More Efficient (Almost) Tightly Secure Structure-Preserving Signatures
Abstract
We provide a structure-preserving signature (SPS) scheme with an (almost) tight security reduction to a standard assumption. Compared to the state-of-the-art tightly secure SPS scheme of Abe et al. (CRYPTO 2017), our scheme has smaller signatures and public keys (of about \(56\%\), resp. \(40\%\) of the size of signatures and public keys in Abe et al.’s scheme), and a lower security loss (of \(\mathbf{O}(\log Q)\) instead of \(\mathbf{O}(\lambda )\), where \(\lambda \) is the security parameter, and \(Q=\mathsf {poly}(\lambda )\) is the number of adversarial signature queries).
While our scheme is still less compact than structure-preserving signature schemes without tight security reduction, it significantly lowers the price to pay for a tight security reduction. In fact, when accounting for a non-tight security reduction with larger key (i.e., group) sizes, the computational efficiency of our scheme becomes at least comparable to that of non-tightly secure SPS schemes.
Technically, we combine and refine recent existing works on tightly secure encryption and SPS schemes. Our technical novelties include a modular treatment (that develops an SPS scheme out of a basic message authentication code), and a refined hybrid argument that enables a lower security loss of \(\mathbf{O}(\log Q)\) (instead of \(\mathbf{O}(\lambda )\)).
Keywords: Structure-preserving signatures; Tight security
1 Introduction
Structure-Preserving Signatures (SPSs). Informally, a cryptographic scheme (such as an encryption or signature scheme) is called structure-preserving if its operation can be expressed using equations over a (usually pairing-friendly) cyclic group. A structure-preserving scheme has the advantage that we can reason about it with efficient zero-knowledge proof systems such as the Groth-Sahai non-interactive zero-knowledge (NIZK) system [31]. This compatibility is the key to constructing efficient anonymous credential systems (e.g., [10]), and can be extremely useful in voting schemes and mix-nets (e.g., [30]).
In this work, we are concerned with structure-preserving signature (SPS) schemes. Since popular tools such as “structure-breaking” collision-resistant hash functions cannot be used in a structure-preserving scheme, constructing an SPS scheme is a particularly challenging task. Still, there already exist a variety of SPS schemes in the literature [2, 4, 5, 6, 17, 18, 19, 29, 35, 37, 39, 44] (see also Table 1 for details on some of them).
Tight Security for SPS Schemes. A little more specifically, in this work we are interested in tightly secure SPS schemes. Informally, a cryptographic scheme is tightly secure if it enjoys a tight security reduction, i.e., a security reduction that transforms any adversary \(\mathcal {A}\) on the scheme into a problem solver with about the same runtime and success probability as \(\mathcal {A}\), independently of the number of uses of the scheme.^{1} A tight security reduction gives security guarantees that do not degrade in the size of the setting in which the scheme is used.
Specifically, tight security reductions allow to give “universal” key-length recommendations that do not depend on the envisioned size of an application. This is useful when deploying an application for which the eventual number of uses cannot be reasonably bounded a priori. Moreover, this point is particularly vital for SPS schemes. Namely, an SPS scheme is usually combined with several other components that all use the same cyclic group. Thus, a key-length increase (which implies changing the group, and which might be necessary for a non-tightly secure scheme for which a secure key-length depends on the number of uses) affects several schemes, and is particularly costly.
Table 1. Comparison of standard-model SPS schemes (in their most efficient variants). We list unilateral schemes (with messages over one group) and bilateral schemes (with messages over both source groups of a pairing) separately. The notation \((x_1,x_2)\) denotes \(x_1\) elements in \({{\mathbb {G}}_1}\) and \(x_2\) elements in \({{\mathbb {G}}_2}\). \({M}\), \(\sigma \), and \({ pk }\) denote the size of messages, signatures, and public keys (measured in group elements). “Sec. loss” denotes the multiplicative factor that the security reduction to “Assumption” loses, where we omit dominated and additive factors. (Here, “generic” means that only a proof in the generic group model is known.) For the tree-based scheme HJ12, \(\ell \) denotes the depth of the tree (which limits the number of signing queries to \(2^\ell \)). \(Q\) denotes the number of adversarial signing queries, and \(\lambda \) is the security parameter.
Scheme | \({M}\) | \(\sigma \) | \({ pk }\) | Sec. loss | Assumption
HJ12 [35] | 1 | \(10 \ell + 6\) | 13 | 8 | DLIN
ACDKNO16 [2] | \((n_1, 0)\) | (7, 4) | \((5, n_1+ 12)\) | \(Q\) | SXDH, XDLIN
LPY15 [44] | \((n_1, 0)\) | (10, 1) | \((16, 2 n_1+ 5)\) | \(\mathbf{O}(Q)\) | SXDH, XDLINX
KPW15 [39] | \((n_1, 0)\) | (6, 1) | \((0,n_1+6)\) | \(2Q^2\) | SXDH
JR17 [37] | \((n_1, 0)\) | (5, 1) | \((0,n_1+6)\) | \(Q\log Q\) | SXDH
AHNOP17 [6] | \((n_1, 0)\) | (13, 12) | \((18,n_1+11)\) | \(80\lambda \) | SXDH
Ours (unilateral) | \((n_1, 0)\) | (8, 6) | \((2,n_1+9)\) | \(6\log Q\) | SXDH
AGHO11 [5] | \((n_1, n_2)\) | (2, 1) | \((n_1,n_2+2)\) | — | Generic
ACDKNO16 [2] | \((n_1, n_2)\) | (8, 6) | \((n_2+6, n_1+ 13)\) | \(Q\) | SXDH, XDLIN
KPW15 [39] | \((n_1, n_2)\) | (7, 3) | \((n_2+1,n_1+7)\) | \(2Q^2\) | SXDH
AHNOP17 [6] | \((n_1, n_2)\) | (14, 14) | \((n_2+19,n_1+12)\) | \(80\lambda \) | SXDH
Ours (bilateral) | \((n_1, n_2)\) | (9, 8) | \((n_2+4,n_1+9)\) | \(6\log Q\) | SXDH
1.1 Our Contribution
Overview. We present a tightly secure SPS scheme with significantly improved efficiency and tighter security reduction compared to the state-of-the-art tightly secure SPS scheme of Abe et al. [6]. Specifically, our signatures contain 14 group elements (compared to 25 group elements in [6]), and our security reduction loses a factor of only \(\mathbf{O}(\log Q)\) (compared to \(\mathbf{O}(\lambda )\)), where \(\lambda \) denotes the security parameter, and \(Q=\mathsf {poly}(\lambda )\) denotes the number of adversarial signature queries. When accounting for loose reductions through an appropriate key-length increase, the computational efficiency of our scheme even compares favorably to that of state-of-the-art non-tightly secure SPS schemes.
In the following, we will detail how we achieve our results, and in particular the progress we make upon previous techniques. We will also compare our work to existing SPS schemes (both tightly and nontightly secure).
Central Idea: A Modular Treatment. A central idea in our work (that in particular contrasts our approach to the one of Abe et al.) is a modular construction. That is, similar to the approach to tight IBE security of Blazy, Kiltz, and Pan [14], the basis of our construction is a tightly secure message authentication code (MAC). This tightly secure MAC will then be converted into a signature scheme by using NIZK proofs, following (but suitably adapting) the generic MAC-to-signatures conversion of Bellare and Goldwasser [12].
We can view this KEM as a MAC scheme simply by declaring the MAC tag for a message \({M}\) to be the values (C, K) from (1), only with \(\mu :={M}\) (instead of \(\mu =H([\mathbf {t}])\)). The verification procedure of the resulting MAC will check \(\pi \), and then check whether C really decrypts to K. (Hence, MAC verification still requires the secret key \(\mathbf {k}_0,\mathbf {k}_1\).) Now a slight adaptation of a generic argument of Dodis et al. [22] reduces the security of this MAC tightly to the security of the underlying KEM scheme. Unfortunately, this resulting MAC is not structure-preserving yet (even if the used NIZK proof \(\pi \) is): the message \({M}=\mu \) is a scalar (from \({\mathbb {Z}}_p\)).^{5}
Abstracting Our Strategy into a Single “core lemma”. We can distill the essence of the security proof of our MAC above into a single “core lemma”. This core lemma forms the heart of our work, and shows how to randomize all tags of our MAC. While this randomization follows a previous paradigm called “adaptive partitioning” (used to prove the tight security of PKE [26, 33] and SPS schemes [6]), our core lemma induces a much smaller reduction loss. The reason for this smaller reduction loss is that previous works on tightly secure schemes (including [6, 26, 33]) conduct their reduction along the individual bits of a certain hash value (or message to be signed). Since this hash value (or message) usually has \(\mathbf{O}(\lambda )\) bits, this induces a hybrid argument of \(\mathbf{O}(\lambda )\) steps, and thus a reduction loss of \(\mathbf{O}(\lambda )\). In contrast, we conduct our security argument along the individual bits of the index of a signing query (i.e., a value from 1 to Q, where Q is the number of signing queries). This index exists only in the security proof, and can thus be considered as an “implicit” way to structure our reduction.^{6}
From MACs to Signatures and Structure-Preserving Signatures. Fortunately, our core lemma can be used to prove not only our MAC scheme, but also a suitable signature and SPS scheme tightly secure. To construct a signature scheme, we can now use a case-tailored (and heavily optimized) version of the generic transformation of Bellare and Goldwasser [12]. In a nutshell, that transformation turns a MAC tag (that requires a secret key to verify) into a publicly verifiable signature by adding a NIZK proof to the tag that proves its validity, relative to a public commitment to the secret key. For our MAC, we only need to prove that the given key K really is of the form \(K=[(\mathbf {k}_0+\mu \mathbf {k}_1)^\top \mathbf {t}]\). This linear statement can be proven with a comparatively simple and efficient NIZK proof \(\pi '\). For \(k=1\), an optimized Groth-Sahai-based implementation of \(\pi \), and an implicit \(\pi '\) (that uses ideas from [38, 40]), the resulting signature scheme will have signatures that contain 14 group elements.
(a) it is algebraic (in the sense that it integrates a message \({M}\in {\mathbb {G}}\)), and
(b) it is compatible with our core lemma (so it can be randomized quickly).
Our security proof will directly rely on our core lemma to first randomize the \(\mathbf {k}_0^\top \mathbf {t}\) part of (2) in all signatures. After that, similar to [39], an information-theoretic argument (that only uses the pairwise independence of the second part of (2), when viewed as a function of \({M}\)) shows security.
Table 2. Comparison of the computational efficiency of state-of-the-art SPS schemes (in their most efficient, SXDH-based variants) with our SXDH-based schemes in the unilateral (UL) and bilateral (BL) version. With “PPEs” and “Pairings”, we denote the number of those operations necessary during verification, where “batched” denotes optimized figures obtained by “batching” verification equations [13]. The “\({M}\)” and “Sec. loss” columns have the same meaning as in Table 1. The column “\({{\mathbb {G}}_1}\)” denotes the (bit-)size of elements from the first source group in a large but realistic scenario (under some simplifying assumptions), see the discussion in Sect. 1.2. “\(\sigma \) (bits)” denotes the resulting overall signature size, where we assume that the bit-size of \({{\mathbb {G}}_2}\) elements is twice the bit-size of \({{\mathbb {G}}_1}\) elements.
Scheme | \({M}\) | PPEs | Pairings (plain) | Pairings (batched) | Sec. loss | \({{\mathbb {G}}_1}\) (bits) | \(\sigma \) (bits)
KPW [39] | \((n_1, 0)\) | 3 | \(n_1+11\) | \(n_1+10\) | \(2Q^2\) | 322 | 2576
JR [37] | \((n_1, 0)\) | 2 | \(n_1+8\) | \(n_1+6\) | \(Q\log Q\) | 270 | 1890
AHNOP [6] | \((n_1, 0)\) | 15 | \(n_1+57\) | \(n_1+16\) | \(80\lambda \) | 226 | 8362
Ours (UL) | \((n_1, 0)\) | 6 | \(n_1+29\) | \(n_1+11\) | \(6\log Q\) | 216 | 4320
KPW [39] | \((n_1, n_2)\) | 4 | \(n_1+n_2+15\) | \(n_1+n_2+14\) | \(2Q^2\) | 322 | 4186
AHNOP [6] | \((n_1, n_2)\) | 16 | \(n_1+n_2+61\) | \(n_1+n_2+18\) | \(80\lambda \) | 226 | 9492
Ours (BL) | \((n_1, n_2)\) | 7 | \(n_1+n_2+33\) | \(n_1+n_2+15\) | \(6\log Q\) | 216 | 5400
1.2 Related Work and Efficiency Comparison
In this subsection, we compare our work to the closest existing work (namely, the tightly secure SPS scheme of Abe et al. [6]) and other, non-tightly secure SPS schemes.
Comparison to the Work of Abe et al. The state of the art in tightly secure SPS schemes (and in fact currently the only other efficient tightly secure SPS scheme) is the recent work of Abe et al. [6]. Technically, their scheme also uses a tightly secure PKE scheme (in that case [33]) as an inspiration. However, there are also a number of differences in our approaches which explain our improved efficiency and reduction.
First, Abe et al.’s scheme involves more (and more complex) NIZK proofs, since they rather closely follow the PKE scheme from [33]. This leads to larger proofs and thus larger signatures. Instead, our starting point is the much simpler scheme of [26] (which only features one comparatively simple NIZK proof in its ciphertext).
Second, while the construction of Abe et al. is rather monolithic, our construction can be explained as a modification of a simple MAC scheme. Our approach thus allows for a more modular exposition, and in particular we can outsource the core of the reduction into a core lemma (as explained above) that can be applied to MAC, signature, and SPS scheme.
Third, like previous tightly secure schemes (and in particular the PKE schemes of [26, 33]), Abe et al. conduct their security reduction along the individual bits of a certain hash value (or message to be signed). As explained above, our reduction is more economical, and uses a hybrid argument over an “implicit” counter value.
Efficiency Comparison. We give a comparison to other SPS schemes in Table 1. This table shows that our scheme is still significantly less efficient in terms of signature size than existing, non-tightly secure SPS schemes. However, when considering computational efficiency, and when accounting for a larger security loss in the reduction with larger groups, things look different.
The currently most efficient nontightly secure SPS schemes are due to Jutla and Roy [37] and Kiltz, Pan, and Wee [39]. Table 2 compares the computational complexity of their verification operation with the tightly secure SPSs of Abe et al. and our schemes. Now consider a large scenario with \(Q=2^{30}\) signing queries and a target security parameter of \(\lambda =100\). Assume further that we use groups that only allow generic attacks (that require time about the square root of the group size). This means that we should run a scheme in a group of size at least \(2^{2(\lambda +\log L)}\), where L denotes the multiplicative loss of the respective security reduction. Table 2 shows the resulting group sizes in column “\({{\mathbb {G}}_1}\)” (in bits, such that \({{\mathbb {G}}_1}=200\) denotes a group of size \(2^{200}\)).
Now very roughly, the computational complexity of pairings can be assumed to be cubic in the (bit)size of the group [7, 9, 23, 28]. Hence, in the unilateral setting, and assuming an optimized verification implementation (that uses “batching” [13]) the computational efficiency of the verification in our scheme is roughly on par with that in the (nontightly secure) stateoftheart scheme of Jutla and Roy [37], even for small messages. For larger messages, our scheme becomes preferable. In the bilateral setting, our scheme is clearly the most efficient known scheme.
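The key-length and cost model of this comparison, reproduced as an added worked example (this is not code from the paper). It takes the loss factors and per-scheme figures of Tables 1 and 2 for the unilateral SXDH-based schemes, derives the \({{\mathbb {G}}_1}\) size as \(2\lceil \lambda +\log_2 L\rceil \) bits (the rounding to an even number of bits is an assumption of this example, chosen because it reproduces the table's figures), the signature size with \({{\mathbb {G}}_2}\) elements twice as large, and the relative cost of batched verification under the cubic pairing-cost assumption. The scheme labels and the `SCHEMES` dictionary are this example's own.

```python
"""Key-length and verification-cost model of Sect. 1.2 as an added worked
example (not the paper's code). Assumptions: G1 size 2*ceil(lambda + log2 L)
bits for reduction loss L (even-bit rounding chosen to match Table 2), G2
elements twice the G1 size, and pairing cost cubic in the G1 bit size."""
import math

LAMBDA = 100   # target security parameter of the scenario in Sect. 1.2
Q = 2 ** 30    # number of signing queries in that scenario

# Unilateral SXDH-based figures from Tables 1 and 2: reduction loss, signature
# size as (#G1, #G2) elements, and batched pairings for an n_1-element message.
SCHEMES = {
    "KPW15":   dict(loss=lambda q, lam: 2 * q ** 2,       sigma=(6, 1),   pairings=lambda n1: n1 + 10),
    "JR17":    dict(loss=lambda q, lam: q * math.log2(q), sigma=(5, 1),   pairings=lambda n1: n1 + 6),
    "AHNOP17": dict(loss=lambda q, lam: 80 * lam,         sigma=(13, 12), pairings=lambda n1: n1 + 16),
    "Ours":    dict(loss=lambda q, lam: 6 * math.log2(q), sigma=(8, 6),   pairings=lambda n1: n1 + 11),
}


def group_bits(loss, lam=LAMBDA):
    """Bits of G1 so that generic square-root attacks still cost 2^lam after the reduction loses a factor loss."""
    return 2 * math.ceil(lam + math.log2(loss))


def signature_bits(sigma, g1_bits):
    """Total signature size; G2 elements are assumed to be twice as large as G1 elements."""
    n_g1, n_g2 = sigma
    return n_g1 * g1_bits + n_g2 * 2 * g1_bits


def verification_cost(name, n1, q=Q, lam=LAMBDA):
    """Relative cost of batched verification: number of pairings times |G1|^3 (arbitrary units)."""
    s = SCHEMES[name]
    return s["pairings"](n1) * group_bits(s["loss"](q, lam), lam) ** 3


def table2(n1=1, q=Q, lam=LAMBDA):
    """Recompute the G1 size, signature size and relative verification cost for every scheme."""
    rows = {}
    for name, s in SCHEMES.items():
        bits = group_bits(s["loss"](q, lam), lam)
        rows[name] = dict(g1_bits=bits,
                          sigma_bits=signature_bits(s["sigma"], bits),
                          cost=verification_cost(name, n1, q, lam))
    return rows


def cheapest(n1, q=Q, lam=LAMBDA):
    """Scheme with the lowest modelled verification cost for n_1-element messages."""
    rows = table2(n1, q, lam)
    return min(rows, key=lambda name: rows[name]["cost"])


if __name__ == "__main__":
    for name, row in table2().items():
        print(f"{name:8s} G1={row['g1_bits']:3d} bits  sigma={row['sigma_bits']:5d} bits  cost={row['cost']:.3e}")
```

Under this model the 6 log Q loss buys a 216-bit group against 270 bits for JR17 and 322 bits for KPW15; the cubic pairing cost then puts our scheme slightly below JR17 already for one-element messages, with the gap growing in \(n_1\). Changing `Q` or `LAMBDA` shows how the non-tight schemes' group size moves with the deployment size while ours moves only logarithmically.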
Roadmap
We fix some notation and recall some preliminaries in Sect. 2. In Sect. 3, we present our basic MAC and prove it secure (using the mentioned core lemma). In Sects. 4 and 5, we present our signature and SPS schemes. Due to lack of space, for some proofs (including the more technical parts of the proof of the core lemma, and a full proof for the signature scheme) we refer to the full version.
2 Preliminaries
In this section we provide the preliminaries which our paper builds upon. First, we want to give an overview of notation used throughout all sections.
2.1 Notation
By \(\lambda \in \mathbb {N}\) we denote the security parameter. We always employ \(\mathsf {negl}:\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}\) to denote a negligible function, that is, for all polynomials \(p\in \mathbb {N}[X]\) there exists an \(n_0\in \mathbb {N}\) such that \(\mathsf {negl}(n)< 1/p(n)\) for all \(n\ge n_0\). For any set \(\mathcal {S}\), by \(s \leftarrow _{R}\mathcal {S}\) we set s to be a uniformly random element of \(\mathcal {S}\). For any distribution \(\mathcal {D}\), by \(d\leftarrow \mathcal {D}\) we denote the process of sampling an element d according to the distribution \(\mathcal {D}\). For any probabilistic algorithm \(\mathcal {B}\), by \(\mathrm {out}\leftarrow \mathcal {B}(\mathrm {in})\) we denote the output of \(\mathcal {B}\) on input \(\mathrm {in}\). For a deterministic algorithm we sometimes use the notation \(\mathrm {out}:=\mathcal {B}(\mathrm {in})\) instead. By p we denote a prime throughout the paper. For any element \(m \in \mathbb {Z}_p\), we denote by \(m_i\in \{0,1\}\) the i-th bit of m’s bit representation and by \(m_{|i} \in \{0,1\}^i\) the bit string comprising the first i bits of m’s bit representation.
Similarly, for a matrix \(\mathbf {A}\in \mathbb {Z}_p^{2k\times k}\), by \(\overline{\mathbf {A}}\in \mathbb {Z}_p^{k\times k}\) we denote the upper square matrix and by \(\underline{\mathbf {A}}\in \mathbb {Z}_p^{k\times k}\) the lower one.
2.2 Pairing Groups and Matrix Diffie-Hellman Assumptions
Let \({\mathsf {GGen}}\) be a probabilistic polynomial time (PPT) algorithm that on input \(1^\lambda \) returns a description \(\mathcal {PG}=(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,P_1,P_2,e)\) of asymmetric pairing groups where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are cyclic groups of order p for a \(2\lambda \)-bit prime p, \(P_1\) and \(P_2\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) is an efficiently computable (non-degenerate) bilinear map. Define \(P_T := e(P_1, P_2)\), which is a generator of \(\mathbb {G}_T\). We use implicit representation of group elements. For \(i \in \{1, 2, T \}\) and \(a \in \mathbb {Z}_p\), we define \([a]_i = a P_i \in \mathbb {G}_i\) as the implicit representation of a in \(\mathbb {G}_i\). Given \([a]_1\), \([b]_2\), one can efficiently compute \([ab]_T\) using the pairing e. For two matrices \(\mathbf {A}\), \(\mathbf {B}\) with matching dimensions, we define \(e([\mathbf {A}]_1, [\mathbf {B}]_2 ) := [\mathbf {A}\mathbf {B}]_T\), a matrix of \(\mathbb {G}_T\) elements.
We recall the definitions of the Matrix Decision Diffie-Hellman (MDDH) assumption from [24].
Definition 1
(Matrix distribution). Let \(k,\ell \in \mathbb {N}\), with \(\ell > k\), and let p be a \(2\lambda \)-bit prime. We call a PPT algorithm \(\mathcal {D}_{\ell ,k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_p^{\ell \times k}\) of full rank k.
Note that instantiating \(\mathcal {D}_{2,1}\) with a PPT algorithm outputting matrices \(\begin{pmatrix}1\\ a\end{pmatrix}\) for \(a\leftarrow _{R}\mathbb {Z}_p\), \(\mathcal {D}_{2,1}\)-MDDH relative to \(\mathbb {G}_1\) corresponds to the DDH assumption in \(\mathbb {G}_1\). Thus, for \(\mathcal {PG}=(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,P_1, P_2,e)\), assuming \(\mathcal {D}_{2,1}\)-MDDH relative to \(\mathbb {G}_1\) and relative to \(\mathbb {G}_2\) corresponds to the SXDH assumption.
In the following we only consider matrix distributions \(\mathcal {D}_{\ell ,k}\), where for all \(\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}\) the first k rows of \(\mathbf {A}\) form an invertible matrix. We also require that in case \(\ell =2k\), for any two matrices \(\mathbf {A}_0,\mathbf {A}_1\leftarrow _{R}\mathcal {D}_{2k,k}\) the matrix \(({\mathbf {A}}_0\mid {\mathbf {A}}_1 )\) has full rank with overwhelming probability. In the following we will denote this probability by \(1-\varDelta _{\mathcal {D}_{2k,k}}\). Note that if \((\mathbf {A}_0\mid \mathbf {A}_1)\) has full rank, then for any \(\mathbf {A}^\bot _0\in \mathsf {orth}(\mathbf {A}_0)\), \(\mathbf {A}^\bot _1\in \mathsf {orth}(\mathbf {A}_1)\) the matrix \((\mathbf {A}^\bot _0\mid \mathbf {A}^\bot _1)\in \mathbb {Z}_p^{2k\times 2k}\) has full rank as well, as otherwise there would exist a non-zero vector \(\mathbf {v}\in \mathbb {Z}_p^{2k}\backslash \{\mathbf {0}\}\) with \((\mathbf {A}_0\mid \mathbf {A}_1)^\top \mathbf {v}=\mathbf {0}\). Further, by similar reasoning \((\mathbf {A}^\bot _0)^\top \mathbf {A}_1\in \mathbb {Z}_p^{k\times k}\) has full rank.
The \(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman problem in \(\mathbb {G}_i\), for \(i \in \{1,2,T\}\), is to distinguish between tuples of the form \(([\mathbf {A}]_i,[\mathbf {A}\mathbf {w}]_i)\) and \(([\mathbf {A}]_i,[\mathbf {u}]_i)\), for a randomly chosen \(\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}\), \(\mathbf {w}\leftarrow _{R}\mathbb {Z}_p^k\) and \(\mathbf {u}\leftarrow _{R}\mathbb {Z}_p^{\ell }\).
Definition 2
For \(Q \in \mathbb {N}\), \(\mathbf {W}\leftarrow _{R}\mathbb {Z}_p^{k \times Q}\) and \(\mathbf {U}\leftarrow _{R}\mathbb {Z}_p^{\ell \times Q}\), we consider the Q-fold \(\mathcal {D}_{\ell ,k}\)-MDDH assumption, which states that distinguishing tuples of the form \(([\mathbf {A}]_i, [\mathbf {A}\mathbf {W}]_i)\) from \(([\mathbf {A}]_i, [\mathbf {U}]_i)\) is hard. That is, a challenge for the Q-fold \(\mathcal {D}_{\ell ,k}\)-MDDH assumption consists of Q independent challenges of the \(\mathcal {D}_{\ell ,k}\)-MDDH assumption (with the same \(\mathbf {A}\) but different randomness \(\mathbf {w}\)). In [24] it is shown that the two problems are equivalent, where the reduction loses at most a factor \(\ell - k\) (independently of Q).
Lemma 1
For \(k\in \mathbb {N}\) we define \(\mathcal {D}_{k}:=\mathcal {D}_{k+1,k}\).
The Kernel-Diffie-Hellman assumption \(\mathcal {D}_{k}\)-KMDH [45] is a natural computational analogue of the \(\mathcal {D}_k\)-MDDH assumption.
Definition 3
Note that we can use a non-zero vector in the kernel of \(\mathbf {A}\) to test membership in the column space of \(\mathbf {A}\). This means that the \(\mathcal {D}_k\)-KMDH assumption is a relaxation of the \(\mathcal {D}_k\)-MDDH assumption, as captured in the following lemma from [45].
Lemma 2
([45]). For any matrix distribution \(\mathcal {D}_k\), \(\mathcal {D}_k\)-MDDH \(\Rightarrow \) \(\mathcal {D}_k\)-KMDH.
2.3 Signature Schemes and Message Authentication Codes
Definition 4
\({\mathsf {Gen}}(1^\lambda )\): on input of the security parameter, generates public parameters \( pp \) and a secret key \({ sk }\).
\({\mathsf {Tag}}( pp ,{ sk }, m)\): on input of public parameters \( pp \), the secret key \({ sk }\) and a message \(m \in \mathcal {M}\), returns a tag \(\mathsf {tag}\).
\({\mathsf {Ver}}( pp ,{{ sk }},m,\mathsf {tag})\): verifies the tag \(\mathsf {tag}\) for the message m, outputting a bit \(b=1\) if \(\mathsf {tag}\) is valid with respect to m, and 0 otherwise.
Definition 5
Note that in our notion of \(\mathsf {UF}\text {-}\mathsf {CMA}\) security, the adversary gets only one forgery attempt. This is due to the fact that we employ the MAC primarily as a building block for our signature. Our notion suffices for this purpose, as an adversary can check the validity of a signature itself.
Definition 6
\({\mathsf {Gen}}(1^\lambda )\): on input of the security parameter, generates a pair \(({ pk },{ sk })\) of keys.
\({\mathsf {Sign}}({ pk },{ sk }, m)\): on input of the public key \({ pk }\), the secret key \({ sk }\) and a message \(m \in \mathcal {M}\), returns a signature \(\sigma \).
\({\mathsf {Ver}}({ pk },m,\sigma )\): verifies the signature \(\sigma \) for the message m, outputting a bit \(b=1\) if \(\sigma \) is valid with respect to m, and 0 otherwise.
Definition 7
2.4 Non-interactive Zero-Knowledge Proof (NIZK)
The notion of a non-interactive zero-knowledge proof was introduced in [15]. In the following we present the definition from [32]. Non-interactive zero-knowledge proofs will serve as a crucial building block for our constructions.
Definition 8
\(\mathsf {PGen}(1^\lambda ,{ pars })\) generates a common reference string \( crs \).
\(\mathsf {PTGen}(1^\lambda ,{ pars })\) generates a common reference string \( crs \) and additionally a trapdoor \( td \).
\(\mathsf {PPrv}( crs , x, w)\) given a word \(x\in {\mathcal {L}}\) and a witness w with \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), outputs a proof \(\varPi \in \mathcal {P}\).
\(\mathsf {PVer}( crs ,x,\varPi )\) on input \( crs \), \(x\in \mathcal {X}\) and \(\varPi \) outputs a verdict \(b\in \{0,1\}\).
\(\mathsf {PSim}( crs , td ,x)\) given a \( crs \) with corresponding trapdoor \( td \) and a word \(x\in \mathcal {X}\), outputs a proof \(\varPi \).
Further we require the following properties to hold.
Completeness: For all possible public parameters \({ pars }\), for all words \(x\in {\mathcal {L}}\), and all witnesses w such that \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), we have
$$\begin{aligned} \Pr [\mathsf {PVer}( crs ,x,\varPi )=1]=1, \end{aligned}$$
where the probability is taken over \( crs \leftarrow \mathsf {PGen}(1^\lambda ,{ pars })\) and \(\varPi \leftarrow \mathsf {PPrv}( crs ,x,w)\).
Composable zero-knowledge\(^\star \): For all PPT adversaries \(\mathcal {A}\) we have that
$$\begin{aligned} {\mathrm {Adv}^\mathrm{keygen}_{\mathsf {PS},\mathcal {A}}}(\lambda ) := \Big| \Pr [\mathcal {A}(1^{\lambda }, crs )=1\mid crs \leftarrow \mathsf {PGen}(1^{\lambda },{ pars })] - \Pr [\mathcal {A}(1^{\lambda }, crs )=1\mid ( crs , td )\leftarrow \mathsf {PTGen}(1^{\lambda },{ pars })] \Big| \end{aligned}$$
is negligible in \(\lambda \). Further, for all public parameters \({ pars }\), all pairs \(( crs , td )\) in the range of \(\mathsf {PTGen}(1^\lambda ,{ pars })\), all words \(x\in {\mathcal {L}}\), and all witnesses w with \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), the outputs of
$$\begin{aligned} \mathsf {PPrv}( crs ,x,w) \text{ and } \mathsf {PSim}( crs , td ,x) \end{aligned}$$
are statistically indistinguishable.
Perfect soundness: For all \( crs \) in the range of \(\mathsf {PGen}(1^\lambda ,{ pars })\), for all words \(x\notin {\mathcal {L}}\) and all proofs \(\varPi \) it holds that \(\mathsf {PVer}( crs ,x,\varPi )=0\).
Composable zero-knowledge: For a PPT adversary \(\mathcal {A}\), we define
$$\begin{aligned} {\mathrm {Adv}^\mathrm{zk}_{\mathsf {PS},\mathcal {A}}}(\lambda ) := \bigg| \Pr \left[ b' = b \,\left|\, \begin{array}{l} crs _0\leftarrow _{R}\mathsf {PGen}(1^\lambda ,{ pars }); \\ ( crs _1, td ) \leftarrow _{R}\mathsf {PTGen}(1^\lambda ,{ pars });\\ b \leftarrow _{R}\{0,1\}; \\ b' \leftarrow _{R}\mathcal {A}^{\textsc {Prove}(\cdot ,\cdot )}(1^\lambda , crs _b) \end{array} \right. \right] - \tfrac{1}{2} \bigg|. \end{aligned}$$
Here \(\textsc {Prove}(x,w)\) returns \(\bot \) if \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=0\) or \(\varPi _b\) if \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), where \(\varPi _0 \leftarrow _{R}\mathsf {PPrv}( crs _0,x,w)\) and \(\varPi _1 \leftarrow _{R}\mathsf {PSim}( crs _1, td ,x)\). We say that \(\mathsf {PS}\) satisfies composable zero-knowledge if \({\mathrm {Adv}^\mathrm{zk}_{\mathsf {PS},\mathcal {A}}}(\lambda ) \) is negligible in \(\lambda \) for all PPT \(\mathcal {A}\).
Note that the original definition of composable zero-knowledge (marked \(^\star \) above) tightly implies our definition of composable zero-knowledge: a reduction answers all \(\textsc {Prove}\) queries with real proofs under \( crs _0\) and simulated proofs under \( crs _1\), and the two experiments differ only by \({\mathrm {Adv}^\mathrm{keygen}}\) plus a statistical term, whatever the number of queries. We choose to work with the latter in order to simplify the presentation of our proofs. Note that for working with this definition in the tightness setting, it is crucial that \({\mathrm {Adv}^\mathrm{zk}_{\mathsf {PS},\mathcal {A}}}(\lambda )\) is independent of the number of queries to the oracle \(\textsc {Prove}\).
2.5 NIZK for Our OR-language
In this section we recall an instantiation of a NIZK for an OR-language implicitly given in [31, 46]. This NIZK will be a crucial part of all our constructions, allowing us to employ the randomization techniques from [6, 26, 33] to obtain a tight security reduction.
Lemma 3
3 Tightly Secure Message Authentication Code Scheme
Lemma 4
Proof Outline. Since the proof of Lemma 4 is rather complex, we first outline our strategy. Intuitively, our goal is to randomize the term \(u'\) used by oracles \(\textsc {TagO}\) and \(\textsc {VerO}\) (i.e., to change this term from \(\mathbf {k}_0^\top \mathbf {t}\) to \((\mathbf {k}_0+\mathbf {F}(\mathsf {ctr}))^\top \mathbf {t}\) for a truly random function \(\mathbf {F}\)). In this, it will also be helpful to change the distribution of \(\mathbf {t}\in {\mathbb {Z}}_p^{2k}\) in tags handed out by \(\textsc {TagO}\) as needed. (Intuitively, changing \(\mathbf {t}\) can be justified with the \(\mathcal {D}_{2k,k}\)-MDDH assumption, but we can only rely on the soundness of \(\mathsf {PS}\) if \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\cup {\mathrm {span}}(\mathbf {A}_1)\). In other words, we may assume that \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\cup {\mathrm {span}}(\mathbf {A}_1)\) for any of \(\mathcal {A}\)’s \(\textsc {VerO}\) queries, but only if the same holds for all \(\mathbf {t}\) chosen by \(\textsc {TagO}\).)

Partitioning. First, we choose \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_{\mathsf {ctr}_{i+1}})\) in \(\textsc {TagO}\), where \(\mathsf {ctr}_{i+1}\) is the \((i+1)\)-th bit of \(\mathsf {ctr}\). As noted above, this change can be justified with the \(\mathcal {D}_{2k,k}\)-MDDH assumption, and we may still assume \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\cup {\mathrm {span}}(\mathbf {A}_1)\) in every \(\textsc {VerO}\) query from \(\mathcal {A}\).

Decoupling. At this point, the values \(u'\) computed in \(\textsc {TagO}\) and \(\textsc {VerO}\) are either of the form \(u'=(\mathbf {k}_0+\mathbf {F}_i(\mathsf {ctr}_{|i}))^\top \mathbf {A}_0\mathbf {r}\) or \(u'=(\mathbf {k}_0+\mathbf {F}_i(\mathsf {ctr}_{|i}))^\top \mathbf {A}_1\mathbf {r}\) (depending on \(\mathbf {t}\)), where \(\mathsf {ctr}_{|i}\) denotes the first i bits of \(\mathsf {ctr}\). Since \(\mathbf {F}_i:\{0,1\}^i\rightarrow {\mathbb {Z}}_p^{2k}\) is truly random, and the matrix \((\mathbf {A}_0\mid \mathbf {A}_1)\in {\mathbb {Z}}_p^{2k\times 2k}\) has linearly independent columns (with overwhelming probability), the two possible subterms \(\mathbf {F}_i(\mathsf {ctr}_{|i})^\top \mathbf {A}_0\) and \(\mathbf {F}_i(\mathsf {ctr}_{|i})^\top \mathbf {A}_1\) are independent. Thus, switching to \(u'=(\mathbf {k}_0+\mathbf {F}_{i+1}(\mathsf {ctr}_{|i+1}))^\top \mathbf {t}\) does not change \(\mathcal {A}\)’s view at all.
After these modifications (and resetting \(\mathbf {t}\)), we have arrived at the \((i+1)\)-th hybrid, which completes the proof. However, this outline neglects a number of details, including a proper reasoning about \(\mathsf {PS}\) proofs, and a careful discussion of the decoupling step. In particular, an additional complication arises in this step from the fact that an adversary may choose \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_b)\) for an arbitrary bit b not related to any specific \(\mathsf {ctr}\). This difficulty is the reason for the somewhat surprising “\(\exists \mathsf {ctr}'\le \mathsf {ctr}\)” clause in \(\textsc {VerO}\).
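The linear-algebra facts of Sect. 2.2 and the partitioning/decoupling steps above, as an added worked example over \(\mathbb {Z}_p\) (illustration code, not the paper's implementation). All arithmetic is on scalars, i.e. “in the exponent”, with a small prime p and without the NIZK proof; both are assumptions of this example, and the helper names and the particular \(\mathcal {D}_{2k,k}\) instance \((\mathbf {I}_k;\mathbf {B})\) are its own. It checks that \((\mathbf {A}_0\mid \mathbf {A}_1)\) and \((\mathbf {A}^\bot _0\mid \mathbf {A}^\bot _1)\) are invertible, computes the unique \(\mathbf {F}\) with prescribed \(\mathbf {F}^\top \mathbf {A}_0\) and \(\mathbf {F}^\top \mathbf {A}_1\) (the bijection behind the decoupling step), and shows that shifting \(\mathbf {k}_0\) by an \(\mathbf {F}\) with \(\mathbf {F}^\top \mathbf {A}_0=\mathbf {0}\) leaves tags with \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\) valid while invalidating tags with \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_1)\).

```python
"""Toy arithmetic behind the D_{2k,k} matrix distributions (Sect. 2.2) and the
partitioning/decoupling steps of the core lemma (Sect. 3). Added illustration,
not the paper's code. Values are scalars in Z_p ("in the exponent"); a real
instantiation keeps [A]_1, [t]_1, [u]_1 as group elements and attaches the NIZK
proof that t lies in span(A_0) or span(A_1), which is omitted here."""
import random

P = 1_000_003  # assumption: a small prime standing in for the 2*lambda-bit group order


def matmul(X, Y, p=P):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]


def transpose(X):
    return [list(col) for col in zip(*X)]


def hstack(X, Y):
    """(X | Y): concatenate columns."""
    return [rx + ry for rx, ry in zip(X, Y)]


def inverse_mod_p(M, p=P):
    """Gauss-Jordan inverse of a square matrix over Z_p; None if singular."""
    n = len(M)
    aug = [list(M[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for c in range(n):
        piv = next((i for i in range(c, n) if aug[i][c] % p), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, p)
        aug[c] = [(x * inv) % p for x in aug[c]]
        for i in range(n):
            if i != c and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[c])]
    return [row[n:] for row in aug]


def sample_D2k_k(k, p=P):
    """A = (I_k ; B) in Z_p^{2k x k}: the first k rows are invertible, as Sect. 2.2 requires."""
    top = [[int(i == j) for j in range(k)] for i in range(k)]
    bottom = [[random.randrange(p) for _ in range(k)] for _ in range(k)]
    return top + bottom


def orth(A, p=P):
    """A^perp in Z_p^{2k x k} with (A^perp)^T A = 0; for A = (I_k ; B) take (-B^T ; I_k)."""
    k = len(A[0])
    neg_Bt = [[(-x) % p for x in row] for row in transpose(A[k:])]
    return neg_Bt + [[int(i == j) for j in range(k)] for i in range(k)]


def decouple(A0, A1, y0, y1, p=P):
    """The unique column F in Z_p^{2k} with F^T A0 = y0 and F^T A1 = y1.
    It exists for every (y0, y1) iff (A0|A1) is invertible, since
    F^T (A0|A1) = (y0|y1)  <=>  (A0|A1)^T F = (y0 ; y1)."""
    Minv = inverse_mod_p(transpose(hstack(A0, A1)), p)
    if Minv is None:
        return None
    return matmul(Minv, [[v] for v in y0 + y1], p)


def mac_tag(k0, k1, A, mu, p=P):
    """Affine MAC term of Sect. 3/4 on scalars: t = A r in span(A), u = (k0 + mu*k1)^T t."""
    r = [[random.randrange(p)] for _ in range(len(A[0]))]
    t = matmul(A, r, p)
    key = [[(a[0] + mu * b[0]) % p] for a, b in zip(k0, k1)]
    return t, matmul(transpose(key), t, p)[0][0]


def mac_verify(k0, k1, t, u, mu, p=P):
    key = [[(a[0] + mu * b[0]) % p] for a, b in zip(k0, k1)]
    return matmul(transpose(key), t, p)[0][0] == u


def full_rank_checks(k, p=P):
    """(A0|A1) invertible, and then (A0^perp|A1^perp) invertible too (Sect. 2.2)."""
    A0, A1 = sample_D2k_k(k, p), sample_D2k_k(k, p)
    lhs = inverse_mod_p(hstack(A0, A1), p) is not None
    rhs = inverse_mod_p(hstack(orth(A0, p), orth(A1, p)), p) is not None
    return lhs, rhs


def key_switch_demo(k, p=P):
    """Decoupling: shift k0 by an F with F^T A0 = 0 but F^T A1 random. Tags with
    t in span(A0) verify under both keys; tags with t in span(A1) only under the old one."""
    A0, A1 = sample_D2k_k(k, p), sample_D2k_k(k, p)
    k0 = [[random.randrange(p)] for _ in range(2 * k)]
    k1 = [[random.randrange(p)] for _ in range(2 * k)]
    F = decouple(A0, A1, [0] * k, [random.randrange(1, p) for _ in range(k)], p)
    k0_shift = [[(a[0] + f[0]) % p] for a, f in zip(k0, F)]
    mu = 42  # constructed message
    t0, u0 = mac_tag(k0, k1, A0, mu, p)
    t1, u1 = mac_tag(k0, k1, A1, mu, p)
    invisible_on_A0 = mac_verify(k0_shift, k1, t0, u0, mu, p)
    visible_on_A1 = not mac_verify(k0_shift, k1, t1, u1, mu, p)
    return invisible_on_A0, visible_on_A1
```

`key_switch_demo` is the partitioning argument in miniature: because \(\mathbf {F}^\top \mathbf {A}_0\) and \(\mathbf {F}^\top \mathbf {A}_1\) can be chosen independently, a key change in the \(\mathbf {A}_0\)-orthogonal direction is invisible on every tag whose \(\mathbf {t}\) lies in \({\mathrm {span}}(\mathbf {A}_0)\), which is what lets the hybrid re-randomize one half of the tags at a time. The scalar arithmetic here leaks \(\mathbf {t}\) and \(u\) outright; the scheme is only meaningful with group encodings and the OR-proof, so nothing in this block should be read as a usable MAC.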
Proof
Theorem 1
Proof
We employ an intermediary game \(\mathsf {G}_{0}\) to prove \(\mathsf {UF}\text {-}\mathsf {CMA}\) security of the MAC. By \(\varepsilon _0\) we denote the advantage of \(\mathcal {A}\) to win game \(\mathsf {G}_{0} \), that is \(\Pr [\mathsf {G}_{0}(\mathcal {A},1^\lambda )=1]\), where the probability is taken over the random coins of \(\mathsf {G}_{0}\) and \(\mathcal {A}\).
4 Tightly Secure Signature Scheme
In this section, we present a signature scheme \(\mathsf {SIG}\) for signing messages from \(\mathbb {Z}_p\), described in Fig. 6, whose UFCMA security can be tightly reduced to the \(\mathcal {D}_{2k,k}\)MDDH and \(\mathcal {D}_{k}\)MDDH assumptions.
\(\mathsf {SIG}\) builds upon the tightly secure MAC from Sect. 3, and functions as a stepping stone to explain the main ideas of the upcoming structure-preserving signature in Sect. 5. Recall that our MAC outputs \(\mathsf {tag}=([\mathbf {t}]_1, \varPi ,[u]_1)\), where \(\varPi \) is a (publicly verifiable) NIZK proof of the statement \(\mathbf {t} \in {\mathrm {span}}({\mathbf {A}}_0) \cup {\mathrm {span}}({\mathbf {A}}_1)\), and \(u=(\mathbf {k}_0 + \mu \mathbf {k}_1)^\top \mathbf {t}\) has an affine structure. Hence, alternatively, we can also view our MAC as an affine MAC [14] with \(\mathbf {t} \in {\mathrm {span}}({\mathbf {A}}_0) \cup {\mathrm {span}}({\mathbf {A}}_1)\) and a NIZK proof for that. Similar to [14], we use (tuned) Groth-Sahai proofs to make \([u]_1\) publicly verifiable. Similar ideas have been used to construct efficient quasi-adaptive NIZK for linear subspaces [38, 40], structure-preserving signatures [39], and identity-based encryption schemes [14]. In the following theorem we state the security of \(\mathsf {SIG}\). For a proof we refer to the full version.
Theorem 2
5 Tightly Secure Structure-Preserving Signature Scheme
Theorem 3
Strategy. In a nutshell, we will embed a “shadow MAC” in our signature scheme, and then invoke the core lemma to randomize the MAC tags computed during signing queries and the final verification of \(\mathcal {A}\)’s forgery. A little more specifically, we will embed a term \(\mathbf {k}_0^\top \mathbf {t}\) into the \(\mathbf {A}\)-orthogonal space of each \(\mathbf {u}\) computed by \(\textsc {SignO}\) and \(\textsc {VerO}\). (Intuitively, changes to this \(\mathbf {A}\)-orthogonal space do not influence the verification key, and simply correspond to changing from one signing key to another signing key that is compatible with the same verification key.) Using our core lemma, we can randomize this term \(\mathbf {k}_0^\top \mathbf {t}\) to \((\mathbf {k}_0+\mathbf {F}(\mathsf {ctr}))^\top \mathbf {t}\) for a random function \(\mathbf {F}\) and a signature counter \(\mathsf {ctr}\). Intuitively, this means that we use a freshly randomized signing key for each signature query. After these changes, an adversary only has a statistically small chance of producing a valid forgery.
Proof
(of Theorem 3). We proceed via a series of hybrid games \(\mathsf {G}_{0}\) to \(\mathsf {G}_{2}\), described in Fig. 8. By \(\varepsilon _i\) we denote the advantage of \(\mathcal {A}\) to win \(\mathsf {G}_{i}\).
Here we change the verification oracle as described in Fig. 8.
To simulate \(\textsc {SignO}([\mathbf {m}]_1)\), \({\mathcal {B}}\) uses its oracle \(\textsc {TagO}\), which takes no input, and gives back \(([\mathbf {t}]_1, \varPi , [u]_1)\). Then, \({\mathcal {B}}\) computes \([\mathbf {u}]_1 := \mathbf {K}_0^\top {[\mathbf {t}]}_1 + \mathbf {a}^\bot [u]_1 + \mathbf {K}^\top \begin{bmatrix} \mathbf {m}\\ 1 \end{bmatrix}_1\), and returns \(\sigma := ([\mathbf {t}]_1, \varPi , [\mathbf {u}]_1)\) to \(\mathcal {A}\).
Finally, given the forgery \(([\mathbf {m}^\star ]_1,\sigma ^\star )\) with corresponding signature \(\sigma ^\star :=([\mathbf {t}^\star ]_1, \varPi ^\star , [\mathbf {u}^\star ]_1)\), \({\mathcal {B}}\) first checks if \([\mathbf {m}^\star ]_1 \notin \mathcal {Q}_{\mathsf {sign}}\) and \([\mathbf {u}^\star ]_1 \ne [{\mathbf {0}}]_1\). If it is not the case, then \({\mathcal {B}}\) returns 0 to \(\mathcal {A}\). If it is the case, with the knowledge of \(\mathbf {a}^\bot \in \mathbb {Z}_p\), \({\mathcal {B}}\) efficiently checks whether there exists \([u^\star ]_1 \in \mathbb {G}_1\) such that \([\mathbf {u}^\star ]_1 - \mathbf {K}_0^\top {[\mathbf {t}^\star ]}_1 - \mathbf {K}^\top \begin{bmatrix} \mathbf {m}^\star \\1 \end{bmatrix}_1 = [u^\star ]_1 \mathbf {a}^\bot \). If it is not the case, \({\mathcal {B}}\) returns 0 to \(\mathcal {A}\). If it is the case, \({\mathcal {B}}\) computes \([u^\star ]_1\) (it can do so efficiently given \(\mathbf {a}^\bot \)), sets \(\mathsf {tag}:= ([\mathbf {t}^\star ]_1, \varPi ^\star , [u^\star ]_1)\), calls its verification oracle \(\textsc {VerO}(\mathsf {tag})\), and forwards the answer to \(\mathcal {A}\).
First, we can replace \(\mathbf {K}\) by \(\mathbf {K}+ {\mathbf {v}(\mathbf {a}^\bot )^\top }\) for \(\mathbf {v}\leftarrow _{R}\mathbb {Z}_p^{n+1}\), and \(\{ \mathbf {F}(i): i \in [Q], i \ne \widetilde{\mathsf {ctr}}\}\) by \(\{ \mathbf {F}(i) + \mathbf {w}_i: i \in [Q], i \ne \widetilde{\mathsf {ctr}}\}\) for \(\mathbf {w}_i \leftarrow _{R}\mathbb {Z}_p^{2k}\). Note that this does not change the distribution of the game.
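The three algebraic facts the reduction relies on, namely that verification only sees the \(\mathbf {A}\)-part of \(\mathbf {u}\) (the Strategy paragraph), that \({\mathcal {B}}\) can hide a MAC value along \(\mathbf {a}^\bot \) and later recover it from a forgery, and that \(\mathbf {K}+\mathbf {v}(\mathbf {a}^\bot )^\top \) is another signing key for the same verification key, as an added toy model. This is not code from the paper (which has none): scalars modulo a small constructed prime stand in for group elements and the pairing, \(k=1\) and \(n=1\), the matrices \(\mathbf {A},\mathbf {K}_0,\mathbf {K}\) are constructed, and the proof \(\varPi \) and the span check on \(\mathbf {t}\) are omitted.

```python
"""Added toy model of the Sect. 5 signature equations: integers mod P stand in
for group elements (no pairing), k = 1 and n = 1, all parameters constructed."""
from typing import List, Optional, Tuple

P = 101                      # small constructed prime; a real instance uses the group order
Vec = List[int]
Mat = List[List[int]]        # row-major matrices over Z_P


def transpose(M: Mat) -> Mat:
    return [list(col) for col in zip(*M)]


def mat_mul(M: Mat, N: Mat) -> Mat:
    return [[sum(M[i][l] * N[l][j] for l in range(len(N))) % P
             for j in range(len(N[0]))] for i in range(len(M))]


def mat_vec(M: Mat, v: Vec) -> Vec:
    return [sum(M[i][j] * v[j] for j in range(len(v))) % P for i in range(len(M))]


def vec_add(a: Vec, b: Vec) -> Vec:
    return [(x + y) % P for x, y in zip(a, b)]


def vec_sub(a: Vec, b: Vec) -> Vec:
    return [(x - y) % P for x, y in zip(a, b)]


def vec_scale(s: int, v: Vec) -> Vec:
    return [(s * x) % P for x in v]


# Constructed parameters: A in Z_P^{(k+1) x k}, a_perp spans the A-orthogonal space.
A = [[1], [5]]
A_PERP = [5, P - 1]          # a_perp^T A = 5*1 + (-1)*5 = 0 (mod P)
K0 = [[3, 7], [2, 9]]        # secret K_0 in Z_P^{2k x (k+1)}
K = [[4, 8], [6, 1]]         # secret K in Z_P^{(n+1) x (k+1)}


def verification_key(K0_: Mat, K_: Mat) -> Tuple[Mat, Mat]:
    """The verifier only ever sees K_0 A and K A (given in G_2 in the real scheme)."""
    return mat_mul(K0_, A), mat_mul(K_, A)


def sign(m: int, t: Vec, K0_: Mat = K0, K_: Mat = K) -> Vec:
    """u = K_0^T t + K^T (m, 1): the vector part of sigma (t and Pi are not modelled)."""
    return vec_add(mat_vec(transpose(K0_), t), mat_vec(transpose(K_), [m, 1]))


def verify(m: int, t: Vec, u: Vec) -> bool:
    """Checks u^T A == t^T (K_0 A) + (m,1)^T (K A); any component along a_perp cancels."""
    vk0, vk = verification_key(K0, K)
    lhs = mat_vec(transpose(A), u)
    rhs = vec_add(mat_vec(transpose(vk0), t), mat_vec(transpose(vk), [m, 1]))
    return lhs == rhs


def embed(u: Vec, mac_value: int) -> Vec:
    """B's simulation of SignO: hide the MAC value as u + a_perp * mac_value."""
    return vec_add(u, vec_scale(mac_value, A_PERP))


def extract(m: int, t: Vec, u: Vec) -> Optional[int]:
    """B's forgery check: is u - K_0^T t - K^T (m,1) a multiple of a_perp?
    Returns that multiple (the embedded MAC value), or None if it is not."""
    residual = vec_sub(u, sign(m, t))
    j = next(i for i, x in enumerate(A_PERP) if x % P)   # a coordinate where a_perp != 0
    s = residual[j] * pow(A_PERP[j], -1, P) % P
    return s if residual == vec_scale(s, A_PERP) else None


def rerandomize_key(K_: Mat, v: Vec) -> Mat:
    """K + v (a_perp)^T: a different signing key that yields the same K A."""
    return [[(K_[i][j] + v[i] * A_PERP[j]) % P for j in range(len(K_[0]))]
            for i in range(len(K_))]


if __name__ == "__main__":
    m, t = 10, [2, 3]                       # constructed message and tag vector
    u = sign(m, t)
    print("verify(real)     ", verify(m, t, u))
    print("verify(embedded) ", verify(m, t, embed(u, 42)))
    print("extract(embedded)", extract(m, t, embed(u, 42)))
    print("same vk after K + v a_perp^T:",
          mat_mul(rerandomize_key(K, [7, 11]), A) == mat_mul(K, A))
```

Running the block shows that the embedded value is invisible to the verifier but recoverable by anyone holding \(\mathbf {a}^\bot \), and that a tampered \(\mathbf {u}\) whose residual is not a multiple of \(\mathbf {a}^\bot \) fails both `verify` and `extract`, which is exactly the case in which \({\mathcal {B}}\) returns 0 above.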
Footnotes
 1. We are only interested in reductions to well-established and plausible computational problems here. While the security of any scheme can be trivially (and tightly) reduced to the security of that same scheme, such a trivial reduction is of course not very useful.
 2. Most of the schemes in the literature are only “almost” tightly secure, meaning that their security reduction suffers from a small multiplicative loss (that however is independent of the number of uses of the scheme). In the following, we will not make this distinction, although we will of course be precise in the description and comparison of the reduction loss of our own scheme.
 3. For \(k=1\), we can reduce to DDH in \({\mathbb {G}}\), and for \(k>1\), we can reduce to the \(k\)-Linear assumption, and in fact even to the weaker Matrix-DDH assumption [24].
 4. Actually, the scheme of [26] uses an efficient designated-verifier NIZK proof \(\pi \) that is however not structure-preserving (and thus not useful for our case), and also induces an additional term in \(\mathbf {K}\). For our purposes, we can think of \(\pi \) as a (structure-preserving) Groth-Sahai proof.
 5. A structure-preserving scheme should have group elements (and not scalars) as messages, since Groth-Sahai proofs cannot (easily) be used to prove knowledge of scalars.
 6. A reduction loss of \(\mathbf{O}(\log Q)\) has been achieved in the context of IBE schemes [20], but their techniques are different and rely on a composite-order group.
References
 1. Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 4–24. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_3
 2. Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. J. Cryptol. 29(4), 833–878 (2016). https://doi.org/10.1007/s00145-015-9211-7
 3. Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_20
 4. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2016). https://doi.org/10.1007/s00145-014-9196-7
 5. Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_37
 6. Abe, M., Hofheinz, D., Nishimaki, R., Ohkubo, M., Pan, J.: Compact structure-preserving signatures with almost tight security. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 548–580. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_19
 7. Acar, T., Lauter, K., Naehrig, M., Shumow, D.: Affine pairings on ARM. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 203–209. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36334-4_13
 8. Attrapadung, N., Hanaoka, G., Yamada, S.: A framework for identity-based encryption with almost tight security. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 521–549. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_22
 9. Barreto, P.S.L.M., Costello, C., Misoczki, R., Naehrig, M., Pereira, G.C.C.F., Zanon, G.: Subgroup security in pairing-based cryptography. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 245–265. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_14
 10. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_20
 11. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_18
 12. Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_19
 13. Blazy, O., Fuchsbauer, G., Izabachène, M., Jambert, A., Sibert, H., Vergnaud, D.: Batch Groth–Sahai. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 218–235. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_14
 14. Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_23
 15. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: 20th ACM STOC, pp. 103–112. ACM Press, May 1988
 16. Boneh, D., Mironov, I., Shoup, V.: A secure signature scheme from bilinear maps. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 98–110. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_7
 17. Camenisch, J., Dubovitskaya, M., Haralambiev, K.: Efficient structure-preserving signature scheme from standard assumptions. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 76–94. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_5
 18. Cathalo, J., Libert, B., Yung, M.: Group encryption: non-interactive realization in the standard model. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 179–196. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_11
 19. Chase, M., Kohlweiss, M.: A new hash-and-sign approach and structure-preserving signatures from DLIN. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 131–148. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_8
 20. Chen, J., Gong, J., Weng, J.: Tightly secure IBE under constant-size master public key. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10174, pp. 207–231. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54365-8_9
 21. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_25
 22. Dodis, Y., Kiltz, E., Pietrzak, K., Wichs, D.: Message authentication, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 355–374. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_22
 23. Enge, A., Milan, J.: Implementing cryptographic pairings at standard security levels. In: Chakraborty, R.S., Matyas, V., Schaumont, P. (eds.) SPACE 2014. LNCS, vol. 8804, pp. 28–46. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12060-7_3
 24. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8
 25. Gay, R., Hofheinz, D., Kiltz, E., Wee, H.: Tightly CCA-secure encryption without pairings. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 1–27. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_1
 26. Gay, R., Hofheinz, D., Kohl, L.: Kurosawa-Desmedt meets tight security. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 133–160. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_5
 27. Gong, J., Chen, J., Dong, X., Cao, Z., Tang, S.: Extended nested dual system groups, revisited. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 133–163. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49384-7_6
 28. Grewal, G., Azarderakhsh, R., Longa, P., Hu, S., Jao, D.: Efficient implementation of bilinear pairings on ARM processors. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 149–165. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_11
 29. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29
 30. Groth, J., Lu, S.: A non-interactive shuffle with pairing based verifiability. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 51–67. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_4
 31. Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 1–35 (2012). https://doi.org/10.1145/2220357.2220358. ISSN: 0004-5411
 32. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24
 33. Hofheinz, D.: Adaptive partitioning. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 489–518. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56617-7_17
 34. Hofheinz, D.: Algebraic partitioning: fully compact and (almost) tightly secure cryptography. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 251–281. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_11
 35. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_35
 36. Hofheinz, D., Koch, J., Striecks, C.: Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 799–822. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_36
 37. Jutla, C.S., Roy, A.: Improved structure preserving signatures under standard bilinear assumptions. In: Fehr, S. (ed.) PKC 2017. LNCS, vol. 10175, pp. 183–209. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54388-7_7
 38. Jutla, C.S., Roy, A.: Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 295–312. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_17
 39. Kiltz, E., Pan, J., Wee, H.: Structure-preserving signatures from standard assumptions, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 275–295. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_14
 40. Kiltz, E., Wee, H.: Quasi-adaptive NIZK for linear subspaces revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 101–128. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_4
 41. Kurosawa, K., Desmedt, Y.: A new paradigm of hybrid encryption scheme. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 426–442. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_26
 42. Libert, B., Joye, M., Yung, M., Peters, T.: Concise multi-challenge CCA-secure encryption and signatures with almost tight security. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 1–21. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_1
 43. Libert, B., Peters, T., Joye, M., Yung, M.: Compactly hiding linear spans. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 681–707. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_28
 44. Libert, B., Peters, T., Yung, M.: Short group signatures via structure-preserving signatures: standard model security from simple assumptions. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 296–316. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_15
 45. Morillo, P., Ràfols, C., Villar, J.L.: The kernel matrix Diffie-Hellman assumption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10031, pp. 729–758. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53887-6_27
 46. Ràfols, C.: Stretching Groth-Sahai: NIZK proofs of partial satisfiability. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 247–276. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_10