Subset Signatures with Controlled Context-Hiding

Abstract

Subset signatures are a variant of malleable signatures which allow anyone to derive signatures on any subset of previously signed sets in such a way that derived signatures are indistinguishable from new signatures on the subset (i.e. context-hiding). Such a primitive has many applications. In some scenarios, it might be desirable to restrict some elements in the set from preserving the context-hiding property. In other words, it might be desirable to allow the signer, at the time of the signing, to mark specific elements (which we refer to hereafter as the restricted subset) such that the inclusion of any elements from the restricted subset in any derived signatures would violate the context-hiding property and make the derived signature linkable to the original signature. In this paper, we put forward the notion of subset signatures with controlled context-hiding. We propose a security model and a generic construction as well as efficient instantiations which do not rely on random oracles. Our instantiations are structure-preserving and therefore could be useful for other applications. As a special case of our constructions when the restricted subset is empty, we obtain more efficient constructions of standard subset signatures. Our constructions, which satisfy the strongest existing security definitions, have constant-size keys and outperform existing constructions in every respect.

As part of our contribution, we construct a structure-preserving signature scheme with combined unforgeability that signs a vector of group elements while maintaining constant-size signatures. The scheme has some desirable properties and combines nicely with Groth-Sahai proofs, and thus could be of independent interest.

Appendices

A  SXDH-Based Groth-Sahai Proofs

Here we give the SXDH-instantiation of Groth-Sahai proofs [32, 35].

Let \(\mathbb {B}:=\mathbb {G}^2\), \(\tilde{\mathbb {B}}:=\tilde{\mathbb {G}}^2\) and \(\mathbb {H}:=\mathbb {T}^4\), with all operations performed componentwise. Define

$$\begin{aligned} F : \left\{ \begin{array}{ccl} \mathbb {B}\times \tilde{\mathbb {B}}&{} \longrightarrow &{} \mathbb {H}\\ (X_1,Y_1) , (\tilde{X}_2,\tilde{Y}_2) &{} \longmapsto &{} \left( ~e(X_1,\tilde{X}_2),~ e(X_1,\tilde{Y}_2),~ e(Y_1,\tilde{X}_2),~ e(Y_1,\tilde{Y}_2) ~\right) \end{array} \right. . \end{aligned}$$

We will use the \(\bullet \) notation instead of F for vectors. To generate the \({\mathsf {crs}}\), the trusted party randomly chooses \(a_i, t_i \xleftarrow {~\$~}\mathbb {Z}_p^\times \) for \(i=1,2\) and computes \(Q :=G^{a_1}\), \(U :=G^{t_1}\), \(V :=Q^{t_1}\), \(\tilde{Q} :=\tilde{G}^{a_2}\), \(\tilde{U} :=\tilde{G}^{t_2}\), \(\tilde{V} :=\tilde{Q}^{t_2}\). We now set

The \({\mathsf {crs}}\) is then the set where and . Under the SXDH assumption, one cannot tell a binding key from a hiding key.

To define the commitment schemes used by the proof system, we need the two maps \(\iota : \mathbb {G}\rightarrow \mathbb {B}\) and \(\tilde{\iota }: \tilde{\mathbb {G}}\rightarrow \tilde{\mathbb {B}}\) which are defined as follows:

To commit to a group element \(X\in \mathbb {G}\), the commitment algorithm \(\mathsf {GSCommit}_{\mathbb {G}}\) chooses \({\varvec{r}}=(r_1,r_2) \xleftarrow {~\$~}\mathbb {Z}^2_p\) and computes . We have

Similarly, to commit to a group element \(\tilde{X}\in \tilde{\mathbb {G}}\), the commitment algorithm \(\mathsf {GSCommit}_{\tilde{\mathbb {G}}}\) chooses \({\varvec{s}}=(s_1,s_2) \xleftarrow {~\$~}\mathbb {Z}^2_p\) and computes . We have

$$\begin{aligned} \mathcal {C}_{\tilde{X}} =\left\{ \begin{array}{ll} \big (\tilde{G}^{(s_{1} + t_2 s_{2}) }, \tilde{X} \cdot \tilde{Q}^{(s_{1} + t_2 s_{2})}\big ) &{} \hbox { Binding Setting} \\ \big (\tilde{G}^{(s_{1} + t_2 s_{2}) }, \tilde{X} \cdot \tilde{Q}^{(s_{1} + t_2 s_{2})} \cdot \tilde{G}^{-s_2}\big ) &{} \hbox { Hiding Setting} \end{array} \right. \end{aligned}$$

We now define the map \(\iota _T\) as follows:

$$\begin{aligned} \iota _T&: \left\{ \begin{array}{ccc} \mathbb {T}&{} \longrightarrow &{} \mathbb {H}\\ \zeta &{} \longmapsto &{} (1_\mathbb {T}, 1_\mathbb {T}, 1_\mathbb {T},\zeta ) \end{array} \right. \end{aligned}$$

The equations we prove are pairing-product equations of the form:

$$\begin{aligned} \prod _{j=1}^n e(A_j,\underline{\tilde{Y}_j})\prod _{i=1}^m e(\underline{X_i}, \tilde{B}_i)\prod _{i=1}^m\prod _{j=1}^n e(\underline{X_i}, \underline{\tilde{Y}_j})^{\alpha _{i,j}}\ =\ t_T \end{aligned}$$

(4)

In fact, all the equations we prove are linear equations (Eq. 5) where \(\alpha _{i,j}=0\) for all i, j.

$$\begin{aligned} \prod _{j=1}^n e(A_j,\underline{\tilde{Y}_j})\prod _{i=1}^m e(\underline{X_i}, \tilde{B}_i)\ =\ t_T \end{aligned}$$

(5)

B  More Details of the Instantiation

Each signature in the set contains a proof for the following linear equation

$$\begin{aligned} e(\underline{S}_i, \tilde{G}) e(\underline{\tau _\mathcal {S}},\tilde{X}_0^{-1})= \prod ^{n}_{i=j} e(M_{i,j},\tilde{X}_{j}) e(R_i,\tilde{R}_i \cdot \tilde{Z}^{b_i}) e(G,\tilde{Y}) \end{aligned}$$

(6)

We have

The proof for the above linear equation is given by

$$\begin{aligned} \tilde{\varvec{\pi }}_i&:=\tilde{\iota }(\tilde{G})^{{{\varvec{r}}}_{{\varvec{i}}}^T} \cdot \tilde{\iota }(\tilde{X}_0^{-1})^{{\varvec{r}}_{\mathbf {0}}^T} = \Big (\big (1_{\tilde{\mathbb {G}}}, \tilde{G}^{r_{i,1}} \cdot \tilde{X}_0^{-r_{0,1}}\big ), \big (1_{\tilde{\mathbb {G}}}, \tilde{G}^{r_{i,2}} \cdot \tilde{X}_0^{-r_{0,2}}\big ) \Big )\in \tilde{\mathbb {B}}^2 \end{aligned}$$

As noted in [35], we can omit the \(1_{\tilde{\mathbb {G}}}\) components from the proof which halves the size of the proof into \(\tilde{\mathbb {G}}^2\). To verify the proof, one needs to check the following equation:

(7)

We show now how to randomize the public components of the signature, i.e. \(R_i\) and \(\tilde{R}_i\) (which are part of the statement) and the Groth-Sahai commitments and proof accordingly. One chooses \(\gamma _i \xleftarrow {~\$~}\mathbb {Z}_p\) and sets \(R^\prime _i:={R_i} \cdot G^{\gamma _i}\) and \(\tilde{R}_i^\prime :=\tilde{R}_i \cdot \tilde{G}^{\gamma _i}\). We also randomize the (committed) signature component \(S_i\) using the same randomness \(\gamma _i\) as follows:

$$\begin{aligned} \mathcal {C}_{S_i}&:=\mathcal {C}_{S_i} \cdot \iota \big (R_i^{2 \gamma _i} \cdot G^{\gamma _{i}^2}\big ) = \Big (G^{(r_{i,1} + t_1 r_{i,2})}, S_i \cdot R_i^{2 \gamma _i} \cdot G^{\gamma _{i}^2} \cdot Q^{(r_{i,1} + t_1 r_{i,2})}\Big ) \end{aligned}$$

We now re-randomize the Groth-Sahai commitments and proofs to make them unlinkable to the original ones. We choose \({\varvec{r}}^\prime _{\mathbf {0}}=(r^{\prime }_{0,1},r^{\prime }_{0,2}) \xleftarrow {~\$~}\mathbb {Z}^2_p\) and \({\varvec{r}}^\prime _{{\varvec{i}}}=(r^{\prime }_{i,1},r^{\prime }_{i,2}) \xleftarrow {~\$~}\mathbb {Z}^2_p\) for \(i=1,\ldots , |\mathcal {S}|\) and compute

Providing that all \({\varvec{r}}^\prime _i\) for \(i=0,\ldots ,|\mathcal {S}|\) are chosen at random, the new commitments are uniformly distributed over \(\mathbb {B}\) and are thus independent of the original ones. We now show how to re-randomize proof \(\tilde{\varvec{\pi }_i}\) into \(\tilde{\varvec{\pi }}^\prime _i\) accordingly.

$$\begin{aligned} \tilde{\varvec{\pi }}^\prime _i&:=\tilde{\varvec{\pi }_i} \cdot \tilde{\iota }(\tilde{G})^{{\varvec{r}}^{\prime _{{\varvec{i}}}^T}} \cdot \tilde{\iota }(\tilde{X}_0^{-1})^{{\varvec{r}}^{\prime _{\mathbf {0}}^T}} \\&= \Big (\big (1_{\tilde{\mathbb {G}}}, \tilde{G}^{r_{i,1}+r^\prime _{i,1}} \cdot \tilde{X}_0^{-(r_{0,1}+r^\prime _{0,1})}\big ), \big (1_{\tilde{\mathbb {G}}}, \tilde{G}^{r_{i,2}+r^\prime _{i,2}} \cdot \tilde{X}_0^{-(r_{0,2}+r^\prime _{0,2})}\big ) \Big ) \end{aligned}$$

Since \({\varvec{r}}^\prime _i\) for \(i=0,\ldots ,|\mathcal {S}|\) are chosen at random, the new proof is uniformly distributed and is thus independent of the original one. To verify the proof, one needs to check the following equation:

(8)

We now show that the new proofs will be accepted by the verify algorithm.

Lemma 4

The randomized proof \(\tilde{\varvec{\pi }}^\prime _i\) verifies correctly.

Proof

Our proof is for a binding CRS. The proof for a hiding CRS is very similar.

By expanding the left-hand side of the verification equation (Eq. 8), we have

$$\begin{aligned}&F\Big (\mathcal {C}^\prime _{S_i}, \tilde{\iota }(\tilde{G})\Big ) F\Big (\mathcal {C}^\prime _{\tau _\mathcal {S}},\tilde{\iota }(\tilde{X}_0^{-1})\big ) \\&= F\Big ( \Big (G^{\big ((r_{i,1}+ r^\prime _{i,1}) + t_1 (r_{i,2} + r^\prime _{i,2})\big ) }, S_i \cdot R_i^{2 \gamma _i} \cdot G^{\gamma _i^2} \cdot Q^{\big ((r_{i,1}+ r^\prime _{i,1}) + t_1 (r_{i,2} + r^\prime _{i,2})\big )} \Big ) ,\big (1_{\tilde{\mathbb {G}}},\tilde{G}\big ) \Big ) \\&~~~~ F\Big ( \Big (G^{\big ((r_{0,1}+ r^{\prime }_{0,1}) + t_1 (r_{0,2} + r^{\prime }_{0,2})\big ) }, \tau _\mathcal {S}\cdot Q^{\big ((r_{0,1}+ r^{\prime }_{0,1}) + t_1 (r_{0,2} + r^{\prime }_{0,2})\big )}\Big ) ,\big (1_{\tilde{\mathbb {G}}},\tilde{X}_0^{-1} \big ) \Big )\\&=\Big (1_\mathbb {T}, e\big ( G^{\big ((r_{i,1}+ r^\prime _{i,1}) + t_1 (r_{i,2} + r^\prime _{i,2})\big )} , \tilde{G}\big ) , 1_\mathbb {T}, e\big ( S_i \cdot R_i^{2 \gamma _i} \cdot G^{\gamma _i^2} \cdot Q^{\big ((r_{i,1}+ r^\prime _{i,1}) + t_1 (r_{i,2} + r^\prime _{i,2})\big )} , \tilde{G}\big ) \Big ) \\&~~~~ \Big (1_\mathbb {T}, e\Big (G^{\big ((r_{0,1}+ r^{\prime }_{0,1}) + t_1 (r_{0,2} + r^{\prime }_{0,2})\big ) }, \tilde{X}_0^{-1} \Big ) ,1_\mathbb {T}, e\Big (\tau _\mathcal {S}\cdot Q^{\big ((r_{0,1}+ r^{\prime }_{0,1}) + t_1 (r_{0,2} + r^{\prime }_{0,2})\big )}\Big ) ,\tilde{X}_0^{-1} \Big ) \Big )\\&=\Big (1_\mathbb {T}, e\big ( G^{\big ((r_{i,1}+ r^\prime _{i,1}) + t_1 (r_{i,2} + r^\prime _{i,2})\big )} , \tilde{G}\big ) ,\!\! 1_\mathbb {T}, e\big ( S_i \cdot R_i^{2 \gamma _i} \cdot G^{\gamma _i^2}, \tilde{G}\big ) e\big ( Q^{\big ((r_{i,1}+ r^\prime _{i,1}) + t_1 (r_{i,2} + r^\prime _{i,2})\big )} , \tilde{G}\big ) \Big ) \\&~~~~ \Big ( 1_\mathbb {T}, e\big (G^{\big ((r_{0,1}+ r^{\prime }_{0,1}) + t_1 (r_{0,2} + r^{\prime }_{0,2})\big ) }, \tilde{X}_0^{-1} \big ) ,1_\mathbb {T}, e\big (\tau _\mathcal {S},\tilde{X}_0^{-1} \big ) e\big (Q^{\big ((r_{0,1}+ r^{\prime }_{0,1}) + t_1 (r_{0,2} + r^{\prime }_{0,2})\big )} ,\tilde{X}_0^{-1} \big ) \Big ) \end{aligned}$$

Similarly, by expanding the right-hand side of Eq. 8, we have

It is clear both sides equate and hence the proof \(\tilde{\pi }^\prime _i\) verifies correctly.

This concludes the proof.    \(\square \)