TCC 2016: Theory of Cryptography pp 251-281

# Algebraic Partitioning: Fully Compact and (almost) Tightly Secure Cryptography

• Dennis Hofheinz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9562)

## Abstract

We describe a new technique for conducting “partitioning arguments”. Partitioning arguments are a popular way to prove the security of a cryptographic scheme. For instance, to prove the security of a signature scheme, a partitioning argument could divide the set of messages into “signable” messages for which a signature can be simulated during the proof, and “unsignable” ones for which any signature would allow to solve a computational problem. During the security proof, we would then hope that an adversary only requests signatures for signable messages, and later forges a signature for an unsignable one.

In this work, we develop a new class of partitioning arguments from simple assumptions. Unlike previous partitioning strategies, ours is based upon an algebraic property of the partitioned elements (e.g., the signed messages), and not on their bit structure. This allows to perform the partitioning efficiently in a “hidden” way, such that already a single “slot” for a partitioning operation in the scheme can be used to implement many different partitionings sequentially, one after the other. As a consequence, we can construct complex partitionings out of simple basic (but algebraic) partitionings in a very space-efficient way.

As a demonstration of our technique, we provide the first signature and public-key encryption schemes that achieve the following properties simultaneously: they are (almost) tightly secure under a simple assumption, and they are fully compact (in the sense that parameters, keys, and signatures, resp. ciphertexts only comprise a constant number of group elements).

## Keywords

Partitioning arguments Tight security proofs Digital signatures Public-key encryption

## 1 Introduction

Partitioning Arguments. Many security reductions rely on a partitioning argument. Informally, a partitioning argument divides the parts of a large system into those parts that are under the control of the simulation, and those parts into which a computational challenge can be embedded. For instance, a partitioning argument for a signature scheme could divide the set of message into “signable messages” (for which a signature can be generated by the security reduction), and “unsignable messages” (for which any signature would solve an underlying problem). During the security reduction, we hope that an adversary only asks for the signatures of signable messages, but forges a signature for an unsignable one. Partitioning arguments are a popular means for proving the security of signature schemes (e.g., [17, 29, 35, 38]), identity-based encyption schemes (e.g., [9, 10, 14, 38]), or tightly secure cryptosystems (e.g., [6, 15, 32]).

The Complexity of Bit-based Partitioning. All of the above works (except for [10, 17], which use a programmable random oracle to implement a partitioning) partition messages or identities according to their bit representation. For instance, in the signature scheme from [29], messages are signable precisely if they do not start with a particular bit prefix. This non-algebraic approach requires a certain preparation in the scheme itself: already the scheme must establish certain distinctions of messages based on their bit representation. For instance, the signature scheme of [38] uses a hash function of the form $$H(M)=h_0\prod _j h_{j,M _j}$$, where $$M _j$$ are the bits of the signed message $$M$$, and $$h_0$$ and the $$h_{j,b}$$ are public group elements. This leads to comparatively large public parameters or keys, in particular because all potential distinctions (based on the values of the $$M _j$$) are already present in the scheme.

Our Contribution. In this work, we develop an entirely different partitioning approach: instead of partitioning based on the bit representation, we partition according to a simple algebraic predicate. Namely, we view a message $$M$$ as above as a $$\mathbb {Z} _p$$-element, and consider various Legendre symbols $$L_j=\big (\frac{f _j(M)}{p}\big )$$ for different affine functions $$f _j$$. Taken together, sufficiently many $$L_j$$ uniquely determine $$M$$, but the computation of each $$L_j$$ can be encoded as a series of $$\mathbb {Z} _p$$-operations.1 Intuitively, this algebraic property allows to “internalize” and hide the computations of the $$L_j$$, e.g., by hiding the $$f _j$$ inside a homomorphic commitment. As a consequence, only one “universal” partitioning (according to a single $$L_j$$) needs to be performed in the scheme itself; in the analysis, several simple partitionings can then be implemented sequentially, by varying the $$f _j$$.

Comparison with Previous Partitioning Techniques. Compared to previous, bit-based partitioning approaches, our new strategy has the advantage that it simultaneously leads to compact schemes and to a tight security reduction. Previous partitioning strategies were either based on more complex partitionings (such as [9, 29, 35, 38]) that lead to a non-tight security reduction, or on a sequence of simple bit-based partitionings (such as [6, 15, 32]) that lead to large public parameters or keys. In contrast, we support many simple algebraic partitionings (and thus a tight security reduction), but we occupy only one “partitioning slot” in the public parameters. This leads to tightly secure and very compact applications, as we will detail next.

Applications. Specifically, we demonstrate the usefulness of our partitioning technique by describing the first (almost) tightly secure signature and PKE schemes that are fully compact, in the sense that parameters, keys, and signatures (resp. ciphertexts) only contain a constant number of group elements. Our security reduction loses only a factor of $$\mathbf {O} (k)$$, where $$k$$ is the security parameter. In particular, our security reduction does not degrade in the number of users or signatures, resp. ciphertexts. The security of our schemes is based upon the Decisional Diffie-Hellman (DDH) assumption in both preimage groups of a pairing. (This assumption is also called “Symmetric External Diffie-Hellman” or SXDH.) Tables 1 and 2 give a more detailed comparison with existing schemes.

In the following, we give more details on our techniques and results. To do so, we start with a little background concerning our applications.

Tight Security Reductions. To argue for the security of a given cryptographic scheme $$S$$, we usually employ a security reduction. That is, we try to argue that every hypothetical adversary $$\mathcal {A} _S$$ on $$S$$ can be converted into an adversary $$\mathcal {A} _P$$ on an allegedly hard computational problem $$P$$. In that sense, the only way to break $$S$$ is to solve $$P$$. Of course, we are mostly interested in reductions to well-investigated problems $$P$$. Furthermore, there are reasons to consider the tightness of the reduction: a tight reduction guarantees that $$\mathcal {A} _P$$’s success $$\varepsilon _P$$ in solving $$P$$ (in a reasonable metric) is about the same as $$\mathcal {A} _S$$’s success $$\varepsilon _S$$ in attacking $$S$$.

To explain the impact of a (non-)tight reduction in more detail, consider a public-key encryption (PKE) scheme $$S$$ that is deployed in a many-user environment. In this setting, an adversary $$\mathcal {A} _S$$ on $$S$$ may observe, say, $$n_C$$ ciphertexts generated for each of the, say, $$n_U$$ users. Most known security reductions in this setting are non-tight, in the sense that $$\varepsilon _P\le \frac{\varepsilon _S}{n_U\cdot n_C}$$. As a consequence, keylength recommendations should also take $$n_U$$ and $$n_C$$ into account; no “universal” keylength recommendation can be given for such a scheme. This is particularly problematic in settings that grow significantly beyond initial expectations.

Tightly Secure Encryption and Signature Schemes. The construction of tightly secure cryptographic schemes appears to be a nontrivial task. For instance, although already explicitly considered in 2000 [3], tightly secure PKE schemes have only been constructed very recently [2, 6, 15, 28, 32].2 $$^,$$ 3 Moreover, the schemes from [2, 28] have rather large ciphertexts, and the schemes induced by [6, 15] and from [32] require large parameters (but offer small keys and ciphertexts).

The situation for tightly secure signature schemes is somewhat brighter, but results are still limited. There are efficient signature schemes that are tightly secure under “$$q$$-type” [8, 16, 36] or interactive [21] assumptions, or in the random oracle model [5, 24, 30]. There are also more recent and somewhat less efficient schemes tightly secure under simple4 assumptions [6, 12, 15, 28, 32] (see also [1, 2]). Some of these latter schemes can even be converted into tightly secure PKE schemes; however, all of the schemes [2, 6, 12, 15, 28, 32] suffer from asymptotically large parameters, keys, or signatures (resp. ciphertexts).
Table 1.

Comparison of different (at least almost) tightly EUF-CMA secure signature schemes from simple$$^4$$ assumptions in pairing-friendly groups. The parameters, verification key, and signature columns denote space complexity, measured in group elements. The reduction loss column denotes the (multiplicative) loss of the security reduction to the respective assumption. For the schemes from [6, 15], we assume the signature scheme induced by the presented IBE scheme. Furthermore, $$n=\varvec{\varTheta } (k)$$ denotes the bitlength of the signed message (if the signed message is a bitstring and not a group element or an exponent). We note that [32] mention that their scheme can be generalized to the $$d$$-LIN assumption (including $$1$$-LIN=DDH). However, since they only give explicit complexities for the arising signatures (identical to the ones from [6]), we restrict to their DLIN-based scheme. Finally, we remark that all of these schemes (except for [12]) imply tightly secure PKE schemes (cf. Table 2).

Scheme

Parameters

Verification key

Signature

Reduction loss

Assumption

BMS03 [12]

$$0$$

$$k+3$$

$$k+1$$

$$\mathbf {O} (k)$$

CDH

HJ12 [28]

$$2$$

$$28$$

$$8k+22$$

$$\mathbf {O} (1)$$

DLIN

CW13 [15]

$$2d^2(2n+1)$$

$$d$$

$$4d$$

$$\mathbf {O} (k)$$

$$d$$-LIN

BKP14 [6]

$$d$$

$$d^2(2n+1)$$

$$2d+1$$

$$\mathbf {O} (k)$$

$$\mathcal {D}_d$$-MDDH

LJYP14 [32]

$$0$$

$$\mathbf {O} (d^2n)$$

$$2d+1$$

$$\mathbf {O} (k)$$

$$d$$-LIN

This work

$$14$$

$$6$$

$$25$$

$$\mathbf {O} (k)$$

DDH

The Scheme of Chen and Wee. Our technical ideas are best presented with our signature scheme. At a very high level, we follow the strategy of Chen and Wee [15] (see also [6]), where we interpret their IBE scheme as a signature scheme using Naor’s trick [11]. In their scheme, signatures are of the form
\begin{aligned} \sigma \;=\; \Big ( \;h_0,\; \; sigk \cdot \prod _{i=1}^nh_{i,M _i} \Big ), \end{aligned}
(1)
where $$sigk$$ is the secret key, $$M =(M _i)_{i=1}^n\in \{0,1\}^n$$ is the bit representation of the signed message, and $$h_0,(h_{i,0},h_{i,1})_{i=1}^n$$ are group elements chosen from a joint public distribution.5
During their proof of existential unforgeability (EUF-CMA security), Chen and Wee gradually modify signatures generated by the security experiment for an adversary $$\mathcal {A}$$. This is done via a small hybrid argument over the bit indices of messages, and thus yields a security proof that loses a factor of $$\mathbf {O} (n)$$. Concretely, in the $$i$$-th hybrid, generated signatures are of the form $$\sigma =(h_0, sigk _{M _1,\dots ,M _i}\cdot \prod _{j=1}^n h_{j,M _j})$$, where $$sigk _{M _1,\dots ,M _i}=\mathcal {R}(M _1,\dots ,M _i)$$ for a truly random function $$\mathcal {R}$$. Similarly, a forged message-signature pair $$(M ^*,\sigma ^*)$$ from $$\mathcal {A}$$ is only considered valid if it is consistent with $$sigk _{M ^*_1,\dots ,M ^*_i}$$ (instead of $$sigk$$). In other words, in the $$i$$-th hybrid, the secret key used in signatures depends on the first $$i$$ bits of the signed message.
Table 2.

Comparison of different (at least almost) tightly IND-CCA secure PKE schemes from simple$$^4$$ assumptions. As in Table 1, the parameters, public key, and ciphertext columns denote space complexity, measured in group elements, and the reduction loss column denotes the (multiplicative) loss of the security reduction to the respective assumption. For the schemes from [6, 15], we assume the PKE scheme induced by the respective signature scheme when going through the construction of [28]. We note that [32] only describe a symmetric-pairing version of their scheme, so their DDH-based scheme is not explicit. However, we expect that their DDH-based scheme has slightly more compact ciphertexts than ours.

Scheme

Parameters

Public key

Ciphertext

Reduction loss

Assumption

HJ12 [28]

$$\mathbf {O} (1)$$

$$\mathbf {O} (1)$$

$$\mathbf {O} (k)$$

$$\mathbf {O} (1)$$

DLIN

AKDNO13 [2]

$$\mathbf {O} (1)$$

$$\mathbf {O} (1)$$

$$\mathbf {O} (k)$$

$$\mathbf {O} (1)$$

DLIN

CW13 [15]

$$\mathbf {O} (d^2k)$$

$$\mathbf {O} (d)$$

$$\mathbf {O} (d)$$

$$\mathbf {O} (k)$$

$$d$$-LIN

BKP14 [6]

$$\mathbf {O} (d)$$

$$\mathbf {O} (d^2k)$$

$$\mathbf {O} (d)$$

$$\mathbf {O} (k)$$

$$\mathcal {D}_d$$-MDDH

LJYP14 [32]

$$\mathbf {O} (1)$$

$$\mathbf {O} (d^2k)$$

$$\mathbf {O} (d)$$

$$\mathbf {O} (k)$$

$$d$$-LIN

LJYP14 [32]

$$3$$

$$24k+30$$

$$69$$

$$\mathbf {O} (k)$$

DLIN

This work

$$15$$

$$2$$

$$60$$

$$\mathbf {O} (k)$$

DDH

Thus, the difference between the $$(i-1)$$-th and the $$i$$-th hybrid is an additional dependency of used secret keys on the $$i$$-th message bit $$M _i$$. To progress from hybrid $$i-1$$ to hybrid $$i$$, Chen and Wee first partition the message space in two halves (according to $$M _i$$). Then, using an elaborate argument, they consistently modify the secret keys used for messages from one half, and thus essentially decouple those keys from the keys used for messages from the other half. This creates an additional dependency on $$M _i$$. After $$n=|M |$$ such steps, each signature uses a different secret key (up to multiple signatures of the same message). In particular, $$\mathcal {A}$$ gets no information about the secret key $$sigk _{M ^*_1,\dots ,M ^*_n}$$ used to verify its own forgery, and existential unforgeability follows.

We would like to highlight the partitioning character of their analysis: in their proof, Chen and Wee introduce more and more dependencies of signatures on the corresponding messages, and each such dependency is based upon a different partitioning of the message space.6 Now observe that already regular signatures (as in (1)) feature distinctions based on all bits of $$M$$. These distinctions provide the technical tool to introduce dependencies in the security proof. However, as a consequence, rather complex joint distributions need to be sampled during signature generation, which results in public parameters of $$\mathbf {O} (n)$$ group elements.

Algebraic Partitioning. In a nutshell, our main technical tool is a new way to partition the message space of a signature scheme. We call this tool “algebraic partitioning.” Concretely, a signature for a message $$M \in \mathbb {Z} _p$$ in our scheme consists essentially of an encryption of the secret key $$X$$, along with a consistency proof:
\begin{aligned} \sigma \;=\; \left( \;C =\mathrm {Enc} ( pk ,X),\;\pi \;\right) . \end{aligned}
(2)
The corresponding encryption key $$pk$$ is part of the verification key $$vk$$, and the consistency proof $$\pi$$ proves the following statement:

Either  $$C$$ encrypts the secret key $$X$$, or $$f (M)\in \mathbb {Z} _p$$ is a quadratic residue (or both).”

Here, $$p$$ is the order of the underlying group, and $$f:\mathbb {Z} _p\rightarrow \mathbb {Z} _p$$ is an affine function fixed (but hidden) in the verification key. Implicitly, this provides a single partitioning of messages into those for which $$f (M)$$ is a quadratic residue, and those for which $$f (M)$$ is not. However, since $$f$$ is hidden, many partitionings can be induced (one after the other) by varying $$f$$ during a proof.

In fact, during the security proof, this partitioning will fulfill the same role as the bit-based partitioning in the analysis of Chen and Wee. In particular, it will help to introduce additional dependencies of the signature on the message. More specifically, in the $$i$$-th hybrid of the security proof, $$C$$ will not encrypt $$X$$, but a value $$X _{M}$$ that depends on the $$i$$ Legendre symbols $$\big (\frac{f _j(M)}{p}\big )$$ for randomly chosen (but fixed) affine functions $$f _1,\dots ,f _i$$. Each new such dependency is introduced by first refreshing the affine function $$f$$ hidden in $$vk$$, and then modifying all values encrypted in signatures whenever possible (i.e., whenever $$f (M)$$ is a quadratic residue).7 Observe that the single explicit partitioning in regular signatures is used several times (for different $$f _j$$) to introduce many dependencies of signatures on messages in the proof. The remaining strategy can then be implemented as in [15].

Our different strategy to partition the message space results in a very compact scheme. Namely, since only one explicit partitioning step is performed in the scheme, parameters, keys, and signatures comprise only a constant number of group elements. Specifically, parameters, keys, and signatures contain $$14$$, $$6$$, and $$25$$ group elements, respectively. Besides, our scheme is compatible with Groth-Sahai proofs [26]. Hence, when used in the construction of [28], we immediately get the first compact (in the above sense) PKE scheme that is tightly IND-CCA secure under a simple assumption.8

Different Perspective: Our Scheme as a MAC. So far our high-level discussion can be equally used to justify a similar message authentication code (MAC), in which verification is non-public. Such a MAC can then be converted into a signature scheme, e.g., using the technique of Bellare and Goldwasser [4].9 One could hope that this yields a more modular construction, possibly with a MAC as a simpler basic building block. (In particular, this approach was suggested by a reviewer.)

In this work, we still present our idea directly in terms of a signature scheme. One reason is that a MAC following the strategy described above would actually not be significantly less complex than a full signature scheme. In particular, already a MAC would require Groth-Sahai proofs. Moreover, a modular approach in the spirit of [4] would require “algebraically compatible” building blocks (to allow for an efficient and tightly secure overall scheme), and would seem to lead to a more complex presentation.

Open Problems. Besides of course obtaining more efficient (and compact) schemes, it would be interesting to apply similar ideas in the identity-based setting. Specifically, currently there is no fully compact identity-based encryption (IBE) scheme whose security can be tightly based on a standard assumption.10 However, it is not obvious how to use algebraic partitioning in the identity-based setting. Specifically, it is not clear how to “derive functionality” from valid signature proofs, in the following sense.

Namely, first note that IBE schemes can be interpreted as signature schemes, in a sense noted by Naor (cf. [11]): IBE user secret keys for an identity $$M$$ correspond to signatures for message $$M$$, and verification simply checks whether the alleged signature works as a decryption key for identity $$M$$. It is natural to use the same interpretation to try to “upgrade” a signature scheme to an IBE scheme. For this strategy, however, one must find a way to make a signature $$\sigma$$ act as a decryption trapdoor, and thus to “derive functionality from $$\sigma$$” (as opposed to just check $$\sigma$$ for validity). In common discrete-log-based IBE schemes, this functionality property is achieved by the fact that a pairing operation is used to pair IBE user secret keys with ciphertext elements. The result of this pairing operation is then a common secret that is shared between encryptor and decryptor.

Our strategy, however, crucially uses quadratic $$\mathbb {Z} _p$$-equations in signatures (to implement the algebraic partitioning of messages). In particular, our signature scheme uses a pairing operation already to implement these quadratic equations (even though signatures in our scheme consist solely of group elements in the source group of the pairing). As a consequence, the pairing operation cannot be used anymore to derive a common secret shared with the encryptor. Hence, at least a straightforward way to turn our signature scheme into an IBE scheme fails.11

Roadmap. After recalling some basic definitions, we present our signature scheme in Sect. 3. In Sect. 4, we give a direct construction of a PKE scheme derived from our signature scheme. In Sect. 5, we give more details on the exact Groth-Sahai equations arising from the consistency proofs of signatures and ciphertexts. In Appendix A, we provide additional illustrations for the proof of our signature scheme.

## 2 Preliminaries

Notation. Throughout the paper, $$k\in \mathbb {N}$$ denotes the security parameter. For $$n\in \mathbb {N}$$, let $$[n]:=\{1,\ldots ,n\}$$. For a finite set $$S$$, we denote with $$s\leftarrow S$$ the process of sampling $$s$$ uniformly from $$S$$. For a probabilistic algorithm $$A$$, we denote with $$y\leftarrow A(x;R)$$ the process of running $$A$$ on input $$x$$ and with randomness $$R$$, and assigning $$y$$ the result. We write $$y\leftarrow A(x)$$ for $$y\leftarrow A(x;R)$$ with uniformly chosen $$R$$, and we write $$A(x)=y$$ for the event that $$A(x;R)$$ (for uniform $$R$$) outputs $$y$$. If $$A$$’s running time is polynomial in $$k$$, then $$A$$ is called probabilistic polynomial-time (PPT). A function $$f:\mathbb {N} \rightarrow \mathbb {R}$$ is negligible if it vanishes faster than the inverse of any polynomial (i.e., if $$\forall c\exists k_0\forall k\ge k_0:|f(x)|\le 1/k^c$$).

Collision-Resistant Hashing. A hash function generator is a PPT algorithm $$\mathcal {H}$$ that, on input $$1^k$$, outputs (the description of) an efficiently computable function $$\mathrm {H}:\{0,1\}^*\rightarrow \{0,1\}^k$$.

### Definition 1

(Collision-Resistance). We say that a hash function generator $$\mathcal {H}$$ outputs collision-resistant functions $$\mathrm {H}$$ (or, when the reference to $$\mathcal {H}$$ is clear, that such an $$\mathrm {H}$$ is collision-resistant), if
is negligible for every PPT adversary $$\mathcal {A}$$.

Signature Schemes. A signature scheme $$\mathrm {SIG}$$ consists of four PPT algorithms $$\mathrm {SPars},\mathrm {SGen},\mathrm {Sig},\mathrm {Ver}$$. Parameter generation $$\mathrm {SPars} (1^k)$$ outputs public parameters $$spp$$ that are shared among all users. Key generation $$\mathrm {SGen} ( spp )$$ takes public parameters $$spp$$, and outputs a verification key $$vk$$ and a signing key $$sigk$$. The signature algorithm $$\mathrm {Sig} ( spp , sigk ,M)$$ takes public parameters $$spp$$, a signing key $$sigk$$, and a message $$M$$, and outputs a signature $$\sigma$$. Verification $$\mathrm {Ver} ( spp , vk ,M,\sigma )$$ takes public parameters $$spp$$, a verification key $$vk$$, a message $$M$$, and a potential signature $$\sigma$$, and outputs a verdict $$b\in \{0,1\}$$. For correctness, we require that $$1\leftarrow \mathrm {Ver} ( spp , vk ,M,\sigma )=1$$ always and for all $$M$$, all $$( vk , sigk )\leftarrow \mathrm {SGen} (1^k)$$, and all $$\sigma \leftarrow \mathrm {Sig} ( spp , sigk ,M)$$. For the sake of readability, we will omit the public parameters $$spp$$ from invocations of $$\mathrm {Sig}$$ and $$\mathrm {Ver}$$ when the reference is clear.

### Definition 2

(Multi-user (One-Time) Existential Unforgetability). Let $$\mathrm {SIG}$$ be a signature scheme as above, and consider the following experiment for an adversary $$\mathcal {A}$$:
1. 1.

$$\mathcal {A}$$ specifies (in unary) the number $$n_U\in \mathbb {N}$$ of desired scheme instances.

2. 2.

The experiment then samples parameters $$spp \leftarrow \mathrm {SPars} (1^k)$$ as well as $$n_U$$ keypairs $$( vk ^{(\ell )}, sigk ^{(\ell )})\leftarrow \mathrm {SGen} ( spp )$$.

3. 3.

$$\mathcal {A}$$ is invoked on input $$(1^k, spp ,( vk ^{(\ell )})_{\ell =1}^{n_U})$$, and gets access to signing oracles $$\mathrm {Sig} ( sigk ^{(\ell )},\cdot )$$ for all $$\ell \in [n_U]$$. Finally, $$\mathcal {A}$$ outputs an index $$\ell ^*\in [n_U]$$ and a potential forgery $$(M ^*,\sigma ^*)$$.

4. 4.

$$\mathcal {A}$$ wins iff $$\mathrm {Ver} ( vk ^{(\ell ^*)},M ^*,\sigma ^*)=1$$ and $$M ^*$$ was not queried to $$\mathrm {Sig} ( sigk ^{(\ell ^*)},\cdot )$$.

Let $$\mathrm {Adv}^{ euf-mcma }_{\mathrm {SIG},\mathcal {A}} (k)$$ denote the probability that $$\mathcal {A}$$ wins in the above experiment. We say that $$\mathrm {SIG}$$ is existentially unforgeable under chosen-message attacks in the multi-user setting (EUF-mCMA secure) iff $$\mathrm {Adv}^{ euf-mcma }_{\mathrm {SIG},\mathcal {A}} (k)$$ is negligible for every PPT $$\mathcal {A}$$. Let $$\mathrm {Adv}^{ ot-euf-mcma }_{\mathrm {SIG},\mathcal {A}} (k)$$ be the probability that $$\mathcal {A}$$ wins in the slightly modified experiment in which only one $$\mathrm {Sig}$$-query to each scheme instance $$\ell$$ is allowed. We say that $$\mathrm {SIG}$$ is existentially unforgeable under one-time chosen-message attacks in the multi-user setting (OT-EUF-mCMA secure) iff $$\mathrm {Adv}^{ ot-euf-mcma }_{\mathrm {SIG},\mathcal {A}} (k)$$ is negligible for every PPT $$\mathcal {A}$$.

Public-key Encryption Schemes. A public-key encryption (PKE) scheme $$\mathrm {PKE}$$ consists of four PPT algorithms $$(\mathrm {EPars},\mathrm {EGen},\mathrm {Enc},\mathrm {Dec})$$. The parameter generation algorithm $$\mathrm {EPars} (1^k)$$ outputs public parameters $$epp$$. Key generation $$\mathrm {EGen} ( epp )$$ outputs a public key $$pk$$ and a secret key $$sk$$. Encryption $$\mathrm {Enc} ( epp , pk ,M)$$ takes parameters $$epp$$, a public key $$pk$$, and a message $$M$$, and outputs a ciphertext $$C$$. Decryption $$\mathrm {Dec} ( epp , sk ,C)$$ takes public parameters $$epp$$, a secret key $$sk$$, and a ciphertext $$C$$, and outputs a message $$M$$. For correctness, we require $$\mathrm {Dec} ( epp , sk ,C)=M$$ always and for all $$M$$, all $$epp \leftarrow \mathrm {EPars} (1^k)$$, all $$( pk , sk )\leftarrow \mathrm {EGen} ( epp )$$, and all $$C \leftarrow \mathrm {Enc} ( epp , pk ,M)$$. As with signatures, we usually omit the public parameters $$epp$$ from invocations of $$\mathrm {Enc}$$ and $$\mathrm {Dec}$$.

### Definition 3

(Multi-user, Multi-challenge Indistinguishability of Ciphertexts). For a public-key encryption scheme $$\mathrm {PKE}$$ and an adversary $$\mathcal {A}$$, consider the following security experiment $$\mathrm {Exp}^{ ind-mcca }_{\mathrm {PKE},\mathcal {A}} (k)$$:
1. 1.

$$\mathcal {A}$$ specifies (in unary) the number $$n_U\in \mathbb {N}$$ of desired scheme instances.

2. 2.

The experiment samples parameters $$epp \leftarrow \mathrm {EPars} (1^k)$$, and $$n_U$$ keypairs through $$( pk ^{(\ell )}, sk ^{(\ell )})\leftarrow \mathrm {EGen} ( epp )$$, and uniformly chooses a bit $$b\leftarrow \{0,1\}$$.

3. 3.

$$\mathcal {A}$$ is invoked on input $$(1^k, epp ,( pk ^{(\ell )})_{\ell =1}^{n_U})$$, and gets access to challenge oracles $$\mathcal {O}^{(\ell )}$$ and decryption oracles $$\mathrm {Dec} ( sk ^{(\ell )},\cdot )$$ for all $$\ell \in [n_U]$$. Here, challenge oracle $$\mathcal {O}^{(\ell )}$$, on input two messages $$M _0,M _1$$, outputs an encryption $$C \leftarrow \mathrm {Enc} ( pk ^{(\ell )},M _b)$$ of $$M _b$$.

4. 4.

Finally, $$\mathcal {A}$$ outputs a bit $$b'$$, and the experiment outputs $$1$$ iff $$b=b'$$.

A PPT adversary $$\mathcal {A}$$ is valid if every pair $$(M _0,M _1)$$ of messages submitted to an $$\mathcal {O}^{(\ell )}$$ by $$\mathcal {A}$$ satisfies $$|M _0|=|M _1|$$, and if $$\mathcal {A}$$ never submits any challenge ciphertext (previously received from an $$\mathcal {O}^{(\ell )}$$) to the corresponding decryption oracle $$\mathrm {Dec} ( sk ^{(\ell )},\cdot )$$. Let
$$\mathrm {Adv}^{ ind-mcca }_{\mathrm {PKE},\mathcal {A}} (k) \;=\; \Pr \left[ {\mathrm {Exp}^{ ind-mcca }_{\mathrm {PKE},\mathcal {A}} (k)=1}\right] - 1/2.$$
We say that $$\mathrm {PKE}$$ has indistinguishable ciphertexts under chosen-ciphertext attacks in the multi-user, multi-challenge setting (short: is IND-mCCA secure) iff $$\mathrm {Adv}^{ ind-mcca }_{\mathrm {PKE},\mathcal {A}} (k)$$ is negligible for all valid $$\mathcal {A}$$. Let $$\mathrm {Adv}^{ ind-mcpa }_{\mathrm {PKE},\mathcal {A}}$$ be defined similarly, except that $$\mathcal {A}$$ has no access to any $$\mathrm {Dec}$$ oracles. $$\mathrm {PKE}$$ has indistinguishable ciphertexts under chosen-plaintext attacks in the multi-user, multi-challenge setting (short: is IND-mCPA secure) iff $$\mathrm {Adv}^{ ind-mcpa }_{\mathrm {PKE},\mathcal {A}} (k)$$ is negligible for all valid $$\mathcal {A}$$.

Quadratic Residues and Legendre Symbols. Let $$p$$ be a prime. Then, $$\mathrm {QR} _p\subseteq \mathbb {Z} _p^*$$ is the set of quadratic residues modulo $$p$$, i.e., the set of all $$x\in \mathbb {Z} _p^*$$ for which an $$r\in \mathbb {Z} _p^*$$ with $$r^2=x~\mathrm{mod}~p$$ exists. Given $$p$$ and an $$x\in \mathrm {QR} _p$$, such an $$r$$ can be computed efficiently. For $$x\in \mathbb {Z} _p$$, we let $$\big (\frac{x}{p}\big ) =x^{\frac{p-1}{2}}\mathrm{mod}~p$$ denote the Legendre of $$x$$ modulo $$p$$. We have $$\big (\frac{x}{p}\big ) \in \{-1,0,1\}$$, and in particular $$\big (\frac{x}{p}\big ) =1\,\Leftrightarrow \, x\in \mathrm {QR} _p$$, as well as $$\big (\frac{x}{p}\big ) =0\,\Leftrightarrow \, x=0$$, and $$\big (\frac{x}{p}\big ) =-1\,\Leftrightarrow \, x\in \mathbb {Z} _p^*\setminus \mathrm {QR} _p$$.

Group and Pairing Generators. A group generator $$\mathcal {G}$$ is a PPT algorithm that, on input $$1^k$$, outputs the description of a group $$\mathbb {G}$$, along with its (prime) order $$p$$, and a generator $$g$$ of $$\mathbb {G}$$. A pairing generator $$\mathcal {P}$$ is a PPT algorithm that, on input $$1^k$$, outputs descriptions of:
• three groups $$\mathbb {G},\mathbb {\hat{G}},\mathbb {G}_T$$ of the same prime order $$p$$, along with $$p$$, and generators $$g,\hat{g}$$ of $$\mathbb {G},\mathbb {\hat{G}}$$,

• a bilinear map $$e:\mathbb {G} \times \mathbb {\hat{G}} \rightarrow \mathbb {G}_T$$ that is non-degenerate in the sense of $$e (g,\hat{g})\ne 1\in \mathbb {G}_T$$.

Occasionally, it will also be useful to consider a pairing generator $$\mathcal {P}$$ as a group generator (that only outputs $$(\mathbb {G},p,g)$$ or $$(\mathbb {\hat{G}},p,\hat{g})$$).

### Assumption 1

(Decisional Diffie-Hellman). For a group generator $$\mathcal {G}$$ and an adversary $$\mathcal {A}$$, let $$\mathrm {Adv}^{ ddh }_{\mathcal {G},\mathcal {A}} (k)$$ be the following difference:
$$\Pr \left[ {\mathcal {A} (1^k,\mathbb {G},p,g,g^{x},g^{y},g^{xy})=1}\right] - \Pr \left[ {\mathcal {A} (1^k,\mathbb {G},p,g,g^{x},g^{y},g^{z})=1}\right] .$$
Here, the probability is over $$(\mathbb {G},p,g)\leftarrow \mathcal {G} (1^k)$$ and uniformly chosen $$x,y,z\in \mathbb {Z} _p$$. We say that the Decisional Diffie-Hellman (DDH) assumption holds with respect to $$\mathcal {G}$$ iff $$\mathrm {Adv}^{ ddh }_{\mathcal {G},\mathcal {A}}$$ is negligible for every PPT $$\mathcal {A}$$. When the reference to $$\mathcal {G}$$ is clear, we also say that the DDH assumption holds in $$\mathbb {G}$$ (and write $$\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {A}}$$). On occasion, we might also say that the DDH assumption holds in groups $$\mathbb {G}$$ or $$\mathbb {\hat{G}}$$ sampled by a pairing generator, with the obvious meaning.

ElGamal Encryption. The ElGamal encryption scheme $$\mathrm {PKE}_{\mathrm {eg}}$$ is defined as follows, where we assume a suitable group generator $$\mathcal {G}$$.

• $$\mathrm {EPars}_{\mathrm {eg}} (1^k)$$ runs $$(\mathbb {G},p,g)\leftarrow \mathcal {G} (1^k)$$ and outputs $$epp =(\mathbb {G},p,g)$$.

• $$\mathrm {EGen}_{\mathrm {eg}} ( epp )$$ picks a uniform $$sk \leftarrow \mathbb {Z} _p$$, sets $$pk =g^{ sk }$$, and outputs $$( pk , sk )$$.

• $$\mathrm {Enc} ( pk ,M)$$, for $$M \in \mathbb {G}$$, picks an $$R \leftarrow \mathbb {Z} _p$$, and outputs $$C =(g^{R}, pk ^{R}\cdot M)$$.

• $$\mathrm {Dec} ( sk ,C)$$, for $$C =(C _1,C _2)\in \mathbb {G} ^2$$, outputs $$M =C _2/C _1^{ sk }$$.

The ElGamal scheme is tightly IND-mCPA secure under the DDH assumption in $$\mathbb {G}$$. Concretely, for every valid IND-mCPA adversary $$\mathcal {A}$$, there is a DDH adversary $$\mathcal {B}$$ (of roughly the same complexity as the IND-mCPA experiment with $$\mathcal {A}$$) with $$\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B}} (k)=\mathrm {Adv}^{ ind-mcpa }_{\mathrm {PKE}_{\mathrm {eg}},\mathcal {A}} (k)$$.

Groth-Sahai Proofs. In a setting with a pairing generator, Groth-Sahai proofs [26] provide a very versatile and efficient way to prove the satisfiability of very general classes of equations over $$\mathbb {G}$$ and $$\mathbb {\hat{G}}$$. We will not need them in full generality, and the next definition only captures a number of abstract properties of Groth-Sahai proofs we will use. In particular, we will not formalize the exact classes of languages amenable to Groth-Sahai proofs. (For the exact languages used in our application, however, we give more details in Sect. 5.1.) Like [18, 19], we formalize Groth-Sahai proofs as commit-and-prove systems:

### Definition 4

(GS Proofs [26]). The Groth-Sahai proof system for a given pairing generator $$\mathcal {P}$$ consists of the following PPT algorithms, where $$gpp$$ denotes group parameters sampled by $$\mathcal {P}$$.

• Common Reference Strings. $$\mathrm {HGen} ( gpp )$$ and $$\mathrm {BGen} ( gpp )$$ sample hiding, resp. binding common reference strings (CRSs) $$\mathrm {CRS}$$.

• Commitments. For a (hiding or binding) CRS $$\mathrm {CRS}$$ and a $$\mathbb {G}$$-, $$\mathbb {\hat{G}}$$-, or $$\mathbb {Z} _p$$-element $$v$$, the commitment algorithm $$\mathrm {Com} ( gpp ,\mathrm {CRS},v;R)$$ outputs a commitment C, where $$R$$ denotes the used random coins.

• Proofs. Let $$\mathrm {CRS}$$ be a CRS, and let $$\mathcal {X}$$ be a system of equations. Each equation may be over $$\mathbb {G}$$, $$\mathbb {\hat{G}}$$, or $$\mathbb {Z} _p$$, and involve variables and constants. Let $$(v _i)_i$$ be a variable assignment that satisfies $$\mathcal {X}$$, and let $$(R _i)_i$$ be a vector of random coins for $$\mathrm {Com}$$. Then $$\mathrm {Prove} ( gpp ,\mathrm {CRS},\mathcal {X},(v _i,R _i)_i)$$ outputs a proof $$\pi$$.

• Verification. For a CRS $$\mathrm {CRS}$$, a system $$\mathcal {X}$$ of equations, a commitment vector $$(C_i)_i$$ to an assignment of the variables in $$\mathcal {X}$$, and a proof $$\pi$$, the verification algorithm $$\mathrm {Verify} ( gpp ,\mathrm {CRS},\mathcal {X},(C_i)_i,\pi )$$ outputs a verdict $$b\in \{0,1\}$$.

• Simulation. For a hiding CRS generated as $$\mathrm {CRS} \leftarrow \mathrm {HGen} ( gpp ;R _{\mathrm {CRS}})$$, a system $$\mathcal {X}$$ of equations, and a vector $$(R _i)_i$$ of commitment random coins, we have that $$\mathrm {Sim} ( gpp ,R _{\mathrm {CRS}},\mathcal {X},(R _i)_i)$$ outputs a simulated proof $$\pi$$.

As with signatures and encryption, we usually omit the group parameters $$gpp$$ on invocations of $$C,\mathrm {Prove},\mathrm {Verify},\mathrm {Sim}$$ when the reference is clear.

### Theorem 1

(Properties of GS Proofs [26]). The algorithms from Definition 4 satisfy the following for all choices group parameters $$gpp \leftarrow \mathcal {P} (1^k)$$ (unless noted otherwise):

• Homomorphic Commitments. For any (hiding or binding) CRS $$\mathrm {CRS}$$, any two given commitments $$\mathrm {Com} (\mathrm {CRS},v;R)$$ and $$\mathrm {Com} (\mathrm {CRS},v ';R ')$$ to $$\mathbb {G}$$-elements $$v,v '$$ allow to efficiently compute a commitment $$\mathrm {Com} (\mathrm {CRS},v \cdot v ';R \cdot R ')$$ to $$v \cdot v '$$. (Note that the corresponding random coins $$R \cdot R '$$ can be efficiently computed from $$R$$ and $$R '$$.) The same holds for two commitments to $$\mathbb {\hat{G}}$$-elements, and two commitments to $$\mathbb {Z} _p$$-elements (where the homomorphic operation on $$\mathbb {Z} _p$$-elements is addition).

• Dual-Mode Commitments. Consider a commitment $$C\leftarrow \mathrm {Com} (\mathrm {CRS},v;R)$$. If $$\mathrm {CRS}$$ is binding, then C uniquely determines $$v$$, and if $$\mathrm {CRS}$$ is hiding, then the distribution of C does not depend on $$v$$.

• CRS Indistinguishability. For every PPT adversary $$\mathcal {A}$$, there are PPT adversaries $$\mathcal {A} _1$$ and $$\mathcal {A} _2$$ with
\begin{aligned}&\left| \Pr \left[ {\mathcal {A} (1^{k},\mathrm {HGen} ( gpp ))=1}\right] - \Pr \left[ {\mathcal {A} (1^{k},\mathrm {BGen} ( gpp ))=1}\right] \right| \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \le \left| \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {A} _1} (k) \right| + \left| \mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {A} _2} (k) \right| , \end{aligned}
where the probability is over $$gpp \leftarrow \mathcal {P} (1^k)$$, and the random coins of $$\mathrm {HGen}$$, $$\mathrm {BGen}$$, and $$\mathcal {A}$$.
• Perfect Completeness. For every (hiding or binding) CRS $$\mathrm {CRS}$$, every system $$\mathcal {X}$$ of equations, every satisfying assignment $$(v _i)_i$$ of $$\mathcal {X}$$, and every possible vector $$(C_i)_i$$ of commitments generated through $$C_i\leftarrow \mathrm {Com} (\mathrm {CRS},v _i;R _i)$$, we have $$\mathrm {Verify} (\mathrm {CRS},\mathcal {X},(C_i)_i,\mathrm {Prove} (\mathrm {CRS},\mathcal {X},(v _i,R _i)_i))=1$$ with probability $$1$$.

• Perfect Soundness. For every binding CRS $$\mathrm {CRS}$$, every system $$\mathcal {X}$$ of equations that is not satisfiable, and every $$(C_i)_i$$ and $$\pi$$, $$\mathrm {Verify} (\mathrm {CRS},\mathcal {X},(C_i)_i,\pi )=0$$ always.

• Perfect Simulation. For every hiding CRS $$\mathrm {CRS} \leftarrow \mathrm {HGen} ( gpp ;R _{\mathrm {CRS}})$$, and every system $$\mathcal {X}$$ of equations that is satisfied by a variable assignment $$(v _i)_i$$, the following two distributions are identical:
\begin{aligned} \bigl ( (C_i)_i,\;\mathrm {Prove} (\mathrm {CRS},\mathcal {X},(v _i,R _i)_i) \bigr )&\quad \text {for}\,\, C_i\leftarrow \mathrm {Com} (\mathrm {CRS},v _i;R _i) \,\mathrm{and~fresh} R _i, \\ \bigl ( (C_i)_i,\;\mathrm {Sim} (R _{\mathrm {CRS}},\mathcal {X},(R _i)_i) \bigr )&\quad \text {for}\,\, C_i\leftarrow \mathrm {Com} (\mathrm {CRS},1;R _i) \,\mathrm{and~fresh} R _i. \end{aligned}
(The probability space consists of the $$R _i$$ and the coins of $$\mathrm {Prove}$$ and $$\mathrm {Sim}$$.)

Since simulation is perfect (in the sense above), it also holds for reused commitments (i.e., when multiple adaptively chosen statements $$\mathcal {X}$$ that involve the same variables and commitments are proven, see also [18]). Besides, perfect simulation directly implies perfect witness-indistinguishability (under a hiding CRS): for any two vectors $$(v _i)_i$$ and $$(v '_i)_i$$ of satisfying assignments of a given system $$\mathcal {X}$$ of equations, the corresponding commitments and proofs $$((C_i)_i,\pi )$$ and $$((C'_i)_i,\pi ')$$ are identically distributed. Again, this holds even if the same commitments are used in several proofs for adaptively generated statements $$\mathcal {X}$$.

## 3 The Signature Scheme

### 3.1 Scheme Description

Setting and Ingredients. We assume the following ingredients:
• A pairing generator $$\mathcal {P}$$ that outputs groups $$\mathbb {G} =\langle g \rangle$$ and $$\mathbb {\hat{G}} =\langle \hat{g} \rangle$$ of prime order $$p>2^{k}$$ and an asymmetric pairing $$e:\mathbb {G} \times \mathbb {\hat{G}} \rightarrow \mathbb {G}_T$$. We make the DDH assumption in both $$\mathbb {G}$$ and $$\mathbb {\hat{G}}$$.

• The ElGamal encryption scheme (given by algorithms $$\mathrm {EGen}_{\mathrm {eg}},\mathrm {Enc}_{\mathrm {eg}},\mathrm {Dec}_{\mathrm {eg}}$$) over $$\mathbb {G}$$. (That is, we will use $$\mathcal {P}$$ in place of $$\mathrm {EPars}_{\mathrm {eg}}$$ to generate the group $$\mathbb {G}$$ for ElGamal.)

• A Groth-Sahai proof system for $$\mathcal {P}$$ (see Definition 4), given by algorithms $$\mathrm {HGen},\mathrm {BGen},\mathrm {Com},\mathrm {Prove},\mathrm {Verify},\mathrm {Sim}$$.

Public Parameters. $$\mathrm {SPars} (1^k)$$ samples group parameters
\begin{aligned} gpp&=(\mathbb {G},\mathbb {\hat{G}},\mathbb {G}_T,p,g,\hat{g},e)\leftarrow \mathcal {P} (1^k) \end{aligned}
and sets $$epp _{\mathrm {eg}} =(\mathbb {G},p,g)$$. Then, $$\mathrm {SPars}$$ generates two binding Groth-Sahai CRSs and two ElGamal keypairs:
\begin{aligned} \mathrm {CRS} _1&\leftarrow \mathrm {BGen} ( gpp )&( pk _0, sk _0)&\leftarrow \mathrm {EGen}_{\mathrm {eg}} ( epp _{\mathrm {eg}}) \\ \mathrm {CRS} _2&\leftarrow \mathrm {BGen} ( gpp )&( pk _1, sk _1)&\leftarrow \mathrm {EGen}_{\mathrm {eg}} ( epp _{\mathrm {eg}}). \end{aligned}
The public parameters are then defined as
\begin{aligned} spp&=( gpp ,\mathrm {CRS} _1,\mathrm {CRS} _2, pk _0, pk _1). \end{aligned}
Key Generation. $$\mathrm {SGen} ( spp )$$ first sets up the exponents
\begin{aligned} Z =X \leftarrow \mathbb {Z} _p^* \qquad \text {and}\qquad \alpha =\beta =0, \end{aligned}
and commits to them using fresh random coins $$R_{Z},R_{\alpha },R_{\beta }$$: We will use that $$\alpha ,\beta$$ define an affine function $$f:\mathbb {Z} _p\rightarrow \mathbb {Z} _p$$ through $$f (x)=\alpha \cdot x+\beta \,\mathrm{mod}\, p$$.
Verification and signing key are given by
\begin{aligned} vk&=(C_{Z},C_{\alpha },C_{\beta })&sigk&=(X,R_{Z},R_{\alpha },R_{\beta }). \end{aligned}
Signature Generation. $$\mathrm {Sig} ( sigk ,M)$$, for $$M \in \mathbb {Z} _p$$, picks fresh random coins $$R$$ and encrypts
\begin{aligned} C _0&=\mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{Z _0};R)&C _1&=\mathrm {Enc}_{\mathrm {eg}} ( pk _1,g^{Z _1};R) \end{aligned}
for $$Z _0=Z _1=X \in \mathbb {Z} _p$$, using the same coins $$R$$ in both encryptions for efficiency. Then, $$\mathrm {Sig}$$ generates proofs $$\pi _1$$ and $$\pi _2$$ for the respective statements
\begin{aligned} \Bigl ( \underbrace{Z _0=Z _1}_{S 1} \quad \vee \quad \underbrace{f (M)\in \mathrm {QR} _p\cup \{0\}}_{S 2} \Bigr ) \qquad \text {and}\qquad \underbrace{Z _0=Z}_{S 3}. \end{aligned}
(3)
Here, $$Z _0,Z _1,Z,f$$ refer to the values encrypted (resp. committed to) in $$C _0,C _1,C_{Z},(C_{\alpha },C_{\beta })$$. Concretely, $$\mathrm {Sig}$$ generates a proof $$\pi _1$$ for $$S 1\vee S 2$$ under $$\mathrm {CRS} _1$$, using as witness $$Z _0=Z _1=X$$ and the encryption coins $$R$$. Also, $$\mathrm {Sig}$$ computes a proof $$\pi _2$$ for $$S 3$$ under $$\mathrm {CRS} _2$$, using as witness $$X$$ and $$R_{Z},R$$. We stress that $$\pi _1$$ and $$\pi _2$$ are independently generated, with different (fresh) Groth-Sahai commitments to the respective witnesses. We describe the exact Groth-Sahai equations for these proofs in Sect. 5.1, and give some intuition on the meaning of the statements $$S 1$$-$$S 3$$ in Sect. 3.2 below.
The signature is then defined as
$$\sigma = (C _0,C _1,\pi _1,\pi _2).$$
Verification. $$\mathrm {Ver} ( spp , vk ,M,\sigma )$$ outputs $$1$$ if and only if both proofs $$\pi _1$$ and $$\pi _2$$ in $$\sigma$$ are valid with respect to $$M,C _0,C _1,C_{Z},C_{\alpha },C_{\beta }$$.

Correctness. The completeness of Groth-Sahai proofs implies the correctness of $$\mathrm {SIG}$$.

Efficiency. $$\mathrm {SIG}$$ has the following efficiency characteristics (cf. Section 5.1):
• The public parameters consist of $$8$$ $$\mathbb {G}$$- and $$6$$ $$\mathbb {\hat{G}}$$-elements, plus the group parameters $$gpp$$.

• Each verification key contains $$2$$ $$\mathbb {G}$$- and $$4$$ $$\mathbb {\hat{G}}$$-elements.

• Each signing key contains $$7$$ $$\mathbb {Z} _p$$-exponents.

• Each signature contains $$11$$ $$\mathbb {G}$$- and $$14$$ $$\mathbb {\hat{G}}$$-elements.

### 3.2 Security Analysis

More Details on the Role of $$\pi _1$$ and $$\pi _2$$ in Signatures. Before we proceed to the proof, we give some intuition on the proofs $$\pi _1$$ and $$\pi _2$$ published in signatures (and the statements $$S 1$$-$$S 3$$):
• $$\pi _1$$ proves that either $$C _0$$ and $$C _1$$ encrypt the same value or that the signed message satisfies a special property $$S 2$$ (or both). In the scheme, all messages are special in this sense (because $$f (M)=0$$ for all $$M$$). However, in the proof, we can adjust $$f$$ and, e.g., partition the set of messages into special and non-special ones in a random and roughly balanced way. Intuitively, this provides a means to make the double encryption $$(C _0,C _1)$$ inconsistent (and subsequently change the encrypted values) in signatures for special messages. At the same time, any valid adversarial forgery on a non-special message (that does not satisfy $$S 2$$) must carry a consistent double encryption $$(C _0,C _1)$$.

• In the scheme, $$\pi _2$$ ties the plaintext encrypted in $$C _0$$ to the master secret $$Z$$. In the simulation, we will remove that connection by simulating $$\pi _2$$. Specifically, recall that $$\pi _1$$ and $$\pi _2$$ are independently generated, using independently generated Groth-Sahai commitments to the respective witnesses. Thus, in the proof, we can simulate $$\pi _2$$ without witness (by choosing a hiding $$\mathrm {CRS} _2$$ and using $$\mathrm {Sim}$$), while preserving the soundness of $$\pi _1$$ (assuming $$\mathrm {CRS} _1$$ is binding). This simulation of $$\pi _2$$ will be instrumental in changing the message encrypted in $$C _0$$ (when the signed message is special in the above sense).

### Theorem 2

(Security of $$\mathrm {SIG}$$ ). Under the DDH assumptions in $$\mathbb {G}$$ and $$\mathbb {\hat{G}}$$, the signature scheme $$\mathrm {SIG}$$ from Sect. 3.1 is EUF-mCMA secure. Concretely, for every EUF-mCMA adversary $$\mathcal {A}$$ on $$\mathrm {SIG}$$, there exist DDH adversaries $$\mathcal {B}$$ and $$\mathcal {B} '$$ (of roughly the same complexity as the EUF-mCMA experiment with $$\mathcal {A}$$ and $$\mathrm {SIG}$$) with
\begin{aligned} \mathrm {Adv}^{ euf-mcma }_{\mathrm {SIG},\mathcal {A}} (k) \;\le \; (8n+1)\cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B}} (k)\big | + (4n+1)\cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {B} '} (k)\big | + \mathbf {O} (n/2^{k}) \end{aligned}
(4)
for $$n=2\lceil \log _2(p)\rceil +k$$, where $$p$$ denotes the order of $$\mathbb {G}$$ and $$\mathbb {\hat{G}}$$, and $$k$$ is the security parameter.

Proof Outline. The proof starts with a number of preparations for the core argument. Our main goal during this phase will be to implement an additional and explicit check of $$\mathcal {A}$$ ’s forgery $$\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)$$ for $$\mathrm {Dec}_{\mathrm {eg}} ( sk _0,C _0^*)=g^{X^{*}}$$. (Note that in the default key setup, this explicit check is redundant, since valid signatures must fulfill statement $$S 3$$ from (3).)

In the core argument (from Game 4 to Game 5, detailed in Lemma 1), we replace the value $$X$$ used in generated signatures and the additional forgery check with a value $${\mathcal {H}}(M)$$ that depends on the signed message. We start with a constant function $${\mathcal {H}}(M)=X$$ (which corresponds to Game 4), and then introduce more and more dependencies of $${\mathcal {H}}(M)$$ on the Legendre symbols $$\big (\frac{f _j(M)}{p}\big )$$ for independently and randomly selected (invertible) affine functions $$f _j$$.

Each such dependency is introduced as follows. We start by committing to (the coefficients of) a new random function $$f ^*$$ in $$C_{\alpha },C_{\beta }$$. This change allows us to modify the messages $$Z _0,Z _1$$ encrypted in generated signatures for all $$M$$ with $$f ^*(M)\in \mathrm {QR} _p\cup \{0\}$$ (and only for those $$M$$), by proving $$S 2$$ (and not $$S 1$$) in signatures. We will also abort if $$\mathcal {A}$$ ’s forgery satisfies $$f ^*(M ^*)\in \mathrm {QR} _p\cup \{0\}$$, and we will keep enforcing our forgery check on $$C _0^*$$. Hence, from $$\mathcal {A}$$ ’s point of view, an additional dependency on $$\big (\frac{f ^*(M)}{p}\big )$$ is consistently introduced on all signatures. More importantly, this dependency is also enforced during the additional forgery check.

After sufficiently many such dependencies are introduced (for several different $$f ^*$$), all signatures are consistently generated with (or checked for) $$Z _0=Z _1=\mathcal {R}(M)$$ for a truly random function $$\mathcal {R}$$. At this point, $$\mathcal {A}$$ has to predict a truly random function $$\mathcal {R}$$ on a fresh input $$M ^*$$ in order to produce a valid forgery. Hence, $$\mathcal {A}$$ ’s forgery success must be negligible.

Figures 1 and 2 (on page 27 and page 28) give a more technical summary of the game transitions of the proof (also taking into account the notation for the multi-user case). The remainder of this section is devoted to a detailed proof.

### Proof

(Proof of Theorem 2 ) We proceed in games. Let $$out _{i}$$ denote the output of Game i.

Game 1 is the original EUF-mCMA game with $$\mathcal {A}$$ and $$\mathrm {SIG}$$. Of course,
\begin{aligned} \mathrm{Pr} \,[out_{1} = 1] \;=\; \mathrm {Adv}^{ euf-mcma }_{\mathrm {SIG},\mathcal {A}} (k). \end{aligned}
(5)
In the following, we apply a superscript to variables to denote to which $$\mathrm {SIG}$$ instance they belong. For instance, we denote with $$X^{(\ell )}$$ and $$sk ^{(\ell )} _0, sk ^{(\ell )} _1$$ the respective values from the $$\ell$$-th used $$\mathrm {SIG}$$ instance. Furthermore, we write $$X^{*}$$ for $$X^{(\ell ^*)}$$ for the challenge instance $$\ell ^*$$ selected by $$\mathcal {A}$$ for his forgery, and similarly for $$sk ^{*} _0$$ and $$sk ^{*} _1$$.
Thus, in Game 2, we implement an additional “forgery check”. Concretely, we only consider a forgery $$\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)$$ from $$\mathcal {A}$$ as valid if $$\pi _1^*$$ and $$\pi _2^*$$ are valid and if $$\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=g^{X^{*}}$$. (Otherwise, the game outputs $$0$$.) This change is purely conceptual: indeed, since $$\mathrm {CRS} _2$$ is binding, we can use the soundness of Groth-Sahai proofs. Thus, any valid proof $$\pi _2^*$$ guarantees that $$S 3$$ (from (3)) holds, and so $$\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=g^{X^{*}}$$. We obtain
\begin{aligned} \mathrm{Pr} \,[out_2 = 1] \;=\; \mathrm{Pr} \,[out_1 = 1]. \end{aligned}
(6)
In Game 3, we generate both $$\mathrm {CRS} _1$$ and $$\mathrm {CRS} _2$$ as hiding CRSs, using $$\mathrm {HGen}$$. The CRS indistinguishability of Groth-Sahai proofs yields
\begin{aligned} \mathrm{Pr} \,[out_{3} = 1] - \mathrm{Pr} \,[out_{2} = 1] \;=\; \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B} _{3}} (k) + \mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {B} '_{3}} (k) \end{aligned}
(7)
for suitable DDH adversaries $$\mathcal {B} _{3}$$ and $$\mathcal {B} '_{3}$$. (Here, we use the re-randomizability of DDH tuples. This enables a reduction that loses only a factor of $$1$$ instead of $$2$$.)
In Game 4, we simulate all proofs $$\pi _2$$ in signatures generated for $$\mathcal {A}$$, using the Groth-Sahai simulator $$\mathrm {Sim}$$ (on input the random coins $$R _{\mathrm {CRS}}$$ used to prepare $$\mathrm {CRS}$$). We also generate the corresponding commitments $$C_{Z}$$ in all verification keys as $$C_{Z} \leftarrow \mathrm {Com} (\mathrm {CRS} _2,1)$$. We stress that all $$X^{(\ell )}$$ are still chosen randomly, and all signatures are generated with encryptions $$C _0,C _1$$ of $$X^{(\ell )}$$. By the simulation property of Groth-Sahai proofs (see Theorem 1 and the following comment concerning the reuse of commitments), these changes do not affect $$\mathcal {A}$$ ’s view:
\begin{aligned} \mathrm{Pr} \,[out_{4} = 1] \;=\; \mathrm{Pr} \,[out_{3} = 1] . \end{aligned}
(8)
In Game 5, we change the generation of signatures and the forgery check from Game 2 as follows. To describe these changes, let $$\mathcal {R}^{{(\ell )}} :\mathbb {Z} _p\rightarrow \mathbb {Z} _p^*$$ (for all scheme instances $$\ell \in [n_U]$$) be truly random functions. Our changes in Game 5 are then as follows:
• All signatures generated for $$\mathcal {A}$$ contain encryptions $$C _0,C _1$$ of exponents $$Z _0=Z _1=\mathcal {R}^{{(\ell )}}(M)$$ (encoded as $$g^{Z _0},g^{Z _1}$$) instead of $$Z _0=Z _1=X^{(\ell )}$$, where $$M$$ is the signed message. As in Game 4, the corresponding proof $$\pi$$ is generated using witnesses for $$S 1$$ and $$S 3$$ from (3).

• Any forgery $$\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)$$ for a (fresh) message $$M ^*$$ from $$\mathcal {A}$$ is considered valid only if $$\pi _1^*$$ and $$\pi _2^*$$ are valid and $$\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {R}^*(M ^*)$$ holds. Otherwise, the game outputs $$0$$. (Again, we use the shorthand notation $$\mathcal {R}^*=\mathcal {R}^{({\ell ^{*}})}$$ for the challenge instance $$\ell ^*$$.)

In particular, the second change implies that
\begin{aligned} \mathrm{Pr} \,[out_{5} = 1] \;\le \; 1/(p-1) \;\le \; 1/2^k, \end{aligned}
(9)
since $$\mathcal {R}^*(M ^*)$$ is information-theoretically hidden from $$\mathcal {A}$$.

Hence, it remains to relate Game 4 and Game 5:

### Lemma 1

For $$n=2\lceil \log _2(p)\rceil +k$$ and suitable DDH adversaries $$\mathcal {B} _{5}$$ and $$\mathcal {B} '_{5}$$, we have
\begin{aligned} \big | \mathrm{Pr} \,[out_5 = 1] - \mathrm{Pr} \,[out_4 = 1] \big | \;\le \; 8n \cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B} _{5}} (k)\big | + 4n \cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {B} '_{5}} (k)\big | + \mathbf {O} (n/2^k). \end{aligned}
(10)

Before we prove Lemma 1, we remark that putting together (510), we obtain (4), which is sufficient to show Theorem 2.

### Proof

(of Lemma 1 ) We will consider a series of hybrid games between Game 4 and Game 5. Concretely, Game 4.i (for $$i\ge 0$$) is defined like Game 4, except for the following changes:
• We initially uniformly and independently choose $$i$$ invertible affine functions $$f _j:\mathbb {Z} _p\rightarrow \mathbb {Z} _p$$ (for $$j\in [i]$$). The $$f _j$$ define a “partial fingerprint” function $$\mathcal {L}_{i}:\mathbb {Z} _p\rightarrow \{-1,0,1\}^i$$ through
\begin{aligned} \mathcal {L}_{i} (M) = \left( \left( \frac{f _1(M)}{p}\right) , \dots , \left( \frac{f _i(M)}{p}\right) \right) . \end{aligned}
(11)
For every scheme instance $$\ell \in [n_U]$$, let $$\mathcal {H} ^{(\ell )}_{i}:\mathbb {Z} _p\rightarrow \mathbb {Z} _p^*$$ be the composition of $$\mathcal {L}_{i}$$ with a truly random function $$\mathcal {R}^{{(\ell )}}_{i} :\{-1,0,1\}^i\rightarrow \mathbb {Z} _p^*$$ (so that $$\mathcal {H} ^{(\ell )}_{i}(M)=\mathcal {R}^{{(\ell )}}_{i}(\mathcal {L}_{i} (M))$$).
• Signatures for $$\mathcal {A}$$ contain encryptions $$C _0,C _1$$ of exponents $$Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)$$.

• Any forgery $$\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)$$ for a (fresh) message $$M ^*$$ from $$\mathcal {A}$$ is considered valid only if $$\pi _1^*$$ and $$\pi _2^*$$ are valid and $$\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {H} ^{(\ell )}_{i}(M ^*)$$.

Note that every $$\mathcal {H} ^{(\ell )}_{0}$$ is a constant function that maps every input $$M$$ to the same random value. Hence, Game 4.0 is identical to Game 4:
\begin{aligned} \mathrm{Pr} \,[out_{4.0} = 1] \;=\; \mathrm{Pr} \,[out_4 = 1]. \end{aligned}
(12)
Conversely, for large enough $$i$$ and with high probability, the “fingerprint function” $$\mathcal {L}_{i}$$ becomes injective, so that all $$\mathcal {H} ^{(\ell )}_{i}$$ become independent truly random functions from $$\mathbb {Z} _p$$ to $$\mathbb {Z} _p^*$$:

### Lemma 2

For $$n=2\lceil \log _2(p)\rceil +k$$, the function $$\mathcal {L}_{n}$$ from (11) is injective, except with probability $$1/2^k$$ (over the choice of the invertible affine functions $$f _j:\mathbb {Z} _p\rightarrow \mathbb {Z} _p$$).

We postpone a proof of Lemma 2 for now.

Hence, the functions $$\mathcal {H} ^{(\ell )}_{n}=\mathcal {R}^{{(\ell )}}_{n}\circ \mathcal {L}_{n}$$ used in Game 4.n (for $$n=2\lceil \log _2(p)\rceil +k$$) are statistically close to truly random functions $$\mathcal {R}^{{(\ell )}}$$ (as used in Game 5):
\begin{aligned} \big | \mathrm{Pr}\, [{out_{4.n} = 1}] - \mathrm{Pr}\, [{out_{5} = 1}] \big | \;\le \; 1/2^k. \end{aligned}
(13)
The Algebraic Partitioning Step. Thus, we only need to show that there is no detectable difference between Game 4.i and Game 4.(i+1) for any $$i$$. We do so using a hybrid argument (i.e., a sequence of games) that interpolates between Game 4.i and Game 4.(i+1). (See Fig. 2 for an overview.) In short, we first refresh the affine function $$f$$ from $$C_{\alpha },C_{\beta }$$ to a fresh random (but invertible) affine function $$f ^*$$. Next, we use $$f ^*$$ to implement a different treatment of signatures, depending on $$\big (\frac{f (M)}{p}\big )$$. We detail these steps in the following.
Concretely, Game 4.i.0 is identical to Game 4.i. Thus,
\begin{aligned} \mathrm{Pr} \,[{out_{4.i.0} = 1}] \;=\; \mathrm{Pr} \,[{out_{4.i} = 1}]. \end{aligned}
(14)
Step 1: Refresh $$f$$ . In Game 4.i.1, we initially choose an invertible affine function $$f ^*:\mathbb {Z} _p\rightarrow \mathbb {Z} _p$$ uniformly, and we abort (with output $$0$$) if the message $$M ^*$$ for which $$\mathcal {A}$$ finally prepares a forgery satisfies $$f ^*(M ^*)\in \mathrm {QR} _p\cup \{0\}$$. We stress that $$f ^*$$ is not (yet) committed to in any $$C_{\alpha },C_{\beta }$$, and thus completely hidden from $$\mathcal {A}$$. Hence, an abort occurs with probability $$\frac{p+1}{2p}=\frac{1}{2}+\frac{1}{2p}$$, independently of $$\mathcal {A}$$ ’s view, so
\begin{aligned} \mathrm{Pr} \,[out_{4.i.1} = 1] \;=\; \left( \frac{1}{2}-\frac{1}{2p}\right) \cdot \mathrm{Pr} \,[out_{4.i.0} = 1] \;\ge \; \frac{1}{2} \cdot \mathrm{Pr} \,[out_{4.i.0} = 1] - \frac{1}{2p}. \end{aligned}
(15)
In Game 4.i.2, we commit to the coefficients $$f ^*_0,f ^*_1$$ of $$f ^*$$ from Game 4.i.1 in $$C_{\alpha },C_{\beta }$$ for all verification keys (instead of the coefficients $$\alpha =\beta =0$$). Accordingly, we generate all signatures for $$\mathcal {A}$$ by proving statement $$S 2$$ (and not $$S 1$$) from (3) whenever possible (i.e., upon all signature queries with $$f ^*(M)\in \mathrm {QR} _p\cup \{0\}$$). Since $$\mathrm {CRS} _1$$ is hiding, we can use the witness-indistinguishability of Groth-Sahai proofs to obtain
\begin{aligned} \mathrm{Pr} \,[out_{4.i.2} = 1] \;=\; \mathrm{Pr} \,[out_{4.i.1} = 1] . \end{aligned}
(16)
Step 2: Use $$f ^*$$ to Decouple Signatures. To describe our change in Game 4.i.3, recall that in Game 4.i.2, functions $$\mathcal {H} ^{(\ell )}_{i}$$ is used to determine both the values $$Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)$$ encrypted in $$C _0,C _1$$ upon signature queries, and to implement the forgery check. In Game 4.i.3, we use three such functions $$\mathcal {H} ^{(\ell )}_{i},\mathcal {Z} ^{(\ell )}_{i},\mathcal {Q} ^{(\ell )}_{i}:\mathbb {Z} _p\rightarrow \mathbb {Z} _p^*$$. Each of these functions is defined like $$\mathcal {H} ^{(\ell )}_{i}$$, for the same fingerprint function $$\mathcal {L}_{i}$$, but with different (i.e., independently chosen) random functions $$\mathcal {R}^{{(\ell )}}_{i}$$. (In other words, we can write $$\mathcal {H} ^{(\ell )}_{i}=F \circ \,\mathcal {L}_{i}$$, and $$\mathcal {Z} ^{(\ell )}_{i}=F'\circ \mathcal {L}_{i}$$, and $$\mathcal {Q} ^{(\ell )}_{i}=F''\circ \,\mathcal {L}_{i}$$ for independently random functions $$F,F',F'':\{-1,0,1\}^i\rightarrow \mathbb {Z} _p^*$$. Intuitively, thus, $$\mathcal {Z} ^{(\ell )}_{i}$$ and $$\mathcal {Q} ^{(\ell )}_{i}$$ are “decoupled copies” of $$\mathcal {H} ^{(\ell )}_{i}$$.)

Our goal will be to use the functions $$\mathcal {H} ^{(\ell )}_{i},\mathcal {Z} ^{(\ell )}_{i},\mathcal {Q} ^{(\ell )}_{i}$$ for messages $$M$$ satisfying $$f ^*(M)\notin \mathrm {QR} _p$$, $$f ^*(M)=0$$, and $$f ^*(M)\in \mathrm {QR} _p$$, respectively. (Hence the symbols $${\mathcal {Z}}$$ and $${\mathcal {Q}}$$.)This will be conceptually identical to using a single function $$\mathcal {H} ^{(\ell )}_{i+1}$$ for all messages of a given scheme instance $$\ell$$. At this point, however, we can only partially implement this strategy, since we can only replace the messages encrypted in $$C _1$$, but not those from $$C _0$$. (Indeed, $$sk ^{*} _0$$ is still required to implement the additional forgery check in Game 4.i.3.)

Thus, in Game 4.i.3, for every scheme instance $$\ell \in [n_U]$$, we use the respective function $$\mathcal {H} ^{(\ell )}_{i}$$ to generate all ciphertexts $$C _0,C _1$$ in signatures (as in Game 4.i.2), with the following exceptions:
• For signature queries with $$f ^*(M)=0$$, we encrypt $$Z _1=\mathcal {Z} ^{(\ell )}_{i}(M)$$ (instead of $$Z _1=\mathcal {H} ^{(\ell )}_{i}(M)$$) in the ciphertext $$C _1$$ of the generated signature.

• For signature queries with $$f ^*(M)\in \mathrm {QR} _p$$, we encrypt $$Z _1=\mathcal {Q} ^{(\ell )}_{i}(M)$$ in $$C _1$$.

Note that for signatures with $$f ^*(M)\in \mathrm {QR} _p\cup \{0\}$$, the random coins used to generate $$C _1$$ (or $$C _0$$) are not used as a witness in the process of constructing $$\pi$$. Furthermore, no secret key $$sk ^{(\ell )} _1$$ has to be known to the game. A reduction to the (tight) IND-mCPA security of ElGamal yields
\begin{aligned} \sum _{i=0}^{n-1} \mathrm{Pr} \,[out_{4.i.3} = 1] - \mathrm{Pr} \,[out_{4.i.2} = 1] \;=\; n\cdot \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B} _{4.i.3}} (k) \end{aligned}
(17)
for a suitable DDH adversary $$\mathcal {B} _{4.i.3}$$. (We note that even though the random coins $$R$$ of $$C _1$$ are not known explicitly to $$\mathcal {B} _{4.i.3}$$, a $$C _0$$ with reused $$R$$ can be constructed from $$sk ^{(\ell )} _0$$ and a given $$g^{R}$$.)

Our next step will be to replace the values encrypted in $$C _0$$ in a similar way. To do so, however, we need some preparations, since Game 4.i.3 still knows the secret keys $$sk ^{(\ell )} _0$$ (to finally implement the forgery check). Fortunately, however, we can alternatively use the $$sk ^{(\ell )} _1$$ to implement this check. (To see why this yields the same functionality, recall that by our abort rule from Game 1, we may restrict to forgeries with $$f ^*(M ^*)\notin \mathrm {QR} _p\cup \{0\}$$. However, by (3), a valid forgery for such a message must contain $$C _0^*$$ and $$C _1^*$$ that encrypt the same message.)

As a first step, in Game 4.i.4, we initially generate a binding CRS $$\mathrm {CRS} _1$$ (using $$\mathrm {CRS} _1\leftarrow \mathrm {BGen} ( gpp )$$). The CRS indistinguishability of Groth-Sahai proofs ensures that
\begin{aligned} \sum _{i=0}^{n-1} \mathrm{Pr} \,[out_{4.i.4} = 1] - \mathrm{Pr} \,[out_{4.i.3} = 1] \;=\; n\cdot \left( \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B} _{4.i.4}} (k) + \mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {B} '_{4.i.4}} (k) \right) \end{aligned}
(18)
for suitable DDH adversaries $$\mathcal {B} _{4.i.4}$$ and $$\mathcal {B} '_{4.i.4}$$.
Next, in Game 4.i.5, we implement the forgery check rule from Game 2 using $$sk ^{*} _1$$ (and not $$sk ^{*} _0$$). That is, when $$\mathcal {A}$$ submits a forgery $$\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)$$, we check if $$\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _1,C _1^*)=\mathcal {H} ^{*}_{i}(M ^*)$$ holds (and reject the forgery if not). We may assume that $$M ^*\notin \mathrm {QR} _p\cup \{0\}$$ (since otherwise, we trivially abort anyway). But for such $$M ^*$$, a valid forgery must fulfill $$S 1$$ from (3), since at this point, $$\mathrm {CRS} _1$$ is binding. In other words, we have $$\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _1,C _1^*)=\mathcal {H} ^{*}_{i}(M ^*)$$ if and only if $$\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {H} ^{*}_{i}(M ^*)$$. Hence, the change in Game 4.i.5 is purely conceptual, and we get:
\begin{aligned} \mathrm{Pr} \,[out_{4.i.5} = 1] = \mathrm{Pr} \,[out_{4.i.4} = 1]. \end{aligned}
(19)
Since we no longer use $$sk ^{*} _0$$ (or the random coins from any $$C _1$$ generated upon a signature query), we can continue with our strategy. Specifically, in Game 4.i.6, we generate all ciphertexts $$C _0,C _1$$ in signatures as follows:
• For queries with $$f ^*(M)\notin \mathrm {QR} _p$$, we encrypt $$Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)$$ in $$C _0$$ and $$C _1$$.

• For queries with $$f ^*(M)=0$$, we encrypt $$Z _0=Z _1=\mathcal {Z} ^{(\ell )}_{i}(M)$$ in $$C _0$$ and $$C _1$$.

• For queries with $$f ^*(M)\in \mathrm {QR} _p$$, we encrypt $$Z _0=Z _1=\mathcal {Q} ^{(\ell )}_{i}(M)$$ in $$C _0$$ and $$C _1$$.

Observe that the only difference to Game 4.i.5 is that the messages $$Z _0$$ encrypted in ciphertexts $$C _0$$ in signatures with $$f ^*(M)\in \mathrm {QR} _p\cup \{0\}$$ are changed. For such encryptions, neither secret key nor random coins are used by the game. Hence, a reduction to the (tight) IND-mCPA security of ElGamal yields
\begin{aligned} \sum _{i=0}^{n-1} \mathrm{Pr} \,[out_{4.i.6} = 1] - \mathrm{Pr} \,[out_{4.i.5} = 1] \;=\; n\cdot \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B} _{4.i.6}} (k) \end{aligned}
(20)
for a suitable DDH adversary $$\mathcal {B} _{4.i.6}$$. (Again, a reuse of random coins between $$C _0$$ and $$C _1$$ is possible since the secret key $$sk _1$$ is known to $$\mathcal {B} _{4.i.6}$$ during the reduction.)

Step 3: Clean Up. Now in Game 4.i.6, we handle both signature queries and $$\mathcal {A}$$ ’s forgery with either $$\mathcal {H} ^{(\ell )}_{i}$$, $$\mathcal {Z} ^{(\ell )}_{i}$$, or $$\mathcal {Q} ^{(\ell )}_{i}$$, depending on the Legendre symbol $$\big (\frac{M}{p}\big )$$ of $$M$$. This is equivalent to handling all messages with a single function $$\mathcal {H} ^{(\ell )}_{i+1}$$ by the definition of $$\mathcal {H} ^{(\ell )}_{i}$$ (see also (11)). Hence, we already “almost” implement the rules of Game 4.($$i + 1$$), and we only need to clean up things a little.

Namely, in Game 4.i.7, we again implement the forgery check from Game 2 using $$sk ^{*} _0$$ (and not $$sk ^{*} _1$$). With the same reasoning as in Game 5, we get:
\begin{aligned} \mathrm{Pr} \,[out_{4.i.7} = 1] \;=\; \mathrm{Pr} \,[out_{4.i.6} = 1]. \end{aligned}
(21)
Next, in Game 4.i.8, we again set up $$\mathrm {CRS} _1$$ as a hiding CRS (using $$\mathrm {HGen}$$). Again, CRS indistinguishability guarantees
\begin{aligned} \sum _{i=0}^{n-1} \mathrm{Pr} \,[out_{4.i.8} = 1] - \mathrm{Pr} \,[out_{4.i.7} = 1] \;=\; n\cdot \left( \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B} _{4.i.8}} (k) + \mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {B} '_{4.i.8}} (k) \right) \end{aligned}
(22)
for suitable DDH adversaries $$\mathcal {B} _{4.i.8}$$ and $$\mathcal {B} '_{4.i.8}$$.
In Game 4.i.9, we again set up the commitments $$C_{\alpha },C_{\beta }$$ in all verification keys as commitments to $$\alpha =\beta =0$$. Accordingly, we generate all signatures for $$\mathcal {A}$$ by proving statement $$S 1$$ from (3). (Note that this is possible again since all generated pairs $$(C _0,C _1)$$ do encrypt the same message.) By the witness-indistinguishability of Groth-Sahai proofs,
\begin{aligned} \mathrm{Pr} \,[out_{4.i.9} = 1] \;=\; \mathrm{Pr} \,[out_{4.i.8} = 1]. \end{aligned}
(23)
Finally, in Game 4.i.10, we do not abort anymore. (That is, we take back the abort rule from Game 1.) To see how this change affects the game’s output, we make a few observations. First, note that in both Game 4.i.9 and Game 4.i.10, $$\mathcal {A}$$ ’s view only depends on the way $$f ^*$$ partitions the set of messages depending on $$\big (\frac{f ^*(M)}{p}\big )$$, but not on which messages $$M$$ are mapped by $$f ^*$$ to squares, and which to non-squares. (Indeed, any partitioning of the $$M$$ is invariant under multiplying $$f ^*$$ with an invertible non-square modulo $$p$$. However, multiplication with an invertible non-square inverts the Legendre symbol of $$f ^*(M)$$.)
Thus, the probability for $$\mathcal {A}$$ to successfully forge a signature with $$\big (\frac{f ^*(M ^*)}{p}\big ) =1$$ is exactly the same as that to forge a signature with $$\big (\frac{f ^*(M ^*)}{p}\big ) =-1$$. Hence, if we cease to abort upon $$f ^*(M ^*)\in \mathrm {QR} _p\cup \{0\}$$, we at least double $$\mathcal {A}$$ ’s success probability:
\begin{aligned} \mathrm{Pr} \,[out_{4.i.10} = 1] \;\ge \; 2 \cdot \mathrm{Pr} \,[out_{4.i.9} = 1]. \end{aligned}
(24)
At the same time, Game 4.i.10 is identical to Game 4.($$i + 1$$). (As argued, the use of three functions $$\mathcal {H} ^{(\ell )}_{i},\mathcal {Z} ^{(\ell )}_{i},\mathcal {Q} ^{(\ell )}_{i}$$ for each scheme instance $$\ell$$ is equivalent to the use of a single function $$\mathcal {H} ^{(\ell )}_{i+1}$$ in Game 4.($$i + 1$$). Furthermore, $$\mathrm {CRS} _1$$ is hiding, the $$C_{\alpha },C_{\beta }$$ are set up as commitments to $$\alpha =\beta =0$$, and the signatures use proofs of statement $$S 1$$.) Thus,
\begin{aligned} \mathrm{Pr} \,[out_{4.i.10} = 1] \;=\; \mathrm{Pr} \,[out_{4.(i+1)} = 1]. \end{aligned}
(25)
Collecting all differences of probabilities from (1425), we obtain
\begin{aligned} \Big | \mathrm{Pr} \,[out_{4.0}&= 1] - \mathrm{Pr} \,[out_{4.n} = 1] \Big | \;\le \; \Big | \sum _{i=0}^{n-1} \mathrm{Pr} \,[out_{4.i} = 1] - \mathrm{Pr} \,[out_{4.(i+1)} = 1]\Big | \\&\qquad \qquad \quad \le \; 8n \cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B} _{5}} (k)\big |+ 4n \cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {B} '_{5}} (k)\big | + \mathbf {O} (n/2^k) \end{aligned}
for DDH adversaries $$\mathcal {B} _{5}$$ and $$\mathcal {B} '_{5}$$ that combine all adversaries from the collected differences. Together with (12) and (13), we obtain (10).

It remains to prove Lemma 2:

### Proof

(of Lemma 2 ) For any distinct $$M _0,M _1\in \mathbb {Z} _p$$ and a uniformly chosen invertible affine function $$f:\mathbb {Z} _p\rightarrow \mathbb {Z} _p$$, we have $$\Pr \left[ {\left( \frac{f (M _0)}{p}\right) =\left( \frac{f (M _1)}{p}\right) }\right] \le 1/2$$, since $$f$$ is pairwise independent. As all $$f _j$$ from (11) are chosen independently, we get
$$\Pr \left[ {\mathcal {L}_{n} (M _0)=\mathcal {L}_{n} (M _1)}\right] \;\le \;1/2^n$$
for any two distinct $$M _0,M _1$$. A union bound over all $$\mathbf {O} (p^2)$$ such pairs $$(M _0,M _1)$$ shows the claim.

## 4 Compact and (almost) Tightly Secure Public-Key Encryption

Our signature scheme $$\mathrm {SIG}$$ from Sect. 3 is “almost” automorphic (in the sense of [1]). Namely, while its verification can be expressed as a system of equations that is compatible with Groth-Sahai proofs, its messages are exponents (as opposed to group elements). However, our scheme can still be used in the generic construction of [28]. This yields an (almost) tightly secure public-key encryption scheme with compact parameters, keys and ciphertexts. (Here, “compact” means “comprised of only a constant number of group elements or exponents.”)

But although compact in the above sense, the resulting encryption scheme would be rather inefficient (in particular since it would use nested Groth-Sahai proofs). Thus, here we describe an optimized and more compact (almost) tightly secure public-key encryption scheme $$\mathrm {PKE}$$.

Setting and Ingredients. The basis for our PKE construction is the signature scheme $$\mathrm {SIG}$$ from Sect. 3, and we assume similar ingredients. In particular, we assume groups $$\mathbb {G}$$ and $$\mathbb {\hat{G}}$$, along with the ElGamal encryption and Groth-Sahai proofs over $$\mathbb {G}$$. Additionally, we assume:
• An OT-EUF-mCMA secure signature scheme with message space $$\mathbb {Z} _p$$, given by algorithms $$\mathrm {OPars},\mathrm {OGen},\mathrm {OSig},\mathrm {OVer}$$. For concreteness, in all of the following, we assume the one-time signature scheme $$\mathsf {TOTS}$$ from [28] in $$\mathbb {G}$$. Its OT-EUF-mCMA security can be tightly reduced to the discrete logarithm assumption in $$\mathbb {G}$$ (which is implied by the DDH assumption in $$\mathbb {G}$$).

• A generator $$\mathcal {H}$$ of collision-resistant hash functions $$\mathrm {H}:\{0,1\}^*\rightarrow \{0,1\}^k$$. We will interpret $$\mathrm {H}$$-outputs as $$\mathbb {Z} _p$$-elements in the natural way. (Recall that $$p>2^k$$.)

All ingredients can be instantiated under the DDH assumptions in $$\mathbb {G}$$ and $$\mathbb {\hat{G}}$$.

Public Parameters. $$\mathrm {EPars} (1^k)$$ first proceeds like the parameter generation of $$\mathrm {SIG}$$, and samples group parameters $$gpp$$, a hiding Groth-Sahai CRS, and two ElGamal public keys $$pk _0, pk _1$$. Then, $$\mathrm {EPars}$$ sets up exponents $$Z,\alpha ,\beta$$ and ciphertexts
\begin{aligned} C_{\alpha } \leftarrow \mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{\alpha };R_{\alpha }), \; C_{\beta } \leftarrow \mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{\beta };R_{\beta }), \; C_{Z} \leftarrow \mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{Z};R_{Z}). \end{aligned}
Note that here, we encrypt (and do not commit to) $$Z,\alpha ,\beta$$ in order to be able to produce slightly more compact proofs involving $$Z,\alpha ,\beta$$ later on. However, we note that conceptually, we could have as well committed to $$Z,\alpha ,\beta$$ as with $$\mathrm {SIG}$$.

Finally, $$\mathrm {EPars}$$ chooses parameters $$opp \leftarrow \mathrm {OPars} (1^k)$$ and a hash function $$\mathrm {H}$$, and outputs $$epp =( gpp ,\mathrm {CRS}, pk _0, pk _1, opp ,\mathrm {H},C_{\alpha },C_{\beta },C_{Z})$$.

Key Generation. $$\mathrm {EGen} ( epp )$$ samples two ElGamal keypairs $$( pk '_0, sk '_0), ( pk '_1, sk '_1)\leftarrow \mathrm {EGen}_{\mathrm {eg}} (\mathbb {G},p,g)$$, and outputs a public and a secret key as
\begin{aligned} pk&=( pk '_0, pk '_1)&sk&=(d, sk '_d) \end{aligned}
for a uniformly chosen bit $$d\leftarrow \{0,1\}$$.
Encryption. Intuitively, encryption corresponds to a Naor-Yung style double encryption with consistency proof [34]. The consistency proof itself proceeds as in [28], and essentially proves that either the double encryption is consistent, or a signature to a fresh value is known. (A suitable fresh value will be hash of a freshly sampled verification key of the one-time signature scheme.) Concretely, $$\mathrm {Enc} ( pk ,M)$$, for $$M \in \mathbb {G}$$, chooses a one-time signature keypair $$( ovk , osk )\leftarrow \mathrm {OGen} ( opp )$$, and encrypts the values $$Z '_0=Z '_1=M \in \mathbb {G}$$ and $$Z _0=Z _1=0$$ as
\begin{aligned} C '_0&=\mathrm {Enc}_{\mathrm {eg}} ( pk '_0,Z '_0;R ')&C _0&=\mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{Z _0};R) \\ C '_1&=\mathrm {Enc}_{\mathrm {eg}} ( pk '_1,Z '_1;R ')&C _1&=\mathrm {Enc}_{\mathrm {eg}} ( pk _1,g^{Z _1};R). \end{aligned}
(Note that for efficiency and to simplify proofs involving these values, we reuse the encryption random coins $$R '$$ and $$R$$.) Then, $$\mathrm {Enc}$$ generates a proof $$\pi$$ (under $$\mathrm {CRS}$$) of the statement
\begin{aligned} Z _0'=Z _1' \;\vee \; \Big ( \big ( Z _0=Z _1 \;\vee \; f (\mathrm {H} ( ovk ))\in \mathrm {QR} _p\cup \{0\} \big ) \;\wedge \; \big ( Z _0=Z \;\vee \; Z =0 \big ) \Big ). \end{aligned}
(26)
$$\mathrm {Enc}$$ will prove the left branch $$S 1'$$ of the outer $$\vee$$ clause, using as witness the encryption randomness $$R '$$. Hence, $$\pi$$ essentially proves consistency of $$C '_0,C '_1$$, or the same statement as for a $$\mathrm {SIG}$$-signature for $$\mathrm {H} ( ovk )$$. (There are some slight differences compared to a $$\mathrm {SIG}$$-signature: first, we use only one CRS. Hence, we cannot simulate proofs for substatement $$Z _0=Z$$ during the proof. Instead, however, we can set $$Z =0$$ to be able to generate proofs for $$S 3'$$ without knowledge of $$Z _0$$. Second, because the random coins used for $$C_{\alpha },C_{\beta },C_{Z}$$ are not known at encryption time, the proof of quadratic residuosity becomes somewhat less efficient than the one in $$\mathrm {SIG}$$ ’s signing algorithm. We refer to Sect. 5.2 for more details on the exact proof equations.)

Finally, $$\mathrm {Enc}$$ signs $$\sigma \leftarrow \mathrm {OSig} ( osk ,\mathrm {H} (C '_0,C '_1,C _0,C _1,\pi ))$$ and outputs the ciphertext $$C =(C '_0,C '_1,C _0,C _1,\pi , ovk ,\sigma )$$.

Decryption. $$\mathrm {Dec} ( sk ,C)$$ checks the validity of $$\sigma$$ and $$\pi$$. If both $$\sigma$$ and $$\pi$$ are valid, $$\mathrm {Dec}$$ outputs $$M \leftarrow \mathrm {Dec}_{\mathrm {eg}} ( sk '_d,C '_d)$$; otherwise, $$\mathrm {Dec}$$ outputs $$\bot$$.

Efficiency. $$\mathrm {PKE}$$ has the following efficiency characteristics (cf. Section 5.2):
• The public parameters consist of $$12$$ $$\mathbb {G}$$- and $$3$$ $$\mathbb {\hat{G}}$$-elements, plus the group parameters $$gpp$$, and a description of the hash function $$\mathrm {H}$$.

• Each public key contains $$2$$ $$\mathbb {G}$$-elements.

• Each secret key contains one $$\mathbb {Z} _p$$-exponent and a bit.

• Each ciphertext contains $$27$$ $$\mathbb {G}$$- and $$30$$ $$\mathbb {\hat{G}}$$-elements, and $$3$$ $$\mathbb {Z} _p$$-exponents.

### Theorem 3

(Security of $$\mathrm {PKE}$$ ). Under the DDH assumptions in $$\mathbb {G}$$ and $$\mathbb {\hat{G}}$$, and assuming that $$\mathrm {H}$$ is collision-resistant, the PKE scheme $$\mathrm {PKE}$$ described above is IND-mCCA secure. Concretely, for every EUF-mCMA adversary $$\mathcal {A}$$ on $$\mathrm {SIG}$$, there exist DDH adversaries $$\mathcal {B}$$ and $$\mathcal {B} '$$, and an adversary $$\mathcal {C}$$ on the collision-resistance of $$\mathrm {H}$$ (of roughly the same complexity as the EUF-mCMA experiment with $$\mathcal {A}$$ and $$\mathrm {SIG}$$) with
\begin{aligned} \mathrm {Adv}^{ euf-mcma }_{\mathrm {SIG},\mathcal {A}} (k) \;\le \; \mathbf {O} (k)\cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B}} (k)\big | + \mathbf {O} (k)\cdot \big |\mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {B} '} (k)\big | + \mathrm {Adv}^{ cr }_{\mathcal {H},\mathcal {C}} (k) + \mathbf {O} (k/2^{k}). \end{aligned}
(27)

### Proof

(Proof sketch) The proof combines the strategy from [28] with our concrete signature scheme, and thus we outline only the main strategy. This strategy proceeds in games, and modifies an IND-mCCA attack with adversary $$\mathcal {A}$$ as follows:
• First, the consistency proofs in all ciphertexts are prepared with different witnesses. More specifically, instead of proving $$Z '_0=Z '_1$$, we prove the right branch of (26). (Note that this right branch corresponds to the validity of a $$\mathrm {SIG}$$-signature for message $$\mathrm {H} ( ovk )$$.) Thanks to the witness-indistinguishability of Groth-Sahai proofs, this change is not detectable by $$\mathcal {A}$$.

• Next, all challenge ciphertexts generated for $$\mathcal {A}$$ are made inconsistent. (This is possible since the ciphertext consistency proofs are prepared from signature witnesses now.) Concretely, recall that so far we have encrypted the respective challenge message $$M ^*_b$$ (for the secret bit $$b$$ chosen by the IND-mCCA experiment) in both $$C '_0$$ and $$C '_1$$ of all challenge ciphertexts. Now we encrypt $$M ^*_b$$ in $$C '_{d}$$ and $$M ^*_{1-b}$$ in $$C '_{1-{d}}$$, where $$d$$ is the bit chosen for the respective $$\mathrm {PKE}$$ instance $$i$$. Hence, we change the encrypted message for all ElGamal instances whose secret key is not used. Since only the secret keys $$sk '_d$$ (but not the $$sk '_{1-d}$$) are used in the experiment, this game modification can be justified with the (tight) security of ElGamal.

• We now reject all inconsistent (in the sense $$\mathrm {Dec}_{\mathrm {eg}} ( sk '_0,C '_0)\ne \mathrm {Dec}_{\mathrm {eg}} ( sk '_1,C '_1)$$) decryption queries from $$\mathcal {A}$$. At this point in the proof, we know both $$sk '_0$$ and $$sk '_1$$ for all $$\mathrm {PKE}$$-instances, and can thus recognize the first inconsistent (in the above sense) decryption query with a valid consistency proof. Note that any such query implies a valid $$\mathrm {SIG}$$-signature for a message $$\mathrm {H} ( ovk )$$. The security of the one-time signature scheme guarantees that this message is fresh, so that $$\mathcal {A}$$ has essentially forged a $$\mathrm {SIG}$$-signature. Any such forgery can be excluded with the same strategy as in the proof of Theorem 2 (with the differences described above). This step entails the dominant terms in (27) related to DDH reductions.

At this point, $$\mathcal {A}$$ gets no information about the IND-mCCA secret $$b$$ anymore. Namely, each challenge ciphertext contains ElGamal encryptions of both $$M ^*_0$$ and $$M ^*_1$$, in an order determined by $$d\oplus b$$, where $$d$$ denotes which ElGamal secret key $$sk '_d$$ the experiment uses to decrypt for this instance. Now since inconsistent ciphertexts are rejected, the game’s answer to $$\mathcal {A}$$ ’s decryption queries does not depend on the any of the bits $$d$$. Moreover, unless (any) $$d$$ is known, also $$b$$ is hidden. Hence, $$\mathcal {A}$$ ’s view is now completely independent of $$b$$, and thus $$\mathcal {A}$$ ’s IND-mCCA success is zero.

## 5 Details on the Exact Groth-Sahai Equations in Our Schemes

### 5.1 The Exact Groth-Sahai Equations for the Proofs in Signatures

We now give details on the proofs $$\pi _1$$ and $$\pi _2$$ in signatures from $$\mathrm {SIG}$$. Recall that $$\pi _1$$ and $$\pi _2$$ shall prove the respective statements
\begin{aligned} \Big ( \underbrace{Z _0=Z _1}_{S 1} \quad \vee \quad \underbrace{f (M)\in \mathrm {QR} _p\cup \{0\}}_{S 2} \Big ) \qquad \text {and}\qquad \underbrace{Z _0=Z}_{S 3}. \end{aligned}
(28)
The Statements $$S 1$$-$$S 3$$ . We now discuss the three individual statements $$S 1$$-$$S 3$$ from (28) in more detail. To this end, let us write the ElGamal ciphertexts $$C _0,C _1$$ from a signature as
\begin{aligned} C _0&=(A,B_0)=(g^{R}, pk _0^{R}\cdot g^{Z _0})&C _1&=(A,B_1)=(g^{R}, pk _1^{R}\cdot g^{Z _1}). \end{aligned}
(Of course, the reused value $$A=g^{R}$$ will only appear once in a signature.)
$$S 1$$.

The statement $$Z _0=Z _1$$ holds if and only if $$(g, pk _1/ pk _0,A,B_1/B_0)$$ is a Diffie-Hellman tuple. Thus, $$S 1$$ is equivalent to the equations $$A=g^{R}$$ and $$B_1/B_0=( pk _1/ pk _0)^{R}$$, with witness $$R$$.

$$S 2$$.

The statement $$f (M)\in \mathrm {QR} _p\cup \{0\}$$ is equivalent to the existence of an exponent $$W\in \mathbb {Z} _p$$ with $$f (M)=W^{2} \,\mathrm{mod}\, p$$. (Recall that a commitment to $$f (M)$$ can be homomorphically computed from $$M$$ and the commitments $$C_{\alpha },C_{\beta }$$.) Hence, a witness to $$S 2$$ is given by $$(\alpha ,\beta ,W)$$.

$$S 3$$.

We can express $$Z _0=Z$$ as an equation $$B_0= pk _0^{R}\cdot g^{Z}$$ with witness $$(R,Z)$$.

All involved commitment random coins are additionally required to construct a valid proof. Besides, so far we have neglected that in a setting with an asymmetric pairing, not all combinations of, e.g., $$\mathbb {Z} _p$$-products can be directly expressed. (For instance, a square $$W^2$$ needs to be rephrased as $$W\cdot \widehat{W}$$, with an additional proof that $$W=\widehat{W}$$.) Hence, in the rest of this section, we will decorate variables that correspond to a $$\mathbb {\hat{G}}$$-commitment with a hat (e.g., $$\widehat{W}$$).

The Equations for $$\pi _1$$ . Equations for the disjunction $$S 1\vee S 2$$ can be derived using standard techniques. However, if we optimize a little, we obtain the following equations for $$S 1\vee S 2$$:
\begin{aligned} A^{\widehat{U}}&= g^{\widehat{V}}&(B_1/B_0)^{\widehat{U}}&= ( pk _1/ pk _0)^{\widehat{V}}&\widehat{f (M)}&= W\cdot \widehat{W}&W&= \widehat{W}+\widehat{U}. \end{aligned}
(For instance, if we want to prove $$S 2$$, we can set $$\widehat{U}=\widehat{V}=0$$ and $$W=\widehat{W}$$ such that $$f (M)=W^2$$.) The involved variables from the verification key are $$\widehat{\alpha }$$ and $$\widehat{\beta }$$ (used to homomorphically construct $$\widehat{f (M)}$$). The variables whose commitments are placed in the signature are $$\widehat{U},\widehat{V},W,\widehat{W}$$. All of these variables are committed to using $$\mathrm {CRS} _1$$.
The Equations for $$\pi _2$$ . Similarly, we obtain the following equations for $$S 3$$:
\begin{aligned} A&= g^{\widehat{S}}&B_0&= pk _0^{\widehat{S}}\cdot g^{Z}. \end{aligned}
The variables are $$Z$$ (committed to in $$vk$$) and $$\widehat{S}$$ (from $$\sigma$$), both committed to using $$\mathrm {CRS} _2$$.

Remarks and Efficiency Summary. We emphasize that hence, the proofs $$\pi _1$$ and $$\pi _2$$ are independent (and in particular do not share commitments). Furthermore, thanks to the composability of Groth-Sahai proofs, the commitments $$C_{\alpha },C_{\beta },C_{Z}$$ to $$\alpha ,\beta ,Z$$ that are placed in the verification key can be directly (re-)used in proofs. Each commitment occupies $$2$$ group elements. In total, the equations above comprise $$4$$ linear equations over $$\mathbb {G}$$, and $$2$$ quadratic equations over $$\mathbb {Z} _p$$. Thus, $$\pi _1$$ contains $$4\cdot 2+2\cdot 1+2\cdot 4=18$$ group elements ($$12$$ of them from $$\mathbb {\hat{G}}$$), and $$\pi _2$$ contains $$1\cdot 2+2\cdot 1=4$$ group elements ($$2$$ of them from $$\mathbb {\hat{G}}$$).

### 5.2 The Exact Groth-Sahai Equations for the Proofs in Ciphertexts

We now detail the proof $$\pi$$ in ciphertexts from $$\mathrm {PKE}$$. Recall that $$\pi$$ shall prove the statement
\begin{aligned} \underbrace{Z _0'=Z _1'}_{S 1'} \;\vee \; \Big ( \big ( \underbrace{Z _0=Z _1}_{S 2'} \;\vee \; \underbrace{f (\mathrm {H} ( ovk ))\in \mathrm {QR} _p\cup \{0\}}_{S 3'} \big ) \;\wedge \; \big ( \underbrace{Z _0=Z}_{S 4'} \;\vee \; \underbrace{Z =0}_{S 5'} \big ) \Big ). \end{aligned}
(29)
The variables in (29) refer to the messages encrypted in $$\mathrm {PKE}_{\mathrm {eg}}$$-ciphertexts from the public parameters and the $$\mathrm {PKE}$$-ciphertext at hand. We make these $$\mathrm {PKE}_{\mathrm {eg}}$$-ciphertexts explicit as
\begin{aligned} C _0&=\mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{Z _0};R)=(A,B_0)&C '_0&=\mathrm {Enc}_{\mathrm {eg}} ( pk '_0,g^{Z '_0};R ')=(A',B'_0) \\ C _1&=\mathrm {Enc}_{\mathrm {eg}} ( pk _1,g^{Z _1};R)=(A,B_1)&C '_1&=\mathrm {Enc}_{\mathrm {eg}} ( pk '_1,g^{Z '_1};R ')=(A',B'_1) \\ C_{Z}&=\mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{Z};R_{Z})=(A_{Z},B_{Z}). \end{aligned}
Besides, a $$\mathrm {PKE}_{\mathrm {eg}}$$-ciphertext $$C _{f}=\mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{f (\mathrm {H} ( ovk ))};R _{f})=(A_{f},B_{f})$$ that determines the variable $$f (\mathrm {H} ( ovk ))$$ can be homomorphically computed from the ciphertexts $$C_{\alpha },C_{\beta }$$, and $$\mathrm {H} ( ovk )$$.

The Statements $$S 1'$$-$$S 5'$$ . Let us take a closer look at the individual statements $$S 1'$$-$$S 5'$$:

$$S 1',S 2'$$.

These statements can be formalized like statement $$S 1$$ for $$\mathrm {SIG}$$. For instance, $$S 1'$$ holds if and only if $$(g, pk '_1/ pk '_0,A',B'_1/B'_0)$$ is a Diffie-Hellman tuple; a suitable witness is $$R '$$.

$$S 4',S 5'$$.

Similarly, $$S 4'$$ holds precisely if $$(g, pk _0,A/A_{Z},B_0/B_{Z})$$ is a Diffie-Hellman tuple; a witness is $$R-R _{Z}$$. (Statement $$S 5'$$ can be formalized analogously, with a witness $$R _{Z}$$.)

$$S 3'$$.

As with $$\mathrm {SIG}$$, $$S 3'$$ holds if and only if there is a $$W\in \mathbb {Z} _p$$ with $$f (\mathrm {H} ( ovk ))=W^2 \,\mathrm{mod}\, p$$. A suitable witness consists of $$W$$, and the encryption randomness $$R _{f}$$ of $$C _{f}$$.

A Reformulation. The composed statement from (29) is equivalent to
$$\big (S 1'\;\vee \;S 2'\;\vee \;S 3'\big ) \quad \wedge \quad \big (S 1'\;\vee \;S 4'\;\vee \;S 5'\big ).$$
By the above, the first sub-statement $$S 1'\vee S 2'\vee S 3'$$ is implied by the equations
\begin{aligned} \begin{aligned} A^{\widehat{U}}&= g^{\widehat{V}}&A'^{\widehat{U'}}&= g^{\widehat{V'}}&A_{f}^{\widehat{U_{f}}}&= g^{\widehat{V_{f}}} \\ (B_1/B_0)^{\widehat{U}}&= ( pk _1/ pk _0)^{\widehat{V}}&(B'_1/B'_0)^{\widehat{U'}}&= ( pk '_1/ pk '_0)^{\widehat{V'}}&B_0^{\widehat{U_{f}}}&= pk _0^{\widehat{V_{f}}}\cdot g^{\widehat{F}} \\ \widehat{F}&= W\cdot \widehat{W}&W&= \widehat{W}&1&= \widehat{U}+\widehat{U'}+\widehat{U_{f}} \end{aligned} \end{aligned}
(30)
for new variables $$\widehat{U},\widehat{V},\widehat{U'},\widehat{V'},\widehat{U_{f}},\widehat{V_{f}},\widehat{F},W,\widehat{W}$$. (We adopt the notation from Sect. 5.1 to decorate variables in $$\mathbb {\hat{G}}$$ with a hat.) Roughly, the last equation guarantees that one of $$\widehat{U},\widehat{U'},\widehat{U_{f}}$$ is nonzero, and in fact that $$\widehat{U_{f}}=1$$ once $$\widehat{U}=\widehat{U'}=0$$. Furthermore, we have $$\widehat{U'}\ne 0\Rightarrow S 1'$$, and $$\widehat{U}\ne 0\Rightarrow S 2'$$, and $$\widehat{U_{f}}\ne 0\Rightarrow S 3'$$. Finally, a witness for (30) can be produced from either a witness for $$S 1'$$, or for $$S 2'$$, or for $$S 3'$$. (For instance, we can set $$\widehat{U'}=\widehat{V'}=0$$ whenever a witness for $$S 1'$$ is not available.)
Similarly, sub-statement $$S 1'\vee S 4'\vee S 5'$$ yields additional equations
\begin{aligned} (A/A_{Z})^{\widehat{U_0}}&= g^{\widehat{V_0}}&A_{Z}^{\widehat{U_{Z}}}&= g^{\widehat{V_{Z}}}&\widehat{U'}+\widehat{U_0}+\widehat{U_{Z}}&= 1 \\ (B_0/B_{Z})^{\widehat{U_0}}&= pk _0^{\widehat{V_0}}&B_{Z}^{\widehat{U_{Z}}}&= pk _0^{\widehat{V_{Z}}} \end{aligned}
for new variables $$\widehat{U_0},\widehat{V_0},\widehat{U_{Z}},\widehat{V_{Z}}$$.

Summary. Summing up, $$\pi$$ contains commitments to $$13$$ variables ($$12$$ of them from $$\mathbb {\hat{G}}$$), and proves $$10$$ $$\mathbb {G}$$-linear, $$2$$ $$\mathbb {Z} _p$$-linear, and $$3$$ quadratic equations over $$\mathbb {Z} _p$$. This yields a proof of $$13\cdot 2+10\cdot 1+3\cdot 4=48$$ group elements ($$30$$ of them from $$\mathbb {\hat{G}}$$) and $$2\cdot 1=2$$ exponents from $$\mathbb {Z} _p$$.

## Footnotes

1. 1.

Technically, we will not even need to explicitly compute $$L_j$$, but only prove that $$L_j=1$$. This is possible using a quadratic equation over $$\mathbb {Z} _p$$.

2. 2.

Actually, [6, 15] construct tightly secure identity-based encryption (IBE) schemes. However, those IBE schemes can be viewed as tightly secure signature schemes (using Naor’s trick [11]), and then converted into tightly secure PKE schemes using the transformation from [28]. In fact, the PKE scheme of [32] can be viewed as a (modified and highly optimized) conversion of the IBE scheme from [15].

3. 3.

We note that earlier PKE schemes achieve at least a certain form of tight security under “$$q$$-type” assumptions [22, 23, 27], or in the random oracle model [7, 13, 20].

4. 4.

With a “simple” assumption, we mean one in which the adversary gets a challenge whose size only depends on the security parameter, and is then supposed to output a unique solution without further interaction. Examples of simple assumptions are DLOG, DDH, $$d$$-LIN, or RSA, but not, say, Strong Diffie-Hellman [8] or $$q$$-ABDHE [22].

5. 5.

We note that although their scheme can be viewed as a generalization of Waters signatures [38], their analysis is entirely different. Also, we omit here certain subtleties regarding the used distributions of group elements.

6. 6.

We note that a similar technique has also been used in the context of pseudorandom functions [25, 33].

7. 7.

This neglects a number of details. For instance, in the somewhat simplified scheme above, $$\pi$$ always ties the ciphertexts in signatures for quadratic non-residues $$f (M)$$ to a single value $$X$$. In our actual proof, we will thus simulate a part of $$\pi$$, such that the encrypted values can be decoupled from the original secret key $$X$$.

8. 8.

Actually, plugging our scheme directly into the construction of [28] yields an asymptotically compact, but not very efficient scheme. Thus, we provide a more direct and efficient explicit PKE construction with parameters, public keys, and ciphertexts comprised of $$15$$, $$2$$, and $$60$$ group elements, respectively.

9. 9.

In a signature scheme derived using the conversion of Bellare and Goldwasser, the verification key contains an encryption of the MAC secret key. A signature for a message $$M$$ then consists of a MAC tag $$\tau$$ for $$M$$, along with a non-interactive zero-knowledge proof that $$\tau$$ is valid relative to the encrypted MAC key.

10. 10.

The schemes of [22, 23] are tightly secure and fully compact, but rely on a nonstandard ($$q$$-type) assumption. On the other hand, IBE schemes obtained through the “dual systems” technique (e.g., [31, 37]) are compact and secure under standard assumptions, but not known to be tightly secure.

11. 11.

We realize that this explanation is somewhat technical and may not seem very compelling. We wish we had a better one.

## Notes

### Acknowledgments

The author would like to thank Eike Kiltz, Julia Hesse, Willi Geiselmann, and the anonymous reviewers for helpful feedback.

## References

1. 1.
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
2. 2.
Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)
3. 3.
Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)
4. 4.
Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, Heidelberg (1990) Google Scholar
5. 5.
Bernstein, D.J.: Proving tight security for Rabin-Williams signatures. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 70–87. Springer, Heidelberg (2008)
6. 6.
Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) Identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014)
7. 7.
Boldyreva, A.: Strengthening Security of RSA-OAEP. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 399–413. Springer, Heidelberg (2009)
8. 8.
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
9. 9.
Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004)
10. 10.
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001)
11. 11.
Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
12. 12.
Boneh, D., Mironov, I., Shoup, V.: A secure signature scheme from Bilinear maps. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 98–110. Springer, Heidelberg (2003)
13. 13.
Cash, D.M., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)
14. 14.
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)
15. 15.
Chen, J., Wee, H.: Fully, (Almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013)
16. 16.
Chevallier-Mames, B., Joye, M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 339–356. Springer, Heidelberg (2006)
17. 17.
Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)
18. 18.
Escala, A., Groth, J.: Fine-tuning groth-sahai proofs. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 630–649. Springer, Heidelberg (2014)
19. 19.
Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011)
20. 20.
Galindo, D., Martín, S., Morillo, P., Villar, J.L.: Easy verifiable primitives and practical public key cryptosystems. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 69–83. Springer, Heidelberg (2003)
21. 21.
Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)
22. 22.
Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)
23. 23.
Gentry, C., Halevi, S.: Hierarchical identity based encryption with polynomially many levels. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 437–456. Springer, Heidelberg (2009)
24. 24.
Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie-Hellman problems. J. Cryptology 20(4), 493–514 (2007)
25. 25.
Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985)
26. 26.
Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
27. 27.
Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer, Heidelberg (2012)
28. 28.
Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012)
29. 29.
Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009)
30. 30.
Kakvi, S.A., Kiltz, E.: Optimal security proofs for full domain hash, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012)
31. 31.
Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010)
32. 32.
Libert, B., Joye, M., Yung, M., Peters, T.: Concise multi-challenge CCA-secure encryption and signatures with almost tight security. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 1–21. Springer, Heidelberg (2014) Google Scholar
33. 33.
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo random functions. In: Proceedings of the FOCS 1997, pp. 458–467. IEEE Computer Society (1997)Google Scholar
34. 34.
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the STOC 1990, pp. 427–437. ACM (1990)Google Scholar
35. 35.
Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the STOC 1989, pp. 33–43. ACM (1989)Google Scholar
36. 36.
Schäge, S.: Tight proofs for signature schemes without random oracles. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 189–206. Springer, Heidelberg (2011)
37. 37.
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
38. 38.
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)