Abstract
We describe a new technique for conducting “partitioning arguments”. Partitioning arguments are a popular way to prove the security of a cryptographic scheme. For instance, to prove the security of a signature scheme, a partitioning argument could divide the set of messages into “signable” messages for which a signature can be simulated during the proof, and “unsignable” ones for which any signature would allow the reduction to solve a computational problem. During the security proof, we would then hope that an adversary only requests signatures for signable messages, and later forges a signature for an unsignable one.
In this work, we develop a new class of partitioning arguments from simple assumptions. Unlike previous partitioning strategies, ours is based upon an algebraic property of the partitioned elements (e.g., the signed messages), and not on their bit structure. This allows us to perform the partitioning efficiently in a “hidden” way, so that a single “slot” for a partitioning operation in the scheme can already be used to implement many different partitionings sequentially, one after the other. As a consequence, we can construct complex partitionings out of simple basic (but algebraic) partitionings in a very space-efficient way.
As a demonstration of our technique, we provide the first signature and public-key encryption schemes that achieve the following properties simultaneously: they are (almost) tightly secure under a simple assumption, and they are fully compact (in the sense that parameters, keys, and signatures, resp. ciphertexts, only comprise a constant number of group elements).
Supported by DFG grants HO 4534/2-2, HO 4534/4-1.
1 Introduction
Partitioning Arguments. Many security reductions rely on a partitioning argument. Informally, a partitioning argument divides the parts of a large system into those parts that are under the control of the simulation, and those parts into which a computational challenge can be embedded. For instance, a partitioning argument for a signature scheme could divide the set of messages into “signable messages” (for which a signature can be generated by the security reduction), and “unsignable messages” (for which any signature would solve an underlying problem). During the security reduction, we hope that an adversary only asks for the signatures of signable messages, but forges a signature for an unsignable one. Partitioning arguments are a popular means for proving the security of signature schemes (e.g., [17, 29, 35, 38]), identity-based encryption schemes (e.g., [9, 10, 14, 38]), or tightly secure cryptosystems (e.g., [6, 15, 32]).
The Complexity of Bit-based Partitioning. All of the above works (except for [10, 17], which use a programmable random oracle to implement a partitioning) partition messages or identities according to their bit representation. For instance, in the signature scheme from [29], messages are signable precisely if they do not start with a particular bit prefix. This non-algebraic approach requires a certain preparation in the scheme itself: the scheme itself must already establish certain distinctions of messages based on their bit representation. For instance, the signature scheme of [38] uses a hash function of the form \(H(M)=h_0\prod _j h_{j,M _j}\), where \(M _j\) are the bits of the signed message \(M\), and \(h_0\) and the \(h_{j,b}\) are public group elements. This leads to comparatively large public parameters or keys, in particular because all potential distinctions (based on the values of the \(M _j\)) are already present in the scheme.
Our Contribution. In this work, we develop an entirely different partitioning approach: instead of partitioning based on the bit representation, we partition according to a simple algebraic predicate. Namely, we view a message \(M\) as above as a \(\mathbb {Z} _p\)-element, and consider various Legendre symbols \(L_j=\big (\frac{f _j(M)}{p}\big ) \) for different affine functions \(f _j\). Taken together, sufficiently many \(L_j\) uniquely determine \(M\), but the computation of each \(L_j\) can be encoded as a series of \(\mathbb {Z} _p\)-operations.^{Footnote 1} Intuitively, this algebraic property allows us to “internalize” and hide the computations of the \(L_j\), e.g., by hiding the \(f _j\) inside a homomorphic commitment. As a consequence, only one “universal” partitioning (according to a single \(L_j\)) needs to be performed in the scheme itself; in the analysis, several simple partitionings can then be implemented sequentially, by varying the \(f _j\).
Comparison with Previous Partitioning Techniques. Compared to previous, bit-based partitioning approaches, our new strategy has the advantage that it simultaneously leads to compact schemes and to a tight security reduction. Previous partitioning strategies were either based on more complex partitionings (such as [9, 29, 35, 38]) that lead to a non-tight security reduction, or on a sequence of simple bit-based partitionings (such as [6, 15, 32]) that lead to large public parameters or keys. In contrast, we support many simple algebraic partitionings (and thus a tight security reduction), but we occupy only one “partitioning slot” in the public parameters. This leads to tightly secure and very compact applications, as we will detail next.
Applications. Specifically, we demonstrate the usefulness of our partitioning technique by describing the first (almost) tightly secure signature and PKE schemes that are fully compact, in the sense that parameters, keys, and signatures (resp. ciphertexts) only contain a constant number of group elements. Our security reduction loses only a factor of \(\mathbf {O} (k)\), where \(k\) is the security parameter. In particular, our security reduction does not degrade in the number of users or signatures, resp. ciphertexts. The security of our schemes is based upon the Decisional Diffie-Hellman (DDH) assumption in both preimage groups of a pairing. (This assumption is also called “Symmetric External Diffie-Hellman” or SXDH.) Tables 1 and 2 give a more detailed comparison with existing schemes.
In the following, we give more details on our techniques and results. To do so, we start with a little background concerning our applications.
Tight Security Reductions. To argue for the security of a given cryptographic scheme \(S\), we usually employ a security reduction. That is, we try to argue that every hypothetical adversary \(\mathcal {A} _S\) on \(S\) can be converted into an adversary \(\mathcal {A} _P\) on an allegedly hard computational problem \(P\). In that sense, the only way to break \(S\) is to solve \(P\). Of course, we are mostly interested in reductions to well-investigated problems \(P\). Furthermore, there are reasons to consider the tightness of the reduction: a tight reduction guarantees that \(\mathcal {A} _P\)’s success \(\varepsilon _P\) in solving \(P\) (in a reasonable metric) is about the same as \(\mathcal {A} _S\)’s success \(\varepsilon _S\) in attacking \(S\).
To explain the impact of a (non-)tight reduction in more detail, consider a public-key encryption (PKE) scheme \(S\) that is deployed in a many-user environment. In this setting, an adversary \(\mathcal {A} _S\) on \(S\) may observe, say, \(n_C \) ciphertexts generated for each of the, say, \(n_U\) users. Most known security reductions in this setting are non-tight, in the sense that \(\varepsilon _P\le \frac{\varepsilon _S}{n_U\cdot n_C}\). As a consequence, key-length recommendations should also take \(n_U\) and \(n_C \) into account; no “universal” key-length recommendation can be given for such a scheme. This is particularly problematic in settings that grow significantly beyond initial expectations.
Tightly Secure Encryption and Signature Schemes. The construction of tightly secure cryptographic schemes appears to be a non-trivial task. For instance, although already explicitly considered in 2000 [3], tightly secure PKE schemes have only been constructed very recently [2, 6, 15, 28, 32].^{Footnote 2, Footnote 3} Moreover, the schemes from [2, 28] have rather large ciphertexts, and the schemes induced by [6, 15] and from [32] require large parameters (but offer small keys and ciphertexts).
The situation for tightly secure signature schemes is somewhat brighter, but results are still limited. There are efficient signature schemes that are tightly secure under “\(q\)-type” [8, 16, 36] or interactive [21] assumptions, or in the random oracle model [5, 24, 30]. There are also more recent and somewhat less efficient schemes tightly secure under simple^{Footnote 4} assumptions [6, 12, 15, 28, 32] (see also [1, 2]). Some of these latter schemes can even be converted into tightly secure PKE schemes; however, all of the schemes [2, 6, 12, 15, 28, 32] suffer from asymptotically large parameters, keys, or signatures (resp. ciphertexts).
The Scheme of Chen and Wee. Our technical ideas are best presented with our signature scheme. At a very high level, we follow the strategy of Chen and Wee [15] (see also [6]), where we interpret their IBE scheme as a signature scheme using Naor’s trick [11]. In their scheme, signatures are of the form
where \( sigk \) is the secret key, \(M =(M _i)_{i=1}^n\in \{0,1\}^n\) is the bit representation of the signed message, and \(h_0,(h_{i,0},h_{i,1})_{i=1}^n\) are group elements chosen from a joint public distribution.^{Footnote 5}
During their proof of existential unforgeability (EUF-CMA security), Chen and Wee gradually modify signatures generated by the security experiment for an adversary \(\mathcal {A}\). This is done via a small hybrid argument over the bit indices of messages, and thus yields a security proof that loses a factor of \(\mathbf {O} (n)\). Concretely, in the \(i\)-th hybrid, generated signatures are of the form \(\sigma =(h_0, sigk _{M _1,\dots ,M _i}\cdot \prod _{j=1}^n h_{j,M _j})\), where \( sigk _{M _1,\dots ,M _i}=\mathcal {R}(M _1,\dots ,M _i)\) for a truly random function \(\mathcal {R}\). Similarly, a forged message-signature pair \((M ^*,\sigma ^*)\) from \(\mathcal {A}\) is only considered valid if it is consistent with \( sigk _{M ^*_1,\dots ,M ^*_i}\) (instead of \( sigk \)). In other words, in the \(i\)-th hybrid, the secret key used in signatures depends on the first \(i\) bits of the signed message.
Thus, the difference between the \((i-1)\)-th and the \(i\)-th hybrid is an additional dependency of the used secret keys on the \(i\)-th message bit \(M _i\). To progress from hybrid \(i-1\) to hybrid \(i\), Chen and Wee first partition the message space in two halves (according to \(M _i\)). Then, using an elaborate argument, they consistently modify the secret keys used for messages from one half, and thus essentially decouple those keys from the keys used for messages from the other half. This creates an additional dependency on \(M _i\). After \(n=|M|\) such steps, each signature uses a different secret key (up to multiple signatures of the same message). In particular, \(\mathcal {A}\) gets no information about the secret key \( sigk _{M ^*_1,\dots ,M ^*_n}\) used to verify its own forgery, and existential unforgeability follows.
We would like to highlight the partitioning character of their analysis: in their proof, Chen and Wee introduce more and more dependencies of signatures on the corresponding messages, and each such dependency is based upon a different partitioning of the message space.^{Footnote 6} Now observe that already regular signatures (as in (1)) feature distinctions based on all bits of \(M\). These distinctions provide the technical tool to introduce dependencies in the security proof. However, as a consequence, rather complex joint distributions need to be sampled during signature generation, which results in public parameters of \(\mathbf {O} (n)\) group elements.
Algebraic Partitioning. In a nutshell, our main technical tool is a new way to partition the message space of a signature scheme. We call this tool “algebraic partitioning.” Concretely, a signature for a message \(M \in \mathbb {Z} _p\) in our scheme consists essentially of an encryption of the secret key \(X\), along with a consistency proof:
The corresponding encryption key \( pk \) is part of the verification key \( vk \), and the consistency proof \(\pi \) proves the following statement:
“Either \(C \) encrypts the secret key \(X\), or \(f (M)\in \mathbb {Z} _p\) is a quadratic residue (or both).”
Here, \(p\) is the order of the underlying group, and \(f:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\) is an affine function fixed (but hidden) in the verification key. Implicitly, this provides a single partitioning of messages into those for which \(f (M)\) is a quadratic residue, and those for which \(f (M)\) is not. However, since \(f\) is hidden, many partitionings can be induced (one after the other) by varying \(f\) during a proof.
In fact, during the security proof, this partitioning will fulfill the same role as the bit-based partitioning in the analysis of Chen and Wee. In particular, it will help to introduce additional dependencies of the signature on the message. More specifically, in the \(i\)-th hybrid of the security proof, \(C \) will not encrypt \(X\), but a value \(X _{M}\) that depends on the \(i\) Legendre symbols \(\big (\frac{f _j(M)}{p}\big ) \) for randomly chosen (but fixed) affine functions \(f _1,\dots ,f _i\). Each new such dependency is introduced by first refreshing the affine function \(f\) hidden in \( vk \), and then modifying all values encrypted in signatures whenever possible (i.e., whenever \(f (M)\) is a quadratic residue).^{Footnote 7} Observe that the single explicit partitioning in regular signatures is used several times (for different \(f _j\)) to introduce many dependencies of signatures on messages in the proof. The remaining strategy can then be implemented as in [15].
Our different strategy to partition the message space results in a very compact scheme. Namely, since only one explicit partitioning step is performed in the scheme, parameters, keys, and signatures comprise only a constant number of group elements. Specifically, parameters, keys, and signatures contain \(14\), \(6\), and \(25\) group elements, respectively. Besides, our scheme is compatible with Groth-Sahai proofs [26]. Hence, when used in the construction of [28], we immediately get the first compact (in the above sense) PKE scheme that is tightly IND-CCA secure under a simple assumption.^{Footnote 8}
Different Perspective: Our Scheme as a MAC. So far, our high-level discussion can equally be used to justify a similar message authentication code (MAC), in which verification is non-public. Such a MAC can then be converted into a signature scheme, e.g., using the technique of Bellare and Goldwasser [4].^{Footnote 9} One could hope that this yields a more modular construction, possibly with a MAC as a simpler basic building block. (In particular, this approach was suggested by a reviewer.)
In this work, we still present our idea directly in terms of a signature scheme. One reason is that a MAC following the strategy described above would actually not be significantly less complex than a full signature scheme. In particular, already a MAC would require Groth-Sahai proofs. Moreover, a modular approach in the spirit of [4] would require “algebraically compatible” building blocks (to allow for an efficient and tightly secure overall scheme), and would seem to lead to a more complex presentation.
Open Problems. Besides of course obtaining more efficient (and compact) schemes, it would be interesting to apply similar ideas in the identity-based setting. Specifically, currently there is no fully compact identity-based encryption (IBE) scheme whose security can be tightly based on a standard assumption.^{Footnote 10} However, it is not obvious how to use algebraic partitioning in the identity-based setting. Specifically, it is not clear how to “derive functionality” from valid signature proofs, in the following sense.
Namely, first note that IBE schemes can be interpreted as signature schemes, in a sense noted by Naor (cf. [11]): IBE user secret keys for an identity \(M\) correspond to signatures for message \(M\), and verification simply checks whether the alleged signature works as a decryption key for identity \(M\). It is natural to use the same interpretation to try to “upgrade” a signature scheme to an IBE scheme. For this strategy, however, one must find a way to make a signature \(\sigma \) act as a decryption trapdoor, and thus to “derive functionality from \(\sigma \)” (as opposed to just checking \(\sigma \) for validity). In common discrete-log-based IBE schemes, this functionality property is achieved by the fact that a pairing operation is used to pair IBE user secret keys with ciphertext elements. The result of this pairing operation is then a common secret that is shared between encryptor and decryptor.
Our strategy, however, crucially uses quadratic \(\mathbb {Z} _p\)-equations in signatures (to implement the algebraic partitioning of messages). In particular, our signature scheme uses a pairing operation already to implement these quadratic equations (even though signatures in our scheme consist solely of group elements in the source group of the pairing). As a consequence, the pairing operation cannot be used anymore to derive a common secret shared with the encryptor. Hence, at least a straightforward way to turn our signature scheme into an IBE scheme fails.^{Footnote 11}
Roadmap. After recalling some basic definitions, we present our signature scheme in Sect. 3. In Sect. 4, we give a direct construction of a PKE scheme derived from our signature scheme. In Sect. 5, we give more details on the exact Groth-Sahai equations arising from the consistency proofs of signatures and ciphertexts. In Appendix A, we provide additional illustrations for the proof of our signature scheme.
2 Preliminaries
Notation. Throughout the paper, \(k\in \mathbb {N} \) denotes the security parameter. For \(n\in \mathbb {N} \), let \([n]:=\{1,\ldots ,n\}\). For a finite set \(S\), we denote with \(s\leftarrow S\) the process of sampling \(s\) uniformly from \(S\). For a probabilistic algorithm \(A\), we denote with \(y\leftarrow A(x;R)\) the process of running \(A\) on input \(x\) and with randomness \(R\), and assigning \(y\) the result. We write \(y\leftarrow A(x)\) for \(y\leftarrow A(x;R)\) with uniformly chosen \(R\), and we write \(A(x)=y\) for the event that \(A(x;R)\) (for uniform \(R\)) outputs \(y\). If \(A\)’s running time is polynomial in \(k\), then \(A\) is called probabilistic polynomial-time (PPT). A function \(f:\mathbb {N} \rightarrow \mathbb {R} \) is negligible if it vanishes faster than the inverse of any polynomial (i.e., if \(\forall c\,\exists k_0\,\forall k\ge k_0:f(k)\le 1/k^c\)).
Collision-Resistant Hashing. A hash function generator is a PPT algorithm \(\mathcal {H}\) that, on input \(1^k\), outputs (the description of) an efficiently computable function \(\mathrm {H}:\{0,1\}^*\rightarrow \{0,1\}^k\).
Definition 1
(Collision-Resistance). We say that a hash function generator \(\mathcal {H}\) outputs collision-resistant functions \(\mathrm {H}\) (or, when the reference to \(\mathcal {H}\) is clear, that such an \(\mathrm {H}\) is collision-resistant), if
is negligible for every PPT adversary \(\mathcal {A}\).
Signature Schemes. A signature scheme \(\mathrm {SIG}\) consists of four PPT algorithms \(\mathrm {SPars},\mathrm {SGen},\mathrm {Sig},\mathrm {Ver} \). Parameter generation \(\mathrm {SPars} (1^k)\) outputs public parameters \( spp \) that are shared among all users. Key generation \(\mathrm {SGen} ( spp )\) takes public parameters \( spp \), and outputs a verification key \( vk \) and a signing key \( sigk \). The signature algorithm \(\mathrm {Sig} ( spp , sigk ,M)\) takes public parameters \( spp \), a signing key \( sigk \), and a message \(M\), and outputs a signature \(\sigma \). Verification \(\mathrm {Ver} ( spp , vk ,M,\sigma )\) takes public parameters \( spp \), a verification key \( vk \), a message \(M\), and a potential signature \(\sigma \), and outputs a verdict \(b\in \{0,1\}\). For correctness, we require that \(\mathrm {Ver} ( spp , vk ,M,\sigma )=1\) always and for all \(M\), all \( spp \leftarrow \mathrm {SPars} (1^k)\), all \(( vk , sigk )\leftarrow \mathrm {SGen} ( spp )\), and all \(\sigma \leftarrow \mathrm {Sig} ( spp , sigk ,M)\). For the sake of readability, we will omit the public parameters \( spp \) from invocations of \(\mathrm {Sig}\) and \(\mathrm {Ver}\) when the reference is clear.
Definition 2
(Multi-user (One-Time) Existential Unforgeability). Let \(\mathrm {SIG}\) be a signature scheme as above, and consider the following experiment for an adversary \(\mathcal {A}\):
1. \(\mathcal {A}\) specifies (in unary) the number \(n_U\in \mathbb {N} \) of desired scheme instances.
2. The experiment then samples parameters \( spp \leftarrow \mathrm {SPars} (1^k)\) as well as \(n_U\) keypairs \(( vk ^{(\ell )}, sigk ^{(\ell )})\leftarrow \mathrm {SGen} ( spp )\).
3. \(\mathcal {A}\) is invoked on input \((1^k, spp ,( vk ^{(\ell )})_{\ell =1}^{n_U})\), and gets access to signing oracles \(\mathrm {Sig} ( sigk ^{(\ell )},\cdot )\) for all \(\ell \in [n_U]\). Finally, \(\mathcal {A}\) outputs an index \(\ell ^*\in [n_U]\) and a potential forgery \((M ^*,\sigma ^*)\).
4. \(\mathcal {A}\) wins iff \(\mathrm {Ver} ( vk ^{(\ell ^*)},M ^*,\sigma ^*)=1\) and \(M ^*\) was not queried to \(\mathrm {Sig} ( sigk ^{(\ell ^*)},\cdot )\).
Let \(\mathrm {Adv}^{ euf\text{-}mcma }_{\mathrm {SIG},\mathcal {A}} (k)\) denote the probability that \(\mathcal {A}\) wins in the above experiment. We say that \(\mathrm {SIG}\) is existentially unforgeable under chosen-message attacks in the multi-user setting (EUF-mCMA secure) iff \(\mathrm {Adv}^{ euf\text{-}mcma }_{\mathrm {SIG},\mathcal {A}} (k)\) is negligible for every PPT \(\mathcal {A}\). Let \(\mathrm {Adv}^{ ot\text{-}euf\text{-}mcma }_{\mathrm {SIG},\mathcal {A}} (k)\) be the probability that \(\mathcal {A}\) wins in the slightly modified experiment in which only one \(\mathrm {Sig}\)-query to each scheme instance \(\ell \) is allowed. We say that \(\mathrm {SIG}\) is existentially unforgeable under one-time chosen-message attacks in the multi-user setting (OT-EUF-mCMA secure) iff \(\mathrm {Adv}^{ ot\text{-}euf\text{-}mcma }_{\mathrm {SIG},\mathcal {A}} (k)\) is negligible for every PPT \(\mathcal {A}\).
Public-key Encryption Schemes. A public-key encryption (PKE) scheme \(\mathrm {PKE}\) consists of four PPT algorithms \((\mathrm {EPars},\mathrm {EGen},\mathrm {Enc},\mathrm {Dec})\). The parameter generation algorithm \(\mathrm {EPars} (1^k)\) outputs public parameters \( epp \). Key generation \(\mathrm {EGen} ( epp )\) outputs a public key \( pk \) and a secret key \( sk \). Encryption \(\mathrm {Enc} ( epp , pk ,M)\) takes parameters \( epp \), a public key \( pk \), and a message \(M\), and outputs a ciphertext \(C \). Decryption \(\mathrm {Dec} ( epp , sk ,C)\) takes public parameters \( epp \), a secret key \( sk \), and a ciphertext \(C \), and outputs a message \(M\). For correctness, we require \(\mathrm {Dec} ( epp , sk ,C)=M \) always and for all \(M\), all \( epp \leftarrow \mathrm {EPars} (1^k)\), all \(( pk , sk )\leftarrow \mathrm {EGen} ( epp )\), and all \(C \leftarrow \mathrm {Enc} ( epp , pk ,M)\). As with signatures, we usually omit the public parameters \( epp \) from invocations of \(\mathrm {Enc}\) and \(\mathrm {Dec}\).
Definition 3
(Multi-user, Multi-challenge Indistinguishability of Ciphertexts). For a public-key encryption scheme \(\mathrm {PKE}\) and an adversary \(\mathcal {A}\), consider the following security experiment \(\mathrm {Exp}^{ ind\text{-}mcca }_{\mathrm {PKE},\mathcal {A}} (k)\):
1. \(\mathcal {A}\) specifies (in unary) the number \(n_U\in \mathbb {N} \) of desired scheme instances.
2. The experiment samples parameters \( epp \leftarrow \mathrm {EPars} (1^k)\), and \(n_U\) keypairs through \(( pk ^{(\ell )}, sk ^{(\ell )})\leftarrow \mathrm {EGen} ( epp )\), and uniformly chooses a bit \(b\leftarrow \{0,1\}\).
3. \(\mathcal {A}\) is invoked on input \((1^k, epp ,( pk ^{(\ell )})_{\ell =1}^{n_U})\), and gets access to challenge oracles \(\mathcal {O}^{(\ell )} \) and decryption oracles \(\mathrm {Dec} ( sk ^{(\ell )},\cdot )\) for all \(\ell \in [n_U]\). Here, challenge oracle \(\mathcal {O}^{(\ell )} \), on input two messages \(M _0,M _1\), outputs an encryption \(C \leftarrow \mathrm {Enc} ( pk ^{(\ell )},M _b)\) of \(M _b\).
4. Finally, \(\mathcal {A}\) outputs a bit \(b'\), and the experiment outputs \(1\) iff \(b=b'\).
A PPT adversary \(\mathcal {A}\) is valid if every pair \((M _0,M _1)\) of messages submitted to an \(\mathcal {O}^{(\ell )} \) by \(\mathcal {A}\) satisfies \(|M _0|=|M _1|\), and if \(\mathcal {A}\) never submits any challenge ciphertext (previously received from an \(\mathcal {O}^{(\ell )} \)) to the corresponding decryption oracle \(\mathrm {Dec} ( sk ^{(\ell )},\cdot )\). Let
We say that \(\mathrm {PKE}\) has indistinguishable ciphertexts under chosen-ciphertext attacks in the multi-user, multi-challenge setting (short: is IND-mCCA secure) iff \(\mathrm {Adv}^{ ind\text{-}mcca }_{\mathrm {PKE},\mathcal {A}} (k)\) is negligible for all valid \(\mathcal {A}\). Let \(\mathrm {Adv}^{ ind\text{-}mcpa }_{\mathrm {PKE},\mathcal {A}} \) be defined similarly, except that \(\mathcal {A}\) has no access to any \(\mathrm {Dec}\) oracles. \(\mathrm {PKE}\) has indistinguishable ciphertexts under chosen-plaintext attacks in the multi-user, multi-challenge setting (short: is IND-mCPA secure) iff \(\mathrm {Adv}^{ ind\text{-}mcpa }_{\mathrm {PKE},\mathcal {A}} (k)\) is negligible for all valid \(\mathcal {A}\).
Quadratic Residues and Legendre Symbols. Let \(p\) be a prime. Then, \(\mathrm {QR} _p\subseteq \mathbb {Z} _p^*\) is the set of quadratic residues modulo \(p\), i.e., the set of all \(x\in \mathbb {Z} _p^*\) for which an \(r\in \mathbb {Z} _p^*\) with \(r^2=x~\mathrm{mod}~p\) exists. Given \(p\) and an \(x\in \mathrm {QR} _p\), such an \(r\) can be computed efficiently. For \(x\in \mathbb {Z} _p\), we let \(\big (\frac{x}{p}\big ) =x^{\frac{p-1}{2}}~\mathrm{mod}~p\) denote the Legendre symbol of \(x\) modulo \(p\) (where we identify the residue \(p-1\) with \(-1\)). We have \(\big (\frac{x}{p}\big ) \in \{-1,0,1\}\), and in particular \(\big (\frac{x}{p}\big ) =1\,\Leftrightarrow \, x\in \mathrm {QR} _p\), as well as \(\big (\frac{x}{p}\big ) =0\,\Leftrightarrow \, x=0\), and \(\big (\frac{x}{p}\big ) =-1\,\Leftrightarrow \, x\in \mathbb {Z} _p^*\setminus \mathrm {QR} _p\).
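To make the algebraic partitioning of Sect. 1 concrete (the Legendre symbol as a \(\mathbb {Z} _p\)-computation, the split of \(\mathbb {Z} _p\) induced by an affine \(f\), the square root the reduction needs to open the “\(f (M)\in \mathrm {QR} _p\)” branch, and the claim that sufficiently many symbols \(L_j\) determine \(M\)), here is an added Python example. It is not code from the paper; the toy prime \(p=1009\), the affine functions, the seed and all function names are constructed for illustration only, and the prime is far too small for any real use.

```python
import random


def legendre(x, p):
    """Legendre symbol (x/p) = x^((p-1)/2) mod p, returned as -1, 0 or 1."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def sqrt_mod(x, p):
    """Square root of a quadratic residue x modulo a prime p (Tonelli-Shanks).
    This is what a simulator needs to justify the 'f(M) is a QR' branch of
    the OR-proof: an r with r^2 = f(M), rather than the secret key."""
    x %= p
    if x == 0:
        return 0
    if legendre(x, p) != 1:
        raise ValueError("not a quadratic residue")
    if p % 4 == 3:
        return pow(x, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while legendre(z, p) != -1:       # any non-residue works
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(x, q, p), pow(x, (q + 1) // 2, p)
    while t != 1:
        i, tt = 0, t
        while tt != 1:
            tt, i = tt * tt % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def partition(f, p):
    """Split Z_p by the affine function f = (a, b), f(M) = a*M + b:
    'signable' messages have f(M) in QR_p, all others are 'unsignable'
    (the single M with f(M) = 0 is unsignable, since 0 is not in QR_p).
    For a != 0, M -> f(M) is a bijection, so exactly (p-1)/2 are signable."""
    a, b = f
    signable = [M for M in range(p) if legendre(a * M + b, p) == 1]
    unsignable = [M for M in range(p) if legendre(a * M + b, p) != 1]
    return signable, unsignable


def fingerprint(M, fs, p):
    """The vector (L_1, ..., L_n) of Legendre symbols (f_j(M)/p)."""
    return tuple(legendre(a * M + b, p) for a, b in fs)


def is_injective(p, fs):
    return len({fingerprint(M, fs, p) for M in range(p)}) == p


def functions_needed(p, seed=1):
    """Draw random affine f_1, f_2, ... (a in Z_p^*, b in Z_p) until the map
    M -> (L_1, ..., L_n) is injective on Z_p, and return that list.  Each new
    f_j separates a surviving pair M != M' with probability about 1/2, so
    roughly 2*log2(p) functions suffice; this is the sense in which
    'sufficiently many L_j uniquely determine M'."""
    rng = random.Random(seed)          # fixed seed: constructed, reproducible example
    fs, fps = [], {M: () for M in range(p)}
    while len(set(fps.values())) < p:
        f = (rng.randrange(1, p), rng.randrange(p))
        fs.append(f)
        fps = {M: fp + (legendre(f[0] * M + f[1], p),) for M, fp in fps.items()}
    return fs
```

Note that each hidden \(f\) yields a fresh split of the message space into halves, which is the single “partitioning slot” the scheme exposes; the proof re-uses it by changing \(f\). The Tonelli-Shanks branch handles \(p\equiv 1 \pmod 4\); for \(p\equiv 3\pmod 4\) a single exponentiation suffices.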
Group and Pairing Generators. A group generator \(\mathcal {G}\) is a PPT algorithm that, on input \(1^k\), outputs the description of a group \(\mathbb {G}\), along with its (prime) order \(p\), and a generator \(g \) of \(\mathbb {G}\). A pairing generator \(\mathcal {P}\) is a PPT algorithm that, on input \(1^k\), outputs descriptions of:
- three groups \(\mathbb {G},\mathbb {\hat{G}},\mathbb {G}_T \) of the same prime order \(p\), along with \(p\), and generators \(g,\hat{g} \) of \(\mathbb {G},\mathbb {\hat{G}} \),
- a bilinear map \(e:\mathbb {G} \times \mathbb {\hat{G}} \rightarrow \mathbb {G}_T \) that is non-degenerate in the sense of \(e (g,\hat{g})\ne 1\in \mathbb {G}_T \).
Occasionally, it will also be useful to consider a pairing generator \(\mathcal {P}\) as a group generator (that only outputs \((\mathbb {G},p,g)\) or \((\mathbb {\hat{G}},p,\hat{g})\)).
Assumption 1
(Decisional Diffie-Hellman). For a group generator \(\mathcal {G}\) and an adversary \(\mathcal {A}\), let \(\mathrm {Adv}^{ ddh }_{\mathcal {G},\mathcal {A}} (k)\) be the following difference:
Here, the probability is over \((\mathbb {G},p,g)\leftarrow \mathcal {G} (1^k)\) and uniformly chosen \(x,y,z\in \mathbb {Z} _p\). We say that the Decisional Diffie-Hellman (DDH) assumption holds with respect to \(\mathcal {G}\) iff \(\mathrm {Adv}^{ ddh }_{\mathcal {G},\mathcal {A}} \) is negligible for every PPT \(\mathcal {A}\). When the reference to \(\mathcal {G}\) is clear, we also say that the DDH assumption holds in \(\mathbb {G}\) (and write \(\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {A}}\)). On occasion, we might also say that the DDH assumption holds in groups \(\mathbb {G}\) or \(\mathbb {\hat{G}}\) sampled by a pairing generator, with the obvious meaning.
ElGamal Encryption. The ElGamal encryption scheme \(\mathrm {PKE}_{\mathrm {eg}}\) is defined as follows, where we assume a suitable group generator \(\mathcal {G}\).
- \(\mathrm {EPars}_{\mathrm {eg}} (1^k)\) runs \((\mathbb {G},p,g)\leftarrow \mathcal {G} (1^k)\) and outputs \( epp =(\mathbb {G},p,g)\).
- \(\mathrm {EGen}_{\mathrm {eg}} ( epp )\) picks a uniform \( sk \leftarrow \mathbb {Z} _p\), sets \( pk =g^{ sk } \), and outputs \(( pk , sk )\).
- \(\mathrm {Enc}_{\mathrm {eg}} ( pk ,M)\), for \(M \in \mathbb {G} \), picks an \(R \leftarrow \mathbb {Z} _p\), and outputs \(C =(g^{R}, pk ^{R}\cdot M)\).
- \(\mathrm {Dec}_{\mathrm {eg}} ( sk ,C)\), for \(C =(C _1,C _2)\in \mathbb {G} ^2\), outputs \(M =C _2/C _1^{ sk }\).
The ElGamal scheme is tightly IND-mCPA secure under the DDH assumption in \(\mathbb {G}\). Concretely, for every valid IND-mCPA adversary \(\mathcal {A}\), there is a DDH adversary \(\mathcal {B}\) (of roughly the same complexity as the IND-mCPA experiment with \(\mathcal {A}\)) with \(\mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {B}} (k)=\mathrm {Adv}^{ ind\text{-}mcpa }_{\mathrm {PKE}_{\mathrm {eg}},\mathcal {A}} (k)\).
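The tightness claim for ElGamal rests on the random self-reducibility of DDH: one DDH tuple \((g,g^x,g^y,g^z)\) can be re-randomized into independent-looking public keys for all \(n_U\) users and into all \(n_C\) challenge ciphertexts per user, so the reduction loses no factor in \(n_U\) or \(n_C\). The following added Python example (not code from the paper) implements ElGamal over a toy prime-order subgroup together with that multi-user embedding. The parameters \(P=1019\), \(Q=509\), \(G=4\), the seeds and all function names are constructed for the example, and the group is far too small to be secure; the brute-force discrete log is only there to check tuples in the toy group.

```python
import random

# Toy parameters (constructed for this example, far too small for real use):
# P is a safe prime, P = 2*Q + 1, and G = 4 generates the order-Q subgroup of
# quadratic residues modulo P.  Messages are elements of that subgroup.
P, Q, G = 1019, 509, 4


def keygen(rng):
    sk = rng.randrange(1, Q)
    return pow(G, sk, P), sk                      # (pk = g^sk, sk)


def encrypt(pk, m, rng):
    r = rng.randrange(1, Q)
    return pow(G, r, P), pow(pk, r, P) * m % P    # (g^r, pk^r * m)


def decrypt(sk, c):
    c1, c2 = c
    # c1 lies in the order-Q subgroup, so c1^(Q - sk) = c1^(-sk).
    return c2 * pow(c1, Q - sk, P) % P


def dlog(h):
    """Brute-force discrete log in the toy group; used only to check tuples."""
    for e in range(Q):
        if pow(G, e, P) == h:
            return e
    raise ValueError("element not in the subgroup")


def is_dh_tuple(X, Y, Z):
    return pow(Y, dlog(X), P) == Z


def embed_user(X, rng):
    """Derive one user's public key from the single DDH element X = g^x:
    pk = X^a * g^c = g^(a*x + c).  The reduction keeps (a, c) but never learns x."""
    a, c = rng.randrange(1, Q), rng.randrange(Q)
    return pow(X, a, P) * pow(G, c, P) % P, (a, c)


def embed_challenge(X, Y, Z, user, m, rng):
    """Challenge ciphertext for message m under the user's derived key, built
    from the tuple (X, Y, Z) = (g^x, g^y, g^z).  With x' = a*x + c and
    y' = b*y + d:
        Y' = Y^b * g^d                          = g^(y')
        Z' = Z^(ab) * X^(ad) * Y^(cb) * g^(cd)  = g^(x'y' + ab(z - xy))
    If z = xy this is a genuine ElGamal encryption (Y', Z'*m) of m under
    pk = g^(x').  If z is random, ab(z - xy) is a nonzero uniform offset, so
    Z' is uniform and the ciphertext carries no information about m."""
    a, c = user
    b, d = rng.randrange(1, Q), rng.randrange(Q)
    Y2 = pow(Y, b, P) * pow(G, d, P) % P
    Z2 = (pow(Z, a * b, P) * pow(X, a * d, P)
          * pow(Y, c * b, P) * pow(G, c * d, P)) % P
    return Y2, Z2 * m % P


def roundtrip(seed=1):
    """Plain ElGamal correctness on one constructed key pair and message."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = pow(G, 42, P)
    return decrypt(sk, encrypt(pk, m, rng)) == m


def reduction_demo(real, n_users=3, n_chal=2, seed=7):
    """Embed one DDH tuple into n_users keys and n_chal challenges per user.
    Returns True iff every derived ciphertext decrypts, under the derived
    secret key x' = a*x + c, to the message it was built for; this happens
    exactly when the tuple is a real DH tuple."""
    rng = random.Random(seed)                     # fixed seed: constructed example
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)
    z = x * y % Q if real else (x * y + rng.randrange(1, Q)) % Q
    X, Y, Z = pow(G, x, P), pow(G, y, P), pow(G, z, P)
    ok = True
    for _ in range(n_users):
        pk, (a, c) = embed_user(X, rng)
        sk = (a * x + c) % Q                      # known here only because we chose x
        assert pk == pow(G, sk, P)
        for j in range(n_chal):
            m = pow(G, 10 + j, P)
            ok &= decrypt(sk, embed_challenge(X, Y, Z, (a, c), m, rng)) == m
    return ok
```

`reduction_demo(True)` returns `True` because every embedded ciphertext is a genuine encryption under the derived key, so the simulation is perfect; `reduction_demo(False)` returns `False` because each derived \(Z'\) is off by the nonzero exponent \(ab(z-xy)\), making every challenge independent of the encrypted message. A distinguisher between the two cases is exactly a DDH distinguisher, with no loss in the number of users or challenges.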
Groth-Sahai Proofs. In a setting with a pairing generator, Groth-Sahai proofs [26] provide a very versatile and efficient way to prove the satisfiability of very general classes of equations over \(\mathbb {G}\) and \(\mathbb {\hat{G}}\). We will not need them in full generality, and the next definition only captures a number of abstract properties of Groth-Sahai proofs we will use. In particular, we will not formalize the exact classes of languages amenable to Groth-Sahai proofs. (For the exact languages used in our application, however, we give more details in Sect. 5.1.) Like [18, 19], we formalize Groth-Sahai proofs as commit-and-prove systems:
Definition 4
(GS Proofs [26]). The Groth-Sahai proof system for a given pairing generator \(\mathcal {P}\) consists of the following PPT algorithms, where \( gpp \) denotes group parameters sampled by \(\mathcal {P}\).
- Common Reference Strings. \(\mathrm {HGen} ( gpp )\) and \(\mathrm {BGen} ( gpp )\) sample hiding, resp. binding common reference strings (CRSs) \(\mathrm {CRS}\).
- Commitments. For a (hiding or binding) CRS \(\mathrm {CRS}\) and a \(\mathbb {G}\)-, \(\mathbb {\hat{G}}\)-, or \(\mathbb {Z} _p\)-element \(v\), the commitment algorithm \(\mathrm {Com} ( gpp ,\mathrm {CRS},v;R)\) outputs a commitment \(C\), where \(R\) denotes the used random coins.
- Proofs. Let \(\mathrm {CRS}\) be a CRS, and let \(\mathcal {X}\) be a system of equations. Each equation may be over \(\mathbb {G}\), \(\mathbb {\hat{G}}\), or \(\mathbb {Z} _p\), and involve variables and constants. Let \((v _i)_i\) be a variable assignment that satisfies \(\mathcal {X}\), and let \((R _i)_i\) be a vector of random coins for \(\mathrm {Com}\). Then \(\mathrm {Prove} ( gpp ,\mathrm {CRS},\mathcal {X},(v _i,R _i)_i)\) outputs a proof \(\pi \).
- Verification. For a CRS \(\mathrm {CRS}\), a system \(\mathcal {X}\) of equations, a commitment vector \((C_i)_i\) to an assignment of the variables in \(\mathcal {X}\), and a proof \(\pi \), the verification algorithm \(\mathrm {Verify} ( gpp ,\mathrm {CRS},\mathcal {X},(C_i)_i,\pi )\) outputs a verdict \(b\in \{0,1\}\).
- Simulation. For a hiding CRS generated as \(\mathrm {CRS} \leftarrow \mathrm {HGen} ( gpp ;R _{\mathrm {CRS}})\), a system \(\mathcal {X}\) of equations, and a vector \((R _i)_i\) of commitment random coins, we have that \(\mathrm {Sim} ( gpp ,R _{\mathrm {CRS}},\mathcal {X},(R _i)_i)\) outputs a simulated proof \(\pi \).
As with signatures and encryption, we usually omit the group parameters \( gpp \) on invocations of \(\mathrm {Com},\mathrm {Prove},\mathrm {Verify},\mathrm {Sim} \) when the reference is clear.
Theorem 1
(Properties of GS Proofs [26]). The algorithms from Definition 4 satisfy the following for all choices of group parameters \( gpp \leftarrow \mathcal {P} (1^k)\) (unless noted otherwise):

Homomorphic Commitments. For any (hiding or binding) CRS \(\mathrm {CRS}\), any two given commitments \(\mathrm {Com} (\mathrm {CRS},v;R)\) and \(\mathrm {Com} (\mathrm {CRS},v ';R ')\) to \(\mathbb {G}\)-elements \(v,v '\) allow to efficiently compute a commitment \(\mathrm {Com} (\mathrm {CRS},v \cdot v ';R \cdot R ')\) to \(v \cdot v '\). (Note that the corresponding random coins \(R \cdot R '\) can be efficiently computed from \(R\) and \(R '\).) The same holds for two commitments to \(\mathbb {\hat{G}}\)-elements, and two commitments to \(\mathbb {Z} _p\)-elements (where the homomorphic operation on \(\mathbb {Z} _p\)-elements is addition).

DualMode Commitments. Consider a commitment \(C\leftarrow \mathrm {Com} (\mathrm {CRS},v;R)\). If \(\mathrm {CRS}\) is binding, then C uniquely determines \(v\), and if \(\mathrm {CRS}\) is hiding, then the distribution of C does not depend on \(v\).

CRS Indistinguishability. For every PPT adversary \(\mathcal {A}\), there are PPT adversaries \(\mathcal {A} _1\) and \(\mathcal {A} _2\) with
$$\begin{aligned}&\left| \Pr \left[ {\mathcal {A} (1^{k},\mathrm {HGen} ( gpp ))=1}\right] - \Pr \left[ {\mathcal {A} (1^{k},\mathrm {BGen} ( gpp ))=1}\right] \right| \\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \le \left| \mathrm {Adv}^{ ddh }_{\mathbb {G},\mathcal {A} _1} (k) \right| + \left| \mathrm {Adv}^{ ddh }_{\mathbb {\hat{G}},\mathcal {A} _2} (k) \right| , \end{aligned}$$where the probability is over \( gpp \leftarrow \mathcal {P} (1^k)\), and the random coins of \(\mathrm {HGen}\), \(\mathrm {BGen}\), and \(\mathcal {A}\).

Perfect Completeness. For every (hiding or binding) CRS \(\mathrm {CRS}\), every system \(\mathcal {X}\) of equations, every satisfying assignment \((v _i)_i\) of \(\mathcal {X}\), and every possible vector \((C_i)_i\) of commitments generated through \(C_i\leftarrow \mathrm {Com} (\mathrm {CRS},v _i;R _i)\), we have \(\mathrm {Verify} (\mathrm {CRS},\mathcal {X},(C_i)_i,\mathrm {Prove} (\mathrm {CRS},\mathcal {X},(v _i,R _i)_i))=1\) with probability \(1\).

Perfect Soundness. For every binding CRS \(\mathrm {CRS}\), every system \(\mathcal {X}\) of equations that is not satisfiable, and every \((C_i)_i\) and \(\pi \), \(\mathrm {Verify} (\mathrm {CRS},\mathcal {X},(C_i)_i,\pi )=0\) always.

Perfect Simulation. For every hiding CRS \(\mathrm {CRS} \leftarrow \mathrm {HGen} ( gpp ;R _{\mathrm {CRS}})\), and every system \(\mathcal {X}\) of equations that is satisfied by a variable assignment \((v _i)_i\), the following two distributions are identical:
$$\begin{aligned} \bigl ( (C_i)_i,\;\mathrm {Prove} (\mathrm {CRS},\mathcal {X},(v _i,R _i)_i) \bigr )&\quad \text {for}\,\, C_i\leftarrow \mathrm {Com} (\mathrm {CRS},v _i;R _i) \text { and fresh } R _i, \\ \bigl ( (C_i)_i,\;\mathrm {Sim} (R _{\mathrm {CRS}},\mathcal {X},(R _i)_i) \bigr )&\quad \text {for}\,\, C_i\leftarrow \mathrm {Com} (\mathrm {CRS},1;R _i) \text { and fresh } R _i. \end{aligned}$$(The probability space consists of the \(R _i\) and the coins of \(\mathrm {Prove}\) and \(\mathrm {Sim}\).)
Since simulation is perfect (in the sense above), it also holds for reused commitments (i.e., when multiple adaptively chosen statements \(\mathcal {X}\) that involve the same variables and commitments are proven, see also [18]). Besides, perfect simulation directly implies perfect witness-indistinguishability (under a hiding CRS): for any two vectors \((v _i)_i\) and \((v '_i)_i\) of satisfying assignments of a given system \(\mathcal {X}\) of equations, the corresponding commitments and proofs \(((C_i)_i,\pi )\) and \(((C'_i)_i,\pi ')\) are identically distributed. Again, this holds even if the same commitments are used in several proofs for adaptively generated statements \(\mathcal {X}\).
3 The Signature Scheme
3.1 Scheme Description
Setting and Ingredients. We assume the following ingredients:

A pairing generator \(\mathcal {P}\) that outputs groups \(\mathbb {G} =\langle g \rangle \) and \(\mathbb {\hat{G}} =\langle \hat{g} \rangle \) of prime order \(p>2^{k}\) and an asymmetric pairing \(e:\mathbb {G} \times \mathbb {\hat{G}} \rightarrow \mathbb {G}_T \). We make the DDH assumption in both \(\mathbb {G}\) and \(\mathbb {\hat{G}}\).

The ElGamal encryption scheme (given by algorithms \(\mathrm {EGen}_{\mathrm {eg}},\mathrm {Enc}_{\mathrm {eg}},\mathrm {Dec}_{\mathrm {eg}} \)) over \(\mathbb {G}\). (That is, we will use \(\mathcal {P}\) in place of \(\mathrm {EPars}_{\mathrm {eg}}\) to generate the group \(\mathbb {G}\) for ElGamal.)

A Groth-Sahai proof system for \(\mathcal {P}\) (see Definition 4), given by algorithms \(\mathrm {HGen},\mathrm {BGen},\mathrm {Com},\mathrm {Prove},\mathrm {Verify},\mathrm {Sim} \).
Public Parameters. \(\mathrm {SPars} (1^k)\) samples group parameters
and sets \( epp _{\mathrm {eg}} =(\mathbb {G},p,g)\). Then, \(\mathrm {SPars}\) generates two binding Groth-Sahai CRSs and two ElGamal keypairs:
The public parameters are then defined as
Key Generation. \(\mathrm {SGen} ( spp )\) first sets up the exponents
and commits to them using fresh random coins \(R_{Z},R_{\alpha },R_{\beta } \):
We will use that \(\alpha ,\beta \) define an affine function \(f:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\) through \(f (x)=\alpha \cdot x+\beta \,\mathrm{mod}\, p\).
Verification and signing key are given by
Signature Generation. \(\mathrm {Sig} ( sigk ,M)\), for \(M \in \mathbb {Z} _p\), picks fresh random coins \(R\) and encrypts
for \(Z _0=Z _1=X \in \mathbb {Z} _p\), using the same coins \(R\) in both encryptions for efficiency. Then, \(\mathrm {Sig}\) generates proofs \(\pi _1\) and \(\pi _2\) for the respective statements
Here, \(Z _0,Z _1,Z,f \) refer to the values encrypted (resp. committed to) in \(C _0,C _1,C_{Z},(C_{\alpha },C_{\beta })\). Concretely, \(\mathrm {Sig}\) generates a proof \(\pi _1\) for \(S1\vee S2\) under \(\mathrm {CRS} _1\), using as witness \(Z _0=Z _1=X \) and the encryption coins \(R\). Also, \(\mathrm {Sig}\) computes a proof \(\pi _2\) for \(S3\) under \(\mathrm {CRS} _2\), using as witness \(X\) and \(R_{Z},R \). We stress that \(\pi _1\) and \(\pi _2\) are independently generated, with different (fresh) Groth-Sahai commitments to the respective witnesses. We describe the exact Groth-Sahai equations for these proofs in Sect. 5.1, and give some intuition on the meaning of the statements \(S1\)–\(S3\) in Sect. 3.2 below.
The signature is then defined as
Verification. \(\mathrm {Ver} ( spp , vk ,M,\sigma )\) outputs \(1\) if and only if both proofs \(\pi _1\) and \(\pi _2\) in \(\sigma \) are valid with respect to \(M,C _0,C _1,C_{Z},C_{\alpha },C_{\beta } \).
Correctness. The completeness of Groth-Sahai proofs implies the correctness of \(\mathrm {SIG}\).
Efficiency. \(\mathrm {SIG}\) has the following efficiency characteristics (cf. Section 5.1):

The public parameters consist of \(8\) \(\mathbb {G}\)- and \(6\) \(\mathbb {\hat{G}}\)-elements, plus the group parameters \( gpp \).

Each verification key contains \(2\) \(\mathbb {G}\)- and \(4\) \(\mathbb {\hat{G}}\)-elements.

Each signing key contains \(7\) \(\mathbb {Z} _p\)-exponents.

Each signature contains \(11\) \(\mathbb {G}\)- and \(14\) \(\mathbb {\hat{G}}\)-elements.
3.2 Security Analysis
More Details on the Role of \(\pi _1\) and \(\pi _2\) in Signatures. Before we proceed to the proof, we give some intuition on the proofs \(\pi _1\) and \(\pi _2\) published in signatures (and the statements \(S1\)–\(S3\)):

\(\pi _1\) proves that either \(C _0\) and \(C _1\) encrypt the same value or that the signed message satisfies a special property \(S2\) (or both). In the scheme, all messages are special in this sense (because \(f (M)=0\) for all \(M\)). However, in the proof, we can adjust \(f\) and, e.g., partition the set of messages into special and non-special ones in a random and roughly balanced way. Intuitively, this provides a means to make the double encryption \((C _0,C _1)\) inconsistent (and subsequently change the encrypted values) in signatures for special messages. At the same time, any valid adversarial forgery on a non-special message (that does not satisfy \(S2\)) must carry a consistent double encryption \((C _0,C _1)\).

In the scheme, \(\pi _2\) ties the plaintext encrypted in \(C _0\) to the master secret \(Z\). In the simulation, we will remove that connection by simulating \(\pi _2\). Specifically, recall that \(\pi _1\) and \(\pi _2\) are independently generated, using independently generated Groth-Sahai commitments to the respective witnesses. Thus, in the proof, we can simulate \(\pi _2\) without witness (by choosing a hiding \(\mathrm {CRS} _2\) and using \(\mathrm {Sim} \)), while preserving the soundness of \(\pi _1\) (assuming \(\mathrm {CRS} _1\) is binding). This simulation of \(\pi _2\) will be instrumental in changing the message encrypted in \(C _0\) (when the signed message is special in the above sense).
Theorem 2
(Security of \(\mathrm {SIG}\) ). Under the DDH assumptions in \(\mathbb {G}\) and \(\mathbb {\hat{G}}\), the signature scheme \(\mathrm {SIG}\) from Sect. 3.1 is EUF-mCMA secure. Concretely, for every EUF-mCMA adversary \(\mathcal {A}\) on \(\mathrm {SIG}\), there exist DDH adversaries \(\mathcal {B}\) and \(\mathcal {B} '\) (of roughly the same complexity as the EUF-mCMA experiment with \(\mathcal {A}\) and \(\mathrm {SIG}\)) with
for \(n=2\lceil \log _2(p)\rceil +k\), where \(p\) denotes the order of \(\mathbb {G}\) and \(\mathbb {\hat{G}}\), and \(k\) is the security parameter.
Proof Outline. The proof starts with a number of preparations for the core argument. Our main goal during this phase will be to implement an additional and explicit check of \(\mathcal {A}\) ’s forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\) for \(\mathrm {Dec}_{\mathrm {eg}} ( sk _0,C _0^*)=g^{X^{*}} \). (Note that in the default key setup, this explicit check is redundant, since valid signatures must fulfill statement \(S 3\) from (3).)
In the core argument (from Game 4 to Game 5, detailed in Lemma 1), we replace the value \(X\) used in generated signatures and the additional forgery check with a value \({\mathcal {H}}(M)\) that depends on the signed message. We start with a constant function \({\mathcal {H}}(M)=X \) (which corresponds to Game 4), and then introduce more and more dependencies of \({\mathcal {H}}(M)\) on the Legendre symbols \(\big (\frac{f _j(M)}{p}\big ) \) for independently and randomly selected (invertible) affine functions \(f _j\).
Each such dependency is introduced as follows. We start by committing to (the coefficients of) a new random function \(f ^*\) in \(C_{\alpha },C_{\beta } \). This change allows us to modify the messages \(Z _0,Z _1\) encrypted in generated signatures for all \(M\) with \(f ^*(M)\in \mathrm {QR} _p\cup \{0\}\) (and only for those \(M\)), by proving \(S 2\) (and not \(S 1\)) in signatures. We will also abort if \(\mathcal {A}\) ’s forgery satisfies \(f ^*(M ^*)\in \mathrm {QR} _p\cup \{0\}\), and we will keep enforcing our forgery check on \(C _0^*\). Hence, from \(\mathcal {A}\) ’s point of view, an additional dependency on \(\big (\frac{f ^*(M)}{p}\big ) \) is consistently introduced on all signatures. More importantly, this dependency is also enforced during the additional forgery check.
After sufficiently many such dependencies are introduced (for several different \(f ^*\)), all signatures are consistently generated with (or checked for) \(Z _0=Z _1=\mathcal {R}(M)\) for a truly random function \(\mathcal {R}\). At this point, \(\mathcal {A}\) has to predict a truly random function \(\mathcal {R}\) on a fresh input \(M ^*\) in order to produce a valid forgery. Hence, \(\mathcal {A}\) ’s forgery success must be negligible.
Figures 1 and 2 (on page 27 and page 28) give a more technical summary of the game transitions of the proof (also taking into account the notation for the multiuser case). The remainder of this section is devoted to a detailed proof.
Proof
(Proof of Theorem 2 ) We proceed in games. Let \( out _{i}\) denote the output of Game i.
Game 1 is the original EUFmCMA game with \(\mathcal {A}\) and \(\mathrm {SIG}\). Of course,
In the following, we apply a superscript to variables to denote to which \(\mathrm {SIG}\) instance they belong. For instance, we denote with \(X^{(\ell )} \) and \( sk ^{(\ell )} _0, sk ^{(\ell )} _1\) the respective values from the \(\ell \)th used \(\mathrm {SIG}\) instance. Furthermore, we write \(X^{*} \) for \(X^{(\ell ^*)} \) for the challenge instance \(\ell ^*\) selected by \(\mathcal {A}\) for his forgery, and similarly for \( sk ^{*} _0\) and \( sk ^{*} _1\).
In Game 2, we implement an additional “forgery check”. Concretely, we only consider a forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\) from \(\mathcal {A}\) as valid if \(\pi _1^*\) and \(\pi _2^*\) are valid and if \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=g^{X^{*}} \). (Otherwise, the game outputs \(0\).) This change is purely conceptual: indeed, since \(\mathrm {CRS} _2\) is binding, we can use the soundness of Groth-Sahai proofs. Thus, any valid proof \(\pi _2^*\) guarantees that \(S3\) (from (3)) holds, and so \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=g^{X^{*}} \). We obtain
In Game 3, we generate both \(\mathrm {CRS} _1\) and \(\mathrm {CRS} _2\) as hiding CRSs, using \(\mathrm {HGen}\). The CRS indistinguishability of Groth-Sahai proofs yields
for suitable DDH adversaries \(\mathcal {B} _{3}\) and \(\mathcal {B} '_{3}\). (Here, we use the rerandomizability of DDH tuples. This enables a reduction that loses only a factor of \(1\) instead of \(2\).)
In Game 4, we simulate all proofs \(\pi _2\) in signatures generated for \(\mathcal {A}\), using the Groth-Sahai simulator \(\mathrm {Sim}\) (on input the random coins \(R _{\mathrm {CRS}}\) used to prepare \(\mathrm {CRS} _2\)). We also generate the corresponding commitments \(C_{Z}\) in all verification keys as \(C_{Z} \leftarrow \mathrm {Com} (\mathrm {CRS} _2,1)\). We stress that all \(X^{(\ell )} \) are still chosen randomly, and all signatures are generated with encryptions \(C _0,C _1\) of \(X^{(\ell )} \). By the simulation property of Groth-Sahai proofs (see Theorem 1 and the following comment concerning the reuse of commitments), these changes do not affect \(\mathcal {A}\) ’s view:
In Game 5, we change the generation of signatures and the forgery check from Game 2 as follows. To describe these changes, let \(\mathcal {R}^{{(\ell )}} :\mathbb {Z} _p\rightarrow \mathbb {Z} _p^*\) (for all scheme instances \(\ell \in [n_U]\)) be truly random functions. Our changes in Game 5 are then as follows:

All signatures generated for \(\mathcal {A}\) contain encryptions \(C _0,C _1\) of exponents \(Z _0=Z _1=\mathcal {R}^{{(\ell )}}(M)\) (encoded as \(g^{Z _0},g^{Z _1} \)) instead of \(Z _0=Z _1=X^{(\ell )} \), where \(M\) is the signed message. As in Game 4, the proof \(\pi _1\) is generated using a witness for \(S1\) from (3) (namely \(Z _0=Z _1\) and the shared coins \(R\)), and the proof \(\pi _2\) is simulated with \(\mathrm {Sim}\) (recall that since Game 4, \(C_{Z}\) is a commitment to \(1\), so no witness for \(S3\) is available).

Any forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\) for a (fresh) message \(M ^*\) from \(\mathcal {A}\) is considered valid only if \(\pi _1^*\) and \(\pi _2^*\) are valid and \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {R}^*(M ^*)\) holds. Otherwise, the game outputs \(0\). (Again, we use the shorthand notation \(\mathcal {R}^*=\mathcal {R}^{({\ell ^{*}})}\) for the challenge instance \(\ell ^*\).)
In particular, the second change implies that
since \(\mathcal {R}^*(M ^*)\) is informationtheoretically hidden from \(\mathcal {A}\).
Hence, it remains to relate Game 4 and Game 5:
Lemma 1
For \(n=2\lceil \log _2(p)\rceil +k\) and suitable DDH adversaries \(\mathcal {B} _{5}\) and \(\mathcal {B} '_{5}\), we have
Before we prove Lemma 1, we remark that putting together (5–10), we obtain (4), which is sufficient to show Theorem 2.
Proof
(of Lemma 1 ) We will consider a series of hybrid games between Game 4 and Game 5. Concretely, Game 4.i (for \(i\ge 0\)) is defined like Game 4, except for the following changes:

We initially uniformly and independently choose \(i\) invertible affine functions \(f _j:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\) (for \(j\in [i]\)). The \(f _j\) define a “partial fingerprint” function \(\mathcal {L}_{i}:\mathbb {Z} _p\rightarrow \{-1,0,1\}^i\) through
$$\begin{aligned} \mathcal {L}_{i} (M) = \left( \left( \frac{f _1(M)}{p}\right) , \dots , \left( \frac{f _i(M)}{p}\right) \right) . \end{aligned}$$(11)
For every scheme instance \(\ell \in [n_U]\), let \(\mathcal {H} ^{(\ell )}_{i}:\mathbb {Z} _p\rightarrow \mathbb {Z} _p^*\) be the composition of \(\mathcal {L}_{i} \) with a truly random function \(\mathcal {R}^{{(\ell )}}_{i} :\{-1,0,1\}^i\rightarrow \mathbb {Z} _p^*\) (so that \(\mathcal {H} ^{(\ell )}_{i}(M)=\mathcal {R}^{{(\ell )}}_{i}(\mathcal {L}_{i} (M))\)).

Signatures for \(\mathcal {A}\) contain encryptions \(C _0,C _1\) of exponents \(Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)\).

Any forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\) for a (fresh) message \(M ^*\) from \(\mathcal {A}\) is considered valid only if \(\pi _1^*\) and \(\pi _2^*\) are valid and \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {H} ^{*}_{i}(M ^*)\), where \(\mathcal {H} ^{*}_{i}=\mathcal {H} ^{(\ell ^*)}_{i}\) for the challenge instance \(\ell ^*\).
Note that every \(\mathcal {H} ^{(\ell )}_{0}\) is a constant function that maps every input \(M\) to the same random value. Hence, Game 4.0 is identical to Game 4:
Conversely, for large enough \(i\) and with high probability, the “fingerprint function” \(\mathcal {L}_{i} \) becomes injective, so that all \(\mathcal {H} ^{(\ell )}_{i}\) become independent truly random functions from \(\mathbb {Z} _p\) to \(\mathbb {Z} _p^*\):
Lemma 2
For \(n=2\lceil \log _2(p)\rceil +k\), the function \(\mathcal {L}_{n} \) from (11) is injective, except with probability \(1/2^k\) (over the choice of the invertible affine functions \(f _j:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\)).
We postpone a proof of Lemma 2 for now.
Hence, the functions \(\mathcal {H} ^{(\ell )}_{n}=\mathcal {R}^{{(\ell )}}_{n}\circ \mathcal {L}_{n} \) used in Game 4.n (for \(n=2\lceil \log _2(p)\rceil +k\)) are statistically close to truly random functions \(\mathcal {R}^{{(\ell )}}\) (as used in Game 5):
The Algebraic Partitioning Step. Thus, we only need to show that there is no detectable difference between Game 4.i and Game 4.(i+1) for any \(i\). We do so using a hybrid argument (i.e., a sequence of games) that interpolates between Game 4.i and Game 4.(i+1). (See Fig. 2 for an overview.) In short, we first refresh the affine function \(f \) from \(C_{\alpha },C_{\beta } \) to a fresh random (but invertible) affine function \(f ^*\). Next, we use \(f ^*\) to implement a different treatment of signatures, depending on \(\big (\frac{f ^*(M)}{p}\big ) \). We detail these steps in the following.
Concretely, Game 4.i.0 is identical to Game 4.i. Thus,
Step 1: Refresh \(f \) . In Game 4.i.1, we initially choose an invertible affine function \(f ^*:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\) uniformly, and we abort (with output \(0\)) if the message \(M ^*\) for which \(\mathcal {A}\) finally prepares a forgery satisfies \(f ^*(M ^*)\in \mathrm {QR} _p\cup \{0\}\). We stress that \(f ^*\) is not (yet) committed to in any \(C_{\alpha },C_{\beta } \), and thus completely hidden from \(\mathcal {A}\). Hence, an abort occurs with probability \(\frac{p+1}{2p}=\frac{1}{2}+\frac{1}{2p}\), independently of \(\mathcal {A}\) ’s view, so
In Game 4.i.2, we commit to the coefficients \(f ^*_0,f ^*_1\) of \(f ^*\) from Game 4.i.1 in \(C_{\alpha },C_{\beta } \) for all verification keys (instead of the coefficients \(\alpha =\beta =0\)). Accordingly, we generate all signatures for \(\mathcal {A}\) by proving statement \(S2\) (and not \(S1\)) from (3) whenever possible (i.e., upon all signature queries with \(f ^*(M)\in \mathrm {QR} _p\cup \{0\}\)). Since \(\mathrm {CRS} _1\) is hiding, we can use the witness-indistinguishability of Groth-Sahai proofs to obtain
Step 2: Use \(f ^*\) to Decouple Signatures. To describe our change in Game 4.i.3, recall that in Game 4.i.2, the function \(\mathcal {H} ^{(\ell )}_{i}\) is used to determine both the values \(Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)\) encrypted in \(C _0,C _1\) upon signature queries, and to implement the forgery check. In Game 4.i.3, we use three such functions \(\mathcal {H} ^{(\ell )}_{i},\mathcal {Z} ^{(\ell )}_{i},\mathcal {Q} ^{(\ell )}_{i}:\mathbb {Z} _p\rightarrow \mathbb {Z} _p^*\). Each of these functions is defined like \(\mathcal {H} ^{(\ell )}_{i}\), for the same fingerprint function \(\mathcal {L}_{i} \), but with different (i.e., independently chosen) random functions \(\mathcal {R}^{{(\ell )}}_{i}\). (In other words, we can write \(\mathcal {H} ^{(\ell )}_{i}=F \circ \,\mathcal {L}_{i} \), and \(\mathcal {Z} ^{(\ell )}_{i}=F'\circ \mathcal {L}_{i} \), and \(\mathcal {Q} ^{(\ell )}_{i}=F''\circ \,\mathcal {L}_{i} \) for independently random functions \(F,F',F'':\{-1,0,1\}^i\rightarrow \mathbb {Z} _p^*\). Intuitively, thus, \(\mathcal {Z} ^{(\ell )}_{i}\) and \(\mathcal {Q} ^{(\ell )}_{i}\) are “decoupled copies” of \(\mathcal {H} ^{(\ell )}_{i}\).)
Our goal will be to use the functions \(\mathcal {H} ^{(\ell )}_{i},\mathcal {Z} ^{(\ell )}_{i},\mathcal {Q} ^{(\ell )}_{i}\) for messages \(M\) satisfying \(f ^*(M)\notin \mathrm {QR} _p\), \(f ^*(M)=0\), and \(f ^*(M)\in \mathrm {QR} _p\), respectively. (Hence the symbols \({\mathcal {Z}}\) and \({\mathcal {Q}}\).) This will be conceptually identical to using a single function \(\mathcal {H} ^{(\ell )}_{i+1}\) for all messages of a given scheme instance \(\ell \). At this point, however, we can only partially implement this strategy, since we can only replace the messages encrypted in \(C _1\), but not those from \(C _0\). (Indeed, \( sk ^{*} _0\) is still required to implement the additional forgery check in Game 4.i.3.)
Thus, in Game 4.i.3, for every scheme instance \(\ell \in [n_U]\), we use the respective function \(\mathcal {H} ^{(\ell )}_{i}\) to generate all ciphertexts \(C _0,C _1\) in signatures (as in Game 4.i.2), with the following exceptions:

For signature queries with \(f ^*(M)=0\), we encrypt \(Z _1=\mathcal {Z} ^{(\ell )}_{i}(M)\) (instead of \(Z _1=\mathcal {H} ^{(\ell )}_{i}(M)\)) in the ciphertext \(C _1\) of the generated signature.

For signature queries with \(f ^*(M)\in \mathrm {QR} _p\), we encrypt \(Z _1=\mathcal {Q} ^{(\ell )}_{i}(M)\) in \(C _1\).
Note that for signatures with \(f ^*(M)\in \mathrm {QR} _p\cup \{0\}\), the random coins used to generate \(C _1\) (or \(C _0\)) are not used as a witness in the process of constructing \(\pi \). Furthermore, no secret key \( sk ^{(\ell )} _1\) has to be known to the game. A reduction to the (tight) INDmCPA security of ElGamal yields
for a suitable DDH adversary \(\mathcal {B} _{4.i.3}\). (We note that even though the random coins \(R\) of \(C _1\) are not known explicitly to \(\mathcal {B} _{4.i.3}\), a \(C _0\) with reused \(R\) can be constructed from \( sk ^{(\ell )} _0\) and a given \(g^{R} \).)
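As an added illustration (example code written for this page, not code from the paper), the following Python sketch shows the double encryption \((C _0,C _1)\) with shared coins \(R\) from the signing algorithm of Sect. 3.1, an inconsistent pair \((C _0,C _1)\) as produced for special messages in Game 4.i.3, and the trick just mentioned of rebuilding \(C _0\) from \( sk _0\) and a given \(g^{R} \) alone. The group (the order-1019 subgroup of \(\mathbb {Z} _{2039}^*\), generator \(4\)) and all concrete values are toy parameters chosen here; they are not from the paper.

```python
"""ElGamal double encryption with shared coins, and the reduction trick of
Game 4.i.3.  Toy group: order-p subgroup of Z_q^* with q = 2p+1 a safe prime
and generator g = 4 (a square mod q).  Constants chosen for illustration."""
import secrets

Q = 2039   # safe prime q = 2p + 1
P = 1019   # prime order of the subgroup <g>
G = 4      # 4 = 2^2 is a square mod q, hence generates the order-p subgroup


def keygen() -> tuple:
    """ElGamal key pair (pk, sk) = (g^sk, sk) with sk uniform in [1, p-1]."""
    sk = secrets.randbelow(P - 1) + 1
    return pow(G, sk, Q), sk


def enc(pk: int, z: int, r: int) -> tuple:
    """Encrypt the exponent z, encoded as g^z, with coins r: (g^r, g^z * pk^r)."""
    return pow(G, r, Q), (pow(G, z, Q) * pow(pk, r, Q)) % Q


def dec(sk: int, ct: tuple) -> int:
    """Return the encoded plaintext g^z = c2 / c1^sk  (c1^(p-sk) = c1^(-sk) as ord(c1) | p)."""
    c1, c2 = ct
    return (c2 * pow(c1, P - sk, Q)) % Q


def double_enc(pk0: int, pk1: int, z0: int, z1: int, r: int) -> tuple:
    """(C_0, C_1) = (Enc(pk_0, z0; R), Enc(pk_1, z1; R)) with the same coins R.
    Sharing R means both ciphertexts carry the same first component g^R."""
    return enc(pk0, z0, r), enc(pk1, z1, r)


def consistent(sk0: int, sk1: int, c0: tuple, c1: tuple) -> bool:
    """Statement S1 as seen by a holder of both secret keys: same plaintext in C_0 and C_1?"""
    return dec(sk0, c0) == dec(sk1, c1)


def rebuild_c0(sk0: int, c1: tuple, z0: int) -> tuple:
    """Reduction trick: C_1 = (g^R, ...) came from an IND-mCPA challenger, so R is
    unknown, but pk_0^R = (g^R)^{sk_0}; hence Enc(pk_0, z0; R) is computable from sk_0."""
    g_r = c1[0]
    return g_r, (pow(G, z0, Q) * pow(g_r, sk0, Q)) % Q


def demo(r: int = 123, x: int = 77, decoupled_z1: int = 500) -> dict:
    """Run the three scenarios on fresh keys and report the checks as booleans."""
    pk0, sk0 = keygen()
    pk1, sk1 = keygen()
    # Honest signature of the scheme: Z_0 = Z_1 = X under shared coins R.
    c0, c1 = double_enc(pk0, pk1, x, x, r)
    # Game 4.i.3 for a special message: C_1 now encrypts a decoupled value, C_0 unchanged.
    c0s, c1s = double_enc(pk0, pk1, x, decoupled_z1, r)
    return {
        "shared_first_component": c0[0] == c1[0],
        "honest_consistent": consistent(sk0, sk1, c0, c1),
        "special_consistent": consistent(sk0, sk1, c0s, c1s),
        "rebuilt_matches": rebuild_c0(sk0, c1, x) == c0,
        "decrypts_to_gX": dec(sk0, c0) == pow(G, x, Q),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that `rebuild_c0` never touches \(R\): this is exactly why the reduction in Game 4.i.3 (and, with the roles of \( sk _0\) and \( sk _1\) swapped, in Game 4.i.6) can keep the coins shared between \(C _0\) and \(C _1\) even though one of the two ciphertexts is produced by the IND-mCPA challenger.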
Our next step will be to replace the values encrypted in \(C _0\) in a similar way. To do so, however, we need some preparations, since Game 4.i.3 still knows the secret keys \( sk ^{(\ell )} _0\) (to finally implement the forgery check). Fortunately, however, we can alternatively use the \( sk ^{(\ell )} _1\) to implement this check. (To see why this yields the same functionality, recall that by our abort rule from Game 4.i.1, we may restrict to forgeries with \(f ^*(M ^*)\notin \mathrm {QR} _p\cup \{0\}\). However, by (3), a valid forgery for such a message must contain \(C _0^*\) and \(C _1^*\) that encrypt the same message.)
As a first step, in Game 4.i.4, we initially generate a binding CRS \(\mathrm {CRS} _1\) (using \(\mathrm {CRS} _1\leftarrow \mathrm {BGen} ( gpp )\)). The CRS indistinguishability of Groth-Sahai proofs ensures that
for suitable DDH adversaries \(\mathcal {B} _{4.i.4}\) and \(\mathcal {B} '_{4.i.4}\).
Next, in Game 4.i.5, we implement the forgery check rule from Game 2 using \( sk ^{*} _1\) (and not \( sk ^{*} _0\)). That is, when \(\mathcal {A}\) submits a forgery \(\sigma ^*=(C _0^*,C _1^*,\pi _1^*,\pi _2^*)\), we check if \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _1,C _1^*)=\mathcal {H} ^{*}_{i}(M ^*)\) holds (and reject the forgery if not). We may assume that \(f ^*(M ^*)\notin \mathrm {QR} _p\cup \{0\}\) (since otherwise, we trivially abort anyway). But for such \(M ^*\), a valid forgery must fulfill \(S1\) from (3), since at this point, \(\mathrm {CRS} _1\) is binding. In other words, we have \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _1,C _1^*)=\mathcal {H} ^{*}_{i}(M ^*)\) if and only if \(\mathrm {Dec}_{\mathrm {eg}} ( sk ^{*} _0,C _0^*)=\mathcal {H} ^{*}_{i}(M ^*)\). Hence, the change in Game 4.i.5 is purely conceptual, and we get:
Since we no longer use \( sk ^{*} _0\) (or the random coins from any \(C _1\) generated upon a signature query), we can continue with our strategy. Specifically, in Game 4.i.6, we generate all ciphertexts \(C _0,C _1\) in signatures as follows:

For queries with \(f ^*(M)\notin \mathrm {QR} _p\), we encrypt \(Z _0=Z _1=\mathcal {H} ^{(\ell )}_{i}(M)\) in \(C _0\) and \(C _1\).

For queries with \(f ^*(M)=0\), we encrypt \(Z _0=Z _1=\mathcal {Z} ^{(\ell )}_{i}(M)\) in \(C _0\) and \(C _1\).

For queries with \(f ^*(M)\in \mathrm {QR} _p\), we encrypt \(Z _0=Z _1=\mathcal {Q} ^{(\ell )}_{i}(M)\) in \(C _0\) and \(C _1\).
Observe that the only difference to Game 4.i.5 is that the messages \(Z _0\) encrypted in ciphertexts \(C _0\) in signatures with \(f ^*(M)\in \mathrm {QR} _p\cup \{0\}\) are changed. For such encryptions, neither secret key nor random coins are used by the game. Hence, a reduction to the (tight) IND-mCPA security of ElGamal yields
for a suitable DDH adversary \(\mathcal {B} _{4.i.6}\). (Again, a reuse of random coins between \(C _0\) and \(C _1\) is possible since the secret key \( sk _1\) is known to \(\mathcal {B} _{4.i.6}\) during the reduction.)
Step 3: Clean Up. Now in Game 4.i.6, we handle both signature queries and \(\mathcal {A}\) ’s forgery with either \(\mathcal {H} ^{(\ell )}_{i}\), \(\mathcal {Z} ^{(\ell )}_{i}\), or \(\mathcal {Q} ^{(\ell )}_{i}\), depending on the Legendre symbol \(\big (\frac{f ^*(M)}{p}\big ) \) of \(f ^*(M)\). This is equivalent to handling all messages with a single function \(\mathcal {H} ^{(\ell )}_{i+1}\) by the definition of \(\mathcal {H} ^{(\ell )}_{i}\) (see also (11)). Hence, we already “almost” implement the rules of Game 4.(\(i + 1\)), and we only need to clean up things a little.
Namely, in Game 4.i.7, we again implement the forgery check from Game 2 using \( sk ^{*} _0\) (and not \( sk ^{*} _1\)). With the same reasoning as in Game 4.i.5, we get:
Next, in Game 4.i.8, we again set up \(\mathrm {CRS} _1\) as a hiding CRS (using \(\mathrm {HGen}\)). Again, CRS indistinguishability guarantees
for suitable DDH adversaries \(\mathcal {B} _{4.i.8}\) and \(\mathcal {B} '_{4.i.8}\).
In Game 4.i.9, we again set up the commitments \(C_{\alpha },C_{\beta } \) in all verification keys as commitments to \(\alpha =\beta =0\). Accordingly, we generate all signatures for \(\mathcal {A}\) by proving statement \(S1\) from (3). (Note that this is possible again since all generated pairs \((C _0,C _1)\) do encrypt the same message.) By the witness-indistinguishability of Groth-Sahai proofs,
Finally, in Game 4.i.10, we do not abort anymore. (That is, we take back the abort rule from Game 4.i.1.) To see how this change affects the game’s output, we make a few observations. First, note that in both Game 4.i.9 and Game 4.i.10, \(\mathcal {A}\) ’s view only depends on the way \(f ^*\) partitions the set of messages according to \(\big (\frac{f ^*(M)}{p}\big ) \), but not on which of the two nonzero classes consists of the messages mapped by \(f ^*\) to squares, and which of those mapped to non-squares. (Indeed, the partitioning of the \(M\) is invariant under multiplying \(f ^*\) with an invertible non-square modulo \(p\), since this keeps the zero set of \(f ^*\) and only swaps the other two classes. However, multiplication with an invertible non-square inverts the Legendre symbol of every nonzero \(f ^*(M)\).)
Thus, the probability for \(\mathcal {A}\) to successfully forge a signature with \(\big (\frac{f ^*(M ^*)}{p}\big ) =1\) is exactly the same as that to forge a signature with \(\big (\frac{f ^*(M ^*)}{p}\big ) =-1\). Hence, if we cease to abort upon \(f ^*(M ^*)\in \mathrm {QR} _p\cup \{0\}\), we at least double \(\mathcal {A}\) ’s success probability:
At the same time, Game 4.i.10 is identical to Game 4.(\(i + 1\)). (As argued, the use of three functions \(\mathcal {H} ^{(\ell )}_{i},\mathcal {Z} ^{(\ell )}_{i},\mathcal {Q} ^{(\ell )}_{i}\) for each scheme instance \(\ell \) is equivalent to the use of a single function \(\mathcal {H} ^{(\ell )}_{i+1}\) in Game 4.(\(i + 1\)). Furthermore, \(\mathrm {CRS} _1\) is hiding, the \(C_{\alpha },C_{\beta } \) are set up as commitments to \(\alpha =\beta =0\), and the signatures use proofs of statement \(S 1\).) Thus,
Collecting all differences of probabilities from (14–25), we obtain
for DDH adversaries \(\mathcal {B} _{5}\) and \(\mathcal {B} '_{5}\) that combine all adversaries from the collected differences. Together with (12) and (13), we obtain (10).
It remains to prove Lemma 2:
Proof
(of Lemma 2 ) For any distinct \(M _0,M _1\in \mathbb {Z} _p\) and a uniformly chosen invertible affine function \(f:\mathbb {Z} _p\rightarrow \mathbb {Z} _p\), we have \( \Pr \left[ {\left( \frac{f (M _0)}{p}\right) =\left( \frac{f (M _1)}{p}\right) }\right] \le 1/2 \), since \(f\) is pairwise independent. As all \(f _j\) from (11) are chosen independently, we get
for any two distinct \(M _0,M _1\). A union bound over all \(\mathbf {O} (p^2)\) such pairs \((M _0,M _1)\) shows the claim.
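As an added worked example (written for this page, not code from the paper), the following Python script implements the Legendre-symbol fingerprint \(\mathcal {L}_{i}\) from (11) over a toy prime and checks the facts the proof relies on: that a uniformly random invertible affine \(f ^*\) maps exactly \((p+1)/2\) messages into \(\mathrm {QR} _p\cup \{0\}\) (the abort probability of Game 4.i.1), that multiplying \(f ^*\) by a non-square swaps the two nonzero classes without changing the partition (Game 4.i.10), that the exact pairwise collision probability of Lemma 2 is \((p-3)/(2p)\le 1/2\) (verified by enumerating all invertible affine maps for a tiny prime), and that \(\mathcal {L}_{n}\) for \(n=2\lceil \log _2(p)\rceil +k\) is injective on all of \(\mathbb {Z} _p\). The prime \(p=1019\), the seed and the parameter \(k\) are toy choices made here.

```python
"""Legendre-symbol fingerprints L_i(M) = ((f_1(M)/p), ..., (f_i(M)/p)) over a
toy prime, plus the counting facts used around Lemma 2.  Toy parameters only."""
import random
from fractions import Fraction


def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) in {-1, 0, 1}, via Euler's criterion a^((p-1)/2) mod p."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def random_invertible_affine(p: int, rng: random.Random) -> tuple:
    """f(x) = alpha*x + beta mod p with alpha != 0: a uniform invertible affine map."""
    return rng.randrange(1, p), rng.randrange(p)


def fingerprint(m: int, fs: list, p: int) -> tuple:
    """L_i(M) for the list fs = [(alpha_j, beta_j)] of affine functions."""
    return tuple(legendre(alpha * m + beta, p) for alpha, beta in fs)


def fingerprint_is_injective(fs: list, p: int) -> bool:
    """True iff L_i is injective on all of Z_p (brute force, fine for a toy p)."""
    return len({fingerprint(m, fs, p) for m in range(p)}) == p


def paper_n(p: int, k: int) -> int:
    """n = 2*ceil(log2 p) + k from Lemma 2; (p-1).bit_length() equals ceil(log2 p) for p >= 2."""
    return 2 * (p - 1).bit_length() + k


def special_count(f: tuple, p: int) -> int:
    """Number of M with f(M) in QR_p ∪ {0}; equals (p+1)/2 for invertible f (abort rule of Game 4.i.1)."""
    alpha, beta = f
    return sum(1 for m in range(p) if legendre(alpha * m + beta, p) >= 0)


def nonsquare_flips_partition(f: tuple, c: int, p: int) -> bool:
    """Multiplying f by a non-square c negates the Legendre symbol of every nonzero f(M)
    and fixes the zero set, i.e. it swaps the QR and non-QR classes (Game 4.i.10 argument)."""
    alpha, beta = f
    if legendre(c, p) != -1:
        raise ValueError("c must be a non-square modulo p")
    return all(legendre(c * (alpha * m + beta), p) == -legendre(alpha * m + beta, p)
               for m in range(p))


def pairwise_collision_probability(p: int, m0: int, m1: int) -> Fraction:
    """Exact Pr[(f(M0)/p) = (f(M1)/p)] over all p(p-1) invertible affine f, by enumeration.
    Lemma 2 only needs <= 1/2; the exact value is (p-3)/(2p)."""
    hits = sum(1 for alpha in range(1, p) for beta in range(p)
               if legendre(alpha * m0 + beta, p) == legendre(alpha * m1 + beta, p))
    return Fraction(hits, p * (p - 1))


def demo(p: int = 1019, k: int = 40, seed: int = 2016) -> dict:
    """Sample n = paper_n(p, k) functions f_j and report the checks described above."""
    rng = random.Random(seed)
    fs = [random_invertible_affine(p, rng) for _ in range(paper_n(p, k))]
    c = next(x for x in range(2, p) if legendre(x, p) == -1)   # smallest non-square mod p
    return {
        "n": len(fs),
        "injective": fingerprint_is_injective(fs, p),
        "one_symbol_injective": fingerprint_is_injective(fs[:1], p),
        "special": special_count(fs[0], p),          # expect (p+1)/2
        "flips": nonsquare_flips_partition(fs[0], c, p),
    }


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name}: {val}")
    print("Pr[collision] for p=23:", pairwise_collision_probability(23, 0, 1))
```

With a single symbol (`one_symbol_injective`) the fingerprint takes at most three values and cannot be injective; with \(n\) symbols the union bound of Lemma 2 applies, and for the toy prime the brute-force check confirms injectivity directly.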
4 Compact and (almost) Tightly Secure Public-Key Encryption
Our signature scheme \(\mathrm {SIG}\) from Sect. 3 is “almost” automorphic (in the sense of [1]). Namely, while its verification can be expressed as a system of equations that is compatible with Groth-Sahai proofs, its messages are exponents (as opposed to group elements). However, our scheme can still be used in the generic construction of [28]. This yields an (almost) tightly secure public-key encryption scheme with compact parameters, keys and ciphertexts. (Here, “compact” means “comprised of only a constant number of group elements or exponents.”)
But although compact in the above sense, the resulting encryption scheme would be rather inefficient (in particular since it would use nested Groth-Sahai proofs). Thus, here we describe an optimized and more compact (almost) tightly secure public-key encryption scheme \(\mathrm {PKE}\).
Setting and Ingredients. The basis for our PKE construction is the signature scheme \(\mathrm {SIG}\) from Sect. 3, and we assume similar ingredients. In particular, we assume groups \(\mathbb {G}\) and \(\mathbb {\hat{G}}\), along with the ElGamal encryption and Groth-Sahai proofs over \(\mathbb {G}\). Additionally, we assume:

An OT-EUF-mCMA secure signature scheme with message space \(\mathbb {Z} _p\), given by algorithms \(\mathrm {OPars},\mathrm {OGen},\mathrm {OSig},\mathrm {OVer} \). For concreteness, in all of the following, we assume the one-time signature scheme \(\mathsf {TOTS}\) from [28] in \(\mathbb {G}\). Its OT-EUF-mCMA security can be tightly reduced to the discrete logarithm assumption in \(\mathbb {G}\) (which is implied by the DDH assumption in \(\mathbb {G}\)).

A generator \(\mathcal {H}\) of collision-resistant hash functions \(\mathrm {H}:\{0,1\}^*\rightarrow \{0,1\}^k\). We will interpret \(\mathrm {H}\)-outputs as \(\mathbb {Z} _p\)-elements in the natural way. (Recall that \(p>2^k\).)
All ingredients can be instantiated under the DDH assumptions in \(\mathbb {G}\) and \(\mathbb {\hat{G}}\).
Public Parameters. \(\mathrm {EPars} (1^k)\) first proceeds like the parameter generation of \(\mathrm {SIG}\), and samples group parameters \( gpp \), a hiding Groth-Sahai CRS, and two ElGamal public keys \( pk _0, pk _1\). Then, \(\mathrm {EPars}\) sets up exponents \(Z,\alpha ,\beta \) and ciphertexts
Note that here, we encrypt (and do not commit to) \(Z,\alpha ,\beta \) in order to be able to produce slightly more compact proofs involving \(Z,\alpha ,\beta \) later on. However, we note that conceptually, we could have as well committed to \(Z,\alpha ,\beta \) as with \(\mathrm {SIG}\).
Finally, \(\mathrm {EPars}\) chooses parameters \( opp \leftarrow \mathrm {OPars} (1^k)\) and a hash function \(\mathrm {H}\), and outputs \( epp =( gpp ,\mathrm {CRS}, pk _0, pk _1, opp ,\mathrm {H},C_{\alpha },C_{\beta },C_{Z})\).
Key Generation. \(\mathrm {EGen} ( epp )\) samples two ElGamal keypairs \(( pk '_0, sk '_0), ( pk '_1, sk '_1)\leftarrow \mathrm {EGen}_{\mathrm {eg}} (\mathbb {G},p,g)\), and outputs a public and a secret key as
for a uniformly chosen bit \(d\leftarrow \{0,1\}\).
Encryption. Intuitively, encryption corresponds to a Naor-Yung-style double encryption with consistency proof [34]. The consistency proof itself proceeds as in [28], and essentially proves that either the double encryption is consistent, or a signature to a fresh value is known. (A suitable fresh value will be the hash of a freshly sampled verification key of the one-time signature scheme.) Concretely, \(\mathrm {Enc} ( pk ,M)\), for \(M \in \mathbb {G} \), chooses a one-time signature keypair \(( ovk , osk )\leftarrow \mathrm {OGen} ( opp )\), and encrypts the values \(Z '_0=Z '_1=M \in \mathbb {G} \) and \(Z _0=Z _1=0\) as
(Note that for efficiency and to simplify proofs involving these values, we reuse the encryption random coins \(R '\) and \(R\).) Then, \(\mathrm {Enc}\) generates a proof \(\pi \) (under \(\mathrm {CRS}\)) of the statement
\(\mathrm {Enc}\) will prove the left branch \(S 1'\) of the outer \(\vee \) clause, using as witness the encryption randomness \(R '\). Hence, \(\pi \) essentially proves consistency of \(C '_0,C '_1\), or the same statement as for a \(\mathrm {SIG}\)signature for \(\mathrm {H} ( ovk )\). (There are some slight differences compared to a \(\mathrm {SIG}\)signature: first, we use only one CRS. Hence, we cannot simulate proofs for substatement \(Z _0=Z \) during the proof. Instead, however, we can set \(Z =0\) to be able to generate proofs for \(S 3'\) without knowledge of \(Z _0\). Second, because the random coins used for \(C_{\alpha },C_{\beta },C_{Z} \) are not known at encryption time, the proof of quadratic residuosity becomes somewhat less efficient than the one in \(\mathrm {SIG}\) ’s signing algorithm. We refer to Sect. 5.2 for more details on the exact proof equations.)
Finally, \(\mathrm {Enc}\) signs \(\sigma \leftarrow \mathrm {OSig} ( osk ,\mathrm {H} (C '_0,C '_1,C _0,C _1,\pi ))\) and outputs the ciphertext \(C =(C '_0,C '_1,C _0,C _1,\pi , ovk ,\sigma )\).
Decryption. \(\mathrm {Dec} ( sk ,C)\) checks the validity of \(\sigma \) and \(\pi \). If both \(\sigma \) and \(\pi \) are valid, \(\mathrm {Dec}\) outputs \(M \leftarrow \mathrm {Dec}_{\mathrm {eg}} ( sk '_d,C '_d)\); otherwise, \(\mathrm {Dec}\) outputs \(\bot \).
Efficiency. \(\mathrm {PKE}\) has the following efficiency characteristics (cf. Section 5.2):

The public parameters consist of \(12\) \(\mathbb {G}\) and \(3\) \(\mathbb {\hat{G}}\)elements, plus the group parameters \( gpp \), and a description of the hash function \(\mathrm {H}\).

Each public key contains \(2\) \(\mathbb {G}\)elements.

Each secret key contains one \(\mathbb {Z} _p\)exponent and a bit.

Each ciphertext contains \(27\) \(\mathbb {G}\) and \(30\) \(\mathbb {\hat{G}}\)elements, and \(3\) \(\mathbb {Z} _p\)exponents.
Theorem 3
(Security of \(\mathrm {PKE}\) ). Under the DDH assumptions in \(\mathbb {G}\) and \(\mathbb {\hat{G}}\), and assuming that \(\mathrm {H}\) is collision-resistant, the PKE scheme \(\mathrm {PKE}\) described above is IND-mCCA secure. Concretely, for every IND-mCCA adversary \(\mathcal {A}\) on \(\mathrm {PKE}\), there exist DDH adversaries \(\mathcal {B}\) and \(\mathcal {B} '\), and an adversary \(\mathcal {C} \) on the collision-resistance of \(\mathrm {H}\) (all of roughly the same complexity as the IND-mCCA experiment with \(\mathcal {A}\) and \(\mathrm {PKE}\)) with
Proof
(Proof sketch) The proof combines the strategy from [28] with our concrete signature scheme, and thus we outline only the main strategy. This strategy proceeds in games, and modifies an IND-mCCA attack with adversary \(\mathcal {A}\) as follows:

First, the consistency proofs in all ciphertexts are prepared with different witnesses. More specifically, instead of proving \(Z '_0=Z '_1\), we prove the right branch of (26). (Note that this right branch corresponds to the validity of a \(\mathrm {SIG}\)-signature for message \(\mathrm {H} ( ovk )\).) Thanks to the witness-indistinguishability of Groth-Sahai proofs, this change is not detectable by \(\mathcal {A}\).

Next, all challenge ciphertexts generated for \(\mathcal {A}\) are made inconsistent. (This is possible since the ciphertext consistency proofs are prepared from signature witnesses now.) Concretely, recall that so far we have encrypted the respective challenge message \(M ^*_b\) (for the secret bit \(b\) chosen by the IND-mCCA experiment) in both \(C '_0\) and \(C '_1\) of all challenge ciphertexts. Now we encrypt \(M ^*_b\) in \(C '_{d}\) and \(M ^*_{1-b}\) in \(C '_{1-d}\), where \(d\) is the bit chosen for the respective \(\mathrm {PKE}\) instance \(i\). Hence, we change the encrypted message exactly for those ElGamal instances whose secret key is not used. Since only the secret keys \( sk '_d\) (but not the \( sk '_{1-d}\)) are used in the experiment, this game modification can be justified with the (tight) security of ElGamal.

We now reject all inconsistent (in the sense that \(\mathrm {Dec}_{\mathrm {eg}} ( sk '_0,C '_0)\ne \mathrm {Dec}_{\mathrm {eg}} ( sk '_1,C '_1)\)) decryption queries from \(\mathcal {A}\). At this point in the proof, we know both \( sk '_0\) and \( sk '_1\) for all \(\mathrm {PKE}\)-instances, and can thus recognize the first inconsistent (in the above sense) decryption query with a valid consistency proof. Note that any such query implies a valid \(\mathrm {SIG}\)-signature for a message \(\mathrm {H} ( ovk )\). The security of the one-time signature scheme guarantees that this message is fresh (i.e., that \( ovk \) differs from the verification keys in all challenge ciphertexts), so that \(\mathcal {A}\) has essentially forged a \(\mathrm {SIG}\)-signature. Any such forgery can be excluded with the same strategy as in the proof of Theorem 2 (with the differences described above). This step entails the dominant terms in (27) related to DDH reductions.
At this point, \(\mathcal {A}\) gets no information about the IND-mCCA secret \(b\) anymore. Namely, each challenge ciphertext contains ElGamal encryptions of both \(M ^*_0\) and \(M ^*_1\), in an order determined by \(d\oplus b\), where \(d\) denotes which ElGamal secret key \( sk '_d\) the experiment uses to decrypt for this instance. Since inconsistent ciphertexts are now rejected, the game’s answers to \(\mathcal {A}\) ’s decryption queries do not depend on any of the bits \(d\). Moreover, as long as no \(d\) is known to \(\mathcal {A}\), \(b\) remains hidden. Hence, \(\mathcal {A}\) ’s view is now completely independent of \(b\), and thus \(\mathcal {A}\) ’s IND-mCCA advantage is zero.
5 Details on the Exact Groth-Sahai Equations in Our Schemes
5.1 The Exact Groth-Sahai Equations for the Proofs in Signatures
We now give details on the proofs \(\pi _1\) and \(\pi _2\) in signatures from \(\mathrm {SIG}\). Recall that \(\pi _1\) and \(\pi _2\) shall prove the respective statements
The Statements \(S 1\)–\(S 3\). We now discuss the three individual statements \(S 1\)–\(S 3\) from (28) in more detail. To this end, let us write the ElGamal ciphertexts \(C _0,C _1\) from a signature as
(Of course, the reused value \(A=g^{R} \) will only appear once in a signature.)
 \(S 1\).:

The statement \(Z _0=Z _1\) holds if and only if \((g, pk _1/ pk _0,A,B_1/B_0)\) is a Diffie-Hellman tuple. Thus, \(S 1\) is equivalent to the equations \(A=g^{R} \) and \(B_1/B_0=( pk _1/ pk _0)^{R}\), with witness \(R\).
 \(S 2\).:

The statement \(f (M)\in \mathrm {QR} _p\cup \{0\}\) is equivalent to the existence of an exponent \(W\in \mathbb {Z} _p\) with \(f (M)=W^{2} \,\mathrm{mod}\, p\). (Recall that a commitment to \(f (M)\) can be homomorphically computed from \(M\) and the commitments \(C_{\alpha },C_{\beta } \).) Hence, a witness to \(S 2\) is given by \((\alpha ,\beta ,W)\).
 \(S 3\).:

We can express \(Z _0=Z \) as an equation \(B_0= pk _0^{R}\cdot g^{Z} \) with witness \((R,Z)\).
All involved commitment random coins are additionally required to construct a valid proof. Besides, so far we have neglected that in a setting with an asymmetric pairing, not all combinations of, e.g., \(\mathbb {Z} _p\)products can be directly expressed. (For instance, a square \(W^2\) needs to be rephrased as \(W\cdot \widehat{W}\), with an additional proof that \(W=\widehat{W}\).) Hence, in the rest of this section, we will decorate variables that correspond to a \(\mathbb {\hat{G}}\)commitment with a hat (e.g., \(\widehat{W}\)).
The Equations for \(\pi _1\) . Equations for the disjunction \(S 1\vee S 2\) can be derived using standard techniques. However, if we optimize a little, we obtain the following equations for \(S 1\vee S 2\):
(For instance, if we want to prove \(S 2\), we can set \(\widehat{U}=\widehat{V}=0\) and \(W=\widehat{W}\) such that \(f (M)=W^2\).) The involved variables from the verification key are \(\widehat{\alpha }\) and \(\widehat{\beta }\) (used to homomorphically construct \(\widehat{f (M)}\)). The variables whose commitments are placed in the signature are \(\widehat{U},\widehat{V},W,\widehat{W}\). All of these variables are committed to using \(\mathrm {CRS} _1\).
The Equations for \(\pi _2\) . Similarly, we obtain the following equations for \(S 3\):
The variables are \(Z\) (committed to in \( vk \)) and \(\widehat{S}\) (from \(\sigma \)), both committed to using \(\mathrm {CRS} _2\).
Remarks and Efficiency Summary. We emphasize that, as a consequence, the proofs \(\pi _1\) and \(\pi _2\) are independent (and in particular do not share commitments). Furthermore, thanks to the composability of Groth-Sahai proofs, the commitments \(C_{\alpha },C_{\beta },C_{Z} \) to \(\alpha ,\beta ,Z \) that are placed in the verification key can be directly (re)used in proofs. Each commitment occupies \(2\) group elements, each linear equation over \(\mathbb {G}\) costs \(1\) group element of proof, and each quadratic equation over \(\mathbb {Z} _p\) costs \(4\). In total, the equations above (for \(\pi _1\) and \(\pi _2\) together) comprise \(4\) linear equations over \(\mathbb {G}\), and \(2\) quadratic equations over \(\mathbb {Z} _p\). Thus, \(\pi _1\) (with \(4\) committed variables, \(2\) linear and \(2\) quadratic equations) contains \(4\cdot 2+2\cdot 1+2\cdot 4=18\) group elements (\(12\) of them from \(\mathbb {\hat{G}}\)), and \(\pi _2\) (with \(1\) committed variable and \(2\) linear equations) contains \(1\cdot 2+2\cdot 1=4\) group elements (\(2\) of them from \(\mathbb {\hat{G}}\)).
5.2 The Exact Groth-Sahai Equations for the Proofs in Ciphertexts
We now detail the proof \(\pi \) in ciphertexts from \(\mathrm {PKE}\). Recall that \(\pi \) shall prove the statement
The variables in (29) refer to the messages encrypted in \(\mathrm {PKE}_{\mathrm {eg}}\)ciphertexts from the public parameters and the \(\mathrm {PKE}\)ciphertext at hand. We make these \(\mathrm {PKE}_{\mathrm {eg}}\)ciphertexts explicit as
Besides, a \(\mathrm {PKE}_{\mathrm {eg}}\)ciphertext \(C _{f}=\mathrm {Enc}_{\mathrm {eg}} ( pk _0,g^{f (\mathrm {H} ( ovk ))};R _{f})=(A_{f},B_{f})\) that determines the variable \(f (\mathrm {H} ( ovk ))\) can be homomorphically computed from the ciphertexts \(C_{\alpha },C_{\beta } \), and \(\mathrm {H} ( ovk )\).
The Statements \(S 1'\)–\(S 5'\). Let us take a closer look at the individual statements \(S 1'\)–\(S 5'\):
 \(S 1',S 2'\).:

These statements can be formalized like statement \(S 1\) for \(\mathrm {SIG}\). For instance, \(S 1'\) holds if and only if \((g, pk '_1/ pk '_0,A',B'_1/B'_0)\) is a Diffie-Hellman tuple; a suitable witness is \(R '\).
 \(S 4',S 5'\).:

Similarly, \(S 4'\) holds precisely if \((g, pk _0,A/A_{Z},B_0/B_{Z})\) is a Diffie-Hellman tuple; a witness is \(R-R _{Z}\). (Statement \(S 5'\) can be formalized analogously, with a witness \(R _{Z}\).)
 \(S 3'\).:

As with \(\mathrm {SIG}\), \(S 3'\) holds if and only if there is a \(W\in \mathbb {Z} _p\) with \(f (\mathrm {H} ( ovk ))=W^2 \,\mathrm{mod}\, p\). A suitable witness consists of \(W\), and the encryption randomness \(R _{f}\) of \(C _{f}\).
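The ElGamal relations described above, namely the double encryption performed by \(\mathrm {Enc}\), the rejection test \(\mathrm {Dec}_{\mathrm {eg}} ( sk '_0,C '_0)\ne \mathrm {Dec}_{\mathrm {eg}} ( sk '_1,C '_1)\) from the proof sketch of Theorem 3, and the statements \(S 1'\), \(S 3'\), \(S 4'\) with their witnesses, as an added Python example. This is not code from the paper: it runs over a constructed toy prime-order group, implements no Groth-Sahai proofs (each statement is checked directly against its witness, which is exactly the relation the corresponding proof equation enforces), and assumes an affine \(f (M)=\alpha M+\beta \), which the page does not spell out. The homomorphic derivation of \(C _{f}\) from \(C_{\alpha },C_{\beta } \) and \(\mathrm {H} ( ovk )\) follows the description above, with a fixed exponent standing in for \(\mathrm {H} ( ovk )\).

```python
"""Toy model of the ElGamal relations behind the PKE consistency proof (added
example, not the paper's code).  No Groth-Sahai proofs: each statement is checked
directly against its witness, i.e. the relation its proof equation enforces.
Constructed toy parameters: P_MOD = 2p + 1 is a safe prime, so the quadratic
residues mod P_MOD form a group G of prime order p, generated by g = 4."""
import secrets

P_MOD = 2039   # field modulus (toy size; real schemes use ~256-bit p)
p = 1019       # group order: exponents, Z-values and hash outputs live in Z_p
g = 4
assert P_MOD == 2 * p + 1 and pow(g, p, P_MOD) == 1 and p % 4 == 3


def keygen_eg():
    """ElGamal key pair: sk in Z_p^*, pk = g^sk."""
    sk = secrets.randbelow(p - 1) + 1
    return pow(g, sk, P_MOD), sk

def enc_eg(pk, m, r):
    """Enc_eg(pk, m; r) = (g^r, pk^r * m) for a group element m."""
    return pow(g, r, P_MOD), (pow(pk, r, P_MOD) * m) % P_MOD

def dec_eg(sk, c):
    a, b = c
    return (b * pow(a, p - sk, P_MOD)) % P_MOD   # a^(p-sk) = a^(-sk), as a^p = 1

def div(x, y):
    return (x * pow(y, P_MOD - 2, P_MOD)) % P_MOD

def is_dh_tuple(h, a, b, r):
    """(g, h, a, b) is a Diffie-Hellman tuple with witness r: a = g^r and b = h^r."""
    return a == pow(g, r, P_MOD) and b == pow(h, r, P_MOD)

def double_enc(pk0, pk1, m0, m1, r):
    """Enc's double encryption with shared randomness r.  Honest encryption uses
    m0 == m1 == M; the proof's hybrid puts M*_b and M*_{1-b} into the two slots."""
    return enc_eg(pk0, m0, r), enc_eg(pk1, m1, r)

def s1_holds(pk0, pk1, c0, c1, r):
    """S1': Z'_0 = Z'_1 iff (g, pk'_1/pk'_0, A', B'_1/B'_0) is a DH tuple; witness R'."""
    (a0, b0), (a1, b1) = c0, c1
    return a0 == a1 and is_dh_tuple(div(pk1, pk0), a0, div(b1, b0), r)

def inconsistent(sk0, sk1, c0, c1):
    """The reduction's rejection test once it knows both secret keys."""
    return dec_eg(sk0, c0) != dec_eg(sk1, c1)

def s4_holds(pk0, c0, cz, r, rz):
    """S4': Z_0 = Z iff (g, pk_0, A/A_Z, B_0/B_Z) is a DH tuple; witness R - R_Z."""
    (a, b), (az, bz) = c0, cz
    return is_dh_tuple(pk0, div(a, az), div(b, bz), (r - rz) % p)

def f_affine(alpha, beta, m):
    """ASSUMPTION: the page does not spell f out; we model the affine map
    f(M) = alpha*M + beta mod p, which evaluation from C_alpha, C_beta, M supports."""
    return (alpha * m + beta) % p

def derive_c_f(c_alpha, c_beta, m):
    """C_f = C_alpha^m * C_beta componentwise: encrypts g^f(m) under the same key
    with randomness R_f = m*R_alpha + R_beta (the randomness part of the S3' witness)."""
    (aa, ba), (ab, bb) = c_alpha, c_beta
    return (pow(aa, m, P_MOD) * ab) % P_MOD, (pow(ba, m, P_MOD) * bb) % P_MOD

def sqrt_witness(x):
    """S3' witness W with W^2 = x mod p if x in QR_p U {0}, else None (the
    'unsignable' case).  For p = 3 mod 4 a residue's root is x^((p+1)/4)."""
    x %= p
    if x == 0:
        return 0
    if pow(x, (p - 1) // 2, p) != 1:      # Euler's criterion: non-residue
        return None
    return pow(x, (p + 1) // 4, p)

def demo():
    pk0, _ = keygen_eg()                  # parameter key pk_0 (for C_alpha, C_beta, C_Z)
    pk0p, sk0p = keygen_eg()              # user keys pk'_0, pk'_1 as output by EGen
    pk1p, sk1p = keygen_eg()
    M0, M1 = pow(g, 7, P_MOD), pow(g, 8, P_MOD)   # constructed messages in G
    rp = secrets.randbelow(p)
    c0, c1 = double_enc(pk0p, pk1p, M0, M0, rp)   # honest: consistent
    d0, d1 = double_enc(pk0p, pk1p, M0, M1, rp)   # proof hybrid: inconsistent
    r, rz = secrets.randbelow(p), secrets.randbelow(p)
    cz = enc_eg(pk0, 1, rz)                       # C_Z with Z = 0, i.e. encrypts g^0
    ra, rb, alpha, beta = secrets.randbelow(p), secrets.randbelow(p), 2, 1
    c_alpha = enc_eg(pk0, pow(g, alpha, P_MOD), ra)
    c_beta = enc_eg(pk0, pow(g, beta, P_MOD), rb)
    out = {
        "honest": (s1_holds(pk0p, pk1p, c0, c1, rp), inconsistent(sk0p, sk1p, c0, c1)),
        "hybrid": (s1_holds(pk0p, pk1p, d0, d1, rp), inconsistent(sk0p, sk1p, d0, d1)),
        "s4": (s4_holds(pk0, enc_eg(pk0, 1, r), cz, r, rz),                  # Z_0 = 0 = Z
               s4_holds(pk0, enc_eg(pk0, pow(g, 5, P_MOD), r), cz, r, rz)),  # Z_0 = 5 != Z
    }
    for m in (12, 1018):                  # stand-ins for H(ovk): f(m) = 25 (QR) and -1 (non-QR)
        c_f, rf, fm = derive_c_f(c_alpha, c_beta, m), (m * ra + rb) % p, f_affine(alpha, beta, m)
        out[m] = (c_f == enc_eg(pk0, pow(g, fm, P_MOD), rf), fm, sqrt_witness(fm))
    return out
```

Calling demo() shows the three effects the proof relies on: the Diffie-Hellman relation of \(S 1'\) holds for the honest double encryption but fails for the hybrid ciphertext with two different messages, the two-key decryption test flags exactly that hybrid, and a square-root witness for \(S 3'\) exists for \(f (m)=25\) but not for \(f (m)=-1\), which for \(p\equiv 3 \bmod 4\) is a non-residue and hence lands on the "unsignable" side of the partition.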
A Reformulation. The composed statement from (29) is equivalent to
By the above, the first substatement \(S 1'\vee S 2'\vee S 3'\) is implied by the equations
for new variables \(\widehat{U},\widehat{V},\widehat{U'},\widehat{V'},\widehat{U_{f}},\widehat{V_{f}},\widehat{F},W,\widehat{W}\). (We adopt the notation from Sect. 5.1 to decorate variables in \(\mathbb {\hat{G}}\) with a hat.) Roughly, the last equation guarantees that one of \(\widehat{U},\widehat{U'},\widehat{U_{f}}\) is nonzero, and in fact that \(\widehat{U_{f}}=1\) once \(\widehat{U}=\widehat{U'}=0\). Furthermore, we have \(\widehat{U'}\ne 0\Rightarrow S 1'\), and \(\widehat{U}\ne 0\Rightarrow S 2'\), and \(\widehat{U_{f}}\ne 0\Rightarrow S 3'\). Finally, a witness for (30) can be produced from either a witness for \(S 1'\), or for \(S 2'\), or for \(S 3'\). (For instance, we can set \(\widehat{U'}=\widehat{V'}=0\) whenever a witness for \(S 1'\) is not available.)
Similarly, substatement \(S 1'\vee S 4'\vee S 5'\) yields additional equations
for new variables \(\widehat{U_0},\widehat{V_0},\widehat{U_{Z}},\widehat{V_{Z}}\).
Summary. Summing up, \(\pi \) contains commitments to \(13\) variables (\(12\) of them from \(\mathbb {\hat{G}}\)), and proves \(10\) \(\mathbb {G}\)linear, \(2\) \(\mathbb {Z} _p\)linear, and \(3\) quadratic equations over \(\mathbb {Z} _p\). This yields a proof of \(13\cdot 2+10\cdot 1+3\cdot 4=48\) group elements (\(30\) of them from \(\mathbb {\hat{G}}\)) and \(2\cdot 1=2\) exponents from \(\mathbb {Z} _p\).
Notes
 1.
Technically, we will not even need to explicitly compute \(L_j\), but only prove that \(L_j=1\). This is possible using a quadratic equation over \(\mathbb {Z} _p\).
 2.
Actually, [6, 15] construct tightly secure identity-based encryption (IBE) schemes. However, those IBE schemes can be viewed as tightly secure signature schemes (using Naor’s trick [11]), and then converted into tightly secure PKE schemes using the transformation from [28]. In fact, the PKE scheme of [32] can be viewed as a (modified and highly optimized) conversion of the IBE scheme from [15].
 3.
 4.
With a “simple” assumption, we mean one in which the adversary gets a challenge whose size only depends on the security parameter, and is then supposed to output a unique solution without further interaction. Examples of simple assumptions are DLOG, DDH, \(d\)-LIN, or RSA, but not, say, Strong Diffie-Hellman [8] or \(q\)-ABDHE [22].
 5.
We note that although their scheme can be viewed as a generalization of Waters signatures [38], their analysis is entirely different. Also, we omit here certain subtleties regarding the used distributions of group elements.
 6.
 7.
This neglects a number of details. For instance, in the somewhat simplified scheme above, \(\pi \) always ties the ciphertexts in signatures for quadratic non-residues \(f (M)\) to a single value \(X\). In our actual proof, we will thus simulate a part of \(\pi \), such that the encrypted values can be decoupled from the original secret key \(X\).
 8.
Actually, plugging our scheme directly into the construction of [28] yields an asymptotically compact, but not very efficient scheme. Thus, we provide a more direct and efficient explicit PKE construction with parameters, public keys, and ciphertexts comprised of \(15\), \(2\), and \(60\) group elements, respectively.
 9.
In a signature scheme derived using the conversion of Bellare and Goldwasser, the verification key contains an encryption of the MAC secret key. A signature for a message \(M\) then consists of a MAC tag \(\tau \) for \(M\), along with a non-interactive zero-knowledge proof that \(\tau \) is valid relative to the encrypted MAC key.
 10.
 11.
We realize that this explanation is somewhat technical and may not seem very compelling. We wish we had a better one.
References
[1] Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
[2] Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)
[3] Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)
[4] Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, Heidelberg (1990)
[5] Bernstein, D.J.: Proving tight security for Rabin-Williams signatures. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 70–87. Springer, Heidelberg (2008)
[6] Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014)
[7] Boldyreva, A.: Strengthening security of RSA-OAEP. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 399–413. Springer, Heidelberg (2009)
[8] Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
[9] Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004)
[10] Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, p. 213. Springer, Heidelberg (2001)
[11] Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)
[12] Boneh, D., Mironov, I., Shoup, V.: A secure signature scheme from bilinear maps. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 98–110. Springer, Heidelberg (2003)
[13] Cash, D.M., Kiltz, E., Shoup, V.: The twin Diffie-Hellman problem and applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)
[14] Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)
[15] Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 435–460. Springer, Heidelberg (2013)
[16] Chevallier-Mames, B., Joye, M.: A practical and tightly secure signature scheme without hash function. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 339–356. Springer, Heidelberg (2006)
[17] Coron, J.S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000)
[18] Escala, A., Groth, J.: Fine-tuning Groth-Sahai proofs. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 630–649. Springer, Heidelberg (2014)
[19] Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011)
[20] Galindo, D., Martín, S., Morillo, P., Villar, J.L.: Easy verifiable primitives and practical public key cryptosystems. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 69–83. Springer, Heidelberg (2003)
[21] Gennaro, R., Halevi, S., Rabin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)
[22] Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)
[23] Gentry, C., Halevi, S.: Hierarchical identity based encryption with polynomially many levels. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 437–456. Springer, Heidelberg (2009)
[24] Goh, E.J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight reductions to the Diffie-Hellman problems. J. Cryptology 20(4), 493–514 (2007)
[25] Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985)
[26] Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
[27] Hofheinz, D.: All-but-many lossy trapdoor functions. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 209–227. Springer, Heidelberg (2012)
[28] Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012)
[29] Hohenberger, S., Waters, B.: Short and stateless signatures from the RSA assumption. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 654–670. Springer, Heidelberg (2009)
[30] Kakvi, S.A., Kiltz, E.: Optimal security proofs for full domain hash, revisited. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 537–553. Springer, Heidelberg (2012)
[31] Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010)
[32] Libert, B., Joye, M., Yung, M., Peters, T.: Concise multi-challenge CCA-secure encryption and signatures with almost tight security. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 1–21. Springer, Heidelberg (2014)
[33] Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: Proceedings of FOCS 1997, pp. 458–467. IEEE Computer Society (1997)
[34] Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of STOC 1990, pp. 427–437. ACM (1990)
[35] Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of STOC 1989, pp. 33–43. ACM (1989)
[36] Schäge, S.: Tight proofs for signature schemes without random oracles. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 189–206. Springer, Heidelberg (2011)
[37] Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
[38] Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Acknowledgments
The author would like to thank Eike Kiltz, Julia Hesse, Willi Geiselmann, and the anonymous reviewers for helpful feedback.
© 2016 International Association for Cryptologic Research
Hofheinz, D. (2016). Algebraic Partitioning: Fully Compact and (almost) Tightly Secure Cryptography. In: Kushilevitz, E., Malkin, T. (eds.) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, vol. 9562. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49096-9_11
Print ISBN: 978-3-662-49095-2
Online ISBN: 978-3-662-49096-9