Private Functional Signatures: Definition and Construction

Abstract

In this paper, we introduce a new cryptographic primitive: private functional signatures, where functional signing keys \(\mathsf {sk}_f\) for functions f derived from master signing key \(\mathsf {msk}\) which can be used to sign any message, allow one to sign any message in the range of the underlying function f. Besides, there is an encryption algorithm which takes as input the master secret key \(\mathsf {msk}\) to produce a ciphertext \(\mathsf {c}_x\) for message x. And the signing algorithm applies a signing key \(\mathsf {sk}_f\) on the ciphertext \(\mathsf {c}_x\) to produce a signature \(\sigma _{f(x)}\) on the result f(x).

We also formalize the security notions of private functional signatures. Furthermore, we provide a general compiler from any (single-key) symmetric-key predicate encryption scheme into a single-key private functional signature scheme. By instantiating our construction with schemes for symmetric-key predicate encryption, we obtain private functional signature schemes based on a variety of assumptions (including the LWE assumption, simple multilinear-maps assumptions, obfuscation assumptions, and even the existence of any one-way function) offering various trade-offs between security and efficiency.

5 Appendix

1.1 5.1 Signature Schemes

Definition 9

(Signature Scheme). A signature scheme \(\mathsf {S}\) for a message space \(\mathcal {M}\) is a tuple \((\mathsf {S.Gen,S.Sign,S.Verify}):\)

• \(\mathsf {S.Gen}(1^\lambda )\rightarrow (\mathsf {sik},\mathsf {vk}):\) Takes as input a security parameter \(\lambda \), and outputs a signing and verification key pair \((\mathsf {sik},\mathsf {vk})\).

• \(\mathsf {S.Sign}(\mathsf {sik},m)\rightarrow \sigma :\) Takes as inputs the signing key \(\mathsf {sik}\) and a message \(m\in \mathcal {M}\) and outputs a string \(\sigma \) which we call the signature of m.

• \(\mathsf {S.Verify}(\mathsf {vk},m,\sigma )\rightarrow \{0,1\}:\) Given the verification key \(\mathsf {vk}\), a message m, and signature \(\sigma \), returns 1 or 0 indicating whether the signature is valid.

Correctness.

\(\forall m\in \mathcal {M}, (\mathsf {sik},\mathsf {vk})\leftarrow \mathsf {S.Gen}(1^\lambda ), \sigma \leftarrow \mathsf {S.Sign}(\mathsf {sik},m),\mathsf {S.Verify}(\mathsf {vk},m,\sigma )\rightarrow 1.\)

Unforgeability under chosen message attack.

A signature scheme is unforgeable under chosen message attack if the winning probability of any PPT adversary in the following game is negligible in the security parameter:

• The challenger generates \((\mathsf {sik},\mathsf {vk})\leftarrow \mathsf {S.Gen}(1^\lambda )\) and gives \(\mathsf {vk}\) to the adversary.

• The adversary requests signatures from the challenger for a polynomial number of messages. Once receiving the query m, the challenger computes \(\sigma \leftarrow \mathsf {S.Sign}(\mathsf {sik},m)\) and returns \(\sigma \) to the adversary.

• The adversary outputs \((\hat{m},\hat{\sigma })\), and wins if \(\mathsf {S.Verify}(\mathsf {vk},\hat{m},\hat{\sigma })\rightarrow 1\) and the adversary has not previously queried a signature of \(\hat{m}\) from the challenger.

Lemma 1

[Rom90]. Under the assumption that one-way functions exist, there exists a signature scheme which is secure against existential forgery under adaptive chosen message attacks by polynomial-time algorithms.

We stress that the definitions of deterministic signature schemes are the same as signature schemes except that the signing algorithm is deterministic.

1.2 5.2 Symmetric-Key Predicate Encryption

We provide the full-fledged definition of predicate encryption in symmetric-key setting based on [SSW09] with some adaptations, and we present the formal notions of security for it.

Definition 10

(Symmetric-Key Predicate Encryption). A symmetric-key predicate encryption (\(\mathsf {PE}\)) for a class of predicates \(\mathcal {F}=\{\mathcal {F}_l\}_{l\in \mathbb {N}}\) represented as boolean circuits with l input bits and one output bit and an associated message space \(\mathcal {M}\) is a tuple of algorithms (\(\mathsf {PE.Setup},\mathsf {PE.KeyGen},\mathsf {PE.Enc},\mathsf {PE.Dec}\)) as follows:

• \(\mathsf {PE.Setup}(1^\lambda )\rightarrow \mathsf {pmsk}:\) Takes as input a security parameter \(\lambda \) and outputs a master secret key \(\mathsf {pmsk}\).

• \(\mathsf {PE.KeyGen}(\mathsf {pmsk},f)\rightarrow \mathsf {sk}_f:\) Given a master secret key \(\mathsf {pmsk}\) and a predicate \(f\in \mathcal {F}\), outputs a secret key \(\mathsf {sk}_f\) corresponding to f.

• \(\mathsf {PE.Enc}(\mathsf {pmsk},x,m)\rightarrow c:\) Takes as input the master secret key \(\mathsf {pmsk}\), an attribute \(x\in \{0,1\}^l\), and a message \(m\in \mathcal {M}\) and outputs a ciphertext c.

• \(\mathsf {PE.Dec}(\mathsf {sk}_f,c)\rightarrow m\,\text {or}\,\bot :\) Takes as input a secret key \(\mathsf {sk}_f\) for a predicate f and a ciphertext c and outputs either \(m\in \mathcal {M}\) or \(\bot \).

Correctness.

For every sufficiently large security parameter \(\lambda \), all predicates \(f\in \mathcal {F}\), all attributes \(x\in \{0,1\}^l\), and all messages \(m\in \mathcal {M}:\)

$$\begin{aligned} \mathrm {Pr} \left[ \begin{aligned}&\mathsf {pmsk}\leftarrow \mathsf {PE.Setup}(1^\lambda );\\&\mathsf {sk}_f\leftarrow \mathsf {PE.KeyGen}(\mathsf {pmsk},f);\\&c\leftarrow \mathsf {PE.Enc}(\mathsf {pmsk},x,m):\\&\mathsf {PE.Dec}(\mathsf {sk}_f,c)={\left\{ \begin{array}{ll} m, &{} \text {if } f(x)=1,\\ \bot , &{} \text {otherwise}. \end{array}\right. } \end{aligned} \right] =1-\mathrm {negl}(\lambda ). \end{aligned}$$

We now give formal definitions of security for symmetric-key predicate encryption. Throughout the paper we regard a pair of attribute and message as a context. Note that we only provide the security definitions for the case when the adversary can ask a single key because this is all we need for our results.

Definition 11

(Context hiding (\(\mathsf {PE}\) )). Let \(\mathsf {PE}\) be a symmetric-key predicate encryption scheme for the class of predicates \(\mathcal {F}\) and an associated message space \(\mathcal {M}\). Let \(\mathcal {A}\) be a PPT adversary. Consider the following experiment:

Setup: The challenger runs \(\mathsf {PE.Setup}(1^\lambda )\) and keeps \(\mathsf {pmsk}\) to itself.

Respond the secret key: \(\mathcal {A}\) gives the predicate \(f\in \mathcal {F}\), then the challenger responds with \(\mathsf {PE.KeyGen}(\mathsf {pmsk},f).\)

Ciphertext query 1: \(\mathcal {A}\) can query ciphertexts of some messages at most polynomial times. On the ith ciphertext query, \(\mathcal {A}\) outputs a context \((x_i\in \{0,1\}^l,m_i\in \mathcal {M})\). The challenger responds with \(\mathsf {PE.Enc}(\mathsf {pmsk},x_i,m_i).\)

Challenge: \(\mathcal {A}\) outputs two tuples \((x_0^*,m_0^*)\) and \((x_1^*,m_1^*)\) where \(x_0^*,x_1^*\in \{0,1\}^l\) and satisfies \(f(x_0^*)=f(x_1^*)=0\) for the previous secret key query f, and \(m_0^*,m_1^*\in \mathcal {M}\). The challenger chooses a random bit \(b\in \{0,1\}\) and responds with \(\mathsf {PE.Enc}(\mathsf {pmsk},x_b^*,m_b^*).\)

Ciphertext query 2: A adaptively issues additional queries as in Ciphertext query 1.

Guess: \(\mathcal {A}\) outputs a guess bit \(b'\).

The advantage of \(\mathcal {A}\) is defined as \(\mathsf {Adv}_{PE,\mathcal {A}}=|\Pr [b'=b]-1/2|\).

We say the scheme is single-key context hiding if, for all PPT adversaries \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in winning the above game is negligible in \(\lambda \).

Definition 12

(Predicate privacy (\(\mathsf {PE}\) )). Let \(\mathsf {PE}\) be a symmetric-key predicate encryption scheme for the class of predicates \(\mathcal {F}\) and an associated message space \(\mathcal {M}\). Let \(\mathcal {A}\) be a PPT adversary. Consider the following experiment:

Setup: The challenger runs \(\mathsf {PE.Setup}(1^\lambda )\) and keeps \(\mathsf {pmsk}\) to itself.

Ciphertext query 1: \(\mathcal {A}\) can query ciphertexts of some messages at most polynomial times. On the ith ciphertext query, \(\mathcal {A}\) outputs a context \((x_i\in \{0,1\}^l,m_i\in \mathcal {M})\). The challenger responds with \(\mathsf {PE.Enc}(\mathsf {pmsk},x_i,m_i).\)

Challenge: \(\mathcal {A}\) outputs two predicates \(f_0^*,f_1^*\in \mathcal {F}\) such that, for all previous ciphertext queries \(x_i\), \(f_0^*(x_i)=f_1^*(x_i)\). The challenger chooses a random bit \(b\in \{0,1\}\) and responds with \(\mathsf {PE.KeyGen}(\mathsf {pmsk},f_b^*).\)

Ciphertext query 2: A adaptively issues additional queries as in Ciphertext query 1.

Guess: \(\mathcal {A}\) outputs a guess bit \(b'\).

The advantage of \(\mathcal {A}\) is defined as \(\mathsf {Adv}_{PE,\mathcal {A}}=|\Pr [b'=b]-1/2|\).

We say the scheme is predicate private if, for all PPT adversaries \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in winning the above game is negligible in \(\lambda \).

According to the results of [BS15], we conclude that (single-key) symmetric-key predicate encryption schemes for all functions can be obtained either from LWE assumptions, from obfuscation assumptions, from simple multilinear-maps assumptions, and even from the existence of any one-way function (offering various trade-offs between security and efficiency).

1.3 5.3 Proofs in the First Step

Lemma 1

Game 0 and Game 1 are identical.

Despite that the processes are different, both the signature oracles \(\mathcal {O}_\mathsf {Sign}\) in Game 0 and Game 1 output the deterministic signature of f(x) on each query (f, x). Hence, Game 0 and Game 1 are identical.

Lemma 2

Assuming the underlying PE\(_2\) scheme is context hiding, Game 1 and Game 2 are computationally indistinguishable.

Proof

In Game 1 and Game 2, there are n PE\(_2\) encryptions, each with a pair of independent PE\(_2\) keys. To prove Game 1 and Game 2 are computationally indistinguishable, we firstly prove that they are computationally indistinguishable with only one of these encryption. In detail, the argument proceeds in a standard way with n hybrids, where the hybrid i has the first i ciphertexts as in Game 1 and the rest \(n-i\) as in Game 2, where \(i=0,\dots ,n\). In this setting, hybrid 0 corresponds to Game 2 and Hybrid n corresponds to Game 1. We now firstly prove that the adjacent hybrids are computationally indistinguishable. Suppose a PPT adversary \(\mathcal {A}\) can distinguish Hybrid \(k-1\) and Hybrid k for \(k\in [n]\), then we can use \(\mathcal {A}\) to construct a PPT adversary \(\mathcal {B}_\mathsf {PE_2}\) to break the security of PE\(_2\) as follows.

• \(\mathcal {B}_\mathsf {PE_2}(1^\lambda ):\)

• Public parameters. PE\(_2\) challenger generates \(\mathsf {pmsk}^*\), \(\mathcal {B}\) views \(\mathsf {pmsk}^*\) as \(\mathsf {pmsk}_k\) (Note \(\mathcal {B}\) can not get \(\mathsf {pmsk}^*\)). For \(i\in [n]\backslash \{k\}\), \(\mathcal {B}\) firstly generates \(\mathsf {pmsk}_i\leftarrow \mathsf {PE}_2.\mathsf {Setup}(1^\lambda )\), then run \(\mathsf {S.Gen(1^\lambda )}\rightarrow \mathsf {(sik,vk)}.\) Set \(\mathsf {msk}:=(\mathsf {pmsk}_1,\dots ,\mathsf {pmsk}_{k-1},\mathsf {pmsk}_{k+1},\dots , \mathsf {pmsk}_m),\mathsf {mvk:=vk}\), and give \(\mathsf {mvk}\) to \(\mathcal {A}\).

• Private key query. When \(\mathcal {A}\) queries the signing key for the function f, \(\mathcal {B}\) firstly queries PE\(_2\) challenger for \(\mathsf {sk}_{f_k}\), then for \(i\in [n]\backslash \{k\}\), generate \(\mathsf {sk}_{f_i}\leftarrow \mathsf {PE}_2.\mathsf {KeyGen}(\mathsf {pmsk}_i, f_i)\), finally set \(\mathsf {sk}_f:=(\mathsf {sk}_{f_1},\dots ,\mathsf {sk}_{f_n})\), and return \(\mathsf {sk}_f\) to \(\mathcal {A}\).

• Encryption queries. \(\mathcal {A}\) can adaptively query the encryptions for some messages for \(Q(\lambda )\) times. When receiving the query x from \(\mathcal {A}\), \(\mathcal {B}_\mathsf {PE_2}\) proceeds the computations below.

  1. 1.

     Compute \((\mathrm {\Gamma },\{L_i^0,L_i^1\}_{i=1}^n)\leftarrow \mathsf {Gb.Garble(1^\lambda ,S.Sign(sik,\cdot ))}.\)

  2. 2.

     Let \(vk_i^0=g(L_i^0),\,\,vk_i^1=g(L_i^1) \text { for }i\in [n].\) Set \(vk:=\{vk_i^0,vk_i^1\}_{i=1}^n.\)

  3. 3.

     Let \(a_i=f_i(x),\) for \(i\in [n]\), where f is the function that \(\mathcal {A}\) queried for the signing key before. Then set \(m:=L_k^{a_k},m_0:=L_k^{a_k},m_1:=L_k^{1-a_k},x_0:=x,x_1=x,\) and give the tuple \((m,m_0,m_1,x_0,x_1)\) to PE\(_2\) challenger.

  4. 4.

     PE\(_2\) challenger returns the challenge ciphertext \(c^*\) corresponding to either \(m_0\) or \(m_1\). Firstly set \(c_k:=c^*\), then for \(i\in [1,k-1],\) compute \(c_i\leftarrow \mathsf {PE}_2.\mathsf {Enc}.(\mathsf {pmsk}_i,x, L_i^0,L_i^1);\) for \(i\in [k+1,n],\) compute \(c_i\leftarrow \mathsf {PE}_2.\mathsf {Enc}.(\mathsf {pmsk}_i,x,L_i^{a_i},L_i^{a_i}).\)

  5. 5.

     Set \(c_x:=(c_1,\dots ,c_{k-1},c^*,c_{k+1},\dots ,c_n,\mathrm {\Gamma },vk)\), and return \(c_x\) to \(\mathcal {A}\).

• Signature queries. \(\mathcal {A}\) can adaptively query \(Q(\lambda )\) numbers of signatures. When \(\mathcal {B}\) receives the query (f, x) from \(\mathcal {A}\), it firstly computes the value f(x), then generates \(\sigma _{f(x)}\leftarrow \mathsf {S.Sign}(\mathsf {sik},f(x)),\) and returns \(\sigma _{f(x)}\) to \(\mathcal {A}\).

• Forge. Finally, \(\mathcal {A}\) outputs a signature \((\hat{x},\hat{\sigma })\). If it is a forge for \(\mathsf {PFS}\), outputs 1, and outputs 0 if not.

We notice that when \(c^*\) is the encryption corresponding to \(m_0\), the view of \(\mathcal {A}\) is as in Hybrid k, when \(c^*\) is the encryption corresponding to \(m_1\), the view of \(\mathcal {A}\) is as in Hybrid \(k-1\). Thus, the advantage of \(\mathcal {B}_\mathsf {PE_2}\) to break PE\(_2\)’s security is the same as \(\mathcal {A}\)’s advantage to distinguish Hybrid \(k-1\) and Hybrid k. Since we have assumed the underlying PE\(_2\) scheme is plaintext privacy, \(\mathcal {A}\) can distinguish Hybrid \(k-1\) and Hybrid k only with a negligible probability \(\epsilon (1^\lambda )\). According to the hybrid argument, for any PPT adversary, the maximal probability to successfully distinguish Game 1 (Hybrid n) and Game 2 (Hybrid 0) is \(n\cdot \epsilon (1^\lambda )\), which is also a negligible probability.   \(\square \)

Lemma 3

Assuming the underlying garbling scheme is circuit- and input-private, Game 2 and Game 3 are computationally indistinguishable.

Proof

Suppose a PPT adversary A can distinguish Game 2 and Game 3, then use \(\mathcal {A}\) to construct a PPT adversary \(\mathcal {B}\) to break the security of the garbling scheme as follows.

• \(\mathcal {B}_\mathsf {Gb}(1^\lambda ):\)

• Public parameters. \(\mathcal {B}_\mathsf {Gb}\) generates the master keys.

  \(\mathcal {B}\) firstly generates \(\mathsf {pmsk}_i\leftarrow \mathsf {PE}_2.\mathsf {Setup}(1^\lambda )\,\text {for}\,i\in [n],\) then generates \(\mathsf {(sik,vk)}\leftarrow \mathsf {S.Gen}(1^\lambda ).\) Set \(\mathsf {msk}:=\mathsf {pmsk}_1,\dots ,\mathsf {pmsk}_n,\mathsf {sik}, \mathsf {mvk}:=\mathsf {vk}\), and give \(\mathsf {mvk}\) to \(\mathcal {A}\).

• Private key query. When \(\mathcal {A}\) queries the signing key for the function f, \(\mathcal {B}_\mathsf {Gb}\) computes \(\mathsf {sk}_{f_i}\leftarrow \mathsf {PE}_2.\mathsf {KeyGen}(\mathsf {pmsk}_i,f_i)\,\text {for}\,i\in [n].\) Set \(\mathsf {sk}_f:=(\mathsf {sk}_{f_1},\dots ,\mathsf {sk}_{f_n})\), then return \(\mathsf {sk}_f\) to \(\mathcal {A}\).

• Encryption queries. \(\mathcal {A}\) can adaptively query the encryptions for some messages for \(Q(\lambda )\) times. When \(\mathcal {B}_\mathsf {Gb}\) receives the query x from \(\mathcal {A}\), it proceeds as follows:

  1. 1.

     \(\mathcal {B}_\mathsf {Gb}\) provides a circuit \(C(\cdot ):=\mathsf {S.Sign(sik,\cdot )}\), then receives a garbled circuit \(\mathrm {\Gamma }^*\) which could be output either of the real algorithm \(\mathsf {Gb.Garble}\) or of simulator \(\mathcal {S}_1^{\mathsf {Gb}}.\)

  2. 2.

     \(\mathcal {B}_\mathsf {Gb}\) queries f(x) then receives a set of labels \(\{L_i^*\}_{i=1}^n\), which could be the output either of the real algorithm \(\mathsf {Gb.Enc}\) or of the simulator \(\mathcal {S}_2^{\mathsf {Gb}}.\)

  3. 3.

     For \(i\in [n],\) let \(vk_i^{a_i}=g(L_i^*),vk_i^{1-a_i}=g(r_i^*)\), where \(r_i^*\) is randomly chosen from \(\{0,1\}^{|L_i^*|}, a_i=f_i(x).\) Set \(vk^*:=\{vk_i^{a_i},vk_i^{1-a_i}\}_{i=1}^n.\)

  4. 4.

     Compute \(c^*=(\{\mathsf {PE}_2.\mathsf {Enc}(\mathsf {pmpk}_i,(x,L_i^*,L_i^*))\}_{i=1}^n,\mathrm {\Gamma }^*,vk^*),\) then return \(c^*\) to \(\mathcal {A}\).

• Signature queries. \(\mathcal {A}\) can adaptively query \(Q(\lambda )\) numbers of signatures. When \(\mathcal {B}\) receives the query (f, x) from \(\mathcal {A}\), it firstly computes the value f(x), then computes \(\sigma _{f(x)}\leftarrow \mathsf {S.Sign}(\mathsf {sik},f(x)),\) and returns \(\sigma _{f(x)}\) to \(\mathcal {A}\).

• Forge. Finally, \(\mathcal {A}\) outputs a signature \((\hat{x},\hat{\sigma })\). If it is a forge for \(\mathsf {PFS}\), outputs 1, and outputs 0 if not.

We notice that if \((\mathrm {\Gamma }^*,\{L_i^*\}_{i=1}^n)\) are outputs of the real garbling scheme, the view of \(\mathcal {A}\) is as in Game 2, else if \((\mathrm {\Gamma }^*,\{L_i^*\}_{i=1}^n)\) are outputs of the \(\mathsf {Sim_{Garble}}\), the view of \(\mathcal {A}\) is as in Game 3. Thus, if \(\mathcal {A}\) can distinguish Game 2 and Game 3 with non-negligible probability, \(\mathcal {B}_\mathsf {Gb}\) is able to output the correct decision with non-negligible probability. Since we have assumed the underlying garbling scheme is circuit- and input-private, this is not the case.   \(\square \)

1.4 5.4 Proof in the Second Step

We use \(\mathcal {A}_\mathsf {PFS}\) to construct an adversary \(\mathcal {A}_\mathsf {S}\) such that, if \(\mathcal {A}_\mathsf {PFS}\) wins in Game 3 with non-negligible probability, then \(\mathcal {A}_\mathsf {S}\) breaks the underlying signature scheme \(\mathsf {S}\), which is assumed to be secure against chosen message attack.

• \(\mathcal {B}_\mathsf {S}^{\mathsf {unforge}}(1^\lambda ):\)

• Public parameters. \(\mathcal {B}\) firstly gets verification key \(\mathsf {vk}\) from the challenger of \(\mathsf {S}\), then computes \(\mathsf {pmsk}_i\leftarrow \mathsf {PE}_2.\mathsf {Setup}(1^\lambda )\,\text {for}\,i\in [n].\) Set \(\mathsf {msk}:=\mathsf {pmsk}_1,\dots ,\mathsf {pmsk}_n,\mathsf {mvk} :=\mathsf {vk}\), and give \(\mathsf {mvk}\) to \(\mathcal {A}_\mathsf {S}\).

• Private key query. When \(\mathcal {A}_\mathsf {S}\) queries the signing key for the function f, \(\mathcal {B}\) computes \(\mathsf {sk}_{f_i}\leftarrow \mathsf {PE}_2.\mathsf {KeyGen}(\mathsf {pmsk}_i,f_i)\,\text {for}\,i\in [n],\) then sets \(\mathsf {sk}_f:=(\mathsf {sk}_{f_1},\dots ,\mathsf {sk}_{f_n})\) and returns \(\mathsf {sk}_f\) to \(\mathcal {A}_\mathsf {S}\).

• Encryption queries. \(\mathcal {A}\) can adaptively query the encryptions for some messages for \(Q(\lambda )\) times. When receiving the query x from \(\mathcal {A}_\mathsf {S}\), \(\mathcal {B}\) proceeds as follows.

  1. 1.

     Use \(\mathcal {S}_1^{\mathsf {Gb}}\) to simulate the garbled circuit: \((\overline{\mathrm {\Gamma }},\mathsf {state}_{\mathcal {S}^{\mathsf {Gb}}})\leftarrow \mathcal {S}_1^{\mathsf {Gb}}(1^\lambda ,1^{|C|}).\)

  2. 2.

     Query the challenger of \(\mathsf {S}\) for the signature on f(x) and receive back \(\sigma _{f(x)}\), where f is the function that \(\mathcal {A}\) queried for the signing key before, then run the simulator \(\mathcal {S}_2^{\mathsf {Gb}}\) to compute the simulated labels: \(\{\bar{L}_i\}_{i=1}^n\leftarrow \mathcal {S}_2^{\mathsf {Gb}}(\sigma _{f(x)},1^{|f(x)|},\mathsf {state}_{\mathcal {S}^{\mathsf {Gb}}})\).

  3. 3.

     For \(i\in [n],\) compute \(\overline{vk}_i^{a_i}=g(\overline{L}_i),\overline{vk}_i^{1-a_i}=g(r_i)\), where \(r_i\) is randomly chosen from \(\{0,1\}^{|\overline{L}_i|}, a_i=f_i(x),\) then set \(\overline{vk}:=\{\overline{vk}_i^{a_i},\overline{vk}_i^{1-a_i}\}_{i=1}^n.\)

  4. 4.

     Produce encryptions of PE\(_2\): \(\mathsf {\overline{c}}_i\leftarrow \mathsf {PE}_2.\mathsf {Enc}(\mathsf {pmpk}_i,x,\overline{L_i},\overline{L_i})\,\text {for}\,i\in [n].\) Set \(\overline{c}_x:=(\overline{c}_1,\dots ,\overline{c}_n,\overline{\mathrm {\Gamma }},\overline{vk})\) and return \(\overline{c}_x\) to \(\mathcal {A}_\mathsf {S}\).

• Signature queries. \(\mathcal {A}\) can adaptively query \(Q(\lambda )\) numbers of signatures. When \(\mathcal {B}\) receives the query (f, x) from \(\mathcal {A}_\mathsf {S}\), it firstly computes the value f(x), then queries the challenger of \(\mathsf {S}\) for signature of f(x). Once receiving back \(\sigma _{f(x)}\), \(\mathcal {B}\) returns \(\sigma _{f(x)}\) to \(\mathcal {A}_\mathsf {S}\).

• Forge. Finally, \(\mathcal {A}_\mathsf {S}\) outputs a pair \((\hat{x},\hat{\sigma })\), if it is a forge for \(\mathsf {PFS}\), then \(\mathcal {B}\) returns \((\hat{x},\hat{\sigma })\) as a forge for the signature scheme \(\mathsf {S}\).

Obviously, \(\mathcal {B}\) simulates the same environment for \(\mathcal {A}_\mathsf {S}\) perfectly as in the Game 3. Thus, if \(\mathcal {A}_\mathsf {S}\) produces a forgery in the Game 3 with non-negligible probability, then \(\mathcal {B}\) successfully forges in the underlying signature scheme with non-negligible probability. But, this is cannot be the case, since we have assumed that S is the existentially unforgeable against chosen-message attack. From the above discussion and Lemmas 1, 2 and 3, we finally draw the conclusion of Theorem 3 thus complete the proof.   \(\square \)