Structure-Preserving Signatures from Standard Assumptions, Revisited
Abstract
Structure-preserving signatures (SPS) are pairing-based signatures where all the messages, signatures and public keys are group elements, with numerous applications in public-key cryptography. We present new, simple and improved SPS constructions under standard assumptions via a conceptually different approach. Our constructions significantly narrow the gap between existing constructions from standard assumptions and optimal schemes in the generic group model.
Keywords
Structure-preserving Signatures (SPS); Generic Group Model; Public Key; Random Message Attacks; Pairing Product Equations
1 Introduction
Structure-preserving signatures (SPS) [4] are pairing-based signatures where all the messages, signatures and public keys are group elements, verified by testing equality of products of pairings of group elements. They are useful building blocks in modular design of cryptographic protocols, in particular in combination with non-interactive zero-knowledge (NIZK) proofs for algebraic relations in a group [29]. Structure-preserving signatures have found numerous applications in public-key cryptography, such as blind signatures [4, 25], group signatures [4, 25, 27, 28, 40], homomorphic signatures [38], delegatable anonymous credentials [11, 24], compact verifiable shuffles [18], network encoding [9], oblivious transfer [26] and e-cash [13].
A systematic treatment of structure-preserving signatures was initiated by Abe et al. in 2010 [4], building upon previous constructions in [17, 26, 27]. In the past few years, substantial and rapid progress was made in our understanding of the construction of structure-preserving signatures, yielding efficient schemes under standard assumptions [2, 3, 4, 30] as well as “optimal” schemes in the generic group model with matching upper and lower bounds on the efficiency of the schemes [5, 6, 7, 8, 10]. The three important measures of efficiency in structure-preserving signatures are (i) signature size, (ii) public key size (also per-user public key size for applications like delegatable credentials where we need to sign user public keys), and (iii) number of pairing equations during verification, which in turn affects the efficiency of the NIZK proofs.
One of the main advantages of designing cryptographic protocols starting from structure-preserving signatures is that we can obtain efficient protocols that are secure under standard cryptographic assumptions without the use of random oracles. Ideally, we want to build efficient SPS based on the well-understood k-Lin assumption, which can then be used in conjunction with Groth-Sahai proofs [29] to derive protocols based on the same assumption. In contrast, if we start with SPS that are only secure in the generic group model, then the ensuing protocols would also only be secure in the generic group model, which offers little theoretical or practical benefit over alternative – and typically more efficient and pairing-free – solutions in the random oracle model.
Unfortunately, there is still a big efficiency gap between existing constructions of structure-preserving signatures from the k-Lin assumption and the optimal schemes in the generic group model. For instance, to sign a single group element, the best construction under the SXDH (1-Lin) assumption contains 11 and 21 group elements in the signature and the public key [2], whereas the best construction in the generic group model contains 3 and 3 elements (moreover, this is “tight”) [5]. The goal of this work is to bridge this gap.
1.1 Our Results
We present clean, simple, and improved constructions of structure-preserving signatures via a conceptually novel approach. Our constructions are secure under the k-Lin assumption; under the SXDH assumption (i.e., \(k=1\)), we achieve 7 group elements in the signature.
Previous constructions use fairly distinct techniques, resulting in a large family of schemes with incomparable efficiency and security guarantees. We obtain a family of schemes that simultaneously match – and in many settings, improve upon – the efficiency, assumptions, and security guarantees of all of the previous constructions. Figure 1 summarizes the efficiency of our constructions. (The work of [41] is independent and concurrent.) Our schemes are fully explicit and simple to describe. Furthermore, our schemes have a natural derivation from a symmetric-key setting, and the derivation even extends to a modular and intuitive proof of security.

For Type III asymmetric pairings, under the SXDH assumption, we can sign a vector of n elements in \(\mathbb {G}_1\) with 7 group elements. This improves upon the prior SXDH-based scheme in [2], which requires 11 group elements, and matches the signature size of the scheme in [4] based on (non-standard) q-type assumptions;

For Type I symmetric pairings, under the 2-Lin assumption, we can sign a vector of n elements with 10 group elements, improving upon that in [3], which requires 14 group elements.
In each of these cases, we also improve the size of the public key, as well as the number of equations used in verification. Finally, we extend our schemes to obtain efficient SPS for signing bilateral messages in \(\mathbb {G}_1^{n_1}\times \mathbb {G}_2^{n_2}\) for Type III asymmetric pairings. Particularly, under the SXDH assumption, our scheme can sign messages in \(\mathbb {G}_1^{n_1}\times \mathbb {G}_2^{n_2}\) with 10 group elements in the signature, 4 pairing product equations for verification, and \((n_1+n_2+8)\) group elements in the public key. Prior SXDH-based schemes from [2] required 14 group elements in the signature, 5 pairing product equations, and \((n_1+n_2+22)\) elements in the public key.
1.2 Our Approach: SPS from MACs
We provide an overview of our construction of structure-preserving signatures. Throughout this overview, we fix a pairing group \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T)\) with \(e: \mathbb {G}_1\times \mathbb {G}_2 \rightarrow \mathbb {G}_T\), and rely on implicit representation notation for group elements, as explained in Sect. 2.1.^{1} As a warm-up, we explain in some detail how to build a one-time structure-preserving signature scheme, following closely the exposition in [36]. While we do not obtain significant improvement in this setting (nonetheless, we do simplify and generalize prior one-time schemes [4]), we believe it already illustrates the conceptual simplicity and novelty of our approach over previous constructions of structure-preserving signatures.

case 1: the adversary uses a fresh tag for \([\mathbf {m}^*]_1\). This immediately breaks the pseudorandomness of the security of the construction in Eq. (2);

case 2: the adversary reuses tag \(\tau _i\). Again, we know from pseudorandomness that the MAC values on the remaining \(Q-1\) tags do not leak any information about \(\mathbf {K}\); therefore, the only leakage about \(\mathbf {K}\) in the Q queries comes from \((1,\mathbf {m}_i^{\!\scriptscriptstyle {\top }}) \mathbf {K}\). We may then rely on the security of the one-time MAC to argue that given only \((1,\mathbf {m}_i^{\!\scriptscriptstyle {\top }}) \mathbf {K}\), it is hard to compute \((1,{\mathbf {m}^*}^{\!\scriptscriptstyle {\top }})\mathbf {K}\).
To obtain a structure-preserving signature, we cannot publish \(\tau \in \mathbb {Z}_q\) in the signature. The main technical challenge in this work is to find a way to embed \(\tau \) as a group element that enables both verification and a security reduction. The natural workaround is to add \([\tau \mathbf {K}_1\mathbf {A}]_2\) and \([\tau ]_1\) to the signature, but the proof breaks down. Instead, we add \([\tau ]_2\) and \([\tau \mathbf {t}^{\!\scriptscriptstyle {\top }}]_1\) to the signature to enable verification. This yields a signature with \(3k+4\) group elements.
An Alternative Interpretation. Linearly homomorphic signatures (LHS) [15, 21, 32] are signatures where the messages consist of vectors over the group \(\mathbb {G}_1\) such that from any set of signatures on \([\mathbf {m}_i]_1 \in \mathbb {G}_1^n\), one can efficiently derive a signature \(\sigma \) on any message \([\mathbf {m}]_1 := [\sum \omega _i \mathbf {m}_i]_1\) in the span of \(\mathbf {m}_1, \ldots , \mathbf {m}_Q\). For security, one requires that it is infeasible to produce a signature on a message outside of the span of all previously signed messages. Linearly homomorphic structure-preserving signatures (LHSPS) [16, 36, 38] have the additional property that signatures and public keys are all elements of the groups \(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\), while allowing the use of a tag which is a scalar.

case 1: the adversary uses a fresh tag. Then, security of LHSPS tells us that the adversary can only sign the vector \(\mathbf {0} \in \mathbb {G}_1^{n+1}\), which does not correspond to a valid message in the SPS.

case 2: the adversary reuses tag \(\tau _i\). Then, \((1,\mathbf {m}^{*\top })\) must lie in the span of \((1,\mathbf {m}^\top _i)\), which means \(\mathbf {m}^* = \mathbf {m}_i\). Here, we crucially rely on the fact that \(\tau _1,\ldots ,\tau _Q\) are distinct, which ensures that the adversary has seen at most one signature corresponding to \(\tau _i\).
At this point, we can then embed \(\tau \in \mathbb {Z}_q\) as a group element as described earlier. Our constructions may also be viewed as instantiating the above paradigm with the state-of-the-art LHSPS in [36].
1.3 Discussion
Optimality. The linearity in the verification equation of SPS poses severe restrictions on the efficiency of such constructions. In both Type I and III bilinear groups, it was proved in [5, 8] that any fully secure SPS requires at least 2 verification equations and at least 3 group elements, with the 3 elements not all in the same group (for Type III asymmetric pairings). In fact, [5] shows the above lower bounds by giving attacks in the weaker security model of unforgeability against two random message queries. Furthermore, one-time secure SPS against random message attack (\(\mathsf {RMA}\)) in Type I bilinear groups require at least 2 group elements and 2 equations [8]. Moreover, SPSs in Type III bilinear groups require at least 4 group elements [6] for unforgeability against adaptive chosen message attack under non-interactive assumptions (such as k-Lin).
Interestingly, for one-time \(\mathsf {RMA}\)-security, we can match the lower bounds. By combining our main result on the one-time \(\mathsf {CMA}\)-secure SPS and the techniques used in [36] to obtain shorter QA-NIZK, we obtain an optimal \(\mathsf {RMA}\)-secure one-time SPS (Sect. 5). In Type III asymmetric groups, under the SXDH assumption, signatures require 1 group element and 1 verification equation, which is clearly optimal; in Type I symmetric groups, under the 2-Lin assumption, our scheme requires 2 elements and 2 verification equations, matching the lower bound for one-time \(\mathsf {RMA}\)-secure SPS from [8].
Comparison with Previous Approaches. The prior works of Abe et al. [2, 3] presented two generic approaches for constructing SPS from the SXDH and 2-Lin assumptions: both constructions combine a structure-preserving one-time signature and random-message secure signatures à la [23], with slightly different syntax and security notions for the two underlying building blocks; the final signature is the concatenation of the two underlying signatures. Our construction has a similar flavor in that we combine a one-time MAC with a randomized PRF. However, we are able to exploit the common structure in both building blocks to compress the output; interestingly, working with the matrix Diffie-Hellman framework [22] makes it easier to identify such common structure. In particular, the output length of the randomized MAC with unbounded security is that of the PRF and not the sum of the output lengths of the one-time MAC and the PRF; this is akin to combining a one-time signature and a random-message secure signature in such a way that the combined signature size is that of the latter rather than the sum of the two.
Signatures from IBE. While our construction of signatures exploits techniques from the literature on IBE, it is quite different from the well-known Naor’s derivation of a signature scheme from an IBE. There, the signature on a message \(m \in \mathbb {Z}_q\) corresponds to an IBE secret key for the identity m. This approach seems to inherently fail for structure-preserving signatures as all known pairing-based IBE schemes need to treat the identity as a scalar. In our construction, a signature on \([\mathbf {m}]_1\) also corresponds to an IBE secret key: the message vector (specifically, a one-time MAC applied to the message vector) is embedded into the master secret key component of an IBE, and a fresh random tag \(\tau \in \mathbb {Z}_q\) is chosen and used as the identity. The idea of embedding \([\mathbf {m}]_1\) into the master secret key component of an IBE also appeared in earlier constructions of linearly homomorphic structure-preserving schemes [36, 38, 39]; a crucial difference is that these prior constructions allow the use of a scalar tag in the signature.
Towards Shorter SPS? One promising approach to get even shorter SPS against adaptive chosen message attack using our approach is to improve upon the underlying MAC in the computational core lemma (Lemma 3). Currently, the MAC achieves security against chosen message attacks, whereas it suffices to use one that is secure against random message attacks. Saving one group element in this MAC would likely yield a saving of two group elements in the SPS, which would in turn yield an SXDH-based signature with 5 group elements. Note that the state-of-the-art standard signature from SXDH contains 4 group elements [20]. Together with existing lower bounds for SPS, this indicates a barrier of 5 group elements for SXDH-based SPS; breaking this barrier would likely require improving upon the best standard signatures from SXDH.
Perspective. As noted at the beginning of the introduction, structure-preserving signatures have been a target of intense scrutiny in recent years. We presented a conceptually different yet very simple approach for building structure-preserving signatures. We are optimistic that our approach will yield further insights into structure-preserving signatures as well as concrete improvements to the numerous applications that rely on such signatures.
2 Definitions
Notation. If \(\mathbf {x} \in \mathcal {B}^n\), then \(|\mathbf {x}|\) denotes the length n of the vector. Further, \(x \leftarrow _{\textsc {r}}\mathcal {B}\) denotes the process of sampling an element x from the set \(\mathcal {B}\) uniformly at random. If \(\mathbf {{A}} \in \mathbb {Z}_q^{n \times k}\) is a matrix with \(n>k\), then \(\overline{\mathbf {{A}}} \in \mathbb {Z}_q^{k \times k}\) denotes the upper square matrix of \(\mathbf {{A}}\) and \(\underline{\mathbf {{A}}} \in \mathbb {Z}_q^{(n-k) \times k}\) denotes the remaining \(n-k\) rows of \(\mathbf {{A}}\). We use \(\mathrm {span}(\cdot )\) to denote the column span of a matrix.
2.1 Pairing Groups
Let \(\mathsf {GGen}\) be a probabilistic polynomial time (PPT) algorithm that on input \(1^\lambda \) returns a description \(\mathcal {PG}=(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,q,g_1,g_2,e)\) of asymmetric pairing groups where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are cyclic groups of order q for a \(\lambda \)-bit prime q, \(g_1\) and \(g_2\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) is an efficiently computable (non-degenerate) bilinear map. Define \(g_T:=e(g_1, g_2)\), which is a generator of \(\mathbb {G}_T\).
2.2 Matrix Diffie-Hellman Assumption
We recall the definitions of the Matrix Decision Diffie-Hellman (MDDH) and the Kernel Diffie-Hellman assumptions [22, 42].
Definition 1
(Matrix Distribution). Let \(k\in {{\mathbb N}}\). We call \(\mathcal {D}_{k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_q^{(k+1)\times k}\) of full rank k in polynomial time.
Without loss of generality, we assume the first k rows of \(\mathbf {{A}} \leftarrow _{\textsc {r}}\mathcal {D}_{k}\) form an invertible matrix. The \(\mathcal {D}_k\)-Matrix Diffie-Hellman problem is to distinguish the two distributions \(([\mathbf {{A}}], [\mathbf {{A}} \mathbf {w}])\) and \(([\mathbf {{A}}],[\mathbf {u}])\) where \(\mathbf {{A}}\leftarrow _{\textsc {r}}\mathcal {D}_{k}\), \(\mathbf {w}\leftarrow _{\textsc {r}}\mathbb {Z}_q^k\) and \(\mathbf {u}\leftarrow _{\textsc {r}}\mathbb {Z}_q^{k+1}\).
Definition 2
The Kernel Diffie-Hellman assumption \(\mathcal {D}_{k}\)-KerMDH [42] is a natural computational analogue of the \(\mathcal {D}_k\)-MDDH Assumption.
Definition 3
Note that we can use a nonzero vector in the kernel of \(\mathbf {A}\) to test membership in the column space of \(\mathbf {A}\). This means that the \(\mathcal {D}_k\)-KerMDH assumption is a relaxation of the \(\mathcal {D}_k\)-MDDH assumption, as captured in the following lemma from [42].
Lemma 1
For any matrix distribution \(\mathcal {D}_k\), \(\mathcal {D}_k\)-MDDH \(\Rightarrow \) \(\mathcal {D}_k\)-KerMDH.
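The following Python script is an added illustration of the kernel test behind Definition 3 and Lemma 1; it is not code from the paper. It instantiates \(\mathcal {D}_k\) with the k-Lin matrix distribution (a diagonal \(a_1,\ldots ,a_k\) on top of a row of ones; this concrete choice is an assumption of the example), computes the kernel vector \(\mathbf {a}^{\perp }=(a_1^{-1},\ldots ,a_k^{-1},-1)\), and uses it to decide whether a vector lies in the column span of \(\mathbf {A}\). Group elements are replaced by their exponents modulo a constructed prime, so the script only checks the linear algebra of the reduction: an adversary that breaks \(\mathcal {D}_k\)-KerMDH hands the reduction \(\mathbf {a}^{\perp }\), and applying it to the challenge (through exponentiation or the pairing on real group encodings) tells \([\mathbf {A}\mathbf {w}]\) apart from \([\mathbf {u}]\), which is exactly why MDDH implies KerMDH. The one caveat the code makes visible is the \(1/q\) chance that a uniformly random \(\mathbf {u}\) happens to lie in the span. All function and variable names are the example's own.

```python
import random

Q = (1 << 61) - 1  # constructed modulus standing in for the group order q (a Mersenne prime)


def matmul(X, Y, q=Q):
    """Product of two matrices over Z_q, given as lists of rows."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]


def rand_vector(rows, rng, q=Q):
    """Uniformly random column vector in Z_q^rows."""
    return [[rng.randrange(q)] for _ in range(rows)]


def sample_klin(k, rng, q=Q):
    # D_k instantiated with the k-Lin distribution (assumption of this example):
    # diag(a_1, ..., a_k) on top of a row of ones; shape (k+1)×k, rank k, top k×k block invertible.
    a = [rng.randrange(1, q) for _ in range(k)]
    return [[a[i] if i == j else 0 for j in range(k)] for i in range(k)] + [[1] * k]


def kernel_vector(A, q=Q):
    # a^⊥ in Z_q^{1×(k+1)} with a^⊥ A = 0; for a k-Lin matrix it is (a_1^{-1}, ..., a_k^{-1}, -1).
    k = len(A[0])
    return [[pow(A[i][i], -1, q) for i in range(k)] + [q - 1]]


def in_span(aperp, z, q=Q):
    # z lies in span(A) iff a^⊥ z = 0: the left kernel of a rank-k (k+1)×k matrix is
    # one-dimensional, so a single nonzero kernel vector decides membership.
    return matmul(aperp, z, q) == [[0]]


def mddh_sample(k, real, rng, q=Q):
    # The two D_k-MDDH distributions: ([A],[Aw]) with w <- Z_q^k, or ([A],[u]) with u <- Z_q^{k+1}.
    A = sample_klin(k, rng, q)
    z = matmul(A, rand_vector(k, rng, q), q) if real else rand_vector(k + 1, rng, q)
    return A, z


def distinguish(A, z, q=Q):
    # Core step of the Lemma 1 reduction: given a^⊥ from a KerMDH adversary, accept the
    # challenge as "real" iff a^⊥ z = 0. A random u is wrongly accepted with probability 1/q.
    return in_span(kernel_vector(A, q), z, q)


def trial(k, seed):
    """Run the distinguisher on one real and one random tuple; expected [True, False]."""
    rng = random.Random(seed)
    return [distinguish(*mddh_sample(k, True, rng)), distinguish(*mddh_sample(k, False, rng))]


if __name__ == "__main__":
    for k in (1, 2):
        print(f"k={k}: [real tuple accepted, random tuple accepted] ->", trial(k, seed=42))
```

The `kernel_vector` shortcut is specific to the k-Lin shape; for a general \(\mathcal {D}_k\) matrix one would compute \(\mathbf {a}^{\perp }=(-\underline{\mathbf {A}}\,\overline{\mathbf {A}}^{-1}, 1)\) using the notation of Sect. 2, which needs a modular inverse of the top \(k \times k\) block.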
2.3 Structure-Preserving Signatures
Let \(\mathsf {par}\) be some parameters that contain a pairing group \(\mathcal {PG}\). In a structure-preserving signature (SPS) [4], both the messages and signatures are group elements, and verification proceeds via pairing-product equations.
Definition 4

The probabilistic key generation algorithm \(\mathsf {Gen}(\mathsf {par})\) returns the public/secret key \(( \mathsf {pk}, \mathsf {sk})\), where \( \mathsf {pk}\in \mathbb {G}^{n_{ \mathsf {pk}}}\) for some \(n_{ \mathsf {pk}} \in {{\mathrm{poly}}}(\lambda )\). We assume that \( \mathsf {pk}\) implicitly defines a message space \(\mathcal {M}:=\mathbb {G}^n\) for some \(n\in {{\mathrm{poly}}}(\lambda )\).

The probabilistic signing algorithm \(\mathsf {Sign}( \mathsf {sk},[\mathbf {m}])\) returns a signature \(\sigma \in \mathbb {G}^{n_{\sigma }}\) for \(n_{\sigma } \in {{\mathrm{poly}}}(\lambda )\).

The deterministic verification algorithm \(\mathsf {Verify}( \mathsf {pk}, [\mathbf {m}],\sigma )\) only consists of pairing product equations and returns 1 (accept) or 0 (reject).
Definition 5
3 One-Time CMA-Secure SPS
We will exploit the following lemma in the analysis of our scheme. Informally, the lemma says that \(\mathbf {m}\mapsto (1,\mathbf {m}^{\!\scriptscriptstyle {\top }})\mathbf {K}\) is a secure information-theoretic one-time MAC even if the adversary first sees \((\mathbf {A},\mathbf {K}\mathbf {A})\).
Lemma 2
This lemma can be seen as an adaptive version of a special case of [36, Lemma 2] in that we fix \(t=1\), \(\mathbf {M}\) to be the matrix \((1,\mathbf {m}^{\!\scriptscriptstyle {\top }}) \in \mathbb {Z}_q^{1 \times (n+1)}\), and we use the fact that if \(\mathbf {m}^* \ne \mathbf {m}\), then \((1,\mathbf {m}^*) \notin \mathrm {span}(\mathbf {M})\). In our adaptive version, \(\mathbf {m}\) may depend on \(\mathbf {K}\mathbf {A}\), but the proof is essentially the same as in [36]. Lemma 2 implies the security of \(\mathsf {SPS}_\mathsf {ot}\). Formal proofs of Lemma 2 and Theorem 1 are given in [35].
Theorem 1
Under the \(\mathcal {D}_k\)-KerMDH Assumption in \(\mathbb {G}_2\), \(\mathsf {SPS}_\mathsf {ot}\) from Fig. 2 is a one-time \(\mathsf {CMA}\)-secure structure-preserving signature scheme.
4 Unbounded CMA-Secure SPS
4.1 Computational Core Lemma
We present a variant of the computational core lemma from [36, Lemma 3].
Lemma 3

\(\mathcal{O}_b(\tau )\) returns \((\left[ b\mu {\mathbf {a}^{\perp }}+ \mathbf {r}^{\!\scriptscriptstyle {\top }}(\mathbf {{P}}_0 + \tau \mathbf {{P}}_1)\right] _{1}, \left[ \mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {B}^{\!\scriptscriptstyle {\top }}\right] _{1}) \in (\mathbb {G}_1^{1 \times (k+1)})^2\) with \(\mu \leftarrow _{\textsc {r}}\mathbb {Z}_q, \mathbf {r}\leftarrow _{\textsc {r}}\mathbb {Z}_q^k\) and adds \(\tau \) to \({\mathcal Q}_{\mathrm {msg}}\). Here, \({\mathbf {a}^{\perp }}\) is a nonzero vector in \(\mathbb {Z}_q^{1 \times (k+1)}\) that satisfies \({\mathbf {a}^{\perp }}\mathbf {A}= \mathbf {0}\).

\(\mathcal {A}\) only gets a single call \(\tau ^*\) to \(\mathcal{O^*}\).

Q is the number of queries \(\mathcal {A}\) makes to \(\mathcal{O}_b\).

the security reduction knows \(\mathbf {K}_0,\mathbf {K}_1\), and therefore it can compute \([\mathbf {K}_0 + \tau ^*\mathbf {K}_1]_2\) given \([\tau ^*]_2\);

the quantity \([\mathbf {K}_0 + \tau ^*\mathbf {K}_1]_2\) does not reveal any additional information about \(\mathbf {K}_0,\mathbf {K}_1\) beyond \(\mathbf {K}_0 + \tau ^* \mathbf {K}_1\).
For completeness, a formal proof of the lemma is given in [35].
4.2 Our Scheme
Theorem 2
Under the \(\mathcal {D}_k\)-MDDH Assumption in \(\mathbb {G}_1\) and the \(\mathcal {D}_k\)-KerMDH Assumption in \(\mathbb {G}_2\), \(\mathsf {SPS}_\mathsf {full}\) from Fig. 3 is an unbounded \(\mathsf {CMA}\)-secure structure-preserving signature scheme.
Proof
 Game 0. This is the \(\mathsf {CMA}\)-security experiment from Definition 5.$$\mathbf {Adv}^\mathrm {cma}_{\mathsf {SPS}_\mathsf {full}}(\mathcal {A}) = \mathbf {Adv}_0$$
 Game 1. Switch \(\mathsf {Verify}\) to \(\mathsf {Verify}^*\): Suppose \(e(\sigma _2, [\tau ]_2) = e(\sigma _3, [1]_2)\). We note that$$\begin{aligned}&\qquad \! e(\sigma _1,[\mathbf {A}]_2) = e([(1,\mathbf {m}^\top )]_1,[\mathbf {C}]_2) \cdot e(\sigma _2, [\mathbf {C}_0]_2) \cdot e(\sigma _3, [\mathbf {C}_1]_2) \\&\Longleftrightarrow e(\sigma _1,[\mathbf {A}]_2) = e([(1,\mathbf {m}^\top )]_1,[\mathbf {K}\mathbf {A}]_2) \cdot e(\sigma _2, [\mathbf {K}_0 \mathbf {A}]_2) \cdot e(\sigma _3, [\mathbf {K}_1 \mathbf {A}]_2) \\&\Longleftarrow e(\sigma _1,[1]_2) = e([(1,\mathbf {m}^\top )]_1,[\mathbf {K}]_2) \cdot e(\sigma _2, [\mathbf {K}_0]_2) \cdot e(\sigma _3, [\mathbf {K}_1]_2) \\&\Longleftrightarrow e(\sigma _1,[1]_2) = e([(1,\mathbf {m}^\top )]_1,[\mathbf {K}]_2) \cdot e(\sigma _2, [\mathbf {K}_0 +\tau \mathbf {K}_1]_2) \end{aligned}$$Hence, for any \(([\mathbf {m}]_1,\sigma )\) that passes \(\mathsf {Verify}\) but not \(\mathsf {Verify}^*\), the value$$\sigma _1 - ( [(1,\mathbf {m}^\top ) \mathbf {K}]_1 + \sigma _2 \mathbf {K}_0 + \sigma _3 \mathbf {K}_1) \in \mathbb {G}_1^{1 \times (k+1)}$$is a nonzero vector in the kernel of \(\mathbf {A}\), which is hard to compute under the \(\mathcal {D}_k\)-\(\mathsf {KerMDH} \) assumption in \(\mathbb {G}_2\). This means that$$\begin{aligned} \mathbf {Adv}_0 - \mathbf {Adv}_1 \le \mathbf {Adv}^\mathrm {kmdh}_{\mathcal {D}_{k},\mathsf {GGen}}(\mathcal {B}_0). \end{aligned}$$
 Game 2. Let \(\tau _1,\ldots ,\tau _Q\) denote the randomly chosen tags in the Q queries to \(\mathsf {Sign}\mathsf {O}\). We abort if \(\tau _1,\ldots ,\tau _Q\) are not all distinct.$$\begin{aligned} \mathbf {Adv}_2 \ge \mathbf {Adv}_1 - Q^2/2q. \end{aligned}$$
 Game 3. We define \(\tau _{Q+1} := \tau ^*\). Now, pick \(i^* \leftarrow _{\textsc {r}}[Q+1]\) and abort if \(i^*\) is not the smallest index i for which \(\tau ^* = \tau _i\). In the rest of the proof, we focus on the case where we do not abort, which means that \(\tau ^* = \tau _{i^*}\) and \(\tau _1,\ldots ,\tau _{i^*-1}\) are all different from \(\tau ^*\). This means that given \(\tau \), \(\mathsf {Sign}\mathsf {O}\) can check whether \(\tau ^*\) equals \(\tau \): for the first \(i^*-1\) queries, answer NO, and starting from the \(i^*\)’th query, we know \(\tau ^*\). It is easy to see that$$\begin{aligned} \mathbf {Adv}_3 \ge \frac{1}{Q+1} \mathbf {Adv}_2 . \end{aligned}$$
 Game 4. Switch \(\mathsf {Sign}\mathsf {O}\) to \(\mathsf {Sign}\mathsf {O}^*\), where \(\mathsf {Sign}\mathsf {O}^*\) behaves like \(\mathsf {Sign}\mathsf {O}\) except that, for every query other than the \(i^*\)’th, \(\sigma _1\) is additionally masked by \([\mu {\mathbf {a}^{\perp }}]_1\) with \(\mu \leftarrow _{\textsc {r}}\mathbb {Z}_q\) (this corresponds to \(b=1\) in the oracle \(\mathcal{O}_b\) of Lemma 3). We will use Lemma 3 to show that$$\begin{aligned} \mathbf {Adv}_3 - \mathbf {Adv}_4 \le 2Q \mathbf {Adv}^\mathrm {mddh}_{\mathcal {D}_{k},\mathsf {GGen}}(\mathcal {B}_1) + Q/q \end{aligned}$$Basically, we pick \(\mathbf {K}\) ourselves and use \(\mathcal{O}_b\) to simulate either \(\mathsf {Sign}\mathsf {O}\) or \(\mathsf {Sign}\mathsf {O}^*\), and \(\mathcal{O}^*\) to simulate \(\mathsf {Verify}^*\), as follows:
 – For the i’th signing query \([\mathbf {m}]_1\) where \(i \ne i^*\), we query \(\mathcal{O}_b\) at \(\tau \leftarrow _{\textsc {r}}\mathbb {Z}_q\) to obtain$$\begin{aligned} (\sigma _1',\sigma _2) := (\left[ b\mu {\mathbf {a}^{\perp }}+ \mathbf {r}^{\!\scriptscriptstyle {\top }}(\mathbf {{P}}_0 + \tau \mathbf {{P}}_1)\right] _{1}, \left[ \mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {B}^{\!\scriptscriptstyle {\top }}\right] _{1}), \end{aligned}$$and we return$$ (\sigma _1:= [(1,\mathbf {m}^{\!\scriptscriptstyle {\top }})\mathbf {K}]_1 \cdot \sigma '_1,\; \sigma _2,\; \sigma _3 := \sigma _2 \tau ,\; \sigma _4 := [\tau ]_2)$$
 – For the \(i^*\)’th signing query \([\mathbf {m}]_1\) where \(i^* \le Q\), we run \(\mathsf {Sign}\) honestly using our knowledge of \(\mathbf {K},[\mathbf {{P}}_0]_1,[\mathbf {{P}}_1]_1,[\mathbf {B}]_1\).
 – For \(\mathsf {Verify}^*\), we query \(\mathcal{O}^*\) on \([\tau ^*]_2\) to get \([\mathbf {K}_0 + \tau ^* \mathbf {K}_1]_2\). The latter is sufficient to simulate the \(\mathsf {Verify}^*\) query by computing \(e(\sigma _2, [\mathbf {K}_0 + \tau ^*\mathbf {K}_1]_2)\).
This allows us to then build a distinguisher for Lemma 3.
 Game 5. Switch \(\mathbf {K}\leftarrow _{\textsc {r}}\mathbb {Z}_q^{(n+1) \times (k+1)}\) in \(\mathsf {Gen}\) to \(\mathbf {K}:= \mathbf {K}' + \mathbf {u}{\mathbf {a}^{\perp }}\), where \(\mathbf {K}' \leftarrow _{\textsc {r}}\mathbb {Z}_q^{(n+1) \times (k+1)}, \mathbf {u}\leftarrow _{\textsc {r}}\mathbb {Z}_q^{n+1}\). Since \(\mathbf {u}{\mathbf {a}^{\perp }}\) is masked by a uniform matrix \(\mathbf {{K}}'\), \(\mathbf {{K}}\) in Game 5 is still uniformly random and thus Games 4 and 5 are identical. We have$$\mathbf {Adv}_5=\mathbf {Adv}_4.$$To conclude the proof, we bound the adversarial advantage in Game 5 via an information-theoretic argument. We first consider the information about \(\mathbf {u}\) leaked from \( \mathsf {pk}\) and signing queries:
 – \(\mathbf {C}= (\mathbf {K}' + \mathbf {u}{\mathbf {a}^{\perp }})\mathbf {A}= \mathbf {K}'\mathbf {A}\) completely hides \(\mathbf {u}\);
 – the output of \(\mathsf {Sign}\mathsf {O}^*\) on \((\mathbf {m},\tau )\) for \(\tau \ne \tau ^*\) completely hides \(\mathbf {u}\), since \((1,\mathbf {m}^{\!\scriptscriptstyle {\top }}) (\mathbf {K}' + \mathbf {u}{\mathbf {a}^{\perp }}) + \mu {\mathbf {a}^{\perp }}\) is identically distributed to \((1,\mathbf {m}^{\!\scriptscriptstyle {\top }}) \mathbf {K}' + \mu {\mathbf {a}^{\perp }}\) (namely, \((1,\mathbf {m}^{\!\scriptscriptstyle {\top }}) \mathbf {u}\) is masked by \(\mu \leftarrow _{\textsc {r}}\mathbb {Z}_q\));
 – the output of \(\mathsf {Sign}\mathsf {O}^*\) on \(\tau ^*\) leaks \((1,\mathbf {m}^{\!\scriptscriptstyle {\top }}) (\mathbf {K}' + \mathbf {u}{\mathbf {a}^{\perp }})\), which is captured by \((1,\mathbf {m}^{\!\scriptscriptstyle {\top }}) \mathbf {u}\).
To convince \(\mathsf {Verify}^*\) to accept a signature \(\sigma ^*\) on \(\mathbf {m}^*\), the adversary must correctly compute$$\begin{aligned} (1,{\mathbf {m}^*}^{\!\scriptscriptstyle {\top }}) (\mathbf {K}' + \mathbf {u}{\mathbf {a}^{\perp }}) \end{aligned}$$and thus \((1,{\mathbf {m}^*}^{\!\scriptscriptstyle {\top }}) \mathbf {u}\in \mathbb {Z}_q\). Given \((1,\mathbf {m}^{\!\scriptscriptstyle {\top }}) \mathbf {u}\), for any adaptively chosen \(\mathbf {m}^* \ne \mathbf {m}\), we have that \((1,{\mathbf {m}^*}^{\!\scriptscriptstyle {\top }}) \mathbf {u}\) is uniformly random over \(\mathbb {Z}_q\) from the adversary’s viewpoint. Therefore, \(\mathbf {Adv}_5 \le 1/q\). \(\square \)
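The following Python script is an added example, not the authors' code, that models \(\mathsf {SPS}_\mathsf {full}\) at the level of exponents: every group element \([x]_1\) or \([x]_2\) is stored as the scalar x modulo a constructed prime, and each pairing-product equation becomes a matrix identity over \(\mathbb {Z}_q\). The key and signature shapes are taken from the verification equations in Game 1 and the signing simulation in Game 4 above; since Fig. 3 is not reproduced on this page, the relation \(\mathbf {P}_0 = \mathbf {B}^{\!\scriptscriptstyle {\top }}\mathbf {K}_0\), \(\mathbf {P}_1 = \mathbf {B}^{\!\scriptscriptstyle {\top }}\mathbf {K}_1\) and the k-Lin instantiation of \(\mathcal {D}_k\) are assumptions of this example. It checks that honest signatures verify under both equations, that the same signature is rejected for a different message and for a mismatched tag, that a signature has \(3k+3\) elements of \(\mathbb {G}_1\) plus \([\tau ]_2\) (the \(3k+4\) stated in Sect. 1.2), and the Game 5 observation that \(\mathbf {K}' + \mathbf {u}{\mathbf {a}^{\perp }}\) yields the same public \(\mathbf {C}\) as \(\mathbf {K}'\). The script demonstrates correctness of the algebra only; it says nothing about security, because in this model anyone holding the scalars could sign.

```python
import random

Q = (1 << 61) - 1  # constructed modulus standing in for the group order q (a Mersenne prime)

# Matrices over Z_q are lists of rows; [x]_1 and [x]_2 are modelled by the scalar x itself.
def matmul(X, Y, q=Q):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]

def madd(X, Y, q=Q):
    return [[(x + y) % q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def mscale(c, X, q=Q):
    return [[(c * x) % q for x in row] for row in X]

def transpose(X):
    return [list(col) for col in zip(*X)]

def rand_matrix(rows, cols, rng, q=Q):
    return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]

def sample_klin(k, rng, q=Q):
    # D_k instantiated with the k-Lin distribution (assumption of this example):
    # diag(a_1, ..., a_k) on top of a row of ones; full rank k, top k×k block invertible.
    a = [rng.randrange(1, q) for _ in range(k)]
    return [[a[i] if i == j else 0 for j in range(k)] for i in range(k)] + [[1] * k]

def kernel_vector(A, q=Q):
    # a^⊥ with a^⊥ A = 0 for a k-Lin matrix: (a_1^{-1}, ..., a_k^{-1}, -1)
    k = len(A[0])
    return [[pow(A[i][i], -1, q) for i in range(k)] + [q - 1]]

def keygen(n, k, rng, q=Q):
    A, B = sample_klin(k, rng, q), sample_klin(k, rng, q)
    K = rand_matrix(n + 1, k + 1, rng, q)        # K  in Z_q^{(n+1)×(k+1)}
    K0 = rand_matrix(k + 1, k + 1, rng, q)       # K0, K1 in Z_q^{(k+1)×(k+1)}
    K1 = rand_matrix(k + 1, k + 1, rng, q)
    Bt = transpose(B)
    # public key: [A]_2, [C]_2 = [KA]_2, [C0]_2 = [K0 A]_2, [C1]_2 = [K1 A]_2
    pk = {"A": A, "C": matmul(K, A, q), "C0": matmul(K0, A, q), "C1": matmul(K1, A, q)}
    # assumed: P0 = B^T K0, P1 = B^T K1; the signer keeps K, [P0]_1, [P1]_1, [B]_1 (Game 4)
    sk = {"K": K, "P0": matmul(Bt, K0, q), "P1": matmul(Bt, K1, q), "B": B}
    return pk, sk

def sign(sk, m, rng, q=Q):
    k = len(sk["B"][0])
    r = rand_matrix(1, k, rng, q)                # r^T as a 1×k row
    tau = rng.randrange(q)                       # fresh scalar tag, published only as [tau]_2
    m_ext = [[1] + list(m)]                      # (1, m^T)
    sigma2 = matmul(r, transpose(sk["B"]), q)    # [r^T B^T]_1
    mac = matmul(m_ext, sk["K"], q)              # [(1, m^T) K]_1, the one-time MAC of Sect. 3
    sigma1 = madd(mac, matmul(r, madd(sk["P0"], mscale(tau, sk["P1"], q), q), q), q)
    sigma3 = mscale(tau, sigma2, q)              # [tau r^T B^T]_1
    return sigma1, sigma2, sigma3, tau           # 3(k+1) elements of G_1 and one of G_2

def verify(pk, m, sigma, q=Q):
    s1, s2, s3, s4 = sigma
    m_ext = [[1] + list(m)]
    # e(s1,[A]_2) = e([(1,m^T)]_1,[C]_2) · e(s2,[C0]_2) · e(s3,[C1]_2), read in the exponent:
    lhs = matmul(s1, pk["A"], q)
    rhs = madd(madd(matmul(m_ext, pk["C"], q), matmul(s2, pk["C0"], q), q),
               matmul(s3, pk["C1"], q), q)
    # e(s2,[tau]_2) = e(s3,[1]_2) binds the scalar tag to s3:
    return lhs == rhs and mscale(s4, s2, q) == s3

def signature_size(sigma):
    """Number of group elements in (G_1, G_2); expected (3k+3, 1)."""
    s1, s2, s3, _ = sigma
    return (len(s1[0]) + len(s2[0]) + len(s3[0]), 1)

def pk_hides_u(n, k, rng, q=Q):
    # Game 5: K := K' + u a^⊥ gives the same public C = K A as K', because a^⊥ A = 0.
    A = sample_klin(k, rng, q)
    Kp = rand_matrix(n + 1, k + 1, rng, q)
    u = rand_matrix(n + 1, 1, rng, q)
    K = madd(Kp, matmul(u, kernel_vector(A, q), q), q)
    return matmul(K, A, q) == matmul(Kp, A, q)

if __name__ == "__main__":
    rng = random.Random(2015)
    pk, sk = keygen(n=2, k=1, rng=rng)           # SXDH setting (k = 1), messages in G_1^2
    m = [5, 9]                                   # constructed message exponents
    sig = sign(sk, m, rng)
    print("honest signature verifies:", verify(pk, m, sig))
    print("same signature, other message:", verify(pk, [5, 10], sig))
    print("elements in (G_1, G_2):", signature_size(sig))
    print("K' + u a^perp hidden by pk:", pk_hides_u(2, 1, rng))
```

Correctness of the first equation is the identity \(\sigma _1\mathbf {A} = (1,\mathbf {m}^{\!\scriptscriptstyle {\top }})\mathbf {K}\mathbf {A} + \mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {B}^{\!\scriptscriptstyle {\top }}\mathbf {K}_0\mathbf {A} + \tau \mathbf {r}^{\!\scriptscriptstyle {\top }}\mathbf {B}^{\!\scriptscriptstyle {\top }}\mathbf {K}_1\mathbf {A}\), which is what `verify` compares; the second equation is what stops a signer from pairing \(\sigma _3\) with a tag other than the one used in \(\sigma _1\).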
4.3 Extension: SPS for Bilateral Message Spaces
Let \(\mathcal {M}:= \mathbb {G}_1^{n_1} \times \mathbb {G}_2^{n_2}\) be a message space. In Type III pairing groups, \(\mathcal {M}\) is bilateral if both \(n_1\ne 0\) and \(n_2\ne 0\); otherwise, \(\mathcal {M}\) is unilateral. We extend the construction from Sect. 4.2 to sign bilateral message spaces.
The main idea of our construction is to use the Even-Goldreich-Micali (EGM) framework [23] and a method of Abe et al. [2]: for \(\mathbf {m}=([\mathbf {m}_1]_1,[\mathbf {m}_2]_2)\in \mathbb {G}_1^{n_1}\times \mathbb {G}_2^{n_2}\) we sign \([\mathbf {m}_1]_1\) by using a one-time SPS with a fresh public key \(\mathsf {pk}_{\mathsf {ot}}\) over \(\mathbb {G}_2\) and then sign the message \(([\mathbf {m}_2]_2,\mathsf {pk}_{\mathsf {ot}})\) using an unbounded \(\mathsf {CMA}\)-secure SPS; the signature on \(([\mathbf {m}_1]_1,[\mathbf {m}_2]_2)\) is \(\mathsf {pk}_{\mathsf {ot}}\) together with the concatenation of both signatures. However, this yields long signatures as \(\mathsf {pk}_{\mathsf {ot}}\) contains \(O(n_1 k)\) group elements for the best known one-time SPS. Next, we observe that our one-time SPS is in fact a so-called “two-tier” signature scheme [12], i.e. \(\mathsf {opk}\) can be decomposed into a reusable long primary key plus a short one-time secondary key which contains only k group elements. For the transformation sketched above it suffices to put the short secondary key in the signature, which leads to short signatures.
Details about our two-tier SPS and generic transformation are given in the full version [35]. The resulting unbounded \(\mathsf {CMA}\)-secure SPS for bilateral message spaces is shown in Fig. 4. Its parameters are: \(|\mathsf {pk}| = (n_1+n_2)k+3(k+1)k+2\mathsf {RE}(\mathcal {D}_k)\), \(|\sigma | = (4k+3,k+2)\), and \(\#\text {equations}=3k+1\). The notation (x, y) represents x elements in \(\mathbb {G}_1\) and y elements in \(\mathbb {G}_2\). Under the \(\mathsf {SXDH} \) assumption, our scheme achieves \((|\mathsf {pk}|,|\sigma |, \# \text {equations})=(n_1+n_2+8,(7,3),4)\). Compared with \((n_1+n_2+22,(8,6),5)\) of [2], we obtain better efficiency under standard assumptions. The following theorem is proved in the full version [35].
Theorem 3
Under the \(\mathcal {D}_k\)-\(\mathsf {MDDH} \) Assumption in \(\mathbb {G}_1\) and the \(\mathcal {D}_k\)-\(\mathsf {KerMDH} \) Assumption in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), \(\mathsf {BSPS_{full}}\) from Fig. 4 is an unbounded \(\mathsf {CMA}\)-secure structure-preserving signature scheme.
5 Security Against Random Message Attacks
In this section, we consider possible efficiency improvements on the structure-preserving signatures (SPS) from Sects. 3 and 4 for the weaker security notion of unforgeability against random message attacks (\(\mathsf {RMA}\)). Precisely, we obtain a one-time \(\mathsf {RMA}\)-secure SPS with signature size one less than that from Fig. 2 and an unbounded \(\mathsf {RMA}\)-secure SPS with signature size \(k+1\) less than that from Fig. 3. Figure 5 summarizes our results.
5.1 Unforgeability Against Random Message Attacks
\(\mathsf {RMA}\)-security states that it is hard for an adversary to forge a signature even if he sees many signatures on randomly chosen messages. The security is formally defined as follows:
Definition 6
5.2 One-Time RMA-Secure SPS
Theorem 4
Under the \(\mathcal {D}_k\)-\(\mathsf {KerMDH} \) Assumption in \(\mathbb {G}_2\), \(\mathsf {rSPS}_\mathsf {ot}\) from Fig. 6 is a one-time \(\mathsf {RMA}\)-secure structure-preserving signature scheme.
5.3 Unbounded RMA-Secure SPS
Theorem 5
Under the \(\mathcal {D}_k\)-\(\mathsf {MDDH} \) Assumption in \(\mathbb {G}_1\) and the \(\mathcal {D}_k\)-\(\mathsf {KerMDH} \) Assumption in \(\mathbb {G}_2\), \(\mathsf {rSPS}_\mathsf {full}\) from Fig. 7 is an unbounded \(\mathsf {RMA}\)-secure structure-preserving signature scheme.
The proof is given in [35].
Footnotes
 1. For fixed generators \(g_1\) and \(g_2\) of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and for a matrix \(\mathbf {M}\in \mathbb {Z}_q^{n\times t}\), we define \([\mathbf {M}]_1:=g_1^{\mathbf {M}}\) and \([\mathbf {M}]_2:=g_2^{\mathbf {M}}\) (componentwise).
 2. We refer the reader to Sect. 2.2 for a more detailed treatment of the assumptions.
Acknowledgments
We thank Olivier Blazy and Georg Fuchsbauer for helpful discussions.
References
1. Abdalla, M., Benhamouda, F., Pointcheval, D.: Disjunctions for hash proof systems: new constructions and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 69–100. Springer, Heidelberg (2015)
2. Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 4–24. Springer, Heidelberg (2012)
3. Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)
4. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
5. Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011)
6. Abe, M., Groth, J., Ohkubo, M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 628–646. Springer, Heidelberg (2011)
7. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Structure-preserving signatures from type II pairings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 390–407. Springer, Heidelberg (2014)
8. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 688–712. Springer, Heidelberg (2014)
9. Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 386–404. Springer, Heidelberg (2013)
10. Barthe, G., Fagerholm, E., Fiore, D., Scedrov, A., Schmidt, B., Tibouchi, M.: Strongly-optimal structure preserving signatures from type II pairings: synthesis and lower bounds. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 355–376. Springer, Heidelberg (2015)
11. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009)
12. Bellare, M., Shoup, S.: Two-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 201–216. Springer, Heidelberg (2007)
13. Blazy, O., Canard, S., Fuchsbauer, G., Gouget, A., Sibert, H., Traoré, J.: Achieving optimal anonymity in transferable e-cash with a judge. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 206–223. Springer, Heidelberg (2011)
14. Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014)
15. Boneh, D., Freeman, D., Katz, J., Waters, B.: Signing a linear subspace: signature schemes for network coding. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 68–87. Springer, Heidelberg (2009)
16. Catalano, D., Marcedone, A., Puglisi, O.: Authenticating computation on groups: new homomorphic primitives and applications. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 193–212. Springer, Heidelberg (2014)
17. Cathalo, J., Libert, B., Yung, M.: Group encryption: non-interactive realization in the standard model. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 179–196. Springer, Heidelberg (2009)
18. Chase, M., Kohlweiss, M., Lysyanskaya, A., Meiklejohn, S.: Malleable proof systems and applications. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 281–300. Springer, Heidelberg (2012)
19. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015)
20. Chen, J., Lim, H.W., Ling, S., Wang, H., Wee, H.: Shorter IBE and signatures via asymmetric pairings. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 122–140. Springer, Heidelberg (2013)
21. Desmedt, Y.: Computer security by redefining what a computer is. In: New Security Paradigms Workshop (NSPW) (1993)
22. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013)
23. Even, S., Goldreich, O., Micali, S.: Online/offline digital signatures. J. Cryptology 9(1), 35–67 (1996)
24. Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011)
25. Fuchsbauer, G., Vergnaud, D.: Fair blind signatures without random oracles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 16–33. Springer, Heidelberg (2010)
26. Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 179–197. Springer, Heidelberg (2008)
27. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)
28. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)
29. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
30. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012)
31. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007)
32. Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002)
33. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 1–20. Springer, Heidelberg (2013)
34. Jutla, C.S., Roy, A.: Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 295–312. Springer, Heidelberg (2014)
35. Kiltz, E., Pan, J., Wee, H.: Structure-preserving signatures from standard assumptions, revisited. Cryptology ePrint Archive, full version of this paper (2015)
36. Kiltz, E., Wee, H.: Quasi-adaptive NIZK for linear subspaces revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 101–128. Springer, Heidelberg (2015)
37. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010)
38. Libert, B., Peters, T., Joye, M., Yung, M.: Linearly homomorphic structure-preserving signatures and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 289–307. Springer, Heidelberg (2013)
39. Libert, B., Peters, T., Joye, M., Yung, M.: Non-malleability from malleability: simulation-sound quasi-adaptive NIZK proofs and CCA2-secure encryption from homomorphic signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 514–532. Springer, Heidelberg (2014)
40. Libert, B., Peters, T., Yung, M.: Group signatures with almost-for-free revocation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 571–589. Springer, Heidelberg (2012)
41. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
42. Morillo, P., Ràfols, C., Villar, J.L.: Matrix computational assumptions in multilinear groups. Cryptology ePrint Archive, Report 2015/353 (2015)
43. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
44. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014)