
1 Introduction

Global identities such as Passport Numbers (PNs) or Social Security Numbers (SSNs) in each country are currently common for identification. They are used not only for governmental identification but also for commercial services; that is, when we want to use a commercial service, we often ask the service administration authority to issue an attribute certificate at the registration stage. At that stage, the authority confirms our identity by a global identity string such as a PN or an SSN. Once the attribute certificate is issued, we are accepted at the authentication stage of the service. Hence the global identity strings are what allow our attribute certificates to be issued. It is notable that multi-factor authentication schemes have recently been utilized to prevent misauthentication. In such a scheme a user of a service is granted access only after presenting several separate pieces of evidence. Actually, multi-factor authentication using both a laptop PC, which is connected to the internet by a service provider, and a smartphone, which is activated by a cellular carrier, is becoming usual. Thus, there is a compound model that involves independent administration authorities for us to be authenticated and receive the benefit of a service.

Privacy protection is a function to be pursued in authentication, especially recently. The growth of the internet of things and the related big-data analysis have made protecting privacy more critical to the users involved. For this purpose, an authentication framework of identity strings and passwords should evolve into a framework where anonymity is guaranteed at the authentication stage. For example, when a smart household machine generates a report about the situation of a house via the internet as a query for a useful suggestion (such as air conditioning or cooking recipes), the identity information is often unnecessary. A further example is a vehicle connected to the internet which uses a combination of several services, such as a local traffic information system and the passenger's web scheduler. The identity information should not be leaked even when memberships are needed at the registration stages. In this example a user should be authenticated by the service providers at the same time at the authentication stages, anonymously. This is an authentication framework in which several attributes of a single user are authenticated. However, there is a threat to anonymous authentication frameworks: the collusion attack. A malicious user collects private attribute keys from honest users who have different identities, and tries to make a verifier accept anonymously by using the merged attribute keys. Here the very anonymity is a critical potential drawback from the viewpoint of collusion attacks.

1.1 Related Work and Our Contribution

A decentralized multi-authority attribute-based signature scheme (DMA-ABS) [11] is an ABS scheme with decentralized key-issuing authorities. In an ABS scheme, a signer has credentials (i.e. private secret keys) on her attributes, and a message has a signing policy expressed as a boolean formula on attributes. The signer is able to sign it if and only if her attributes satisfy the boolean formula. There may be several satisfying assignment patterns, and the attribute privacy of an ABS scheme should assure that the signatures do not leak any information on which satisfying pattern was used. We note that this property also requires the anonymity of the signer's identity. A non-trivial task in constructing an ABS scheme is to assure both collusion resistance and attribute privacy. On the other hand, allowing decentralized multi-authorities means having independent issuers, each of which generates a private secret attribute-key for the user.

In this paper, we propose a new notion: a witness-indistinguishable argument system (WIA) with \(\varSigma \)-protocols for a bundled witness space. It is known that a WIA is a natural building block to achieve anonymity in cryptographic primitives [9]. However, there is no previous work on the multi-prover setting executed by a hidden single prover who is able to convince a verifier that she is certainly a single prover. We construct this kind of WIA by employing a commitment scheme as one of the building blocks.

As an application, we give a generic construction of a decentralized multi-authority anonymous authentication scheme, which can be converted into a DMA-ABS scheme by the Fiat-Shamir transform [8]. Actually, if a prover chooses a monotone boolean formula instead of an all-AND formula (as in this paper), and if we apply the Fiat-Shamir transform to the \(\varSigma \)-protocol of our authentication scheme, then we obtain a DMA-ABS scheme.

2 Preliminaries

The security parameter is denoted by \(\lambda \). The bit length of a string a is denoted by |a|. The number of elements of a set S is denoted by |S|. A uniform random sampling of an element a from a set S is denoted as \(a \in _RS\). The expression \(a =_{?}b\) returns a boolean 1 (true) when \(a=b\), and otherwise 0 (false). The expression \(a \in _{?}S\) returns a boolean 1 when \(a \in S\), and otherwise 0. When an algorithm A with input a returns z, we denote it as \(z \leftarrow A(a)\), or, \(A(a) \rightarrow z\). When a probabilistic polynomial-time (\(\textsc {ppt}\), for short) algorithm A with input a and a randomness r on a random tape returns z, we denote it as \(z \leftarrow A(a; r)\). When an algorithm A with input a and an algorithm B with input b interact with each other and return z, we denote it as \(z \leftarrow \langle A(a), B(b) \rangle \). The transcript of all the messages of the interaction is denoted by \(transc \langle A(a), B(b) \rangle \). When an algorithm A accesses an oracle \(\mathbf {O}\), we denote it by \(A^{\mathbf {O}}\). When A accesses n oracles \(\mathbf {O}_{1},\dots ,\mathbf {O}_{n}\) concurrently, i.e. in an arbitrarily interleaved order of messages, we denote it by \(A^{\mathbf {O}_{i}|_{i=1}^{n}}\). The probability of an event E is denoted by \(\Pr [E]\). The conditional probability of an event E given events \(F_1,\dots , F_n\) in this order is denoted by \(\Pr [E | F_1,\dots , F_n]\). The distribution of a random variable X is denoted by \(dist \bigl ( X \bigr )\). The distribution of a random variable X whose probability is given by a joint probability of random variables \(X,Y_1,\dots ,Y_n\) is denoted by \(dist \bigl ( X | X, Y_1,\dots ,Y_n \bigr )\). We say that a probability p is negligible in \(\lambda \) if it is upper-bounded by the inverse of any polynomial \(\text {poly}(\lambda )\) of positive coefficients (i.e. \(p < 1/\text {poly}(\lambda )\)). We say that a probability p is overwhelming in \(\lambda \) if it is lower-bounded by 1 − (the inverse of any fixed polynomial \(\text {poly}(\lambda )\) of positive coefficients) (i.e. \(p > 1 - 1/\text {poly}(\lambda )\)).

2.1 Interactive Argument System, \(\varSigma \)-Protocol and Witness-Indistinguishability

Suppose that there exists a predicate \(\varPhi \) that defines the membership of a binary relation R; i.e., \(\varPhi \) maps \((x,w) \in (\{0, 1\}^*)^2 \) to \(\textsc {true}\) or \(\textsc {false}\). The relation R is defined as \(R\,{\mathop {=}\limits ^{\text {def}}}\,\{(x, w) \in (\{0, 1\}^*)^2 | \varPhi (x, w) = \textsc {true}\}\). We say that R is polynomially bounded if there exists a polynomial \(\ell (\cdot )\) such that \(|w| \le \ell (|x|)\) for any \((x, w)\in R\). We say that R is an NP relation if R is polynomially bounded and \(\varPhi \) is computable within polynomial-time in |x| as an algorithm. For a pair \((x, w)\in R\) we call x a statement and w a witness of x. We call R the witness relation, and \(\varPhi (\cdot , \cdot )\) the predicate of the witness relation R. When a set of public parameter values \(\texttt {PP}\) are needed to define the predicate (for example, to set up algebraic operations), we denote it as \(\varPhi _{\texttt {PP}}\). An NP language L for an NP relation R is defined as the set of all possible statements: \(L \,{\mathop {=}\limits ^{\text {def}}}\, \{x \in \{0, 1\}^* ; \exists w \in \{0, 1\}^*, (x, w) \in R \}\). We denote the set of witnesses of a statement x by W(x): \(W(x) \,{\mathop {=}\limits ^{\text {def}}}\, \{ w \in \{0, 1\}^* \ | \ (x, w) \in R \}\). We call the union W of all the sets W(x) for \(x \in L\) the witness space of L: \(W \,{\mathop {=}\limits ^{\text {def}}}\, \bigcup _{x \in L} W(x)\). We denote an interactive proof system on an NP relation R [1, 10] by \(\varPi =(\varPi {.}{} \texttt {Setup}, \texttt {P}, \texttt {V})\), where \(\varPi {.}{} \texttt {Setup}\) is a setup algorithm for a set of public parameter values \(\texttt {PP}\), and \(\texttt {P}\) and \(\texttt {V}\) are a pair of interactive algorithms. \(\texttt {P}\), which is called a prover, is probabilistic and unbounded, and \(\texttt {V}\), which is called a verifier, is probabilistic polynomial-time (\(\textsc {ppt}\)). 
If \(\texttt {P}\) is also limited to \(\textsc {ppt}\), then \(\varPi \) is called an interactive argument system.

\(\varvec{\varSigma }\)-protocol [4, 5]. Let R be an NP relation. A \(\varSigma \)-protocol \(\varSigma \) on the relation R is a 3-move public-coin protocol of an interactive argument system \(\varPi =(\varPi {.}{} \texttt {Setup}, \texttt {P}, \texttt {V})\) [4, 5]. We introduce six \(\textsc {ppt}\) algorithms for a \(\varSigma \)-protocol: \(\varSigma = ({\varSigma _{\text {com}}}, {\varSigma _{\text {cha}}}, {\varSigma _{\text {res}}}, {\varSigma _{\text {vrf}}}, {\varSigma _{\text {ext}}}, {\varSigma _{\text {sim}}})\). The first algorithm \({\varSigma _{\text {com}}}\) is executed by \(\texttt {P}\). On input a pair of a statement and a witness \((x, w) \in R\), it generates a commitment message \(\textsc {com}\) and outputs its inner state \(S t\). It returns them as \({\varSigma _{\text {com}}}(x, w) \rightarrow (\textsc {com}, S t)\). The second algorithm \({\varSigma _{\text {cha}}}\) is executed by \(\texttt {V}\). On input the statement x, it reads out the size of the security parameter as \(1^{\lambda }\) and chooses a challenge message \(\textsc {cha}\in _R\textsc {chaSp}(1^{\lambda })\) from the challenge space \(\textsc {chaSp}(1^\lambda ):=\{0, 1\}^{\omega (\lambda )}\), where \(\omega (\cdot )\) is a super-log function [2]. It returns the message as \({\varSigma _{\text {cha}}}(x) \rightarrow \textsc {cha}\). The third algorithm \({\varSigma _{\text {res}}}\) is executed by \(\texttt {P}\). On input the state \(S t\) and the challenge message \(\textsc {cha}\), it generates a response message \(\textsc {res}\). It returns the message as \({\varSigma _{\text {res}}}(S t, \textsc {cha}) \rightarrow \textsc {res}\). The fourth algorithm \({\varSigma _{\text {vrf}}}\) is executed by \(\texttt {V}\). On input the statement x and the messages \(\textsc {com}\), \(\textsc {cha}\) and \(\textsc {res}\), it computes a boolean decision d. 
It returns the decision as \({\varSigma _{\text {vrf}}}(x, \textsc {com}, \textsc {cha}, \textsc {res}) \rightarrow d\). If \(d = 1\), then we say that \(\texttt {P}\) is accepted by \(\texttt {V}\) on x. Otherwise, we say that \(\texttt {P}\) is rejected by \(\texttt {V}\) on x. The vector of all the messages \((\textsc {com}, \textsc {cha}, \textsc {res})\) is called a transcript of the interaction on x.

These four algorithms \(({\varSigma _{\text {com}}}, {\varSigma _{\text {cha}}}, {\varSigma _{\text {res}}}, {\varSigma _{\text {vrf}}})\) must satisfy the following property.

Completeness. For any \((x, w) \in R\), a prover \(\texttt {P}(x, w)\) has a verifier \(\texttt {V}(x)\) accept with probability 1: \(\Pr [ {\varSigma _{\text {vrf}}}(x, \textsc {com}, \textsc {cha}, \textsc {res}) = 1\ |\ {\varSigma _{\text {com}}}(x, w) \rightarrow (\textsc {com}, S t), {\varSigma _{\text {cha}}}(x) \rightarrow \textsc {cha}, {\varSigma _{\text {res}}}(S t, \textsc {cha}) \rightarrow \textsc {res}]\).

The fifth algorithm \({\varSigma _{\text {ext}}}\) concerns the following property.

Special Soundness. There is a \(\textsc {ppt}\) algorithm \({\varSigma _{\text {ext}}}\) called a knowledge extractor, which, on input a statement x and two accepting transcripts with a common commitment message and different challenge messages, \((\textsc {com}, \textsc {cha}, \textsc {res})\) and \((\textsc {com}, \textsc {cha}', \textsc {res}')\), \(\textsc {cha}\ne \textsc {cha}'\), computes a witness \(\hat{w}\) satisfying \((x, \hat{w}) \in R\) with an overwhelming probability in |x|: \(\hat{w} \leftarrow {\varSigma _{\text {ext}}}(x, \textsc {com}, \textsc {cha}, \textsc {res}, \textsc {cha}', \textsc {res}')\).

The sixth algorithm \({\varSigma _{\text {sim}}}\) concerns the following property.

Honest-Verifier Zero-Knowledge. There is a \(\textsc {ppt}\) algorithm called a simulator \({\varSigma _{\text {sim}}}\), which, on input a statement x, computes an accepting transcript on x: \((\tilde{\textsc {com}}, \tilde{\textsc {cha}}, \tilde{\textsc {res}}) \leftarrow {\varSigma _{\text {sim}}}(x)\), where the distribution of the simulated transcripts \(dist \bigl ( \tilde{\textsc {com}}, \tilde{\textsc {cha}}, \tilde{\textsc {res}} \bigr )\) is identical to the distribution of the real accepting transcripts \(dist \bigl (\textsc {com}, \textsc {cha}, \textsc {res}\bigr )\).

Note 1: Our Use Case. In a \(\varSigma \)-protocol the challenge message \(\textsc {cha}\) is a public coin. This property enables us in this paper to use the following variant of the simulator \({\varSigma _{\text {sim}}}(x)\): On input a simulated challenge message \(\tilde{\textsc {cha}}\) that is chosen uniformly at random, the variant generates a commitment \(\tilde{\textsc {com}}\) and a response \(\tilde{\textsc {res}}\): \(\tilde{\textsc {cha}} \in _R\textsc {chaSp}(1^{\lambda }),\ \ (\tilde{\textsc {com}}, \tilde{\textsc {res}}) \leftarrow {\varSigma _{\text {sim}}}(x, \tilde{\textsc {cha}})\).

Witness-Indistinguishability [7, 9]. Let R be an NP relation. Suppose that an interactive argument system \(\varPi =(\varPi {.}{} \texttt {Setup}, \texttt {P}, \texttt {V})\) with a \(\varSigma \)-protocol \(\varSigma \) on the relation R is given. In this paper we focus on the following property.

Perfect Witness Indistinguishability. For any \(\textsc {ppt}\) algorithm \(\texttt {V}^*\), any sequences of witnesses \(\mathbf {w} = ( w_x )_{x \in L}\) and \(\mathbf {w'} = ( w'_x )_{x \in L} \text { s.t. }w_x, w'_x \in W(x)\), any string \(x \in L\) and any string \(z \in \{0, 1\}^*\), the two distributions \(dist \bigl ( x, z, transc \langle \texttt {P}(x, w_x), \texttt {V}^*(x, z) \rangle \bigr )\) and \(dist \bigl ( x, z, transc \langle \texttt {P}(x, w'_x), \texttt {V}^*(x, z) \rangle \bigr )\) are identical.

2.2 Commit-and-Prove Scheme [3, 6]

A commit-and-prove scheme \(\texttt {CmtPrv}\) consists of five \(\textsc {ppt}\) algorithms: \(\texttt {CmtPrv}= (\texttt {CmtPrv} \texttt {.} \texttt {Setup}, \texttt {Cmt}= (\texttt {Cmt} \texttt {.} \texttt {Com}, \texttt {Cmt} \texttt {.} \texttt {Vrf}), \varPi = (\texttt {P}, \texttt {V}) )\).

\(\texttt {CmtPrv} \texttt {.} \texttt {Setup}(1^\lambda ) \rightarrow \texttt {PP}\). On input the security parameter \(1^\lambda \), it generates a set of public parameter values \(\texttt {PP}\). It returns \(\texttt {PP}\).

\(\texttt {Cmt} \texttt {.} \texttt {Com}(\texttt {PP}, m) \rightarrow (c, \kappa )\). On input the set of public parameter values \(\texttt {PP}\) and a message m in the message space \({\mathcal M}sg(1^\lambda )\), this \(\textsc {ppt}\) algorithm generates a commitment c. It also generates an opening key \(\kappa \). It returns \((c, \kappa )\).

\(\texttt {Cmt} \texttt {.} \texttt {Vrf}(\texttt {PP}, c, m, \kappa ) \rightarrow d\). On input the set of public parameter values \(\texttt {PP}\), a commitment c, a message m and an opening key \(\kappa \), this deterministic algorithm generates a boolean decision d. It returns d.

The correctness should hold for the commitment part \(\texttt {Cmt}\) of the scheme: For any security parameter \(1^{\lambda }\), any set of public parameter values \(\texttt {PP}\) and any message \(m \in {\mathcal M}sg(1^\lambda )\), \(\Pr [ d = 1\ |\ (c, \kappa ) \leftarrow \texttt {Cmt} \texttt {.} \texttt {Com}(\texttt {PP}, m), d \leftarrow \texttt {Cmt} \texttt {.} \texttt {Vrf}(\texttt {PP}, c, m, \kappa ) ] = 1\).

We denote by \(\varPhi _{\texttt {PP}}\) a predicate that returns the boolean decision: \(\varPhi _{\texttt {PP}}(c, (m, \kappa )) \,{\mathop {=}\limits ^{\text {def}}}\, ( \texttt {Cmt} \texttt {.} \texttt {Vrf}(\texttt {PP}, c, m, \kappa ) )\). In the scheme there is an interactive argument system \(\varPi = (\texttt {P}, \texttt {V})\) for the following relation R:

$$\begin{aligned} R := \{ (c, (m, \kappa )) \in \{0, 1\}^* \times (\{0, 1\}^*)^2 \ |\ \varPhi _{\texttt {PP}}(c, (m, \kappa )) = \textsc {true}\}. \end{aligned}$$

In this paper we focus on the following properties for the commitment part \(\texttt {Cmt}\).

Perfectly Hiding. For any security parameter \(1^{\lambda }\), any set of public parameter values \(\texttt {PP}\) and any two messages \(m, m' \in {\mathcal M}sg(1^\lambda )\), the two distributions \(dist \bigl ( c \ |\ (c, \kappa ) \leftarrow \texttt {Cmt} \texttt {.} \texttt {Com}(\texttt {PP}, m) \bigr )\) and \(dist \bigl ( c \ |\ (c, \kappa ) \leftarrow \texttt {Cmt} \texttt {.} \texttt {Com}(\texttt {PP}, m') \bigr )\) are identical.

Computationally Binding. An attack that breaks the binding property of \(\texttt {Cmt}\) by an algorithm \(\mathbf {A}\) is defined by the following experiment.

The advantage of \(\mathbf {A}\) over \(\texttt {Cmt}\) is defined as \(\mathbf {Adv}^{\text {bind}}_{\texttt {Cmt},\mathbf {A}}(\lambda ):= \Pr [\mathbf {Exp}^{\text {bind}}_{\texttt {Cmt},\mathbf {A}}(1^\lambda )\) \(\text {returns } \textsc {Win}]\). The commitment scheme \(\texttt {Cmt}\) is said to be computationally binding if for any set of public parameter values \(\texttt {PP}\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\), the advantage \(\mathbf {Adv}^{\text {bind}}_{\texttt {Cmt},\mathbf {A}}(\lambda )\) is negligible in \(\lambda \).

Note 2: Our Use Case. The commitment generation algorithm \(\texttt {Cmt} \texttt {.} \texttt {Com}\) uses random tapes [9]. In this paper we are in the case that a randomness \(r \in \{0,1\}^{\lambda }\) is used to generate a commitment c, and the opening key \(\kappa \) is the randomness: \(\kappa := r\). That is, \(\texttt {Cmt} \texttt {.} \texttt {Com}(\texttt {PP}, m; r) \rightarrow (c, r)\).

2.3 Digital Signature Scheme [8]

A digital signature scheme \(\texttt {Sig}\) consists of four \(\textsc {ppt}\) algorithms: \(\texttt {Sig}= \) \((\texttt {Sig} \texttt {.} \texttt {Setup},\) \(\texttt {Sig} \texttt {.} \texttt {KG},\) \(\texttt {Sig} \texttt {.} \texttt {Sign},\) \(\texttt {Sig} \texttt {.} \texttt {Vrf})\).

\(\texttt {Sig} \texttt {.} \texttt {Setup}(1^{\lambda }) \rightarrow \texttt {PP}\). On input the security parameter \(1^\lambda \), it generates a set of public parameter values \(\texttt {PP}\). It returns \(\texttt {PP}\).

\(\texttt {Sig} \texttt {.} \texttt {KG}(\texttt {PP}) \rightarrow (\text {PK}, \text {SK})\). On input the set of public parameter values \(\texttt {PP}\), this \(\textsc {ppt}\) algorithm generates a signing key \(\text {SK}\) and the corresponding public key \(\text {PK}\). It returns \((\text {PK}, \text {SK})\).

\(\texttt {Sig} \texttt {.} \texttt {Sign}(\texttt {PP}, \text {PK}, \text {SK}, m) \rightarrow \sigma \). On input the set of public parameter values \(\texttt {PP}\), the public key \(\text {PK}\), the secret key \(\text {SK}\) and a message m in the message space \({\mathcal M}sg(1^\lambda )\), this \(\textsc {ppt}\) algorithm generates a signature \(\sigma \). It returns \(\sigma \).

\(\texttt {Sig} \texttt {.} \texttt {Vrf}(\texttt {PP}, \text {PK}, m, \sigma ) \rightarrow d\). On input the set of public parameter values \(\texttt {PP}\), the public key \(\text {PK}\), a message m and a signature \(\sigma \), it returns a boolean decision d.

The correctness should hold for the scheme \(\texttt {Sig}\): For any security parameter \(1^{\lambda }\) and any message \(m \in {\mathcal M}sg(1^\lambda )\), \(\Pr [ d = 1\ |\ \texttt {PP}\leftarrow \texttt {Sig} \texttt {.} \texttt {Setup}(1^{\lambda }), (\text {PK}, \text {SK}) \leftarrow \texttt {Sig} \texttt {.} \texttt {KG}(\texttt {PP}), \sigma \leftarrow \texttt {Sig} \texttt {.} \texttt {Sign}(\texttt {PP}, \text {PK}, \text {SK}, m), d \leftarrow \texttt {Sig} \texttt {.} \texttt {Vrf}(\texttt {PP}, \text {PK}, m, \sigma ) ] = 1\).

An adaptive chosen-message attack on the scheme \(\texttt {Sig}\) by a forger algorithm \(\mathbf {F}\) is defined by the following experiment.

In the experiment, \(\mathbf {F}\) issues a signing query to its signing oracle \(\mathbf {SignO}(\texttt {PP}, \text {PK}, \text {SK}, \cdot )\) by sending a message \(m_j\) at most \(q_{\text {s}}\) times (\(1 \le j \le q_{\text {s}}\)). As a reply, \(\mathbf {F}\) receives a valid signature \(\sigma _j\) on \(m_j\). After receiving replies, \(\mathbf {F}\) returns a message and a signature \((m^*, \sigma ^*)\). A restriction is imposed on the algorithm \(\mathbf {F}\): The set of queried messages \(\{ m_j \}_{1 \le j \le q_{\text {s}}}\) should not contain the message \(m^*\). The advantage of \(\mathbf {F}\) over \(\texttt {Sig}\) is defined as \(\mathbf {Adv}^{\text {euf-cma}}_{\texttt {Sig},\mathbf {F}}(\lambda ):= \Pr [\mathbf {Exp}^{\text {euf-cma}}_{\texttt {Sig},\mathbf {F}}(1^\lambda )\text { returns } \textsc {Win}]\). The digital signature scheme \(\texttt {Sig}\) is said to be existentially unforgeable against adaptive chosen-message attacks if for any given \(\textsc {ppt}\) algorithm \(\mathbf {F}\), the advantage \(\mathbf {Adv}^{\text {euf-cma}}_{\texttt {Sig},\mathbf {F}}(\lambda )\) is negligible in \(\lambda \).

3 Witness-Indistinguishable Arguments with \(\varSigma \)-Protocols for Bundled Witness Space

In this section, we propose a generic construction of an interactive argument system that is a witness-indistinguishable argument system for a newly introduced bundled witness space. Our protocol of the interactive argument system is an AND-composition of \(\varSigma \)-protocols together with a commitment scheme, which is to prove the knowledge of witness pairs each of which consists of two components; one is a common component (such as a global identity string) and the other is an individual component (such as a digital signature issued by an individual authority on the global identity). We prove that our protocol is certainly a \(\varSigma \)-protocol. Finally, we prove that our interactive argument system with the protocol is perfectly witness-indistinguishable under the condition that the employed commitment scheme is perfectly hiding and the component \(\varSigma \)-protocols are perfectly witness-indistinguishable.

3.1 Building Blocks

Component Interactive Argument Systems with \(\varvec{\varSigma }\)-Protocols. For a polynomially bounded integer n, let A be the set of indices: \(A := \{ 1,\dots ,n \}\). We start with an efficiently computable predicate \(\varPhi _{\texttt {PP}}^a\) for each index \(a \in A\), which determines an NP witness relation \(R^a\):

$$\begin{aligned} R^a = \{ (x^a, w^a) \in \{0, 1\}^* \times \{0, 1\}^* \ | \ \varPhi _{\texttt {PP}}^a(x^a, w^a) = \textsc {true}\}, a \in A. \end{aligned}$$
(1)

We suppose for each \(a \in A\) that there is an interactive argument system \(\varPi ^a = (\varPi {.}{} \texttt {Setup}, \texttt {P}^a, \texttt {V}^a)\) which is executed in accordance with a \(\varSigma \)-protocol for the relation \(R^a\):

$$\begin{aligned} \varSigma ^a= ({\varSigma ^a_{\text {com}}}, {\varSigma ^a_{\text {cha}}}, {\varSigma ^a_{\text {res}}}, {\varSigma ^a_{\text {vrf}}}, {\varSigma ^a_{\text {ext}}}, {\varSigma ^a_{\text {sim}}}). \end{aligned}$$
(2)

We suppose further that the witness space \(W^a\) decomposes into two components \(W^a = W^a_0 \times W^a_1\) for each \(a \in A\). In this paper, our interest is in the case that all the 0th components \(W^a_0, a \in A\), are equal, which we denote by \(W_0\). We call the equal set \(W_0\) the base witness space of the witness spaces \(W^a, a \in A\), and an element \(w_0 \in W_0\) a base witness point. Then a witness \(w^a \in W^a\) consists of \(w_0\) and \(w^a_1\). That is, \(W^a = W_0 \times W^a_1 \ni (w_0, w^a_1) = w^a\).

Commit-and-Prove Scheme with \(\varvec{\varSigma }\)-Protocol. We employ a commit-and-prove scheme with a \(\varSigma \)-protocol: \(\texttt {CmtPrv}= ( \texttt {CmtPrv} \texttt {.} \texttt {Setup}, \texttt {Cmt}= (\texttt {Cmt} \texttt {.} \texttt {Com}, \texttt {Cmt} \texttt {.} \texttt {Vrf}), \varPi _0= (\texttt {P}_0, \texttt {V}_0) )\), where the predicate \(\varPhi _{0,\texttt {PP}}\) and the relation \(R_0\) are defined as follows, and \(\varPi _0\) is executed in accordance with a \(\varSigma \)-protocol \(\Sigma _0\):

$$\begin{aligned}&\varPhi _{0,\texttt {PP}}(c_0, (w_0, r_0)) \,{\mathop {=}\limits ^{\text {def}}}\, ( \texttt {Cmt} \texttt {.} \texttt {Com}(\texttt {PP}_0, w_0; r_0) =_{?}(c_0, r_0) ),\nonumber \\&R_0 \,{\mathop {=}\limits ^{\text {def}}}\, \{ (c_0, (w_0, r_0)) \in \{0, 1\}^* \times (\{0, 1\}^*)^2 \ |\ \varPhi _{0,\texttt {PP}}(c_0, (w_0, r_0)) = \textsc {true}\},\end{aligned}$$
(3)
$$\begin{aligned}&\Sigma _0= ({\varSigma _{0, \text {com}}}, {\varSigma _{0, \text {cha}}}, {\varSigma _{0, \text {res}}}, {\varSigma _{0, \text {vrf}}}, {\varSigma _{0, \text {ext}}}, {\varSigma _{0, \text {sim}}}). \end{aligned}$$
(4)

Note that a message m to be committed is a base witness point \(w_0\).

3.2 On the Existence of a \(\varSigma \)-Protocol for Simultaneous Satisfiability

We introduce for each index \(a \in A\) the following composed relation determined by the two predicates \(\varPhi ^a_\texttt {PP}\) and \(\varPhi _{0,\texttt {PP}}\). That is, the relation \(R^a_0\) is for simultaneous satisfiability of \(\varPhi ^a_\texttt {PP}\) and \(\varPhi _{0,\texttt {PP}}\) on the base witness point \(w_0\): For each \(a \in A\),

$$\begin{aligned} R^a_0 := \Bigl \{ ( x^a_0 = (x^a, c_0), w^a_0 = (w_0, w^a_1, r_0) ) | {\left\{ \begin{array}{ll} \varPhi ^a_\texttt {PP}(x^a, (w_0, w^a_1) ) = \textsc {true}\\ \varPhi _{0,\texttt {PP}}(c_0, (w_0, r_0) ) = \textsc {true}\end{array}\right. } \Bigr \}. \end{aligned}$$
(5)

We require here that the \(\varSigma \)-protocols \(\varSigma ^a\) and \(\Sigma _0\) can be merged into a single \(\varSigma \)-protocol \(\varSigma ^a_0\) of an interactive argument system \(\varPi ^a_0= (\varPi {.}{} \texttt {Setup}, \texttt {CmtPrv} \texttt {.} \texttt {Setup}, \texttt {P}^a_0, \texttt {V}^a_0)\) for the above relation \(R^a_0\):

$$\begin{aligned} \varSigma ^a_0= ({\varSigma ^a_{0, \text {com}}}, {\varSigma ^a_{0, \text {cha}}}, {\varSigma ^a_{0, \text {res}}}, {\varSigma ^a_{0, \text {vrf}}}, {\varSigma ^a_{0, \text {ext}}}, {\varSigma ^a_{0, \text {sim}}}). \end{aligned}$$
(6)
  • \({\varSigma ^a_{0, \text {com}}}( x^a_0, w^a_0 ) \rightarrow (\textsc {com}^a, \textsc {com}_{a,0}, S t^a_0)\). This \(\textsc {ppt}\) algorithm is executed by \(\texttt {P}^a_0\). On input a statement \(x^a_0 = (x^a, c_0)\) and a witness \(w^a_0 = (w_0, w^a_1, r_0)\), it runs the algorithms \({\varSigma ^a_{\text {com}}}(x^a, (w_0, w^a_1))\) and \({\varSigma _{0, \text {com}}}(c_0, (w_0, r_0))\) to obtain the commitment messages and the inner states, \((\textsc {com}^a, S t^a)\) and \((\textsc {com}_{a,0}, S t_{a,0})\), respectively, with a constraint that the knowledge extractor \({\varSigma ^a_{0, \text {ext}}}\) should return a witness which simultaneously satisfies the two predicates \(\varPhi ^a\) and \(\varPhi _0\) on the base witness point \(w_0\). It sets the state as \(S t^a_0 := (S t^a, S t_{a,0})\). It returns \((\textsc {com}^a, \textsc {com}_{a,0}, S t^a_0)\). \(\texttt {P}^a_0\) sends \((\textsc {com}^a, \textsc {com}_{a,0})\) to \(\texttt {V}^a_0\) as a commitment message, and keeps the state \(S t^a_0\).

  • \({\varSigma ^a_{0, \text {cha}}}( x^a_0 ) \rightarrow \textsc {cha}\). This \(\textsc {ppt}\) algorithm is executed by \(\texttt {V}^a_0\). On input the statement \(x^a_0\), it reads out the size of the security parameter as \(1^{\lambda }\) and chooses a challenge message \(\textsc {cha}\in _R\textsc {chaSp}(1^{\lambda })\). It returns \(\textsc {cha}\). \(\texttt {V}^a_0\) sends \(\textsc {cha}\) to \(\texttt {P}^a_0\) as a challenge message.

  • \({\varSigma ^a_{0, \text {res}}}(S t^a_0, \textsc {cha}) \rightarrow (\textsc {res}^a, \textsc {res}_{a,0})\). This \(\textsc {ppt}\) algorithm is executed by \(\texttt {P}^a_0\). On input the state \(S t^a_0\) and the challenge message \(\textsc {cha}\), it runs the algorithms \({\varSigma ^a_{\text {res}}}(S t^a, \textsc {cha})\) and \({\varSigma _{0, \text {res}}}(S t_{a,0}, \textsc {cha})\) to obtain the response messages \(\textsc {res}^a\) and \(\textsc {res}_{a,0}\), respectively, with the constraint that the knowledge extractor \({\varSigma ^a_{0, \text {ext}}}\) should return a witness which simultaneously satisfies \(\varPhi ^a\) and \(\varPhi _0\) on \(w_0\). It returns \((\textsc {res}^a, \textsc {res}_{a,0})\). \(\texttt {P}^a_0\) sends \((\textsc {res}^a, \textsc {res}_{a,0})\) to \(\texttt {V}^a_0\) as a response message.

  • \({\varSigma ^a_{0, \text {vrf}}}(x^a_0, (\textsc {com}^a, \textsc {com}_{a,0}), \textsc {cha}, (\textsc {res}^a, \textsc {res}_{a,0}) ) \rightarrow d\). This deterministic algorithm is executed by \(\texttt {V}^a_0\). On input the statement \(x^a_0 = (x^a, c_0)\) and all the messages \((\textsc {com}^a, \textsc {com}_{a,0})\), \(\textsc {cha}\) and \((\textsc {res}^a, \textsc {res}_{a,0})\), it runs the algorithms \({\varSigma ^a_{\text {vrf}}}(x^a, \textsc {com}^a, \textsc {cha}, \textsc {res}^a)\) and \({\varSigma _{0, \text {vrf}}}(c_0, \textsc {com}_{a,0}, \textsc {cha}, \textsc {res}_{a,0})\) to obtain two boolean decisions \(d^a\) and \(d_{a,0}\). If both \(d^a\) and \(d_{a,0}\) are \(1\), then it returns \(d := 1\), and otherwise \(d := 0\). \(\texttt {V}^a_0\) returns d as the decision of the interactive protocol on \(x^a_0\).

  • \({\varSigma ^a_{0, \text {ext}}}(x^a_0, (\textsc {com}^a, \textsc {com}_{a,0}), \textsc {cha}, (\textsc {res}^a, \textsc {res}_{a,0}), \textsc {cha}', ({\textsc {res}^a}', {\textsc {res}_{a,0}}') ) \rightarrow (\hat{w}^a_0, \hat{w}^a_1, \hat{r}_{a,0}) \). This \(\textsc {ppt}\) algorithm is for knowledge extraction. On input the statement \(x^a_0 = (x^a, c_0)\) and two accepting transcripts with a common commitment message and different challenge messages, \(((\textsc {com}^a, \textsc {com}_{a,0}), \textsc {cha},\) \((\textsc {res}^a, \textsc {res}_{a,0}))\) and \(((\textsc {com}^a, \textsc {com}_{a,0}),\textsc {cha}', ({\textsc {res}^a}', {\textsc {res}_{a,0}}'))\), \(\textsc {cha}\ne \textsc {cha}'\), it runs the algorithms \({\varSigma ^a_{\text {ext}}}(x^a, \textsc {com}^a, \textsc {cha}, \textsc {res}^a, \textsc {cha}', {\textsc {res}^a}')\) and \({\varSigma _{0, \text {ext}}}(c_0, \textsc {com}_{a,0}, \textsc {cha}, \textsc {res}_{a,0}, \textsc {cha}', {\textsc {res}_{a,0}}')\) to obtain witnesses \((\hat{w}^a_0, \hat{w}^a_1)\) and \((\hat{w}_{a,0}, \hat{r}_{a,0})\) satisfying \((x^a, (\hat{w}^a_0, \hat{w}^a_1)) \in R^a\) and \((c_0, (\hat{w}_{a,0}, \hat{r}_{a,0})) \in R_0\) with an overwhelming probability in \(|x^a|\) and \(|c_0|\), respectively. Here the simultaneous satisfiability on \(w_0\) should assure the following equality:

    $$\begin{aligned} \hat{w}^a_0 = \hat{w}_{a,0} \ \text {with probability one}. \end{aligned}$$
    (7)

    It returns \((\hat{w}^a_0, \hat{w}^a_1, \hat{r}_{a,0})\).

  • \({\varSigma ^a_{0, \text {sim}}}(x^a_0, \tilde{\textsc {cha}}) \rightarrow ( (\tilde{\textsc {com}}^a, \tilde{\textsc {com}}_{a,0}), (\tilde{\textsc {res}}^a, \tilde{\textsc {res}}_{a,0}) )\). This \(\textsc {ppt}\) algorithm is for the simulation of an accepting transcript. On input a statement \(x^a_0 = (x^a, c_0)\) and a uniform random string \(\tilde{\textsc {cha}} \in _R\textsc {chaSp}(1^{\lambda })\), it runs the algorithms \({\varSigma ^a_{\text {sim}}}(x^a, \tilde{\textsc {cha}})\) and \({\varSigma _{0, \text {sim}}}(c_0, \tilde{\textsc {cha}})\) to obtain the remaining parts of the transcripts \((\tilde{\textsc {com}}^a, \tilde{\textsc {res}}^a)\) and \((\tilde{\textsc {com}}_{a,0}, \tilde{\textsc {res}}_{a,0})\), respectively. The simulated messages \(( (\tilde{\textsc {com}}^a, \tilde{\textsc {com}}_{a,0}), \tilde{\textsc {cha}}, (\tilde{\textsc {res}}^a, \tilde{\textsc {res}}_{a,0}) )\) should form the distribution \(dist \bigl ( (\tilde{\textsc {com}}^a, \tilde{\textsc {com}}_{a,0}), \tilde{\textsc {cha}}, (\tilde{\textsc {res}}^a, \tilde{\textsc {res}}_{a,0}) \ |\ \text {gen. by }\textsc {chaSp}(1^{\lambda }),\) \({\varSigma ^a_{0, \text {sim}}}(x^a_0, \tilde{\textsc {cha}}) \bigr )\), which is identical to \(dist ( (\textsc {com}^a, \textsc {com}_{a,0}),\) \(\textsc {cha}, (\textsc {res}^a, \textsc {res}_{a,0}) \ | \ \text {real accepting})\).

Remark

To construct the algorithm \({\varSigma ^a_{0, \text {com}}}\) of commitment message and the algorithm \({\varSigma ^a_{0, \text {res}}}\) of response message is a non-trivial task. That is, we have to construct \({\varSigma ^a_{0, \text {com}}}\) and \({\varSigma ^a_{0, \text {res}}}\) so that the knowledge extractor \({\varSigma ^a_{0, \text {ext}}}\) returns a witness which simultaneously satisfies \(\varPhi ^a\) and \(\varPhi _0\) on a base witness point \(w_0\). The idea of the construction is to use a common random tape to generate commitment messages \(\textsc {com}^a\) and \(\textsc {com}_{a,0}\), but we do not describe the inner treatment of the random tapes in \({\varSigma ^a_{0, \text {com}}}\) and \({\varSigma ^a_{0, \text {res}}}\) for generality. Hence our approach is to show the construction when we instantiate the \(\varSigma \)-protocol \(\varSigma ^a_0\).

3.3 Bundled Witness Space

We now introduce an NP witness relation for our bundled witness space. We first fix the base witness point \(w_0\) in the base witness space \(W_0\) and consider a subset \(R^a_{w_0}\) for each NP witness relation \(R^a, a \in A\):

$$\begin{aligned} R^a_{w_0} := \{ (x^a, w^a) \in R^a \ |\ w^a = (w_0, w^a_1) \text { for some }w^a_1 \} \subset R^a, \ a \in A. \end{aligned}$$
(8)

Then, letting the base witness point \(w_0\) range over \(W_0\), we claim the following property.

Claim 1

For a polynomially bounded integer n, let A be the set of indices \(\{ 1,\dots ,n \}\). Then we have:

$$\begin{aligned} \bigcup _{w_0 \in W_0} \Bigl ( \prod _{a \in A} R^a_{w_0} \Bigr ) \subset \prod _{a \in A} \Bigl (\bigcup _{w_0 \in W_0} R^a_{w_0} \Bigr ) = \prod _{a \in A} R^a. \end{aligned}$$
(9)

Proof

The equality on the right-hand side holds because \(\bigcup _{w_0 \in W_0} R^a_{w_0} = R^a\). An element of the left-hand side is of the form \((x^1, (w_0, w^1_1) ), \dots , (x^n, (w_0, w^n_1) )\) where \(w_0 \in W_0\) and \((x^a, (w_0, w^a_1) ) \in R^a\) for \(a \in A\). This is an element of \(\prod _{a \in A} R^a\), and hence the inclusion follows. \(\square \)

Deleting the redundancy, we obtain the following one-to-one correspondence:

$$\begin{aligned} R^{a \in A}_{\text {bnd}}&\,{\mathop {=}\limits ^{\text {def}}}\, \{ \bigl ( (x^a)^{a \in A}, w_0, (w^a_1)^{a \in A} \bigr ) | (x^a, (w_0, w^a_1)) \in R^a, a \in A \} \simeq \bigcup _{w_0 \in W_0} \Bigl ( \prod _{a \in A} R^a_{w_0} \Bigr ). \end{aligned}$$

Claim 2

For a polynomially bounded integer n, let A be the set of indices \(\{ 1,\dots ,n \}\). Then the relation \(R^{a \in A}_{\text {bnd}}\) is an NP relation.

Proof

Omitted. (will appear in the full version).

Definition 1

(Relation for Bundled Witness Space). For a polynomially bounded integer n, an NP witness relation for the bundled witness spaces is defined as \(R^{a \in A}_{\text {bnd}}\).

Definition 2

(Bundled Witness Space). For a polynomially bounded integer n, let A be the set of indices \(\{ 1,\dots ,n \}\). Let \(R^a, a \in A\) be NP witness relations where each witness space decomposes \(W^a = W_0 \times W^a_1, a \in A\). Then the bundled witness space is defined as follows.

$$\begin{aligned} W^{a \in A}_{\text {bnd}} \,{\mathop {=}\limits ^{\text {def}}}\, W_0 \times (W^a_1)^{a \in A}. \end{aligned}$$
(10)

3.4 Generic Construction of \(\varSigma \)-Protocol for Bundled Witness Space

By using the above \(\varSigma \)-protocols \((\varSigma ^a_0)^{a \in A}\) and a commitment generation algorithm \(\texttt {Cmt} \texttt {.} \texttt {Com}\), we construct an interactive argument system \(\varPi ^{a \in A}_{\text {bnd}}= (\texttt {P}, \texttt {V})\) for the witness relation \(R^{a \in A}_{\text {bnd}}\) with a protocol \(\varSigma ^{a \in A}_{\text {bnd}}\). \(\varSigma ^{a \in A}_{\text {bnd}}\) is actually a \(\varSigma \)-protocol, which consists of the six \(\textsc {ppt}\) algorithms described below (see also Fig. 1):

$$\begin{aligned} \varSigma ^{a \in A}_{\text {bnd}}= ({\varSigma ^{a \in A}_{\text {bnd}, \text {com}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {cha}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {res}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {vrf}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {ext}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {sim}}}). \end{aligned}$$
(11)
  • \({\varSigma ^{a \in A}_{\text {bnd}, \text {com}}}((x^a)^{a \in A}, (w_0, (w^a_1)^{a \in A})) \rightarrow (c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A}, S t)\). This \(\textsc {ppt}\) algorithm is executed by \(\texttt {P}\). On input a statement that is a vector \((x^a)^{a \in A}\) and a witness that is a vector \((w_0, (w^a_1)^{a \in A})\), it computes a commitment \(c_0\) to the base witness point \(w_0\) with a randomness \(r_0 \in _R\{0, 1\}^{\lambda }\) by running the commitment generation algorithm of \(\texttt {Cmt}\): \((c_0, r_0) \leftarrow \texttt {Cmt} \texttt {.} \texttt {Com}(w_0; r_0)\). It sets the extended statement as \(x^a_0 := (x^a, c_0)\) and the extended witness as \(w^a_0 := (w_0, w^a_1, r_0)\) for each \(a \in A\). It runs the algorithms \({\varSigma ^a_{0, \text {com}}}( x^a_0, w^a_0 )\) to obtain \((\textsc {com}^a, \textsc {com}_{a,0}, S t^a_0)\) for each \(a \in A\). It sets the state as \(S t:= (S t^a_0)^{a \in A}\). It returns \((c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A}, S t)\). \(\texttt {P}\) sends \((c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A})\) to \(\texttt {V}\) as a commitment message, and keeps the state \(S t\).

  • \({\varSigma ^{a \in A}_{\text {bnd}, \text {cha}}}( (x^a)^{a \in A} ) \rightarrow \textsc {cha}\). This \(\textsc {ppt}\) algorithm is executed by \(\texttt {V}\). On input the statement \((x^a)^{a \in A}\), it reads out the size of the security parameter as \(1^{\lambda }\) and chooses a challenge message \(\textsc {cha}\in _R\textsc {chaSp}(1^{\lambda })\). It returns \(\textsc {cha}\). \(\texttt {V}\) sends \(\textsc {cha}\) to \(\texttt {P}\) as a challenge message.

  • \({\varSigma ^{a \in A}_{\text {bnd}, \text {res}}}(S t, \textsc {cha}) \rightarrow (\textsc {res}^a, \textsc {res}_{a,0})^{a \in A}\). This \(\textsc {ppt}\) algorithm is executed by \(\texttt {P}\). On input the state \(S t\) and the challenge message \(\textsc {cha}\), it runs the algorithms \({\varSigma ^a_{0, \text {res}}}(S t^a_0, \textsc {cha})\) to obtain \((\textsc {res}^a, \textsc {res}_{a,0})\) for each \(a \in A\). It returns \((\textsc {res}^a, \textsc {res}_{a,0})^{a \in A}\). \(\texttt {P}\) sends \((\textsc {res}^a, \textsc {res}_{a,0})^{a \in A}\) to \(\texttt {V}\) as a response message.

  • \({\varSigma ^{a \in A}_{\text {bnd}, \text {vrf}}}( (x^a)^{a \in A}, (c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A}), \textsc {cha}, (\textsc {res}^a, \textsc {res}_{a,0})^{a \in A} ) \rightarrow d\). This deterministic algorithm is executed by \(\texttt {V}\). On input the statement \((x^a)^{a \in A}\) and all the messages \((c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A})\), \(\textsc {cha}\) and \((\textsc {res}^a, \textsc {res}_{a,0})^{a \in A}\), it first sets the extended statement as \(x^a_0 := (x^a, c_0)\) for each \(a \in A\). Then it runs the algorithms \({\varSigma ^a_{0, \text {vrf}}}(x^a_0, \textsc {com}^a, \textsc {com}_{a,0}, \textsc {cha}, \textsc {res}^a, \textsc {res}_{a,0} )\) to obtain boolean decisions, for each \(a \in A\). If all the decisions are \(1\), then \(\texttt {V}\) returns \(1\), and otherwise, \(0\).

These four algorithms \(({\varSigma ^{a \in A}_{\text {bnd}, \text {com}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {cha}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {res}}}, {\varSigma ^{a \in A}_{\text {bnd}, \text {vrf}}})\) must satisfy the following property.

Proposition 1

(Completeness). If \(\texttt {Cmt}\) is correct, and if \(\varSigma ^a_0\) is complete for \(a \in A\), then our \(\varSigma ^{a \in A}_{\text {bnd}}\) is complete.

Proof

The completeness of our \(\varPi ^{a \in A}_{\text {bnd}}\) comes from the correctness of \(\texttt {Cmt}\) and the completeness of \(\varPi ^a_0\) for each \(a \in A\). \(\square \)

  • \({\varSigma ^{a \in A}_{\text {bnd}, \text {ext}}}((x^a)^{a \in A}, (c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A}), \textsc {cha}, (\textsc {res}^a, \textsc {res}_{a,0})^{a \in A}, \textsc {cha}',\) \(( (\textsc {res}^a)',\) \((\textsc {res}_{a,0})' )^{a \in A})\rightarrow ( \hat{w}_0,(\hat{w}^a_1)^{a \in A} )\). This \(\textsc {ppt}\) algorithm is for knowledge extraction. On input the statement \((x^a)^{a \in A}\) and two accepting transcripts with a common commitment message and different challenge messages, \(((c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A}), \textsc {cha}, ( \textsc {res}^a, \textsc {res}_{a,0} )^{a \in A}))\) and \(((c_0, (\textsc {com}^a, \textsc {com}_{a,0})^{a \in A}),\textsc {cha}', ( {\textsc {res}^a}', {\textsc {res}_{a,0}}' )^{a \in A}))\), \(\textsc {cha}\ne \textsc {cha}'\), it first sets the extended statement as \(x^a_0 := (x^a, c_0)\) for each \(a \in A\). Then it runs the algorithms \({\varSigma ^a_{0, \text {ext}}}(x^a_0, (\textsc {com}^a, \textsc {com}_{a,0}), \textsc {cha}, (\textsc {res}^a, \textsc {res}_{a,0}), \textsc {cha}',\) \(({\textsc {res}^a}', {\textsc {res}_{a,0}}') )\) to obtain \((\hat{w}^a_0, \hat{w}^a_1, \hat{r}^a_0)\) for each \(a \in A\). If extraction fails for at least one \(a \in A\) (i.e. some \({\varSigma ^a_{0, \text {ext}}}\) does not return a witness), then it returns \(\perp \). Otherwise, if \(\hat{w}^{a}_0 = \hat{w}^{a'}_0\) for all \(a, a' \in A\), then it sets the common value \(\hat{w}_0 := \hat{w}^{a}_0\) and returns \(( \hat{w}_0, (\hat{w}^a_1)^{a \in A} )\). Otherwise it returns \(\perp ^*\). The binding property of the commitment scheme \(\texttt {Cmt}\) assures that the former case holds with an overwhelming probability, as claimed in the following proposition.

Proposition 2

(Special Soundness). If \(\texttt {Cmt}\) is correct and computationally binding, and if \(\varSigma ^a_0\) has the special soundness for \(a \in A\), then our \(\varSigma ^{a \in A}_{\text {bnd}}\) has the special soundness.

Proof

Omitted. (will appear in the full version).

Note 3. For simplicity of the later discussion, we hereafter assume that, for all \(a \in A\), \(\Pr [ {\varSigma ^a_{0, \text {ext}}}\text { returns a witness} ] = 1\). That is, we assume that \(\Pr [ {\varSigma ^a_{0, \text {ext}}}\text { returns } \perp ] = 0\) for each \(a \in A\).

  • \({\varSigma ^{a \in A}_{\text {bnd}, \text {sim}}}( (x^a)^{a \in A}, \tilde{\textsc {cha}} ) \rightarrow ( (\tilde{c}_0, (\tilde{\textsc {com}}^a, \tilde{\textsc {com}}_{a,0})^{a \in A}), (\tilde{\textsc {res}}^a, \tilde{\textsc {res}}_{a,0})^{a \in A} )\). This \(\textsc {ppt}\) algorithm is for the simulation of an accepting transcript. On input a statement \((x^a)^{a \in A}\) and a uniform random string \(\tilde{\textsc {cha}} \in _R\textsc {chaSp}(1^{\lambda })\), it first chooses a base witness point \(\tilde{w}_0 \in _RW_0\) uniformly at random, and runs the commitment generation algorithm with a randomness \(\tilde{r}_0\), \(\texttt {Cmt} \texttt {.} \texttt {Com}(\tilde{w}_0; \tilde{r}_0) \rightarrow (\tilde{c}_0, \tilde{r}_0)\), to obtain a commitment \(\tilde{c}_0\). Then it sets the extended statement as \(x^a_0 := (x^a, \tilde{c}_0)\) for each \(a \in A\). Then, it runs the algorithms \({\varSigma ^a_{0, \text {sim}}}(x^a_0, \tilde{\textsc {cha}})\) to obtain \(( (\tilde{\textsc {com}}^a, \tilde{\textsc {com}}_{a,0}), (\tilde{\textsc {res}}^a, \tilde{\textsc {res}}_{a,0}) )\) for each \(a \in A\). It returns \(( (\tilde{c}_0, (\tilde{\textsc {com}}^a, \tilde{\textsc {com}}_{a,0})^{a \in A}), (\tilde{\textsc {res}}^a, \tilde{\textsc {res}}_{a,0})^{a \in A} )\).

Proposition 3

(Honest-Verifier Zero-Knowledge). If \(\texttt {Cmt}\) is perfectly hiding, and if \(\varSigma ^a_0\) is honest-verifier zero-knowledge for \(a \in A\), then our \(\varSigma ^{a \in A}_{\text {bnd}}\) is honest-verifier zero-knowledge.

Proof

Omitted. (will appear in the full version).

Fig. 1.
figure 1

The protocol \(\varSigma ^{a \in A}_{\text {bnd}}\) of our proof system \(\varPi ^{a \in A}_{\text {bnd}}\) for the NP witness relation \(R^{a \in A}_{\text {bnd}}\).

Theorem 1

If \(\texttt {Cmt}\) is correct, computationally binding and perfectly hiding, and if \(\varSigma ^a_0\) is a \(\varSigma \)-protocol for \(a \in A\), then our protocol \(\varSigma ^{a \in A}_{\text {bnd}}\) is a \(\varSigma \)-protocol.

Proof

Propositions 1, 2 and 3 together imply that \(\varSigma ^{a \in A}_{\text {bnd}}\) is a \(\varSigma \)-protocol. \(\square \)

Theorem 2

If the component interactive proof system \(\varPi ^a_0\) with \(\varSigma ^a_0\) is perfectly witness-indistinguishable for each \(a \in A\), and if \(\texttt {Cmt}\) is perfectly hiding, then our interactive argument system \(\varPi ^{a \in A}_{\text {bnd}}\) with \(\varSigma ^{a \in A}_{\text {bnd}}\) is perfectly witness-indistinguishable.

Proof

Omitted. (will appear in the full version).

4 Decentralized Multi-authority Anonymous Authentication Scheme

In this section, we give a syntax and security definitions of an interactive anonymous authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) in a decentralized multi-authority setting on key generation.

4.1 Syntax and Security Definitions

Our \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) consists of five \(\textsc {ppt}\) algorithms, \((\texttt {Setup},\) \(\texttt {AuthKG},\) \(\texttt {PrivKG},\) \(\texttt {P},\) \(\texttt {V})\).

  • \(\texttt {Setup}(1^{\lambda }) \rightarrow \texttt {PP}\). This \(\textsc {ppt}\) algorithm is needed to generate a set of public parameter values \(\texttt {PP}\). On input the security parameter \(1^\lambda \), it generates the set of values \(\texttt {PP}\). It returns \(\texttt {PP}\).

  • \(\texttt {AuthKG}(\texttt {PP}, a) \rightarrow (\text {PK}^a, \text {MSK}^a)\). This \(\textsc {ppt}\) algorithm is executed by a key-issuing authority indexed by a positive integer a. On input the set of public parameter values \(\texttt {PP}\) and the authority index a, it generates the a-th public key \(\text {PK}^a\) of the authority and the corresponding a-th master secret key \(\text {MSK}^a\). It returns \((\text {PK}^a, \text {MSK}^a)\).

  • \(\texttt {PrivKG}(\texttt {PP}, \text {PK}^a, \text {MSK}^a, \texttt {g} \texttt {i} \texttt {d}) \rightarrow \text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}}\). This \(\textsc {ppt}\) algorithm is executed by the a-th key-issuing authority. On input the set of public parameter values \(\texttt {PP}\), the a-th public and master secret keys \((\text {PK}^a, \text {MSK}^a)\) and a string \(\texttt {g} \texttt {i} \texttt {d}\) of a prover (a global identity string), it generates a private secret key \(\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}}\) of a prover. It returns \(\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}}\).

  • \(\langle \texttt {P}(\texttt {PP}, (\text {PK}^a, \text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}})^{a \in A'}), \texttt {V}(\texttt {PP}, (\text {PK}^a)^{a \in A'}) \rangle \rightarrow d\). These two interactive \(\textsc {ppt}\) algorithms are a prover who is to be authenticated, and a verifier who confirms that the prover certainly knows the secret keys for indices \(a \in A'\), respectively, where \(A'\) denotes a subset of all indices at which the prover is issued her private secret keys by authorities. On input the set of public parameter values \(\texttt {PP}\) and the public keys \((\text {PK}^a)^{a \in A'}\) to both \(\texttt {P}\) and \(\texttt {V}\), and the corresponding private secret keys \((\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}})^{a \in A'}\) to \(\texttt {P}\) only, \(\texttt {P}\) and \(\texttt {V}\) interact with each other. After at most polynomially many (in \(\lambda \)) moves of messages between \(\texttt {P}\) and \(\texttt {V}\), \(\texttt {V}\) returns \(d: = 1\) (“accept”) or \(d := 0\) (“reject”).

We discuss two security notions for our authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \).

Security Against Concurrent and Collusion Attack of Misauthentication. One of the possible attacks to cause misauthentication is the concurrent and collusion attack on our \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \). For a formal treatment we define the following experiment on \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) and an adversary algorithm \(\mathbf {A}\).

Intuitively, the above experiment describes the attack as follows. The adversary algorithm \(\mathbf {A}\), on input the security parameter \(1^\lambda \), first outputs the number \(q_A\) of key-issuing authorities. Then, on input the set of public parameter values \(\texttt {PP}\) and the issued public keys \((\text {PK}^a)^{a \in A}\), \(\mathbf {A}\) outputs the number \(q_I\) of provers with which \(\mathbf {A}\) interacts concurrently (i.e. in arbitrarily interleaved order of messages). In addition, \(\mathbf {A}\) collects at most \(q_{\text {sk}}\) private secret keys by issuing queries to the private secret key oracle \(\mathbf {PrivKO}(\texttt {PP}, \text {PK}^{\cdot }, \text {MSK}^{\cdot }, {\cdot })\) with an authority index \(a \in A\) and a global identity string \(\texttt {g} \texttt {i} \texttt {d}_j \in \{0,1\}^\lambda \) for \(j = q_I + 1, \dots , q_I + q_{\text {sk}}\). We denote by \(A_j\) the set of authority indices for which the queries with the global identity string \(\texttt {g} \texttt {i} \texttt {d}_j\) were issued. That is, \(A_j := \{ a \in A \ |\ \mathbf {A}\text { receives } \text {sk}^{a}_{\texttt {g} \texttt {i} \texttt {d}_j} \}, j = q_I + 1, \dots , q_I + q_{\text {sk}}\). We here require that the numbers \(q_A\), \(q_I\) and \(q_{\text {sk}}\) are bounded by a polynomial in \(\lambda \). At the end of this “learning phase”, \(\mathbf {A}\) outputs a target set of authority indices \(A^*\) and its inner state \(S t^*\). Next, in the “attacking phase”, on input the inner state \(S t^*\), the adversary \(\mathbf {A}\) interacts with the verifier \(\texttt {V}(\texttt {PP}, (\text {PK}^a)^{a \in A^*})\). If the decision d of \(\texttt {V}\) is \(1\), then the experiment returns \(\textsc {Win}\) and otherwise, returns \(\textsc {Lose}\). 
A restriction is imposed on the adversary \(\mathbf {A}\): The target set of authority indices \(A^*\) should not be a subset of any single set \(A_j\): \(A^* \nsubseteq A_j, \ j = q_I + 1, \dots , q_I + q_{\text {sk}}\). This restriction is because, otherwise, \(\mathbf {A}\) is given private secret keys for \(A^*\) on a single \(\texttt {g} \texttt {i} \texttt {d}_{i^*}\) for some \(i^*\), \(q_I < i^* \le q_I + q_{\text {sk}}\), and then \(\mathbf {A}\) can trivially be accepted in the attacking phase.

The advantage of an adversary \(\mathbf {A}\) over our authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) in the experiment is defined as: \(\mathbf {Adv}^{\text {conc-coll}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(\lambda )}\,{\mathop {=}\limits ^{\text {def}}}\, \Pr [\mathbf {Expr}^{\text {conc-coll}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(1^\lambda )}= \textsc {Win}]\). An authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) is called secure against concurrent and collusion attacks of misauthentication if, for any given \(\textsc {ppt}\) algorithm \(\mathbf {A}\), the advantage \(\mathbf {Adv}^{\text {conc-coll}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(\lambda )}\) is negligible in \(\lambda \).

Anonymity. A critical feature to be attained is provers’ anonymity on global identities when the provers are authenticated. For a formal treatment we define the following experiment on \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) and an adversary algorithm \(\mathbf {A}\).

Intuitively, the above experiment describes the attack as follows. The adversary algorithm \(\mathbf {A}\), on input the security parameter \(1^\lambda \), first outputs the number \(q_A\) of key-issuing authorities. Then, on input the issued public keys \((\text {PK}^a)^{a \in A}\), \(\mathbf {A}\) designates two identity strings \(\texttt {g} \texttt {i} \texttt {d}_0\) and \(\texttt {g} \texttt {i} \texttt {d}_1\) (as is usual in indistinguishability games). Next, \(\mathbf {A}\) interacts with a prover \(\texttt {P}\) whose input includes the private secret keys \((\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}_b})^{a \in A}\), where the bit b is chosen uniformly at random. If the guess \(b^*\) output by \(\mathbf {A}\) is equal to b, then the experiment returns \(\textsc {Win}\) and otherwise, returns \(\textsc {Lose}\).

The advantage of an adversary \(\mathbf {A}\) over our authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) in the experiment is defined as: \(\mathbf {Adv}^{\text {ano}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(\lambda )}\,{\mathop {=}\limits ^{\text {def}}}\, \bigl | \Pr [\mathbf {Expr}^{\text {ano}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(1^\lambda )}= \textsc {Win}] - (1/2) \bigr |\). An authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) is called to have anonymity if, for any \(\textsc {ppt}\) algorithm \(\mathbf {A}\), the advantage \(\mathbf {Adv}^{\text {ano}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(\lambda )}\) is negligible in \(\lambda \).

4.2 Generic Construction

We give a generic construction of our authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \). The building blocks are the interactive proof system \(\varPi ^{a \in A}_{\text {bnd}}\) with our \(\varSigma \)-protocol \(\varSigma ^{a \in A}_{\text {bnd}}\) and a digital signature scheme \(\texttt {Sig}\). We note that a commit-and-prove scheme \(\texttt {CmtPrv}\) is employed in \(\varSigma ^{a \in A}_{\text {bnd}}\).

  • \(\texttt {Setup}(1^{\lambda }) \rightarrow \texttt {PP}\). On input the security parameter \(1^\lambda \), this \(\textsc {ppt}\) algorithm generates a set of public parameter values by running the setup algorithms \(\texttt {Sig} \texttt {.} \texttt {Setup}(1^\lambda )\), \(\varPi {.}{} \texttt {Setup}(1^\lambda )\) and \(\texttt {CmtPrv} \texttt {.} \texttt {Setup}(1^\lambda )\). These algorithms are for the digital signature scheme \(\texttt {Sig}\), the interactive argument systems \((\varPi ^a_0)^{a \in A}\), and the commitment generation algorithm \(\texttt {Cmt} \texttt {.} \texttt {Com}\). They generate \(\texttt {PP}_{\texttt {Sig}}\), \(\texttt {PP}_{\varPi }\) and \(\texttt {PP}_{\texttt {Cmt}}\), respectively. It merges them as \(\texttt {PP}:= (\texttt {PP}_{\texttt {Sig}}, \texttt {PP}_{\varPi }, \texttt {PP}_{\texttt {Cmt}})\). It returns \(\texttt {PP}\).

  • \(\texttt {AuthKG}(\texttt {PP}, a) \rightarrow (\text {PK}^a, \text {MSK}^a)\). On input the set of public parameter values \(\texttt {PP}\) and an authority index a, this \(\textsc {ppt}\) algorithm executes the key generation algorithm \(\texttt {Sig} \texttt {.} \texttt {KG}(\texttt {PP}_{\texttt {Sig}})\) to obtain a signing key \(\text {SK}\) and the corresponding public key \(\text {PK}\). It sets the master secret key as \(\text {MSK}^a := \text {SK}\) and the corresponding public key as \(\text {PK}^a := \text {PK}\). It returns \((\text {PK}^a, \text {MSK}^a)\).

  • \(\texttt {PrivKG}(\texttt {PP}, \text {PK}^a, \text {MSK}^a, \texttt {g} \texttt {i} \texttt {d}) \rightarrow \text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}}\). On input the set of public parameter values \(\texttt {PP}\), a public key \(\text {PK}^a\), the corresponding master secret key \(\text {MSK}^a\) and a string \(\texttt {g} \texttt {i} \texttt {d}\), this \(\textsc {ppt}\) algorithm executes the signing algorithm \(\texttt {Sig} \texttt {.} \texttt {Sign}(\texttt {PP}_{\texttt {Sig}}, \text {PK}^a, \text {MSK}^a, \texttt {g} \texttt {i} \texttt {d})\) to obtain a digital signature \(\sigma ^a_{\texttt {g} \texttt {i} \texttt {d}}\) on the message \(\texttt {g} \texttt {i} \texttt {d}\). It puts a private secret key \(\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}}\) as \(\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}} := \sigma ^a_{\texttt {g} \texttt {i} \texttt {d}}\). It returns \(\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}}\).

  • \(\texttt {P}(\texttt {PP}, (\text {PK}^a)^{a \in A}, (\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}})^{a \in A})\) and \(\texttt {V}(\texttt {PP}, (\text {PK}^a)^{a \in A})\). On input the set of public parameter values \(\texttt {PP}\) and the public keys \((\text {PK}^a)^{a \in A}\) to the prover \(\texttt {P}\) and the verifier \(\texttt {V}\), and the corresponding private secret keys \((\text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}})^{a \in A}\) to \(\texttt {P}\), \(\textsc {ppt}\) algorithms \(\texttt {P}\) and \(\texttt {V}\) first set the statements as \(x^a := \text {PK}^a\) for \(a \in A\) and \(\texttt {P}\) sets the witness as \(w_0 := \texttt {g} \texttt {i} \texttt {d}\) and \(w^a_1 := \text {sk}^a_{\texttt {g} \texttt {i} \texttt {d}}\) for \(a \in A\). The witness spaces \(W^a, a \in A\) are described as follows: \(W^a = W_0 \times W^a_1, W_0 = \{ \texttt {g} \texttt {i} \texttt {d}\ |\ \text {string of length }\lambda \} = \{0, 1\}^{\lambda }, W^a_1 = \{ \sigma ^a_{\texttt {g} \texttt {i} \texttt {d}} \ |\ \sigma ^a_{\texttt {g} \texttt {i} \texttt {d}} \leftarrow \texttt {Sig} \texttt {.} \texttt {Sign}(\texttt {PP}_{\texttt {Sig}}, \text {PK}^a, \text {MSK}^a, \texttt {g} \texttt {i} \texttt {d}) \text { for some } \texttt {g} \texttt {i} \texttt {d}\in W_0 \}\). \(\texttt {P}\) and \(\texttt {V}\) execute the \(\varSigma \)-protocol \(\varSigma ^{a \in A}_{\text {bnd}}\). \(\texttt {V}\) returns the boolean d returned by the verifier algorithm \({\varSigma ^{a \in A}_{\text {bnd}, \text {vrf}}}\).

Fig. 2.
figure 2

Generic construction of our decentralized multi-authority anonymous authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \).
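As an added worked example (not code from the paper, and not its bilinear-group instantiation of Sect. 5), the following Python toy instantiates the bundled \(\varSigma \)-protocol \(\varSigma ^{a \in A}_{\text {bnd}}\) of Sect. 3.4 and then replays the collusion scenario of Sect. 4.1 against the \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) shape of Sect. 4.2 (\(w_0 = \texttt {gid}\), one \(w^a_1\) per authority). Everything that follows is an assumption of this example rather than of the paper: each component relation \(R^a\) is the discrete-log representation \(y_a = g^{w_0} h_a^{w^a_1}\), standing in for the signature-on-\(\texttt {gid}\) relation; \(\texttt {Cmt}\) is a Pedersen commitment whose base \(h = g^{\tau }\) has a known trapdoor \(\tau \); the group is the order-1019 subgroup of \(\mathbb {Z}^*_{2039}\), which gives no security and is chosen only so the numbers stay readable; and the names bnd_com, bnd_res, bnd_vrf, bnd_ext, bnd_sim, honest_run, collusion_run and the fixed rewinding challenges 17 and 23 are mine. Inside each \(a\), \(\textsc {com}^a\) and \(\textsc {com}_{a,0}\) draw the tape entry for \(w_0\) once, which is the common-random-tape idea of the Remark preceding Sect. 3.3 and makes Eq. (7) hold by construction; across different \(a\), only the binding of \(c_0\) ties the extracted \(\hat{w}^a_0\) together. collusion_run shows what that binding buys: two users with different \(\texttt {gid}\)s and keys for different authorities can make \(\texttt {V}\) accept only by opening \(c_0\) to both \(\texttt {gid}\)s, which the trapdoor allows here, and the extractor then lands in the \(\perp ^*\) case.

```python
"""Toy instantiation of the bundled Sigma-protocol Sigma_bnd (added example,
not the paper's code).  Assumed here: R^a is the DL representation
y_a = g^{w0} h_a^{w1_a}, Cmt is Pedersen, and p = 2039, q = 1019 are toy
parameters with no security."""
import random

P, Q = 2039, 1019                 # p = 2q+1, both prime; work in the order-q subgroup
G = 4                             # generator of that subgroup
TRAPDOOR = 12345                  # log_G(H); an honest setup discards this value
H = pow(G, TRAPDOOR, P)           # Pedersen base used by Cmt
H_A = {a: pow(G, 1000 + a, P) for a in (1, 2, 3)}   # per-authority bases h_a
RNG = random.SystemRandom()

def exp(b, e): return pow(b, e % Q, P)
def inv_p(x): return pow(x, -1, P)
def cmt_com(w0, r0): return exp(G, w0) * exp(H, r0) % P     # Cmt.Com(w0; r0)

def statement(w0, w1):            # x^a := y_a = g^{w0} h_a^{w1_a}, one per a
    return {a: exp(G, w0) * exp(H_A[a], w1[a]) % P for a in w1}

def bnd_com(stmt, c0, opening, w1, rng=RNG):
    """Sigma_bnd,com.  opening[a] = (w0, r0) must open c0; an honest P uses one
    pair for every a.  Within each a, com^a and com_{a,0} share the tape entry
    t0 for w0, so the per-a extractor yields one w0 for both relations (Eq. 7)."""
    tape, coms = {}, {}
    for a in stmt:
        t0, ta, sa = (rng.randrange(Q) for _ in range(3))
        tape[a] = (t0, ta, sa)
        coms[a] = (exp(G, t0) * exp(H_A[a], ta) % P,        # com^a
                   exp(G, t0) * exp(H, sa) % P)             # com_{a,0}
    return coms, {"opening": opening, "w1": w1, "tape": tape}

def bnd_res(st, cha):
    """Sigma_bnd,res: Schnorr-style responses, one triple per a."""
    res = {}
    for a, (t0, ta, sa) in st["tape"].items():
        w0, r0 = st["opening"][a]
        res[a] = ((t0 + cha * w0) % Q, (ta + cha * st["w1"][a]) % Q,
                  (sa + cha * r0) % Q)
    return res

def bnd_vrf(stmt, c0, coms, cha, res):
    """Sigma_bnd,vrf: 1 iff the R^a check and the c0 check pass for every a."""
    for a, ya in stmt.items():
        com_a, com_a0 = coms[a]
        z0, za, ua = res[a]
        if exp(G, z0) * exp(H_A[a], za) % P != com_a * exp(ya, cha) % P:
            return 0
        if exp(G, z0) * exp(H, ua) % P != com_a0 * exp(c0, cha) % P:
            return 0
    return 1

def bnd_ext(res, cha, res2, cha2):
    """Sigma_bnd,ext on two transcripts with equal commitments and cha != cha2:
    extract per a, then require a single common w0.  None is the paper's bot-star
    (the per-a failure case bot cannot occur for this relation)."""
    d = pow((cha - cha2) % Q, -1, Q)
    w0s = {a: (res[a][0] - res2[a][0]) * d % Q for a in res}
    w1 = {a: (res[a][1] - res2[a][1]) * d % Q for a in res}
    if len(set(w0s.values())) != 1:
        return None
    return next(iter(w0s.values())), w1

def bnd_sim(stmt, cha, rng=RNG):
    """Sigma_bnd,sim: commit to a random w0 (perfect hiding covers the switch),
    pick the responses first and solve each commitment from the check."""
    c0 = cmt_com(rng.randrange(Q), rng.randrange(Q))
    coms, res = {}, {}
    for a, ya in stmt.items():
        z0, za, ua = (rng.randrange(Q) for _ in range(3))
        coms[a] = (exp(G, z0) * exp(H_A[a], za) * inv_p(exp(ya, cha)) % P,
                   exp(G, z0) * exp(H, ua) * inv_p(exp(c0, cha)) % P)
        res[a] = (z0, za, ua)
    return c0, coms, res

def run_twice(stmt, c0, coms, st, cha=17, cha2=23):
    """Rewind V once: (accepted on both runs, extractor output)."""
    res, res2 = bnd_res(st, cha), bnd_res(st, cha2)
    ok = bnd_vrf(stmt, c0, coms, cha, res) and bnd_vrf(stmt, c0, coms, cha2, res2)
    return ok, bnd_ext(res, cha, res2, cha2)

def honest_run(w0, w1, rng=RNG):
    """One prover holding gid w0 and a key w1[a] for every a in w1."""
    stmt, r0 = statement(w0, w1), rng.randrange(Q)
    c0 = cmt_com(w0, r0)
    coms, st = bnd_com(stmt, c0, {a: (w0, r0) for a in w1}, w1, rng)
    return run_twice(stmt, c0, coms, st)

def collusion_run(gid1, gid2, rng=RNG):
    """Sect. 4.1 collusion: user 1 (gid1, key for a=1) and user 2 (gid2, key for
    a=2) merge witnesses.  They need c0 to open to both gids, i.e. a binding
    break, which only the setup trapdoor makes possible."""
    w1 = {1: rng.randrange(Q), 2: rng.randrange(Q)}
    stmt = {1: exp(G, gid1) * exp(H_A[1], w1[1]) % P,
            2: exp(G, gid2) * exp(H_A[2], w1[2]) % P}
    r1 = rng.randrange(Q)
    c0 = cmt_com(gid1, r1)
    r2 = (r1 + (gid1 - gid2) * pow(TRAPDOOR, -1, Q)) % Q   # second opening of c0
    assert cmt_com(gid2, r2) == c0
    coms, st = bnd_com(stmt, c0, {1: (gid1, r1), 2: (gid2, r2)}, w1, rng)
    return run_twice(stmt, c0, coms, st)
```

honest_run returns acceptance together with the extracted \((\hat{w}_0, (\hat{w}^a_1)^{a \in A})\), which equals the prover's input; collusion_run returns acceptance together with None, i.e. the verifier is fooled but the extractor reports \(\perp ^*\), and in a real deployment the two openings of \(c_0\) that caused it are exactly the binding break Theorem 3 charges to the adversary \(\mathbf {B}\). Without the trapdoor the colluders cannot produce r2, so the merged attempt fails at the \(c_0\) check in bnd_vrf.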

4.3 Properties

Theorem 3

If the component proof system \(\varPi ^a_0\) is perfectly witness-indistinguishable for each \(a \in A\), if the commitment scheme \(\texttt {Cmt}\) is perfectly hiding and computationally binding, and if the digital signature scheme \(\texttt {Sig}\) is existentially unforgeable against adaptive chosen-message attacks, then our \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) is secure against concurrent and collusion attacks. More precisely, let \(q_A\) denote the maximum number of authorities. For any given \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that executes a concurrent and collusion attack on our \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) in accordance with the experiment \(\mathbf {Expr}^{\text {conc-coll}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(1^\lambda )}\), there exists a \(\textsc {ppt}\) algorithm \(\mathbf {F}\) that generates an existential forgery on \(\texttt {Sig}\) in accordance with the experiment \(\mathbf {Exp}^{\text {euf-cma}}_{\texttt {Sig},\mathbf {F}}(1^\lambda )\) and there exists a \(\textsc {ppt}\) algorithm \(\mathbf {B}\) that breaks the binding property of \(\texttt {Cmt}\) in accordance with the experiment \(\mathbf {Exp}^{\text {bind}}_{\texttt {Cmt},\mathbf {B}}(1^\lambda )\) satisfying the following inequality.

$$\begin{aligned} \mathbf {Adv}^{\text {conc-coll}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(\lambda )}\le \frac{1}{|\textsc {chaSp}(1^\lambda )|} + \sqrt{ \frac{ 2^\lambda }{2^\lambda - 1} \cdot q_A \cdot \mathbf {Adv}^{\text {euf-cma}}_{\texttt {Sig},\mathbf {F}}(\lambda )+ \mathbf {Adv}^{\text {bind}}_{\texttt {Cmt},\mathbf {B}}(\lambda )}. \end{aligned}$$

Proof

Omitted. (will appear in the full version).

Theorem 4

If the component proof system \(\varPi ^a_0\) is perfectly witness-indistinguishable for each \(a \in A\), and if the commitment scheme \(\texttt {Cmt}\) is perfectly hiding, then our \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) has anonymity. More precisely, for any given \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that executes the anonymity game on our \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) in accordance with the experiment \(\mathbf {Expr}^{\text {ano}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(1^\lambda )}\), the following equality holds.

$$\begin{aligned} \mathbf {Adv}^{\text {ano}}_{\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} ,\mathbf {A}}{(\lambda )}= 0. \end{aligned}$$

Proof. Omitted. (will appear in the full version).

5 On Instantiation and Implementation

In this section, we briefly discuss instantiation and implementation of our generic authentication scheme \(\texttt {a} \texttt {-} \texttt {a} \texttt {u} \texttt {t} \texttt {h} \) in Sect. 4.

Basically, we can employ any three building blocks that satisfy the requirements stated in Sect. 4. We here briefly mention an instantiation in the setting of bilinear groups. The three building blocks are the pairing version of the Camenisch-Lysyanskaya digital signature scheme \(\texttt {Sig}^{\texttt {CL}}\) by Sudarsono-Nakanishi-Funabiki [14] and Teranishi-Furukawa [15], the pairing version of the Camenisch-Lysyanskaya perfectly witness-indistinguishable argument of knowledge system \(\varPi ^{\texttt {CL}}\) by [14, 15], and the Pedersen-Okamoto commit-and-prove scheme \(\texttt {CmtPrv}^{\texttt {PO}}\) [12, 13].

As for implementation, we expect a similar result to the result found in [14] because the execution of the Pedersen-Okamoto commit-and-prove is fast. When the number of authorities involved in our authentication is 3, the expected times for proof-generation and verification are both under 0.5 seconds except the communication time. (See Sect. 5.2 of [14] “the total number of string attribute types”.)

6 Conclusion

We proposed a generic construction of a \(\varSigma \)-protocol of commit-and-prove type, which is an and-composition of \(\varSigma \)-protocols on the statements that include a common commitment. When the component \(\varSigma \)-protocols are of witness-indistinguishable argument systems, our \(\varSigma \)-protocol is also a witness-indistinguishable argument system as a whole. As an application, we gave a generic construction of a decentralized multi-authority anonymous authentication scheme. There a witness is a bundle of witnesses each of which decomposes into a fixed global identity string and a digital signature on it. We mentioned an instantiation of the scheme in the setting of bilinear groups. A post-quantum instantiation should be our future work.