(\textit{pk},\textit{sk})\xleftarrow {\$}\mathsf {Gen_{PKE}}(\textsf{par})$, messages $\textsf{M}\in {\mathcal {M}}$, and $\textsf{ct}\xleftarrow {\$}\textsf{Enc}(\textit{pk},\textsf{M})$, $\textsf{Dec}(\textit{sk},\textsf{ct})=\textsf{M}$ holds.

Definition 2.8

(${\textsf{IND}}-{\textsf{mCPA}}$ Security [14]) A PKE scheme $\textsf{PKE}$ is indistinguishable against multi-instance chosen-plaintext attack (${\textsf{IND}}-{\textsf{mCPA}}$-secure) if for any $q_e\ge 0$ and for all p.p.t. adversaries ${\mathcal {A}}$ with access to oracle $\textsc {Enc}$ at most $q_e$ times the following advantage function $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {A}})$ is negligible,

$$\begin{aligned} \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {A}}):= \left| \Pr \left[ b' = b \left| \begin{array}{l} \textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda ); (\textit{pk},\textit{sk})\xleftarrow {\$}\mathsf {Gen_{PKE}}(\textsf{par}); \\ b \xleftarrow {\$}\{0,1\}; b' \xleftarrow {\$}{\mathcal {A}}^{\textsc {Enc}(\cdot ,\cdot )}(\textit{pk}) \end{array}\right. \right] - \frac{1}{2} \right| , \end{aligned}$$

where $\textsc {Enc}(\textsf{M}_0,\textsf{M}_1)$ runs $\textsf{ct}^* \xleftarrow {\$}\textsf{Enc}(\textit{pk},\textsf{M}_b)$, and returns $\textsf{ct}^*$ to ${\mathcal {A}}$.

Some public-key encryption schemes, e.g., ElGamal encryption [30] and Linear encryption [21], are structure-preserving and satisfy ${\textsf{IND}}-{\textsf{mCPA}}$ security with tight reductions to compact assumptions such as $\textrm{DDH}$ and the Decision Linear assumption [21], respectively (cf. [43]).

2.5 The Groth–Sahai Proof System

We recall the Groth–Sahai proof system and its properties as a commit-and-prove scheme. We follow definitions by Escala and Groth in [32] in a simplified form that is sufficient for our purpose. For a given pairing group $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^{\lambda })$, the GS-proof system is a non-interactive zero-knowledge proof (NIZK) system for satisfiability of a set of equations over $\textsf{par}$. Let $\mathcal {L}_\textsf{par}$ be a family of NP languages defined over $\textsf{par}$. For a language $\mathcal {L}\in \mathcal {L}_\textsf{par}$, let $R_\mathcal {L}:= \{ (x,\omega ): x \in \mathcal {L}\text { and } \omega \in W(x) \}$ be a witness relation, where W(x) is the set of witnesses for $x\in \mathcal {L}$. As our construction fixes the language in advance, it is sufficient for our purpose to define the proof system to be specific to $\mathcal {L}$ as follows.

Definition 2.9

(The Groth–Sahai Proof System) The Groth–Sahai commit-and-prove system for $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^{\lambda })$ and $\mathcal {L}\in \mathcal {L}_{\textsf{par}}$ consists of p.p.t. algorithms $\textsf{GS}:= (\textsf{BG}, \textsf{Com},\textsf{P},\textsf{V})$ that:

$\textsf{BG}(\textsf{par})$ is a binding common reference string generation algorithm that outputs $\textbf{crs}$.
$\textsf{Com} (\textbf{crs}, \omega ; r)$ is a commitment algorithm that outputs a commitment $\textsf{c}$ for given witness $\omega $ with randomness $r\leftarrow \mathcal {R}_c$ and $\textbf{crs}$.
$\textsf{P}(\textbf{crs}, (x,\textsf{c}), (\omega ,r))$ is a prover algorithm that returns a proof $\rho $ on $(x,\omega ) \in R_\mathcal {L}\wedge \textsf{c}=\textsf{Com} (\textbf{crs},\omega ;r)$.
$\textsf{V}(\textbf{crs}, x, \textsf{c},\rho )$ is a deterministic verification algorithm that returns 0 (reject) or 1 (accept).

(Perfect correctness.) For all $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda )$, $\textbf{crs}\xleftarrow {\$}\textsf{BG}(\textsf{par})$, $(x,\omega ) \in R_\mathcal {L}$, and $r\in \mathcal {R}_c$, $\textsf{V}(\textbf{crs},x,\textsf{c},\textsf{P}(\textbf{crs},(x,\textsf{c}),(\omega ,r)))=1$ holds, where $\textsf{c}\leftarrow \textsf{Com} (\textbf{crs}, \omega ; r)$.

When witness $\omega $ consists of several objects and only part of them are committed to $\textsf{c}$, commitments for the remaining part of the witness is prepared by $\textsf{P}$ and included in the proof.

The following properties of the GS-proof system are used in this paper. For a fully formal treatment, we refer to [32].

Definition 2.10

(Security properties of the Groth–Sahai proof system) The following properties hold for all $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda )$,

Perfect Soundness: For all $\textbf{crs}\in \textsf{BG}(\textsf{par})$, all $x \notin \mathcal {L}$, all $\textsf{c}$, and all $\rho $, we have $\textsf{V}(\textbf{crs},x,\textsf{c},\rho )=0$.
CRS Indistinguishability: There exists a algorithm $\textsf{HG}$, called the hiding common reference string generator that, for all adversaries ${\mathcal {A}}$, the following advantage function is negligible,
$$\begin{aligned}{} & {} \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {A}}) \\{} & {} \quad := \left| \Pr \left[ b' = b \left| \begin{array}{l} \textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^\lambda );\\ \textbf{crs}_0\xleftarrow {\$}\textsf{BG}(\textsf{par}); (\textbf{crs}_1,\textsf{trap}) \xleftarrow {\$}\textsf{HG}(\textsf{par});\\ b \xleftarrow {\$}\{0,1\}; b' \xleftarrow {\$}{\mathcal {A}}(\textbf{crs}_b) \end{array}\right. \right] - \frac{1}{2} \right| . \end{aligned}$$
Dual-mode Commitment: For all $\textbf{crs}\in \textsf{BG}(\textsf{par})$, $\textsf{Com} $ is perfectly binding. Namely, for all $w_0\ne w_1$, we have $\{ \textsf{c}_0 \leftarrow \textsf{Com} (\textbf{crs},w_0; r_0) \} \bigcap \{ \textsf{c}_1 \leftarrow \textsf{Com} (\textbf{crs},w_1; r_1) \} = \emptyset $ (where the sets are taken over $r_0, r_1 \in \mathcal {R}_c$).

For all $(\textbf{crs},\textsf{trap}) \in \textsf{HG}(\textsf{par})$, $\textsf{Com} $ is perfectly hiding. Namely, for all $\omega _0\ne \omega _1$, the following two distributions are identical: $\{ \textsf{c}_0 \leftarrow \textsf{Com} (\textbf{crs}, \omega _0;r_0) \}$ and $\{ \textsf{c}_1 \leftarrow \textsf{Com} (\textbf{crs},\omega _1;r_1) \} $, where $r_0,r_1 \in \mathcal {R}_c$.
Perfect Zero-knowledge: There exists a simulator $\textsf{Sim}:= (\textsf{SimCom}, \textsf{SimP})$ such that, for all $(\textbf{crs},\textsf{trap}) \in \textsf{HG}(\textsf{par})$, and $(x,\omega ) \in R_\mathcal {L}$, the following two distributions are identical:
$$\begin{aligned}&\{ (\textsf{c}, \rho ) \,|\, r\xleftarrow {\$}\mathcal {R}_c; \textsf{c}\leftarrow \textsf{Com} (\textbf{crs},\omega ;r); \rho \xleftarrow {\$}\textsf{P}(\textbf{crs},(x,\textsf{c}),(\omega ,r)) \} {, and } \\&\{(\textsf{c}',\rho ')\,|\, (\textsf{c}',\gamma ) \xleftarrow {\$}\textsf{SimCom}(\textbf{crs},\textsf{trap}); \rho ' \xleftarrow {\$}\textsf{SimP}(\textbf{crs},\textsf{trap},\gamma ) \} . \end{aligned}$$
Since the above distributions are identical, it also holds for reused commitments and multiple adaptively chosen statements x that involve the same witness and commitment.

The GS-proof system is structure-preserving for proving satisfiability of linear multi-scalar multiplication equations (MSEs) and a nonlinear quadratic equation (QE). Regarding security, it is known that its CRS indistinguishability is tightly reduced to the $\textrm{SXDH}$ assumption (cf. Theorem 4.3).

3 Generic Construction

In this section, we focus on a generic construction of a $\textsf{UF}\text{- }\textsf{XCMA}$-secure SPS scheme, $\textsf{xSPS}$. By coupling it with an off-the-shelf structure-preserving POS scheme, we obtain a $\textsf{UF}\text{- }\textsf{CMA}$-secure SPS scheme via Theorem 2.6.

3.1 Scheme Description

Let $\textsf{par}\xleftarrow {\$}\textsf{PGGen}(1^{\lambda })$ be a set of system parameters. We represent a source group and its generator by $\mathbb {G}$ and $G$, respectively. Let $\textsf{PKE}:= (\mathsf {Gen_{PKE}},\textsf{Enc},\textsf{Dec})$ be a PKE scheme, and $\textsf{GS}:=(\textsf{BG},\textsf{Com},\textsf{P},\textsf{V})$ be the Groth–Sahai proof system for languages $\mathcal {L}_0$ and $\mathcal {L}_1$ defined below. Our SPS scheme $\textsf{xSPS}:=(\textsf{Gen},\textsf{Sign},\textsf{Ver})$ is defined in Fig. 1.

The correctness of $\textsf{xSPS}$ is implied by that of the Groth–Sahai proof system, and the structure-preserving property is implied by that of the PKE scheme and the Groth–Sahai proof system.

Remark 3.1

(Role of proof $\rho _0$) The main role is to bind a message into a signature. In the real scheme, it is just a proof of the signing key $x_0$ in $\textsf{ct}_0$ (and $\textsf{c}_0$) since $x_1$ is fixed to 0. Yet the proof is bound to message $\textsf{M}$ through randomness $r_1$ used for committing to $x_1$. In the security proof, it can be seen as an encrypted one-time message authentication code (MAC) of $\textsf{M}$ and forces the adversary to reuse given signatures since, intuitively, the adversary cannot generate a new MAC for hidden keys $x_0$ and $x_1$.

Remark 3.2

(Role of proof $\rho _1$) $\rho _1$ is used for partitioning. It proves that two ciphertexts $\textsf{ct}_0$ and $\textsf{ct}_1$ are consistent (namely, the same plaintext is encrypted) or the plaintext in the ciphertext $\textsf{ct}_2$ is committed to in $\textsf{c}_2$. In the real scheme, $\rho _1$ proves the consistency of double encryption $\textsf{ct}_0$ and $\textsf{ct}_1$. In the security proof, $\rho _1$ enables us to achieve two (seemingly incompatible) functionalities under a binding mode CRS. One is forcing the adversary to use consistent ciphertexts in its forgery. A simulator guesses $z^*_2$ in the forgery and makes $x_2 \ne z^*_2$ hold. The other is letting the simulator use inconsistent ciphertexts in a special situation achieved using a partitioning technique (see Sect. 3.2 for more details). In that situation, the simulator can make $x_2 = z_2$ hold and use a real witness of $\rho _0$.

Remark 3.3

(On the range of $z_2$) The range of $z_2$ is ${\mathbb {Z}}_p$ since $z_2$ is the plaintext of $\textsf{ct}_2$. Readers might think we should bind $z_2$ on $\{0,1\}$ by using a Groth–Sahai proof since the simulator in the security proof guesses $z_2^*$ in the forgery as explained in the previous remark. This is not the case. In fact, even if an adversary uses $z_2^*$ such that $z_2^* \notin \{0,1\}$, it has no advantage because the simualtor uses $x_2$ such that $x_2 \in \{0,1\}$ in the security proof. Value $z_2$ affects $\rho _1$. However, to make a valid forgery by using $x_2=z_2^*$ as a witness in $\rho _1$, adversaries have no choice but to use $z_2^* \in \{0,1\}$ as long as $x_2\in \{0,1\}$. Accordingly, we do not need to bind $z_2$ on $\{0,1\}$. This intuition is implemented formally in the proof of Lemma 3.20.

Remark 3.4

(On verifying correctness of $\textit{pk}$) Verifying correctness of commitment $\textsf{k}_i$ with respect to $\textit{sk}_i$ is not necessary for achieving $\textsf{UF}\text{- }\textsf{CMA}$ security where keys are generated honestly by definition. But it may have to be verified (once for all at the time of publishing $\textit{pk}$) if the scheme is used in an application where signers can be corrupted at the time of key generation.

Remark 3.5

(On XCMA and CMA security of $\textsf{xSPS}$.) We prove that $\textsf{xSPS}$ is $\textsf{UF}\text{- }\textsf{XCMA}$ for efficiency though, in fact, we can prove $\textsf{xSPS}$ is $\textsf{UF}\text {-}\textsf{CMA}$. When we prove $\textsf{UF}\text {-}\textsf{CMA}$, a simulator does not have exponents of queried messages, but the simulator must generate proofs $\rho _0$ for $x_1 \ne 0$ under the binding mode $\textbf{crs}_0$ in the security proof (see Sect. 3.3 for details). This is achievable if $\rho _0$ is generated as a proof of “pairing product equations (PPEs)” (in both the real and simulated schemes). If the simulator has exponents, then $\rho _0$ is generated as a proof of “(linear) multiscalar multiplication equations”, which is more efficient than that of PPEs. We not only upgrade $\textsf{UF}\text{- }\textsf{XCMA}$ to $\textsf{UF}\text {-}\textsf{CMA}$ but also achieve an SPS scheme for vector messages by combining our $\textsf{xSPS}$ with (partial) one-time signature at very low cost [3]. Thus, we select the $\textsf{UF}\text{- }\textsf{XCMA}$-secure scheme. See also Sect. 4 for efficiency.

3.2 Overview of Security Proof

Our main goal is to implement an additional check of ${\mathcal {A}}$’s forgery $\sigma ^* :=(\textsf{ct}^*_0,\textsf{ct}^*_1,\textsf{ct}^*_2, \rho ^*_0,\rho ^*_1)$. We not only verify Groth–Sahai proofs, but also check if $Z_0^* \in \{G^{x_0}\cdot \textsf{M}_{i}^{x_1} \}_{i=1}^{q_s} $ for $Z_0^*\leftarrow \textsf{Dec}(\textit{sk}_0,\textsf{ct}^*_0)$. That is, we will force ${\mathcal {A}}$ to reuse an $\textsf{M}_{i}$ in queried messages for $Z^*_0$ (we will set $x_1 :=1$ to achieve this during the game transitions). This explicit check will be introduced when $x_1=0$, so that only one fixed value of $Z^*_0=G^{x_0}$ is consistent with the language $\mathcal {L}_0$. In this case, with $\textbf{crs}_0$ for $\rho _0^*$ being still in perfect soundness mode, we will be able to establish this explicit check by relying on this perfect soundness. Once this explicit check is introduced, we can switch $\textbf{crs}_0$ to simulation mode to be able to prepare simulated signatures with simulated proofs $\rho _0$, and to eventually switch to $x_1=1$. Since ${\mathcal {A}}$ is not allowed to reuse a signed message in its forgery, this leads to a contradiction and ${\mathcal {A}}$ never wins.

To change the success forgery condition, we replace the value $z_0 :=x_0$ in signatures of the signing oracle and the additional forgery check with a value $z_0 :=\textbf{RF}_k (\mu {|_{k}})$ where $\textbf{RF}_k:\{0,1\}^{k} \rightarrow {\mathbb {Z}}_p$ is truly random, and $\mu {|_{k}}$ is the k-bit prefix of a binary encoding $\mu \in \{0,1\}^{L}$ of a signed message $\textsf{M}\in \mathbb {G}$, where $L$ is the smallest even integer that is equal to or larger than the bit size of p. Note that encoding $\mu $ appears only in the security proof (not in the real scheme). We start with $\textbf{RF}_0 (\epsilon ):=x_0$ for the empty string $\epsilon $. We will introduce more dependencies of $z_0$ on $x_2$ and $z_2^*$ in $\textsf{ct}^*_2$.

To increase the entropy of $z_0$ (this will make $z_0$ unpredictable for $\textsf{M}^*$ and force ${\mathcal {A}}$ to reuse $z_0$ from the signing oracle) and eventually set $z_0 :=\textbf{RF}_{L}(\mu )$, we replace $z_0 :=\textbf{RF}_k (\mu {|_{k}})$ with $z_0 :=\textbf{RF}_{k+1}(\mu {|_{k+1}})$ step by step. At each step, we partition the signature space into two halves according to the $(k+1)$-th bit of $\mu $. The partitioning bit is dynamically changed by $z_2^*$ hidden in $\textsf{ct}^*_2$. At the beginning of the game, the simulator guesses the bit $z_2^*$ used in a forgery and aborts if the guess is incorrect ($z_2^*$ is accessible with the decryption key $\textit{sk}_2$). Signature queries are created with a case distinction depending on the $(k+1)$-th bit $\mu [k+1]$ of $\mu $. If $\mu [k+1]$ is equal to the guessed $z_2^*$ from the forgery, nothing is changed in the signing process. However, if $\mu [k+1]$ is different from $z_2^*$, we use another independent random function $\textbf{RF}'_{k}$ and set $z_1 :=\textbf{RF}'_{k} (\mu {|_{k}})$ in the generated signature (i.e., more randomness is supplied).

Note that at this point, we want to change the encrypted values $z_0,z_1$ in the generated signature, while being able to decrypt the value $z_0^*$ from the forgery (to implement the additional check mentioned above). Intuitively, we can do so since the proved statement $(z_0-z_1)(x_2-z_2)=0$ guarantees a consistent double encryption with $z_0=z_1$ precisely when $x_2\ne z_2$. Hence, if we initially set up $x_2$ as $1-z_2^*$ (using our guess for $z_2^*$), it is possible for the simulator to generate inconsistent double encryptions (with $z_0\ne z_1$) whenever $\mu [k+1]=z_2\ne z_2^*$. On the other hand, a decryption key for either $z_0^*$ or $z_1^*$ can be used to implement the final check on the adversary’s forgery (since $z_0^*=z_1^*$). These observations enable a Naor-Yung-like double encryption argument to modify the $z_0,z_1$ values in all generated signatures with $\mu [k+1]\ne z_2^*$.

After the above transition is iterated, all signatures are generated with (or checked for) $z_0 :=z_1 :=\textbf{RF}_L (\mu )$ for a truly random function $\textbf{RF}_L$. At this point, we can replace $z_0$ and $z_1$ with $z_0 :=z_1 :=\textbf{RF}_L(\mu ) + \textsf{m}$ since $\textbf{RF}_L(\mu )$ is an independently and uniformly random element.

We can replace $z_0 :=z_1 :=\textbf{RF}_L(\mu ) + \textsf{m}$ with $z_0 :=z_1 :=x + \textsf{m}$ in a similar way to the case from $\textbf{RF}_0 (\epsilon ) = x$ to $\textbf{RF}_L (\mu )$ (see the proof for the detail). Thus, we can force ${\mathcal {A}}$ to reuse an $\textsf{M}_{i}$ in queried messages for $Z^*_0$, as we explained at the beginning of this section.

3.2.1 Improvement on the Security Loss

Motivated by [35], the above strategy can also be implement by using an index i (which denotes the i-th signing query from the adversary) as inputs to the random functions $\textbf{RF}_k$ and $\textbf{RF}_L$, since the encoding $\mu $ is not explicitly used in the scheme and we only require $q_s$-many random values to randomize the signatures in order to finish the transition from $z_0=x_0$ to random $z_0$. By doing this, we can only apply the hybrid argument on the length of the index i ($1\le i \le q_s$) and reduce the security loss from $\mathcal{O}(\lambda )$ to $\mathcal{O}(\lceil \log q_s\rceil )$. Note that $q_s$ is less or even much less than $2^\lambda $. In the following, we present our updated proof with security loss $\mathcal{O}(\lceil \log q_s\rceil )$ in details. The proof is almost the same as the previous one, but with less hybrid repetitions.

3.3 Security Proof

Theorem 3.6

If $\textsf{PKE}$ is ${\textsf{IND}}-{\textsf{mCPA}}$-secure and $\textsf{GS}$ is a Groth–Sahai proof system, then $\textsf{xSPS}$ (defined in Sect. 3.1) is $\textsf{UF}\text{- }\textsf{XCMA}$-secure. Particularly, for all adversaries ${\mathcal {A}}$, there exist adversaries ${\mathcal {B}}_1$ and ${\mathcal {B}}_2$ with running time $\textbf{T}({\mathcal {B}}_1) \approx \textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}_2)$ and

$$\begin{aligned} \textrm{Adv}^{{\textsf{uf} \text{- } \textsf{xcma}}}_{\textsf{xSPS}}({\mathcal {A}}) \le (8L+ 6) \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 12 L\cdot \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + \frac{4Lq_s}{p}, \end{aligned}$$

where $L:=\lceil \log q_s\rceil $ and $q_s$ the maximal number of signing queries from ${\mathcal {A}}$.

Proof

Let ${\mathcal {A}}$ be an adversary against $\textsf{UF}\text{- }\textsf{XCMA}$ security of $\textsf{xSPS}$. We prove Theorem 3.6 via Games $\textsf{G}_0 \text{- } \textsf{G}_3$ defined in Fig. 2. We use $\textrm{AdvG}_{\alpha }$ to denote the advantage of ${\mathcal {A}}$ in Game $\textsf{G}_\alpha $.

$\textsf{G}_0$ is the real attack game. We have lemmata below.

Lemma 3.7

$\textrm{AdvG}_{0} = \textrm{Adv}^{{\textsf{uf} \text{- } \textsf{xcma}}}_{\textsf{xSPS}}({\mathcal {A}})$.

Lemma 3.8

($\textsf{G}_0$ to $\textsf{G}_1$) There exist adversaries ${\mathcal {B}}_1$ against CRS indistinguishability of $\textsf{GS}$ and ${\mathcal {B}}_2$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with running times $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}_1) \approx \textbf{T}({\mathcal {B}}_2)$ and $\textrm{AdvG}_{0} \le \textrm{AdvG}_{1} + (4L+ 3) \cdot \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 6 L\cdot \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + \frac{2Lq_s}{p}$, where $L:=\lceil \log q_s\rceil $ and $q_s$ is the maximal number of signing queries from ${\mathcal {A}}$.

We prove Lemma 3.8 in Sect. 3.3.1.

Lemma 3.9

($\textsf{G}_1$ to $\textsf{G}_2$) $\textrm{AdvG}_{1} = \textrm{AdvG}_{2}.$

Proof

The changes in $\textsf{G}_2$ are:

Switching $x_1$ from 0 to 1: since $\textsf{c}_1$ is already simulated and is independent of $x_1$ in $\textsf{G}_1$, $\textit{pk}$ is distributed identically in both $\textsf{G}_1$ and $\textsf{G}_2$.
Switching $Z_0$ and $Z_1$ from $G^{\textbf{F}(j)}$ to $G^{\textbf{F}(j)} \cdot \textsf{M}_{j}$: since $\textbf{F}$ is a truly random function, $\{ G^{\textbf{F}({j})} \}_{j=1}^{q_s}$ and $\{ G^{\textbf{F}({j})} \cdot \textsf{M}_{j} \}_{j=1}^{q_s}$ are distributed identically.

Thus, games $\textsf{G}_1$ and $\textsf{G}_2$ are identical. $\square $

Lemma 3.10

($\textsf{G}_2$ to $\textsf{G}_3$) There exist adversaries ${\mathcal {B}}_1$ against CRS indistinguishability of $\textsf{GS}$ and ${\mathcal {B}}_2$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with running times $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}_1) \approx \textbf{T}({\mathcal {B}}_2)$ and $\textrm{AdvG}_{2} \le \textrm{AdvG}_{3} + (4L+ 3) \cdot \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 6 L\cdot \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + \frac{2Lq_s}{p} $, where $L:=\lceil \log q_s\rceil $ and $q_s$ is the maximal number of signing queries from ${\mathcal {A}}$.

After switching $z_{0,i}$ and $z_{1,i}$ from $\textbf{F}( i)$ to $\textbf{F}( i) +\textsf{m}_{i}$ in $\textsf{G}_2$, $\textsf{G}_3$ switches them from $\textbf{F}(i) +\textsf{m}_{i}$ to $x_0 + \textsf{m}_{i}$, which is exactly the step from $\textsf{G}_0$ to $\textsf{G}_1$, but in a reverse direction. The proof of Lemma 3.10 is similar to that of Lemma 3.8. The details are in Sect. 3.3.2.

Lemma 3.11

($\textsf{G}_3$) $\textrm{AdvG}_{3}=0.$

Proof

In $\textsf{G}_3$, $\textbf{crs}_0 \xleftarrow {\$}\textsf{BG}(\textsf{par})$ is in the binding mode. By the perfect soundness, $Z_0^* = G^{x_0} \cdot \textsf{M}^*$ if the GS-proof verification $\textsf{V}(\textbf{crs}_0,(\textit{pk}_0,\textsf{ct}^*_0,\textsf{M}^*), (\textsf{c}_0,\textsf{c}_1,\textsf{k}_3),\rho ^*_0)=1$. Since $\mathbb {G}_1$ is a prime-order cyclic group and $\textsf{M}^* \notin {\mathcal {Q}}_{\textsf{M}}$, $Z^*_0 \notin \{Z_{0,j} = G^{x_0} \cdot \textsf{M}_{j} \}_{j=1}^{q_s} $ always holds and $\textsc {Ver}(\textsf{M}^*,\sigma ^*)$ outputs 0. $\square $

Summarizing Lemmata 3.7-3.11, we have Theorem 3.6. $\square $

3.3.1 From $\textsf{G}_0$ to $\textsf{G}_1$: Proof of Lemma 3.8

In this section, we prove Lemma 3.8. The proof proceeds via Games $\textsf{H}_0 \text{- } \textsf{H}_3$ and $\textsf{H}_{4,0} \text{- } \textsf{H}_{4,L}$ defined in Figs. 3 and 4 gives an overview of the game transitions. The advantage of ${\mathcal {A}}$ in Game $\textsf{H}_\alpha $ is denoted by $\textrm{AdvH}_{\alpha }$.

We define $\textsf{H}_0:= \textsf{G}_0$ and have lemmata as follows.

Lemma 3.12

($\textsf{H}_0$) $\textrm{AdvH}_{0}=\textrm{AdvG}_{0}.$

Lemma 3.13

($\textsf{H}_0$ to $\textsf{H}_1$) $\textrm{AdvH}_{1} = \textrm{AdvH}_{0}$.

Proof

In $\textsf{H}_1$, $\textbf{crs}_0 \xleftarrow {\$}\textsf{BG}(\textsf{par})$ is in the binding mode and the $\textsf{GS}$ proof for $\mathcal {L}_0$ is perfectly sound. Then, $Z_0^* = G^{x_0}$ holds if $\rho _0$ is accepted. Thus, $\textsf{H}_1$ and $\textsf{H}_0$ are identical. $\square $

Lemma 3.14

($\textsf{H}_1$ to $\textsf{H}_2$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}}) $ and $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvH}_{2}-\textrm{AdvH}_{1}|$.

Proof

Games $\textsf{H}_2$ and $\textsf{H}_1$ only differ in the distribution of $\textbf{crs}_0$ returned by $\textsc {Init}$, namely, $\textbf{crs}_0$ is in the hiding or binding mode. From that, we obtain a straightforward reduction to CRS indistinguishability of $\textsf{GS}$. $\square $

Lemma 3.15

($\textsf{H}_2$ to $\textsf{H}_3$) $\textrm{AdvH}_{3}=\textrm{AdvH}_{2}$.

Proof

Instead of using the prover algorithm $\textsf{P}$, $\textsf{H}_3$ generates $\rho _0$ and relevant commitments with the zero-knowledge simulator, $\textsf{Sim}$. By the perfect zero-knowledge property, $\textsf{H}_3 = \textsf{H}_2$. $\square $

In $\textsf{H}_{4,0}$, we syntactically define $x_0$ by $\textbf{RF}_0(\epsilon )$, which is a fixed random element from ${\mathbb {Z}}_p$, and we have

Lemma 3.16

($\textsf{H}_3$ to $\textsf{H}_{4,0}$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability of $\textsf{GS}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}})$ and $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvH}_{4,0} - \textrm{AdvH}_{3}|$.

Proof

The only difference between $\textsf{H}_{4,0}$ and $\textsf{H}_{3}$ is the simulation of $\textbf{crs}_1$, which is generated by either $\textsf{BG}$ (in $\textsf{H}_{3}$) or $\textsf{HG}$ (in $\textsf{H}_{4,0}$) since $\textbf{RF}_0 (\epsilon ) =x_0$ and ${j}|_0 = \epsilon $ for all $j\in [q_s]$. From that, we obtain a straightforward reduction to CRS indistinguishability of $\textsf{GS}$. $\square $

Lemma 3.17

($\textsf{H}_{4,k}$ to $\textsf{H}_{4,k+1}$) There exist adversaries ${\mathcal {B}}_1$ against CRS indistinguishability of $\textsf{GS}$ and ${\mathcal {B}}_2$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with running times $ \textbf{T}({\mathcal {B}}_1) \approx \textbf{T}({\mathcal {B}}_2) \approx \textbf{T}({\mathcal {A}})$ and $\textrm{AdvH}_{4,k} - \textrm{AdvH}_{4,k+1} \le 4 \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 6\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + \frac{2 q_s}{p}$

Proof

We define the games between $\textsf{H}_{4,k}$ and $\textsf{H}_{4,k+1}$ in Fig. 5, and an overview of the game transitions is presented in Fig. 6.

Lemma 3.18

($\textsf{H}_{4,k}$ to $\textsf{H}_{4,k,1}$) $\textrm{AdvH}_{4,k,1} = \textrm{AdvH}_{4,k}.$

Proof

In $\textsf{H}_{4,k,1}$, $x_2$ is switched from 0 to $1-\beta $, where $\beta \xleftarrow {\$}\{0,1\}$. Though $x_2 \ne z_{2,i}$ may happen in $\textsf{H}_{4,k,1}$, still $z_{0,i} = z_{1,i}$ holds and hence, $\textsf{ins}_1$ is in $\mathcal {L}_1$ in both games. Thus, commitment $\textsf{c}_2 \xleftarrow {\$}\textsf{Com} (\textbf{crs}_1,x_2)$ and proofs $\rho _1$ distribute identically in both games due to the witness indistinguishability under $\textbf{crs}_1$ generated by $\textsf{HG}(\textsf{par})$. Thus, $\textrm{AdvH}_{4,k,1} = \textrm{AdvH}_{4,k}$. $\square $

Lemma 3.19

($\textsf{H}_{4,k,1}$ to $\textsf{H}_{4,k,2}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}}) $ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvH}_{4,k,2} - \textrm{AdvH}_{4,k,1}|$.

Proof

In $\textsf{H}_{4,k,2}$, $\textsf{ct}_2$ encrypts $Z_{2,i} = G^{{i}[k+1]}$, instead of $Z_{2,i} = G^0$. Observe that $\textit{sk}_2$ is used only in making commitment $\textsf{k}_2$ and proof $\rho _1$ with $\textbf{crs}_1$ generated by $\textsf{HG}(\textsf{par})$ in both games. Thus, we can construct a straightforward reduction to bound the difference by ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ by using perfect zero-knowledge simulator $\textsf{Sim}$ for making $\rho _1$ and relevant commitments. $\square $

Lemma 3.20

($\textsf{H}_{4,k,2}$ to $\textsf{H}_{4,k,3}$) $\textrm{AdvH}_{4,k,3} = \frac{1}{2} \textrm{AdvH}_{4,k,2}$.

Proof

In $\textsf{H}_{4,k,3}$, $\beta $ and $b$ are independent of adversary’s view and chosen uniformly at random. $\textsf{c}_2$ perfectly hides $\beta $ since $\textbf{crs}_1$ is generated by $\textsf{HG}(\textsf{par})$ and the simulation of $\textsc {Sign}$ is independent of $\beta $. Thus, the event $\textsc {Abort}$ is independent of adversary’s success event and

$$\begin{aligned} \Pr [\textsc {Abort}]= & {} \Pr [(z_2^* \in \{0,1\}) \wedge z_2^* =1-\beta ] + \Pr [z_2^* \notin \{0,1\} \wedge b=0] \\= & {} \frac{1}{2} \Pr [z^*_2 \in \{0,1 \}] + \frac{1}{2} (1-\Pr [z^*_2 \in \{0,1 \}]) =\frac{1}{2}, \end{aligned}$$

where $z_2^*$ is the discrete log of $Z^*_2$ based on $G$ and independent of b. This only halves ${\mathcal {A}}$’s advantage. We note that, for all accepted forgeries in Games $\textsf{H}_{4,k,3}$ to $\textsf{H}_{4,k,8}$, the following equation holds:

$$\begin{aligned} z_2^* \ne x_2. \end{aligned}$$

(1)

$\square $

In the following games, we define the random function for an integer $i \in {\mathbb {Z}}_p$:

$$\begin{aligned} \textbf{RF}_{k+1}(i{|_{k+1}}):= \left\{ \begin{array}{l} \textbf{RF}_k(i{|_k}) \\ \textbf{RF}'_{k}(i{|_k}) \end{array} \begin{array}{l} (i[k+1]= \beta ) \\ (i[k+1]= 1-\beta ) \end{array}\right. , \end{aligned}$$

(2)

where $\textbf{RF}_k$ and $\textbf{RF}'_k$ are two independent random functions from $\{0,1\}^k \rightarrow {\mathbb {Z}}_p$. As stated in Sect. 2.1, $i|_k \in \{0,1\} ^k$ denotes the first k bits of i’s binary representation and by $i[k] \in \{0,1\} $ the k-th bit of i’s binary representation. By the definition, we note that $\textbf{RF}_{k+1}: \{0,1\}^{k+1} \rightarrow {\mathbb {Z}}_p$ is a random function.

Lemma 3.21

($\textsf{H}_{4,k,3}$ to $\textsf{H}_{4,k,4}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}}) $ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvH}_{4,k,4} - \textrm{AdvH}_{4,k,3}|$.

Proof

In game $\textsf{H}_{4,k,4}$, $x_2 = z_{2,i} $ holds if $i[k+1]\ne \beta $; otherwise, $z_{0,i}=z_{1,i}$. If $i[k+1] = \beta $, then $z_{0,i} = z_{1,i} = \textbf{RF}_k(i|_k)$, otherwise $x_2 = z_{2,i} = 1-\beta $ by Eq. (2). Thus, in either case, $(z_{0,i} - z_{1,i}) (x_2 - z_{2,i}) =0$ holds and $\textsf{ins}_1 \in \mathcal {L}_1$. Another difference between $\textrm{AdvH}_{4,k,3}$ and $\textsf{H}_{4,k,4}$ is that $\textsf{ct}_1$ is a ciphertext either of $Z_{1,i} = G^{\textbf{RF}_{k+1}(i|_{k+1})}$ (in $\textsf{H}_{4,k,4}$) or $Z_{1,i} = G^{\textbf{RF}_k(i|_k)}$ (in $\textrm{AdvH}_{4,k,3}$). Moreover, $\textit{sk}_1$ is used only for making $\textsf{k}_1$ and $\rho _1$ with respect to $\textbf{crs}_1$ generated by $\textsf{HG}(\textsf{par})$ in both games. Thus, as well as Lemma 3.19, we can construct a straightforward reduction to bound this difference by ${\textsf{IND}}-{\textsf{mCPA}}$-security of $\textsf{PKE}$ using $\textsf{Sim}$ for simulating $\rho _1$ and relevant commitments. Lemma 3.21 is concluded. $\square $

Lemma 3.22

($\textsf{H}_{4,k,4}$ to $\textsf{H}_{4,k,5}$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability of $\textsf{GS}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}})$ and $2\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvH}_{4,k,5} - \textrm{AdvH}_{4,k,4}|.$

Proof

In $\textsf{H}_{4,k,5}$, $\textsc {Ver}$ rejects a forgery if $Z_{1-(k\,\textsf{mod}\,2)}^* \notin \{ G^{\textbf{RF}_k( j|_k)} \}_{j=1}^{q_s}$ instead of using $Z^*_{k\,\textsf{mod}\,2}$. In these games, Eq. (1) holds and we can switch $\textbf{crs}_1$ to be binding and argue that $Z_{k\,\textsf{mod}\,2}^* = Z_{1-(k\,\textsf{mod}\,2)}^*$ must hold by $z_2^* \ne x_2$ and the perfect soundness of $\textsf{GS}$ for language $\mathcal {L}_1$. More formally, we prove that via the game sequence in Fig. 7. Here, we only change the simulation of $\textsc {Init}$ and $\textsc {Ver}$, and the simulation of $\textsc {Sign}$ is the same as in $\textsf{H}_{4,k,4}$. As shown in Lemma 3.21, $\textsf{ins}_1$ is always in $\mathcal {L}_1$ and we can construct a straightforward reduction to show that there exists an adversary ${\mathcal {B}}$ against CRS indistinguishability of $\textsf{GS}$ with

$$\begin{aligned} \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |{\textrm{AdvH}'}_{1} - \textrm{AdvH}_{4,k,4}|. \end{aligned}$$

Since $\textbf{crs}_1$ is binding in both $\textsf{H}'_1$ and $\textsf{H}'_2$, by the perfect soundness of $\textsf{GS}$ and Eq. (1), $Z_{k\,\textsf{mod}\,2}^* =Z_{1-(k\,\textsf{mod}\,2)}^*$ holds if $\rho _1^*$ gets verified. Hence, the changes between $\textsf{H}'_1$ and $\textsf{H}'_2$ are only conceptual, and thus, ${\textrm{AdvH}'}_{2}= {\textrm{AdvH}'}_{1}.$ By the CRS indistinguishability of $\textsf{GS}$, we have $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |{\textrm{AdvH}'}_{3} -{\textrm{AdvH}'}_{2}|.$ It is clear that ${\textrm{AdvH}'}_{3} = \textrm{AdvH}_{4,k,5}$ $\square $

Lemma 3.23

($\textsf{H}_{4,k,5}$ to $\textsf{H}_{4,k,6}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}}) $ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvH}_{4,k,6} - \textrm{AdvH}_{4,k,5}|$.

Proof

In $\textsf{H}_{4,k,6}$, $z_{0,i}=z_{1,i}$ is used as $w_1$. It holds that $(z_{0,i} - z_{1,i}) (x_2 - z_{2,i}) =0$ and $\textsf{ins}_1 \in \mathcal {L}_1$ as the case in $\textsf{H}_{4,k,5}$. In the signing oracle of $\textsf{H}_{4,k,6}$, $\textsf{ct}_0$ encrypts $Z_{0,i} = G^{\textbf{RF}_{k+1}( i|_{k+1})}$ instead of $Z_{0,i} = G^{\textbf{RF}_{k}( i|_{k})}$. Observe that $\textit{sk}_0$ is used only in making $\textsf{k}_0$ and $\rho _1$ with $\textbf{crs}_1$ generated by $\textsf{HG}(\textsf{par})$ in both games. We thus can construct a straightforward reduction to bound the difference between $\textsf{H}_{4,k,5}$ and $\textsf{H}_{4,k,6}$ by ${\textsf{IND}}-{\textsf{mCPA}}$ security using zero-knowledge simulator $\textsf{Sim}$ for making $\rho _1$ and relevant commitments. $\square $

Lemma 3.24

($\textsf{H}_{4,k,6}$ to $\textsf{H}_{4,k,7}$) $\textrm{AdvH}_{4,k,6} \le \textrm{AdvH}_{4,k,7} + \frac{q_s}{p}.$

Proof

According to Eq. (2), the difference between $\textsf{H}_{4,k,6}$ and $\textsf{H}_{4,k,7}$ is that the accepted forgery with a $Z_{1-(k\,\textsf{mod}\,2)}^*$ in either:

$$\begin{aligned} {\mathcal {Z}}_6&:= \{ G^{\textbf{RF}_{k}({j}|_{k})} \}_{j=1}^{q_s} \\&= \underbrace{\{ G^{\textbf{RF}_{k}({j}|_{k})} : {j}[k+1] = \beta \}_{j=1}^{q_s}}_{=:{\mathcal {S}}_1} \cup \{ G^{\textbf{RF}_{k}({j}|_{k})} : {j}[k+1] = 1-\beta \}_{j=1}^{q_s} \\&\quad (\text {in }\textsf{H}_{4,k,6}) \end{aligned}$$

or

$$\begin{aligned} {\mathcal {Z}}_7:= \{ G^{\textbf{RF}_{k+1}({j}|_{k+1})} \}_{j=1}^{q_s} = {\mathcal {S}}_1\cup \{ G^{\textbf{RF}'_{k}({j}|_{k})}: {j}[k+1] = 1-\beta \}_{j=1}^{q_s} (\text {in }\textsf{H}_{4,k,7}). \end{aligned}$$

We note that, for the i-th messages $\textsf{M}$ where $i[k+1] =1-\beta $ and $i|_k \in {\mathcal {C}}{\mathcal {M}}:= \{ {j}|_k: {j}[k+1] = \beta \}_{j=1}^{q_s} $, the value $G^{\textbf{RF}_{k}(i|_{k})} \in {\mathcal {S}}_1$. Namely,

$$\begin{aligned} \mathcal {S}'&:= {\mathcal {S}}_1\bigcap \{ G^{\textbf{RF}_{k}({j}|_{k})} : {j}[k+1] = 1-\beta \}_{j=1}^{q_s} \\&= \{ G^{\textbf{RF}_{k}( j|_{k})} : j[k+1]= 1- \beta \wedge j|_k \in {\mathcal {C}}{\mathcal {M}}\}_{j=1}^{q_s}. \end{aligned}$$

We note that $\mathcal {S}'$ is not empty, since each element $G^{\textbf{RF}_{k}( j|_{k})}$ depends on the k-bit prefix of j. Thus, we can rewrite

$$\begin{aligned} {\mathcal {Z}}_6= {\mathcal {S}}_1\cup \underbrace{\{ G^{\textbf{RF}_k({j}|_k)}: {j}[k+1] = 1-\beta \wedge {j}|_k \notin {\mathcal {C}}{\mathcal {M}}\}_{j=1}^{q_s}}_{=:{\mathcal {S}}_2}. \end{aligned}$$

We define the following game $\textsf{H}_{4,k,6'}$ between $\textsf{H}_{4,k,6}$ and $\textsf{H}_{4,k,7}$. $\textsf{H}_{4,k,6'}$ simulates $\textsc {Init}$ and $\textsc {Sign}$ as in $\textsf{H}_{4,k,6}$, but differs in simulating $\textsc {Ver}$, where it only accepts forgery with $Z_{1-(k\,\textsf{mod}\,2)}^* \in {\mathcal {S}}_1$. Precisely, $\textsf{H}_{4,k,6'}$ simulates $\textsc {Ver}$ as follows:

Parse $\sigma ^*:=((\textsf{ct}^*_j)_{0\le j\le 2},\rho ^*_0,\rho ^*_1)$.
$Z_2^* \leftarrow \textsf{Dec}(\textit{sk}_2,\textsf{ct}^*_2)$. If $Z_2^* \ne G^{\beta }$, then return 0.
$Z_{1-(k\,\textsf{mod}\,2)}^* \leftarrow \textsf{Dec}(\textit{sk}_{1-(k\,\textsf{mod}\,2)},\textsf{ct}^*_{1-(k\,\textsf{mod}\,2)})$. If $Z_{1-(k\,\textsf{mod}\,2)}^* \notin {\mathcal {S}}_1$, then return 0.
Return $(\textsf{M}^* \notin {\mathcal {Q}}_{\textsf{M}}) \wedge (\textsf{Ver}(\textit{pk},\textsf{M}^*,\sigma ^*)=1)$.

We note that the value $\textbf{RF}_k(j|_k)$ is perfectly hidden from ${\mathcal {A}}$ for $j[k+1] = 1 - \beta $ and $j|_k \notin {\mathcal {C}}{\mathcal {M}}$ since ${\mathcal {A}}$ only learns $\textbf{RF}'_k(j|_k)$ from $\textsc {Sign}$ by Eq. (2) and $\textbf{RF}$ and $\textbf{RF}' $ are two independent random functions. Thus, even an unbounded adversary ${\mathcal {A}}$ can output a value in ${\mathcal {S}}_2$ with probability at most $q_s/p$ and the following holds,

$$\begin{aligned} \textrm{AdvH}_{4,k,6}-\textrm{AdvH}_{4,k,6'} \le \frac{q_s}{p}. \end{aligned}$$

Compared to $\textsf{H}_{4,k,6'}$, there are more valid forgeries in $\textsf{H}_{4,k,7}$ and we have

$$\begin{aligned} \textrm{AdvH}_{4,k,6'} \le \textrm{AdvH}_{4,k,7}. \end{aligned}$$

Thus, $\textrm{AdvH}_{4,k,6}-\textrm{AdvH}_{4,k,7}\le \frac{q_s}{p}$ and we conclude the lemma. $\square $

Lemma 3.25

($\textsf{H}_{4,k,7}$ to $\textsf{H}_{4,k,8}$) $\textrm{AdvH}_{4,k,8} = 2 \textrm{AdvH}_{4,k,7}$.

Proof

$\textsf{H}_{4,k,8}$ accepts a forgery no matter if $\textsc {Abort}=1$ or not. By the same argument as in Lemma 3.20, this doubles the advantage of ${\mathcal {A}}$. $\square $

Note that we have stopped using $\textit{sk}_2$ in $\textsf{H}_{4,k,8}$. In $\textsf{H}_{4,k,9}$, $\textsf{ct}_2$ encrypts $Z_{2,i} = G^0$ instead of $Z_{2,i} = G^{ i[k+1]}$. By the same argument as Lemma 3.19, we have

Lemma 3.26

($\textsf{H}_{4,k,8}$ to $\textsf{H}_{4,k,9}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}}) $ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvH}_{4,k,9} - \textrm{AdvH}_{4,k,8}|$.

Lemma 3.27

($\textsf{H}_{4,k,9}$ to $\textsf{H}_{4,k,10}$) $\textrm{AdvH}_{4,k,10} = \textrm{AdvH}_{4,k,9}$.

Proof

In $\textsf{H}_{4,k,10}$, $x_2$ is switched from $1-\beta $ to 0 and $\rho _1$ is generated by using $\textsf{P}$ instead of $\textsf{Sim}$. Since $\textbf{crs}_1$ is generated by $\textsf{HG}(\textsf{par})$, $\textsf{c}_2 \xleftarrow {\$}\textsf{Com} (\textbf{crs}_1,x_2)$ is distributed the same in both $\textsf{H}_{4,k,9}$ and $\textsf{H}_{4,k,10}$. So is $\rho _1$ by the perfect zero-knowledge property. Thus, $\textrm{AdvH}_{4,k,10} = \textrm{AdvH}_{4,k,19}$. $\square $

Lemma 3.28

($\textsf{H}_{4,k,10}$ to $\textsf{H}_{4,k+1}$) $\textrm{AdvH}_{4,k+1} = \textrm{AdvH}_{4,k,10} $.

Proof

$\textsf{H}_{4,k,10}$ simulates $\textsc {Init}$ and $\textsc {Ver}$ the same as in $\textsf{H}_{4,k}$ and $z_{0,i} = z_{1,i} $ $= \textbf{RF}_{k+1}( i|_{k+1})$. Thus, $\textrm{AdvH}_{4,k,10} = \textrm{AdvH}_{4,k+1}$. $\square $

From Lemmata 3.18 to 3.23, we have

$$\begin{aligned} \textrm{AdvH}_{4,k} - 2 \textrm{AdvH}_{4,k,6} \le |\textrm{AdvH}_{4,k} - 2 \textrm{AdvH}_{4,k,6}| \le 4 \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 5 \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) . \end{aligned}$$

From Lemmata 3.25 to 3.28, we have

$$\begin{aligned} 2 \textrm{AdvH}_{4,k,7} - \textrm{AdvH}_{4,k+1} \le |2 \textrm{AdvH}_{4,k,7} - \textrm{AdvH}_{4,k+1}| \le \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) . \end{aligned}$$

As $2 \textrm{AdvH}_{4,k,6} \le 2 \textrm{AdvH}_{4,k,7} + \frac{2q_s}{p} $ (Lemma 3.24), we conclude Lemma 3.17 as

$$\begin{aligned} \textrm{AdvH}_{4,k} - \textrm{AdvH}_{4,k+1} \le 4 \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 6 \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + {2 q_s}/{p}. \end{aligned}$$

$\square $

We syntactically define $\textbf{F}({i}):= \textbf{RF}_{L}({i}) $ in $\textsf{G}_1$ since the binary representation of a group element is unique and have

Lemma 3.29

($\textsf{H}_{4,L}$ to $\textsf{G}_1$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability of $\textsf{GS}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}}) $ and $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvG}_{1} - \textrm{AdvH}_{4,L}|$.

Proof

We note that $L=\lceil \log q_s\rceil $ and thus, for every signing query $z_{0,i}= z_{1,i}=\textbf{F}(i)$ and $\textbf{F}: \{1,...,q_s\} \rightarrow {\mathbb {Z}}_p$ is a random function. The only difference between $\textsf{G}_{1}$ and $\textsf{H}_{4,L}$ is the simulation of $\textbf{crs}_1$, which is generated by either $\textsf{BG}$ (in $\textsf{G}_{1}$) or $\textsf{HG}$ (in $\textsf{H}_{4,L}$). From that, we obtain a straightforward reduction to the CRS indistinguishability of $\textsf{GS}$. $\square $

Combining Lemmata 3.12 to 3.17 and Lemma 3.29, we have $\textrm{AdvG}_{0} \le \textrm{AdvG}_{1} + 3 \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + L\cdot (4 \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 6 \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + \frac{2q_s}{p})$ and conclude Lemma 3.8.

3.3.2 From $\textsf{G}_2$ to $\textsf{G}_3$: Proof of Lemma 3.10

The proof of Lemma 3.10 is essentially the same as Lemma 3.8, but the game sequence is defined in the reverse order. For completeness, we define the game sequence in Fig. 8. For the game sequence $\textsf{S}_{0,k}$, the index k starts with $L$ and decreases till 0. We use $\textrm{AdvS}_{i}$ to denote the advantage of ${\mathcal {A}}$ in Game $\textsf{S}_i$.

By defining $\textbf{RF}_{L}(i|_{L}):= \textbf{F}(i)$ and the same argument as in Lemma 3.16, we have

Lemma 3.30

($\textsf{G}_{2}$ to $\textsf{S}_{0,L}$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability of $\textsf{GS}$ with running times $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) $ and $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvS}_{0,L} - \textrm{AdvG}_{2}|$.

Lemma 3.31

($\textsf{S}_{0,k}$ to $\textsf{S}_{0,k-1}$) There exist adversaries ${\mathcal {B}}_1$ against CRS indistinguishability of $\textsf{GS}$ and ${\mathcal {B}}_2$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}_1) \approx \textbf{T}({\mathcal {B}}_2) $ and $\textrm{AdvS}_{0,k} - \textrm{AdvS}_{0,k-1} \le 4 \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) +6\,\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + 2\frac{q_s}{p}. $

Proof

The proof of Lemma 3.31 is essentially the same as the one of Lemma 3.17, but here we derandomize $z_{0,i}$ and $z_{1,i}$ from $\textbf{RF}_{k}({i}|_{k})$ to $\textbf{RF}_{k-1}({i}|_{k-1})$ instead of randomizing $z_{0,i}$ and $z_{1,i}$ from $\textbf{RF}_{k-1}({i}|_{k-1})$ to $\textbf{RF}_{k}({i}|_{k})$. We define the detailed games in Fig. 9 and sketch the proof as follows.

By the same arguments as in Lemmata 3.18 to 3.20, we have the following Lemmata.

Lemma 3.32

($\textsf{S}_{0,k}$ to $\textsf{S}_{0,k,1}$) $\textrm{AdvS}_{0,k,1} = \textrm{AdvS}_{0,k}.$

Lemma 3.33

($\textsf{S}_{0,k,1}$ to $\textsf{S}_{0,k,2}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}_1) $ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvS}_{0,k,2} - \textrm{AdvS}_{0,k,1}|$.

Lemma 3.34

($\textsf{S}_{0,k,2}$ to $\textsf{S}_{0,k,3}$) $\textrm{AdvS}_{0,k,3} = \frac{1}{2} \textrm{AdvS}_{0,k,2}$.

In the following games, for an integer $i \in {\mathbb {Z}}_p$ we define the random function:

$$\begin{aligned} \textbf{RF}_{k-1}(i{|_{k-1}}):= \textbf{RF}_k(i|_{k-1},\beta ), \end{aligned}$$

(3)

where $\beta $ is a random bit chosen in $\textsc {Init}$. We note that $\textbf{RF}_{k-1}: \{0,1\}^{k-1} \rightarrow {\mathbb {Z}}_p$ is a random function, since $\textbf{RF}_k$ is a random function.

Lemma 3.35

($\textsf{S}_{0,k,3}$ to $\textsf{S}_{0,k,4}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) $ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvS}_{0,k,4} - \textrm{AdvS}_{0,k,3}|$.

Proof

The proof is similar to that of Lemma 3.21. First observe that, in $\textsf{S}_{0,k,4}$, if $ i[k] = \beta $, then $z_{0,i} = z_{1,i} = \textbf{RF}_k( i|_{k-1},\beta ) + \textsf{m}_{i}$ by Eq. (3), otherwise, $x_2 = z_{2,i} = 1-\beta $. Thus, $(z_{0,i} - z_{1,i}) (x_2 - z_{2,i}) =0$ holds and $\textsf{ins}_1 \in \mathcal {L}_1$ in either case. By the perfect WI of $\textsf{GS}$, this difference is perfectly hidden from the adversary. Then, the difference between $\textsf{S}_{0,k,4}$ and $\textsf{S}_{0,k,3}$ is that $\textsf{ct}_1$ is a ciphertext either of $Z_{1,i} = G^{\textbf{RF}_{k-1}( i|_{k-1})} \cdot \textsf{M}_{i}$ (in $\textsf{S}_{0,k,4}$) or $Z_{1,i} = G^{\textbf{RF}_k( i|_k)} \cdot \textsf{M}_{i}$ (in $\textsf{S}_{0,k,3}$). Since $\textit{sk}_1$ is used only for making $\textsf{k}_1$ and $\rho _1$ with respect to $\textbf{crs}_1$ generated by $\textsf{HG}(\textsf{par})$ in both games, we can construct a straightforward reduction to bound this difference by ${\textsf{IND}}-{\textsf{mCPA}}$-security of $\textsf{PKE}$ using zero-knowledge simulator $\textsf{Sim}$ to make $\rho _1$ and relevant commitments. The lemma is concluded. $\square $

By the same arguments as in Lemmata 3.22 to 3.23, we have

Lemma 3.36

($\textsf{S}_{0,k,4}$ to $\textsf{S}_{0,k,5}$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability of $\textsf{GS}$ with $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) $ and $2\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvS}_{0,k,5} - \textrm{AdvS}_{0,k,4}|.$

Lemma 3.37

($\textsf{S}_{0,k,5}$ to $\textsf{S}_{0,k,6}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}})$ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvS}_{0,k,6} - \textrm{AdvH}_{0,k,5}|$.

Lemma 3.38

($\textsf{S}_{0,k,6}$ to $\textsf{S}_{0,k,7}$) $\textrm{AdvS}_{0,k,6} - \textrm{AdvS}_{0,k,7} \le \frac{q_s}{p}$.

Proof

Similar to Lemma 3.24, the difference between $\textsf{S}_{0,k,6}$ and $\textsf{S}_{0,k,7}$ is that the accepted forgery with a $Z_{1-(k\,\textsf{mod}\,2)}^*$ in either:

$$\begin{aligned} {\mathcal {Z}}_6&:= \{ G^{\textbf{RF}_{k}({j}|_{k})} \textsf{M}_{j} \}_{j=1}^{q_s} \\&= \underbrace{\{ G^{\textbf{RF}_{k}({j}|_{k-1}, \beta )} \textsf{M}_{j} : {j}[k]=\beta \}_{j=1}^{q_s}}_{=:{\mathcal {S}}_1} \cup \underbrace{\{ G^{\textbf{RF}_{k}({j}|_{k-1}, 1-\beta )} \textsf{M}_{j} : {j}[k]=1-\beta \}_{j=1}^{q_s}}_{=:{\mathcal {S}}_2} \\&\ (\text {in }\textsf{S}_{0,k,6}) \end{aligned}$$

or

$$\begin{aligned} {\mathcal {Z}}_7&:= \{ G^{\textbf{RF}_{k-1}({j}|_{k-1})} \textsf{M}_{j} \}_{j=1}^{q_s} \\&= {\mathcal {S}}_1\cup \underbrace{\{ G^{\textbf{RF}_{k}({j}|_{k-1}, \beta )} \textsf{M}_{j} : {j}[k]=1-\beta \}_{j=1}^{q_s}}_{=:{\mathcal {S}}_3} \ (\text {in }\textsf{S}_{0,k,7}) , \end{aligned}$$

according to Eq. (3).

We define the following game $\textsf{S}_{0,k,6'}$ between $\textsf{S}_{0,k,6}$ and $\textsf{S}_{0,k,7}$. $\textsf{S}_{0,k,6'}$ simulates $\textsc {Init}$ and $\textsc {Sign}$ as in $\textsf{S}_{0,k,6}$, but it differs in simulating $\textsc {Ver}$, where it only accepts forgery with $Z_{1-(k\,\textsf{mod}\,2)}^* \in {\mathcal {S}}_1$. More precisely, $\textsf{S}_{0,k,6'}$ simulates $\textsc {Ver}$ as follows:

Parse $\sigma ^*:=((\textsf{ct}^*_j)_{0\le j\le 2},\rho ^*_0,\rho ^*_1)$.
$Z_2^* \leftarrow \textsf{Dec}(\textit{sk}_2,\textsf{ct}^*_2)$. If $Z_2^* \ne G^{\beta }$, then return 0.
$Z_{1-(k\,\textsf{mod}\,2)}^* \leftarrow \textsf{Dec}(\textit{sk}_{1-(k\,\textsf{mod}\,2)},\textsf{ct}^*_{1-(k\,\textsf{mod}\,2)})$. If $Z_{1-(k\,\textsf{mod}\,2)}^* \notin {\mathcal {S}}_1$, then return 0.
Return $(\textsf{M}^* \notin {\mathcal {Q}}_{\textsf{M}}) \wedge (\textsf{Ver}(\textit{pk},\textsf{M}^*,\sigma ^*)=1)$.

From answers of $\textsc {Sign}$, adversaries ${\mathcal {A}}$ only learn value $\textbf{RF}_{k}({j}|_{k-1}, \beta )$ for all signing messages $\textsf{M}_{j}$. Thus, if $\textbf{RF}_{k}: \{0,1\}^k \rightarrow {\mathbb {Z}}_p$ is a random function, then values $\textbf{RF}_{k}({j}|_{k-1}, 1-\beta )$ are perfectly hidden from ${\mathcal {A}}$ until $\textsc {Ver}$ is asked. We have that, even for an unbounded adversary ${\mathcal {A}}$, it can only output a value in ${\mathcal {S}}_2$ with probability at most $\frac{q_s}{p}$ and the following holds

$$\begin{aligned} \textrm{AdvS}_{0,k,6} - \textrm{AdvS}_{0,k,6'} \le \frac{q_s}{p}. \end{aligned}$$

Compared to $\textsf{S}_{0,k,6'}$, there are more valid forgeries in $\textsf{S}_{0,k,7}$ and we have

$$\begin{aligned} \textrm{AdvS}_{0,k,6'} \le \textrm{AdvS}_{0,k,7}. \end{aligned}$$

Thus, $\textrm{AdvS}_{0,k,6}-\textrm{AdvS}_{0,k,7}\le \frac{q_s}{p}$ and we conclude the lemma. $\square $

Lemma 3.39

($\textsf{S}_{0,k,7}$ to $\textsf{S}_{0,k,8}$) $\textrm{AdvS}_{0,k,8} = 2 \textrm{AdvS}_{0,k,7}$.

Lemma 3.40

($\textsf{S}_{0,k,8}$ to $\textsf{S}_{0,k,9}$) There exists an adversary ${\mathcal {B}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{PKE}$ with $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) $ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}) \ge |\textrm{AdvS}_{0,k,9} - \textrm{AdvS}_{0,k,8}|$.

Lemma 3.41

($\textsf{S}_{0,k,9}$ to $\textsf{S}_{0,k,10}$) $\textrm{AdvS}_{0,k,10} = \textrm{AdvS}_{0,k,9}$.

Lemma 3.42

($\textsf{S}_{0,k,10}$ to $\textsf{S}_{0,k-1}$) $\textrm{AdvS}_{0,k-1} = \textrm{AdvS}_{0,k,10} $.

Summarizing the above lemmata, we have $\textrm{AdvS}_{0,k} - \textrm{AdvS}_{0,k-1} \le 4\, \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 6\, \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + 2\frac{q_s}{p}$ and conclude Lemma 3.31. $\square $

By defining $\textbf{RF}_0(\epsilon ):= x_0 \xleftarrow {\$}{\mathbb {Z}}_p$, similar to Lemma 3.16, we have

Lemma 3.43

($\textsf{S}_{0,0}$ to $\textsf{S}_1$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability with running time $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) $ and $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvS}_{1}-\textrm{AdvS}_{0,0}|$.

Similar to Lemma 3.14 and 3.15, we have

Lemma 3.44

($\textsf{S}_1$ to $\textsf{S}_2$) $\textrm{AdvS}_{2}=\textrm{AdvS}_{1}$.

Lemma 3.45

($\textsf{S}_2$ to $\textsf{S}_3$) There exists an adversary ${\mathcal {B}}$ against CRS indistinguishability with running times $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) $ and $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}) \ge |\textrm{AdvS}_{3}-\textrm{AdvS}_{2}|$.

Observing that $\textbf{crs}_0 \xleftarrow {\$}\textsf{BG}(\textsf{par})$, $z_{0,i} = z_{1,i} = x_0 + \textsf{m}_{i}$ and $\rho _0 \xleftarrow {\$}\textsf{P}(\textbf{crs}_0, \textsf{ins}_0,w_0)$, we have $\textsf{G}_3 = \textsf{S}_3$ and

Lemma 3.46

($\textsf{S}_3$ to $\textsf{G}_3$) $\textrm{AdvG}_{3} = \textrm{AdvS}_{3}.$

Summarizing Lemmata 3.30 to 3.46, we have $\textrm{AdvG}_{2} \le \textrm{AdvG}_{3} + (4L+ 3) $ $ \textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {B}}_1) + 6 L\cdot \textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {B}}_2) + \frac{2Lq_s}{p}$.

We omit high level outlines of the game transitions in Lemma 3.10 and 3.31 since they are very similar to Fig. 3 and 6 for Lemma 3.8 and 3.17.

4 Instantiation

We instantiate our generic construction in Type-III bilinear groups under the SXDH assumption. Throughout this section, we denote group elements in $\mathbb {G}_1$ with plain upper-case letters, such as X, and elements in $\mathbb {G}_2$ such letters with tilde, such as $\tilde{X}$. Scalar values in ${\mathbb {Z}}_p$ are denoted with lower-case letters. We may also put a tilde to scalar values or other objects when they are related to group elements in $\mathbb {G}_2$ in a way that is clear from the context.

We begin with optimizations in Sect. 4.1 made on top of the generic construction. We then present a concrete scheme for signing unilateral messages in Sect. 4.2 and for bilateral messages in Sect. 4.3 followed by full details of the Groth–Sahai proofs in Sect. 4.4.

4.1 ElGamal Encryption with Common Randomness

Observe that relation $(z_0-z_1)(x_2-z_2)=0$ in $\mathcal {L}_1$ is a quadratic equation and it can be proved efficiently by a GS proof if $z_0$ and $z_1$ are committed in the same group and $z_2$ is committed in the other group. Relevant encryptions should follow the deployment of groups. We thus build the first two ciphertexts, $\textsf{ct}_0$ and $\textsf{ct}_1$ in $\mathbb {G}_1$, and $\textsf{ct}_2$ in $\mathbb {G}_2$.

To gain efficiency, we consider using the same randomness for making $\textsf{ct}_0$ and $\textsf{ct}_1$. For this to be done without spoiling the security proof, it is sufficient that one of the ciphertext $\textsf{ct}_b$ is perfectly simulated given the other ciphertext $\textsf{ct}_{1-b}$. Formally, we assume that there exists a function, say $\textsf{SimEnc}$, such that, for any key pairs $(\textit{pk},\textit{sk})\xleftarrow {\$}\mathsf {Gen_{PKE}}(\textsf{par})$ and $(\textit{pk}',\textit{sk}')\xleftarrow {\$}\mathsf {Gen_{PKE}}(\textsf{par})$, any messages m and $m'$ in the legitimate message space, and any randomness s, it holds that $\textsf{Enc}(\textit{pk}',m'; s) = \textsf{SimEnc}(\textit{sk}',m',\textsf{Enc}(\textit{pk}, m; s))$. In [15], Bellare et al. formally defined such a property as reproducibility. Given reproducible $\textsf{PKE}$ and its ciphertext $\textsf{ct}_b \xleftarrow {\$}\textsf{Enc}(\textit{pk}_b,G^{z_b}; s)$, we can compute another ciphertext $\textsf{ct}_{1-b} \xleftarrow {\$}\textsf{SimEnc}(\textit{sk}_{1-b},G^{z_{1-b}},\textsf{ct}_b)$ without knowing $\textit{sk}_b$ or s. All reduction steps with respect to the CPA security of $\textsf{PKE}$ go through using $\textsf{SimEnc}$ and simulated GS proofs. Precisely, we use $\textsf{SimEnc}$ in Lemma 3.21 to compute $\textsf{ct}_{0}$ from given $\textsf{ct}_{1}$. Similar adjustment applies to Lemma 3.23, 3.35 and 3.37.

As shown in [15], ElGamal encryption ($\textsf{EG}$) is reproducible. Let $(y, G^{y})$ and $(y', G^{y'}) \in {\mathbb {Z}}_p\times \mathbb {G}_1$ be two key pairs of ElGamal encryption. Given ciphertext $(M \cdot (G^{y})^{s}, G^{s})$ of message M with s and public key $G^{y}$, one can compute $(M' \cdot (G^{s})^{y'}, G^{s})$ for any $M'$ using secret key $y'$. It is exactly the same ciphertext obtained from the regular encryption with common randomness s. We thus encrypt $z_0$ and $z_1$ with ElGamal encryption in $\mathbb {G}_1$ using the same randomness and removing redundant $G^s$. For encrypting $z_2$, we also use ElGamal but in $\mathbb {G}_2$. Bellare et al. show that the multi-message chosen-plaintext security for each encryption holds under the DDH assumption in respective groups, which is directly implied by the SXDH assumption [14]. We thus have:

Theorem 4.1

For all adversaries ${\mathcal {A}}$ against ${\textsf{IND}}-{\textsf{mCPA}}$ security of $\textsf{EG}$, there exists an adversary ${\mathcal {C}}$ against the SXDH assumption with running time $\textbf{T}({\mathcal {C}}) \approx \textbf{T}({\mathcal {A}})$ and $\textrm{Adv}^{{\textsf{mcpa}}}_{\textsf{PKE}}({\mathcal {A}}) \le 2\,\textrm{Adv}^{{\textsf{sxdh}}}_{\textsf{PGGen}}({\mathcal {C}}) + \frac{1}{p}$.

4.2 Concrete Scheme for Unilateral Messages

We present a concrete scheme, $\textsf{SPS}\textsf{u1}$, for signing messages in $\mathbb {G}_1$. We use a structure-preserving one-time signature scheme, $\mathsf {\textsf{POS}{u1}}$, taken from the results of Abe et al. [3], and the SXDH-based instantiation of GS proof system. The description of $\mathsf {\textsf{POS}{u1}}$ is blended into the description of $\textsf{SPS}\textsf{u1}$. For the GS proofs, however, we only show concrete relations in this section and present details of computation in Sect. 4.4.

We use notations $[{x}]_{{i}}$ and $[\tilde{x}]_{{1}}$ as a shorthand of $\textsf{Com} (\textbf{crs}_i, x)$ and $\textsf{Com} (\widetilde{\textbf{crs}}_1, x)$, respectively. We abuse these notations to present witnesses in a relation. It is indeed useful to keep track which CRS and which source group is used to commit to a witness. This notational convention is used in the rest of the paper.

Scheme $\textsf{SPS}\textsf{u1}$: Let $\textsf{par}:=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e, G, \tilde{G})$ be a description of Type-III bilinear groups generated by $\textsf{PGGen}(1^\lambda )$.

: Generates $\textbf{crs}_0$, and $(\textbf{crs}_1,\widetilde{\textbf{crs}}_{1})$ as shown in (18). Picks $x_0 \xleftarrow {\$}{\mathbb {Z}}_p$ and set $x_1 = x_2 :=0$. Generates three ElGamal keys $\tilde{Y}_0 :=\tilde{G}^{y_0}$, $\tilde{Y}_1 :=\tilde{G}^{y_1}$, and $Y_2 :=G^{y_2}$ where $y_i \xleftarrow {\$}{\mathbb {Z}}_p$ for $i=0,1,2$. Then, computes commitments

$$\begin{aligned}&[{x_0}]_{{0}} :=\textsf{Com} (\textbf{crs}_0, x_0; r_{x_{00}}), \qquad [{x_1}]_{{0}} :=\textsf{Com} (\textbf{crs}_0, x_1; r_{x_{10}}), \\&[{y_0}]_{{0}} :=\textsf{Com} (\textbf{crs}_0, y_0; r_{y_{00}}), \qquad [\tilde{x_2}]_{{1}}:=\textsf{Com} (\widetilde{\textbf{crs}}_1, x_2; r_{x_{21}}), \\&[{y_0}]_{{1}}:=\textsf{Com} (\textbf{crs}_1, y_0; r_{y_{01}}), \qquad [{y_1}]_{{1}}:=\textsf{Com} (\textbf{crs}_1, y_1; r_{y_{11}}), \\&[\tilde{y_2}]_{{1}}:=\textsf{Com} (\widetilde{\textbf{crs}}_1, y_2; r_{y_{21}}) \end{aligned}$$

as shown in Eq. (19). Generates a persistent key pair of $\mathsf {\textsf{POS}{u1}}$ by $w\xleftarrow {\$}\mathbb {Z}_{p}^*$, $\gamma _i \xleftarrow {\$}\mathbb {Z}_{p}^*$, $\tilde{G}_r :=\tilde{G}^{w}$, and $\tilde{G}_i :=\tilde{G}_r^{\gamma _i}$ for $i=1,\dots , n_1$. Outputs $\textit{pk}$ and $\textit{sk}$ defined as $\textit{pk}:=(G, \tilde{G}, \textbf{crs}_0, \textbf{crs}_1, \widetilde{\textbf{crs}}_1, \tilde{Y}_0,\tilde{Y}_1,Y_2, [{x_0}]_{{0}}, [{x_1}]_{{0}}, [\tilde{x_2}]_{{1}}, [{y_0}]_{{0}}, [{y_0}]_{{1}}, [{y_1}]_{{1}}, [\tilde{y_2}]_{{1}},~ \tilde{G}_r, \tilde{G}_1, \dots , \tilde{G}_{n_1})$, and $\textit{sk}:=(x_0, y_0, y_1, y_2, r_{x_{00}}, r_{x_{10}}, r_{x_{21}}, r_{y_{00}}, r_{y_{01}}, r_{y_{11}}, r_{y_{21}}, w, \gamma _1,\dots ,\gamma _{n_1})$, where $\textsf{par}$ and $\textit{pk}$ are implicitly included in $\textit{pk}$ and $\textit{sk}$, respectively.

: Given $\textit{sk}$ as defined above and $\textsf{M}=: (M_1,\dots ,M_{n_1}) \in \mathbb {G}_1^{n_1}$, proceeds as follows.

Generate one-time $\mathsf {\textsf{POS}{u1}}$ key pair $\alpha \xleftarrow {\$}\mathbb {Z}_{p}^*$ and $\tilde{A}:=\tilde{G}^{\alpha }$, and compute a one-time signature, (Z, R), by
$$\begin{aligned} Z :=G^{\alpha - \rho \, w} \quad \text {and} \quad R :=G^{\rho } \prod _{i=1}^{n_1} M_i^{-\gamma _i}\; , \end{aligned}$$
(4)
where $w, \gamma _1,\dots ,\gamma _{n_1}$ are taken from $\textit{sk}$, and $\rho $ is chosen uniformly from ${\mathbb {Z}}_p$.
Encrypt $z_0 = z_1 :=x_0$, and $z_2 :=0 $ as $(\tilde{E}_{z_0}, \tilde{E}_{z_1}, \tilde{E}_s) :=(\tilde{G}^{z_0}\tilde{Y}_0^s,\; \tilde{G}^{z_1}\tilde{Y}_1^s,\; \tilde{G}^s)$ and $(E_{z_2}, E_t) :=(G^{z_2}Y_2^{t}, G^{t})$, where $s, t \xleftarrow {\$}{\mathbb {Z}}_p$.
Commit to $z_0$, $z_1$, and $z_2$ by $[{z_0}]_{{0}}$, $[{z_0}]_{{1}}$, $[{z_1}]_{{1}}$, and $[\tilde{z_2}]_{{1}}$, as described in Eq. (19).
Using $\textbf{crs}_0$, commitments $[{x_0}]_{{0}}$, $[{x_1}]_{{0}}$, and $[{y_0}]_{{0}}$ in $\textit{pk}$, and default commitment $[{1}]_{{0}}$ computed with randomness $0\in {\mathbb {Z}}_p$, as shown in Eq. (20), compute GS proofs $\rho _{0,0}$ and $\rho _{0,1}$ for relations
$$\begin{aligned}&\rho _{0,0}: \tilde{G}^{[{z_0}]_{{0}}} (\tilde{G}^{-1})^{[{x_0}]_{{0}}} (\tilde{A}^{-1})^{[{x_1}]_{{0}}} = 1, \text { and} \qquad (\text {linear MSE in}\ \mathbb {G}_2) \end{aligned}$$
(5)
$$\begin{aligned}&\rho _{0,1}: \tilde{E}_{z_0}^{[{1}]_{{0}}} (\tilde{G}^{-1})^{[{z_0}]_{{0}}} (\tilde{E}_{s}^{-1})^{[{y_0}]_{{0}}} = 1 \qquad (\text {linear MSE in}\ \mathbb {G}_2) \end{aligned}$$
(6)
that correspond to clauses $\tilde{G}^{z_0} = \tilde{G}^{x_0} \cdot \tilde{\textsf{M}}^{x_1}$ for $\tilde{\textsf{M}}:= \tilde{A}$ and $(\tilde{E}_{z_0}, \tilde{E}_s) \in \textsf{Enc}(\tilde{Y}_0,\tilde{G}^{z_0})$ in $\mathcal {L}_0$, respectively.
Similarly, using $(\textbf{crs}_1, \widetilde{\textbf{crs}}_1)$ and default commitments $[{1}]_{{1}}$ and $[\tilde{1}]_{{1}}$, computes GS proofs $\rho _{1,0}$, $\rho _{1,1}$, $\rho _{1,2}$, and $\rho _{1,3}$ for relations
$$\begin{aligned}&\rho _{1,0}: ([\tilde{x_2}]_{{1}} - [\tilde{z_2}]_{{1}}) ([{z_0}]_{{1}} - [{z_1}]_{{1}}) = 0, \qquad (\text {nonlinear QE}) \end{aligned}$$
(7)
$$\begin{aligned}&\rho _{1,1}: \tilde{E}_{z_0}^{[{1}]_{{1}}} (\tilde{G}^{-1})^{[{z_0}]_{{1}}} (\tilde{E}_{s}^{-1})^{[{y_0}]_{{1}}} = 1, \qquad (\text {linear MSE in}\ \mathbb {G}_2) \end{aligned}$$
(8)
$$\begin{aligned}&\rho _{1,2}: \tilde{E}_{z_1}^{[{1}]_{{1}}} (\tilde{G}^{-1})^{[{z_1}]_{{1}}} (\tilde{E}_{s}^{-1})^{[{y_1}]_{{1}}} = 1, \text { and} \qquad (\text {linear MSE in}\ \mathbb {G}_2) \end{aligned}$$
(9)
$$\begin{aligned}&\rho _{1,3}: E_{z_2}^{[\tilde{1}]_{{1}}} (G^{-1})^{[\tilde{z_2}]_{{1}}} (E_{t}^{-1})^{[\tilde{y_2}]_{{1}}} = 1, \qquad (\text {linear MSE in}\ \mathbb {G}_1) \end{aligned}$$
(10)
that correspond to clauses in $\mathcal {L}_1$.
Output a signature $\sigma :=(\tilde{A}, Z, R,\tilde{E}_{z_0}, \tilde{E}_{z_1}, \tilde{E}_s, E_{z_2}, E_t, [{z_0}]_{{0}}, [{z_0}]_{{1}}, [{z_1}]_{{1}}, [\tilde{z_2}]_{{1}}, \rho _{0,0}, \rho _{0,1}, \rho _{1,0}, \rho _{1,1}, \rho _{1,2}, \rho _{1,3})$.

: Return 1 if all the following verifications are passed. Return 0, otherwise.

Verify signature (Z, R) of $\mathsf {\textsf{POS}{u1}}$ for $\textsf{M}=(M_1,\dots ,M_{n_1})$ with one-time key $\tilde{A}$ by
$$\begin{aligned} e(G, \tilde{A}) = e(Z, \tilde{G})\, e(R, \tilde{G}_r) \, \prod _{i=1}^{n_1} e(M_i, \tilde{G}_i). \end{aligned}$$
(11)
Verify all GS proofs $\rho _{0,0}, \rho _{0,1}, \rho _{1,0}, \rho _{1,1}, \rho _{1,2}, \rho _{1,3}$ with commitments $[{z_0}]_{{0}}$, $[{z_0}]_{{1}}$, $[{z_1}]_{{1}}$, $[\tilde{z_2}]_{{1}}$, and ciphertext $\tilde{E}_{z_0}$, $\tilde{E}_{z_1}$, $\tilde{E}_s$, $E_{z_2}$, $E_t$ in $\sigma $, using $[{x_0}]_{{0}}$, $[{x_1}]_{{0}}$, $[{y_0}]_{{0}}$, $[\tilde{x_2}]_{{1}}$, $[{y_0}]_{{1}}$, $[{y_1}]_{{1}}$, $[\tilde{y_2}]_{{1}}$ in $\textit{pk}$, as expressed in Eqs. (23) and (25). Default commitments $[{1}]_{{1}}$ and $[\tilde{1}]_{{1}}$ are built on-the-fly following Eq. (20).

This completes the description of $\textsf{SPS}\textsf{u1}$.

4.2.1 Performance

Keeping in mind that generators $G$ and $\tilde{G}$ are used commonly in the components, we assess the size of public-keys and signatures. By (a, b), we denote a and b elements in $\mathbb {G}_1$ and $\mathbb {G}_2$, respectively. A public-key consists of common reference string $(\textbf{crs}_0, (\textbf{crs}_1, \widetilde{\textbf{crs}}_1) )$ consisting of (7, 4) elements, commitments $([{x_0}]_{{0}},[{x_1}]_{{0}}, [{y_0}]_{{0}},[\tilde{x_2}]_{{1}}, [\tilde{y_2}]_{{1}}, [{y_0}]_{{1}}, [{y_1}]_{{1}})$ consisting of (10, 4) elements, three ElGamal public-keys $(\tilde{pk}_0, \tilde{pk}_1, \textit{pk}_2)$ consisting of (1, 2) elements, and a public-key $(\tilde{G}_r, \tilde{G}_1, \cdots , \tilde{G}_{n_1})$ for $\mathsf {\textsf{POS}{u1}}$ that contains $(0, n_1+1)$ elements. In total, a public- key consists of $(18, n_1+ 11)$ elements. A signature consists of commitments $[{z_0}]_{{0}}, [{z_0}]_{{1}}, [{z_1}]_{{1}}, [\tilde{z_2}]_{{1}}$ containing (6, 2) elements, four proofs, $\rho _{0,0}, \rho _{0,1}, \rho _{1,1}$, and $\rho _{1,2}$, for linear MSEs in $\mathbb {G}_2$ that costs $(0,1) \times 4$, proof $\rho _{1,0}$ of nonlinear QE consisting of (2, 2) elements, proof $\rho _{1,3}$ for a linear MSE in $\mathbb {G}_1$ that costs (1, 0), three ElGamal ciphertexts (of two ones share a randomness) consisting of (2, 3) elements, and a one-time public-key and signature of $\mathsf {\textsf{POS}{u1}}$ consisting of (0, 1) and (2, 0) elements, respectively. Summing up, a signature consists of (13, 12) group elements.

Since computational cost largely depends on available resources and implementation, we only show basic parameters that can be dominant factors in computation. First, for signature generation, the number of elements in a signature almost counts a number of scalar multiplications. To be slightly more accurate, we count the number of multi-scalar multiplications and add them as 1.5 scalar multiplications. Element R in $\mathsf {\textsf{POS}{u1}}$ and all elements in proofs $\rho _{0,0}, \rho _{0,1}, \rho _{1,1}$, $\rho _{1,2}$, $\rho _{1,0}$, $\rho _{1,3}$ that sum up to (4, 6) elements in total are computed through multi-scalar multiplications. The remaining (9, 6) elements in a signature are those in commitments and ElGamal encryptions for binary values and counted as scalar multiplications. Accordingly, we estimate the signing cost as $15 (=4 \times 1.5 + 9) $ and $15 (= 6 \times 1.5 + 6)$ scalar multiplications in $\mathbb {G}_1$ and $\mathbb {G}_2$, respectively. Computational workload for verification is much more implementation dependent. The number of equations and pairings are 15 and $n_1+57$, respectively, from simple counting in the description. With the most aggressive batch verification that wraps all equations into one, we merge pairings with respect to default generators $G$ and $\tilde{G}$, and CRSes. It reduces the number of pairings down to $n_1+16$ in exchange of increasing the number of multi-scalar multiplications (which is ignored in Table 2) for randomizing each element. Note that the size of randomness in batching is an additional statistical parameter for the soundness of verification. We consider full-size randomness for minimizing the loss.

4.2.2 Security

Regarding $\mathsf {\textsf{POS}{u1}}$ used in the above construction, the following statement is proven in [3].

Theorem 4.2

([3]) $\mathsf {\textsf{POS}{u1}}$ is $\textsf{OT}\text {-}\textsf{nCMA}$ secure if the $\textrm{DDH}_2$ assumption holds with respect to $\textsf{PGGen}$. In particular, for all polynomial-time algorithms ${\mathcal {A}}$, there exists a polynomial-time algorithm ${\mathcal {B}}$ with $\textbf{T}({\mathcal {A}}) \approx \textbf{T}({\mathcal {B}}) $ and $\textrm{Adv}^{{\textsf{ncma}}}_{\mathsf {\textsf{POS}{u1}}}({\mathcal {A}}) \le \textrm{Adv}^{{\textsf{ddh}_{2}}}_{\textsf{PGGen}}({\mathcal {B}}) +1/p$.

With asymmetric pairing groups, CRS indistinguishability of GS proof system is tightly reduced from the SXDH assumption. Namely, the following theorem holds.

Theorem 4.3

([40]) For all adversaries ${\mathcal {A}}$ against CRS indistinguishability of $\textsf{GS}$, there exists an adversary ${\mathcal {B}}$ with running time $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}})$ and $\textrm{Adv}^{{\textsf{crsind}}}_{\textsf{GS}}({\mathcal {A}}) \le 2 \cdot \textrm{Adv}^{{\textsf{sxdh}}}_{\textsf{PGGen}}({\mathcal {B}})$.

Combining Theorems 2.6, 3.6, 4.1, 4.2, and 4.3, we have the following theorem.

Theorem 4.4

$\textsf{SPS}\textsf{u1}$ is $\textsf{UF}\text{- }\textsf{CMA}$ if the $\textrm{SXDH}$ assumption holds with respect to $\textsf{PGGen}$. In particular, for any polynomial-time algorithm ${\mathcal {A}}$, there exists a polynomial-time algorithm ${\mathcal {B}}$ that runs in almost the same as ${\mathcal {A}}$ and

$$\begin{aligned} \textrm{Adv}^{{\textsf{uf}\text{- } \textsf{cma}}}_{\textsf{SPS}\textsf{u1}}({\mathcal {A}}) \le (40 L+ 13) \cdot \textrm{Adv}^{{\textsf{sxdh}}}_{\textsf{PGGen}}({\mathcal {B}}) + \frac{4L(q_s+ 3)+ 1}{p}. \end{aligned}$$

(12)

If we set the number of possible signing queries to $q_s = 2^{40}$, i.e., $L= \lceil \log _2 q_s \rceil = 40$, the security loss of $\textsf{SPS}\textsf{u1}$ is approximately in 11 bits ($2^{10.6}$).

4.3 Concrete Scheme for Bilateral Messages

To sign bilateral messages $(\textsf{M}_1, \textsf{M}_2) \in \mathbb {G}_1^{n_1} \times \mathbb {G}_2^{n_2}$, we use $\textsf{SPS}\textsf{u1}$ in the previous section to sign $\textsf{M}_1 \in \mathbb {G}_1^{n_1}$ and combine it with another POS, say $\mathsf {\textsf{POS}{u2}}$, that signs $\textsf{M}_2 \in \mathbb {G}_2^{n_2}$. Since a one-time public key of $\mathsf {\textsf{POS}{u2}}$ is in $\mathbb {G}_1$, it can be appended to $\textsf{M}_1$ and authenticated by $\textsf{SPS}\textsf{u1}$ by extending the message space to $\mathbb {G}_2^{n_1+1}$. We give the details below.

Scheme $\textsf{SPS}\textsf{b}$:

: Given $\textsf{par}$, proceeds with the same steps, except for generating keys for $\mathsf {\textsf{POS}{b}}$ instead of $\mathsf {\textsf{POS}{u1}}$.

Chooses $w, \mu $ randomly from $\mathbb {Z}_{p}^*$ and computes $\tilde{G}_r :=\tilde{G}^{w}$ and $G_r :=G^{\mu }$. For $i=1,\dots , n_1+1$, uniformly chooses $\gamma _i$ from ${\mathbb {Z}}_p$ and computes $\tilde{G}_i :=\tilde{G}_r^{\gamma _i}$. For $j=1,\dots , n_2$, uniformly chooses $\psi _j$ from ${\mathbb {Z}}_p$ and computes $G_j :=G_r^{\psi _j}$.
Outputs $\textit{pk}$ and $\textit{sk}$ defined as $\textit{pk}:=(G, \tilde{G}, \textbf{crs}_0, \textbf{crs}_1, \widetilde{\textbf{crs}}_1, \tilde{Y}_0,\tilde{Y}_1,Y_2, [{x_0}]_{{0}}, [{x_1}]_{{0}}, [\tilde{x_2}]_{{1}}, [{y_0}]_{{0}}, [{y_0}]_{{1}}, [{y_1}]_{{1}}, [\tilde{y_2}]_{{1}}, \tilde{G}_r, \tilde{G}_1, \dots , \tilde{G}_{n_1+1}, G_r, G_1,\dots , G_{n_2})$ and $\textit{sk}:=(x_0, y_0, y_1, y_2, r_{x_{00}}, r_{x_{10}}, r_{x_{21}}, r_{y_{00}}, r_{y_{01}}, r_{y_{11}}, r_{y_{21}},w, \gamma _1,\dots ,\gamma _{n_1+1}, \mu , \psi _1,\dots ,\psi _{n_2})$, where $\textsf{par}$ and $\textit{pk}$ are implicitly included in $\textit{pk}$ and $\textit{sk}$, respectively.

: Given $\textit{sk}$ as defined above and $\textsf{M}= (M_1,\dots ,M_{n_1},\tilde{M}_1,\dots ,\tilde{M}_{n_2}) \in \mathbb {G}_1^{n_1} \times \mathbb {G}_2^{n_2}$, proceeds as follows.

Generates $\mathsf {\textsf{POS}{u2}}$ one-time key pair $\zeta \xleftarrow {\$}\mathbb {Z}_{p}^*$ and $B :=G^{\zeta }$, and one-time signature $(\tilde{Z}, \tilde{R})$ by
$$\begin{aligned} \tilde{Z}:=\tilde{G}^{\zeta - \delta \mu } \quad \text {and} \quad \tilde{R}:=\tilde{G}^{\delta } \prod _{j=1}^{n_2} \tilde{M}_j^{-\psi _j}\; \end{aligned}$$
(13)
where $\mu , \psi _1, \cdots , \psi _{n_2}$ are taken from $\textit{sk}$, and $\delta $ is chosen uniformly from $\mathbb {Z}_{p}^*$.
Sets $M_{n_1+1} :=B$.
Generates one-time $\mathsf {\textsf{POS}{u1}}$ key pair $\alpha \xleftarrow {\$}\mathbb {Z}_{p}^*$ and $\tilde{A}:=G_2^{\alpha }$ and one-time signature (Z, R) by
$$\begin{aligned} Z :=G^{\alpha - \rho \, w}, \quad \text {and} \quad R :=G^{\rho } \prod _{i=1}^{n_1+1} M_i^{-\gamma _i}\; \end{aligned}$$
(14)
where $w, \gamma _1,\dots ,\gamma _{n_1+1}$ are chosen from $\textit{sk}$, and $\rho $ is chosen from ${\mathbb {Z}}_p$.
Then, creates ElGamal ciphertexts and GS proofs as well as those in $\textsf{SPS}\textsf{u1}$.
Outputs a signature $\sigma :=(B,\tilde{Z}, \tilde{R}, \tilde{A}, Z, R, \tilde{E}_{z_0}, \tilde{E}_{z_1}, \tilde{E}_s, E_{z_2}, E_t, [{z_0}]_{{0}}, [{z_0}]_{{1}}, [{z_1}]_{{1}}, [\tilde{z_2}]_{{1}}, \rho _{0,0}, \rho _{0,1}, \rho _{1,0}, \rho _{1,1}, \rho _{1,2}, \rho _{1,3} )$.

:

Returns 1 if all the following verifications are passed. Returns 0 otherwise.

Parses $\textsf{M}$ into $\textsf{M}= (M_1,\dots ,M_{n_1},\tilde{M}_1,\dots ,\tilde{M}_{n_2}) \in \mathbb {G}_1^{n_1} \times \mathbb {G}_2^{n_2}$.
Verifies signature $(\tilde{Z}, \tilde{R})$ of $\mathsf {\textsf{POS}{u2}}$ for $(\tilde{M}_1,\dots , \tilde{M}_{n_2})$ with one-time key B by
$$\begin{aligned} e(B, \tilde{G}) = e(G, \tilde{Z})\, e(G_r, \tilde{R})\, \prod _{j=1}^{n_2} e(G_j, \tilde{M}_j). \end{aligned}$$
(15)
Verifies signature (Z, R) of $\mathsf {\textsf{POS}{u1}}$ for $(M_1,\dots ,M_{n_1})$ and $M_{n_1+1}:=B$ with one-time key $\tilde{A}$ by
$$\begin{aligned} e(G, \tilde{A}) = e(Z, \tilde{G})\, e(R, \tilde{G}_r) \, \prod _{i=1}^{n_1+1} e(M_i, \tilde{G}_i). \end{aligned}$$
(16)
Verifies GS proofs as well as $\textsf{SPS}\textsf{u1}$.

4.3.1 Performance

The only difference compared to $\textsf{SPS}\textsf{u1}$ is extra $\mathsf {\textsf{POS}{u2}}$. It adds $(n_2+1,1)$ and (1, 2) elements and results in $(n_2+ 19, n_1+ 12)$ and (14, 14) elements in a public-key and a signature, respectively. Among (1, 2) elements newly added to a signature, only one in $\mathbb {G}_2$ is computed by multi-scalar multiplication. Hence, the cost for signature generation increases by 2.5 and 1 scalar multiplications in $\mathbb {G}_1$ and $\mathbb {G}_2$, respectively. In verification, the additional POS requires 1 more equation and $n_2+ 4$ pairings, resulting in 16 equations and $n_1+n_2+61$ pairings. Two of the new pairings include $G$ and $\tilde{G}$, they are merged with pairings with respect to those elements, and the remaining $n_2+2$ pairings are counted as an additional cost in the case of batch verification. Hence, we have $n_1+n_2+18$ pairings.

4.3.2 Security

Theorem 4.2 holds for $\mathsf {\textsf{POS}{u2}}$ under the $\textrm{DDH}_1$ assumption. Combining it with Theorem 4.4, we obtain the following.

Theorem 4.5

$\textsf{SPS}\textsf{b}$ is $\textsf{UF}\text{- }\textsf{CMA}$ if the $\textrm{SXDH}$ assumption holds with respect to $\textsf{PGGen}$. In particular, for any polynomial-time algorithm ${\mathcal {A}}$, there exists an algorithm ${\mathcal {B}}$ with $\textbf{T}({\mathcal {B}}) \approx \textbf{T}({\mathcal {A}})$ and

$$\begin{aligned} \textrm{Adv}^{{\textsf{uf}\text{- } \textsf{cma}}}_{\textsf{SPS}\textsf{b}}({\mathcal {A}}) \le (40 L+ 14) \cdot \textrm{Adv}^{{\textsf{sxdh}}}_{\textsf{PGGen}}({\mathcal {B}}) + \frac{4L(q_s+ 3) + 2}{p}. \end{aligned}$$

(17)

4.4 Specific Groth–Sahai Proofs under SXDH

Among wide variations of relations that are provable with GS proofs, our instantiation involves only three types of relations; linear multiscalar multiplication equations (MSEs) in $\mathbb {G}_1$ and $\mathbb {G}_2$, and nonlinear quadratic equations (QEs). Witnesses are committed in either $\mathbb {G}_1$ or $\mathbb {G}_2$ depending on the relations to prove. We summarize the space and computation complexity in Table 3 and give details in the sequel.

Table 3 Sizes and computational costs for GS proofs in the SXDH assumption setting for relations used in our construction

Full size table

CRS Generation: Our construction includes three independent common reference strings, $\textbf{crs}_0$ and $(\textbf{crs}_1, \widetilde{\textbf{crs}}_1)$ generated in the binding mode as

$$\begin{aligned} \textbf{crs}_0 :=\left( \begin{array}{cc} G&{}{Q}_0\\ {U}_0 &{}{V}_0 \end{array}\right) , \quad \textbf{crs}_1 := \left( \begin{array}{cc} G&{}{Q}_1\\ {U}_1 &{}{V}_1 \end{array}\right) , \quad \widetilde{\textbf{crs}}_1 :=\left( \begin{array}{cc} \tilde{G}&{}\tilde{Q}_1\\ \tilde{U}_1 &{}\tilde{V}_1 \end{array}\right) , \end{aligned}$$

(18)

where, for $\chi _0, \xi _0, \chi _1, \xi _1, \tilde{\chi }_1, \tilde{\xi }_1 \xleftarrow {\$}\mathbb {Z}_{p}^*$, ${Q}_i :=G^{\chi _i}$, ${U}_i :=G^{\xi _i}$, ${V}_i :=G^{\chi _i \, \xi _i}$ for $i=0,1$ and $\tilde{Q}_1 :=\tilde{G}^{\tilde{\chi }_1}$, $\tilde{U}_1 :=\tilde{G}^{\tilde{\xi }_1}$, $\tilde{V}_1 :=\tilde{G}^{\tilde{\chi }_1 \, \tilde{\xi }_1}$.

Scalar Commitments: To commit to $x \in {\mathbb {Z}}_p$ under $\textbf{crs}_i$, compute

$$\begin{aligned}{}[{x}]_{{i}} :=\textsf{Com} (\textbf{crs}_i, x; r) :=({U}_i^x \, G^{r}, ({V}_i\,G)^{x} \, {Q}_i^{r}), \end{aligned}$$

(19)

where $r \in {\mathbb {Z}}_p$ is a fresh randomness. A default commitment of $1 \in {\mathbb {Z}}_p$ uses $0 \in {\mathbb {Z}}_p$ as a randomness, namely,

$$\begin{aligned}{}[{1}]_{{i}} :=\textsf{Com} (\textbf{crs}_i, 1; 0) :=({U}_i, {V}_i\,G). \end{aligned}$$

(20)

When x is committed by using $\widetilde{\textbf{crs}}_1$, we denote it by $[\tilde{x}]_{{1}}$ and compute as

$$\begin{aligned}{}[\tilde{x}]_{{1}} =\textsf{Com} (\widetilde{\textbf{crs}}_1, x; r) :=(\tilde{U}_1^x\,\tilde{G}^{r}, (\tilde{V}_1\,\tilde{G})^{x}\, \tilde{Q}_1^{r}). \end{aligned}$$

(21)

Proof of Scalar MSE: Proof $\rho _{0,0}$ for relation (5) as a linear MSE in $\mathbb {G}_1$ consists of a single element $\pi _{0,0} \in \mathbb {G}_2$ computed as

$$\begin{aligned} \pi _{0,0} :=\tilde{G}^{r_{z_0}} (\tilde{G}^{-1})^{r_{x_0}} (\tilde{A}^{-1})^{r_{x_1}}, \end{aligned}$$

(22)

where $r_{z_0}$, $r_{x_0}$, and $r_{x_1}$ are random coins used to commit to $z_0$, $x_0$, $x_1$ by $[\tilde{z_0}]_{{0}}$, $[\tilde{x_0}]_{{0}}$, $[\tilde{x_1}]_{{0}}$, respectively. It is verified by evaluating

$$\begin{aligned} e({C}_{z_0,1}, \tilde{G})\, e({C}_{x_0,1}, \tilde{G}^{-1})\, e({C}_{x_1,1}, \tilde{A}^{-1})&=e(G, \pi _{0,0}), \text { and }\nonumber \\ e({C}_{z_0,2}, \tilde{G}) \, e({C}_{x_0,2}, \tilde{G}^{-1}) \, e({C}_{x_1,2}, \tilde{A}^{-1})&=e({Q}_0, \pi _{0,0}), \end{aligned}$$

(23)

where $(C_{\textsf{x},1},C_{\textsf{x},2}):= [{\textsf{x}}]_{{0}}$ for $\textsf{x} \in \{z_0, x_0, x_1\}$, and $\tilde{G}$ and ${Q}_0$ are taken from $\textbf{crs}_0$.

Proofs $\rho _{0,1}$, $\rho _{1,1}$, and $\rho _{1,2}$, are for linear MSEs in exactly the same form as Eq. (5). They are generated and verified in the same manner as above.

Proof of Nonlinear QE: Proof $\rho _{1,0}$ for nonlinear QE (7) consists of $(\theta _{1,0,1}, \theta _{1,0,2},$ $ \pi _{1,0,1},\pi _{1,0,2}) \in \mathbb {G}_1^2 \times \mathbb {G}_2^2$ that, $\psi \xleftarrow {\$}{\mathbb {Z}}_p$,

$$\begin{aligned} \theta _{1,0,1}&:={U}_1^{z_0(r_{x_2} - r_{z_2}) - z_1(r_{x_2} - r_{z_2})} \,G^{(r_{x_2} - r_{z_2}) (r_{z_0} - r_{z_1}) - \psi }, \nonumber \\ \theta _{1,0,2}&:=( {V}_1 G)^{z_0(r_{x_2} -r_{z_2}) - z_1(r_{x_2} - r_{z_2})} \,{Q}_1^{(r_{x_2} - r_{z_2}) (r_{z_0} - r_{z_1}) - \psi },\nonumber \\ \pi _{1,0,1}&:=\tilde{U}_1^{x_2(r_{z_0} - r_{z_1}) -z_2(r_{z_0} - r_{z_1})} \,\tilde{G}^{\psi }, \text { and}\nonumber \\ \pi _{1,0,2}&:=(\tilde{V}_1 \tilde{G})^{x_2(r_{z_0} - r_{z_1}) - z_2(r_{z_0} - r_{z_1})} \,\tilde{Q}_1^{\psi }, \end{aligned}$$

(24)

where $r_{\textsf{x}}$ is a random coin used to commit to $\textsf{x}$. The verification evaluates

$$\begin{aligned}&e({C}_{z_0,1} {C}_{z_1,1}^{-1}, \tilde{D}_{x_2,1})\, e({C}_{z_0,1} {C}_{z_1,1}^{-1}, \tilde{D}_{z_2,1}^{-1}) =e(G, \pi _{1,0,1})\, e(\theta _{1,0,1}, \tilde{G}), \nonumber \\&e({C}_{z_0,2} {C}_{z_1,2}^{-1}, \tilde{D}_{x_2,1})\, e({C}_{z_0,2} {C}_{z_1,2}^{-1}, \tilde{D}_{z_2,1}^{-1}) =e({Q}_1, \pi _{1,0,1})\, e(\theta _{1,0,2}, \tilde{G}), \nonumber \\&e({C}_{z_0,1} {C}_{z_1,1}^{-1}, \tilde{D}_{x_2,2})\, e({C}_{z_0,1} {C}_{z_1,1}^{-1}, \tilde{D}_{z_2,2}^{-1}) =e(G, \pi _{1,0,2})\, e(\theta _{1,0,1}, \tilde{Q}_1), \text { and} \nonumber \\&e({C}_{z_0,2} {C}_{z_1,2}^{-1}, \tilde{D}_{x_2,2})\, e({C}_{z_0,2} {C}_{z_1,2}^{-1}, \tilde{D}_{z_2,2}^{-1}) =e({Q}_1, \pi _{1,0,2}) \, e(\theta _{1,0,2}, \tilde{Q}_1), \end{aligned}$$

(25)

where $(C_{\textsf{x},1},C_{\textsf{x},2}):= [{\textsf{x}}]_{{1}}$ for $\textsf{x} \in \{z_0, z_1\}$, $(\tilde{D}_{\textsf{y},1},\tilde{D}_{\textsf{y},2}):= [\tilde{\textsf{y}}]_{{1}}$ for $\textsf{y} \in \{x_2, z_2\}$, and other group elements are taken from $(\textbf{crs}_1, \widetilde{\textbf{crs}}_1)$.

Batch Verification: The number of pairing computations in Eqs. (23) and (25) can be reduced when verifying proofs $\rho _{0,0}, \rho _{0,1}, \rho _{1,0}, \rho _{1,1}, \rho _{1,2}$ and $\rho _{1,3}$ at once by batch verification. By merging pairings with respect to $G$, $\tilde{G}$, ${Q}_0$, ${Q}_1$, $\tilde{Q}_1$, $\tilde{A}$, $\tilde{E}_{z_0}$, $\tilde{E}_{s}$, $\tilde{D}_{x_2,1}$, $\tilde{D}_{x_2,2}$, $\tilde{D}_{z_2,1}$, $\tilde{D}_{z_2,2}$, $\tilde{E}_{z_1}$, $E_{z_2}$, and $E_{t}$, we have a single pairing product equation consisting of 15 pairings. It will be merged further with the verification equations for the POS part that includes pairings involving $G$ and $\tilde{G}$. For $\textsf{SPS}\textsf{u1}$, the batch verification equation consists of $n_1+ 16$ pairings, of which $n_1+1$ pairings are from $\mathsf {\textsf{POS}{u1}}$. For $\textsf{SPS}\textsf{b}$, it consists of $n_1+ n_2+ 18$ pairings, of which $n_1+ n_2+ 3$ pairings are from $\mathsf {\textsf{POS}{b}}$.

Notes

The security loss in our previous version [6] is $\mathcal {O}(\lambda )$, and in this version we improve it to $\mathcal {O}(\log q_s)$ (which is $\mathcal {O}(\log \lambda )$ for any given polynomial-time adversary ${\mathcal {A}}$, although the constant may depend on ${\mathcal {A}}$).

References

M. Abdalla, P.-A. Fouque, V. Lyubashevsky, M. Tibouchi, Tightly-secure signatures from lossy identification schemes. in D. Pointcheval and T. Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, (Springer, Heidelberg, April 2012), pp. 572–590.
M. Abdalla, T. Lange, editors, PAIRING 2012, volume 7708 of LNCS. (Springer, Heidelberg, May 2013).
M. Abe, M. Chase, B. David, M. Kohlweiss, R. Nishimaki, M. Ohkubo, Constant-size structure-preserving signatures: Generic constructions and simple assumptions. J. Cryptol., 29(4), 833–878 (2016)
Article MathSciNet MATH Google Scholar
M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Structure-preserving signatures and commitments to group elements. J. Cryptol., 29(2), 363–421, (2016)
Article MathSciNet MATH Google Scholar
M. Abe, J. Groth, K. Haralambiev, M. Ohkubo, Optimal structure-preserving signatures in asymmetric bilinear groups. in P. Rogaway, editors, CRYPTO 2011, volume 6841 of LNCS, (Springer, Heidelberg, August 2011), pp. 649–666.
M. Abe, D. Hofheinz, R. Nishimaki, M. Ohkubo, J. Pan. Compact structure-preserving signatures with almost tight security. in J. Katz, H. Shacham, editors, CRYPTO 2017, Part II, volume 10402 of LNCS, (Springer, Heidelberg, August 2017), pp. 548–580.
M. Abe, C.S. Jutla, M. Ohkubo, J. Pan, A. Roy, Y. Wang, Shorter QA-NIZK and SPS with tighter security. in S.D. Galbraith, S. Moriai, editors, ASIACRYPT 2019, Part III, volume 11923 of LNCS, (Springer, Heidelberg, December 2019), pp. 669–699.
M. Abe, C.S. Jutla, M. Ohkubo, A. Roy. Improved (almost) tightly-secure simulation-sound QA-NIZK with applications. in T. Peyrin and S. Galbraith, editors, ASIACRYPT 2018, Part I, volume 11272 of LNCS, (Springer, Heidelberg, December 2018), pp. 627–656.
T. Acar, K. Lauter, M. Naehrig, D. Shumow, Affine pairings on ARM. in M. Abdalla and T. Lange, editors, [2], pp. 203–209.
D.F. Aranha, L. Fuentes-Castañeda, E. Knapp, A. Menezes, F. Rodríguez-Henríquez. Implementing pairings at the 192-bit security level. in M. Abdalla and T. Lange, editors, [2], pp. 177–195
N. Attrapadung, G. Hanaoka, S. Yamada, A framework for identity-based encryption with almost tight security. in T. Iwata and J.H. Cheon [44], (2015), pp. 521–549.
R. Barbulescu, S. Duquesne, Updating key size estimations for pairings. J. Cryptol., 32, 1298-1336. (2018).
Article MathSciNet MATH Google Scholar
P.S.L.M. Barreto, C. Costello, R. Misoczki, M. Naehrig, G.C.C.F. Pereira, G. Zanon, Subgroup security in pairing-based cryptography. in K.E. Lauter, F. Rodríguez-Henríquez, editors, LATINCRYPT 2015, volume 9230 of LNCS, (Springer, Heidelberg, August 2015), pp. 245–265.
M. Bellare, A. Boldyreva, S. Micali. Public-key encryption in a multi-user setting: Security proofs and improvements. in B. Preneel, editor, EUROCRYPT 2000, volume 1807 of LNCS, (Springer, Heidelberg, May 2000), pp. 259–274.
Mihir.Bellare, A. Boldyreva, J. Staddon, Randomness re-use in multi-recipient encryption schemeas. in Public Key Cryptography - PKC 2003, 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, January 6-8, 2003, Proceedings, (2003), pp. 85–99.
M. Bellare, P. Rogaway, The exact security of digital signatures: How to sign with RSA and Rabin. in U.M. Maurer, editor, EUROCRYPT’96, volume 1070 of LNCS, (Springer, Heidelberg, May 1996), pp. 399–416.
M. Bellare, S. Shoup, Two-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles. in T. Okamoto, X. Wang, editors, PKC 2007, volume 4450 of LNCS, (Springer, Heidelberg, April 2007), pp. 201–216.
O. Blazy, G. Fuchsbauer, M. Izabachène, A. Jambert, H. Sibert, D. Vergnaud, Batch Groth-Sahai. in J. Zhou and M. Yung, editors, ACNS 10, volume 6123 of LNCS, (Springer, Heidelberg, June 2010), pp. 218–235.
O. Blazy, E. Kiltz, J. Pan, (Hierarchical) identity-based encryption from affine message authentication. in J.A. Garay, R. Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, (Springer, Heidelberg, August 2014), pp. 408–425.
D. Boneh, X. Boyen, Secure identity based encryption without random oracles. in M. Franklin, editor, [33], pp. 443–459.
D. Boneh, X. Boyen, H. Shacham, Short group signatures. in M. Franklin, editor, [33], pp. 41–55.
J. Camenisch, M. Dubovitskaya, K. Haralambiev, Efficient structure-preserving signature scheme from standard assumptions. in I. Visconti and R. De Prisco, editors, [57], pp. 76–94.
J. Camenisch, M. Dubovitskaya, K. Haralambiev, M. Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions. in T. Iwata, J.H. Cheon, editors, ASIACRYPT 2015, Part II, volume 9453 of LNCS, (Springer, Heidelberg, November / December 2015), pp. 262–288.
J. Cathalo, B. Libert, M. Yung, Group encryption: Non-interactive realization in the standard model. in M. Matsui, editors, ASIACRYPT 2009, volume 5912 of LNCS, (Springer, Heidelberg, December 2009), pp. 179–196.
M. Chase, M. Kohlweiss, A new hash-and-sign approach and structure-preserving signatures from DLIN. in I. Visconti and R. De Prisco, editors, [57], pp. 131–148.
S. Chatterjee, N. Koblitz, A. Menezes, P. Sarkar, Another look at tightness II: practical issues in cryptography. in Paradigms in Cryptology–Mycrypt 2016. Malicious and Exploratory Cryptology–Second International Conference, Mycrypt 2016, Kuala Lumpur, Malaysia, December 1-2, 2016, Revised Selected Papers, (2016), pp. 21–55.
J. Chen, H. Wee, Fully, (almost) tightly secure IBE and dual system groups. in R. Canetti, J.A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, (Springer, Heidelberg, August 2013), pp. 435–460.
B. Chevallier-Mames, An efficient CDH-based signature scheme with a tight security reduction. in V. Shoup, editor, CRYPTO 2005, volume 3621 of LNCS, (Springer, Heidelberg, August 2005), pp. 511–526.
G, Couteau, D. Hartmann, Shorter non-interactive zero-knowledge arguments and ZAPs for algebraic languages. in D. Micciancio, T. Ristenpart, editors, CRYPTO 2020, Part III, volume 12172 of LNCS, (Springer, Heidelberg, August 2020), pp. 768–798.
T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms. in G.R. Blakley, D. Chaum, editors, CRYPTO’84, volume 196 of LNCS, (Springer, Heidelberg, August 1984), pp. 10–18.
A. Enge, J. Milan, Implementing cryptographic pairings at standard security levels. in R.S. Chakraborty, V. Matyas, P. Schaumont, (eds), Security, Privacy, and Applied Cryptography Engineering - 4th International Conference, SPACE 2014, Pune, India, October 18-22, 2014. Proceedings, volume 8804 of Lecture Notes in Computer Science, (Springer, 2014), pp. 28–46.
A. Escala, J. Groth, Fine-tuning Groth-Sahai proofs. in H. Krawczyk, editor, PKC 2014, volume 8383 of LNCS, (Springer, Heidelberg, March 2014), pp. 630–649.
M. Franklin, editor, CRYPTO 2004, volume 3152 of LNCS. (Springer, Heidelberg, August 2004).
R. Gay, D. Hofheinz, E. Kiltz, H. Wee, Tightly CCA-secure encryption without pairings. in M. Fischlin, J.-S. Coron, editors, EUROCRYPT 2016, Part I, volume 9665 of LNCS, (Springer, Heidelberg, May 2016), pp. 1–27.
R. Gay, D. Hofheinz, L. Kohl, J. Pan, More efficient (almost) tightly secure structure-preserving signatures. in J.B. Nielsen, V. Rijmen, editors, EUROCRYPT 2018, Part II, volume 10821 of LNCS, (Springer, Heidelberg, April/May 2018), pp. 230–258.
R. Gennaro, M.J.B. Robshaw, editors. CRYPTO 2015, Part II, volume 9216 of LNCS. (Springer, Heidelberg, August 2015).
R. Granger, D. Page, N.P. Smart, High security pairing-based cryptography revisited. in F. Hess, S. Pauli, M.E. Pohst, editors, Algorithmic Number Theory, 7th International Symposium, ANTS-VII, Berlin, Germany, July 23-28, 2006, Proceedings, volume 4076 of Lecture Notes in Computer Science, (Springer, 2006), pp. 480–494.
G. Grewal, R. Azarderakhsh, P. Longa, S. Hu, D. Jao, Efficient implementation of bilinear pairings on ARM processors. in L.R. Knudsen, H. Wu, editors, SAC 2012, volume 7707 of LNCS, (Springer, Heidelberg, August 2013), pp. 149–165.
J. Groth, Simulation-sound NIZK proofs for a practical language and constant size group signatures. in Xuejia Lai and Kefei Chen, editors, ASIACRYPT 2006, volume 4284 of LNCS, (Springer, Heidelberg, December 2006), pp. 444–459.
J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups. SIAM J. Comput., 41(5), 1193–1232 (2012)
Article MathSciNet MATH Google Scholar
D. Hofheinz, Algebraic partitioning: fully compact and (almost) tightly secure cryptography. in E. Kushilevitz, T. Malkin, editors, TCC 2016-A, Part I, volume 9562 of LNCS, (Springer, Heidelberg, January 2016), pp. 251–281.
D. Hofheinz, Adaptive partitioning. in J.-S. Coron, J.B. Nielsen, editors, EUROCRYPT 2017, Part III, volume 10212 of LNCS, (Springer, Heidelberg, April/May 2017), pp. 489–518.
D. Hofheinz, T. Jager, Tightly secure signatures and public-key encryption. Des. Codes Cryptography, 80(1), 29–61 (2016)
Article MathSciNet MATH Google Scholar
T. Iwata, J.H. Cheon, editors, ASIACRYPT 2015, Part I, volume 9452 of LNCS. (Springer, Heidelberg, November/December 2015).
C.S. Jutla, M. Ohkubo, A. Roy, Improved (almost) tightly-secure structure-preserving signatures. in M. Abdalla, R. Dahab, editors, PKC 2018, Part II, volume 10770 of LNCS, (Springer, Heidelberg, March 2018), pp. 123–152.
C.S. Jutla, A. Roy, Improved structure preserving signatures under standard bilinear assumptions. Cryptology ePrint Archive, Report 2017/025, (2017). http://eprint.iacr.org/2017/025.
C.S. Jutla, A. Roy, Improved structure preserving signatures under standard bilinear assumptions. in Public-Key Cryptography–PKC 2017—20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28–31, 2017, Proceedings, Part II, (2017), pp. 183–209.
J. Katz, N. Wang, Efficiency improvements for signature schemes with tight security reductions. in S. Jajodia, V. Atluri, T. Jaeger, editors, ACM CCS 2003, (ACM Press, 2003), pp. 155–164.
E. Kiltz, J. Pan, H. Wee, Structure-preserving signatures from standard assumptions, revisited. in R. Gennaro, M.J.B. Robshaw, editors, [36], (2015), pp. 275–295.
T. Kim, R. Barbulescu, Extended tower number field sieve: A new complexity for the medium prime case. in M. Robshaw, J. Katz, editors, CRYPTO 2016, Part I, volume 9814 of LNCS, (Springer, Heidelberg, August 2016), pp. 543–571.
B. Libert, M. Joye, M. Yung, T. Peters, Concise multi-challenge CCA-secure encryption and signatures with almost tight security. in P. Sarkar, T. Iwata, editors, ASIACRYPT 2014, Part II, volume 8874 of LNCS, (Springer, Heidelberg, December 2014), pp. 1–21.
B. Libert, T. Peters, M. Joye, M. Yung, Compactly hiding linear spans—tightly secure constant-size simulation-sound QA-NIZK proofs and applications. in T. Iwata, J.H. Cheon, editors, [44], (2015), pp. 681–707.
B. Libert, T. Peters, M. Yung, Short group signatures via structure-preserving signatures: standard model security from simple assumptions. in R. Gennaro, M.J.B. Robshaw, editor, [36] (2009) pp. 296–316.
S. Schäge, Tight proofs for signature schemes without random oracles. in Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, (Springer, Heidelberg, May 2011), pp. 189–206.
M. Scott, On the efficient implementation of pairing-based protocols. in L. Chen, editor, 13th IMA International Conference on Cryptography and Coding, volume 7089 of LNCS, (Springer, Heidelberg, December 2011), pp. 296–308.
R. Verma, Efficient implementations of pairing-based cryptography on embedded systems. PhD thesis, (Rochester Institute of Technology, New York, USA, 2015).
I. Visconti, R. De Prisco, editors. SCN 12, volume 7485 of LNCS. (Springer, Heidelberg, September 2012).

Download references

Acknowledgements

We thank Mehdi Tibouch and Taechan Kim for their valuable discussion on parameters settings for bilinear groups.

Funding

Open access funding provided by NTNU Norwegian University of Science and Technology (incl St. Olavs Hospital - Trondheim University Hospital)

Author information

Authors and Affiliations

NTT Social Informatics Laboratories, Tokyo, Japan
Masayuki Abe & Ryo Nishimaki
ETH Zurich, Zurich, Switzerland
Dennis Hofheinz
Security Fundamentals Laboratory, CSR, NICT, Tokyo, Japan
Miyako Ohkubo
Department of Mathematical Sciences, Norwegian University of Science and Technology, Trondheim, Norway
Jiaxin Pan

Authors

Masayuki Abe
View author publications
You can also search for this author in PubMed Google Scholar
Dennis Hofheinz
View author publications
You can also search for this author in PubMed Google Scholar
Ryo Nishimaki
View author publications
You can also search for this author in PubMed Google Scholar
Miyako Ohkubo
View author publications
You can also search for this author in PubMed Google Scholar
Jiaxin Pan
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jiaxin Pan.

Additional information

Communicated by Daniele Micciancio.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

A preliminary version appeared in the proceedings of CRYPTO 2017.

D. Hofheinz, supported by DFG Grants HO 4534/4-1 and HO 4534/2-2.

J. Pan, supported by DFG Grant HO 4534/4-1.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Abe, M., Hofheinz, D., Nishimaki, R. et al. Compact Structure-Preserving Signatures with Almost Tight Security. J Cryptol 36, 37 (2023). https://doi.org/10.1007/s00145-023-09477-z

Download citation

Received: 06 August 2018
Revised: 06 July 2023
Accepted: 07 July 2023
Published: 10 August 2023
DOI: https://doi.org/10.1007/s00145-023-09477-z

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

\(\textsf{Gen}(\textsf{par})\):	\(\textsf{Sign}(\textit{sk},\textsf{M})\):	\(\textsf{Ver}(\textit{pk},\textsf{M},\sigma )\):
\((\textit{pk}_1,\textit{sk}_1)\xleftarrow {\$}\textsf{G}(\textsf{par})\)	\((\textit{opk},\textit{osk}) \xleftarrow {\$}\textsf{Update}(\textsf{par})\)	Parse \(\sigma =(\textit{opk},\sigma _1,\sigma _2) \)
\((\textit{pk}_2,\textit{sk}_2) \xleftarrow {\$}\textsf{Gen}'(\textsf{par})\)	\(\sigma _1 \xleftarrow {\$}\textsf{S}(\textit{sk}_1,\textit{osk},\textsf{M})\)	If \( \textsf{V}(\textit{pk}_1,\textit{opk},\textsf{M},\sigma _1)=1\)
\(\textit{pk}:=(\textit{pk}_1,\textit{pk}_2)\)	\(\sigma _2 \xleftarrow {\$}\textsf{Sign}'(\textit{sk}_2,\textit{opk})\)	\(\wedge ~\textsf{Ver}'(\textit{pk}_2,\textit{opk},\sigma _2)=1\)
\(\textit{sk}:=(\textit{sk}_1,\textit{sk}_2)\)	Return \((\textit{opk},\sigma _1,\sigma _2)\)	then return 1
Return \((\textit{pk},\textit{sk})\)		Else return 0

Compact Structure-Preserving Signatures with Almost Tight Security

Abstract

Similar content being viewed by others

Compact Structure-Preserving Signatures with Almost Tight Security

Improved (Almost) Tightly-Secure Structure-Preserving Signatures

Improved Structure Preserving Signatures Under Standard Bilinear Assumptions

1 Introduction

1.1 Background

1.2 Our Contributions

1.3 Technical Overview

1.4 Difference to the Previous Version

1.5 Follow-up Works and Open Problems

1.6 Organization

2 Preliminaries

2.1 Notations

2.2 Pairing Groups and Diffie–Hellman Assumptions

Definition 2.1

2.3 Structure-Preserving Signatures

Definition 2.2

Definition 2.3

Definition 2.4

Definition 2.5

Theorem 2.6

2.4 Public-Key Encryption Schemes

Definition 2.7

Definition 2.8

2.5 The Groth–Sahai Proof System

Definition 2.9

Definition 2.10

3 Generic Construction

3.1 Scheme Description

Remark 3.1

Remark 3.2

Remark 3.3

Remark 3.4

Remark 3.5

3.2 Overview of Security Proof

3.2.1 Improvement on the Security Loss

3.3 Security Proof

Theorem 3.6

Proof

Lemma 3.7

Lemma 3.8

Lemma 3.9

Proof

Lemma 3.10

Lemma 3.11

Proof

3.3.1 From \(\textsf{G}_0\) to \(\textsf{G}_1\): Proof of Lemma 3.8

Lemma 3.12

Lemma 3.13

Proof

Lemma 3.14

Proof

Lemma 3.15

Proof

Lemma 3.16

Proof

Lemma 3.17

Proof

Lemma 3.18

Proof

Lemma 3.19

Proof

Lemma 3.20

Proof

Lemma 3.21

Proof

Lemma 3.22

Proof

Lemma 3.23

Proof

Lemma 3.24

Proof

Lemma 3.25

Proof

Lemma 3.26

Lemma 3.27

Proof

Lemma 3.28