Decentralized Multi-authority Anonymous Credential System with Bundled Languages on Identifiers

Conference paper. In: Innovative Security Solutions for Information Technology and Communications (SecITC 2020)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12596)

Abstract

We propose an anonymous credential system equipped with independent decentralized authorities who issue credentials. In our system, the number of authorities can dynamically increase or decrease. A credential is a private secret key issued by an authority, and it is given to an entity distinguished by an identifier. In the issuing phase, an authority only has to sign identifiers. In the proving phase, under a principle of “commit-to-id”, an entity proves to a verifier the knowledge of his/her identifier and private secret keys by generating a unified proof. The verifier should resist collusion attacks executed by adversaries who bring together the private secret keys issued to different identifiers. To construct our system, we employ two building blocks: the structure-preserving signature scheme and the Groth-Sahai non-interactive proof system. Both blocks work in the setting of bilinear groups. To attain the collusion resistance, we propose a notion of “bundled language” that is an abstraction of simultaneous pairing-product equations which include an identifier as a variable.

References

  1. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_12

  2. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2016)

  3. Abe, M., Hofheinz, D., Nishimaki, R., Ohkubo, M., Pan, J.: Compact structure-preserving signatures with almost tight security. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 548–580. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_19

  4. Anada, H., Arita, S.: Witness-indistinguishable arguments with \(\Sigma \)-protocols for bundled witness spaces and its application to global identities. In: Proceedings of 20th International Conference on Information and Communications Security (ICICS 2018), pp. 530–547, Lille, France, October 29–31 (2018)

  5. Camenisch, J., Dubovitskaya, M., Haralambiev, K., Kohlweiss, M.: Composable and modular anonymous credentials: definitions and practical constructions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9453, pp. 262–288. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48800-3_11

  6. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7

  7. Camenisch, J., Lysyanskaya, A.: A signature scheme with efficient protocols. In: Cimato, S., Persiano, G., Galdi, C. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36413-7_20

  8. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_4

  9. Escala, A., Groth, J.: Fine-tuning Groth-Sahai proofs. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 630–649. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_36

  10. Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_14

  11. Fuchsbauer, G., Hanser, C., Slamanig, D.: Structure-preserving signatures on equivalence classes and constant-size anonymous credentials. J. Cryptol. 32(2), 498–546 (2019)

  12. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)

  13. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24

  14. Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_31

  15. Okamoto, T., Takashima, K.: Decentralized attribute-based signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 125–142. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_9

  16. Okishima, R., Nakanishi, T.: An anonymous credential system with constant-size attribute proofs for CNF formulas with negations. In: Attrapadung, N., Yagi, T. (eds.) IWSEC 2019. LNCS, vol. 11689, pp. 89–106. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26834-3_6

Author information

Corresponding author: Hiroaki Anada.

Appendices

A Four Properties of Commitment Part

Definition 2

(Correctness [9, 13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be correct if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {mode})\) where \(\texttt {mode}= \texttt {nor}\) or \(\texttt {ext}\) or \(\texttt {sim}\), and any message w,

$$\begin{aligned} \Pr [ d = 1\mid (c, r) \leftarrow \textsf {Cmt.Com}_{\textit{pp}}(w), d \leftarrow \textsf {Cmt.Vrf}_{\textit{pp}}(c, w, r) ] = 1. \end{aligned}$$

Definition 3

(Dual Mode [13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be dual mode if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),

$$\begin{aligned} \Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid {ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor}) ] \nonumber \\ = \Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid ({ck}, {xk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {ext}) ], \end{aligned}$$
(10)
$$\begin{aligned} \Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid {ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor}) ] \nonumber \\ \approx _{\text {c}} \Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid ({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim}) ]. \end{aligned}$$
(11)

The computational indistinguishability (11) is equivalent to the following: For any security parameter \(1^{\lambda }\), for any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\), the advantage \(\mathbf {Adv}^{\text {ind-dual}}_{\textsf {Cmt}_{\textit{pp}},\mathbf {A}}(\lambda )\) of \(\mathbf {A}\) over \(\textsf {Cmt}_{\textit{pp}}\) defined by the difference below is negligible in \(\lambda \):

$$\begin{aligned} \mathbf {Adv}^{\text {ind-dual}}_{\textsf {Cmt}_{\textit{pp}},\mathbf {A}}(\lambda ){\mathop {=}\limits ^{\text {def}}}|\Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid {ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor}) ] \nonumber \\ - \Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid ({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim}) ]|. \end{aligned}$$
(12)

The indistinguishability holds, for example, for an instance of the Groth-Sahai proof system under the SXDH assumption [9, 13].

Definition 4

(Perfectly Binding [13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be perfectly binding if it satisfies the following condition for some unbounded algorithm \(\textsf {Cmt.Open}_{\textit{pp}}\): For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor})\) and any message w,

$$\begin{aligned} \Pr [ w = w' \mid (c, r) \leftarrow \textsf {Cmt.Com}_{\textit{pp}}(w; r), w' \leftarrow \textsf {Cmt.Open}_{\textit{pp}}(c) ] =1. \end{aligned}$$

Definition 5

(Perfectly Hiding [13]). A commitment scheme \(\textsf {Cmt}_{\textit{pp}}\) is said to be perfectly hiding if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key ck s.t. \(({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim})\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),

$$\begin{aligned} \Pr [&\mathbf {A}(S t, c) = 1 \mid (w, w', S t) \leftarrow \mathbf {A}(\textit{pp}, {ck}, {tk}), (c, r) \leftarrow \textsf {Cmt.Com}_{\textit{pp}}(w) ] \nonumber \\ = \Pr [&\mathbf {A}(S t, c') = 1 \mid (w, w', S t) \leftarrow \mathbf {A}(\textit{pp}, {ck}, {tk}), (c', r') \leftarrow \textsf {Cmt.Com}_{\textit{pp}}(w') ]. \end{aligned}$$
(13)

B Four Properties of Proof Part

Definition 6

(Perfect Correctness [13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be perfectly correct if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {mode})\) where \(\texttt {mode}= \texttt {nor}\) or \(\texttt {ext}\) or \(\texttt {sim}\) with \(\textit{pp}:= (\textit{pp},{ck})\), and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),

$$\begin{aligned} \Pr [&\textsf {V}_{\textit{pp}}(x, c, \pi ) = 1\text { if } ({ck}, x, w) \in R_{\textit{pp}} \mid \\&(x, w) \leftarrow \mathbf {A}(\textit{pp}), (c, r) \leftarrow \textsf {Cmt.Com}_{\textit{pp}}(w), \\&\pi \leftarrow \textsf {P}_{\textit{pp}}(x, c, w, r) ] = 1. \end{aligned}$$

Definition 7

(Perfect Soundness [13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be perfectly sound if it satisfies the following condition for some unbounded algorithm \(\textsf {Cmt.Open}_{\textit{pp}}\): For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \({ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor})\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),

$$\begin{aligned} \Pr&[ \textsf {V}_{\textit{pp}}(x, c, \pi ) =0 \text { or } ({ck}, x, w) \in R_{\textit{pp}} \mid \\&(x, c, \pi ) \leftarrow \mathbf {A}(\textit{pp}), w \leftarrow \textsf {Cmt.Open}_{\textit{pp}}(c) ] = 1. \end{aligned}$$

Let \(\mathcal {C}_{ck}\) be the set of commitments under ck to some message w.

Definition 8

(Perfect Knowledge Extraction [13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be perfectly knowledge extractable if it satisfies the following condition for some \(\textsc {ppt}\) algorithm \(\textsf {Cmt.Ext}_{\textit{pp}}\): For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\), any commitment key \(({ck}, {xk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {ext})\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),

$$\begin{aligned} \Pr [ c \notin \mathcal {C}_{{ck}} \text { or } \textsf {Cmt.Ext}_{\textit{pp}}({xk}, c) = \textsf {Cmt.Open}_{\textit{pp}}(c) \mid c \leftarrow \mathbf {A}(\textit{pp}, {ck}, {xk}) ] = 1. \end{aligned}$$

Definition 9

(Composable Witness-Indistinguishability [13]). A commit-and-prove scheme \(\textsf {CmtPrv}\) is said to be composably witness-indistinguishable if it satisfies the following condition: For any security parameter \(1^{\lambda }\), any set of public parameters \(\textit{pp}\leftarrow \textsf {CmtPrv}\textsf {.Setup}(1^{\lambda })\) and any \(\textsc {ppt}\) algorithm \(\mathbf {A}\),

$$\begin{aligned} \Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid {ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor})] \nonumber \\ \approx _{\text {c}} \Pr&[\mathbf {A}(\textit{pp}, {ck}) = 1 \mid ({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim})], \text { and}\nonumber \\ \Pr&[({ck}, x, w), ({ck}, x, w') \in R_{\textit{pp}} \text { and } \mathbf {A}(S t, \pi ) = 1 \mid ({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim}), \textit{pp}:= (\textit{pp}, {ck}), \nonumber \\&(x, w, w', S t) \leftarrow \mathbf {A}^{\textsf {Cmt.Com}_{\textit{pp}}(\cdot )}(\textit{pp}, {ck}, {tk}), (c, r) \leftarrow \textsf {Cmt.Com}_{\textit{pp}}(w), \pi \leftarrow \textsf {P}_{\textit{pp}}(x, c, w, r) ] \nonumber \\ =\Pr&[({ck}, x, w), ({ck}, x, w') \in R_{\textit{pp}} \text { and } \mathbf {A}(S t, \pi ') = 1 \mid ({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim}), \textit{pp}:= (\textit{pp}, {ck}), \nonumber \\&(x, w, w', S t) \leftarrow \mathbf {A}^{\textsf {Cmt.Com}_{\textit{pp}}(\cdot )}(\textit{pp}, {ck}, {tk}), (c', r') \leftarrow \textsf {Cmt.Com}_{\textit{pp}}(w'), \pi ' \leftarrow \textsf {P}_{\textit{pp}}(x, c', w', r') ]. \end{aligned}$$
(14)

In particular, perfect witness-indistinguishability follows from (14).

C Instantiation of Structure-Preserving Signature Scheme [1, 2]

We concretely describe an instantiation of the SPS scheme [1, 2], which is known to be EUF-CMA secure under the q-SFP assumption.

\(\textsf {Sig.Setup}(1^{\lambda }) \rightarrow \textit{pp}\). On input the security parameter \(1^{\lambda }\), this \(\textsc {ppt}\) algorithm executes the bilinear group generator algorithm, and it puts the output as a set of public parameters: \(\mathcal {BG}(1^{\lambda }) \rightarrow (p, {\hat{\mathbb {G}}}, \check{{\mathbb {H}}}, \mathbb {T}, e, \hat{G}, \check{H}) =: \textit{pp}\). It returns \(\textit{pp}\).

\(\textsf {Sig.KG}_{\textit{pp}}() \rightarrow (\text {PK}, \text {SK})\). Based on the set of public parameters \(\textit{pp}\), this \(\textsc {ppt}\) algorithm generates a signing key \(\text {SK}\) and the corresponding public key \(\text {PK}\) as follows: \(\hat{G}_u \in _R{\hat{\mathbb {G}}}\), \(\gamma _1, \delta _1 \in _R\mathbb {Z}_p^*\), \(\hat{G}_1 := \hat{G}^{\gamma _1}, \hat{G}_{u, 1} := \hat{G}_u^{\delta _1}\). \(\gamma _z, \delta _z \in _R\mathbb {Z}_p^*\), \(\hat{G}_z := \hat{G}^{\gamma _z}, \hat{G}_{u, z} := \hat{G}_u^{\delta _z}\). \(\alpha , \beta \in _R\) \(\mathbb {Z}_p^*\), \((\hat{A}_i, \check{A}_i)_{i=0}^{1} \leftarrow \textsf {Extend}(\hat{G}, \check{H}^{\alpha })\), \((\hat{B}_i, \check{B}_i)_{i=0}^{1} \leftarrow \textsf {Extend}(\hat{G}_u, \check{H}^{\beta })\) (for \(\textsf {Extend}\), see [1, 2]). It puts \(\text {PK}:= (\hat{G}_z, \hat{G}_{u, z}, \hat{G}_u, \hat{G}_1, \hat{G}_{u, 1}, (\hat{A}_i, \check{A}_i, \hat{B}_i, \check{B}_i )_{i=0}^{1} )\) and \(\text {SK}:= (\alpha , \beta , \gamma _z, \delta _z, \gamma _1, \delta _1)\). It returns \((\text {PK}, \text {SK})\).

\(\textsf {Sig.Sign}_{\textit{pp}}(\text {PK}, \text {SK}, m) \rightarrow \sigma \). On input the public key \(\text {PK}\), the secret key \(\text {SK}\) and a message \(m = \check{M}\in \check{{\mathbb {H}}}\), this \(\textsc {ppt}\) algorithm generates a signature \(\sigma \) as follows.

$$\begin{aligned} \zeta , \rho , \tau , \phi , \omega \in _R\mathbb {Z}_p, \ \ \check{Z}:= \check{H}^{\zeta }, \check{R}&:= \check{H}^{\alpha - \rho \tau - \gamma _z\zeta } \check{M}^{-\gamma _1}, \hat{S}:= \hat{G}^{\rho }, \check{T}:= \check{H}^{\tau },\\ \check{U}&:= \check{H}^{\beta - \phi \omega - \delta _z\zeta } \check{M}^{-\delta _1}, \hat{V}:= \hat{G}_u^{\phi }, \check{W}:= \check{H}^{\omega }. \end{aligned}$$

It returns \(\sigma := (\check{Z}, \check{R}, \hat{S}, \check{T}, \check{U}, \hat{V}, \check{W})\).

\(\textsf {Sig.Vrf}_{\textit{pp}}(\text {PK}, m, \sigma ) \rightarrow d\). On input the public key \(\text {PK}\), a message \(m = \check{M}\in \check{{\mathbb {H}}}\) and a signature \(\sigma = (\check{Z}, \check{R}, \hat{S}, \check{T}, \check{U}, \hat{V}, \check{W})\), this deterministic algorithm checks whether the following verification equation system holds or not.

$$\begin{aligned}&e(\hat{G}_z, \check{Z}) e(\hat{G}, \check{R}) e(\hat{S}, \check{T}) e(\hat{G}_1, \check{M}) e(\hat{A}_0, \check{A}_0)^{-1} e(\hat{A}_1, \check{A}_1)^{-1} = 1_{\mathbb {T}}, \text { and } \end{aligned}$$
(15)
$$\begin{aligned}&e(\hat{G}_{u, z}, \check{Z}) e(\hat{G}_u, \check{U}) e(\hat{V}, \check{W}) e(\hat{G}_{u, 1}, \check{M}) e(\hat{B}_0, \check{B}_0)^{-1} e(\hat{B}_1, \check{B}_1)^{-1} = 1_{\mathbb {T}}. \end{aligned}$$
(16)

It returns a boolean decision d.
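To see how the signing and verification equations of Appendix C fit together, here is an added Python model (not code from the paper or its references) that works in exponent space: every group element is stored as its discrete log, so \(e(\hat{G}^x, \check{H}^y)\) becomes \(x \cdot y \bmod p\) and equations (15) and (16) reduce to sums in \(\mathbb {Z}_p\). Assumptions: the prime modulus and the message are constructed, an identifier \(\texttt {i}\) is encoded as \(\check{M} = \check{H}^{\texttt {i}}\), and \(\textsf {Extend}\) is modelled by one sampling that satisfies the product property stated in [1, 2].

```python
"""Exponent-space model of the SPS instantiated in Appendix C (added example).
Each group element is stored as its discrete log: x stands for G^x in G-hat,
y for H^y in H-check, t for e(G, H)^t in T.  Then e(G^x, H^y) = e(G, H)^(x*y),
so equations (15) and (16) become sums of products in Z_p.  This is an algebraic
consistency check, NOT a secure implementation: all discrete logs are known.
"""
import secrets

# Constructed modulus standing in for the group order p (any prime works here).
P = 2**127 - 1

def rand_zp_star():
    """Uniform element of Z_p^* (non-zero)."""
    while True:
        x = secrets.randbelow(P)
        if x != 0:
            return x

def pair(x, y):
    """e(G^x, H^y) = e(G, H)^(x*y): the bilinear map in exponent space."""
    return (x * y) % P

def extend(g_exp, h_exp):
    """Model of Extend(G^g, H^h) from [1, 2]: pairs (A_i, B_i), i = 0, 1, with
    e(A_0, B_0) * e(A_1, B_1) = e(G^g, H^h).  Assumption: one valid sampling."""
    a0, b0 = rand_zp_star(), rand_zp_star()
    a1 = g_exp
    b1 = (g_exp * h_exp - a0 * b0) * pow(g_exp, -1, P) % P   # fixes the product
    assert (pair(a0, b0) + pair(a1, b1)) % P == pair(g_exp, h_exp)
    return [(a0, b0), (a1, b1)]

def sig_kg():
    """Sig.KG: (PK, SK) as dicts of exponents, following Appendix C."""
    gu = rand_zp_star()                           # G_u = G^gu
    gamma1, delta1 = rand_zp_star(), rand_zp_star()
    gammaz, deltaz = rand_zp_star(), rand_zp_star()
    alpha, beta = rand_zp_star(), rand_zp_star()
    pk = {
        "Gz": gammaz,                             # G_z = G^gamma_z
        "Guz": gu * deltaz % P,                   # G_{u,z} = G_u^delta_z
        "Gu": gu,
        "G1": gamma1,                             # G_1 = G^gamma_1
        "Gu1": gu * delta1 % P,                   # G_{u,1} = G_u^delta_1
        "A": extend(1, alpha),                    # from (G, H^alpha)
        "B": extend(gu, beta),                    # from (G_u, H^beta)
    }
    sk = {"alpha": alpha, "beta": beta, "gammaz": gammaz, "deltaz": deltaz,
          "gamma1": gamma1, "delta1": delta1}
    return pk, sk

def sig_sign(pk, sk, m):
    """Sig.Sign on the message M-check = H^m; returns sigma = (Z,R,S,T,U,V,W)."""
    zeta, rho, tau, phi, omega = (secrets.randbelow(P) for _ in range(5))
    return {
        "Z": zeta,                                                        # H^zeta
        "R": (sk["alpha"] - rho * tau - sk["gammaz"] * zeta - sk["gamma1"] * m) % P,
        "S": rho,                                                         # G^rho
        "T": tau,                                                         # H^tau
        "U": (sk["beta"] - phi * omega - sk["deltaz"] * zeta - sk["delta1"] * m) % P,
        "V": pk["Gu"] * phi % P,                                          # G_u^phi
        "W": omega,                                                       # H^omega
    }

def sig_vrf(pk, m, sig):
    """Sig.Vrf: equations (15) and (16); each must sum to 0 in the exponent."""
    (a0, ac0), (a1, ac1) = pk["A"]
    (b0, bc0), (b1, bc1) = pk["B"]
    eq15 = (pair(pk["Gz"], sig["Z"]) + pair(1, sig["R"]) + pair(sig["S"], sig["T"])
            + pair(pk["G1"], m) - pair(a0, ac0) - pair(a1, ac1)) % P
    eq16 = (pair(pk["Guz"], sig["Z"]) + pair(pk["Gu"], sig["U"]) + pair(sig["V"], sig["W"])
            + pair(pk["Gu1"], m) - pair(b0, bc0) - pair(b1, bc1)) % P
    return eq15 == 0 and eq16 == 0

def demo(identifier=1234567):
    """Sign a constructed identifier i (encoded as H^i) and check the honest
    signature, the same signature on another identifier, and an altered R."""
    pk, sk = sig_kg()
    sig = sig_sign(pk, sk, identifier)
    honest = sig_vrf(pk, identifier, sig)
    other_id = sig_vrf(pk, (identifier + 1) % P, sig)
    altered = sig_vrf(pk, identifier, dict(sig, R=(sig["R"] + 1) % P))
    return honest, other_id, altered

if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Because \(\gamma _1 \in \mathbb {Z}_p^*\), moving the signature to a neighbouring identifier leaves a residual \(\gamma _1\) in (15), which is exactly why the identifier bound into the signature cannot be swapped without the signing key.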

D Proof of Proposition 1

Proof

(Sketch). Suppose that any \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {ano-prf}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\) is given. Then we construct a \(\textsc {ppt}\) algorithm \(\mathbf {B}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {unlink-prf}}_{\textsf {dACS},\mathbf {B}}{(1^\lambda , 1^\mu )}\) as follows. \(\mathbf {B}\) employs \(\mathbf {A}\) as a subroutine. \(\mathbf {B}\) is able to generate \(\mathbf {A}\)’s input by using \(\mathbf {B}\)’s input and \(\mathbf {A}\)’s output. Also, \(\mathbf {B}\) is able to answer \(\mathbf {A}\)’s queries by issuing queries to \(\mathbf {B}\)’s oracle and using the answers. Finally, when \(\mathbf {A}\) outputs \(b'\), \(\mathbf {B}\) puts \(d:=b'\).    \(\square \)

E Proof of Theorem 1

Proof

Given any \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {euf-coll}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\), we construct a \(\textsc {ppt}\) algorithm \(\mathbf {F}\) that generates an existential forgery of \(\textsf {Sig}\) according to the experiment \(\textsf {Exp}^{\text {euf-cma}}_{\textsf {Sig},\mathbf {F}}(1^\lambda )\). \(\mathbf {F}\) is given as input the set of public parameters \(\textit{pp}\) and a public key \(\text {PK}_{\textsf {Sig}}\). \(\mathbf {F}\) is also given an auxiliary input \(\mu \). \(\mathbf {F}\) executes \(\textsf {Cmt.KG}_{\textit{pp}}(\texttt {ext})\) to obtain a pair \(({ck}, {xk})\). \(\mathbf {F}\) puts \(\textit{pp}:= (\textit{pp}, {ck})\). \(\mathbf {F}\) invokes the algorithm \(\mathbf {A}\) with \(1^{\lambda }\) to obtain the number \(\mu \) and \(S t\). \(\mathbf {F}\) chooses a target index \(a^{\dag }\) from the set \(A := \{ 1,\dots ,\mu \}\) uniformly at random. \(\mathbf {F}\) executes the authority key generation algorithm honestly for \(a \in A\) except for the target index \(a^{\dag }\). As for \(a^{\dag }\), \(\mathbf {F}\) uses the input public key:

$$\begin{aligned}&\text {For } a \in A, a \ne a^{\dag }: (\text {PK}^{a}, \text {MSK}^{a}) \leftarrow \textsf {AuthKG}_{\textit{pp}}(a),\\&\text {For } a = a^{\dag }: \text {PK}^{a^{\dag }} := \text {PK}_{\textsf {Sig}}. \end{aligned}$$

\(\mathbf {F}\) inputs \(S t\) and the public keys \((\text {PK}^{a})^{a \in A}\) into \(\mathbf {A}\). Then \(\mathbf {F}\) obtains a set of corrupted authority indices \(\tilde{A}\) from \(\mathbf {A}\). \(\mathbf {F}\) puts \(\bar{\tilde{A}} := A \backslash \tilde{A}\). If \(a^{\dag } \in \bar{\tilde{A}}\) (the case \(\textsc {TgtIdx}_1\)), then \(a^{\dag }\) is not in \(\tilde{A}\) and \(\mathbf {F}\) is able to input \((S t, (\text {MSK}^{a})^{a \in \tilde{A}})\) into \(\mathbf {A}\). Otherwise \(\mathbf {F}\) aborts.

Simulation of Private Secret Key Oracle. When \(\mathbf {A}\) issues a private secret key query with \(a \in A_j \subsetneq \bar{\tilde{A}}\) and \(\texttt {i}_j \in \mathbb {Z}_p (j=1,\dots , q_{\text {sk}})\), \(\mathbf {F}\) executes the private secret key generation algorithm with \(\texttt {i}_j\) honestly for \(a \in \bar{\tilde{A}}\) such that \(a \ne a^{\dag }\). As for \(a = a^{\dag }\), \(\mathbf {F}\) issues a signing query to its oracle with \(\texttt {i}_j\):

$$\begin{aligned}&\text {For } a \in \bar{\tilde{A}} \text { s.t. }a \ne a^{\dag }: \text {sk}^{a}_{\texttt {i}_j} \leftarrow \textsf {PrivKG}_{\textit{pp}}(\text {PK}^{a}, \text {MSK}^{a}, \texttt {i}_j),\\&\text {For } a = a^{\dag }, \text {sk}^{a^{\dag }}_{\texttt {i}_j} \leftarrow \mathbf {SignO}_{\textit{pp}}(\text {PK}, \text {SK}, \texttt {i}_j). \end{aligned}$$

\(\mathbf {F}\) replies to \(\mathbf {A}\) with the secret key \(\text {sk}^{a}_{\texttt {i}_j}\). This is a perfect simulation.

At the end \(\mathbf {A}\) returns a forgery proof and the target set of authority indices \((\pi ^*, A^*)\). Note here that \(A^* \subset \bar{\tilde{A}}\) as in the definition.

Generating Existential Forgery. Next, \(\mathbf {F}\) runs \(\textsf {Verifier}_{\textit{pp}}\) on input \(((\text {PK}^{a})^{a \in A^*}, \pi ^*)\). If the decision d of \(\textsf {Verifier}_{\textit{pp}}\) is \(1\), then \(\mathbf {F}\) executes for each \(a \in A^*\) the extraction algorithm \(\textsf {Cmt.Ext}_{\textit{pp}}({xk}, c^{a})\) to obtain a committed message \((w^{a})^* = ((w^{a}_0)^*, ((w^{a}_{k})^*)_{k} )\) (see Definition 8 in Appendix B). Note here that, for all \(a \in A^*\), \((w^{a}_0)^*\) is equal to a single element \((w_0)^*\) in \({\mathbb {G}}\). This is because of the perfectly binding property of \(\textsf {Cmt}_{\textit{pp}}\). Then \(\mathbf {F}\) puts \(\texttt {i}^* := (w_0)^*\). Here the restriction (8)(9) assures that, if \(q_{\text {sk}} > 0\), then there exists at least one \(\hat{a} \in (A^* \backslash A_j)\) for some \(j \in \{1,\dots , q_{\text {sk}}\}\). If \(q_{\text {sk}} = 0\), then there exists at least one \(\hat{a} \in A^*\). \(\mathbf {F}\) chooses one such \(\hat{a}\) and puts \(\sigma ^* := (\sigma ^{\hat{a}})^* := ( (w^{\hat{a}}_{k})^*)_{k}\). \(\mathbf {F}\) returns a forgery pair of a message and a signature \((\texttt {i}^*, \sigma ^*)\). This completes the description of \(\mathbf {F}\).

Probability Evaluation. The probability that the returned value \((\texttt {i}^*, \sigma ^*)\) is actually an existential forgery is evaluated as follows. We name the events in the above \(\mathbf {F}\) as:

$$\begin{aligned} \textsc {Acc}&: d = 1,\\ \textsc {Ext}&: \textsf {Cmt.Ext}_{\textit{pp}}\text { returns a witness } (w^{a})^*, \\ \textsc {TgtIdx}&: \hat{a} = a^{\dag },\\ \textsc {Forge}&: (\texttt {i}^*, \sigma ^*) \text { is an existential forgery on } \textsf {Sig}. \end{aligned}$$

We have the following equalities.

$$\begin{aligned} \mathbf {Adv}^{\text {euf-coll}}_{\textsf {dACS},\mathbf {A}}{(\lambda , \mu )}&= \Pr [ \textsc {Acc}], \end{aligned}$$
(17)
$$\begin{aligned} \Pr [ \textsc {Acc}, \textsc {Ext}, \textsc {TgtIdx}]&= \Pr [ \textsc {Forge}], \end{aligned}$$
(18)
$$\begin{aligned} \Pr [ \textsc {Forge}]&= \mathbf {Adv}^{\text {euf-cma}}_{\textsf {Sig},\mathbf {F}}(\lambda ). \end{aligned}$$
(19)

The left-hand side of the equality (18) is expanded as follows.

$$\begin{aligned} \Pr [ \textsc {Acc}, \textsc {Ext}, \textsc {TgtIdx}]&= \Pr [ \textsc {TgtIdx}] \cdot \Pr [ \textsc {Acc}, \textsc {Ext}] \nonumber \\&= \Pr [ \textsc {TgtIdx}] \cdot \Pr [ \textsc {Acc}] \cdot \Pr [ \textsc {Ext}\mid \textsc {Acc}]. \end{aligned}$$
(20)

Claim 1

$$\begin{aligned} \Pr [ \textsc {TgtIdx}] = 1/|A| = 1/\mu . \end{aligned}$$
(21)

Proof

\(\hat{a}\) coincides with \(a^{\dag }\) with probability 1/|A| because \(a^{\dag }\) is chosen uniformly at random from A by \(\mathbf {F}\) and no information of \(a^{\dag }\) is leaked to \(\mathbf {A}\).    \(\square \)

Claim 2

If \(\textsc {TgtIdx}\) occurs, then \(\texttt {i}^*\) is not queried by \(\mathbf {F}\) to its oracle \(\mathbf {SignO}_{\textit{pp}}\).

Proof

This is because of the restriction (8)(9).    \(\square \)

Claim 3

$$\begin{aligned} \Pr [ \textsc {Ext}\mid \textsc {Acc}] = 1. \end{aligned}$$
(22)

Proof

This is because of the perfect knowledge extraction of \({\textsf {Prv}_{\textit{pp}}}\) (see Definition 8 in Appendix B).    \(\square \)

Combining (17), (18), (19), (20), (21) and (22) we have:

$$\begin{aligned} \mathbf {Adv}^{\text {euf-coll}}_{\textsf {dACS},\mathbf {A}}{(\lambda , \mu )}= \mu \cdot \mathbf {Adv}^{\text {euf-cma}}_{\textsf {Sig},\mathbf {F}}(\lambda ). \end{aligned}$$
(23)

   \(\square \)

F Proof of Theorem 2

Proof

Suppose that any \(\textsc {ppt}\) algorithm \(\mathbf {A}\) that is in accordance with the experiment \(\textsf {Exp}^{\text {unlink-prf}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\) is given. We set a sequence of games, \(\textsf {Game}_0\) and \(\textsf {Game}_1\), as follows. \(\textsf {Game}_0\) is exactly the same as \(\textsf {Exp}^{\text {unlink-prf}}_{\textsf {dACS},\mathbf {A}}{(1^\lambda , 1^\mu )}\). Note that when a set of public parameters \(\textit{pp}= (\textit{pp}', {ck})\) is given to \(\mathbf {A}\), where \(\textit{pp}'\) is for bilinear groups, the commitment key ck is chosen as a commitment key of the mode \(\texttt {nor}\). We denote the probability that \(\textsf {Game}_0\) returns \(\textsc {Win}\) as \(\Pr [\textsc {Win}_0]\).

\(\textsf {Game}_1\) is the same as \(\textsf {Game}_0\) except that, when a set of public parameters \(\textit{pp}= (\textit{pp}', {ck})\) is given to \(\mathbf {A}\), the commitment key ck is chosen as a commitment key of the mode \(\texttt {sim}\). We denote the probability that \(\textsf {Game}_1\) returns \(\textsc {Win}\) as \(\Pr [\textsc {Win}_1]\). The values in \(\textsf {Game}_1\) are distributed identically for both \(\texttt {i}_0\) and \(\texttt {i}_1\) due to the perfectly hiding property (13) and the perfect witness-indistinguishability (14). Therefore, \(\Pr [\textsc {Win}_1] = 1/2\).

Employing \(\mathbf {A}\) as a subroutine, we construct a \(\textsc {ppt}\) distinguisher algorithm \(\mathbf {D}\) as follows. Given an input \((\textit{pp}, {ck})\), \(\mathbf {D}\) reads out the security parameter. \(\mathbf {D}\) simulates the environment of \(\mathbf {A}\) in \(\textsf {Game}_0\) or \(\textsf {Game}_1\) honestly except that \(\mathbf {D}\) puts \(\textit{pp}:= (\textit{pp}, {ck})\) instead of executing \(\textsf {Setup}(1^{\lambda })\). If \(b = b'\), then \(\mathbf {D}\) returns 1, and otherwise 0. By the definition (12) (see Definition 3 in Appendix A), \(\Pr [\mathbf {D}(\textit{pp}, {ck}) = 1 \mid {ck} \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {nor}) ] = \Pr [\textsc {Win}_0]\) and \(\Pr [\mathbf {D}(\textit{pp}, {ck}) = 1 \mid ({ck}, {tk}) \leftarrow \textsf {Cmt.KG}_{\textit{pp}}(\texttt {sim}) ] = \Pr [\textsc {Win}_1]\), and

$$\begin{aligned} \mathbf {Adv}^{\text {ind-dual}}_{\textsf {Cmt}_{\textit{pp}},\mathbf {D}}(\lambda )= | \Pr [\textsc {Win}_0] - \Pr [\textsc {Win}_1] |. \end{aligned}$$
(24)

Therefore,

$$\begin{aligned} \mathbf {Adv}^{\text {unlink-prf}}_{\textsf {dACS},\mathbf {A}}{(\lambda , \mu )}&= | \Pr [\textsc {Win}_0] - (1/2) | \nonumber \\&\le | \Pr [\textsc {Win}_0] - \Pr [\textsc {Win}_1] | + | \Pr [\textsc {Win}_1] - (1/2) | \nonumber \\&= \mathbf {Adv}^{\text {ind-dual}}_{\textsf {Cmt}_{\textit{pp}},\mathbf {D}}(\lambda )+ 0 = \mathbf {Adv}^{\text {ind-dual}}_{\textsf {Cmt}_{\textit{pp}},\mathbf {D}}(\lambda ). \end{aligned}$$
(25)

   \(\square \)

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Anada, H. (2021). Decentralized Multi-authority Anonymous Credential System with Bundled Languages on Identifiers. In: Maimut, D., Oprina, AG., Sauveron, D. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2020. Lecture Notes in Computer Science, vol 12596. Springer, Cham. https://doi.org/10.1007/978-3-030-69255-1_6

  • DOI: https://doi.org/10.1007/978-3-030-69255-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-69254-4

  • Online ISBN: 978-3-030-69255-1
