Algebraic Partitioning: Fully Compact and (almost) Tightly Secure Cryptography
Abstract
We describe a new technique for conducting “partitioning arguments”. Partitioning arguments are a popular way to prove the security of a cryptographic scheme. For instance, to prove the security of a signature scheme, a partitioning argument could divide the set of messages into “signable” messages for which a signature can be simulated during the proof, and “unsignable” ones for which any signature would allow to solve a computational problem. During the security proof, we would then hope that an adversary only requests signatures for signable messages, and later forges a signature for an unsignable one.
In this work, we develop a new class of partitioning arguments from simple assumptions. Unlike previous partitioning strategies, ours is based upon an algebraic property of the partitioned elements (e.g., the signed messages), and not on their bit structure. This allows the partitioning to be performed efficiently in a “hidden” way, such that already a single “slot” for a partitioning operation in the scheme can be used to implement many different partitionings sequentially, one after the other. As a consequence, we can construct complex partitionings out of simple basic (but algebraic) partitionings in a very space-efficient way.
As a demonstration of our technique, we provide the first signature and public-key encryption schemes that achieve the following properties simultaneously: they are (almost) tightly secure under a simple assumption, and they are fully compact (in the sense that parameters, keys, and signatures, resp. ciphertexts only comprise a constant number of group elements).
Keywords
Partitioning arguments Tight security proofs Digital signatures Publickey encryption1 Introduction
Partitioning Arguments. Many security reductions rely on a partitioning argument. Informally, a partitioning argument divides the parts of a large system into those parts that are under the control of the simulation, and those parts into which a computational challenge can be embedded. For instance, a partitioning argument for a signature scheme could divide the set of messages into “signable messages” (for which a signature can be generated by the security reduction), and “unsignable messages” (for which any signature would solve an underlying problem). During the security reduction, we hope that an adversary only asks for the signatures of signable messages, but forges a signature for an unsignable one. Partitioning arguments are a popular means for proving the security of signature schemes (e.g., [17, 29, 35, 38]), identity-based encryption schemes (e.g., [9, 10, 14, 38]), or tightly secure cryptosystems (e.g., [6, 15, 32]).
The Complexity of Bit-based Partitioning. All of the above works (except for [10, 17], which use a programmable random oracle to implement a partitioning) partition messages or identities according to their bit representation. For instance, in the signature scheme from [29], messages are signable precisely if they do not start with a particular bit prefix. This non-algebraic approach requires a certain preparation in the scheme itself: already the scheme must establish certain distinctions of messages based on their bit representation. For instance, the signature scheme of [38] uses a hash function of the form \(H(M)=h_0\prod _j h_{j,M _j}\), where \(M _j\) are the bits of the signed message \(M\), and \(h_0\) and the \(h_{j,b}\) are public group elements. This leads to comparatively large public parameters or keys, in particular because all potential distinctions (based on the values of the \(M _j\)) are already present in the scheme.
Our Contribution. In this work, we develop an entirely different partitioning approach: instead of partitioning based on the bit representation, we partition according to a simple algebraic predicate. Namely, we view a message \(M\) as above as a \(\mathbb {Z} _p\)-element, and consider various Legendre symbols \(L_j=\big (\frac{f _j(M)}{p}\big ) \) for different affine functions \(f _j\). Taken together, sufficiently many \(L_j\) uniquely determine \(M\), but the computation of each \(L_j\) can be encoded as a series of \(\mathbb {Z} _p\)-operations.^{1} Intuitively, this algebraic property allows us to “internalize” and hide the computations of the \(L_j\), e.g., by hiding the \(f _j\) inside a homomorphic commitment. As a consequence, only one “universal” partitioning (according to a single \(L_j\)) needs to be performed in the scheme itself; in the analysis, several simple partitionings can then be implemented sequentially, by varying the \(f _j\).
Comparison with Previous Partitioning Techniques. Compared to previous, bit-based partitioning approaches, our new strategy has the advantage that it simultaneously leads to compact schemes and to a tight security reduction. Previous partitioning strategies were either based on more complex partitionings (such as [9, 29, 35, 38]) that lead to a non-tight security reduction, or on a sequence of simple bit-based partitionings (such as [6, 15, 32]) that lead to large public parameters or keys. In contrast, we support many simple algebraic partitionings (and thus a tight security reduction), but we occupy only one “partitioning slot” in the public parameters. This leads to tightly secure and very compact applications, as we will detail next.
Applications. Specifically, we demonstrate the usefulness of our partitioning technique by describing the first (almost) tightly secure signature and PKE schemes that are fully compact, in the sense that parameters, keys, and signatures (resp. ciphertexts) only contain a constant number of group elements. Our security reduction loses only a factor of \(\mathbf {O} (k)\), where \(k\) is the security parameter. In particular, our security reduction does not degrade in the number of users or signatures, resp. ciphertexts. The security of our schemes is based upon the Decisional Diffie-Hellman (DDH) assumption in both preimage groups of a pairing. (This assumption is also called “Symmetric External Diffie-Hellman” or SXDH.) Tables 1 and 2 give a more detailed comparison with existing schemes.
In the following, we give more details on our techniques and results. To do so, we start with a little background concerning our applications.
Tight Security Reductions. To argue for the security of a given cryptographic scheme \(S\), we usually employ a security reduction. That is, we try to argue that every hypothetical adversary \(\mathcal {A} _S\) on \(S\) can be converted into an adversary \(\mathcal {A} _P\) on an allegedly hard computational problem \(P\). In that sense, the only way to break \(S\) is to solve \(P\). Of course, we are mostly interested in reductions to well-investigated problems \(P\). Furthermore, there are reasons to consider the tightness of the reduction: a tight reduction guarantees that \(\mathcal {A} _P\)’s success \(\varepsilon _P\) in solving \(P\) (in a reasonable metric) is about the same as \(\mathcal {A} _S\)’s success \(\varepsilon _S\) in attacking \(S\).
To explain the impact of a (non-)tight reduction in more detail, consider a public-key encryption (PKE) scheme \(S\) that is deployed in a many-user environment. In this setting, an adversary \(\mathcal {A} _S\) on \(S\) may observe, say, \(n_C \) ciphertexts generated for each of the, say, \(n_U\) users. Most known security reductions in this setting are non-tight, in the sense that \(\varepsilon _P\le \frac{\varepsilon _S}{n_U\cdot n_C}\). As a consequence, key-length recommendations should also take \(n_U\) and \(n_C \) into account; no “universal” key-length recommendation can be given for such a scheme. This is particularly problematic in settings that grow significantly beyond initial expectations.
Tightly Secure Encryption and Signature Schemes. The construction of tightly secure cryptographic schemes appears to be a non-trivial task. For instance, although already explicitly considered in 2000 [3], tightly secure PKE schemes have only been constructed very recently [2, 6, 15, 28, 32].^{2,3} Moreover, the schemes from [2, 28] have rather large ciphertexts, and the schemes induced by [6, 15] and from [32] require large parameters (but offer small keys and ciphertexts).
Table 1. Comparison of different (at least almost) tightly EUF-CMA secure signature schemes from simple\(^4\) assumptions in pairing-friendly groups. The parameters, verification key, and signature columns denote space complexity, measured in group elements. The reduction loss column denotes the (multiplicative) loss of the security reduction to the respective assumption. For the schemes from [6, 15], we assume the signature scheme induced by the presented IBE scheme. Furthermore, \(n=\Theta (k)\) denotes the bit-length of the signed message (if the signed message is a bitstring and not a group element or an exponent). We note that [32] mention that their scheme can be generalized to the \(d\)-LIN assumption (including \(1\)-LIN = DDH). However, since they only give explicit complexities for the arising signatures (identical to the ones from [6]), we restrict to their DLIN-based scheme. Finally, we remark that all of these schemes (except for [12]) imply tightly secure PKE schemes (cf. Table 2).

| Scheme | Parameters | Verification key | Signature | Reduction loss | Assumption |
|---|---|---|---|---|---|
| BMS03 [12] | \(0\) | \(k+3\) | \(k+1\) | \(\mathbf {O} (k)\) | CDH |
| HJ12 [28] | \(2\) | \(28\) | \(8k+22\) | \(\mathbf {O} (1)\) | DLIN |
| CW13 [15] | \(2d^2(2n+1)\) | \(d\) | \(4d\) | \(\mathbf {O} (k)\) | \(d\)-LIN |
| BKP14 [6] | \(d\) | \(d^2(2n+1)\) | \(2d+1\) | \(\mathbf {O} (k)\) | \(\mathcal {D}_d\)-MDDH |
| LJYP14 [32] | \(0\) | \(\mathbf {O} (d^2n)\) | \(2d+1\) | \(\mathbf {O} (k)\) | \(d\)-LIN |
| This work | \(14\) | \(6\) | \(25\) | \(\mathbf {O} (k)\) | DDH |
Table 2. Comparison of different (at least almost) tightly IND-CCA secure PKE schemes from simple\(^4\) assumptions. As in Table 1, the parameters, public key, and ciphertext columns denote space complexity, measured in group elements, and the reduction loss column denotes the (multiplicative) loss of the security reduction to the respective assumption. For the schemes from [6, 15], we assume the PKE scheme induced by the respective signature scheme when going through the construction of [28]. We note that [32] only describe a symmetric-pairing version of their scheme, so their DDH-based scheme is not explicit. However, we expect that their DDH-based scheme has slightly more compact ciphertexts than ours.

| Scheme | Parameters | Public key | Ciphertext | Reduction loss | Assumption |
|---|---|---|---|---|---|
| HJ12 [28] | \(\mathbf {O} (1)\) | \(\mathbf {O} (1)\) | \(\mathbf {O} (k)\) | \(\mathbf {O} (1)\) | DLIN |
| AKDNO13 [2] | \(\mathbf {O} (1)\) | \(\mathbf {O} (1)\) | \(\mathbf {O} (k)\) | \(\mathbf {O} (1)\) | DLIN |
| CW13 [15] | \(\mathbf {O} (d^2k)\) | \(\mathbf {O} (d)\) | \(\mathbf {O} (d)\) | \(\mathbf {O} (k)\) | \(d\)-LIN |
| BKP14 [6] | \(\mathbf {O} (d)\) | \(\mathbf {O} (d^2k)\) | \(\mathbf {O} (d)\) | \(\mathbf {O} (k)\) | \(\mathcal {D}_d\)-MDDH |
| LJYP14 [32] | \(\mathbf {O} (1)\) | \(\mathbf {O} (d^2k)\) | \(\mathbf {O} (d)\) | \(\mathbf {O} (k)\) | \(d\)-LIN |
| LJYP14 [32] | \(3\) | \(24k+30\) | \(69\) | \(\mathbf {O} (k)\) | DLIN |
| This work | \(15\) | \(2\) | \(60\) | \(\mathbf {O} (k)\) | DDH |
Thus, the difference between the \((i-1)\)th and the \(i\)th hybrid is an additional dependency of used secret keys on the \(i\)th message bit \(M _i\). To progress from hybrid \(i-1\) to hybrid \(i\), Chen and Wee first partition the message space in two halves (according to \(M _i\)). Then, using an elaborate argument, they consistently modify the secret keys used for messages from one half, and thus essentially decouple those keys from the keys used for messages from the other half. This creates an additional dependency on \(M _i\). After \(n=|M|\) such steps, each signature uses a different secret key (up to multiple signatures of the same message). In particular, \(\mathcal {A}\) gets no information about the secret key \( sigk _{M ^*_1,\dots ,M ^*_n}\) used to verify its own forgery, and existential unforgeability follows.
We would like to highlight the partitioning character of their analysis: in their proof, Chen and Wee introduce more and more dependencies of signatures on the corresponding messages, and each such dependency is based upon a different partitioning of the message space.^{6} Now observe that already regular signatures (as in (1)) feature distinctions based on all bits of \(M\). These distinctions provide the technical tool to introduce dependencies in the security proof. However, as a consequence, rather complex joint distributions need to be sampled during signature generation, which results in public parameters of \(\mathbf {O} (n)\) group elements.
“Either \(C \) encrypts the secret key \(X\), or \(f (M)\in \mathbb {Z} _p\) is a quadratic residue (or both).”
Here, \(p\) is the order of the underlying group, and \(f:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\) is an affine function fixed (but hidden) in the verification key. Implicitly, this provides a single partitioning of messages into those for which \(f (M)\) is a quadratic residue, and those for which \(f (M)\) is not. However, since \(f\) is hidden, many partitionings can be induced (one after the other) by varying \(f\) during a proof.
In fact, during the security proof, this partitioning will fulfill the same role as the bit-based partitioning in the analysis of Chen and Wee. In particular, it will help to introduce additional dependencies of the signature on the message. More specifically, in the \(i\)th hybrid of the security proof, \(C \) will not encrypt \(X\), but a value \(X _{M}\) that depends on the \(i\) Legendre symbols \(\big (\frac{f _j(M)}{p}\big ) \) for randomly chosen (but fixed) affine functions \(f _1,\dots ,f _i\). Each new such dependency is introduced by first refreshing the affine function \(f\) hidden in \( vk \), and then modifying all values encrypted in signatures whenever possible (i.e., whenever \(f (M)\) is a quadratic residue).^{7} Observe that the single explicit partitioning in regular signatures is used several times (for different \(f _j\)) to introduce many dependencies of signatures on messages in the proof. The remaining strategy can then be implemented as in [15].
Our different strategy to partition the message space results in a very compact scheme. Namely, since only one explicit partitioning step is performed in the scheme, parameters, keys, and signatures comprise only a constant number of group elements. Specifically, parameters, keys, and signatures contain \(14\), \(6\), and \(25\) group elements, respectively. Besides, our scheme is compatible with Groth-Sahai proofs [26]. Hence, when used in the construction of [28], we immediately get the first compact (in the above sense) PKE scheme that is tightly IND-CCA secure under a simple assumption.^{8}
Different Perspective: Our Scheme as a MAC. So far our high-level discussion can be equally used to justify a similar message authentication code (MAC), in which verification is non-public. Such a MAC can then be converted into a signature scheme, e.g., using the technique of Bellare and Goldwasser [4].^{9} One could hope that this yields a more modular construction, possibly with a MAC as a simpler basic building block. (In particular, this approach was suggested by a reviewer.)
In this work, we still present our idea directly in terms of a signature scheme. One reason is that a MAC following the strategy described above would actually not be significantly less complex than a full signature scheme. In particular, already a MAC would require Groth-Sahai proofs. Moreover, a modular approach in the spirit of [4] would require “algebraically compatible” building blocks (to allow for an efficient and tightly secure overall scheme), and would seem to lead to a more complex presentation.
Open Problems. Besides of course obtaining more efficient (and compact) schemes, it would be interesting to apply similar ideas in the identity-based setting. Specifically, currently there is no fully compact identity-based encryption (IBE) scheme whose security can be tightly based on a standard assumption.^{10} However, it is not obvious how to use algebraic partitioning in the identity-based setting. Specifically, it is not clear how to “derive functionality” from valid signature proofs, in the following sense.
Namely, first note that IBE schemes can be interpreted as signature schemes, in a sense noted by Naor (cf. [11]): IBE user secret keys for an identity \(M\) correspond to signatures for message \(M\), and verification simply checks whether the alleged signature works as a decryption key for identity \(M\). It is natural to use the same interpretation to try to “upgrade” a signature scheme to an IBE scheme. For this strategy, however, one must find a way to make a signature \(\sigma \) act as a decryption trapdoor, and thus to “derive functionality from \(\sigma \)” (as opposed to just checking \(\sigma \) for validity). In common discrete-log-based IBE schemes, this functionality property is achieved by the fact that a pairing operation is used to pair IBE user secret keys with ciphertext elements. The result of this pairing operation is then a common secret that is shared between encryptor and decryptor.
Our strategy, however, crucially uses quadratic \(\mathbb {Z} _p\)-equations in signatures (to implement the algebraic partitioning of messages). In particular, our signature scheme uses a pairing operation already to implement these quadratic equations (even though signatures in our scheme consist solely of group elements in the source group of the pairing). As a consequence, the pairing operation cannot be used anymore to derive a common secret shared with the encryptor. Hence, at least a straightforward way to turn our signature scheme into an IBE scheme fails.^{11}
Roadmap. After recalling some basic definitions, we present our signature scheme in Sect. 3. In Sect. 4, we give a direct construction of a PKE scheme derived from our signature scheme. In Sect. 5, we give more details on the exact Groth-Sahai equations arising from the consistency proofs of signatures and ciphertexts. In Appendix A, we provide additional illustrations for the proof of our signature scheme.
2 Preliminaries
Notation. Throughout the paper, \(k\in \mathbb {N} \) denotes the security parameter. For \(n\in \mathbb {N} \), let \([n]:=\{1,\ldots ,n\}\). For a finite set \(S\), we denote with \(s\leftarrow S\) the process of sampling \(s\) uniformly from \(S\). For a probabilistic algorithm \(A\), we denote with \(y\leftarrow A(x;R)\) the process of running \(A\) on input \(x\) and with randomness \(R\), and assigning \(y\) the result. We write \(y\leftarrow A(x)\) for \(y\leftarrow A(x;R)\) with uniformly chosen \(R\), and we write \(A(x)=y\) for the event that \(A(x;R)\) (for uniform \(R\)) outputs \(y\). If \(A\)’s running time is polynomial in \(k\), then \(A\) is called probabilistic polynomial-time (PPT). A function \(f:\mathbb {N} \rightarrow \mathbb {R} \) is negligible if it vanishes faster than the inverse of any polynomial (i.e., if \(\forall c\,\exists k_0\,\forall k\ge k_0:f(k)\le 1/k^c\)).
Collision-Resistant Hashing. A hash function generator is a PPT algorithm \(\mathcal {H}\) that, on input \(1^k\), outputs (the description of) an efficiently computable function \(\mathrm {H}:\{0,1\}^*\rightarrow \{0,1\}^k\).
Definition 1
Signature Schemes. A signature scheme \(\mathrm {SIG}\) consists of four PPT algorithms \(\mathrm {SPars},\mathrm {SGen},\mathrm {Sig},\mathrm {Ver} \). Parameter generation \(\mathrm {SPars} (1^k)\) outputs public parameters \( spp \) that are shared among all users. Key generation \(\mathrm {SGen} ( spp )\) takes public parameters \( spp \), and outputs a verification key \( vk \) and a signing key \( sigk \). The signature algorithm \(\mathrm {Sig} ( spp , sigk ,M)\) takes public parameters \( spp \), a signing key \( sigk \), and a message \(M\), and outputs a signature \(\sigma \). Verification \(\mathrm {Ver} ( spp , vk ,M,\sigma )\) takes public parameters \( spp \), a verification key \( vk \), a message \(M\), and a potential signature \(\sigma \), and outputs a verdict \(b\in \{0,1\}\). For correctness, we require that \(\mathrm {Ver} ( spp , vk ,M,\sigma )=1\) always and for all \(M\), all \(( vk , sigk )\leftarrow \mathrm {SGen} (1^k)\), and all \(\sigma \leftarrow \mathrm {Sig} ( spp , sigk ,M)\). For the sake of readability, we will omit the public parameters \( spp \) from invocations of \(\mathrm {Sig}\) and \(\mathrm {Ver}\) when the reference is clear.
Definition 2
1. \(\mathcal {A}\) specifies (in unary) the number \(n_U\in \mathbb {N} \) of desired scheme instances.
2. The experiment then samples parameters \( spp \leftarrow \mathrm {SPars} (1^k)\) as well as \(n_U\) keypairs \(( vk ^{(\ell )}, sigk ^{(\ell )})\leftarrow \mathrm {SGen} ( spp )\).
3. \(\mathcal {A}\) is invoked on input \((1^k, spp ,( vk ^{(\ell )})_{\ell =1}^{n_U})\), and gets access to signing oracles \(\mathrm {Sig} ( sigk ^{(\ell )},\cdot )\) for all \(\ell \in [n_U]\). Finally, \(\mathcal {A}\) outputs an index \(\ell ^*\in [n_U]\) and a potential forgery \((M ^*,\sigma ^*)\).
4. \(\mathcal {A}\) wins iff \(\mathrm {Ver} ( vk ^{(\ell ^*)},M ^*,\sigma ^*)=1\) and \(M ^*\) was not queried to \(\mathrm {Sig} ( sigk ^{(\ell ^*)},\cdot )\).
Let \(\mathrm {Adv}^{ eufmcma }_{\mathrm {SIG},\mathcal {A}} (k)\) denote the probability that \(\mathcal {A}\) wins in the above experiment. We say that \(\mathrm {SIG}\) is existentially unforgeable under chosen-message attacks in the multi-user setting (EUF-mCMA secure) iff \(\mathrm {Adv}^{ eufmcma }_{\mathrm {SIG},\mathcal {A}} (k)\) is negligible for every PPT \(\mathcal {A}\). Let \(\mathrm {Adv}^{ oteufmcma }_{\mathrm {SIG},\mathcal {A}} (k)\) be the probability that \(\mathcal {A}\) wins in the slightly modified experiment in which only one \(\mathrm {Sig}\)-query to each scheme instance \(\ell \) is allowed. We say that \(\mathrm {SIG}\) is existentially unforgeable under one-time chosen-message attacks in the multi-user setting (OT-EUF-mCMA secure) iff \(\mathrm {Adv}^{ oteufmcma }_{\mathrm {SIG},\mathcal {A}} (k)\) is negligible for every PPT \(\mathcal {A}\).
Public-key Encryption Schemes. A public-key encryption (PKE) scheme \(\mathrm {PKE}\) consists of four PPT algorithms \((\mathrm {EPars},\mathrm {EGen},\mathrm {Enc},\mathrm {Dec})\). The parameter generation algorithm \(\mathrm {EPars} (1^k)\) outputs public parameters \( epp \). Key generation \(\mathrm {EGen} ( epp )\) outputs a public key \( pk \) and a secret key \( sk \). Encryption \(\mathrm {Enc} ( epp , pk ,M)\) takes parameters \( epp \), a public key \( pk \), and a message \(M\), and outputs a ciphertext \(C \). Decryption \(\mathrm {Dec} ( epp , sk ,C)\) takes public parameters \( epp \), a secret key \( sk \), and a ciphertext \(C \), and outputs a message \(M\). For correctness, we require \(\mathrm {Dec} ( epp , sk ,C)=M \) always and for all \(M\), all \( epp \leftarrow \mathrm {EPars} (1^k)\), all \(( pk , sk )\leftarrow \mathrm {EGen} ( epp )\), and all \(C \leftarrow \mathrm {Enc} ( epp , pk ,M)\). As with signatures, we usually omit the public parameters \( epp \) from invocations of \(\mathrm {Enc}\) and \(\mathrm {Dec}\).
Definition 3
1. \(\mathcal {A}\) specifies (in unary) the number \(n_U\in \mathbb {N} \) of desired scheme instances.
2. The experiment samples parameters \( epp \leftarrow \mathrm {EPars} (1^k)\), and \(n_U\) keypairs through \(( pk ^{(\ell )}, sk ^{(\ell )})\leftarrow \mathrm {EGen} ( epp )\), and uniformly chooses a bit \(b\leftarrow \{0,1\}\).
3. \(\mathcal {A}\) is invoked on input \((1^k, epp ,( pk ^{(\ell )})_{\ell =1}^{n_U})\), and gets access to challenge oracles \(\mathcal {O}^{(\ell )} \) and decryption oracles \(\mathrm {Dec} ( sk ^{(\ell )},\cdot )\) for all \(\ell \in [n_U]\). Here, challenge oracle \(\mathcal {O}^{(\ell )} \), on input two messages \(M _0,M _1\), outputs an encryption \(C \leftarrow \mathrm {Enc} ( pk ^{(\ell )},M _b)\) of \(M _b\).
4. Finally, \(\mathcal {A}\) outputs a bit \(b'\), and the experiment outputs \(1\) iff \(b=b'\).
Quadratic Residues and Legendre Symbols. Let \(p\) be a prime. Then, \(\mathrm {QR} _p\subseteq \mathbb {Z} _p^*\) is the set of quadratic residues modulo \(p\), i.e., the set of all \(x\in \mathbb {Z} _p^*\) for which an \(r\in \mathbb {Z} _p^*\) with \(r^2=x~\mathrm{mod}~p\) exists. Given \(p\) and an \(x\in \mathrm {QR} _p\), such an \(r\) can be computed efficiently. For \(x\in \mathbb {Z} _p\), we let \(\big (\frac{x}{p}\big ) =x^{\frac{p-1}{2}}\mathrm{mod}~p\) denote the Legendre symbol of \(x\) modulo \(p\). We have \(\big (\frac{x}{p}\big ) \in \{-1,0,1\}\), and in particular \(\big (\frac{x}{p}\big ) =1\,\Leftrightarrow \, x\in \mathrm {QR} _p\), as well as \(\big (\frac{x}{p}\big ) =0\,\Leftrightarrow \, x=0\), and \(\big (\frac{x}{p}\big ) =-1\,\Leftrightarrow \, x\in \mathbb {Z} _p^*\setminus \mathrm {QR} _p\).
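The following Python example is added here and is not part of the paper; it illustrates both the Legendre-symbol definition above and the algebraic partitioning from the introduction (the symbols \(L_j=\big (\frac{f _j(M)}{p}\big ) \) for affine \(f _j\)). It computes the symbol by Euler's criterion (a single \(\mathbb {Z} _p\) exponentiation, which is the algebraic property the partitioning relies on), extracts a square root for the special case \(p\equiv 3 \pmod 4\), and draws random affine functions until the resulting vectors of Legendre symbols separate a constructed set of messages. The prime \(p=1019\), the message set, and the helper name `functions_until_unique` are constructed for the demonstration.

```python
import random

# Constructed toy prime for illustration only; real schemes use p > 2^k.
# 1019 is prime and 1019 = 3 (mod 4), which makes square roots a single exponentiation.
P = 1019


def legendre(x: int, p: int = P) -> int:
    """Legendre symbol (x/p) via Euler's criterion: x^((p-1)/2) mod p, mapped to {-1, 0, 1}.

    The whole computation is one Z_p exponentiation, i.e. a series of Z_p
    multiplications: this is the algebraic property the paper's partitioning uses."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def sqrt_mod(x: int, p: int = P) -> int:
    """Square root of a quadratic residue x modulo p, for p = 3 (mod 4): r = x^((p+1)/4).

    (The general case uses Tonelli-Shanks; the special case suffices for this demo.)"""
    if p % 4 != 3 or legendre(x, p) != 1:
        raise ValueError("x must be a quadratic residue and p = 3 (mod 4)")
    r = pow(x, (p + 1) // 4, p)
    assert r * r % p == x % p
    return r


def affine(a: int, b: int, p: int = P):
    """The affine map f(M) = a*M + b over Z_p, as used for the f_j in the paper."""
    return lambda m: (a * m + b) % p


def partition_vector(m: int, fs, p: int = P):
    """Vector of Legendre symbols L_j = (f_j(M)/p). Each single L_j splits Z_p into
    messages with L_j = 1 ('signable' in the proof) and all others."""
    return tuple(legendre(f(m), p) for f in fs)


def functions_until_unique(messages, p: int = P, seed: int = 0, max_functions: int = 256):
    """Hypothetical helper: draw random affine f_j until the Legendre vectors of all
    given messages are pairwise distinct. Returns (fs, vectors).

    Two distinct messages agree on a random L_j with probability about 1/2, so
    roughly 2*log2(len(messages)) functions are expected to suffice."""
    rng = random.Random(seed)
    fs = []
    for _ in range(max_functions):
        a = rng.randrange(1, p)  # a != 0 keeps f_j a bijection on Z_p
        b = rng.randrange(p)
        fs.append(affine(a, b, p))
        vectors = [partition_vector(m, fs, p) for m in messages]
        if len(set(vectors)) == len(messages):
            return fs, vectors
    raise RuntimeError("messages not separated within max_functions")


if __name__ == "__main__":
    msgs = list(range(1, 21))  # constructed sample message set
    fs, vecs = functions_until_unique(msgs)
    print(f"{len(fs)} random affine functions separate {len(msgs)} messages")
    for m, v in zip(msgs, vecs):
        print(m, v)
```

Note that `legendre` never branches on the bits of its input: the partition is decided by arithmetic in \(\mathbb {Z} _p\) alone, which is exactly what lets the paper hide the coefficients of \(f\) inside a homomorphic commitment.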

- three groups \(\mathbb {G},\mathbb {\hat{G}},\mathbb {G}_T \) of the same prime order \(p\), along with \(p\), and generators \(g,\hat{g} \) of \(\mathbb {G},\mathbb {\hat{G}} \),
- a bilinear map \(e:\mathbb {G} \times \mathbb {\hat{G}} \rightarrow \mathbb {G}_T \) that is non-degenerate in the sense of \(e (g,\hat{g})\ne 1\in \mathbb {G}_T \).
Occasionally, it will also be useful to consider a pairing generator \(\mathcal {P}\) as a group generator (that only outputs \((\mathbb {G},p,g)\) or \((\mathbb {\hat{G}},p,\hat{g})\)).
Assumption 1
ElGamal Encryption. The ElGamal encryption scheme \(\mathrm {PKE}_{\mathrm {eg}}\) is defined as follows, where we assume a suitable group generator \(\mathcal {G}\).
- \(\mathrm {EPars}_{\mathrm {eg}} (1^k)\) runs \((\mathbb {G},p,g)\leftarrow \mathcal {G} (1^k)\) and outputs \( epp =(\mathbb {G},p,g)\).
- \(\mathrm {EGen}_{\mathrm {eg}} ( epp )\) picks a uniform \( sk \leftarrow \mathbb {Z} _p\), sets \( pk =g^{ sk } \), and outputs \(( pk , sk )\).
- \(\mathrm {Enc}_{\mathrm {eg}} ( pk ,M)\), for \(M \in \mathbb {G} \), picks an \(R \leftarrow \mathbb {Z} _p\), and outputs \(C =(g^{R}, pk ^{R}\cdot M)\).
- \(\mathrm {Dec}_{\mathrm {eg}} ( sk ,C)\), for \(C =(C _1,C _2)\in \mathbb {G} ^2\), outputs \(M =C _2/C _1^{ sk }\).
The ElGamal scheme is tightly IND-mCPA secure under the DDH assumption in \(\mathbb {G}\). Concretely, for every valid IND-mCPA adversary \(\mathcal {A}\), there is a DDH adversary \(\mathcal {B}\) (of roughly the same complexity as the IND-mCPA experiment with \(\mathcal {A}\)) with \(\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B}} (k)=\mathrm {Adv}^{ indmcpa }_{\mathrm {PKE}_{\mathrm {eg}},\mathcal {A}} (k)\).
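As an added worked example (not code from the paper), the four ElGamal algorithms above implemented in Python over a constructed prime-order group: \(q=2039\) is a safe prime with \(q=2p+1\), \(p=1019\), so the quadratic residues modulo \(q\) form a subgroup \(\mathbb {G}\) of prime order \(p\) generated by \(g=4\). The example also exercises the multiplicative homomorphism of ElGamal ciphertexts, the same kind of property the paper uses when it hides values inside homomorphic commitments. The group size is a toy value with no security; the function names `epars_eg`, `egen_eg`, `enc_eg`, `dec_eg`, `in_group`, `encode` and `mul_ct` are chosen here and are not the paper's notation.

```python
import random

# Constructed toy group (insecure size, for illustration only): q = 2039 is a safe prime,
# q = 2p + 1 with p = 1019 prime, so the quadratic residues in Z_q^* form a subgroup G of
# prime order p. g = 4 = 2^2 is a residue different from 1, hence a generator of G.
Q, P, G_GEN = 2039, 1019, 4


def epars_eg():
    """EPars_eg(1^k): output the group description epp = (G, p, g), here encoded as (q, p, g)."""
    return (Q, P, G_GEN)


def in_group(epp, x: int) -> bool:
    """Membership test for G: x in Z_q^* with x^p = 1 (i.e. x is a quadratic residue mod q)."""
    q, p, _ = epp
    return 0 < x < q and pow(x, p, q) == 1


def encode(epp, m_int: int) -> int:
    """Constructed message encoding for the demo: map a small integer to the group element g^m."""
    q, _, g = epp
    return pow(g, m_int, q)


def egen_eg(epp, rng=random):
    """EGen_eg(epp): sk <- Z_p uniformly, pk = g^sk; returns (pk, sk)."""
    q, p, g = epp
    sk = rng.randrange(p)
    return pow(g, sk, q), sk


def enc_eg(epp, pk: int, m: int, rng=random):
    """Enc_eg(pk, M) for M in G: pick R <- Z_p, output C = (g^R, pk^R * M)."""
    q, p, g = epp
    if not in_group(epp, m):
        raise ValueError("message must be a group element")
    r = rng.randrange(p)
    return pow(g, r, q), pow(pk, r, q) * m % q


def dec_eg(epp, sk: int, c) -> int:
    """Dec_eg(sk, C) for C = (C1, C2): output M = C2 / C1^sk.

    C1 lies in the order-p subgroup, so C1^(-sk) = C1^(p - sk)."""
    q, p, _ = epp
    c1, c2 = c
    return c2 * pow(c1, (p - sk) % p, q) % q


def mul_ct(epp, c, c_prime):
    """Component-wise product of two ciphertexts under the same pk: it encrypts the
    product of the two plaintexts (ElGamal is multiplicatively homomorphic)."""
    q = epp[0]
    return c[0] * c_prime[0] % q, c[1] * c_prime[1] % q


if __name__ == "__main__":
    epp = epars_eg()
    pk, sk = egen_eg(epp)
    m1, m2 = encode(epp, 123), encode(epp, 45)
    c1, c2 = enc_eg(epp, pk, m1), enc_eg(epp, pk, m2)
    print("decrypt ok:", dec_eg(epp, sk, c1) == m1)
    print("homomorphic ok:", dec_eg(epp, sk, mul_ct(epp, c1, c2)) == encode(epp, 123 + 45))
```

The membership check in `enc_eg` matters in practice: encrypting an element outside the prime-order subgroup would leak information about the plaintext through the cofactor, which is why the definition restricts messages to \(M \in \mathbb {G} \).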
Groth-Sahai Proofs. In a setting with a pairing generator, Groth-Sahai proofs [26] provide a very versatile and efficient way to prove the satisfiability of very general classes of equations over \(\mathbb {G}\) and \(\mathbb {\hat{G}}\). We will not need them in full generality, and the next definition only captures a number of abstract properties of Groth-Sahai proofs we will use. In particular, we will not formalize the exact classes of languages amenable to Groth-Sahai proofs. (For the exact languages used in our application, however, we give more details in Sect. 5.1.) Like [18, 19], we formalize Groth-Sahai proofs as commit-and-prove systems:
Definition 4
(GS Proofs [26]). The Groth-Sahai proof system for a given pairing generator \(\mathcal {P}\) consists of the following PPT algorithms, where \( gpp \) denotes group parameters sampled by \(\mathcal {P}\).
- Common Reference Strings. \(\mathrm {HGen} ( gpp )\) and \(\mathrm {BGen} ( gpp )\) sample hiding, resp. binding common reference strings (CRSs) \(\mathrm {CRS}\).
- Commitments. For a (hiding or binding) CRS \(\mathrm {CRS}\) and a \(\mathbb {G}\)-, \(\mathbb {\hat{G}}\)-, or \(\mathbb {Z} _p\)-element \(v\), the commitment algorithm \(\mathrm {Com} ( gpp ,\mathrm {CRS},v;R)\) outputs a commitment \(C\), where \(R\) denotes the used random coins.
- Proofs. Let \(\mathrm {CRS}\) be a CRS, and let \(\mathcal {X}\) be a system of equations. Each equation may be over \(\mathbb {G}\), \(\mathbb {\hat{G}}\), or \(\mathbb {Z} _p\), and involve variables and constants. Let \((v _i)_i\) be a variable assignment that satisfies \(\mathcal {X}\), and let \((R _i)_i\) be a vector of random coins for \(\mathrm {Com}\). Then \(\mathrm {Prove} ( gpp ,\mathrm {CRS},\mathcal {X},(v _i,R _i)_i)\) outputs a proof \(\pi \).
- Verification. For a CRS \(\mathrm {CRS}\), a system \(\mathcal {X}\) of equations, a commitment vector \((C_i)_i\) to an assignment of the variables in \(\mathcal {X}\), and a proof \(\pi \), the verification algorithm \(\mathrm {Verify} ( gpp ,\mathrm {CRS},\mathcal {X},(C_i)_i,\pi )\) outputs a verdict \(b\in \{0,1\}\).
- Simulation. For a hiding CRS generated as \(\mathrm {CRS} \leftarrow \mathrm {HGen} ( gpp ;R _{\mathrm {CRS}})\), a system \(\mathcal {X}\) of equations, and a vector \((R _i)_i\) of commitment random coins, we have that \(\mathrm {Sim} ( gpp ,R _{\mathrm {CRS}},\mathcal {X},(R _i)_i)\) outputs a simulated proof \(\pi \).
As with signatures and encryption, we usually omit the group parameters \( gpp \) on invocations of \(\mathrm {Com},\mathrm {Prove},\mathrm {Verify},\mathrm {Sim} \) when the reference is clear.
Theorem 1
(Properties of GS Proofs [26]). The algorithms from Definition 4 satisfy the following for all choices group parameters \( gpp \leftarrow \mathcal {P} (1^k)\) (unless noted otherwise):

Homomorphic Commitments. For any (hiding or binding) CRS \(\mathrm {CRS}\), any two given commitments \(\mathrm {Com} (\mathrm {CRS},v;R)\) and \(\mathrm {Com} (\mathrm {CRS},v ';R ')\) to \(\mathbb {G}\)elements \(v,v '\) allow to efficiently compute a commitment \(\mathrm {Com} (\mathrm {CRS},v \cdot v ';R \cdot R ')\) to \(v \cdot v '\). (Note that the corresponding random coins \(R \cdot R '\) can be efficiently computed from \(R\) and \(R '\).) The same holds for two commitments to \(\mathbb {\hat{G}}\)elements, and two commitments to \(\mathbb {Z} _p\)elements (where the homomorphic operation on \(\mathbb {Z} _p\)elements is addition).

DualMode Commitments. Consider a commitment \(C\leftarrow \mathrm {Com} (\mathrm {CRS},v;R)\). If \(\mathrm {CRS}\) is binding, then C uniquely determines \(v\), and if \(\mathrm {CRS}\) is hiding, then the distribution of C does not depend on \(v\).
 CRS Indistinguishability. For every PPT adversary \(\mathcal {A}\), there are PPT adversaries \(\mathcal {A} _1\) and \(\mathcal {A} _2\) withwhere the probability is over \( gpp \leftarrow \mathcal {P} (1^k)\), and the random coins of \(\mathrm {HGen}\), \(\mathrm {BGen}\), and \(\mathcal {A}\).$$\begin{aligned}&\left \Pr \left[ {\mathcal {A} (1^{k},\mathrm {HGen} ( gpp ))=1}\right]  \Pr \left[ {\mathcal {A} (1^{k},\mathrm {BGen} ( gpp ))=1}\right] \right \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \le \left \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {A} _1} (k) \right + \left \mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {A} _2} (k) \right , \end{aligned}$$

Perfect Completeness. For every (hiding or binding) CRS \(\mathrm {CRS}\), every system \(\mathcal {X}\) of equations, every satisfying assignment \((v _i)_i\) of \(\mathcal {X}\), and every possible vector \((C_i)_i\) of commitments generated through \(C_i\leftarrow \mathrm {Com} (\mathrm {CRS},v _i;R _i)\), we have \(\mathrm {Verify} (\mathrm {CRS},\mathcal {X},(C_i)_i,\mathrm {Prove} (\mathrm {CRS},\mathcal {X},(v _i,R _i)_i))=1\) with probability \(1\).

Perfect Soundness. For every binding CRS \(\mathrm {CRS}\), every system \(\mathcal {X}\) of equations that is not satisfiable, and every \((C_i)_i\) and \(\pi \), \(\mathrm {Verify} (\mathrm {CRS},\mathcal {X},(C_i)_i,\pi )=0\) always.
 Perfect Simulation. For every hiding CRS \(\mathrm {CRS} \leftarrow \mathrm {HGen} ( gpp ;R _{\mathrm {CRS}})\), and every system \(\mathcal {X}\) of equations that is satisfied by a variable assignment \((v _i)_i\), the following two distributions are identical:(The probability space consists of the \(R _i\) and the coins of \(\mathrm {Prove}\) and \(\mathrm {Sim}\).)$$\begin{aligned} \bigl ( (C_i)_i,\;\mathrm {Prove} (\mathrm {CRS},\mathcal {X},(v _i,R _i)_i) \bigr )&\quad \text {for}\,\, C_i\leftarrow \mathrm {Com} (\mathrm {CRS},v _i;R _i) \,\mathrm{and~fresh} R _i, \\ \bigl ( (C_i)_i,\;\mathrm {Sim} (R _{\mathrm {CRS}},\mathcal {X},(R _i)_i) \bigr )&\quad \text {for}\,\, C_i\leftarrow \mathrm {Com} (\mathrm {CRS},1;R _i) \,\mathrm{and~fresh} R _i. \end{aligned}$$
Since simulation is perfect (in the sense above), it also holds for reused commitments (i.e., when multiple adaptively chosen statements \(\mathcal {X}\) that involve the same variables and commitments are proven, see also [18]). Besides, perfect simulation directly implies perfect witness-indistinguishability (under a hiding CRS): for any two vectors \((v _i)_i\) and \((v '_i)_i\) of satisfying assignments of a given system \(\mathcal {X}\) of equations, the corresponding commitments and proofs \(((C_i)_i,\pi )\) and \(((C'_i)_i,\pi ')\) are identically distributed. Again, this holds even if the same commitments are used in several proofs for adaptively generated statements \(\mathcal {X}\).
3 The Signature Scheme
3.1 Scheme Description

A pairing generator \(\mathcal {P}\) that outputs groups \(\mathbb {G} =\langle g \rangle \) and \(\mathbb {\hat{G}} =\langle \hat{g} \rangle \) of prime order \(p>2^{k}\) and an asymmetric pairing \(e:\mathbb {G} \times \mathbb {\hat{G}} \rightarrow \mathbb {G}_T \). We make the DDH assumption in both \(\mathbb {G}\) and \(\mathbb {\hat{G}}\).

The ElGamal encryption scheme (given by algorithms \(\mathrm {EGen}_{\mathrm {eg}},\mathrm {Enc}_{\mathrm {eg}},\mathrm {Dec}_{\mathrm {eg}} \)) over \(\mathbb {G}\). (That is, we will use \(\mathcal {P}\) in place of \(\mathrm {EPars}_{\mathrm {eg}}\) to generate the group \(\mathbb {G}\) for ElGamal.)

A Groth-Sahai proof system for \(\mathcal {P}\) (see Definition 4), given by algorithms \(\mathrm {HGen},\mathrm {BGen},\mathrm {Com},\mathrm {Prove},\mathrm {Verify},\mathrm {Sim} \).
Correctness. The completeness of Groth-Sahai proofs implies the correctness of \(\mathrm {SIG}\).

The public parameters consist of \(8\) \(\mathbb {G}\)- and \(6\) \(\mathbb {\hat{G}}\)-elements, plus the group parameters \( gpp \).

Each verification key contains \(2\) \(\mathbb {G}\)- and \(4\) \(\mathbb {\hat{G}}\)-elements.

Each signing key contains \(7\) \(\mathbb {Z} _p\)-exponents.

Each signature contains \(11\) \(\mathbb {G}\)- and \(14\) \(\mathbb {\hat{G}}\)-elements.
3.2 Security Analysis

\(\pi _1\) proves that either \(C _0\) and \(C _1\) encrypt the same value or that the signed message satisfies a special property \(S 2\) (or both). In the scheme, all messages are special in this sense (because \(f (M)=0\) for all \(M\)). However, in the proof, we can adjust \(f\) and, e.g., partition the set of messages into special and non-special ones in a random and roughly balanced way. Intuitively, this provides a means to make the double encryption \((C _0,C _1)\) inconsistent (and subsequently change the encrypted values) in signatures for special messages. At the same time, any valid adversarial forgery on a non-special message (that does not satisfy \(S 2\)) must carry a consistent double encryption \((C _0,C _1)\).

In the scheme, \(\pi _2\) ties the plaintext encrypted in \(C _0\) to the master secret \(Z\). In the simulation, we will remove that connection by simulating \(\pi _2\). Specifically, recall that \(\pi _1\) and \(\pi _2\) are independently generated, using independently generated Groth-Sahai commitments to the respective witnesses. Thus, in the proof, we can simulate \(\pi _2\) without witness (by choosing a hiding \(\mathrm {CRS} _2\) and using \(\mathrm {Sim} \)), while preserving the soundness of \(\pi _1\) (assuming \(\mathrm {CRS} _1\) is binding). This simulation of \(\pi _2\) will be instrumental in changing the message encrypted in \(C _0\) (when the signed message is special in the above sense).
Theorem 2
Proof Outline. The proof starts with a number of preparations for the core argument. Our main goal during this phase will be to implement an additional and explicit check of \(\mathcal {A}\) ’s forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\) for \(\mathrm {Dec}_{\mathrm {eg}} ( sk _0,C _0^*)=g^{X^{*}} \). (Note that in the default key setup, this explicit check is redundant, since valid signatures must fulfill statement \(S 3\) from (3).)
In the core argument (from Game 4 to Game 5, detailed in Lemma 1), we replace the value \(X\) used in generated signatures and the additional forgery check with a value \({\mathcal {H}}(M)\) that depends on the signed message. We start with a constant function \({\mathcal {H}}(M)=X \) (which corresponds to Game 4), and then introduce more and more dependencies of \({\mathcal {H}}(M)\) on the Legendre symbols \(\big (\frac{f _j(M)}{p}\big ) \) for independently and randomly selected (invertible) affine functions \(f _j\).
Each such dependency is introduced as follows. We start by committing to (the coefficients of) a new random function \(f ^*\) in \(C_{\alpha },C_{\beta } \). This change allows us to modify the messages \(Z _0,Z _1\) encrypted in generated signatures for all \(M\) with \(f ^*(M)\in \mathrm {QR} _p\cup \{0\}\) (and only for those \(M\)), by proving \(S 2\) (and not \(S 1\)) in signatures. We will also abort if \(\mathcal {A}\) ’s forgery satisfies \(f ^*(M ^*)\in \mathrm {QR} _p\cup \{0\}\), and we will keep enforcing our forgery check on \(C _0^*\). Hence, from \(\mathcal {A}\) ’s point of view, an additional dependency on \(\big (\frac{f ^*(M)}{p}\big ) \) is consistently introduced on all signatures. More importantly, this dependency is also enforced during the additional forgery check.
After sufficiently many such dependencies are introduced (for several different \(f ^*\)), all signatures are consistently generated with (or checked for) \(Z _0=Z _1=\mathcal {R}(M)\) for a truly random function \(\mathcal {R}\). At this point, \(\mathcal {A}\) has to predict a truly random function \(\mathcal {R}\) on a fresh input \(M ^*\) in order to produce a valid forgery. Hence, \(\mathcal {A}\) ’s forgery success must be negligible.
Figures 1 and 2 (on page 27 and page 28) give a more technical summary of the game transitions of the proof (also taking into account the notation for the multi-user case). The remainder of this section is devoted to a detailed proof.
Proof
(Proof of Theorem 2 ) We proceed in games. Let \( out _{i}\) denote the output of Game i.

All signatures generated for \(\mathcal {A}\) contain encryptions \(C _0,C _1\) of exponents \(Z _0=Z _1=\mathcal {R}^{{(\ell )}}(M)\) (encoded as \(g^{Z _0},g^{Z _1} \)) instead of \(Z _0=Z _1=X^{(\ell )} \), where \(M\) is the signed message. As in Game 4, the corresponding proof \(\pi \) is generated using witnesses for \(S 1\) and \(S 3\) from (3).

Any forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\) for a (fresh) message \(M ^*\) from \(\mathcal {A}\) is considered valid only if \(\pi _1^*\) and \(\pi _2^*\) are valid and \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {R}^*(M ^*)\) holds. Otherwise, the game outputs \(0\). (Again, we use the shorthand notation \(\mathcal {R}^*=\mathcal {R}^{({\ell ^{*}})}\) for the challenge instance \(\ell ^*\).)
Hence, it remains to relate Game 4 and Game 5:
Lemma 1
Before we prove Lemma 1, we remark that putting together (5–10), we obtain (4), which is sufficient to show Theorem 2.
Proof
We initially uniformly and independently choose \(i\) invertible affine functions \(f _j:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\) (for \(j\in [i]\)). The \(f _j\) define a “partial fingerprint” function \(\mathcal {L}_{i}:\mathbb {Z} _p\rightarrow \{-1,0,1\}^i\) through
$$\begin{aligned} \mathcal {L}_{i} (M) = \left( \left( \frac{f _1(M)}{p}\right) , \dots , \left( \frac{f _i(M)}{p}\right) \right) . \end{aligned}$$(11)
For every scheme instance \(\ell \in [n_U]\), let \(\mathcal {H} ^{(\ell )}_{i}:\mathbb {Z} _p\rightarrow \mathbb {Z} _p^*\) be the composition of \(\mathcal {L}_{i} \) with a truly random function \(\mathcal {R}^{{(\ell )}}_{i} :\{-1,0,1\}^i\rightarrow \mathbb {Z} _p^*\) (so that \(\mathcal {H} ^{(\ell )}_{i}(M)=\mathcal {R}^{{(\ell )}}_{i}(\mathcal {L}_{i} (M))\)).

Signatures for \(\mathcal {A}\) contain encryptions \(C _0,C _1\) of exponents \(Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)\).

Any forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\) for a (fresh) message \(M ^*\) from \(\mathcal {A}\) is considered valid only if \(\pi _1^*\) and \(\pi _2^*\) are valid and \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {H} ^{(\ell )}_{i}(M ^*)\).
Lemma 2
For \(n=2\lceil \log _2(p)\rceil +k\), the function \(\mathcal {L}_{n} \) from (11) is injective, except with probability \(1/2^k\) (over the choice of the invertible affine functions \(f _j:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\)).
We postpone a proof of Lemma 2 for now.
Our goal will be to use the functions \(\mathcal {H} ^{(\ell )}_{i},\mathcal {Z} ^{(\ell )}_{i},\mathcal {Q} ^{(\ell )}_{i}\) for messages \(M\) satisfying \(f ^*(M)\notin \mathrm {QR} _p\), \(f ^*(M)=0\), and \(f ^*(M)\in \mathrm {QR} _p\), respectively. (Hence the symbols \({\mathcal {Z}}\) and \({\mathcal {Q}}\).) This will be conceptually identical to using a single function \(\mathcal {H} ^{(\ell )}_{i+1}\) for all messages of a given scheme instance \(\ell \). At this point, however, we can only partially implement this strategy, since we can only replace the messages encrypted in \(C _1\), but not those from \(C _0\). (Indeed, \( sk ^{*} _0\) is still required to implement the additional forgery check in Game 4.i.3.)

For signature queries with \(f ^*(M)=0\), we encrypt \(Z _1=\mathcal {Z} ^{(\ell )}_{i}(M)\) (instead of \(Z _1=\mathcal {H} ^{(\ell )}_{i}(M)\)) in the ciphertext \(C _1\) of the generated signature.

For signature queries with \(f ^*(M)\in \mathrm {QR} _p\), we encrypt \(Z _1=\mathcal {Q} ^{(\ell )}_{i}(M)\) in \(C _1\).
Our next step will be to replace the values encrypted in \(C _0\) in a similar way. To do so, however, we need some preparations, since Game 4.i.3 still knows the secret keys \( sk ^{(\ell )} _0\) (to finally implement the forgery check). Fortunately, however, we can alternatively use the \( sk ^{(\ell )} _1\) to implement this check. (To see why this yields the same functionality, recall that by our abort rule from Game 1, we may restrict to forgeries with \(f ^*(M ^*)\notin \mathrm {QR} _p\cup \{0\}\). However, by (3), a valid forgery for such a message must contain \(C _0^*\) and \(C _1^*\) that encrypt the same message.)

For queries with \(f ^*(M)\notin \mathrm {QR} _p\), we encrypt \(Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)\) in \(C _0\) and \(C _1\).

For queries with \(f ^*(M)=0\), we encrypt \(Z _0=Z _1=\mathcal {Z} ^{(\ell )}_{i}(M)\) in \(C _0\) and \(C _1\).

For queries with \(f ^*(M)\in \mathrm {QR} _p\), we encrypt \(Z _0=Z _1=\mathcal {Q} ^{(\ell )}_{i}(M)\) in \(C _0\) and \(C _1\).
Step 3: Clean Up. Now in Game 4.i.6, we handle both signature queries and \(\mathcal {A}\) ’s forgery with either \(\mathcal {H} ^{(\ell )}_{i}\), \(\mathcal {Z} ^{(\ell )}_{i}\), or \(\mathcal {Q} ^{(\ell )}_{i}\), depending on the Legendre symbol \(\big (\frac{f ^*(M)}{p}\big ) \) of \(f ^*(M)\). This is equivalent to handling all messages with a single function \(\mathcal {H} ^{(\ell )}_{i+1}\) by the definition of \(\mathcal {H} ^{(\ell )}_{i}\) (see also (11)). Hence, we already “almost” implement the rules of Game 4.(\(i + 1\)), and we only need to clean up things a little.
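The fingerprint function \(\mathcal {L}_{i}\) from (11), the special/non-special partition induced by one \(f ^*\) (statement \(S 2\)), the injectivity claim of Lemma 2, and the lazily sampled random functions \(\mathcal {H}_{i}=\mathcal {R}_{i}\circ \mathcal {L}_{i}\) that the hybrids Game 4.\(i\) step through, in an added Python example that is not code from the paper. All names (legendre, fingerprint, HybridFunction, refine) and the toy primes are this example's own assumptions; the paper's \(p>2^k\) is replaced by small primes so that injectivity can be checked exhaustively.

```python
# Added example (not from the paper): the Legendre-symbol fingerprint L_i of (11),
# the "special message" partition from statement S2, and the lazily sampled
# random functions H_i = R_i ∘ L_i used in the hybrids. All names are this
# example's own; the primes are toy values, not the p > 2^k of the scheme.
import random
from typing import Dict, List, Optional, Sequence, Tuple

Affine = Tuple[int, int]        # f(M) = a*M + b mod p with a != 0, i.e. invertible
Fingerprint = Tuple[int, ...]   # entries in {-1, 0, 1}


def legendre(x: int, p: int) -> int:
    """Legendre symbol (x/p) for an odd prime p, by Euler's criterion."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def random_invertible_affine(p: int, rng: random.Random) -> Affine:
    """Sample f(M) = a*M + b with a in Z_p^* and b in Z_p (a bijection on Z_p)."""
    return rng.randrange(1, p), rng.randrange(p)


def evaluate(f: Affine, m: int, p: int) -> int:
    a, b = f
    return (a * m + b) % p


def fingerprint(m: int, fs: Sequence[Affine], p: int) -> Fingerprint:
    """L_i(M) from (11): the Legendre symbols of f_1(M), ..., f_i(M)."""
    return tuple(legendre(evaluate(f, m, p), p) for f in fs)


def is_special(m: int, f_star: Affine, p: int) -> bool:
    """Statement S2 holds for M iff f*(M) in QR_p ∪ {0}, i.e. (f*(M)/p) != -1."""
    return legendre(evaluate(f_star, m, p), p) != -1


def count_special(f_star: Affine, p: int) -> int:
    """f* is a bijection of Z_p, so exactly (p+1)/2 messages are special."""
    return sum(1 for m in range(p) if is_special(m, f_star, p))


def is_injective(fs: Sequence[Affine], p: int) -> bool:
    """Exhaustive check (feasible for toy p) that L_i separates all of Z_p."""
    return len({fingerprint(m, fs, p) for m in range(p)}) == p


def lemma2_length(p: int, k: int) -> int:
    """n = 2*ceil(log2 p) + k, the number of f_j that Lemma 2 asks for."""
    return 2 * (p - 1).bit_length() + k


class HybridFunction:
    """H_i = R_i ∘ L_i with R_i: {-1,0,1}^i -> Z_p^* sampled lazily.

    Lazy sampling is how a reduction "has" a truly random function without
    writing down its exponentially large table: an output is chosen the first
    time its fingerprint is queried and remembered afterwards.
    """

    def __init__(self, fs: Sequence[Affine], p: int, rng: Optional[random.Random] = None):
        self.fs: List[Affine] = list(fs)
        self.p = p
        self.rng = rng if rng is not None else random.Random()
        self.table: Dict[Fingerprint, int] = {}

    def __call__(self, m: int) -> int:
        key = fingerprint(m, self.fs, self.p)
        if key not in self.table:
            self.table[key] = self.rng.randrange(1, self.p)
        return self.table[key]

    def refine(self, f_star: Affine) -> "HybridFunction":
        """One hybrid step: H_{i+1} additionally depends on (f*(M)/p).

        Messages that shared an L_i fingerprint but differ in their f* symbol
        now receive independent values; in the proof these are exactly the
        special messages whose encrypted Z_0, Z_1 may be changed.
        """
        return HybridFunction(self.fs + [f_star], self.p, self.rng)


if __name__ == "__main__":
    p, k = 101, 8                     # toy prime and security parameter
    rng = random.Random(2016)
    fs = [random_invertible_affine(p, rng) for _ in range(lemma2_length(p, k))]
    print("n =", len(fs), "| L_n injective on Z_p:", is_injective(fs, p))
    print("special messages under f_1:", count_special(fs[0], p), "of", p)
    h0 = HybridFunction([], p, rng)   # Game 4: the constant function X
    h1 = h0.refine(fs[0])             # first Legendre dependency introduced
    print("H_0(3) == H_0(5):", h0(3) == h0(5), "| H_1(3), H_1(5):", h1(3), h1(5))
```

With an empty function list the fingerprint is the empty tuple, so `HybridFunction([], p)` is the constant function of Game 4; each `refine` call is one step of the hybrid argument, and `count_special` makes the "roughly balanced" partition exact: since \(f ^*\) permutes \(\mathbb {Z} _p\), precisely \((p+1)/2\) messages land in \(\mathrm {QR} _p\cup \{0\}\) whatever \(f ^*\) is chosen.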
It remains to prove Lemma 2:
Proof
4 Compact and (almost) Tightly Secure PublicKey Encryption
Our signature scheme \(\mathrm {SIG}\) from Sect. 3 is “almost” automorphic (in the sense of [1]). Namely, while its verification can be expressed as a system of equations that is compatible with Groth-Sahai proofs, its messages are exponents (as opposed to group elements). However, our scheme can still be used in the generic construction of [28]. This yields an (almost) tightly secure public-key encryption scheme with compact parameters, keys and ciphertexts. (Here, “compact” means “comprised of only a constant number of group elements or exponents.”)
But although compact in the above sense, the resulting encryption scheme would be rather inefficient (in particular since it would use nested Groth-Sahai proofs). Thus, here we describe an optimized and more compact (almost) tightly secure public-key encryption scheme \(\mathrm {PKE}\).

An OT-EUF-mCMA secure signature scheme with message space \(\mathbb {Z} _p\), given by algorithms \(\mathrm {OPars},\mathrm {OGen},\mathrm {OSig},\mathrm {OVer} \). For concreteness, in all of the following, we assume the one-time signature scheme \(\mathsf {TOTS}\) from [28] in \(\mathbb {G}\). Its OT-EUF-mCMA security can be tightly reduced to the discrete logarithm assumption in \(\mathbb {G}\) (which is implied by the DDH assumption in \(\mathbb {G}\)).

A generator \(\mathcal {H}\) of collision-resistant hash functions \(\mathrm {H}:\{0,1\}^*\rightarrow \{0,1\}^k\). We will interpret \(\mathrm {H}\)-outputs as \(\mathbb {Z} _p\)-elements in the natural way. (Recall that \(p>2^k\).)
All ingredients can be instantiated under the DDH assumptions in \(\mathbb {G}\) and \(\mathbb {\hat{G}}\).
Finally, \(\mathrm {EPars}\) chooses parameters \( opp \leftarrow \mathrm {OPars} (1^k)\) and a hash function \(\mathrm {H}\), and outputs \( epp =( gpp ,\mathrm {CRS}, pk _0, pk _1, opp ,\mathrm {H},C_{\alpha },C_{\beta },C_{Z})\).
Finally, \(\mathrm {Enc}\) signs \(\sigma \leftarrow \mathrm {OSig} ( osk ,\mathrm {H} (C '_0,C '_1,C _0,C _1,\pi ))\) and outputs the ciphertext \(C =(C '_0,C '_1,C _0,C _1,\pi , ovk ,\sigma )\).
Decryption. \(\mathrm {Dec} ( sk ,C)\) checks the validity of \(\sigma \) and \(\pi \). If both \(\sigma \) and \(\pi \) are valid, \(\mathrm {Dec}\) outputs \(M \leftarrow \mathrm {Dec}_{\mathrm {eg}} ( sk '_d,C '_d)\); otherwise, \(\mathrm {Dec}\) outputs \(\bot \).

The public parameters consist of \(12\) \(\mathbb {G}\)- and \(3\) \(\mathbb {\hat{G}}\)-elements, plus the group parameters \( gpp \), and a description of the hash function \(\mathrm {H}\).

Each public key contains \(2\) \(\mathbb {G}\)-elements.

Each secret key contains one \(\mathbb {Z} _p\)-exponent and a bit.

Each ciphertext contains \(27\) \(\mathbb {G}\)- and \(30\) \(\mathbb {\hat{G}}\)-elements, and \(3\) \(\mathbb {Z} _p\)-exponents.
Theorem 3
Proof

First, the consistency proofs in all ciphertexts are prepared with different witnesses. More specifically, instead of proving \(Z '_0=Z '_1\), we prove the right branch of (26). (Note that this right branch corresponds to the validity of a \(\mathrm {SIG}\)-signature for message \(\mathrm {H} ( ovk )\).) Thanks to the witness-indistinguishability of Groth-Sahai proofs, this change is not detectable by \(\mathcal {A}\).

Next, all challenge ciphertexts generated for \(\mathcal {A}\) are made inconsistent. (This is possible since the ciphertext consistency proofs are prepared from signature witnesses now.) Concretely, recall that so far we have encrypted the respective challenge message \(M ^*_b\) (for the secret bit \(b\) chosen by the IND-mCCA experiment) in both \(C '_0\) and \(C '_1\) of all challenge ciphertexts. Now we encrypt \(M ^*_b\) in \(C '_{d}\) and \(M ^*_{1-b}\) in \(C '_{1-d}\), where \(d\) is the bit chosen for the respective \(\mathrm {PKE}\) instance \(i\). Hence, we change the encrypted message for all ElGamal instances whose secret key is not used. Since only the secret keys \( sk '_d\) (but not the \( sk '_{1-d}\)) are used in the experiment, this game modification can be justified with the (tight) security of ElGamal.

We now reject all inconsistent (in the sense \(\mathrm {Dec}_{\mathrm {eg}} ( sk '_0,C '_0)\ne \mathrm {Dec}_{\mathrm {eg}} ( sk '_1,C '_1)\)) decryption queries from \(\mathcal {A}\). At this point in the proof, we know both \( sk '_0\) and \( sk '_1\) for all \(\mathrm {PKE}\)-instances, and can thus recognize the first inconsistent (in the above sense) decryption query with a valid consistency proof. Note that any such query implies a valid \(\mathrm {SIG}\)-signature for a message \(\mathrm {H} ( ovk )\). The security of the one-time signature scheme guarantees that this message is fresh, so that \(\mathcal {A}\) has essentially forged a \(\mathrm {SIG}\)-signature. Any such forgery can be excluded with the same strategy as in the proof of Theorem 2 (with the differences described above). This step entails the dominant terms in (27) related to DDH reductions.
At this point, \(\mathcal {A}\) gets no information about the IND-mCCA secret \(b\) anymore. Namely, each challenge ciphertext contains ElGamal encryptions of both \(M ^*_0\) and \(M ^*_1\), in an order determined by \(d\oplus b\), where \(d\) denotes which ElGamal secret key \( sk '_d\) the experiment uses to decrypt for this instance. Now since inconsistent ciphertexts are rejected, the game’s answer to \(\mathcal {A}\) ’s decryption queries does not depend on any of the bits \(d\). Moreover, unless (any) \(d\) is known, also \(b\) is hidden. Hence, \(\mathcal {A}\) ’s view is now completely independent of \(b\), and thus \(\mathcal {A}\) ’s IND-mCCA advantage is zero.
5 Details on the Exact GrothSahai Equations in Our Schemes
5.1 The Exact GrothSahai Equations for the Proofs in Signatures
 \(S 1\).

The statement \(Z _0=Z _1\) holds if and only if \((g, pk _1/ pk _0,A,B_1/B_0)\) is a Diffie-Hellman tuple. Thus, \(S 1\) is equivalent to the equations \(A=g^{R} \) and \(B_1/B_0=( pk _1/ pk _0)^{R}\), with witness \(R\).
 \(S 2\).

The statement \(f (M)\in \mathrm {QR} _p\cup \{0\}\) is equivalent to the existence of an exponent \(W\in \mathbb {Z} _p\) with \(f (M)=W^{2} \,\mathrm{mod}\, p\). (Recall that a commitment to \(f (M)\) can be homomorphically computed from \(M\) and the commitments \(C_{\alpha },C_{\beta } \).) Hence, a witness to \(S 2\) is given by \((\alpha ,\beta ,W)\).
 \(S 3\).

We can express \(Z _0=Z \) as an equation \(B_0= pk _0^{R}\cdot g^{Z} \) with witness \((R,Z)\).
All involved commitment random coins are additionally required to construct a valid proof. Besides, so far we have neglected that in a setting with an asymmetric pairing, not all combinations of, e.g., \(\mathbb {Z} _p\)products can be directly expressed. (For instance, a square \(W^2\) needs to be rephrased as \(W\cdot \widehat{W}\), with an additional proof that \(W=\widehat{W}\).) Hence, in the rest of this section, we will decorate variables that correspond to a \(\mathbb {\hat{G}}\)commitment with a hat (e.g., \(\widehat{W}\)).
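The relations behind \(S 1\), \(S 2\) and \(S 3\) above, together with the consistency check \(\mathrm {Dec}_{\mathrm {eg}} ( sk '_0,C '_0)\ne \mathrm {Dec}_{\mathrm {eg}} ( sk '_1,C '_1)\) from the proof of Theorem 3, evaluated directly with their witnesses in an added Python example that is not code from the paper. It replaces the pairing group by a constructed toy group (safe prime \(P=2\cdot 1019+1\), generator \(4\) of the subgroup of order \(1019\)), uses its own function names, constants and keys, and produces no Groth-Sahai proof: it only checks the equations a prover would have to prove, and shows what an inconsistent double encryption (the simulation's tool for special messages) looks like to someone holding both secret keys.

```python
# Added example (not from the paper): the ElGamal double encryption (C_0, C_1)
# from SIG signatures and the statements S1-S3 checked with their witnesses.
# Group, constants and function names are this example's own assumptions.
from typing import Optional, Tuple

# Constructed toy group: safe prime P = 2q+1; the squares mod P form a subgroup
# of prime order q generated by G = 4. The scheme needs p > 2^k; the algebra
# below is identical for a real group.
Q = 1019
P = 2 * Q + 1
G = 4

Ciphertext = Tuple[int, int]   # (A, B) = (g^R, pk^R * g^Z)


def inv(x: int) -> int:
    """Inverse of an element of the order-Q subgroup: x^(Q-1) = x^(-1)."""
    return pow(x, Q - 1, P)


def keygen(sk: int) -> Tuple[int, int]:
    """ElGamal key pair for a given sk in Z_Q^*: pk = g^sk."""
    return sk, pow(G, sk, P)


def encrypt(pk: int, z: int, r: int) -> Ciphertext:
    """Encrypt the exponent Z (encoded as g^Z) with randomness R."""
    return pow(G, r, P), (pow(pk, r, P) * pow(G, z, P)) % P


def decrypt(sk: int, c: Ciphertext) -> int:
    """Return the encoded element g^Z (the scheme never recovers Z itself)."""
    a, b = c
    return (b * inv(pow(a, sk, P))) % P


def double_encrypt(pk0: int, pk1: int, z0: int, z1: int, r: int) -> Tuple[Ciphertext, Ciphertext]:
    """(C_0, C_1) sharing one randomness R, which is why S1 mentions a single A."""
    return encrypt(pk0, z0, r), encrypt(pk1, z1, r)


def consistent(sk0: int, sk1: int, c0: Ciphertext, c1: Ciphertext) -> bool:
    """The rejection rule of the PKE proof: do both ciphertexts decrypt alike?"""
    return decrypt(sk0, c0) == decrypt(sk1, c1)


def check_s1(pk0: int, pk1: int, c0: Ciphertext, c1: Ciphertext, r: int) -> bool:
    """S1 with witness R: (g, pk1/pk0, A, B1/B0) is a Diffie-Hellman tuple."""
    (a, b0), (_, b1) = c0, c1
    h = (pk1 * inv(pk0)) % P
    return a == pow(G, r, P) and (b1 * inv(b0)) % P == pow(h, r, P)


def s2_witness(f_m: int) -> Optional[int]:
    """S2 witness W with W^2 = f(M) mod Q, or None if f(M) is a non-residue.

    Q = 3 (mod 4), so for a residue x the root is x^((Q+1)/4); for x = 0 it is 0.
    """
    f_m %= Q
    w = pow(f_m, (Q + 1) // 4, Q)
    return w if (w * w) % Q == f_m else None


def check_s3(pk0: int, c0: Ciphertext, r: int, z: int) -> bool:
    """S3 with witness (R, Z): B_0 = pk_0^R * g^Z, i.e. C_0 encrypts the master secret Z."""
    _, b0 = c0
    return b0 == (pow(pk0, r, P) * pow(G, z, P)) % P


if __name__ == "__main__":
    (sk0, pk0), (sk1, pk1) = keygen(5), keygen(9)     # constructed keys
    z, r = 42, 17                                     # master secret Z, randomness R
    c0, c1 = double_encrypt(pk0, pk1, z, z, r)
    print("honest signature: S1", check_s1(pk0, pk1, c0, c1, r), "S3", check_s3(pk0, c0, r, z))
    d0, d1 = double_encrypt(pk0, pk1, z, (z + 1) % Q, r)   # simulation: inconsistent pair
    print("inconsistent pair: S1", check_s1(pk0, pk1, d0, d1, r),
          "consistent?", consistent(sk0, sk1, d0, d1))
    print("S2 witness for 4:", s2_witness(4), "| for -1:", s2_witness(Q - 1))
```

`check_s1` fails on the inconsistent pair because \(B_1/B_0=( pk _1/ pk _0)^{R}\cdot g^{Z _1-Z _0}\), so the tuple is Diffie-Hellman exactly when \(Z _0=Z _1\); the simulation gets away with such pairs only because, for special messages, \(\pi _1\) can be proven via the \(S 2\) branch instead, and `s2_witness` returns `None` precisely for the non-special messages where no such branch exists.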
Remarks and Efficiency Summary. We emphasize that hence, the proofs \(\pi _1\) and \(\pi _2\) are independent (and in particular do not share commitments). Furthermore, thanks to the composability of Groth-Sahai proofs, the commitments \(C_{\alpha },C_{\beta },C_{Z} \) to \(\alpha ,\beta ,Z \) that are placed in the verification key can be directly (re)used in proofs. Each commitment occupies \(2\) group elements. In total, the equations above comprise \(4\) linear equations over \(\mathbb {G}\), and \(2\) quadratic equations over \(\mathbb {Z} _p\). Thus, \(\pi _1\) contains \(4\cdot 2+2\cdot 1+2\cdot 4=18\) group elements (\(12\) of them from \(\mathbb {\hat{G}}\)), and \(\pi _2\) contains \(1\cdot 2+2\cdot 1=4\) group elements (\(2\) of them from \(\mathbb {\hat{G}}\)).
5.2 The Exact GrothSahai Equations for the Proofs in Ciphertexts
The Statements \(S 1'\)–\(S 5'\). Let us take a closer look at the individual statements \(S 1'\)–\(S 5'\):
 \(S 1',S 2'\).

These statements can be formalized like statement \(S 1\) for \(\mathrm {SIG}\). For instance, \(S 1'\) holds if and only if \((g, pk '_1/ pk '_0,A',B'_1/B'_0)\) is a Diffie-Hellman tuple; a suitable witness is \(R '\).
 \(S 4',S 5'\).

Similarly, \(S 4'\) holds precisely if \((g, pk _0,A/A_{Z},B_0/B_{Z})\) is a Diffie-Hellman tuple; a witness is \(R-R _{Z}\). (Statement \(S 5'\) can be formalized analogously, with a witness \(R _{Z}\).)
 \(S 3'\).

As with \(\mathrm {SIG}\), \(S 3'\) holds if and only if there is a \(W\in \mathbb {Z} _p\) with \(f (\mathrm {H} ( ovk ))=W^2 \,\mathrm{mod}\, p\). A suitable witness consists of \(W\), and the encryption randomness \(R _{f}\) of \(C _{f}\).
Summary. Summing up, \(\pi \) contains commitments to \(13\) variables (\(12\) of them from \(\mathbb {\hat{G}}\)), and proves \(10\) \(\mathbb {G}\)linear, \(2\) \(\mathbb {Z} _p\)linear, and \(3\) quadratic equations over \(\mathbb {Z} _p\). This yields a proof of \(13\cdot 2+10\cdot 1+3\cdot 4=48\) group elements (\(30\) of them from \(\mathbb {\hat{G}}\)) and \(2\cdot 1=2\) exponents from \(\mathbb {Z} _p\).
Footnotes
 1.
Technically, we will not even need to explicitly compute \(L_j\), but only prove that \(L_j=1\). This is possible using a quadratic equation over \(\mathbb {Z} _p\).
 2.
Actually, [6, 15] construct tightly secure identity-based encryption (IBE) schemes. However, those IBE schemes can be viewed as tightly secure signature schemes (using Naor’s trick [11]), and then converted into tightly secure PKE schemes using the transformation from [28]. In fact, the PKE scheme of [32] can be viewed as a (modified and highly optimized) conversion of the IBE scheme from [15].
 3.
 4.
With a “simple” assumption, we mean one in which the adversary gets a challenge whose size only depends on the security parameter, and is then supposed to output a unique solution without further interaction. Examples of simple assumptions are DLOG, DDH, \(d\)-LIN, or RSA, but not, say, Strong Diffie-Hellman [8] or \(q\)-ABDHE [22].
 5.
We note that although their scheme can be viewed as a generalization of Waters signatures [38], their analysis is entirely different. Also, we omit here certain subtleties regarding the used distributions of group elements.
 6.
 7.
This neglects a number of details. For instance, in the somewhat simplified scheme above, \(\pi \) always ties the ciphertexts in signatures for quadratic nonresidues \(f (M)\) to a single value \(X\). In our actual proof, we will thus simulate a part of \(\pi \), such that the encrypted values can be decoupled from the original secret key \(X\).
 8.
Actually, plugging our scheme directly into the construction of [28] yields an asymptotically compact, but not very efficient scheme. Thus, we provide a more direct and efficient explicit PKE construction with parameters, public keys, and ciphertexts comprised of \(15\), \(2\), and \(60\) group elements, respectively.
 9.
In a signature scheme derived using the conversion of Bellare and Goldwasser, the verification key contains an encryption of the MAC secret key. A signature for a message \(M\) then consists of a MAC tag \(\tau \) for \(M\), along with a non-interactive zero-knowledge proof that \(\tau \) is valid relative to the encrypted MAC key.
 10.
 11.
We realize that this explanation is somewhat technical and may not seem very compelling. We wish we had a better one.
Acknowledgments
The author would like to thank Eike Kiltz, Julia Hesse, Willi Geiselmann, and the anonymous reviewers for helpful feedback.
References
1. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
2. Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)
3. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)
4. Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, Heidelberg (1990)
5. Bernstein, D.J.: Proving tight security for Rabin-Williams signatures. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 70–87. Springer, Heidelberg (2008)
6. Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) Identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014)
7. Boldyreva, A.: Strengthening security of RSA-OAEP. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 399–413. Springer, Heidelberg (2009)
8. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
9. Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004)
10. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001)
11. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
12. Boneh, D., Mironov, I., Shoup, V.: A secure signature scheme from bilinear maps. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 98–110. Springer, Heidelberg (2003)
13. Cash, D.M., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)
14. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)
15. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013)
16. Chevallier-Mames, B., Joye, M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 339–356. Springer, Heidelberg (2006)
17. Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)
18. Escala, A., Groth, J.: Fine-tuning Groth-Sahai proofs. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 630–649. Springer, Heidelberg (2014)
19. Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011)
20. Galindo, D., Martín, S., Morillo, P., Villar, J.L.: Easy verifiable primitives and practical public key cryptosystems. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 69–83. Springer, Heidelberg (2003)
21. Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)
22. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)
23. Gentry, C., Halevi, S.: Hierarchical identity based encryption with polynomially many levels. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 437–456. Springer, Heidelberg (2009)
24. Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie-Hellman problems. J. Cryptology 20(4), 493–514 (2007)
25. Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985)
26. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
27. Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer, Heidelberg (2012)
28. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012)
29. Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009)
30. Kakvi, S.A., Kiltz, E.: Optimal security proofs for full domain hash, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012)
31. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010)
32. Libert, B., Joye, M., Yung, M., Peters, T.: Concise multi-challenge CCA-secure encryption and signatures with almost tight security. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 1–21. Springer, Heidelberg (2014)
33. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: Proceedings of FOCS 1997, pp. 458–467. IEEE Computer Society (1997)
34. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of STOC 1990, pp. 427–437. ACM (1990)
35. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of STOC 1989, pp. 33–43. ACM (1989)
36. Schäge, S.: Tight proofs for signature schemes without random oracles. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 189–206. Springer, Heidelberg (2011)
37. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
38. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)