Short Group Signatures via Structure-Preserving Signatures: Standard Model Security from Simple Assumptions
Abstract
Group signatures are a central cryptographic primitive which allows users to sign messages while hiding their identity within a crowd of group members. In the standard model (without the random oracle idealization), the most efficient constructions rely on the Groth-Sahai proof systems (Eurocrypt’08). The structure-preserving signatures of Abe et al. (Asiacrypt’12) make it possible to design group signatures based on well-established, constant-size number-theoretic assumptions (a.k.a. “simple assumptions”) like the Symmetric eXternal Diffie-Hellman or Decision Linear assumptions. While much more efficient than group signatures built on general assumptions, these constructions incur a significant overhead w.r.t. constructions secure in the idealized random oracle model. Indeed, the best known solution based on simple assumptions requires 2.8 kB per signature for currently recommended parameters. Reducing this size and presenting techniques for shorter signatures are thus natural questions. In this paper, our first contribution is to significantly reduce this overhead. Namely, we obtain the first fully anonymous group signatures based on simple assumptions with signatures shorter than 2 kB at the 128-bit security level. In dynamic (resp. static) groups, our signature length drops to 1.8 kB (resp. 1 kB). This improvement is enabled by two technical tools. As a result of independent interest, we first construct a new structure-preserving signature based on simple assumptions which shortens the best previous scheme by \(25\,\%\). Our second tool is a method for attaining anonymity in the strongest sense using a new CCA2-secure encryption scheme which is also a Groth-Sahai commitment.
Keywords
Group signatures, Standard model, Simple assumptions, Efficiency, Structure-preserving cryptography, QA-NIZK arguments
1 Introduction
As introduced by Chaum and van Heyst [27] in 1991, group signatures allow members of a group administered by some authority to anonymously sign messages on behalf of the group. In order to prevent abuses, an opening authority has the power to uncover a signer’s identity if the need arises.
The usual approach for building a group signature consists in having the signer encrypt his group membership credential under the public key of the opening authority while appending a non-interactive zero-knowledge (NIZK) proof, which is associated with the message, claiming that things were done correctly. Until 2006, efficient instantiations of this primitive were only available under the random oracle idealization [14], which is limited to only provide heuristic arguments in terms of security [24]. This state of affairs changed in the last decade, with the emergence of solutions [20, 21, 35, 36] enabled by breakthrough results in the design of relatively efficient non-interactive witness indistinguishable (NIWI) proofs [37]. While drastically more efficient than solutions based on general NIZK proofs [12, 15], the constructions of [20, 21, 35, 36] still incur a substantial overhead when compared with their random-oracle-based counterparts [10, 18, 30]. Moreover, their most efficient variants [21, 36] tend to rely on parametrized assumptions – often referred to as “q-type” assumptions – where the number of input elements is determined by a parameter q which, in turn, depends on the number of users in the system or the number of adversarial queries (or both). Since the assumption becomes stronger as q increases, a different assumption is needed for every adversary (based on its number of queries) and every maximal number of users in the group. Not only does it limit the scalability of realizations, it also restricts the level of confidence in their security.
In this paper, we consider the problem of devising group signatures, based on simple assumptions, that are as short as possible. By “simple assumption”, we mean a well-established assumption, like the Decision Diffie-Hellman assumption, which is simultaneously non-interactive and described using a constant number of elements, regardless of the number of users in the system or the number of adversarial queries. We remark that even in the random oracle model, this problem turns out to be highly non-trivial as non-simple assumptions (like the Strong RSA [10, 42] or Strong Diffie-Hellman [18, 30]) are frequently relied on. In the standard model, our main contribution is designing the first group signatures based on simple assumptions and whose size is less than 2 kB for the currently recommended 128-bit security level. In static groups, our most efficient scheme features signatures slightly longer than 1 kB. So far, the best standard-model group signature based on simple assumptions was obtained from the structure-preserving signatures (SPS) of Abe et al. [1, 2] and required 2.875 kB per signature. Along the way and as a result of independent interest, we also build a new structure-preserving signature (SPS) with the shortest length among those based on simple assumptions. Concretely, the best previous SPS based on similar assumptions [1, 2] is shortened by \(25\,\%\).
Related Work. Group signatures have a long history. Still, efficient and provably coalition-resistant constructions (in the random oracle model) remained elusive until the work of Ateniese, Camenisch, Joye and Tsudik [10] in 2000. At that time, however, there was no proper formalization of the security properties that can be naturally expected from group signatures. This gap was filled in 2003 by Bellare, Micciancio and Warinschi [12] (BMW) who captured all the requirements of group signatures in three properties. In (a variant of) this model, Boneh, Boyen and Shacham [18] obtained very short signatures using the random oracle methodology [14].
The BMW model assumes static groups where the set of members is frozen after the setup phase beyond which no new member can be added. The setting of dynamic groups was explored later on by Bellare-Shi-Zhang [15] and, independently, by Kiayias and Yung [42]. In these models [15, 42], short signature lengths were obtained in [30]. A construction based on interactive assumptions in the standard model was also put forth by Ateniese et al. [9]. Using standard assumptions, Boyen and Waters gave a different solution [20] based on the Groth-Ostrovsky-Sahai NIZK proof system [34]. They subsequently managed to obtain O(1)-size signatures at the expense of appealing to a q-type assumption [21]. Their constructions [20, 21] were both analyzed in (a relaxation of) the BMW model [12] where the adversary is not granted access to a signature opening oracle. In dynamic groups [15], Groth [35] obtained constant-size signatures in the standard model but, due to huge hidden constants, his result was mostly a proof of concept. By making the most of Groth-Sahai NIWI proofs [37], he subsequently reduced signatures to 48 group elements [36] with the caveat of resting on relatively ad hoc q-type assumptions. For the time being, the best group signatures based on standard assumptions are enabled by the structure-preserving signatures of Abe, Chase, David, Kohlweiss, Nishimaki, and Ohkubo [1]. In asymmetric pairings \(e: \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\) (where \(\mathbb {G}\ne \hat{\mathbb {G}}\)), anonymously signing messages requires at least 40 elements of \(\mathbb {G}\) and 26 elements of \(\hat{\mathbb {G}}\).
In 2010, Abe et al. [3, 8] advocated the use of structure-preserving cryptography as a general tool for building privacy-preserving protocols in a modular fashion. In short, structure-preserving signatures (SPS) are signature schemes that smoothly interact with Groth-Sahai proofs [37] as messages, signatures and public keys all live in the source groups \((\mathbb {G},\hat{\mathbb {G}})\) of a bilinear map \(e: \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\). SPS schemes were initially introduced by Groth [35] and further studied in [25, 31]. In the last three years, a large body of work was devoted to the feasibility and efficiency of structure-preserving signatures [1, 2, 3, 4, 8, 23, 25, 26, 31, 35, 38]. In Type III pairings (i.e., where \(\mathbb {G}\ne \hat{\mathbb {G}}\) and no isomorphism is computable from \(\hat{\mathbb {G}}\) to \(\mathbb {G}\) or backwards), Abe et al. [4] showed that any SPS scheme must contain at least 3 group elements per signature. For a natural class of reductions, the security of optimally short signatures was also shown [5] unprovable under any non-interactive assumption. These impossibility results were recently found [7] not to carry over to Type II pairings (i.e., where \(\mathbb {G}\ne \hat{\mathbb {G}}\) and an efficiently computable isomorphism \(\psi : \hat{\mathbb {G}} \rightarrow \mathbb {G}\) is available).
To the best of our knowledge, the minimal length of structure-preserving signatures based on simple assumptions remains an unsettled open question. We believe it to be of primary importance considering the versatility of structure-preserving cryptography in the design of privacy-related protocols, including group signatures [8], group encryption [25] or adaptive oblivious transfer [33].
Our Results. The first contribution of this paper is to describe a new structure-preserving signature based on the standard Symmetric eXternal Diffie-Hellman (SXDH) assumption and an asymmetric variant of the Decision Linear assumption with only 10 group elements (more precisely, 9 elements of \(\mathbb {G}\) and one element of \(\hat{\mathbb {G}}\)) per signature. So far, the best instantiation of [1, 2] required 7 elements of \(\mathbb {G}\) and 4 elements of \(\hat{\mathbb {G}}\). Since the representation of \(\hat{\mathbb {G}}\) elements is at least twice as long as that of \(\mathbb {G}\) elements, our scheme thus saves \(26\,\%\) in terms of signature length. Armed with our new SPS and other tools, we then construct dynamic group signatures using only 32 elements of \(\mathbb {G}\) and 14 elements of \(\hat{\mathbb {G}}\) in each signature, where Abe et al. [1, 2] need at least 40 elements of \(\mathbb {G}\) and 26 elements of \(\hat{\mathbb {G}}\). For typical parameters, our signatures are thus \(37\,\%\) shorter with a total length of only 1.8 kB at the 128-bit security level. In an independent work, Kiltz, Pan and Wee [45] managed to obtain even shorter structure-preserving signatures than ours under the SXDH assumption. If their construction is used in our dynamic group signature, it allows eliminating at least 4 more elements of \(\mathbb {G}\) from signatures. In the static model of Bellare, Micciancio and Warinschi [12], we describe an even more efficient realization where the signature length decreases to almost 1 kB.
Our Techniques. Our structure-preserving signature can be seen as a non-trivial optimization of a modular design, suggested by Abe et al. [1], which combines a weakly secure SPS scheme and a tagged one-time signature (TOTS). In a TOTS scheme, each signature contains a fresh tag and, without knowing the private key, it should be computationally infeasible to generate a signature on a new message for a previously used tag. The construction of [1] obtains a full-fledged SPS by combining a TOTS scheme with an SPS system that is only secure against extended random message attacks (XRMA). As defined in [1], XRMA security basically captures security against an adversary that only obtains signatures on random group elements even knowing some auxiliary information used to sample these elements (typically their discrete logarithms). While Abe et al. [1] make use of the discrete logs of signed messages in their proofs of XRMA security, their modular construction does not. Here, by explicitly using the discrete logarithms in the construction, we obtain significant efficiency improvements. Using Waters’ dual system techniques [51], we construct an SXDH-based F-unforgeable signature scheme which, according to the terminology of Belenkiy et al. [11], is a signature scheme that remains verifiable and unforgeable even if the adversary only outputs an injective function of the forgery message. Our new SPS is the result of combining our F-unforgeable signature and the TOTS system of [2]. We stress that our scheme can no longer be seen as an instantiation of a generic construction. Still, at the natural expense of sacrificing modularity, it does provide shorter signatures.
In turn, our F-unforgeable signatures are obtained by taking advantage of the quasi-adaptive NIZK (QA-NIZK) arguments of linear subspace membership suggested by Jutla and Roy [40] and further studied in [41, 47], where the CRS may depend on the language for which proofs have to be generated. In a nutshell, our starting point is a signature scheme suggested by Jutla and Roy (inspired by ideas due to Camenisch et al. [22]) where each signature is a CCA2-secure encryption of the private key (made verifiable via QA-NIZK proofs) and the message is included in the label [50]. We rely on the observation that QA-NIZK proofs for linear subspaces [40] (or their optimized variants [41, 47]) make it possible to verify signatures even if the message is only available in the exponent.
In order to save the equivalent of 15 elements of the group \(\mathbb {G}\) and make the group signature as short as possible, we also design a new CCA2-secure tag-based encryption (TBE) scheme [44, 48] which incorporates a Groth-Sahai commitment. In fully anonymous group signatures, CCA2-anonymity is usually acquired by verifiably encrypting the signer’s credential using a CCA2-secure cryptosystem while providing evidence that the plaintext coincides with a committed group element. Inspired by a lossy encryption scheme [13] suggested by Hemenway et al. [39], we depart from this approach and rather use a CCA2-secure encryption scheme which simultaneously plays the role of a Groth-Sahai commitment. That is, even when the Groth-Sahai CRS is a perfectly hiding CRS, we are able to extract committed group elements for any tag but a specific one, where the encryption scheme behaves like a perfectly hiding commitment and induces perfectly NIWI proofs. In order to make the validity of TBE ciphertexts publicly verifiable, we rely on the QA-NIZK proofs of Libert et al. [47] which are well-suited to the specific subspaces encountered in this context. We believe this encryption scheme to be of interest in its own right since it allows shortening other group signatures based on Groth-Sahai proofs (e.g., [36]) in a similar way.
Our group signature in the static BMW model [12] does not build on structure-preserving signatures but rather follows the same design principle as the constructions of Boyen and Waters [20, 21]. It is obtained by extending our F-unforgeable signature into a 2-level hierarchical signature [43] (or, equivalently, an identity-based signature [49]) where first-level messages are implicit in the exponent. In spirit and from an efficiency standpoint, our static group signature is thus similar to the second construction [21] of Boyen and Waters, with the benefit of providing full anonymity while relying on the sole SXDH assumption.
2 Background
2.1 Hardness Assumptions
We use bilinear maps \(e:\mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\) over groups of prime order p where \(e(g,\hat{h})\ne 1_{\mathbb {G}_T}\) if and only if \(g \ne 1_{\mathbb {G}}\) and \(\hat{h} \ne 1_{\hat{\mathbb {G}}}\). We rely on hardness assumptions that are non-interactive and described using a constant number of elements.
Definition 1
The Decision Diffie-Hellman (DDH) problem in \(\mathbb {G}\) is to distinguish the distributions \((g^{a},g^b,g^{ab} )\) and \((g^{a},g^b,g^{ c} )\), with \(a,b,c \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\). The DDH assumption is the intractability of the problem for any PPT distinguisher.
In the following, we will rely on the Symmetric eXternal Diffie-Hellman (SXDH) assumption which posits the hardness of DDH in \(\mathbb {G}\) and \(\hat{\mathbb {G}}\) in asymmetric pairing configurations. We also assume the hardness of the following problem, which generalizes the Decision Linear problem [18] to asymmetric pairings.
Definition 2
The XDLIN\(_1\) assumption is defined analogously and posits the infeasibility of distinguishing \(g^{c+d}\) and \(g^z\) given \((g,g^{a},g^b,g^{ac},g^{bd}, \hat{g},\hat{g}^a, \hat{g}^b,\hat{g}^{ac},\hat{g}^{bd})\).
2.2 Linearly Homomorphic Structure-Preserving Signatures
Structure-preserving signatures [3, 8] are signature schemes where messages and public keys all consist of elements of a group over which a bilinear map \(e: \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\) is efficiently computable.
Libert et al. [46] considered structure-preserving signatures with linear homomorphic properties. This section recalls the one-time linearly homomorphic structure-preserving signature (LHSPS) of [46]. In the description below, we assume that all algorithms take as input the description of common public parameters \(\mathsf {cp}\) consisting of asymmetric bilinear groups \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) of prime order \(p>2^\lambda \), where \(\lambda \) is the security parameter.
In [46], Libert et al. suggested the following construction which can be proved secure under the SXDH assumption.
Keygen \((\mathsf {cp},n)\) : Given common public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) and the dimension \(n \in \mathbb {N}\) of the subspace to be signed, choose \(\hat{g_z},\hat{g_r} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\). For \(i=1\) to n, pick \(\chi _i,\gamma _i \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute \(\hat{g}_i=\hat{g_z}^{\chi _i} \hat{g_r}^{\gamma _i}\). The private key is \(\mathsf {sk}= \{ (\chi _i, \gamma _i ) \}_{i=1}^n \) while the public key is \( \mathsf {pk}=\big (\hat{g_z},~\hat{g_r} ,~\{ \hat{g}_i \}_{i=1}^n \big ) \in \hat{\mathbb {G}}^{n+2}\).
Sign \((\mathsf {sk},(M_1,\cdots ,M_n))\) : In order to sign a vector \((M_1,\cdots ,M_n) \in \mathbb {G}^n\) using \(\mathsf {sk}= \{ (\chi _i, \gamma _i) \}_{i=1}^n \), output \(\sigma =(z,r ) = \big (\prod _{i=1}^n M_i^{-\chi _i} , \prod _{i=1}^n M_i^{-\gamma _i} \big ) \).
SignDerive \((\mathsf {pk},\{(\omega _i,\sigma ^{(i)})\}_{i=1}^\ell )\) : Given \(\mathsf {pk}\) as well as \(\ell \) tuples \((\omega _i,\sigma ^{(i)}) \), parse \(\sigma ^{(i)}\) as \(\sigma ^{(i)}=\big ( z_i,r_i \big ) \) for \(i=1\) to \(\ell \). Return \(\sigma =(z,r ) =\big ( \prod _{i=1}^\ell z_{i}^{\omega _i}, \prod _{i=1}^{\ell } r_i^{\omega _i} \big )\).
Verify \((\mathsf {pk},\sigma ,(M_1,\cdots ,M_n))\) : Given a signature \(\sigma =(z,r ) \in \mathbb {G}^2\) and a vector \((M_1,\cdots ,M_n)\), return 1 if and only if \((M_1,\cdots ,M_n)\ne (1_{\mathbb {G}},\cdots ,1_{\mathbb {G}})\) and (z, r ) satisfy \( 1_{\mathbb {G}_T} = e(z,\hat{g_z}) \cdot e(r,\hat{g_r}) \cdot \prod _{i=1}^n e(M_i,\hat{g}_i) . \)
In [47], (a variant of) this scheme was used to construct constant-size QA-NIZK arguments [40] showing that a vector \({{\varvec{v}}} \in \mathbb {G}^n\) belongs to a linear subspace of rank t spanned by a matrix \({\varvec{\rho }} \in \mathbb {G}^{t \times n}\). Under the SXDH assumption, each argument is comprised of two elements of \(\mathbb {G}\), independently of t or n.
3 An F-Unforgeable Signature
As a technical tool, our constructions rely on a signature scheme which we prove F-unforgeable under the SXDH assumption. As defined by Belenkiy et al. [11], F-unforgeability refers to the inability of the adversary to output a valid signature for a non-trivial message M without outputting the message itself. Instead, the adversary is only required to output F(M), for an injective but not necessarily efficiently invertible function F.
The scheme extends ideas used in signature schemes suggested in [22, 40], where each signature is a CCA2-secure encryption —using the message to be signed as a label—of the private key accompanied with a QA-NIZK proof that the encrypted value is the private key. In their most efficient variant, Jutla and Roy observed [40, Sect. 5] that it suffices to encrypt private keys \(g^\omega \) with a projective hash value \((v^M \cdot w)^r\) [29] so as to obtain signatures of the form \((\sigma _1,\sigma _2,\sigma _3)=(g^\omega \cdot (v^M \cdot w)^r,g^r,h^r )\), which is reminiscent of selectively secure Boneh-Boyen signatures [16].
As in [32, 51], the security proof proceeds with a sequence of games to gradually reach a game where the signing oracle never uses the private key, in which case it becomes easier to prove security. In the final game, signatures always encrypt a random value while QA-NIZK proofs are simulated. When transitioning from one hybrid game to the next one, the crucial step is to argue that, even if the signing oracle produces fewer and fewer signatures using the private key, the adversary’s forgery will still encrypt the private key. This is achieved via an information-theoretic argument borrowed from hash proof systems [28, 29].
In order to obtain an F-unforgeable signature which is verifiable given only F(M), our key observation is that QA-NIZK proofs make it possible to verify signatures even if M appears only implicitly in a tuple \((g^{s \cdot M},g^s,h^{s \cdot M},h^s) \in \mathbb {G}^4\).
Keygen \((\mathsf {cp})\) : Given common public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) consisting of asymmetric bilinear groups of prime order \(p>2^\lambda \), do the following.
1. Choose \(\omega ,a \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\), \(g ,v,w \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\), \(\hat{g} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\) and set \(h=g^a\), \(\varOmega =h^{\omega }\).
2. Define a matrix \(\mathbf {{M}}=(M_{j,i})_{j,i} \) given by
3. Generate a key pair \((\mathsf {sk}_{hsps},\mathsf {pk}_{hsps})\) for the one-time linearly homomorphic signature of Sect. 2.2 in order to sign vectors of dimension \(n=6\). Let \(\mathsf {sk}_{hsps}=\{(\chi _i,\gamma _i)\}_{i=1}^{6}\) be the private key, of which the corresponding public key is \( \mathsf {pk}_{hsps} = \big ( \hat{g_z}, ~ \hat{g_r},~\{ \hat{g}_i \}_{i=1}^{6} \big )\).
4. Using \(\mathsf {sk}_{hsps}=\{ \chi _i, \gamma _i \}_{i=1}^{6} \), generate one-time homomorphic signatures \(\{({z}_j,{r}_j)\}_{j=1}^{3}\) on the rows \({{\varvec{M}}}_{j}=({M}_{j,1},\cdots ,{M}_{j,6})\in {\mathbb {G}}^{6}\) of \(\mathbf {{M}}\). These are obtained as \( ({z}_{j},{r}_{j}) = \left( \prod _{i=1}^{6} {M}_{j,i}^{-\chi _i},~\prod _{i=1}^{6} {M}_{j,i}^{-\gamma _i} \right) ,\) for each \( j \in \{1,2,3\} \) and, as part of the common reference string for the QA-NIZK proof system of [47], they will be included in the public key.
The private key is \( \mathsf {sk}:=\omega \) and the public key is defined as
$$ \mathsf {pk}=\Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~p,~g,~h,~\hat{g}, ~(v,w),~\varOmega =h^\omega ,~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{3} \Bigr ).$$
Sign \((\mathsf {sk},M)\) : given \(\mathsf {sk}=\omega \) and a message \(M \in \mathbb {Z}_p\), choose \(s \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) to compute
$$\begin{aligned} \sigma _1= & {} g^\omega \cdot (v^M \cdot w)^{s} , \qquad \sigma _2=g^{s \cdot M}, \qquad \sigma _3 = g^{s } \\ \sigma _4= & {} h^{s \cdot M} , \qquad \sigma _5=h^{s} \end{aligned}$$
Then, generate a QA-NIZK proof that the vector \((\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5,\varOmega ) \in \mathbb {G}^{6} \) is in the row space of \(\mathbf {M}\). This QA-NIZK proof \((z,r) \in \mathbb {G}^2\) is obtained as
$$\begin{aligned} z= & {} z_1^\omega \cdot (z_2^M \cdot z_3)^{s} , \qquad r = r_1^\omega \cdot (r_2^M \cdot r_3)^{s} . \end{aligned}$$(2)
Return the signature \(\sigma =\big (\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5, z,r \big ).\)
Verify \((\mathsf {pk},\sigma ,{M})\) : parse \(\sigma \) as above and return 1 if and only if it holds that
$$\begin{aligned} e({z},\hat{g_z})\cdot e({r},\hat{g_r})= & {} e(\sigma _1,\hat{g_1})^{-1}\cdot e(\sigma _3,\hat{g_3}\cdot \hat{g_2}^M)^{-1}\cdot e(\sigma _5,\hat{g_5}\cdot \hat{g_4}^M)^{-1} \cdot e(\varOmega ,\hat{g_{6}})^{-1} \end{aligned}$$
and \((\sigma _2,\sigma _4)=(\sigma _3^M,\sigma _5^M)\).
Under the SXDH assumption, the scheme can be proved to be F-unforgeable for the injective function \(F(M)=\hat{g}^M\). The proof of this result is implied by the security result of Sect. 4 where we describe a generalization of the scheme that will be used to build a group signature in the BMW model.
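The following Python program is an added worked example and is not code from the paper or its authors. It models the one-time LHSPS of Sect. 2.2, the QA-NIZK row-space argument of [47] obtained from it (signed rows as CRS, a derived signature as proof), and the F-unforgeable signature above "in the exponent": every element of \(\mathbb {G}\), \(\hat{\mathbb {G}}\) and \(\mathbb {G}_T\) is represented by its discrete logarithm modulo a toy prime, with the generators \(g\) and \(\hat{g}\) mapped to 1, so that a pairing becomes a product of exponents. The modulus, the sample message and the three rows of \(\mathbf {M}\) are assumptions: the matrix is not shown on this page and is inferred here from the Sign algorithm, so that \(\omega \) times row 1 plus \(sM\) times row 2 plus \(s\) times row 3 yields \((\sigma _1,\ldots ,\sigma _5,\varOmega )\). The model exercises only the algebra of key generation, derivation and the verification equations; it has no hardness assumption behind it and is not a usable instantiation of the scheme.

```python
"""In-the-exponent model of the LHSPS (Sect. 2.2), the QA-NIZK row-space
argument of [47] and the F-unforgeable signature (Sect. 3).  Elements of G,
G^ and G_T are their discrete logs mod P (generators g, g^ <-> 1), so that
e(g^a, g^^b) = g_T^{a*b} is modelled by a*b mod P.  Algebra only, no security."""
import secrets

P = 2**127 - 1          # constructed toy prime modulus (a Mersenne prime), not from the paper


def rnd():
    return secrets.randbelow(P - 1) + 1


# ----- one-time linearly homomorphic SPS of Sect. 2.2 -----
def lhsps_keygen(n):
    gz, gr = rnd(), rnd()                                # g^_z, g^_r in G^
    sk = [(rnd(), rnd()) for _ in range(n)]              # (chi_i, gamma_i)
    gs = [(gz * chi + gr * gam) % P for chi, gam in sk]  # g^_i = g^_z^chi_i g^_r^gamma_i
    return sk, (gz, gr, gs)


def lhsps_sign(sk, m):
    # (z, r) = (prod M_i^{-chi_i}, prod M_i^{-gamma_i}); products become sums of logs
    z = -sum(mi * chi for mi, (chi, _) in zip(m, sk)) % P
    r = -sum(mi * gam for mi, (_, gam) in zip(m, sk)) % P
    return z, r


def lhsps_derive(weighted):
    # SignDerive: (z, r) = (prod z_i^{omega_i}, prod r_i^{omega_i}) from (omega_i, (z_i, r_i))
    z = sum(w * zi for w, (zi, _) in weighted) % P
    r = sum(w * ri for w, (_, ri) in weighted) % P
    return z, r


def lhsps_verify(pk, sig, m):
    gz, gr, gs = pk
    z, r = sig
    if all(mi == 0 for mi in m):      # the all-1_G vector is rejected
        return False
    # 1_GT = e(z, g^_z) e(r, g^_r) prod e(M_i, g^_i)  <=>  the sum of log-products is 0
    return (z * gz + r * gr + sum(mi * gi for mi, gi in zip(m, gs))) % P == 0


# ----- QA-NIZK argument that a vector lies in the row space of rho ([47]) -----
def qanizk_crs(rows):
    sk, pk = lhsps_keygen(len(rows[0]))
    return pk, [lhsps_sign(sk, row) for row in rows]     # CRS = signed rows; sk is dropped


def qanizk_prove(row_sigs, coeffs):
    # witness: v = sum_j coeffs[j] * rows[j]; the proof is the derived signature on v
    return lhsps_derive(list(zip(coeffs, row_sigs)))


qanizk_verify = lhsps_verify


# ----- F-unforgeable signature of Sect. 3 -----
def sig_keygen():
    omega, a, v, w = rnd(), rnd(), rnd(), rnd()          # g <-> 1, h = g^a <-> a
    # Rows of M (assumed here; inferred from the Sign algorithm, the matrix is not on the page):
    # (g,1,1,1,1,h), (v,g,1,h,1,1), (w,1,g,1,h,1), so that
    # omega*row1 + s*M*row2 + s*row3 = (sigma_1, ..., sigma_5, Omega).
    rows = [(1, 0, 0, 0, 0, a), (v, 1, 0, a, 0, 0), (w, 0, 1, 0, a, 0)]
    pk_hsps, row_sigs = qanizk_crs(rows)
    pk = {"a": a, "v": v, "w": w, "Omega": a * omega % P,
          "pk_hsps": pk_hsps, "rows": row_sigs}
    return omega, pk


def sig_sign(omega, pk, M):
    a, v, w = pk["a"], pk["v"], pk["w"]
    s = rnd()
    sigma = ((omega + s * (v * M + w)) % P,   # sigma_1 = g^omega (v^M w)^s
             s * M % P, s,                     # sigma_2 = g^{sM}, sigma_3 = g^s
             a * s * M % P, a * s % P)         # sigma_4 = h^{sM}, sigma_5 = h^s
    z, r = qanizk_prove(pk["rows"], [omega, s * M % P, s])   # equation (2)
    return sigma + (z, r)


def sig_verify(pk, sig, M):
    s1, s2, s3, s4, s5, z, r = sig
    if (s2, s4) != (s3 * M % P, s5 * M % P):   # (sigma_2, sigma_4) = (sigma_3^M, sigma_5^M)
        return False
    # e(z,g^_z) e(r,g^_r) = [e(s1,g^_1) e(s3,g^_3 g^_2^M) e(s5,g^_5 g^_4^M) e(Omega,g^_6)]^{-1}
    # is the LHSPS verification of (sigma_1, sigma_3^M, sigma_3, sigma_5^M, sigma_5, Omega).
    vec = (s1, s3 * M % P, s3, s5 * M % P, s5, pk["Omega"])
    return qanizk_verify(pk["pk_hsps"], (z, r), vec)


if __name__ == "__main__":
    sk, pk = sig_keygen()
    sig = sig_sign(sk, pk, 12345)                       # constructed sample message
    print("valid:", sig_verify(pk, sig, 12345), "wrong M:", sig_verify(pk, sig, 54321))
```

Because the LHSPS is linear in the signed vector, the proof of equation (2) is exactly `lhsps_derive` applied to the row signatures with the coefficients \((\omega ,sM,s)\); running the block shows that an honest signature verifies, that the same signature fails for any other message, and that a derived proof for a vector outside the row space fails.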
4 A Two-Level SXDH-based Hierarchical Signature
This section extends our F-unforgeable signature into a 2-level hierarchical signature with partially hidden messages. In a 2-level hierarchical signature [43] (a.k.a. identity-based signature), a signature on a message \(\mathsf {ID}\) (called “identity”) can be used as a delegated key for signing messages of the form \((\mathsf {ID},M)\) for any M. In order to construct group signatures, Boyen and Waters [21] used hierarchical signatures that can be verified even when identities (i.e., first-level messages) are not explicitly given to the verifier, but only appear implicitly in the exponent. The syntax and security definition are given in [20, 21].
In their most efficient construction [21], Boyen and Waters used a non-standard q-type assumption. This section gives a very efficient solution based on the standard SXDH assumption. It is obtained from our signature of Sect. 3 by having a signature \((g^\omega \cdot (v^\mathsf {ID}\cdot w)^s,g^s,h^s)\) on a given identity \(\mathsf {ID}\) serve as a private key for this identity modulo the introduction of a delegation component \(t^s\) akin to those of the Boneh-Boyen-Goh hierarchical IBE [17]. For the security proof to go through, we need to make sure that pairs \((g^{s \cdot M},g^{s})\), \((h^{s \cdot M},h^{s})\) hide the same message M, which is not immediately verifiable in the SXDH setting. To enforce this condition, we thus include \(\hat{g}^M\) in each signature.
Setup \((\mathsf {cp})\) : Given public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\), do the following.
1. Choose \(\omega ,a \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\), \(g,t,v,w \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\), \(\hat{g} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\) and set \(h=g^a\), \(\varOmega =h^{\omega }\).
2. Define a matrix \(\mathbf {{M}}=(M_{j,i})_{j,i} \) given by
3. Generate a key pair \((\mathsf {sk}_{hsps},\mathsf {pk}_{hsps})\) for the one-time linearly homomorphic signature of Sect. 2.2 in order to sign vectors of dimension \(n=8\). Let \(\mathsf {sk}_{hsps}=\{(\chi _i,\gamma _i)\}_{i=1}^{8}\) be the private key, of which the corresponding public key is \( \mathsf {pk}_{hsps} = \big ( \hat{g_z}, ~ \hat{g_r},~\{ \hat{g}_i \}_{i=1}^{8} \big )\).
4. Using \(\mathsf {sk}_{hsps}=\{ \chi _i, \gamma _i \}_{i=1}^{8} \), generate one-time homomorphic signatures \(\{({z}_j,{r}_j)\}_{j=1}^{4}\) on the rows \({{\varvec{M}}}_{j}=({M}_{j,1},\cdots ,{M}_{j,8})\in {\mathbb {G}}^{8}\) of \(\mathbf {{M}}\). These are obtained as \( ({z}_{j},{r}_{j}) = \left( \prod _{i=1}^{8} {M}_{j,i}^{-\chi _i},~\prod _{i=1}^{8} {M}_{j,i}^{-\gamma _i} \right) \) for each \(j \in \{1,\cdots ,4\}\) and, as part of the common reference string for the QA-NIZK proof system of [47], they will be included in the public key.
The master secret key is \(\mathsf {msk}:=\omega \) and the master public key is defined as
$$ \mathsf {mpk}=\Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~p,~g,~h,~\hat{g}, ~(t,v,w),~\varOmega =h^\omega ,~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{4} \Bigr ).$$
Extract \((\mathsf {msk},\mathsf {ID})\) : given \(\mathsf {msk}=\omega \) and \(\mathsf {ID} \in \mathbb {Z}_p\), choose \(s \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) to compute
$$\begin{aligned} K_1= & {} g^\omega \cdot (v^\mathsf {ID}\cdot w)^{s} , \qquad K_2=g^{s \cdot \mathsf {ID}}, \qquad K_3 = g^{s } \\ K_4= & {} h^{s \cdot \mathsf {ID}} , \qquad K_5=h^{s} , \qquad K_6 = t^{s} \end{aligned}$$
as well as \(\hat{K_7} =\hat{g}^{\mathsf {ID}}.\) Looking ahead, \(K_6\) will serve as a delegation component in the generation of level 2 signatures. Then, generate a QA-NIZK proof that the vector \( (K_1,K_2,K_3,K_4,K_5,1,1,\varOmega ) \in \mathbb {G}^{8} \) is in the row space of the first 3 rows of \(\mathbf {M}\). This QA-NIZK proof \((z,r) \in \mathbb {G}^2\) is obtained as
$$\begin{aligned} z= & {} z_1^\omega \cdot (z_2^\mathsf {ID}\cdot z_3)^{s} , \qquad r = r_1^\omega \cdot (r_2^\mathsf {ID}\cdot r_3)^{s} . \end{aligned}$$(4)
Then, generate a QA-NIZK proof \((z_{d},r_{d} )\) that the delegation component \(K_6\) is well-formed. This proof consists of \((z_{d},r_{d})=(z_4^{s} ,r_4^{s} ).\) The private key is
$$\begin{aligned} K_{\mathsf {ID}}=\big (K_1,K_2,K_3,K_4,K_5,K_6, \hat{K_7}, z,r , z_{d},r_{d} \big ). \end{aligned}$$(5)
Sign \((\mathsf {mpk},K_{\mathsf {ID}},M)\) : to sign \(M \in \mathbb {Z}_p\), parse \(K_{\mathsf {ID}}\) as in (5) and do the following.
1. Choose \(s' \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute
$$\begin{aligned} \sigma _1= & {} K_1 \cdot K_6^M \cdot (v^\mathsf {ID}\cdot t^M \cdot w)^{s'} = g^\omega \cdot (v^\mathsf {ID}\cdot t^M \cdot w)^{\tilde{s}} , \end{aligned}$$
where \(\tilde{s}=s +s'\), as well as
$$\begin{aligned} \sigma _2= & {} K_2 \cdot g^{s' \cdot \mathsf {ID}} = g^{\tilde{s} \cdot \mathsf {ID}}, \qquad \sigma _3 = K_3 \cdot g^{s' } = g^{\tilde{s} }, \qquad \hat{\sigma _6} = \hat{K_7} = \hat{g}^{\mathsf {ID}} \\ \sigma _4= & {} K_4 \cdot h^{s' \cdot \mathsf {ID}} = h^{\tilde{s} \cdot \mathsf {ID}}, \qquad \sigma _5 = K_5 \cdot h^{s'} = h^{\tilde{s}} . \end{aligned}$$
2. Using (z, r) and \((z_{d},r_{d})\), generate a QA-NIZK proof \((\tilde{z},\tilde{r}) \in \mathbb {G}^2\) that the vector \((\sigma _1,\sigma _2,\sigma _3, \sigma _4,\sigma _5,\sigma _3^M,\sigma _5^M,\varOmega ) \in \mathbb {G}^{8}\) is in the row space of \(\mathbf {M}\). Namely, compute \(\tilde{z} = z \cdot z_{d}^M \cdot (z_2^\mathsf {ID}\cdot z_4^M \cdot z_3)^{s '}\) and \(\tilde{r} = r \cdot r_{d}^M \cdot (r_2^\mathsf {ID}\cdot r_4^M \cdot r_3)^{s '}\).
Return the signature \(\sigma =\bigl ( \sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5 , \tilde{z},\tilde{r}, \hat{\sigma _6} \bigr ) \in \mathbb {G}^{7} \times \hat{\mathbb {G}} .\)
Verify \((\mathsf {mpk},\sigma ,M)\) : parse \(\sigma \) as above and return 1 if and only if it holds that
$$\begin{aligned} e(\tilde{z},\hat{g_z}) \cdot e(\tilde{r},\hat{g_r})= & {} e(\sigma _1,\hat{g_1})^{-1} \cdot e(\sigma _2,\hat{g_2})^{-1} \cdot e(\sigma _3,\hat{g_3} \cdot \hat{g_6}^M)^{-1} \\&\qquad \cdot e(\sigma _4, \hat{g_4})^{-1} \cdot e(\sigma _5,\hat{g_5} \cdot \hat{g_7}^M)^{-1} \cdot e(\varOmega ,\hat{g_{8}})^{-1} \end{aligned}$$
as well as \(e(\sigma _2,\hat{g}) = e(\sigma _3,\hat{\sigma _6})\) and \(e(\sigma _4,\hat{g}) = e(\sigma _5,\hat{\sigma _6})\).
As in Sect. 3, the technique of [41] can be used to shorten the signature by one element of \(\mathbb {G}\) as it allows replacing \((\tilde{z},\tilde{r})\) by one element of \(\mathbb {G}\).
We prove that, under the sole SXDH assumption, the scheme is secure in the sense of the natural security definition used by Boyen and Waters [20, 21]. In short, this definition requires that the adversary be unable to forge a valid signature for a pair \((\mathsf {ID}^\star ,M^\star )\) such that no private key query was made for \(\mathsf {ID}^\star \) and no signing query was made for the pair \((\mathsf {ID}^\star ,M^\star )\).
Theorem 1
The above hierarchical signature is secure under chosenmessage attacks if the SXDH assumption holds in \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\). (The proof is available the full version of the paper).
A simple reduction shows that the signature scheme of Sect. 3 is F-unforgeable so long as the above scheme is a secure 2-level hierarchical signature.
Theorem 2
The signature scheme of Sect. 3 is F-unforgeable under chosen-message attacks for the function \(F(M)=\hat{g}^M\) if the SXDH assumption holds in \((\mathbb {G},\hat{\mathbb {G}},{\mathbb {G}}_T)\). (The proof is available in the full version of the paper.)
5 A Structure-Preserving Signature from the SXDH and XDLIN\(_2\) Assumptions
Our F-unforgeable signature of Sect. 3 can be combined with the tagged one-time signature of Abe et al. [2] (or, more precisely, an adaptation of [2] to asymmetric pairings) so as to obtain a new structure-preserving signature based on the SXDH and XDLIN\(_2\) assumptions. Like [1], we obtain an SPS scheme based on simple assumptions with only 11 group elements per signature. However, only one of them has to be in \(\hat{\mathbb {G}}\), instead of 4 in [1]. Considering that \(\hat{\mathbb {G}}\) elements are at least twice as long to represent as those of \(\mathbb {G}\), we thus shorten signatures by the equivalent of 3 elements of \(\mathbb {G}\) (or \(20\,\%\)).
Our construction can be seen as an optimized instantiation of a general construction [1] that combines a tagged one-time signature and an SPS scheme which is only secure against extended random-message (XRMA) attacks. A tagged one-time signature (TOTS) is a signature scheme where each signature contains a single-use tag: namely, only one signature is generated w.r.t. each tag. The generic construction of [1] proceeds by certifying the tag of the TOTS scheme using an XRMA-secure SPS scheme. Specifically, our F-unforgeable signature assumes the role of the XRMA-secure signature and its shorter message space allows us to make the most of the optimal tag size of [2]. In [1], the proofs of XRMA security rely on the property that, when the reduction signs random group elements of its choice, it is allowed to know their discrete logarithms. However, this property is only used in the security proof and not in the scheme itself. Here, we also use the discrete logarithm of the tag in the SPS construction itself, which allows our F-unforgeable signature to supersede the XRMA-secure signature. By exploiting the smaller message space of our F-unforgeable signature, we can leverage the optimal tag size of [2]. Unlike the SPS of [2], we do not need to expand the tag from one to three group elements before certifying it.

Keygen \((\mathsf {cp},n)\) : given the length n of messages to be signed and common parameters \(\mathsf {cp}\) specifying the description of bilinear groups \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\) of prime order \(p>2^{\lambda }\), do the following.
 a. Generate a key pair \((\mathsf {sk}_{fsig},\mathsf {pk}_{fsig}) \leftarrow \mathsf {Setup}(\mathsf {cp})\) for the F-unforgeable signature of Sect. 3. Namely,
 1. Choose \(\omega ,a \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\), \(g \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\), \(\hat{g} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\) and set \(h=g^a\), \(\varOmega =h^{\omega }\). Then, choose \( v ,w \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\).
 2. Define a matrix \(\mathbf {{M}}=(M_{j,i})_{j,i} \) given by
 3. Generate a key pair \((\mathsf {sk}_{hsps},\mathsf {pk}_{hsps})\) for the linearly homomorphic signature of Sect. 2.2 in order to sign vectors of dimension \(n=6\). Let \(\mathsf {sk}_{hsps}=\{(\chi _{0,i},\gamma _{0,i})\}_{i=1}^{6}\) be the private key, of which the corresponding public key is \( \mathsf {pk}_{hsps} = \big ( \hat{g_z}, ~ \hat{g_r},~\{ \hat{g}_i \}_{i=1}^{6} \big )\).
 4. Using \(\mathsf {sk}_{hsps}=\{ \chi _{0,i}, \gamma _{0,i} \}_{i=1}^{6} \), generate one-time homomorphic signatures \(\{({z}_j,{r}_j)\}_{j=1}^{3}\) on the rows \({{\varvec{M}}}_{j}=({M}_{j,1},\cdots ,{M}_{j,6})\in {\mathbb {G}}^{6}\) of \(\mathbf {{M}}\). These are obtained as \( ({z}_{j},{r}_{j}) = \left( \prod _{i=1}^{6} {M}_{j,i}^{\chi _{0,i}},~\prod _{i=1}^{6} {M}_{j,i}^{\gamma _{0,i}} \right) ,\) for \(j \in \{1,2,3\}\) and, as part of the common reference string for the QA-NIZK proofs of [47], they will be included in the public key.
 b. Generate a key pair \((\mathsf {pk}_{pots},\mathsf {sk}_{pots})\) for the partial one-time SPS of Abe et al. [1]. Namely, choose \(w_z,w_r,\mu _z,\mu _u ,w_t \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and set
$$\begin{aligned} \hat{G_z}= & {} \hat{g}^{w_z}, \qquad \hat{G_r}=\hat{g}^{w_r}, \qquad \hat{G_t}=\hat{g}^{w_t}, \qquad \hat{H_z}=\hat{g}^{\mu _z}, \qquad \hat{H_u}=\hat{g}^{\mu _u} \\ {G_z}= & {} {g}^{w_z}, \qquad {G_r}= {g}^{w_r}, \qquad {G_t}={g}^{w_t}, \qquad {H_z}= {g}^{\mu _z}, \qquad {H_u}= {g}^{\mu _u} \end{aligned}$$
Then, for \(i=1\) to n, choose \(\chi _i,\gamma _i,\delta _i \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute \(\hat{G_i}=\hat{G_z}^{\chi _i} \cdot \hat{G_r}^{\gamma _i}\) and \(\hat{H_i}=\hat{G_z}^{\chi _i} \cdot \hat{G_r}^{\delta _i}\). Define \(\mathsf {sk}_{pots}:=\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\) and
$$\mathsf {pk}_{pots}:=\big (G_z,G_r,G_t,H_z,H_u,\hat{G_z},\hat{G_r},\hat{G_t},\hat{H_z},\hat{H_u},\{\hat{G_i},\hat{H_i}\}_{i=1}^n \big ).$$
The private key is \( SK=(\omega ,w_r,\mu _u,\mathsf {sk}_{pots}) \) and the public key consists of
$$ PK=\Bigl ( ~g,~h,~\hat{g}, ~(v,w),~\varOmega =h^\omega ,~\mathsf {pk}_{pots},~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{3} \Bigr ).$$
 Sign \((SK,{{\varvec{M}}})\) : given \( SK=(\omega ,w_r,\mu _u,\mathsf {sk}_{pots}) \) and \({{\varvec{M}}}=(M_1,\ldots ,M_n)\in \mathbb {G}^n \),
 1. Choose \(s,\tau \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) to compute
$$\begin{aligned} \sigma _1= & {} g^\omega \cdot (v^\tau \cdot w)^{s} , \qquad \sigma _2=g^{s \cdot \tau }, \qquad \sigma _3 = g^{s }, \\ \sigma _4= & {} h^{s \cdot \tau }, \qquad \sigma _5=h^{s} ,\qquad \hat{\sigma _6}=\hat{g}^\tau . \end{aligned}$$
Then, generate a QA-NIZK proof that the vector \((\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5,\varOmega ) \) is in the row space of \(\mathbf {M}\). This proof \((z,r) \in \mathbb {G}^2\) is computed as
$$\begin{aligned} z= & {} z_1^\omega \cdot (z_2^\tau \cdot z_3)^{s} , \qquad \qquad r = r_1^\omega \cdot (r_2^\tau \cdot r_3)^{s}. \end{aligned}$$(7)
 2. Choose \(\zeta \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute \(Z = g^\zeta \cdot \prod _{i=1}^n M_i^{\chi _i}\) as well as
$$\begin{aligned} R= (G_t^{ \tau } \cdot {G_z}^{\zeta } )^{1/w_r} \cdot \prod _{i=1}^n M_i^{\gamma _i} , \qquad \qquad U= (H_z^{\zeta })^{1/\mu _u} \cdot \prod _{i=1}^n M_i^{\delta _i} \end{aligned}$$
Return \(\sigma =\big (\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5,\hat{\sigma _6} ,z,r,Z,R ,U \big ) \in \mathbb {G}^5 \times \hat{\mathbb {G}} \times \mathbb {G}^5.\)
 Verify \((PK,\sigma ,{{\varvec{M}}})\) : given \({{\varvec{M}}}=(M_1,\ldots ,M_n) \in \mathbb {G}^n\), parse \(\sigma \) as above. Return 1 if and only if \(e(\sigma _2,\hat{g}) = e(\sigma _3,\hat{\sigma _6} )\) and \( e(\sigma _4,\hat{g}) = e(\sigma _5,\hat{\sigma _6} )\) as well as
$$\begin{aligned} \nonumber e({z},\hat{g_z}) \cdot e({r},\hat{g_r})= & {} \prod _{i=1}^5 e(\sigma _i,\hat{g_i})^{-1} \cdot e(\varOmega ,\hat{g_{6}})^{-1} \\ e(G_t,\hat{\sigma _6})= & {} e(Z,\hat{G_z}) \cdot e(R,\hat{G_r}) \cdot \prod _{i=1}^n e(M_i,\hat{G_i}) \\ \nonumber 1_{\mathbb {G}_T}= & {} e(Z,\hat{H_z}) \cdot e(U,\hat{H_u}) \cdot \prod _{i=1}^n e(M_i,\hat{H_i}). \end{aligned}$$(8)
Each signature requires 10 elements of \(\mathbb {G}\) and one element of \(\hat{\mathbb {G}}\). Using the optimized F-unforgeable signature based on the Jutla-Roy QA-NIZK proof [41], we can also save one more element of \(\mathbb {G}\) and obtain signatures in \(\mathbb {G}^9 \times \hat{\mathbb {G}}\), which shortens the signatures of Abe et al. [1] by \(26\,\%\). In the full version of the paper, we give more detailed comparisons among all SPS based on non-interactive assumptions.
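The row-space argument that the scheme above reuses at every level (Keygen step a.4 signs the rows of \(\mathbf {M}\) with the one-time homomorphic signature, eq. (7) derives \((z,r)\) as a linear combination of those row signatures, and the first equation of (8) checks it) is easier to see with the algebra written out. The following Python simulation is an added example, not code from the paper: each group element is represented by its discrete logarithm modulo the group order, so multiplication in \(\mathbb {G}\) becomes addition, exponentiation becomes multiplication, and \(e(g^a,\hat{g}^b)=e(g,\hat{g})^{ab}\) becomes a product modulo \(Q\). With logarithms exposed there is no security at all; the point is only to check that derived and re-randomized proofs verify and that a vector outside the row space does not. The key-generation rule \(\hat{g}_i=\hat{g}_z^{-\chi _i}\cdot \hat{g}_r^{-\gamma _i}\) is an assumption made here (Sect. 2.2 is not reproduced on this page) chosen so that the verification equation holds in the inverted form printed in (8); the function names and the Mersenne-prime order are the example's own.

```python
"""Log-exposed simulation of the QA-NIZK row-space argument of the Sect. 5 scheme.
A G element is its log base g, a G-hat element its log base g-hat, and a G_T element
its log base e(g, g-hat), all modulo the prime order Q.  Algebra check only: no security."""
import secrets

Q = (1 << 61) - 1          # constructed prime group order (Mersenne prime 2^61 - 1)


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def pair(a, b_hat):
    """e(g^a, g-hat^b) = e(g, g-hat)^{ab}  ->  a*b mod Q in log form."""
    return a * b_hat % Q


def hsps_keygen(n):
    """One-time linearly homomorphic SPS key for vectors of dimension n.
    Assumed sign convention: g-hat_i = g-hat_z^{-chi_i} * g-hat_r^{-gamma_i}, so that the
    verification reads e(z, g-hat_z) e(r, g-hat_r) = prod e(v_i, g-hat_i)^{-1} as in (8)."""
    gz, gr = rand_exp(), rand_exp()                      # logs of g-hat_z, g-hat_r
    sk = [(rand_exp(), rand_exp()) for _ in range(n)]    # (chi_i, gamma_i)
    gi = [(-(chi * gz + gam * gr)) % Q for chi, gam in sk]
    return sk, (gz, gr, gi)


def hsps_sign(sk, vec):
    """(z, r) = (prod v_i^{chi_i}, prod v_i^{gamma_i}) on a vector given in log form."""
    z = sum(v * chi for v, (chi, _) in zip(vec, sk)) % Q
    r = sum(v * gam for v, (_, gam) in zip(vec, sk)) % Q
    return z, r


def hsps_verify(pk, vec, sig):
    """Check e(z, g-hat_z) * e(r, g-hat_r) == prod_i e(v_i, g-hat_i)^{-1}."""
    gz, gr, gi = pk
    z, r = sig
    lhs = (pair(z, gz) + pair(r, gr)) % Q
    rhs = (-sum(pair(v, g) for v, g in zip(vec, gi))) % Q
    return lhs == rhs


def combine(row_sigs, coeffs):
    """Proof for sum_j c_j * row_j: the same linear combination of the row signatures,
    i.e. (prod_j z_j^{c_j}, prod_j r_j^{c_j}).  Eq. (7) is the case coeffs = (omega, s*tau, s)."""
    z = sum(c * zj for c, (zj, _) in zip(coeffs, row_sigs)) % Q
    r = sum(c * rj for c, (_, rj) in zip(coeffs, row_sigs)) % Q
    return z, r


def demo():
    n, k = 6, 3
    sk, pk = hsps_keygen(n)
    rows = [[rand_exp() for _ in range(n)] for _ in range(k)]   # matrix M (log form)
    row_sigs = [hsps_sign(sk, row) for row in rows]              # {(z_j, r_j)} placed in PK
    omega, s, tau = rand_exp(), rand_exp(), rand_exp()
    coeffs = [omega, s * tau % Q, s]                             # z = z_1^omega (z_2^tau z_3)^s
    vec = [sum(c * row[i] for c, row in zip(coeffs, rows)) % Q for i in range(n)]
    proof = combine(row_sigs, coeffs)
    accepted = hsps_verify(pk, vec, proof)
    # Re-randomising s -> s + s' with the tokens z_2^tau, r_2^tau: multiply the proof by
    # (z_2^tau z_3)^{s'}, which is combine() with coefficients (0, s'*tau, s').
    s_new = rand_exp()
    delta = combine(row_sigs, [0, s_new * tau % Q, s_new])
    proof2 = ((proof[0] + delta[0]) % Q, (proof[1] + delta[1]) % Q)
    coeffs2 = [omega, (s + s_new) * tau % Q, (s + s_new) % Q]
    vec2 = [sum(c * row[i] for c, row in zip(coeffs2, rows)) % Q for i in range(n)]
    rerandomized_ok = hsps_verify(pk, vec2, proof2)
    # A vector off the row space must not verify under the honestly derived proof.
    off = list(vec)
    off[0] = (off[0] + 1) % Q
    rejected = not hsps_verify(pk, off, proof)
    return accepted, rerandomized_ok, rejected
```

`demo()` returns three booleans: the derived proof verifies, the proof re-randomized with fresh \(s'\) still verifies against the correspondingly re-randomized vector, and a perturbed vector is rejected. Moving to a real pairing library only changes `pair`, `hsps_sign`, `combine` and the arithmetic in `hsps_verify` from exponent arithmetic to group operations; the linear structure is identical.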
In the application to group signatures, it is desirable to minimize the number of signature components that need to appear in committed form. To this end, signatures must be randomizable in such a way that \((\sigma _3,\sigma _5)\) can appear in the clear modulo a re-randomization of \(s\in \mathbb {Z}_p\). To enable this randomization, it is necessary to augment signatures (similarly to [6]) with a randomization token \((g^\tau ,h^\tau ,v^\tau ,z_2^\tau ,r_2^\tau )\). We will prove that the scheme remains unforgeable even when the signing oracle also outputs these randomization tokens at each invocation.^{2} We call this notion extended existential unforgeability (or EUF-CMA\(^*\) for short).
When the rerandomization tokens are used, proving the knowledge of a signature on a committed message \({{\varvec{M}}} \in \mathbb {G}^n\) requires \(2n+24\) elements of \(\mathbb {G}\) and 12 elements of \(\hat{\mathbb {G}}\). In comparison, the best previous solution of Abe et al. costs \(2n+26\) elements of \(\mathbb {G}\) and 18 elements of \(\hat{\mathbb {G}}\).
Theorem 3
The scheme provides EUF-CMA\(^*\) security if the SXDH and XDLIN\(_2\) assumptions hold in \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\). (The proof is given in the full version of the paper.)
In short, the proof of Theorem 3 considers two kinds of forgeries. In Type I forgeries, the adversary’s forgery contains an element \(\hat{\sigma _6}^\star \) that did not appear in any signature obtained by the forger during the game. In contrast, Type II forgeries are those for which \(\hat{\sigma _6}^\star \) is recycled from a response of the signing oracle. It is easy to see that a Type I forger allows breaking the security of the F-unforgeable signature. As for Type II forgeries, they are shown to contradict the XDLIN\(_2\) assumption via a careful adaptation of the proof given by Abe et al. for their TOTS scheme [2]. While the latter was originally presented in symmetric pairings, it goes through in Type 3 pairings modulo natural changes that consist in making sure that most handled elements of \(\hat{\mathbb {G}}\) have a counterpart in \(\mathbb {G}\). One difficulty is that, at each query, the reduction must properly simulate the randomization tokens \((v^\tau ,g^\tau ,h^\tau ,z_2^\tau ,r_2^\tau )\) as well as an instance of the F-unforgeable signature without knowing the discrete logarithm \(\tau =\log _{\hat{g}}(\hat{\sigma _6})\) of \(\hat{\sigma _6}=\hat{g}^\tau \) or that of its shadow \({\sigma _6}={g}^\tau \) in \(\mathbb {G}\). Fortunately, this issue can be addressed by letting the reduction know \(\log _g(v)\) and \(\log _g(w)\).
In an independent work [45], Kiltz, Pan and Wee obtained even shorter signatures, which live in \(\mathbb {G}^6 \times \hat{\mathbb {G}}\) under the SXDH assumption. On the other hand, their security reduction is looser than ours as the gap between the adversary’s advantage and the reduction’s probability to break the underlying assumption is quadratic (instead of linear in our case) in the number of signing queries.
6 A Publicly Verifiable Tag-Based Encryption Scheme
As a tool for constructing a CCA2-anonymous group signature, we describe a new tag-based encryption scheme [44, 48] which is inspired by the lossy encryption scheme [13] of [39]. In our group signature, we will exploit the fact that the DDH-based lossy encryption scheme of Bellare et al. [13] can also be seen as a Groth-Sahai commitment.

Keygen \((\mathsf {cp} )\) : Given public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) specifying asymmetric bilinear groups of prime order \(p>2^\lambda \), conduct the following steps.
 1. Choose \({g},{h} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\). Choose \(x,\alpha ,\beta \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and set \({X}_1={g}^{x}\), \({X}_2={h}^{x}\), \({S}={g}^\alpha \), \({T}={g}^\beta \), \({W}={h}^\alpha \) and \({V}={h}^\beta \).
 2. Generate a key pair \((\mathsf {pk}_{hsig}',\mathsf {sk}_{hsig}')\) for the homomorphic signature of Sect. 2.2 in order to sign vectors in \({\mathbb {G}}^{3}\). Let \(\mathsf {pk}_{hsig}' = \bigl ( \hat{G_z},\hat{G_r}, \{ \hat{G_i} \}_{i=1}^{3} \bigr )\) be the public key and let \(\mathsf {sk}_{hsig}'= \{ ( \varphi _i, \vartheta _i) \}_{i=1}^{3} \) be the private key.
 3. Use \(\mathsf {sk}_{hsig}'\) to generate linearly homomorphic signatures \(\{({Z}_i,{R}_i)\}_{i=1}^4\) on the rows of the matrix which form a subspace of rank 2. The key pair consists of \(\mathsf {sk}= (x,\alpha ,\beta ) \) and \(\mathsf {pk} := \Big ( {g},{h}, {X}_1,{X}_2, {S},{W} , {T},{V},\mathsf {pk}_{hsig}',\{({Z}_i,{R}_i)\}_{i=1}^4 \Big )\).
 Encrypt \((\mathsf {pk},{M} ,\tau )\) : To encrypt \({M} \in {\mathbb {G}}\) under the tag \(\tau \), choose \(\theta _{1},\theta _{2} \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute the ciphertext \({{\varvec{C}}} = ({C}_0,{C}_1,{C}_2 ,{Z},{R}) \) as
$$\begin{aligned} {{\varvec{C}}} = \big ( {M} \cdot {X}_1^{\theta _{1}} \cdot {X}_2^{\theta _{2}}, ~&{g}^{\theta _{1}} \cdot {h}^{\theta _{2}}, ~({S}^\tau \cdot {T})^{\theta _{1}} \cdot ({W}^\tau \cdot {V})^{\theta _{2}}, \\ ~&({Z}_{3}^\tau \cdot {Z}_1)^{\theta _{1}} \cdot ({Z}_4^\tau \cdot {Z}_2)^{\theta _{2}} , ({R}_{3}^\tau \cdot {R}_1)^{\theta _{1}} \cdot ({R}_4^\tau \cdot {R}_2)^{\theta _{2}} \big ). \end{aligned}$$
Here, (Z, R) serves as a proof that the vector \(({C}_1,{C}_1^\tau ,{C}_2)\) is in the row space of \(\mathbf {{L}}\) and satisfies
$$\begin{aligned} e(Z,\hat{G_z}) \cdot e(R,\hat{G_r})= & {} e(C_1,\hat{G_1}^\tau \cdot \hat{G_2})^{-1} \cdot e(C_2,\hat{G_2})^{-1} \end{aligned}$$(9)

Decrypt \((\mathsf {sk},{{\varvec{C}}},\tau )\) : Parse \({{\varvec{C}}}\) as above. Return \(\perp \) if (Z, R) does not satisfy (9). Otherwise, return \({M} = {C}_0 /{C}_1^x\).
We observe that \(({C}_0,{C}_1)\) form a Groth-Sahai commitment based on the DDH assumption in \({\mathbb {G}}\). If \(\log _{{g}}({X}_1)=\log _{{h}}({X}_2)\), the commitment is extractable. Otherwise, it is perfectly hiding. We will use this CCA2-secure scheme as a commitment that is extractable on all tags, except one \(\tau ^\star \) where it behaves as a perfectly hiding commitment. The above system achieves this while only expanding the original Groth-Sahai commitment \((C_0,C_1)\) by 3 elements of \(\mathbb {G}\).
This scheme will save our group signatures from having to contain (beyond \(({C}_0,{C}_1)\)) an additional CCA2-secure encryption and a NIZK proof that the plaintext coincides with the content of a Groth-Sahai commitment. The above technique allows saving the equivalent of 16 elements of \(\mathbb {G}\). We thus believe this cryptosystem to be of interest in its own right since it can be used in a similar way to shorten other group signatures (e.g., [36]) based on Groth-Sahai proofs.
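The two modes of \(({C}_0,{C}_1)\) described above, extractable when \(\log _{g}(X_1)=\log _{h}(X_2)\) and perfectly hiding otherwise, can be exercised in a plain prime-order group, since no pairing is involved in that part of the ciphertext. The Python below is an added example, not code from the paper: it implements Keygen, the \(({C}_0,{C}_1)\) part of Encrypt, the decryption \({M}={C}_0/{C}_1^x\), and, on a lossy key, the equivocation step from the hiding argument (given the key's logarithms, the same commitment is opened to any other message by solving a \(2\times 2\) system over \(\mathbb {Z}_Q\); the system is singular exactly when the key is binding). The tag components \(({C}_2,Z,R)\) are left out. The toy safe-prime modulus, the choice to pass messages as exponents \(m\) (so that the simulation can equivocate exactly), and all function names are the example's own assumptions.

```python
"""The (C_0, C_1) core of the Sect. 6 scheme: DDH-based lossy encryption that is also a
Groth-Sahai commitment, in the quadratic-residue subgroup of a safe prime.  Toy parameters;
the (C_2, Z, R) tag-binding components of the ciphertext are not modelled."""
import secrets


def _is_prime(n):
    """Trial division; adequate for the toy modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_safe_prime(start):
    """Smallest safe prime p = 2q + 1 with p >= start and q prime."""
    p = start | 1
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p


P = find_safe_prime(100_003)   # constructed toy modulus; real groups are ~256-bit
Q = (P - 1) // 2               # prime order of the quadratic-residue subgroup
G = 4                          # 2^2 generates that subgroup (order Q, since 4 != 1 mod P)


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def keygen(binding):
    """pk = (g, h, X1, X2), sk = x, plus the simulation trapdoor (a, x, x2) with h = g^a.
    binding=True:  X1 = g^x, X2 = h^x  -> log_g X1 == log_h X2, extractable commitment.
    binding=False: X2 = h^x2 with x2 != x -> lossy key, perfectly hiding commitment."""
    a = rand_exp()
    h = pow(G, a, P)
    x = rand_exp()
    x2 = x if binding else (x + rand_exp()) % Q     # every residue except x
    return (G, h, pow(G, x, P), pow(h, x2, P)), x, (a, x, x2)


def commit(pk, m, theta1, theta2):
    """(C0, C1) = (g^m * X1^theta1 * X2^theta2, g^theta1 * h^theta2).
    The message g^m is passed as its exponent m so equivocate() can do exact arithmetic."""
    g, h, x1, x2 = pk
    c1 = pow(g, theta1, P) * pow(h, theta2, P) % P
    c0 = pow(g, m, P) * pow(x1, theta1, P) % P * pow(x2, theta2, P) % P
    return c0, c1


def extract(x, c0, c1):
    """Decrypt / open with the trapdoor x: M = C0 / C1^x (correct only on a binding key)."""
    return c0 * pow(pow(c1, x, P), -1, P) % P


def equivocate(trapdoor, m, theta1, theta2, m_new):
    """On a lossy key, randomness (t1, t2) that opens the same (C0, C1) to g^m_new.
    Solves  t1 + a*t2 = theta1 + a*theta2  and
            x*t1 + a*x2*t2 = (m - m_new) + x*theta1 + a*x2*theta2   over Z_Q.
    The determinant a*(x2 - x) vanishes exactly on a binding key (x2 == x)."""
    a, x, x2 = trapdoor
    det = a * (x2 - x) % Q
    if det == 0:
        raise ValueError("binding key: the commitment opens to one message only")
    s1 = (theta1 + a * theta2) % Q
    s2 = (m - m_new + x * theta1 + a * x2 * theta2) % Q
    t2 = (s2 - x * s1) * pow(det, -1, Q) % Q
    t1 = (s1 - a * t2) % Q
    return t1, t2


def demo(m=12345, m_new=777):
    """Returns (extracts, binding_refuses, lossy_misextracts, equivocates), all True."""
    t1, t2 = rand_exp(), rand_exp()
    pk_b, x_b, td_b = keygen(binding=True)
    c0, c1 = commit(pk_b, m, t1, t2)
    extracts = extract(x_b, c0, c1) == pow(G, m, P)
    try:
        equivocate(td_b, m, t1, t2, m_new)
        binding_refuses = False
    except ValueError:
        binding_refuses = True
    pk_l, x_l, td_l = keygen(binding=False)
    c0, c1 = commit(pk_l, m, t1, t2)
    lossy_misextracts = extract(x_l, c0, c1) != pow(G, m, P)   # x no longer decrypts
    u1, u2 = equivocate(td_l, m, t1, t2, m_new)
    equivocates = commit(pk_l, m_new, u1, u2) == (c0, c1)      # same commitment, other message
    return extracts, binding_refuses, lossy_misextracts, equivocates
```

On the binding key the vectors \(({g},X_1)\) and \((h,X_2)\) are a perfectly binding Groth-Sahai CRS and `extract` plays the role of the opening trapdoor; on the lossy key `equivocate` exhibits, for any target message, randomness consistent with the observed \(({C}_0,{C}_1)\), which is exactly why the commitment carries no information about the message there. The Open algorithm of Sect. 7 applies the same \({C}_0/{C}_1^{\zeta}\) extraction to the commitment in \(\hat{\mathbb {G}}^2\).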
In the full paper, the scheme is proved secure in the sense of [44].
Theorem 4
The above scheme is selective-tag weakly IND-CCA2-secure if the SXDH assumption holds. (The proof is given in the full paper.)
7 Short Group Signatures in the BMW Model
The TBE scheme of Sect. 6 allows us to achieve anonymity in the CCA2 sense by encrypting an encoding of the group member’s identifier. In order to minimize the signature length, we let the TBE ciphertext live in \(\mathbb {G}\) instead of \(\hat{\mathbb {G}}\). To open signatures in constant time, however, the opening algorithm uses the extraction trapdoor of a Groth-Sahai commitment in \(\hat{\mathbb {G}}^2\) rather than the private key \(\mathsf {sk}_{tbe}\) of the TBE system. The latter key is only used in the proof of anonymity where the reduction uses a somewhat inefficient opening algorithm of complexity O(N).

Keygen \((\lambda ,N)\) : given a security parameter \(\lambda \in \mathbb {N}\) and the number of users N , choose asymmetric bilinear groups \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) of order \(p>2^\lambda \).
 1. Generate a key pair \( (\mathsf {msk},\mathsf {mpk})\) for the two-level hierarchical signature of Sect. 4. Let
$$ \mathsf {mpk} :=\Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~p, ~g,~h,~ \hat{g}, ~ (t,v,w) ,~\varOmega =h^{\omega },~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{4} \Bigr )$$
be the master public key and \(\mathsf {msk} :=\omega \in \mathbb {Z}_p\) be the master secret key.
 2. Generate a key pair \((\mathsf {sk}_{tbe},\mathsf {pk}_{tbe})\) for the tag-based encryption scheme of Sect. 6. Let \(\mathsf {pk}_{tbe} = \Big ( {g},{h}, {X}_1,{X}_2, {S},{W} , {T},{V},\mathsf {pk}_{hsig}',\{({Z}_i,{R}_i)\}_{i=1}^4 \Big ) \) be the public key and \(\mathsf {sk}_{tbe}=(x,\alpha ,\beta )\) be the underlying private key. For simplicity, the element g can be recycled from \(\mathsf {mpk}\).
 3. Choose a vector \({\hat{{\varvec{u}}_\mathbf{1}}}=(\hat{u}_{11},\hat{u}_{12}) \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}^2\) and set \({\hat{{\varvec{u}}_\mathbf{2}}}={\hat{{\varvec{u}}_\mathbf{1}}}^{\xi }\), where \(\xi \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\). Also, define the vectors \({{{\varvec{u}}}_\mathbf{1}}=({g},{X}_1)\) and \({{\varvec{u}}_\mathbf{2}}=(h,{X}_2)\). These vectors will form Groth-Sahai CRSes \(({{{\varvec{u}}}_1},{{\varvec{u}}_\mathbf{2}})\) and \(({\hat{{\varvec{u}}_\mathbf{1}}},{\hat{{\varvec{u}}_\mathbf{2}}})\) in the perfectly binding setting. Although \(\mathsf {sk}_{tbe}\) serves as an extraction trapdoor for commitments generated on the CRS \(({{\varvec{u}}_\mathbf{1}},{{\varvec{u}}_\mathbf{2}})\), the group manager will more efficiently use \(\zeta =\log _{\hat{u}_{11}}(\hat{u}_{12})\) to open signatures.
 4. Choose a chameleon hash function \(\mathsf {CMH} =(\mathsf {CMKg},\mathsf {CMhash},\mathsf {CMswitch})\) with a key pair (hk, tk) and randomness space \(\mathcal {R}_{hash}\).
 5. For each group member i, choose an identifier \(\mathsf {ID}_i \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and use \(\mathsf {msk}\) to compute \(K_{\mathsf {ID}_i}=(K_1,K_2,K_3,K_4,K_5,K_6,\hat{K_7},z,r,z_d,r_d)\), where and \((z_{d},r_d) = (z_4^s,r_4^{s})\). For each \(i \in \{1,\ldots ,N\}\), the i-th group member’s private key is \(\mathsf {gsk}[i]=(\mathsf {ID}_i,K_{\mathsf {ID}_i }).\)
The group manager’s secret key is \(\mathsf {gsk}:=\big (\mathsf {msk}, \zeta =\log _{\hat{u}_{11}}(\hat{u}_{12}) \big )\) while the group public key consists of
$$\begin{aligned} \mathsf {gpk} := \Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~\mathsf {mpk},~ \mathsf {pk}_{tbe},~({{\varvec{u}}_\mathbf{1}},{{\varvec{u}}_\mathbf{2}}),~({\hat{{\varvec{u}}_\mathbf{1}}},{\hat{{\varvec{u}}_\mathbf{2}}}) ,~\mathsf {CMH}, ~hk \Bigr ) . \end{aligned}$$

Sign \((\mathsf {gpk},\mathsf {gsk}{[i]},M )\) : In order to sign a message \(M \in \mathbb {Z}_p\) using the i-th group member’s private key \( \mathsf {gsk}[i]= (\mathsf {ID}_i,K_{\mathsf {ID}_i}) \), conduct the following steps.
 1. Using \(K_{\mathsf {ID}_i}=(K_1,K_2,K_3,K_4,K_5,K_6,\hat{K_7},z,r,z_d,r_d)\), derive a second-level hierarchical signature. Namely, choose \(s' \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute
$$\begin{aligned} \sigma _1= & {} K_1 \cdot K_6^M \cdot (v^{\mathsf {ID}_i} \cdot t^M \cdot w)^{s'} \qquad \qquad \sigma _2=K_2 \cdot g^{s' \cdot \mathsf {ID}_i} = g^{\tilde{s} \cdot \mathsf {ID}_i} \\= & {} g^\omega \cdot (v^{\mathsf {ID}_i} \cdot t^M \cdot w)^{\tilde{s}} \qquad \qquad \qquad \sigma _3=K_3 \cdot g^{s'} = g^{\tilde{s}} \\ \sigma _4= & {} K_4 \cdot h^{s' \cdot \mathsf {ID}_i} = h^{\tilde{s} \cdot \mathsf {ID}_i} \qquad \qquad \qquad \sigma _5 = K_5 \cdot h^{s'} = h^{\tilde{s}} , \end{aligned}$$
and \(\hat{\sigma _6}=\hat{K_7} \), where \(\tilde{s}=s+s'\), as well as
$$\begin{aligned} \tilde{z}= & {} z \cdot z_d^M \cdot (z_2^{\mathsf {ID}_i} \cdot z_4^M \cdot z_3 )^{s'} \qquad \qquad \qquad \tilde{r}= r \cdot r_d^M \cdot (r_2^{\mathsf {ID}_i} \cdot r_4^M \cdot r_3 )^{s'} \\= & {} z_1^\omega \cdot (z_2^{\mathsf {ID}_i} \cdot z_4^M \cdot z_3 )^{\tilde{s}} \qquad \qquad \qquad \qquad = r_1^\omega \cdot (r_2^{\mathsf {ID}_i} \cdot r_4^M \cdot r_3 )^{\tilde{s}}. \end{aligned}$$
 2. Choose \(\theta _1,\ldots ,\theta _{12} \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute Groth-Sahai commitments
$$\begin{aligned} {{\varvec{C}}}_{\sigma _1}= & {} (1,\sigma _1) \cdot {{{\varvec{u}}}_\mathbf{1}}^{\theta _{ 1}} \cdot {{\varvec{u}}_\mathbf{2}}^{\theta _2}, \qquad \quad {{\varvec{C}}}_{\sigma _2}=(1,\sigma _2) \cdot {{\varvec{u}}_\mathbf{1}}^{\theta _{ 3}} \cdot {{\varvec{u}}_\mathbf{2}}^{\theta _4}, \\ {{\varvec{C}}}_{\sigma _4}= & {} (1,\sigma _4) \cdot {{\varvec{u}}_\mathbf{1}}^{\theta _{5}} \cdot {{\varvec{u}}_\mathbf{2}}^{\theta _{6}}, \qquad \quad {{\varvec{C}}}_{\hat{\sigma _6}}=(1,\hat{\sigma _6}) \cdot {\hat{{{\varvec{u}}}_\mathbf{1}}}^{\theta _{7}} \cdot {\hat{{\varvec{u}}_\mathbf{2}}}^{\theta _{8}}, \\ {{\varvec{C}}}_{\tilde{z}}= & {} (1,\tilde{z}) \cdot {{\varvec{u}}_1}^{\theta _{ 9}} \cdot {{\varvec{u}}_2}^{\theta _{10}}, \qquad \quad {{\varvec{C}}}_{\tilde{r}} = (1,\tilde{r}) \cdot {{\varvec{u}}_1}^{\theta _{11}} \cdot {{\varvec{u}}_2}^{\theta _{12}}. \end{aligned}$$
Note that \({{\varvec{C}}}_{{\sigma _2}}\) can be written as \((C_1,C_0)=({g}^{\theta _3} \cdot {h}^{\theta _4}, \sigma _2 \cdot {X}_1^{\theta _3} \cdot {X}_2^{\theta _4})\).
 3. Generate Groth-Sahai NIWI proofs \({\varvec{\pi }}_1 \in \hat{\mathbb {G}}^2\), \({\varvec{\pi }}_2 \in \mathbb {G}^2 \times \hat{\mathbb {G}}^2\) and \({\varvec{\pi }}_3 \in \mathbb {G}^2 \times \hat{\mathbb {G}}^2\) that committed variables \((\tilde{z},\tilde{r},\sigma _1,\sigma _2,\sigma _4,\hat{\sigma _6})\) satisfy
$$\begin{aligned} e(\boxed {\tilde{z}},\hat{g_z}) \cdot e(\boxed {\tilde{r}},\hat{g_r})= & {} e(\boxed {\sigma _1},\hat{g_1})^{-1} \cdot e(\boxed {\sigma _2},\hat{g_2})^{-1} \cdot e(\sigma _3,\hat{g_3} \cdot \hat{g_6}^M)^{-1} \\ \nonumber&\qquad \qquad \cdot e(\boxed {\sigma _4}, \hat{g_4})^{-1} \cdot e(\sigma _5,\hat{g_5} \cdot \hat{g_7}^M)^{-1} \cdot e(\varOmega ,\hat{g_{8}})^{-1} \end{aligned}$$(10)
and
$$\begin{aligned} e(\boxed {\sigma _2},\hat{g})= & {} e(\sigma _3,\boxed {\hat{\sigma _6}}), \qquad \qquad e(\boxed {\sigma _4},\hat{g}) = e(\sigma _5,\boxed {\hat{\sigma _6}}). \end{aligned}$$(11)
 4. Choose \(r_{hash} \mathop {\leftarrow }\limits ^{ _R } \mathcal {R}_{hash}\) and compute a chameleon hash value
$$\tau =\mathsf {CMhash}(hk, ({{\varvec{C}}}_{\sigma _1}, {{\varvec{C}}}_{\sigma _2}, \sigma _3, {{\varvec{C}}}_{\sigma _4},\sigma _5,{{\varvec{C}}}_{\hat{\sigma _6}} ,{{\varvec{C}}}_{\tilde{z}}, {{\varvec{C}}}_{\tilde{r}},{\varvec{\pi }}_1,{\varvec{\pi }}_2,{\varvec{\pi }}_3 ) ,r_{hash}).$$
Then, using \(\tau \) and \((\theta _3,\theta _4) \in \mathbb {Z}_p^2\), compute \({C}_2=({S}^\tau \cdot {T})^{\theta _3} \cdot ({W}^\tau \cdot {V})^{\theta _4}\). Using \(\mathsf {pk}_{hsig}'\), compute \(({Z},{R})=\big ( ({Z}_3^\tau \cdot {Z}_1)^{\theta _3} \cdot ({Z}_4^\tau \cdot {Z}_2)^{\theta _4}, ({R}_3^\tau \cdot {R}_1)^{\theta _3} \cdot ({R}_4^\tau \cdot {R}_2)^{\theta _4} \big )\) as a QA-NIZK argument that \(({C}_1,{C}_1^\tau ,{C}_2) \) is in the row space of \(\mathbf {{L}}\). This allows turning \({{\varvec{C}}}_{{\sigma _2}}=(C_1,C_0)\) into a TBE ciphertext \({\tilde{{\varvec{C}}}}_{{\sigma _2}} = ({C}_0,{C}_1,{C}_2,{Z},{R})\) as
$$\begin{aligned} {\tilde{{\varvec{C}}}}_{{\sigma _2}} = \big ( ~\sigma _2&\cdot {X}_1^{\theta _3} \cdot {X}_2^{\theta _4},~{g}^{\theta _3} \cdot {h}^{\theta _4}, ~({S}^\tau \cdot {T})^{\theta _3} \cdot ({W}^\tau \cdot {V})^{\theta _4} ,\\ ~&({Z}_3^\tau \cdot {Z}_1)^{\theta _3} \cdot ({Z}_4^\tau \cdot {Z}_2)^{\theta _4} , ~ ({R}_3^\tau \cdot {R}_1)^{\theta _3} \cdot ({R}_4^\tau \cdot {R}_2)^{\theta _4} \big ) \in {\mathbb {G}}^5 \end{aligned}$$
for the tag \(\tau \). Note that \({\tilde{{\varvec{C}}}}_{{\sigma _2}} \) contains the original commitment \({{\varvec{C}}}_{{\sigma _2}}\).
Return \(\sigma = \bigl ( {{\varvec{C}}}_{\sigma _1} ,{\tilde{{\varvec{C}}}}_{\sigma _2},\sigma _3,{{\varvec{C}}}_{\sigma _4}, \sigma _5,{{\varvec{C}}}_{\hat{\sigma _6}}, {{\varvec{C}}}_{\tilde{z}},{{\varvec{C}}}_{\tilde{r}}, {\varvec{\pi }}_1,{\varvec{\pi }}_2,{\varvec{\pi }}_3,r_{hash} \bigr )\).

Verify \((\mathsf {gpk},M,\sigma )\) : Parse \(\sigma \) as above. Return 1 if and only if: (i) The proofs \({\varvec{\pi }}_1, {\varvec{\pi }}_2,{\varvec{\pi }}_3 \) verify; (ii) \({\tilde{{\varvec{C}}}}_{{\sigma _2}}\) is a valid TBE ciphertext (i.e., (9) holds) for the tag \(\tau =\mathsf {CMhash}(hk, ({{\varvec{C}}}_{\sigma _1}, {{\varvec{C}}}_{\sigma _2}, \sigma _3, {{\varvec{C}}}_{\sigma _4},\sigma _5,{{\varvec{C}}}_{\hat{\sigma _6}} ,{{\varvec{C}}}_{\tilde{z}}, {{\varvec{C}}}_{\tilde{r}}, {\varvec{\pi }}_1, {\varvec{\pi }}_2,{\varvec{\pi }}_3 ) ,r_{hash}).\)

Open \((\mathsf {gpk},\mathsf {gmsk},M,\sigma )\) : To open \(\sigma \) using \(\mathsf {gmsk} =\big (\mathsf {msk},\zeta \big )\), parse \(\sigma \) as above and return \(\perp \) if it is not a valid signature w.r.t. \(\mathsf {gpk}\) and M. Otherwise, use \(\zeta =\log _{\hat{u}_{11}}(\hat{u}_{12})\) to decrypt the Elgamal ciphertext \({{\varvec{C}}}_{\hat{\sigma _6}} \in \hat{\mathbb {G}}^2\). Then, check if the resulting plaintext is \(\hat{g}^{\mathsf {ID}}\) for some group member’s identifier \(\mathsf {ID}\). If so, output \(\mathsf {ID}\). Otherwise, return \(\perp \).
The signature consists of 19 elements of \(\mathbb {G}\), 8 elements of \(\hat{\mathbb {G}}\) and one element of \(\mathbb {Z}_p\). If each element of \(\mathbb {G}\) (resp. \(\hat{\mathbb {G}}\)) has a 256-bit (resp. 512-bit) representation, the entire signature fits within 9216 bits (or 1.125 kB). By using the technique of Jutla and Roy [41] to shorten the hierarchical signature, it is possible to shorten the latter by one group element (as explained in Sect. 4), which saves two elements of \(\mathbb {G}\) in the group signature without modifying the underlying assumption. In this case, the signature length reduces to 8704 bits (or 1.062 kB). Using the technique of Boyen, Mei and Waters [19], it is also possible to eliminate the randomness \(r_{hash}\) and replace the chameleon hash function by an ordinary collision-resistant hash function, as explained in the full version of the paper. By doing so, at the expense of a group public key made of \(\varTheta (\lambda )\) elements of \(\hat{\mathbb {G}}\), we can further compress signatures down to 8448 bits (or 1.031 kB).
To give a concrete comparison with earlier constructions, an implementation of the Boyen-Waters group signature [21] in asymmetric prime order groups requires 8 elements of \(\mathbb {G}\) and 8 elements of \(\hat{\mathbb {G}}\) for a total of 6400 bits per signature. However, besides the SXDH assumption, the resulting scheme relies on the non-standard q-Hidden Strong Diffie-Hellman assumption [21] and only provides anonymity in the CPA sense.
Theorem 5
The scheme provides full traceability under the SXDH assumption.
The proof of Theorem 5 relies on the unforgeability of the two-level hierarchical signature of Sect. 4. By preparing extractable Groth-Sahai CRSes \(({{\varvec{u}}}_\mathbf{1},{{\varvec{u}}}_\mathbf{2})\) and \(({\hat{{\varvec{u}}}_\mathbf{1}},{\hat{{\varvec{u}}}_\mathbf{2}})\), the reduction can always turn a full traceability adversary (see [12] for a definition) into a forger for the hierarchical signature. The proof is straightforward and the details are omitted.
Theorem 6
The scheme provides full anonymity assuming that: (i) The SXDH assumption holds in \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\); (ii) \(\mathsf {CMhash}\) is a collision-resistant chameleon hash function. (The proof is given in the full version of the paper.)
In the full version of the paper, we extend the above system to obtain dynamic group signatures based on the SXDH and XDLIN\(_2\) assumptions. The signature length is only 1.8 kB, which gives us the shortest dynamic group signatures based on constant-size assumptions to date. The construction builds on our structure-preserving signature and the encryption scheme of Sect. 6 in a modular manner. Detailed efficiency comparisons are given in the full paper.
Acknowledgements
The first author’s work was supported by the “Programme Avenir Lyon Saint-Etienne de l’Université de Lyon” in the framework of the programme “Investissements d’Avenir” (ANR-11-IDEX-0007). The second author was supported by the European Research Council (FP7/2007-2013 Grant Agreement no. 339563 CryptoCloud). Part of this work of the third author was done while visiting the Simons Institute for the Theory of Computing, U.C. Berkeley.
References
 1. Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 4–24. Springer, Heidelberg (2012)
 2. Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)
 3. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
 4. Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011)
 5. Abe, M., Groth, J., Ohkubo, M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 628–646. Springer, Heidelberg (2011)
 6. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 688–712. Springer, Heidelberg (2014)
 7. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Structure-preserving signatures from type II pairings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 390–407. Springer, Heidelberg (2014)
 8. Abe, M., Haralambiev, K., Ohkubo, M.: Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive: Report 2010/133 (2010)
 9. Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. Cryptology ePrint Archive: Report 2005/385 (2005)
 10. Ateniese, G., Camenisch, J.L., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 255. Springer, Heidelberg (2000)
 11. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and non-interactive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)
 12. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)
 13. Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009)
 14. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM Press (1993)
 15. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005)
 16. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
 17. Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
 18. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
 19. Boyen, X., Mei, Q., Waters, B.: Direct chosen-ciphertext security from identity-based techniques. In: ACM-CCS 2005, pp. 320–329. ACM Press (2006)
 20. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)
 21. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)
 22. Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 351–368. Springer, Heidelberg (2009)
 23. Camenisch, J., Dubovitskaya, M., Haralambiev, K.: Efficient structure-preserving signature scheme from standard assumptions. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 76–94. Springer, Heidelberg (2012)
 24. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)
 25.Cathalo, J., Libert, B., Yung, M.: Group encryption: noninteractive realization in the standard model. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 179–196. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 26.Chase, M., Kohlweiss, M.: A new hashandsign approach and structurepreserving signatures from DLIN. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 131–148. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 27.Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991) CrossRefGoogle Scholar
 28.Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, p. 13. Springer, Heidelberg (1998) CrossRefGoogle Scholar
 29.Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure publickey encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, p. 45. Springer, Heidelberg (2002) CrossRefGoogle Scholar
 30.Delerablée, C., Pointcheval, D.: Dynamic fully anonymous short group signatures. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 193–210. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 31.Fuchsbauer, G.: Automorphic signatures in bilinear groups and an application to roundoptimal blind signatures. Cryptology ePrint Archive: Report 2009/320 (2009)Google Scholar
 32.Gerbush, M., Lewko, A., O’Neill, A., Waters, B.: Dual form signatures: an approach for proving security from static assumptions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 25–42. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 33.Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 179–197. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 34.Groth, J., Ostrovsky, R., Sahai, A.: Perfect noninteractive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 35.Groth, J.: Simulationsound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 36.Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 37.Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 38.Hofheinz, D., Jager, T.: Tightly secure signatures and publickey encryption. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 39.Hemenway, B., Libert, B., Ostrovsky, R., Vergnaud, D.: Lossy encryption: constructions from general assumptions and efficient selective opening chosen ciphertext security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 70–88. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 40.Jutla, C.S., Roy, A.: Shorter quasiadaptive NIZK proofs for linear subspaces. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 1–20. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 41.Jutla, C.S., Roy, A.: Switching lemma for bilinear tests and constantsize NIZK proofs for linear subspaces. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 295–312. Springer, Heidelberg (2014) Google Scholar
 42.Kiayias, A., Yung, M.: Secure scalable group signature with dynamic joins and separable authorities. Int. J. Secur. Netw. (IJSN) 1(1/2), 24–45 (2006)CrossRefGoogle Scholar
 43.Kiltz, E., Mityagin, A., Panjwani, S., Raghavan, B.: Appendonly signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 434–445. Springer, Heidelberg (2005) CrossRefGoogle Scholar
 44.Kiltz, E.: Chosenciphertext security from tagbased encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006) CrossRefGoogle Scholar
 45.Kiltz, E., Pan, J., Wee, H.: Structurepreserving signatures from standard assumptions, revisited. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015, Part II. LNCS, vol. 9216, pp. 275295. Springer, Heidelberg (2015)Google Scholar
 46.Libert, B., Peters, T., Joye, M., Yung, M.: Linearly homomorphic structurepreserving signatures and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 289–307. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 47.Libert, B., Peters, T., Joye, M., Yung, M.: Nonmalleability from malleability: simulationsound quasiadaptive NIZK proofs and CCA2secure encryption from homomorphic signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 514–532. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 48.MacKenzie, P.D., Reiter, M.K., Yang, K.: Alternatives to nonmalleability: definitions, constructions, and applications. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 171–190. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 49.Shamir, A.: Identitybased cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) CrossRefGoogle Scholar
 50.Shoup, V.: A proposal for an ISO standard for public key encryption. Manuscript, 20 December 2001Google Scholar
 51.Waters, B.: Efficient identitybased encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) CrossRefGoogle Scholar