How to Obtain Fully Structure-Preserving (Automorphic) Signatures from Structure-Preserving Ones

Abstract

In this paper, we bridge the gap between structure-preserving signatures (SPSs) and fully structure-preserving signatures (FSPSs). In SPSs, all the messages, signatures, and verification keys consist only of group elements, while in FSPSs, even signing keys are required to be a collection of group elements. To achieve our goal, we introduce two new primitives called trapdoor signature and signature with auxiliary key, both of which can be derived from SPSs. By carefully combining both primitives, we obtain generic constructions of FSPSs from SPSs. Upon instantiating the above two primitives, we get many instantiations of FSPS with unilateral and bilateral message spaces. Different from previously proposed FSPSs, many of our instantiations also have the automorphic property, i.e., a signer can sign his own verification key. As by-product results, one of our instantiations has the shortest verification key size, signature size, and lowest verification cost among all previous constructions based on standard assumptions, and one of them is the first FSPS scheme in the type I bilinear groups.

Y. Wang—This author is supported by a JSPS Fellowship for Young Scientists.

Z. Zhang—Corresponding author whose current affiliation is Beihang University. The author is partly supported by the NSFC under No. 61303201. The work is done while the author is a postdoctoral researcher of AIST.

K. Tanaka—A part of this work was supported by a grant of I-System Co. Ltd., NTT Secure Platform Laboratories, Nomura Research Institute, Input Output Hongkong, and MEXT/JSPS KAKENHI 16H01705.

1 Introduction

1.1 Background

Structure-preserving signatures (SPSs). In [3], Abe et al. initiated the study of SPSs which denote pairing-based signatures where all the verification keys, messages, and signatures consist only of group elements and the verification algorithms only make use of pairing product equations (PPEs) to verify signatures.

SPSs are very useful since they can be combined with other structure-preserving (SP) primitives, e.g., ElGamal encryption [19] and Groth-Sahai proofs [29], to obtain efficient cryptographic protocols such as blind signatures [3, 23–25], group signatures [3, 25, 34], homomorphic signatures [33], delegatable anonymous credentials [22], compact verifiable shuffles [17], network coding [6], oblivious transfer [14, 37], tightly secure encryption [2, 30], and e-cash [7]. Motivated by this, there have been a large deal of works focusing on SPSs (e.g., [1, 3]) in the past few years, which provide us with various SPS schemes based on different assumptions and with high efficiency.

Automorphic signatures. In [3], Abe et al. noted that for elaborate applications, the SP property of a signature scheme is not sufficient. In addition, an SPS scheme has to be able to sign its own verification keys, i.e., verification keys have to lie in the message space. They called such kind of SPS automorphic signature and gave an instantiation of it, and also provided a generic transformation that converts automorphic signatures for messages of fixed length into ones for messages of arbitrary length.

As argued in [3], since automorphic signatures enable constructions of certification chains (i.e., sequences of verification keys linked by certificates from one key on the next one), they are useful in constructing anonymous proxy signatures and delegatable anonymous credentials. Abe et al. [3] also showed how to combine automorphic signatures with the Groth-Sahai proof system to construct a round-optimal blind signature scheme.

Fully structure-preserving signatures (FSPSs). In [5], Abe et al. introduced FSPSs, where signing keys also consist only of group elements and the correctness of signing keys with respect to verification keys can be verified by PPEs. Since the fully structure-preserving (FSP) property enables efficient signing key extraction, it could help us prevent rogue-key attacks in the public-key infrastructures (PKIs) [36], make anonymous credentials UC-secure [15], achieve privacy in group and ring signatures [10, 11, 13] in the presence of adversarial keys, and extend delegatable anonymous credentials [8, 18, 22] with all-or-nothing transferability [16], as noted in [5]. In this paper, we call an automorphic signature scheme that is FSP a fully automorphic signature (FAS) scheme.

Abe et al. [5] gave two generic constructions by combining FSPSs unforgeable (UF) against extended random message attacks (xRMA) [1] with other primitives such as one-time SPSs, two-tier SPSs (also called partial one-time SPSs), and trapdoor commitment schemes. Although these constructions are novel and neat, they suffer from three shortcomings due to the use of specific primitives, which make them less generic.

1. 1.

   As both constructions require a UF-xRMA secure FSPS scheme and one of them also requires a \(\gamma \)-blinding trapdoor commitment scheme, the underlying assumptions and bilinear map of their instantiations are limited. Concretely speaking, all the signature schemes derived from their constructions have to be based on at least the SXDH and XDLIN assumptions and be in the type III bilinear group.

2. 2.

   For the same reason, the efficiency of their instantiations is also potentially limited by the underlying UF-xRMA secure FSPS scheme and the \(\gamma \)-blinding trapdoor commitment scheme. For example, the verification keys and signatures of their most efficient FSPS scheme consist of more than 10n group elements in total if messages consist of \(n^2\) group elements.

3. 3.

   Their instantiations are not automorphic. The reason is that verification keys of the UF-xRMA secure FSPS scheme (which are also verification keys of the resulting schemes) consist of elements in both source groups, while the resulting signature schemes can only sign messages consisting only of elements in one source group.

Note that Abe et al. [5] also gave a variant of their constructions by combining a UF-xRMA secure signature scheme and a trapdoor commitment scheme with SPSs, which can be treated as a generic transformation from SPSs to FSPSs. If the instantiation of SPS is with a bilateral message space (i.e., messages consist of elements in both source groups), then the resulting signature scheme could be automorphic. However, as far as we know, besides the aforementioned shortcomings, all the previously proposed SPS schemes with a bilateral message space require verification keys to consist of elements in both source groups (except for ones that sign messages of “DDH form” [26, 27]), which result in very inefficient FSPS schemes, as noted in [5]. The verification keys and signatures (respectively, the verification algorithm) of the most efficient automorphic instantiation that can be derived from their generic construction consist of more than 12n group elements in total (respectively, more than 3n PPEs) if the messages consist of \(2n^2\) group elements.

Following the work of Abe et al. [5], Groth [28] gave an elegant construction of FSPS, which has the shortest verification keys and signatures, and needs the fewest PPEs for verification. Although this FSPS scheme is the most efficient one as far as we know, it is only known to be secure in the generic group model and is not automorphic.

Up until now, a lot of results are devoted to constructing efficient SPSs under different assumptions, while there are very few FSPS schemes. If we can find a generic method to transform existing SPSs into FSPSs or even FASs without directly using specific primitives, it will greatly alleviate the efforts to construct them from scratch.

1.2 Our Results

Generic construction of FSPS. In this paper, we formalize two extensions to ordinary signatures called trapdoor signatures (TSs) and signatures with auxiliary key (AKSs). We show that any well-formed¹ SPS scheme can be converted into a TS scheme satisfying the signing key structure-preserving (SKSP) property, in which signing keys consist only of group elements and the correctness with respect to verification keys can be verified by PPEs, while messages are not necessarily group elements. Furthermore, it is relatively straightforward to show that any SPS scheme with an algebraic key generation algorithm can be converted into a structure-preserving signature with auxiliary keys (SP-AKS). By combining SKSP-TS with SP-AKS, we obtain a generic construction of FSPS.² Our construction implies that for any two SPS schemes, if verification keys of one lie in the message space of the other (which is well-formed), then basically, they can be used to construct an FSPS scheme, without using any other specific primitives or additional assumptions. It also implies that most well-formed SPS schemes with a bilateral message space or unilateral verification key space (i.e., the verification keys consist only of elements in one source group) can be converted into an FSPS scheme.

This generic construction is proved to be secure based on building blocks satisfying different security, which allows us to obtain various instantiations of FSPS based on different assumptions.

Efficient instantiations of FSPSs. By extending the definition of AKSs to two-tier signatures with auxiliary keys (TT-AKSs) and substituting AKSs with TT-AKSs in the above generic construction, we obtain another generic construction, which enables us to obtain more efficient instantiations of FSPS. For instance, by using the TS scheme and TT-AKS scheme adapted from the SPS schemes proposed by Kiltz et al. [31, 32], we obtain instantiations of FSPS with unilateral and bilateral message spaces. We give an efficiency comparison between our instantiations and the ones proposed in [5] in Table 1.³ Note that like the FSPS scheme proposed in [28], a signing key in our instantiations consists of \(\varOmega (n)\) group elements (concretely, \(2n+1\) in [28] and \(4n+9\) and \(8n+13\) in our results), while that in “AKO+15” consists only of 4 elements. However, in many applications, the size of a signing key does not have to be “extremely short” since typically, a user generates only one proof for knowing a signing key (e.g., in PKIs and group/ring signatures), while proofs for knowing a signature or a verification key/signature pair are required to be generated for multiple times.⁴

Table 1. Comparison between the most efficient instantiations of FSPS based on standard assumptions derived from the main construction in [5] and the most efficient ones derived from our constructions. Notation (x, y) denotes x elements in \(\mathbb {G}_1\) and y elements in \(\mathbb {G}_2\). We do not count the two generators in the description of bilinear groups when giving the parameters.

Our FSPS schemes in Table 1 can also be based on the \(\mathcal{U}_k\)-matrix Diffie-Hellman (MDDH) assumptions [20] (see the full paper for the definition), while the parameters become \((|m|,|pk|+|par|,|\sigma |,\sharp \mathrm{PPE})=(n^2,(2n k+2k+3+\mathsf {RE}(\mathcal{D}_k))k+\mathsf {RE}(\mathcal{D}_k),(3k+1)n+4+3k+\mathsf {RE}(\mathcal{D}_k),kn+2k+1)\) and \((|m|,|pk|+|par|,|\sigma |,\sharp \mathrm{PPE})=(2n^2,(4nk+3k+3+2\mathsf {RE}(\mathcal{D}_k))k+2\mathsf {RE}(\mathcal{D})_k,2(3k+1)n+5k+5+2\mathsf {RE}(\mathcal{D}_k),2kn+3k+1)\), where \(\mathsf {RE}(\mathcal{D}_k)\) denotes the minimal number of group elements needed to present a matrix sampled from \(\mathcal{U}_k\).

Since our constructions only require the underlying schemes to have properties naturally satisfied by SPSs, further improvement on SPS schemes may contribute to the efficiency of FSPSs more via our constructions than the constructions in [5].

FASs. Since we can convert any (well-formed) SPS scheme into an SKSP-TS scheme and an SP-AKS scheme, our generic constructions also derive many instantiations of FAS from various combinations (including the ones in Table 1). As long as verification keys of the underlying TS scheme consist of no more group elements than messages of the underlying AKS scheme in both source groups, the resulting scheme is usually fully automorphic.

We can instantiate our first generic construction with the TS scheme and AKS scheme adapted from the SPS scheme proposed by Groth et al. [28] to obtain our most efficient FAS scheme, while the most efficient one from the generic construction in [5] can be obtained by letting the underlying SPS scheme be the one in [4] and the underlying one-time SPS scheme the one in [26]. For ease of understanding, we give an efficiency comparison in Table 2.

Table 2. Comparison between the most efficient instantiation of FAS derived from the main construction in [5] and the most efficient one derived from our constructions. Both of them are secure in the generic group model.

FSPS (FAS) schemes in the symmetric (type I) bilinear map. We also instantiate our generic constructions with the SPS scheme and the tag-based SPS scheme proposed in [2] to obtain the first FSPS and FAS schemes in the type I bilinear map, the most efficient one of which achieves \((|m|,|pk|+|par|,|\sigma |,\sharp \mathrm{PPE})=(n^2,6n+30,6n+12,2n+7)\).

1.3 High-Level Idea

Our generic construction can be treated as an extension of the well-known EGM paradigm [21]. In this paradigm a signer uses two signature schemes \(\varSigma _1\) and \(\varSigma _2\) to sign a message m. It first signs m by using the signing key \(sk_2\) of \(\varSigma _2\) and then signs the verfication key \(vk_2\) of \(\varSigma _2\) by using the signing key \(sk_1\) of \(\varSigma _1\). This paradigm was used to obtain SPSs in [1] and a generic construction of FSPS in [5]. To make sure that the resulting signature scheme is an FSPS scheme, it is natural to require \(sk_1\) to consist only of group elements. This is the reason why Abe et al. [5] instantiated \(\varSigma _1\) with the xRMA secure signature scheme proposed in [1], which was the only proposed FSPS scheme until then. However, we observe that it is possible to instantiate \(\varSigma _1\) with all the existing SPS schemes, which also provides us with more options when selecting instantiations of \(\varSigma _2\) to match \(\varSigma _1\).

Next, we explain how to choose \(\varSigma _1\) and \(\varSigma _2\), and the high level idea of our construction. Roughly speaking, starting from an SPS scheme with a signing key \(x\in \mathbb {Z}_p\), we can always derive a signature scheme in which the signing key becomes a group element \(X=G^x\in \mathbb {G}\) (where G denotes the generator of \(\mathbb {G}\)). It is obvious that in this case a message \(M\in \mathbb {G}\) cannot be signed by using X since we are not able to compute \(M^x\) from X and M. Supposing that \(M=G^m\), we can use X to sign m instead of M, i.e., compute \(X^m\) instead of \(M^x\) when generating a signature. Furthermore, since signatures generated in this way are the same as those generated by the real signing key, and the public key and verification algorithm remain the same, one can verify the signature by using M. We formalize such a signature scheme as a TS scheme. Although such a signature scheme is only “semi”-structure-preserving, we use it to sign the exponent \(v\in \mathbb {Z}_p\) of a verification key (called auxiliary keys) of another SPS scheme and use the latter SPS scheme to sign a message \(M'\in \mathbb {G}'\). This enables us to obtain an FSPS scheme. We formalize the latter signature scheme which generates auxiliary keys besides verification/signing key pairs as an AKS scheme.

To verify a signature, one only needs to know \(V=G^v\) and \(M'\), without knowing v. Furthermore, the original signing key x (called trapdoor key) of the TS scheme is never used in the signing process but is necessary as the reduction algorithm in the security proof signs verification keys without knowing the exponent.

Our main contributions lie in two aspects. First, we formalize the notions of TSs and AKSs in order to adapt the EGM paradigm to construct FSPSs. Second, we show that most of existing SPS schemes can be cast as our extended signatures, and consequently we can obtain a number of FSPSs and FASs based on existing SPSs.

Perhaps interestingly, although most of the previously proposed SPS schemes with a unilateral message space are not automorphic (since their verification keys and messages usually consist of elements in different source groups), when some of them are converted into FSPSs using our method, the resulting schemes become automorphic.⁵

Paper organization. We recall several definitions in Sect. 2. Then we formalize TSs and AKSs and show how to instantiate them from any (well-formed) SPS scheme in Sects. 3 and 4 respectively, and give generic constructions of FSPSs based on them in Sect. 5. Finally, we show instantiations of our generic constructions in Sect. 6.

2 Preliminaries

2.1 Notations

In this paper, we let \({ negl}\) be negligible functions, [n] the set \(\{1,\ldots ,n\}\), \(\mathbb {N}\) the set of natural numbers, |X| the number of elements in X (where X could be a space, a vector, or a matrix), and \(\widetilde{\mathbf{A}}\) the \(1\times {mn}\) vector \((a_{11},a_{12},\ldots a_{1n},a_{21},a_{22},\ldots a_{2n},\ldots ,a_{m1},a_{m2},\ldots a_{mn})\) where \(\mathbf A\) denotes the \(m\times n\) matrix \((a_{ij})_{i\in [m],j\in [n]}\). If \(\mathbf{A}\in \mathbb {Z}_p^{(k+1)\times k}\) lies in the matrix distribution \(\mathcal{U}_k\), then we use \(\overline{\mathbf{A}}\) to denote the upper square matrix of \(\mathbf A\). Furthermore, \(\vec {a}\in \mathbb {Z}_p^n\) denotes a column vector by default.

2.2 Pairing Group

In this paper, we let \(\mathcal G\) be an algorithm that takes as input \(1^\lambda \) and outputs \(gk=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,G_1,G_2)\) such that p is a prime satisfying \(p=\varTheta (2^\lambda )\), \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T)\) are descriptions of groups of order p, \(G_1\) and \(G_2\) generate \(\mathbb {G}_1\) and \(\mathbb {G}_2\) respectively, and \(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is an efficiently computable (non-degenerate) bilinear map. Following [28, 31], we use the additive notation in [20] such as \(e((a+b)[x]_1,[y]_2)=a\cdot e([x]_1,[y]_2)+b\cdot e([x]_1,[y]_2)\) where \([x]_1\) and \([y]_2\) denote \(G_1^x\) and \(G_2^y\) respectively, and \(e([x]_1,[y]_2)\) can be written as \([xy]_T\). Furthermore, \(e([\vec {a}]_1^\top ,[\vec {b}]_2)\) denotes \(\sum _{i=1}^n e([a_i]_1,[b_i]_2)\) where \([\vec {a}]_1=([a_1]_1,\ldots ,[a_n]_1)^\top \) and \([\vec {b}]_2=([b_1]_2,\ldots ,[b_n]_2)^\top \), and \(e([\mathbf{A}]_1^\top ,[\mathbf{B}]_2)\) denotes \((e([\vec {a}^\top _i]_1,[\vec {b}_j]_2))_{i\in [n], j\in [n']}\) where \([\mathbf{A}]_1=([\vec {a}_1]_1,\ldots ,[\vec {a}_n]_1)\) and \([\mathbf{B}]_2=([\vec {b}_1]_2,\ldots ,[\vec {b}_{n'}]_2)\).

2.3 Signatures

Definition 1 (Signature)

A signature scheme consists of four polynomial-time algorithms \(\mathsf {Setup}\), \(\mathsf {Gen}\), \(\mathsf {Sign}\), and \(\mathsf {Verify}\). \(\mathsf {Setup}\) takes as input a security parameter \(1^\lambda \) and generates a public parameter par, which determines the message space \(\mathcal M\) and the randomness space \(\mathcal R\) for signing. \(\mathsf {Gen}\) is a randomized algorithm that takes as input a public parameter par and outputs a verification/signing key pair (pk, sk). \(\mathsf {Sign}\) is a randomized algorithm that takes as input a signing key sk and a message m, and returns a signature \(\sigma \). \(\mathsf {Verify}\) is a deterministic algorithm that takes as input a verification key pk, a message M, and a signature \(\sigma \), and returns 1 (accept) or 0 (reject).

The correctness is satisfied if we have \(\mathsf {Verify}(pk,m,\mathsf {Sign}(sk,m;r))=1\) for all \(\lambda \in \mathbb {N}\), \(par\leftarrow \mathsf {Setup}(1^\lambda )\), \((pk,sk)\leftarrow \mathsf {Gen}(par)\), \(m\in \mathcal{M}\), and \(r\in \mathcal{R}\).

In [3], Abe et al. firstly defined SPSs, in which verification keys, messages, and signatures consist only of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and signatures are verified by evaluating pairing product equations (PPEs), which are of the form \(\sum _{ij} {a_{ij}} e([x_i]_1,[y_j]_2)=[0]_T\), where \(a_{ij}\) is an integer constant for all i and j.

Definition 2 (Structure-preserving signature (SPS))

A signature sch-eme is said to be structure-preserving over a bilinear group generator \(\mathcal G\) if we have (a) a public parameter includes a group description gk generated by \(\mathcal G\), (b) verification keys consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), (c) messages consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), (d) signatures consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and (e) the verification algorithm consists only of evaluating membership in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and relations described by PPEs.

SPSs are versatile since they mix well with other pairing-based protocols. Especially, they are compatible with the Groth-Sahai proof system [29]. However, as argued by Abe et al. in [3], Groth-Sahai compatibility of a signature scheme is not sufficient for elaborate applications such as anonymous signatures and delegatable anonymous credentials, which require signatures on verification keys to obtain anonymized certification chains. Abe et al. [3] called an SPS scheme that is able to sign its own verification keys an automorphic signature scheme.

Definition 3 (Automorphic signature)

A signature scheme is said to be an automorphic signature scheme over a bilinear group generator \(\mathcal G\) if it is structure-preserving and its (padded) verification keys lie in the message space.

In [5], Abe et al. introduced FSPSs, which also require a signing key to be group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and the correctness of a signing key with respect to a verification key can be verified by PPEs. Such signatures allow efficient key extraction when combined with non-interactive proofs (e.g., the Groth-Sahai proofs), which may help prevent rogue-key attacks [36], build UC-secure privacy preserving protocols [15], strengthen privacy in group and ring signatures [10, 11, 13] in the presence of adversarial keys, and extend delegatable anonymous credential systems [8, 18, 22] with all-or-nothing transferability [16].

Definition 4 (Fully structure-preserving signature (FSPS))

A structure-preserving signature scheme \((\mathsf {Setup},\mathsf {Gen},\mathsf {Sign},\mathsf {Verify})\) with the message space \(\mathcal M\) and randomness space \(\mathcal R\) for signing is said to be fully structure-preserving if we have (a) signing keys consist only of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and additionally, (b) there exists a polynomial-time deterministic algorithm \(\mathsf {VerifySK}\) that takes as input a verification/signing key pair and consists only of evaluating membership in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and relations described by PPEs, and it is required that for sufficiently large \(\lambda \in \mathbb {N}\), \(par\leftarrow \mathsf {Setup}(1^\lambda )\), the following holds:

• \(\mathsf {VerifySK}(pk,sk)=1\) if and only if \(\mathsf {Verify}(pk,m,\mathsf {Sign}(sk,m;r))=1\) holds for all \(m\in \mathcal{M}\) and \(r\in \mathcal{R}\).

In this paper, we call an automorphic signature scheme which is also FSP a fully automorphic signature (FAS) scheme.

Definition 5 (Fully automorphic signature (FAS))

An automorphic signature scheme is said to be fully automorphic if it is also fully structure-preserving.

Due to space limitation, we recall the UF-CMA, UF-RMA, UF-otCMA, and UF-otRMA security of a signature scheme in the full paper.

3 Trapdoor Signatures

3.1 Definition of Trapdoor Signatures

In this section, we formalize the notion of \(\gamma \) -trapdoor signature ( \(\gamma \) -TS) scheme, whose instantiations are used as building blocks to obtain FSPSs. Different from standard signatures, a TS scheme verifies the correctness of a signature \(\sigma \) on a message \(m\in \mathcal{M}\) by taking as input \((\gamma (m)\in \mathcal{M}_\gamma ,\sigma )\) where \(\gamma : \mathcal{M}\mapsto \mathcal{M}_\gamma \) is an efficiently computable bijection. Furthermore, there exists a trapdoor key with which we can generate a signature on m if we have \(\gamma (m)\) but not m itself.

Definition 6

( \(\gamma \) -Trapdoor signature ( \(\gamma \) -TS)). A \(\gamma \) -trapdoor signature scheme consists of five polynomial-time algorithms \(\mathsf {Setup}\), \(\mathsf {Gen}\), \(\mathsf {Sign}\), \(\mathsf {Verify}\), and \(\mathsf {TDSign}\). \(\mathsf {Setup}\) takes as input a security parameter \(1^\lambda \) and generates a public parameter par, which determines the message space \(\mathcal M\) for the signing algorithm, the message space \(\mathcal{M}_\gamma \) for the verification algorithm, and an efficiently computable bijection \(\gamma : \mathcal{M}\mapsto \mathcal{M}_\gamma \). \(\mathsf {Gen}\) is a randomized algorithm that takes as input par, and outputs a verification/signing key pair (pk, sk) and a trapdoor key tk. \(\mathsf {Sign}\) is a randomized algorithm that takes as input a signing key sk and a message \(m\in \mathcal{M}\), and returns a signature \(\sigma \), where the randomness space is denoted by \(\mathcal R\). \(\mathsf {Verify}\) is a deterministic algorithm that takes as input a verification key pk, a message \(M\in \mathcal{M}_\gamma \), and a signature \(\sigma \), and returns 1 (accept) or 0 (reject). \(\mathsf {TDSign}\) takes as input a trapdoor key tk and a message \(M\in \mathcal{M}_\gamma \), and returns a signature \(\sigma \). The randomness space of \(\mathsf {TDSign}\) is also \(\mathcal{R}\).

The correctness is satisfied if for all \(\lambda \in \mathbb {N}\), \(par\leftarrow \mathsf {Setup}(1^\lambda )\), \(((pk,sk),tk)\leftarrow \mathsf {Gen}(par)\), and \(m\in \mathcal{M}\), we have (a) \(\mathsf {Verify}(pk,\gamma (m),\mathsf {Sign}(sk,m))=1\), and (b) \(\mathsf {Sign}(sk,m;r)=\mathsf {TDSign}(tk,\gamma (m);r)\) for all \(r\in \mathcal{R}\).

Key generation algorithm \(\mathcal{T}_\mathsf {Gen}.\) We use \(\mathcal{T}_\mathsf {Gen}\) to denote an algorithm that runs \(\mathsf {Gen}\), which is the key generation algorithm of a TS scheme, in the following way. Taking as input a public parameter par, \(\mathcal{T}_\mathsf {Gen}\) gives par to \(\mathsf {Gen}\) and obtains an output ((pk, sk), tk). Then \(\mathcal{T}_\mathsf {Gen}\) outputs (pk, tk) as a verification/signing key pair.

For a TS scheme \(\varSigma =(\mathsf {Setup}, \mathsf {Gen}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {TDSign})\), we denote \((\mathsf {Setup},\mathcal{T}_\mathsf {Gen},\mathsf {TDSign},\mathsf {Verify})\) by \(\mathcal{T}_{\varSigma }\). According to the syntax of TS, it is not hard to see that \(\mathcal{T}_\varSigma \) forms a standard signature scheme whose message space is \(\mathcal{M}_\gamma \).

Now we define SKSP-TSs, in which verification keys, signing keys, and signatures (but not necessarily messages) consist only of group elements, and the correctness of signing keys with respect to verifications keys can be verified by PPEs.

Definition 7 (Signing key structure-preserving (SKSP))

A \(\gamma \)-TS sch-eme \(\varSigma =(\mathsf {Setup}, \mathsf {Gen}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {TDSign})\) with message space \(\mathcal M\) is said to be signing key structure-preserving over a bilinear group generator \(\mathcal G\) if we have (a) \(\mathcal{T}_\varSigma \) is an SPS scheme, (b) signing keys (rather than trapdoor keys) consist only of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and (c) \(\varSigma \) satisfies the condition (b) in Definition 4, where \(\mathsf {Verify}(pk,m,\mathsf {Sign}(sk,m;r))=1\) is replaced with \(\mathsf {Verify}(pk,\gamma (m),\mathsf {Sign}(sk,m;r))=1\).

Note that different from FSPSs, messages are not required to be group elements in SKSP-TSs.

3.2 Security of Trapdoor Signatures

We now define the UF-CMA security of TSs.

Definition 8 (UF-CMA of TSs)

A \(\gamma \)-TS scheme \((\mathsf {Setup},\mathsf {Gen},\mathsf {Sign},\mathsf {Verify},\mathsf {TDSign})\) is said to be unforgeable against chosen message attacks (UF-CMA) if for every probabilistic polynomial time (PPT) adversary \(\mathcal {A}\), we have

where \(\mathrm{SignO}(\cdot )\) is the signing oracle that takes as input \(m\in \mathcal{M}\), runs \(\sigma \leftarrow \mathsf {Sign}(sk,m)\), adds \(\gamma (m)\in \mathcal{M}_\gamma \) to \(\mathcal{Q}_m\), and returns \(\sigma \).

Unlike the UF-CMA security of standard signatures, a query m made by an adversary is in \(\mathcal{M}\), the signing oracle records \(\gamma (m)\in \mathcal{M}_\gamma \), and the message \(M^*\) output by the adversary is in \(\mathcal{M}_\gamma \).

The UF-CMA security of TSs is similar to the F-unforgeability of standard signatures defined by Belenkiy et al. [9]. Moreover, Libert et al. [35] gave an instantiation of F-unforgeable signatures and combined it with a tagged one-time signature scheme proposed by Abe et al. [2] to obtain a very efficient SPS scheme. However, they neither provided generic constructions nor considered the FSP property.

Now we show the relation between the UF-CMA security of \((\mathsf {Setup}, \mathsf {Gen}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {TDSign})\) and that of \((\mathsf {Setup},\mathcal{T}_\mathsf {Gen}, \mathsf {TDSign}, \mathsf {Verify})\) in Theorem 1. We refer the reader to the full paper for the proof.

Theorem 1

For a \(\gamma \)-TS scheme \(\varSigma =(\mathsf {Setup},\mathsf {Gen},\mathsf {Sign},\mathsf {Verify},\mathsf {TDSign})\), if \(\mathcal{T}_\varSigma =(\mathsf {Setup},\mathcal{T}_\mathsf {Gen}, \mathsf {TDSign}, \mathsf {Verify})\) is UF-CMA secure, then \(\varSigma \) is UF-CMA secure.

Now we give the definitions of unforgeability against random message attacks (RMA), one-time chosen message attacks (otCMA), and one-time random message attacks (otRMA) of TSs.

Definition 9 (UF-RMA, UF-otCMA, and UF-otRMA of TSs)

The UF-RMA security of TSs is the same as the UF-CMA security of TSs except that to answer a signing query, \(\mathrm{SignO}(\cdot )\) randomly chooses \(m\leftarrow \mathcal{M}\) itself, runs \(\sigma \leftarrow \mathsf {Sign}(sk,m)\), adds \(\gamma (m)\) to \(\mathcal{Q}_m\) (initialized with \(\emptyset \)), and returns \((m,\sigma )\).

The UF-otCMA (respectively, UF-otRMA) security is the same as the UF-CMA (respectively, UF-RMA) security of TSs, except that \(\mathcal {A}\) is only allowed to make one query to the signing oracle \(\mathrm{SignO}(\cdot )\).

3.3 Converting Structure-Preserving Signatures into Signing Key Structure-Preserving Trapdoor Signatures

Before showing our conversion, we define a class of SPSs called well-formed SPSs. Roughly speaking, for a well-formed SPS scheme, it is required that the spaces of randomness and exponents of messages are super-polynomially large in the security parameter, and generating a signature element only involves the group operation, while the scalars of group elements are computed as arithmetic circuits of elements in the signing key and the randomness.

Definition 10 (Well-formed SPS)

For an SPS scheme \(\varSigma \), let \(\mathbb {M}_1\times \mathbb {M}_2\times \ldots \times \mathbb {M}_n\) be the space of exponents (with \([1]_1\) and \([1]_2\) for bases) of elements in a message,⁶ and \(\mathbb {R}_1\times \mathbb {R}_2\times \ldots \times \mathbb {R}_{n'}\) the randomness space (for signing), where \(n,n'\in \mathbb {N}\). \(\varSigma \) is said to be well-formed if (a) for all i, \(\mathbb {M}_i,\mathbb {R}_i\subseteq \mathbb {Z}_p\) and \(|\mathbb {M}_i|\) and \(|\mathbb {R}_i|\) are super-polynomial in the security parameter,⁷ and (b) generating a group element \([B]_b\) where \(b\in \{1,2\}\) in a signature only involves computing

$$\begin{aligned}{}[B]_b=\sum _i ({\prod _j{a_{ij}^{c_{ij}}}}) [A_i]_b, \end{aligned}$$

(1)

where \(\{[A_i]_b\}_i\) denotes elements appearing in the public parameters, the message, and the signing key, \(\{a_{ij}\}_{ij}\) denotes elements (in \(\mathbb {Z}_p\)) appearing in the signing key and the randomness for signing, and integer constants, and \(\{{c_{ij}}\}_{ij}\) denotes integer constants. Here, elements in \(\{[A_i]_b\}_i\) may represent the same variables, and the same argument is made for \(\{a_{ij}\}_{ij}\).⁸

Note that there is no requirement on the distributions of the elements other than the space sizes in the above definition, and as far as we know, all the existing SPSs are well-formed. Now we show that any well-formed SPS scheme can be converted into an SKSP-TS scheme.

Theorem 2

Any well-formed SPS scheme, the messages of which are supposed to be of the form \(([\vec {M}]_1,[\vec {N}]_2)\), can be converted into a \(\gamma \)-SKSP-TS scheme for \(\gamma \) defined by \(\gamma (\vec {M},\vec {N})=([\vec {M}]_1,[\vec {N}]_2)\).

Schwartz-Zippel Lemma. Now we introduce Schwartz-Zippel Lemma [38], based on which we will give the proof of Theorem 2,

Lemma 1

([38]). Let \(P\in F[x]\) be a non-zero polynomial of total degree \(d\ge 0\) over a field, S a finite subset of F, and r a randomness uniformly chosen from S. Then, we have

$$ \Pr [P(r)=0]\le d/|S|. $$

This lemma indicates that a polynomial of degree d over \(\mathbb {Z}_p\) has at most d roots.

Proof (of Theorem 2)

We divide the proof of Theorem 2 into two parts. In the first part, we show that any well-formed SPS scheme can be converted into a \(\gamma \)-TS scheme satisfying the conditions (a) and (b) of the SKSP property in Definition 7. In the second part, we prove that the converted TS scheme also satisfies the condition (c).

Part I. Let a group element in a signature be generated as Eq. (1). For all i such that \(\{a_{ij}\}_{j}\) contains a set of variables in the signing key, denoted by \(\{s_{ij}\}_j\), we use \(c'_{ij}\) to denote the exponent of \(s_{ij}\) in Eq. (1), and do the following conversion.

• If \([A_i]_b\) is in the message, then we add \( [(\prod _j s_{ij}^{c'_{ij}})]_b\) to the signing key.

• Otherwise (i.e., if \([A_i]_b\) is in the signing key or the verification key), then we add \( [(\prod _j s_{ij}^{c'_{ij}})A_i]_b\) to the signing key,

For all other group elements in the signature, we execute the same conversions. Then we remove all elements in \(\mathbb {Z}_p\), all repeated elements, and elements never used in signing procedures from the original signing key, and set the original signing key as the trapdoor key.

By using the new signing key, we can generate a signature consisting of group elements in the forms of Eq. (1) when taking as input a message consisting of \(M_1,M_2,\ldots ,N_1,N_2,\ldots \in \mathbb {Z}_p\), which forms the signing algorithm for the resulting \(\gamma \)-TS scheme. Furthermore, taking as input \([M_1]_1,[M_2]_1,\ldots ,[N_1]_2,[N_2]_2,\ldots \) and the trapdoor key, we can generate the same signature if the randomness is the same, by using the original signing algorithm. As a result, we have obtained a \(\gamma \)-TS scheme for \(\gamma (\vec {M},\vec {N})=([\vec {M}]_1,[\vec {N}]_2)\).

It is straightforward to see that in this \(\gamma \)-TS scheme, the verification keys, signing keys, and signatures consist only of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and the verification consists only of evaluating membership in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and relations described by PPEs. This completes the first part of the proof. Here, the verification key size, signature size, and number of PPEs do not change during the conversion, while the signing key size changes depending on the concrete construction of the SPS scheme.⁹

Part II. Next we prove that for the above \(\gamma \)-TS scheme, there exists an algorithm that can check the correctness of signing keys with respect to verification keys by using only PPEs.

Since a group element in the signature is computed as Eq. (1), and a group element in the message \([M]_1\) or \([N]_2\) can be treated as \(M[1]_1\) or \(N[1]_2\), a PPE in the verification algorithm can be written as

$$\begin{aligned} {\begin{matrix}&\sum _i\Big (\prod _j{x_{ij}}^{d_{ij}}\Big ) [X_i]_T=[0]_T, \end{matrix}} \end{aligned}$$

(2)

where \(\{x_{ij}\}_{ij}\) denotes elements in the randomness, exponents of the message, and integer constants, \(\{d_{ij}\}_{ij}\) denotes integer constants, and \(\{[X_i]_T\}_i\) denotes pairings between elements in the verification key and the signing key. Here, elements in \(\{x_{ij}\}_{ij}\) may represent the same variables, and the same argument is made for \(\{[X_i]_T\}_{i}\).

We now show how to obtain PPEs that check the correctness of signing keys with respect to verification keys as follows. Let \(\mathcal{E}\) be the set of all the distinct variables in \(\{x_{ij}\}_{ij}\) (not including constants). Then for any \(x\in \mathcal{E}\), we rewrite Eq. (2) as

$$\begin{aligned} {\begin{matrix} \sum _ix^{d_i}[Y_i]_T=[0]_T, \end{matrix}} \end{aligned}$$

(3)

where \(\{d_i\}_i\) denotes fixed polynomials and \(\{[Y_i]_T\}_i\) denotes elements in \(\mathbb {G}_T\). Since the SPS scheme is well-formed, the left hand side of Eq. (3) can be treated as a polynomial in x by fixing all \([Y_{i}]_T\). We rewrite Eq. (3) as

$$\begin{aligned}{}[P_0]_T+x^1[P_1]_T+\ldots +x^n[P_n]_T=[0]_T, \end{aligned}$$

(4)

for some fixed polynomial n, where \([P_k]_T\) denotes the sum of coefficients of \(x^k\). According to the definition of well-formed SPSs, since the space of x is super-polynomial (in the security parameter) and n is a polynomial (in the security parameter), the number of possible values of x must be larger than n for sufficiently large security parameters. As a result, if Eq. (4) holds for all possible value of x, we have

$$\begin{aligned} {\begin{matrix} [P_0]_T=[0]_T, ~[P_1]_T=[0]_T,~\ldots , ~[P_n]_T=[0]_T, \end{matrix}} \end{aligned}$$

(5)

or the number of roots of Eq. (4) could be larger than n, which is against Schwartz-Zippel Lemma. On the other hand, it is obvious that if PPEs in (5) hold, Eq. (4) holds for any x. For each \([P_i]_T=0\), we cancel another variable in \(\mathcal E\) in the same way. Recursively, all the variables in PPEs in the verification algorithm can be cancelled, and we finally obtain a sequence of PPEs of the form

$$\begin{aligned} \sum _i c'_i[X'_i]_T=[0]_T, \end{aligned}$$

where \(\{c'_i\}_i\) denotes fixed integers, and \(\{[X'_i]_T\}_i\) denotes pairings between elements in the verification key and the signing key, and elements in \(\{[X'_i]_T\}_i\) may represent the same variables. Since such collection of PPEs hold if and only if PPEs in the verification algorithm holds for all possible randomness and messages, we obtain an algorithm that takes as input verification/signing key pairs and check their correctness using this collection of PPEs.¹⁰

In conclusion, any well-formed SPS scheme can be converted into an SKSP-TS scheme, completing the proof of Theorem 2. \(\square \)

Remark. It is not hard to see that the latter half of the proof can also be adopted to show that for a well-formed SPS scheme, if signing keys consist only of group elements, then it is an FSPS scheme.

3.4 Instantiations of Trapdoor Signature

UF-CMA secure TS scheme. Using the conversion described in the proof of Theorem 2, we can convert well-formed SPSs into SKSP-TSs. For ease of understanding, we give an instantiation of \(\gamma \)-TS \(\varSigma =(\mathsf {Setup},\mathsf {Gen},\mathsf {Sign},\mathsf {Verify},\mathsf {TDSign})\) in Fig. 1, which is converted from the SPS scheme (denoted by \(\mathcal{T}_\varSigma =(\mathsf {Setup},\mathcal{T}_\mathsf {Gen},\mathsf {TDSign},\mathsf {Verify})\)) proposed by Kiltz et al. [31]. Here, \(\mathcal{T}_\varSigma \) is UF-CMA secure under the \(\mathcal{U}_k\)-MDDH assumptions and \(\gamma :\mathbb {Z}_p^n\mapsto \mathbb {G}_1^n\) is defined by \(\gamma (x_1,\ldots ,x_n)=([x_1]_1,\ldots ,[x_n]_1)\), where n denotes the number of group elements in a message.

To generate a signature of \(\mathcal{T}_\varSigma \), \(\sigma _1=[(1,\vec {m}^\top )]_1\mathbf{K}+\vec {r}^\top [\mathbf{P}_0+\tau \mathbf{P}_1]_1\) is the only part that needs to be operated by using “\(\mathbb {Z}_p\)-elements” \(\mathbf{K}\in \mathbb {Z}_p^{(n+1)\times (k+1)}\) of the signing key. Following our conversion, we replace \(\mathbf K\) with \([\mathbf{K}]_1\) in the signing key, and keep the original signing key as the trapdoor key. By using \([\mathbf{K}]_1\), we can compute \(\sigma _1\) as \((1,\vec {m}^\top )[\mathbf{K}]_1+\vec {r}^\top [\mathbf{P}_0+\tau \mathbf{P}_1]_1\). Furthermore, we obtain PPEs that check the correctness of signing keys as follows.

Then we rewrite the second equation \(e(\sigma _2,\sigma _4)=e(\sigma _3,[1]_2)\) as \(e(\vec {r}^\top [\mathbf{B}^\top ]_1,[\tau ]_2)=e(\vec {r}^\top [\mathbf{B}^\top \tau ]_1,[1]_2)\). By cancelling \(\vec {r}\) and \(\tau \), we obtain \(e([\mathbf{B}^\top ]_1,[1]_2)=e([\mathbf{B}^\top ]_1,[1]_2)\), which is trivial.¹¹

Finally, we obtain the algorithm \(\mathsf {VerifySK}\) checking correctness of signing keys with respect to verification keys via the above three PPEs (derived from \(\mathop {\Rightarrow }\limits ^{*}\)).

Fig. 1.

A UF-CMA secure \(\gamma \)-TS scheme adapted from [31, Sect. 4.2]. The boxes indicate the main differences from the original scheme in [31].

Theorem 3

The instantiation described in Fig. 1 is a UF-CMA secure \(\gamma \)-SKSP-TS scheme under the \(\mathcal{U}_k\)-MDDH assumptions.

The SKSP property of this instantiation is implied by Theorem 2 and the UF-CMA security is implied by Theorem 1. We refer the reader to the full paper for the proof of Theorem 3.

UF-otRMA secure TS scheme. In Fig. 2, we give another instantiation of TS which satisfies the UF-otRMA security under the \(\mathcal{U}_k\)-MDDH assumptions. This scheme is converted from the UF-otRMA secure SPS scheme in [31]. The proof of correctness is straightforward and the correctness of a signing key with respect to a verification key can be verified by \(\mathsf {VerifySK}\) via \(e([\mathbf{K}]_1,[\overline{\mathbf{A}}]_2)=e([1]_1,[\mathbf{C}]_2)\).

Unlike the UF-CMA security proved in Theorem 1, the UF-otRMA security of \(\varSigma =(\mathsf {Setup},\mathsf {Gen},\mathsf {Sign},\mathsf {Verify},\mathsf {TDSign})\) is not automatically implied by the UF-otRMA security of \(\mathcal{T}_\varSigma =(\mathsf {Setup},\mathcal{T}_\mathsf {Gen},\mathsf {TDSign},\mathsf {Verify})\). However, according to [31], the proof of the UF-otRMA security of \(\mathcal{T}_\varSigma \) remains valid even when an adversary sees the exponents of the messages from the signing oracle, which implies the UF-otRMA security of \(\varSigma \). We refer the reader to [31] for details of the proof.

Fig. 2.

A UF-otRMA secure \(\gamma \)-SKSP-TS scheme adapted from [31, Sect. 5.2]. The boxes indicate the main differences from the original scheme in [31].

4 (Two-tier) Signatures with Auxiliary Key(s)

In this section, we introduce AKSs which are used as building blocks to achieve our generic construction of FSPS. In Sect. 4.1, we give the definition of AKSs, define their properties, and give an instantiation of AKS. In Sect. 4.2, we extend AKS to TT-AKS and give an instantiation of TT-AKS.

4.1 Signature with Auxiliary Key

Definition. Roughly speaking, a \(\gamma \)-AKS scheme is a signature scheme in which the key generation algorithm additionally generates auxiliary keys, and the verification key space and the auxiliary key space have a special (but natural) structure related with \(\gamma \).

Definition 11

( \(\gamma \) -signature with auxiliary key ( \(\gamma \) -AKS)). A signature scheme \(\varSigma =(\mathsf {Setup},\mathsf {Gen},\mathsf {Sign},\mathsf {Verify})\) with verification key space \(\mathcal{P}_\gamma \) is said to be a \(\gamma \)-AKS scheme for an efficiently computable bijection \(\gamma :\mathcal{P}\mapsto \mathcal{P}_\gamma \) if in addition to the verification/signing key pair (pk, sk), \(\mathsf {Gen}\) also outputs an auxiliary key \(ak\in \mathcal{P}\) such that \(pk=\gamma (ak)\).

Security. The UF-(ot)CMA security and UF-(ot)RMA security of \(\gamma \)-AKSs are exactly the same as those of standard signatures except that \(\mathsf {Gen}\) addtionally generates ak.

Key generation algorithm \({\mathcal{U}}_{\mathsf {Gen}}.\) Similarly to \(\mathcal{T}_\mathsf {Gen}\) defined in Sect. 3.1, we use \(\mathcal{U}_\mathsf {Gen}\) to denote an algorithm that runs \(\mathsf {Gen}\), which is the key generation algorithm of a \(\gamma \)-AKS scheme, in the following way.

Taking as input a public parameter par, \(\mathcal{U}_\mathsf {Gen}\) gives par to \(\mathsf {Gen}\) and obtains an output ((pk, sk), ak). Then \(\mathcal{U}_\mathsf {Gen}\) outputs (pk, sk) as a verification/signing key pair, without outputting ak. We use \(\mathcal{U}_\varSigma \) to denote \((\mathsf {Setup},\mathcal{U}_\mathsf {Gen},\mathsf {Sign},\mathsf {Verify})\) when \(\varSigma =(\mathsf {Setup},\mathsf {Gen},\mathsf {Sign},\mathsf {Verify})\).

Just like SPSs, we consider \(\gamma \)-AKSs with the SP property.

Definition 12

( \(\gamma \) -SP-AKS). A \(\gamma \)-AKS scheme \(\varSigma \) is said to be a \(\gamma \) -SP-AKS scheme if \(\mathcal{U}_\varSigma \) is an SPS scheme.

Converting SPSs into SP-AKSs. It is straightforward to see that any SPS scheme with an algebraic key generation algorithm, public keys of which are supposed to be of the form \(([\vec {u}]_1,[\vec {v}]_2)\), can be converted into a \(\gamma \)-SP-AKS scheme, where \(\gamma \) is defined by \(\gamma (\vec {u},\vec {v})=([\vec {u}]_1,[\vec {v}]_2)\), since we can force the setup of any SPS to output no common parameter except for the bilinear map description and let the key generation algorithm additionally output \((\vec {u}_1,\vec {v}_2)\).

We now define the random auxiliary key property for AKSs.

Definition 13 (Random auxiliary key property)

A \(\gamma \)-AKS scheme \((\mathsf {Setup},\mathsf {Gen}, \mathsf {Sign}, \mathsf {Verify})\) with an auxiliary key space \(\mathcal{P}\) is said to satisfy the random auxiliary key property if there exists an additional algorithm \(\mathsf {AKGen}\) such that \(\mathsf {AKGen}\) takes as input par and an auxiliary key ak, and outputs a verification/signing key pair (pk, sk) where \(\gamma (ak)=pk\). Furthermore, for any PPT adversary \(\mathcal A\) and all \(\lambda \in \mathbb {N}\), we have

where \({\mathrm{GenO}}\) runs \(((pk,sk),ak)\leftarrow \mathsf {Gen}(par)\), and returns (pk, sk, ak), and \(\mathrm{AKGenO}\) uniformly chooses ak from \(\mathcal P\), runs \((pk,sk)\leftarrow \mathsf {AKGen}(par,ak)\), and returns (pk, sk, ak).

Instantiation of AKS. Now we give an instantiation of AKS satisfying UF-otCMA security under the \(\mathcal{U}_k\)-MDDH assumptions (see the full paper) in Fig. 3. This signature scheme is actually the same as the UF-otCMA secure signature scheme in [31] except that \(\mathsf {Gen}\) additionally generates exponents of a verification key as an auxiliary key. For this instantiation, the bijection \(\gamma \) is defined by \(\gamma (\mathbf{X})=[\mathbf{X}]_2\in \mathbb {G}_2^{(n+1)\times k}\times \mathbb {G}_2^{(k+1)\times k}\) for n which denotes the length of a message.

We refer the reader to [31] for the proof of the UF-otCMA security of this instantiation.

Fig. 3.

A UF-otCMA secure \(\gamma \)-SP-AKS scheme adapted from [31, Sect. 3].

Theorem 4

The instantiation described in Fig. 3 satisfies the random auxiliary key property.

This proof follows from the fact that when the distribution of \(\mathbf C\) is uniform, the distribution of \(\underline{\mathbf{K}}=(\mathbf{C}-\vec {k}\vec {a}^\top )\overline{\mathbf{A}}^{-1}\) is uniform as well. We give the proof of Theorem 4 in the full paper due to page limitation.

4.2 Two-Tier Signature with Auxiliary Keys

Definition. Besides AKSs, we also give the definition of \((\gamma _p,\gamma _s)\)-TT-AKSs, which is the same as that of two-tier signatures [1, 12, 32] except that the key generation algorithms additionally generate primary/secondary auxiliary keys. The primary/secondary verification key space and the primary/secondary auxiliary key space have a special (but natural) structure related with \(\gamma _p\)/\(\gamma _s\). Combining SP-TT-AKSs with SKSP-TSs enables us to obtain more efficient instantiations of FSPS and FAS.

Definition 14

( \((\gamma _p,\gamma _s)\) -TT-AKS). A \((\gamma _p,\gamma _s)\)-TT-AKS scheme consists of five polynomial-time algorithms \(\mathsf {Setup}\), \(\mathsf {PGen}\), \(\mathsf {SGen}\), \(\mathsf {TTSign}\), and \(\mathsf {TTVerify}\). \(\mathsf {Setup}\) is a randomized algorithm that takes as input \(1^\lambda \), and outputs a public parameter par, which determines the message space \(\mathcal M\), the primary/secondary verification key spaces \(\mathcal{P}_\gamma \)/\(\mathcal{S}_\gamma \), the primary/secondary auxiliary key spaces \(\mathcal{P}\)/\(\mathcal{S}\), and the efficiently computable bijections \(\gamma _p:\mathcal{P}\mapsto \mathcal{P}_\gamma \) and \(\gamma _s:\mathcal{S}\mapsto \mathcal{S}_\gamma \). \(\mathsf {PGen}\) is a randomized algorithm that takes as input par, and outputs a primary verification/signing key pair (Ppk, Psk) where \(Ppk\in \mathcal{P}_\gamma \) and a primary auxiliary key \(Pak\in \mathcal{P}\). \(\mathsf {SGen}\) is a randomized algorithm that takes as input a primary verification/signing key pair (Ppk, Psk) and a primary auxiliary key Pak, and outputs a secondary verification/signing key pair (opk, osk) where \(opk\in \mathcal{S}_\gamma \) and a secondary auxiliary key \(oak\in \mathcal{S}\). \(\mathsf {TTSign}\) is a randomized algorithm that takes as input a primary signing key Psk, a secondary signing key osk, and a message m, and returns a signature \(\sigma \). \(\mathsf {TTVerify}\) is a deterministic algorithm that takes as input a primary verification key Ppk, a secondary verification key opk, a message m, and a signature \(\sigma \), and returns 1 (accept) or 0 (reject).

The correctness is satisfied if for all \(\lambda \in \mathbb {N}\), \(par\leftarrow \mathsf {Setup}(1^\lambda )\), \(((Ppk,Psk),Pak)\leftarrow \mathsf {PGen}(par)\), and \(((opk,osk), oak)\leftarrow \mathsf {SGen}(Ppk,Psk,Pak)\), we have (a) \(\mathsf {TTVerify}(Ppk,opk,m,\mathsf {TTSign}(Psk,osk,m))=1\) for all messages \(m\in \mathcal{M}\), and (b) \(\gamma _p(Pak)=Ppk\) and \(\gamma _s(oak)=opk\).

Unlike the definition of standard two-tier signatures, \(\mathsf {SGen}\) takes as input (Ppk, Psk, Pak) (instead of (Ppk, Psk)) in the above definition. However, the interface of \(\mathsf {SGen}\) is not essentially changed since Pak can be treated as part of Psk.

Security. Now we give the definition of unforgeability against two-tier chosen message attacks (UF-TT-CMA).

Definition 15 (UF-TT-CMA)

A TT-AKS scheme \((\mathsf {PGen},\mathsf {SGen},\mathsf {TTSign},\mathsf {TTVerify})\) is said to be unforgeable against two-tier chosen message attacks if for any PPT adversary \(\mathcal A\), we have

where \(\mathrm{TTSignO}(\cdot )\) is the signing oracle that takes a message \(m\in \mathcal{M}\) as input, runs \(i=i+1\) (initialized with 0), samples \((opk_i,osk_i)\leftarrow \mathsf {SGen}(Ppk,Psk,Pak)\), and computes \(\sigma \leftarrow \mathsf {TTSign}(Psk,osk_i,m)\). Then it adds (i, m) to \(\mathcal{TQ}_m\) (initialized with \(\emptyset \)) and returns \((opk_i,\sigma )\).

Next we define the SP property of TT-AKS as follows.

Definition 16 (Structure-preserving TT-AKS (SP-TT-AKS))

A TT-AKS scheme is said to be structure-preserving over a bilinear group generator \(\mathcal G\) if we have (a) a public parameter includes a group description gk generated by \(\mathcal G\), (b) primary and secondary verification keys consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), (c) messages consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and (d) the verification algorithm consists only of evaluating membership in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and relations described by PPEs.

Converting SP two-tier signatures into SP-TT-AKSs. Like SP-AKSs, an SP two-tier signature scheme, primary and secondary verification keys of which are supposed to be of the form \(([\vec {u}]_1,[\vec {v}]_2)\) and \(([\vec {u}']_1,[\vec {v}']_2)\) respectively, can be converted into a \((\gamma _p,\gamma _s)\)-SP-TT-AKS scheme, where \(\gamma _p\) and \(\gamma _s\) are defined as \(\gamma _p(\vec {u},\vec {v})=([\vec {u}]_1,[\vec {v}]_2)\) and \(\gamma _s(\vec {u}',\vec {v}')=([\vec {u}']_1,[\vec {v}']_2)\) respectively, as long as the key generation algorithms are algebraic and primary signing keys consist only of elements in \(\mathbb {Z}_p\).¹²

We define the random primary and secondary auxiliary key properties of TT-AKSs as follows.

Definition 17 (Random primary/secondary auxiliary key properties)

A \((\gamma _p,\gamma _s)\)-TT-AKS scheme \((\mathsf {Setup}, \mathsf {PGen}, \mathsf {SGen}, \mathsf {TTSign}, \mathsf {TTVerify})\) is said to satisfy the random primary auxiliary key property if there exists an additional polynomial-time algorithm \(\mathsf {AKPGen}\) that takes as input par and a primary auxiliary key Pak, and outputs a primary verification/signing key pair (Ppk, Psk) where \(\gamma _p(Pak)=Ppk\). Furthermore, for any PPT adversary \(\mathcal A\) and all \(\lambda \in \mathbb {N}\), we have

where \({\mathrm{PGenO}}\) runs \(((Ppk,Psk),Pak)\leftarrow \mathsf {PGen}(par)\) and returns \(((Ppk,Psk),Pak)\), and \(\mathrm{AKPGenO}\) uniformly chooses Pak from the primary auxiliary key space \(\mathcal{P}\), runs \((Ppk,Psk)\leftarrow \mathsf {AKPGen}(par,Pak)\), and returns ((Ppk, Psk), Pak).

Furthermore, it is said to satisfy the random secondary auxiliary key property if there exists another polynomial-time algorithm \(\mathsf {AKSGen}\) that takes as input a primary verification/signing key pair (Ppk, Psk), a primary auxiliary key Pak, and a secondary auxiliary key oak, and outputs a secondary verification/signing key pair (opk, osk) where \(\gamma _s(oak)=opk\). Furthermore, for any PPT adversary \(\mathcal A\) and all \(\lambda \in \mathbb {N}\), we have

Here, on input a polynomial \(n=n(\lambda )\), \({\mathrm{SGenO}}(\cdot )\) runs \(((Ppk,Psk),Pak)\leftarrow \mathsf {PGen}(par)\) and \(((opk_i,osk_i),oak_i)\leftarrow \mathsf {SGen}(Ppk,Psk,Pak)\) for \(i=1,\ldots ,n\), and returns \((Ppk,Psk,Pak,\{(opk_i,osk_i,oak_i)\}_{i=1}^n)\). On input a polynomial \(n=n(\lambda )\), \(\mathrm{AKSGenO}(\cdot )\) runs \(((Ppk,Psk),Pak)\leftarrow \mathsf {PGen}(par)\), uniformly chooses \(oak_i\) from the secondary auxiliary key space \(\mathcal S\), runs \((opk_i,osk_i)\leftarrow \mathsf {AKSGen}(Ppk,Psk,Pak,oak_i)\) for \(i=1,\ldots ,n\), and returns \((Ppk,Psk,Pak,\{(opk_i,osk_i,oak_i)\}_{i=1}^n)\).

Instantiation of \((\gamma _p,\gamma _s)\) -SP-TT-AKS. Now we give an instantiation of \((\gamma _p,\gamma _s)\)-SP-TT-AKS satisfying UF-TT-CMA security under the \(\mathcal{U}_k\)-MDDH assumptions. This signature scheme is the same as the SP two-tier signature scheme in [32] except that \(\mathsf {PGen}\) and \(\mathsf {SGen}\) additionally generate the auxiliary keys, and \(\mathsf {SGen}\) addtionally takes as input the primary auxiliary key. For this instantiation, the bijections \((\gamma _p,\gamma _s)\) are defined by \(\gamma _p(\mathbf{X})=[\mathbf{X}]_2\in \mathbb {G}_2^{n\times k}\times \mathbb {G}_2^{(k+1)\times k}\) and \(\gamma _s(\vec {x})=[\vec {x}]_2\in \mathbb {G}_2^{1\times k}\) respectively for some fixed integer n which denotes the length of a message.

Fig. 4.

A UF-TT-CMA secure \((\gamma _p,\gamma _s)\)-SP-TT-AKS scheme adapted from [32, Sect. 6.1].

Theorem 5

The instantiation described in Fig. 4 satisfies the random primary and secondary auxiliary key properties.

This proof follows from the fact that when the distributions of \(\mathbf C'\) and c are uniform, the distribution of \(\underline{\mathbf{K}'}=(\mathbf{C'}-\vec {k}\vec {a}^\top )\overline{\mathbf{A}}^{-1}\) and \(\vec {k}'=(\vec {c}-k\vec {a}^\top )\overline{\mathbf{A}}^{-1}\) are uniform as well. We give the proof of Theorem 5 in the full paper due to page limitation.

5 Generic Constructions of Fully Structure-Preserving Signatures (and Fully Automorphic Signatures)

In this section, we give generic constructions of FSPSs and FASs from SKSP-TSs and (TT-)AKSs. Such constructions can be derived from SPSs that are based on various assumptions and with different efficiency performance. In Sects. 5.1, 5.2, and 5.3, we give three generic constructions of UF-CMA secure FSPS schemes respectively. The first two constructions are based on SKSP-TSs and SP-AKSs, and the third one is based on SKSP-TSs and SP-TT-AKSs.

5.1 Generic Construction \(\mathsf {Sig}_1\): Trapdoor Signature + Signature with Auxiliary Key

We give a generic construction of FSPSs (and FASs) based on a \(\gamma \)-SKSP-TS scheme and a \(\gamma '\)-SP-AKS scheme, where \(\gamma \) and \(\gamma '\) satisfy a suitable compatibility that we explain shortly.

Let \(\varSigma _t=(\mathsf {Setup}, \mathsf {Gen}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {TDSign},\mathsf {VerifySK})\) be a \(\gamma \)-SKSP-TS scheme with message spaces \(\mathcal{M}\) and \(\mathcal{M}_\gamma \), and \(\varSigma _s=(\mathsf {Setup}, \mathsf {Gen}', \mathsf {Sign}', \mathsf {Verify}')\) ¹³ a \(\gamma '\)-SP-AKS scheme with verification key space \(\mathcal{M}_\gamma \), auxiliary key space \(\mathcal{M}\), and message space \(\mathcal{M}'\), and we have \(\gamma '(x)=\gamma (x)\). Then the generic construction of FSPS denoted by \(\mathsf {Sig}_1=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) with message space \(\mathcal{M}'\) is described as in Fig. 5.

Fig. 5.

Generic construction \(\mathsf {Sig}_1\): TS + AKS (UF-otCMA).

Next we give a theorem for this generic construction.

Theorem 6

If \(\varSigma _t\) is a UF-CMA secure SKSP-TS scheme, and \(\varSigma _s\) a UF-otCMA secure SP-AKS scheme, then \(\mathsf {Sig}_1=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) is a UF-CMA secure FSPS scheme.

Proof sketch. The proof of Theorem 6 follows from the fact that if there exists a PPT adversary \(\mathcal {A}\) that outputs a successful forgery \((\sigma _1^*,\sigma _2^*,\sigma _3^*)\), where \(\sigma _2^*\) was not queried before (respectively, was queried before), with non-negligible probability, then we can construct a PPT adversary \(\mathcal {B}_1\) (respectively, \(\mathcal {B}_2\)) that breaks the UF-CMA security of \(\varSigma _t\) (respectively, the UF-otCMA security of \(\varSigma _s\)). Note that to answer a query from \(\mathcal {A}\), \(\mathcal {B}_2\) may have to use the signing key of \(\varSigma _t\) to sign an auxiliary key \(ak'\) of \(\varSigma _s\), while it only learns the corresponding verification key \(pk'\) from the challenger. In this case, it signs \(pk'\) by using the trapdoor key of \(\varSigma _t\) instead. According to the correctness of a TS scheme, \(\mathcal {A}\) cannot distinguish such a signature with an honestly generated one, which means that \(\mathcal {B}_2\) can perfectly simulate the signing oracle of \(\mathcal {A}\). We refer the reader to the full paper for the proof.

UF-RMA secure TSs + UF-otCMA secure AKSs. Now we give another theorem showing that for the generic construction in Fig. 5, the security of the TS scheme can be weakened to the UF-RMA security if the AKS scheme satisfies the random auxiliary key property.

Theorem 7

If \(\varSigma _t\) is a UF-RMA secure SKSP-TS scheme, and \(\varSigma _s\) a UF-otCMA secure SP-AKS scheme satisfying the random auxiliary key property, then \(\mathsf {Sig}_1=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) is a UF-CMA secure FSPS scheme.

Proof sketch. The proof sketch of Theorem 7 is the same as that of Theorem 6 except that \(\mathcal {B}_1\) is against the UF-RMA security of \(\varSigma _t\) instead of the UF-CMA security. To answer a query from \(\mathcal {A}\), \(\mathcal {B}_1\) makes a query to the signing oracle of \(\varSigma _t\) to obtain a randomly chosen auxiliary key \(ak'\) and the corresponding signature \(\sigma _1\). Then \(\mathcal {B}_1\) runs the additional algorithm \(\mathsf {AKGen}\) (defined in Definition 13) on input \((par,ak')\) to generate a verification/signing key pair \((pk',sk')\), which is indistinguishable from an honestly generated one according to the random auxiliary key property. Then it lets \(pk'\) be \(\sigma _2\) and use \(sk'\) to sign the message. We refer the reader to the full paper for the proof of Theorem 7.

Instantiations of \(\mathsf {Sig}_1.\) By combining the UF-CMA (respectively, UF-otRMA) secure TS scheme in Fig. 1 (respectively, Fig. 2) with the UF-otCMA secure AKS scheme in Fig. 3 (where \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are swapped), we obtain an FSPS scheme satisfying UF-CMA (respectively, UF-otCMA) security. We refer the reader to the full paper for the resulting signature schemes.

Furthermore, by converting other previously proposed SPSs into SKSP-TSs and SP-AKSs, we obtain various FSPSs. We list some of them in Table 3 in Sect. 6.

5.2 Variation of \(\mathsf {Sig}_1\): Trapdoor Signature + Signature with Auxiliary Key (UF-CMA)

Now we give a variation of the generic construction in Fig. 6 by letting \(\varSigma _s\) be a UF-CMA secure SP-AKS scheme and sign n message blocks with one signing key. Each block is signed with an element indicating its number. This change reduces the signature and verification key sizes from \(\varOmega (n^2)\) to \(\varOmega (n)\) when signing \(n^2\) group elements.

Let \(\varSigma _t=(\mathsf {Setup}, \mathsf {Gen}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {TDSign},\mathsf {VerifySK})\) be a \(\gamma \)-SKSP-TS scheme with message spaces \(\mathcal{M}\) and \(\mathcal{M}_\gamma \), and \(\varSigma _s=(\mathsf {Setup}, \mathsf {Gen}', \mathsf {Sign}', \mathsf {Verify}')\) ¹⁴ a \(\gamma \)-SP-AKS scheme with verification key space \(\mathcal{M}_\gamma \), auxiliary key space \(\mathcal{M}\), and message space \(\mathcal{M}'\times \mathcal{M}_I\), where \(\mathcal{M}_I\) is the space for elements indicating numbers of blocks. Then a generic construction of FSPS denoted by \(\mathsf {Sig}_1^*=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) with message space \(\mathcal{M}'^n\), where n is some fixed integer, is described as in Fig. 6.

Fig. 6.

Generic construction \(\mathsf {Sig}_1^*\): TS + AKS (UF-CMA).

For this generic construction, the following two theorems hold.

Theorem 8

If \(\varSigma _t\) is a UF-CMA secure SKSP-TS scheme, and \(\varSigma _s\) a UF-CMA secure SP-AKS scheme, then \(\mathsf {Sig}_1^*=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) is a UF-CMA secure FSPS scheme.

Theorem 9

If \(\varSigma _t\) is a UF-RMA secure SKSP-TS scheme, and \(\varSigma _s\) a UF-CMA secure SP-AKS scheme satisfying the random auxiliary key property, then \(\mathsf {Sig}_1^*=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) is a UF-CMA secure FSPS scheme.

We omit the proofs of Theorems 8 and 9 since they are similar to the proofs of Theorems 6 and 7, respectively. We list several instantiations of \(\mathsf {Sig}^*\) in Table 3 in Sect. 6. Most of them achieve better efficiency than instantiations obtained from \(\mathsf {Sig}_1\), and are automorphic.

5.3 Generic Construction \(\mathsf {Sig}_2\): Trapdoor Signature + Two-Tier Signature with Auxiliary Keys

In this section, we give another generic construction of FSPS which provides us with FSPSs and FASs based on standard assumptions that have shorter verification keys and signatures.

Let \(\varSigma _t=(\mathsf {Setup}, \mathsf {Gen}, \mathsf {Sign}, \mathsf {Verify}, \mathsf {TDSign},\mathsf {VerifySK})\) be a \(\gamma \)-TS scheme with message spaces \(\mathcal{M}_p\times \mathcal{M}^n_s\) and \(\mathcal{M}_{\gamma p}\times \mathcal{M}^n_{\gamma s}\), \(\varSigma _s=(\mathsf {Setup},\mathsf {PGen},\mathsf {SGen},\mathsf {TTSign},\mathsf {TTVerify})\) ¹⁵ a \((\gamma _p,\gamma _s)\)-TT-AKS with primary/secondary verification key spaces \(\mathcal{M}_{\gamma p}\)/\(\mathcal{M}_{\gamma s}\), auxiliary key spaces \(\mathcal{M}_p\)/\(\mathcal{M}_s\), and message space \(\mathcal{M}'\), where n is some fixed integer and \((\gamma _p(x_1),\gamma _s(x_2), \ldots ,\gamma _s(x_{n+1}))=\gamma (x_1,x_2\ldots ,x_{n+1})\). A generic construction of FSPS denoted by \(\mathsf {Sig}_2=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) with message space \(\mathcal{M}'^n\) is as described as in Fig. 7.

Fig. 7.

Generic construction \(\mathsf {Sig}_2\): TS + TT-AKS.

For this generic construction, the following two theorems hold.

Theorem 10

If \(\varSigma _t\) is a UF-CMA secure SKSP-TS scheme, and \(\varSigma _s\) a UF-TT-CMA secure SP-TT-AKS scheme, then \(\mathsf {Sig}_2=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) is a UF-CMA secure FSPS scheme.

Theorem 11

If \(\varSigma _t\) is a UF-RMA secure SKSP-TS scheme, and \(\varSigma _s\) a UF-TT-CMA secure SP-TT-AKS scheme satisfying the random primary and secondary auxiliary key properties, then \(\mathsf {Sig}_2=(\widehat{\mathsf {Setup}},\widehat{\mathsf {Gen}},\widehat{\mathsf {Sign}},\widehat{\mathsf {Verify}},\widehat{\mathsf {VerifySK}})\) is a UF-CMA secure FSPS scheme.

The proofs of Theorems 10 and 11 are similar to the proofs of Theorems 6 and 7, respectively. We give them in the full paper.

Instantiations of \(\mathsf {Sig}_2.\) By combining the UF-CMA (respectively, UF-otRMA) secure TS scheme in Fig. 1 (respectively, Fig. 2) with the UF-TT-CMA secure AKS scheme in Fig. 4 (where \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are swapped), we obtain an FSPS scheme satisfying UF-CMA (respectively, UF-otCMA) security. We refer the reader to the full paper for the resulting signature schemes. Furthermore, we list several instantiations of \(\mathsf {Sig}_2\) in Table 3, Sect. 6.

6 Instantiations

In this section, we give several instantiations derived from our generic constructions, which are summarized in Table 3. For notational convenience, we denote these schemes as (A), (B), (C), (D), (E), (F), (G), (H), (I) (see the first column of Table 3) respectively. Many of these instantiations are FAS schemes.¹⁶ It is not hard to see that typically, when signing \(n^2\) group elements, \(\mathsf {Sig}_1\) needs \(O(n^2)\) verification/signature key elements and O(1) PPEs,¹⁷ while \(\mathsf {Sig}_1^*\) and \(\mathsf {Sig}_2\) need O(n) verification/signature key elements and PPEs.

Besides the UF-CMA secure FSPS schemes in Table 3, we give several UF-otCMA instantiations derived from our generic constructions, which have relatively better efficiency. We refer the reader to the full paper for details.

In Sects. 6.1, 6.2, and 6.3, we give remarks on the instantiations of \(\mathsf {Sig}_1\), \(\mathsf {Sig}_1^*\), and \(\mathsf {Sig}_2\), respectively. Due to page limitation, we refer the reader to the full paper for signing key sizes and numbers of pairings required in verification.

Table 3. Previously proposed FSPSs and FSPSs derived from our work. “Const.” is short for “Construction” and “Auto.” is short for “Automorphic”. We use “(A): KPW15 [31] (CMA) + KPW15 [31] (otCMA)” to denote that the underlying TS (respectively, AKS) scheme of (A) is adapted from the UF-CMA secure (respectively, UF-otCMA secure) SPS scheme in [31]. We use the same argument for others except that the three FSPSs in the top denote the ones proposed in [5, 28]. Especially, “ADK+13 [2] (TT(TOS))” denotes the tagged one-time signature scheme in [2]. Notation (x, y) denotes x elements in \(\mathbb {G}_1\) and y elements in \(\mathbb {G}_2\). As noted in Introduction, we do not count the two generators in the bilinear groups in the parameters.

6.1 \(\mathsf {Sig}_1\): SKSP-TS + SP-AKS

We give parameters of three instantiations for \(\mathsf {Sig}_1\), which are (A), (B), and (C). Especially, (B) is an FSPS scheme in the type I bilinear map and (C) is an FSPS scheme in the generic group model.

The verification key size |pk| of (C) is \((n_1,0)\le (n_1^2,0)\), which makes it automorphic, while its efficiency (considering public parameter size, signature size, and verification cost) is very close to (G) (i.e., the FSPS scheme in [28]). As far as we know, (C) is the most efficient FAS scheme by now. Note that if we follow the definition of basic signatures in [3], which allows no trusted setup except for bilinear group generation, then (C) is not automorphic, and the most efficient FAS scheme becomes (F), in Table 3.

6.2 \(\mathsf {Sig}_1^*\): SKSP-TS + SP-AKS (UF-CMA)

We give parameters of two instantiations for \(\mathsf {Sig}_1^*\), which are (D) and (E), while (E) is in the type I bilinear map. Both of them are automorphic.

It is obvious that most instantiations derived from \(\mathsf {Sig}_1\) have verification key and signature sizes linear in the message size, which makes them less efficient and not automorphic (since verification keys have larger size than messages). However, as shown in Table 3, as a variation of \(\mathsf {Sig}_1\), \(\mathsf {Sig}_1^*\) allows us to obtain FSPSs with shorter signatures and verification keys if the underlying SP-AKS scheme is UF-CMA secure. This fact shows that many existing SPSs imply the existence of a corresponding efficient FSPS scheme since any well-formed SPS scheme (respectively, SPS scheme with an algebraic key generation algorithm) can be converted into an SKSP-TS (respectively, SP-AKS) scheme.

6.3 \(\mathsf {Sig}_2\): SKSP-TS + SP-TT-AKS

We give parameters of four instantiations for \(\mathsf {Sig}_2\), which are (F), (G), (H), and (I), while (H) is in the type I bilinear map. The only one that is not automorphic among them is (I). Here, (G) is achieved by using a UF-CMA secure SKSP-TS scheme to sign auxiliary keys of two SP-TT-AKS schemes with verification keys consisting of elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) respectively, and (H) is achieved by using a SKSP-TS scheme to sign auxiliary keys of the tag-based one-time signature scheme in [2]. Tag based one-time signatures can be treated as a special case of two-tier signatures where secondary signing keys are the same as secondary verification keys.

For \(k=1\) (SXDH), we have \((|m|,|pk+par|, |\sigma |,\sharp \mathrm{PPEs})=(n_1^2,2n_1+7,4n_1+8,n_1+3)\) in (F), while the most efficient instantiation given in [5] achieves \((|m|,|pk|+|par|, |\sigma |, \sharp \mathrm{PPEs})=(n_1^2,6n_1+17,4n_1+11,n_1+5)\) and is not automorphic. Furthermore, by sacrificing efficiency, (F) can be based on weaker assumptions.

\(\texttt {(G)}\) achieves \((|m|,|pk|+|par|, |\sigma |, \sharp \mathrm{PPEs})=(n_1^2,2n_1+2n_2+10,4n_1+4n_2+12,n_1+n_2+4)\) for \(k=1\) (SDXH), which has the shortest verification key size, signature size, and lowest cost in verification among all FSPS and FAS schemes with a bilateral message space based on standard assumptions by now, as far as we know.

\(\texttt {(H)}\) is the most efficient FSPS and FAS scheme in the type I bilinear map, as far as we know.