Compact Structure-Preserving Signatures with Almost Tight Security

In structure-preserving cryptography, every building block shares the same bilinear groups. These groups must be generated for a specific, a priori fixed security level, and thus, it is vital that the security reduction in all involved building blocks is as tight as possible. In this work, we present the first generic construction of structure-preserving signature schemes whose reduction cost is independent of the number of signing queries. Its chosen-message security is almost tightly reduced to the chosen-plaintext security of a structure-preserving public-key encryption scheme and the security of Groth–Sahai proof system. Technically, we adapt the adaptive partitioning technique by Hofheinz (Eurocrypt 2017) to the setting of structure-preserving signature schemes. To achieve a structure-preserving scheme, our new variant of the adaptive partitioning technique relies only on generic group operations in the scheme itself. Interestingly, however, we will use non-generic operations during our security analysis. Instantiated over asymmetric bilinear groups, the security of our concrete scheme is reduced to the external Diffie–Hellman assumption with linear reduction cost in the security parameter, independently of the number of signing queries. The signatures in our schemes consist of a larger number of group elements than those in other non-tight schemes, but can be verified faster, assuming their security reduction loss is compensated by increasing the security parameter to the next standard level.


Background
A structure-preserving signature (SPS) scheme [4] is designed over bilinear groups, and features public keys, messages, and signatures that only consist of source group elements. Furthermore, signature verification only uses group membership testing and relations that can be expressed as pairing product equations. Coupled with the Groth-Sahai noninteractive proof system [40] (GS proofs for short), SPS schemes are a powerful tool in constructing a wide range of cryptographic applications. Various SPS schemes based on compact standard assumptions exist in the literature [3][4][5]22,24,25,39,46,49,53]. When looking at schemes from standard assumptions, the state-of-the-art scheme in [47] yields signatures as compact as consisting of six source group elements.
In this paper, we address the tightness of security proofs for SPS schemes with compact parameters, i.e., constant-size signatures and standard (non-q-type) assumptions. Formally, a security reduction constructs an adversary A on a computational assumption out of an adversary A on the security of a cryptographic scheme. If we let and t denote the success probability and runtime of A, and and t the success probability and runtime of A , then we define the security loss of the reduction, or simply the reduction cost, as ( t)/( t ) [26]. The reduction is tight if the security loss is a small constant or almost tight if it grows only (as a preferably small function) in the security parameter λ. In particular, we are concerned about security loss with less dependence to the number q s of A 's signing queries in a chosen-message attack that can be as large as 2 30 .

.3)
(n 1 , n 2 ) (14,14) (n 2 + 19, n 1 + 12) O(log q s ) SXDH JOR [45] (n 1 , 0) (11, 6) (7, n 1 + 16) O(λ) SXDH GHKP [35] (n 1 , 0) (8, 6) ( 2, n 1 + 9) O(log q s ) SXDH AJOR [8] (n 1 , 0) (6, 6) ( n 1 + 11, 2n 1 + 12) O(log q s ) SXDH AJOPRW [7] (n 1 , 0) (7, 4) ( 2, n 1 + 11) O(log q s ) SXDH CH [29] (n 1 , 0) (7, 2) ( 7, n 1 + 8) O(log q s ) SXDH, extKerMDH Smallest possible parameters are set to parameterized assumptions. Notation (x, y) means x and y elements in G 1 and G 2 , respectively. The |M|, |σ |, |pk| columns mean the number of group elements in a message vector, the number of group elements in a signature, and the number of group elements in a public key, respectively. The "Sec. Loss" column means reduction costs. The "Assumptions" column means the underlying assumptions for proving security. For HJ, parameter d limits number of signing to 2 d . Parameters q s and λ represent number of signing queries and security parameter, respectively. Schemes in boldface were proposed after our work had been published at CRYPTO 2017. More discussions about these schemes are given in "Follow-up Works and Open Problems" Third column indicates number of scalar multiplications in G 1 and G 2 for signing. Multi-scalar multiplication is counted as 1.5. For JR, a constant pairing is included. Column "Batched" shows the number of pairings in a verification when pairing product equations are merged into one by using a batch verification technique [18] the security loss in reality. Besides, we stress that increasing the security parameter for a building block in structure-preserving cryptography is more costly than usual as it results in losing efficiency in all other building blocks using the same bilinear groups. Thus, the demand for tight security is stronger in structure-preserving cryptography. Even in ordinary (i.e., non-structure-preserving) signature schemes, most of the constructions satisfying tight security are either in the random oracle model, e.g., [1,16,28,48], rely on q-type or strong RSA assumptions, e.g., [20,54], or lead to large signatures and/or keys, e.g., [27,51]. Hofheinz presented the first tightly secure construction with compact signatures and keys under a standard compact assumption over bilinear groups [41]. However, his construction can only be used to sign integer messages (and not group elements or, e.g., its own public key), so it is not structure-preserving.

Our Contributions
We propose the first (almost) tightly secure SPS schemes with constant number of group elements in signatures. Our schemes are proven secure based on standard assumptions (e.g., the symmetric external Diffie-Hellman (SXDH) assumption). Concretely, we first present a generic construction of an almost tightly secure SPS scheme from a structurepreserving public-key encryption secure against chosen-plaintext attacks and the GS proof system. With ElGamal encryption and the GS proofs over asymmetric pairing groups, we obtain concrete SPS schemes with compact signature size whose unforgeability against adaptive chosen-message attacks (UF-CMA) is reduced from the SXDH assumption with security loss at most O(λ), which is independent of q s . 1 The primary benefit of our tightly secure SPS schemes is their availability in structurepreserving cryptography under the current standard security level. For a system modularly built with structure-preserving building blocks, a compact and tightly secure SPS scheme has been a missing piece, since other useful building blocks, such as one-time signatures and commitments, are known to be tightly secure. Plugging in our scheme, one can increase the proven security in applications of structure-preserving cryptography such as blind signatures [4], group signatures [53], and unlinkable redactable signatures [23] used in anonymous credential systems.
The second benefit of our result is the removal of q s from the security bound, which aims to simplify the systems design. With previous schemes, there are trade-offs among security, efficiency, and usability; if one desires stronger security guarantees without sacrificing efficiency, a rigid limitation has to be put on the number of signatures per public key, or, if more flexibility on the number of possible signatures is important in considered applications, one has to take the risk with weaker security guarantees or less efficiency. With our schemes, one no longer needs to fix q s in advance and can focus on desirable security and permissible efficiency for the targeted system. Nevertheless, the performance as a stand-alone signature scheme is of a concern. We summarise several parameters that dominate the space and computation costs in Table 1 and 2. The bare numbers in the tables imply that our schemes are outperformed by those in the literature if they are used at the same security level. Taking the security loss into consideration, however, the tightness of our schemes offsets the difference in terms of computational complexity. We elaborate this point in the following. Though concrete complexity varies widely depending on platforms and implementations, it is safe to say that computing a pairing in the 192-bit security level is slowed by a factor of δ := 6 to 7 on ordinary personal computers [13,31] and δ := 9 to 12 on processors for embedded systems [9,38,56] compared to those in the 128-bit security level. (This slowdown factor should increase if we take recent update of key sizes as suggested in [12].) According to the number of pairings in Table 2, our scheme for bilateral messages at the 128-bit security level verifies a signature with batch verification 4.6 < δ(n 1 +n 2 +14)/(n 1 +n 2 + 18) < 9.3 times faster than the KPW scheme at the 192-bit security setting for offsetting its security loss of 60 bits. Applying the same argument to the case of unilateral messages, ours in the 128-bit security level will be 2.2 < δ(n 1 + 6)/(n 1 + 16) < 4.5 times faster compared to the JR scheme in the 192-bit security level. Even with plain verification, i.e., without batch technique, the advantage remains depending on the platform and the size of messages.
We note that the above simple argument ignores dedicated techniques for computing pairing products, e.g., [55], and costs for subtle computations. It may not be fair to ignore the concrete security loss in our schemes, which can be as large as 11 bits for at most 2 40 signing queries, as mentioned in Sect. 4. Nevertheless, taking into account the fact that the performance gap between different security levels will be larger than those shown in the above benchmarks published previously [50] (i.e., slowdown factor δ in the above argument will be much larger), even the simple estimation is aimed to show the practical significance of tightly secure schemes.

Technical Overview
Eliminating any representation-dependent computation in the construction is a crucial technical challenge. Towards this goal, we adapt the "adaptive partitioning" technique of Hofheinz [42] (which in turn builds upon [27]) to the setting of structure-preserving signatures. Thus, in our security proof, we gradually transform the conditions necessary for a successful forgery until a valid forgery is impossible. This will require O(log q s ) game hops.
Concretely, in the scheme itself, we require that every valid signature must carry an (encrypted) "authentication tag" Z = X , where X ∈ G is a fixed group element. We will gradually transform this requirement Z = X into the following combination of requirements on the authentication tag Z * from a valid forgery: (a) We must have Z * = X · M * , where X ∈ G is a fixed random group element, and M * ∈ G is the signed message in the forgery. (b) Also, we must have Z * = X · M i for some previously signed message M i .
Since we may assume M * / ∈ {M i } in the (non-strong) existential unforgeability experiment, any attempted forgery will thus be invalid.
The key technique to establishing these modified requirements is a "partitioning argument" similar to the one from [42]. That is, in the proof, we will enforce more and more dependencies of the authentication tag Z on the bit representation of M. Note that this bit representation is not used in the real scheme; this would in fact be problematic in the context of structure-preserving constructions. For instance, to establish a dependence of Z on the k-th bit b M of the bit representation of M, we proceed as follows: 1. First, we "partition" the set of all messages into two subsets, depending on b M . This means that signatures issued by the experiment now carry (an encryption of) b M in a special component. The reason for this partitioning is that we can now, depending on the encrypted b M , use different verification rules. However, the encrypted bit b * from the forgery is not necessarily identical to b M * (since this property cannot be easily enforced in a structure-preserving way). As a consequence, we cannot force the adversary to respect the additional dependencies in his forgery. Yet, we will show that we can force the adversary to reuse one Z = X · M i from a signing query. This leads to requirement (b) in verification forgeries, and requirement (a) will finally be enforced by a regular GS proof in signatures (that GS proof is simulated in all intermediate steps). This line of reasoning borrows from Chen and Wee's [27] general idea of establishing tight security through a repeated partitioning of the message space (resp. identity space in an identity-based encryption scheme) into two sets, each time adjusting signatures for messages from one of the two sets in the process. However, their approach, as well as other follow-up approaches (e.g., [11,19,34,41,52]), embeds the partitioning already in the scheme (in the sense that the scheme must already contain all potentially possible "partitioning rules," for instance according to each message bit). Since these rules in the mentioned schemes are based on the message bits (or an algebraic predicate on the discrete logarithm of the message [41]), this would not lead to a structure-preserving scheme.
Instead, we adapt the "adaptive partitioning" (AP) technique of Hofheinz [42], in which the partitioning is performed dynamically, through an encrypted partitioning bit embedded in signatures. This allows us to separate partitioning from the way messages are bound to signatures in the scheme. We thus bind a message through an authentication tag, as mentioned above, that is more algebraic and admits structure-preserving GS proofs. The encrypted partitioning bit is fixed to a constant in the real scheme and turned into a variable only in the security proof where non-generic computations are allowed.
In adapting AP to our setting, we face two difficulties, however: the partitioning used in AP is bit-based (which is incompatible with our requirement of a structurepreserving scheme), and its complexity leads to comparatively complex schemes. More specifically, AP leads to several expensive "OR"-proofs in ciphertexts, resp. signatures. As a consequence, the (encryption) schemes in [42] are not competitive in complexity to non-tightly secure schemes, even when taking into account a potentially larger security level for non-tightly secure schemes. On the other hand, our signature schemes are carefully designed so that GS proofs in signatures are done only for less costly linear relations (except for one crucial "OR"-proof). We further use optimization techniques of Escala and Groth [32] to reduce the size of GS proofs in our instantiation.
Moreover, AP crucially relies on the bit representation of messages (resp. encryption tags that are hash values in [42]). In particular, the encryption scheme from [42] is not structure-preserving. For our purposes, we thus have to modify this technique to work with group elements instead of hash values. This leads to a very simple and clean structure-preserving signature scheme whose security proof still crucially uses the bit representation of group elements. We find this property surprising and conceptually interesting.

Difference to the Previous Version
The constructions in both the previous and current versions are the same, but here we apply a (slightly) different proof technique to improve the security loss of the scheme, namely, from O(λ) to O(log q s ). Typically, we will have q s 2 λ (e.g., λ = 128 and q s ≈ 2 40 ), so this improvement might be significant. This proof technique is motivated by [35].

Follow-up Works and Open Problems
Our work is the first tightly secure SPS with compact public keys, and it laid the foundation for many follow-up schemes, such as [7,8,29,35,45]. Among them, [8,45] use more efficient NIZK proof systems to implement our framework, while [7,29,35] construct tightly secure SPS schemes from compact and tightly secure message authentication code schemes.
While being compact and tightly secure, our concrete SPS schemes and the follow-up works contain a moderate number of group elements in a signature. We note that our scheme still has larger public key and signature sizes than the non-tight schemes, but it paved a way to the aforementioned, more efficient follow-up works. We suppose that eventually we will have a truly practical tightly secure scheme, and we leave this as an open problem. Another interesting open problem is to decrease the security loss from O(log q s ) to O(1).

Organization
The rest of the paper is organized as follows. After introducing notations, security definitions, and building blocks in Sect. 2, we present our generic construction and its security proof in Sect. 3. We discuss an instantiation over asymmetric bilinear groups in Sect. 4.

Notations
For an integer p, define Z p as the residual ring Z/ pZ. If B is a set, then x $ ← − B denotes the process of sampling an element x from set B uniformly at random. All our algorithms are probabilistic polynomial time (p.p.t. for short) unless stated otherwise. If A is an algorithm, then a $ ← − A(b) denotes the random variable, which is defined as the output of A on input b. To make the randomness explicit, we use the notation a ← A(b; r ), meaning that the algorithm is executed on input b and randomness r . Note that A's execution is now deterministic. For an element μ ∈ Z p , we denote by μ| k ∈ {0, 1} k the first k bits of μ's binary representation and by μ[k] ∈ {0, 1} the k-th bit of μ's binary representation. An empty string is denoted by .
We say that a function is negligible in security parameter λ if, for all constant c > 0 and all sufficiently large λ, ν(λ) < λ −c holds.

Pairing Groups and Diffie-Hellman Assumptions
Let PGGen be an algorithm that on input security parameter λ returns a description par = ( p, G 1 , G 2 , G T , e, G 1 , G 2 ) of pairing groups, where p is a poly(λ)-bit prime, G 1 , G 2 , G T are cyclic groups of order p, G 1 and G 2 are generators of G 1 and G 2 , respectively, and e : G 1 × G 2 → G T is an efficiently computable non-degenerate bilinear map. Pairing group par is said to be a Type-III asymmetric pairing group if G 1 = G 2 , and there does not exist an efficiently computable isomorphism between G 1 and G 2 . When distinction between source groups is not important, we use G and G to represent G 1 and/or G 2 , and their default generator, respectively. When a group element is given to an algorithm as an input, its membership to the intended group must be tested, but we make it implicit throughout the paper for conciseness of the description.
Our instantiation in Sect. 4 is based on the following standard assumption over asymmetric pairing groups.

Definition 2.1. (Decisional Diffie-Hellman assumption) The decisional Diffie-Hellman assumption (DDH s ) holds relative to PGGen in group
is negligible in security parameter λ, where the probability is taken over • The key generation algorithm Gen(par) takes par $ ← − PGGen(1 λ ) as input and returns a public/secret key pair, (pk, sk), where pk ∈ G n pk for some n pk ∈ poly(λ). Message space M := G n for some constant n ∈ poly(λ) is implicitly determined by pk. • The signing algorithm Sign(sk, M) returns a signature σ ∈ G n σ for some n σ ∈ poly(λ). • The deterministic verification algorithm Ver(pk, M, σ ) solely evaluates pairing product equations and returns 1 (accept) or 0 (reject). Though our final goal is to achieve security against adaptive chosen-message attacks, we use the following slightly relaxed notion in the generic construction.
As we are concerned with structure-preserving schemes, we fix R(M, m) to a relation that returns 1 iff M = G m where G is a generator in a group. This relation is sufficient for our purpose, that is, combining with a partial one-time signature scheme described below. By letting R be a constant function R = 1, we obtain a standard notion of unforgeability against chosen-message attacks (UF-CMA-secure) and denote its advantage function by Adv uf-cma SPS (A). UF-XCMA is slightly stronger than unforgeability against extended random message attacks (UF-XRMA) introduced by Abe et al. [3]. While UF-XRMA is relative to a preliminary fixed algorithm that chooses messages to sign, it is the adversary that selects messages in UF-XCMA. Thus, UF-XCMA implies UF-XRMA.
From UF-XCMA to UF-CMA: In this paper, we focus on constructing UF-XCMA secure structure-preserving signature and then, transform it to a UF-CMA secure SPS by using a partial one-time signature (POS) scheme [3,17] in the standard way [3,49]. POS is also known as two-tier signature schemes and is a variation of one-time signatures where parts of keys are updated after every signing. Here, we recall useful definitions of POS and the transform. • G(par) generates a long-term public key pk and secret key sk, and implicitly defines the associated message space M o and the one-time public key space K opk . • Update(par) takes par as input, and outputs a one-time key pair (opk, osk). • S(sk, osk, M) outputs a signature σ on message M based on sk and osk.
• V(pk, opk, M, σ ) outputs 1 for acceptance or 0 for rejection. We require POS to be unforgeable against one-time non-adaptive chosen-message attacks (OT-nCMA), which is defined as follows. Here "one-time" means an adversary cannot forge a second signature with respect to an opk.

Definition 2.5. (OT-nCMA Security)
A POS scheme is unforgeable against one-time non-adaptive chosen-message attacks (OT-nCMA) if for any algorithm A, the following advantage function Adv ncma Let POS := (G, Update, S, V) be a structure-preserving partially one-time signature scheme with message space M and one-time public key space K opk , and xSPS := (Gen , Sign , Ver ) be a structure-preserving signature scheme with message space K opk . The transformed UF-CMA secure SPS scheme, SPS := (Gen, Sign, Ver), is defined as follows.

Gen(par):
Sign(sk, M): Ver(pk, M, σ ): Return (opk, σ 1 , σ 2 ) then return 1 Return (pk, sk) Else return 0 The correctness and structure-preserving property of SPS are implied by those of POS and xSPS in a straightforward way. The following theorem ([3, Theorem 3]) states UF-CMA security of SPS. • The key generation algorithm Gen PKE (par) takes par $ ← − PGGen(1 λ ) as input and generates a pair of public and secret keys (pk, sk). Message space M is implicitly defined by pk. • The encryption algorithm Enc(pk, M) returns a ciphertext ct.
• The deterministic decryption algorithm Dec(sk, ct) returns a message M.

The Groth-Sahai Proof System
We recall the Groth-Sahai proof system and its properties as a commit-and-prove scheme. We follow definitions by Escala and Groth in [32] in a simplified form that is sufficient for our purpose. For a given pairing group par $ ← − PGGen(1 λ ), the GSproof system is a non-interactive zero-knowledge proof (NIZK) system for satisfiability of a set of equations over par. Let L par be a family of NP languages defined over par. For a language L ∈ L par , let R L := {(x, ω) : x ∈ L and ω ∈ W (x)} be a witness relation, where W (x) is the set of witnesses for x ∈ L. As our construction fixes the language in advance, it is sufficient for our purpose to define the proof system to be specific to L as follows. • BG(par) is a binding common reference string generation algorithm that outputs crs. • Com(crs, ω; r ) is a commitment algorithm that outputs a commitment c for given witness ω with randomness r ← R c and crs.
is a deterministic verification algorithm that returns 0 (reject) or 1 (accept).
(Perfect correctness.) For all par When witness ω consists of several objects and only part of them are committed to c, commitments for the remaining part of the witness is prepared by P and included in the proof.
The following properties of the GS-proof system are used in this paper. For a fully formal treatment, we refer to [32].
• Dual-mode Commitment: For all crs ∈ BG(par), Com is perfectly binding. Namely, for all For all (crs, trap) ∈ HG(par), Com is perfectly hiding. Namely, for all ω 0 = ω 1 , the following two distributions are identical: such that, for all (crs, trap) ∈ HG(par), and (x, ω) ∈ R L , the following two distributions are identical: Since the above distributions are identical, it also holds for reused commitments and multiple adaptively chosen statements x that involve the same witness and commitment.
The GS-proof system is structure-preserving for proving satisfiability of linear multiscalar multiplication equations (MSEs) and a nonlinear quadratic equation (QE). Regarding security, it is known that its CRS indistinguishability is tightly reduced to the SXDH assumption (cf. Theorem 4.3).

Generic Construction
In this section, we focus on a generic construction of a UF-XCMA-secure SPS scheme, xSPS. By coupling it with an off-the-shelf structure-preserving POS scheme, we obtain a UF-CMA-secure SPS scheme via Theorem 2.6.

Scheme Description
Let par $ ← − PGGen(1 λ ) be a set of system parameters. We represent a source group and its generator by G and G, respectively. Let PKE := (Gen PKE , Enc, Dec) be a PKE scheme, and GS := (BG, Com, P, V) be the Groth-Sahai proof system for languages L 0 and L 1 defined below. Our SPS scheme xSPS := (Gen, Sign, Ver) is defined in Fig. 1.
The correctness of xSPS is implied by that of the Groth-Sahai proof system, and the structure-preserving property is implied by that of the PKE scheme and the Groth-Sahai proof system. Remark 3.1. (Role of proof ρ 0 ) The main role is to bind a message into a signature. In the real scheme, it is just a proof of the signing key x 0 in ct 0 (and c 0 ) since x 1 is fixed to 0. Yet the proof is bound to message M through randomness r 1 used for committing to x 1 . In the security proof, it can be seen as an encrypted one-time message authentication code (MAC) of M and forces the adversary to reuse given signatures since, intuitively, the adversary cannot generate a new MAC for hidden keys x 0 and x 1 .
Remark 3.2. (Role of proof ρ 1 ) ρ 1 is used for partitioning. It proves that two ciphertexts ct 0 and ct 1 are consistent (namely, the same plaintext is encrypted) or the plaintext in the ciphertext ct 2 is committed to in c 2 . In the real scheme, ρ 1 proves the consistency of double encryption ct 0 and ct 1 . In the security proof, ρ 1 enables us to achieve two (seemingly incompatible) functionalities under a binding mode CRS. One is forcing the adversary to use consistent ciphertexts in its forgery. A simulator guesses z * 2 in the forgery and makes x 2 = z * 2 hold. The other is letting the simulator use inconsistent ciphertexts in a special situation achieved using a partitioning technique (see Sect. 3.2 for more details). In that situation, the simulator can make x 2 = z 2 hold and use a real witness of ρ 0 .

Remark 3.3.
(On the range of z 2 ) The range of z 2 is Z p since z 2 is the plaintext of ct 2 . Readers might think we should bind z 2 on {0, 1} by using a Groth-Sahai proof since the simulator in the security proof guesses z * 2 in the forgery as explained in the previous remark. This is not the case. In fact, even if an adversary uses z * 2 such that z * 2 / ∈ {0, 1}, it has no advantage because the simualtor uses x 2 such that x 2 ∈ {0, 1} in the security proof. Value z 2 affects ρ 1 . However, to make a valid forgery by using x 2 = z * 2 as a witness in ρ 1 , adversaries have no choice but to use z * 2 ∈ {0, 1} as long as x 2 ∈ {0, 1}. Accordingly, we do not need to bind z 2 on {0, 1}. This intuition is implemented formally in the proof of Lemma 3.20.  . This is achievable if ρ 0 is generated as a proof of "pairing product equations (PPEs)" (in both the real and simulated schemes). If the simulator has exponents, then ρ 0 is generated as a proof of "(linear) multiscalar multiplication equations", which is more efficient than that of PPEs. We not only up-grade UF-XCMA to UF-CMA but also achieve an SPS scheme for vector messages by combining our xSPS with (partial) one-time signature at very low cost [3]. Thus, we select the UF-XCMA-secure scheme. See also Sect. 4 for efficiency.

Overview of Security Proof
Our main goal is to implement an additional check of A's forgery σ * := (ct * 0 , ct * 1 , ct * 2 , ρ * 0 , ρ * 1 ). We not only verify Groth-Sahai proofs, but also check if . That is, we will force A to reuse an M i in queried messages for Z * 0 (we will set x 1 := 1 to achieve this during the game transitions). This explicit check will be introduced when x 1 = 0, so that only one fixed value of Z * 0 = G x 0 is consistent with the language L 0 . In this case, with crs 0 for ρ * 0 being still in perfect soundness mode, we will be able to establish this explicit check by relying on this perfect soundness. Once this explicit check is introduced, we can switch crs 0 to simulation mode to be able to prepare simulated signatures with simulated proofs ρ 0 , and to eventually switch to x 1 = 1. Since A is not allowed to reuse a signed message in its forgery, this leads to a contradiction and A never wins.
To change the success forgery condition, we replace the value z 0 := x 0 in signatures of the signing oracle and the additional forgery check with a value z 0 := RF k (μ| k ) where RF k : {0, 1} k → Z p is truly random, and μ| k is the k-bit prefix of a binary encoding μ ∈ {0, 1} L of a signed message M ∈ G, where L is the smallest even integer that is equal to or larger than the bit size of p. Note that encoding μ appears only in the security proof (not in the real scheme). We start with RF 0 ( ) := x 0 for the empty string . We will introduce more dependencies of z 0 on x 2 and z * 2 in ct * 2 . To increase the entropy of z 0 (this will make z 0 unpredictable for M * and force A to reuse z 0 from the signing oracle) and eventually set z 0 := RF L (μ), we replace z 0 := RF k (μ| k ) with z 0 := RF k+1 (μ| k+1 ) step by step. At each step, we partition the signature space into two halves according to the (k + 1)-th bit of μ. The partitioning bit is dynamically changed by z * 2 hidden in ct * 2 . At the beginning of the game, the simulator guesses the bit z * 2 used in a forgery and aborts if the guess is incorrect (z * 2 is accessible with the decryption key sk 2 ). Signature queries are created with a case distinction depending on the (k + 1)-th bit μ[k + 1] of μ. If μ[k + 1] is equal to the guessed z * 2 from the forgery, nothing is changed in the signing process. However, if μ[k + 1] is different from z * 2 , we use another independent random function RF k and set z 1 := RF k (μ| k ) in the generated signature (i.e., more randomness is supplied).
Note that at this point, we want to change the encrypted values z 0 , z 1 in the generated signature, while being able to decrypt the value z * 0 from the forgery (to implement the additional check mentioned above). Intuitively, we can do so since the proved statement (z 0 − z 1 )(x 2 − z 2 ) = 0 guarantees a consistent double encryption with z 0 = z 1 precisely when x 2 = z 2 . Hence, if we initially set up x 2 as 1 − z * 2 (using our guess for z * 2 ), it is possible for the simulator to generate inconsistent double encryptions (with z 0 = z 1 ) whenever μ[k + 1] = z 2 = z * 2 . On the other hand, a decryption key for either z * 0 or z * 1 can be used to implement the final check on the adversary's forgery (since z * 0 = z * 1 ). These observations enable a Naor-Yung-like double encryption argument to modify the z 0 , z 1 values in all generated signatures with μ[k + 1] = z * 2 .
After the above transition is iterated, all signatures are generated with (or checked for) z 0 := z 1 := RF L (μ) for a truly random function RF L . At this point, we can replace z 0 and z 1 with z 0 := z 1 := RF L (μ) + m since RF L (μ) is an independently and uniformly random element.
We can replace z 0 := z 1 := RF L (μ) + m with z 0 := z 1 := x + m in a similar way to the case from RF 0 ( ) = x to RF L (μ) (see the proof for the detail). Thus, we can force A to reuse an M i in queried messages for Z * 0 , as we explained at the beginning of this section.

Improvement on the Security Loss
Motivated by [35], the above strategy can also be implement by using an index i (which denotes the i-th signing query from the adversary) as inputs to the random functions RF k and RF L , since the encoding μ is not explicitly used in the scheme and we only require q s -many random values to randomize the signatures in order to finish the transition from z 0 = x 0 to random z 0 . By doing this, we can only apply the hybrid argument on the length of the index i (1 ≤ i ≤ q s ) and reduce the security loss from O(λ) to O( log q s ). Note that q s is less or even much less than 2 λ . In the following, we present our updated proof with security loss O( log q s ) in details. The proof is almost the same as the previous one, but with less hybrid repetitions. Proof. Let A be an adversary against UF-XCMA security of xSPS. We prove Theorem 3.6 via Games G 0 -G 3 defined in Fig. 2. We use AdvG α to denote the advantage of A in Game G α . G 0 is the real attack game. We have lemmata below.    Proof. The changes in G 2 are:

Security Proof
• Switching x 1 from 0 to 1: since c 1 is already simulated and is independent of x 1 in G 1 , pk is distributed identically in both G 1 and G 2 . • Switching Z 0 and Z 1 from G F( j) to G F( j) · M j : since F is a truly random function,  After switching z 0,i and z 1,i from F(i) to F(i) + m i in G 2 , G 3 switches them from F(i) + m i to x 0 + m i , which is exactly the step from G 0 to G 1 , but in a reverse direction. The proof of Lemma 3.10 is similar to that of Lemma 3.8. The details are in Sect. 3.3.2.   3. Overview of transitions in Lemma 3.8. In the "crs 0 " and "crs 1 " columns, "B" (resp. "H") means that commitments are perfectly binding and proofs are perfectly sound (resp. commitments are perfectly hiding and proofs are perfectly zero-knowledge). In the "ρ 0 " column, "real" (resp. "sim") means that proofs are generated by using the real witness w 0 (resp. the trapdoor trap). In the "reduction" column, we write what kind of security is used. "Soundness" (resp. "ZK") means the perfect soundness (resp. zero-knowledge) of the Groth-Sahai proof system. z 0,i and z 1,i are the value used in simulating the i-th signing query. 0 ≤ k ≤ L − 1 and L := log q s are integers.
Proof. In G 3 , crs 0 $ ← − BG(par) is in the binding mode. By the perfect soundness,  Proof. Games H 2 and H 1 only differ in the distribution of crs 0 returned by Init, namely, crs 0 is in the hiding or binding mode. From that, we obtain a straightforward reduction to CRS indistinguishability of GS. Proof. Instead of using the prover algorithm P, H 3 generates ρ 0 and relevant commitments with the zero-knowledge simulator, Sim. By the perfect zero-knowledge property, In H 4,0 , we syntactically define x 0 by RF 0 ( ), which is a fixed random element from Z p , and we have Proof. We define the games between H 4,k and H 4,k+1 in Fig. 5, and an overview of the game transitions is presented in Fig. 6.   This is a summary of the game transition in Lemma 3.17. In "crs 1 " column, "B" (resp. "H") means that commitments are perfectly binding and proofs are perfectly sound (resp. commitments are perfectly hiding and proofs are perfectly zero-knowledge). In the "guess" column, if the simulator chooses a random guess β ∈ {0, 1}, then β is written. In "w 1 " column, "z 0,i = z 1,i " and "z 2,i = x 2 " means that each equation holds in In the "abort cond." column, if Z * 2 = G β holds, the simulator aborts. In the "reduction" column, we write what kind of security is used. "CRS IND", "Soundness", and "Hiding" mean the CRS indistinguishability, perfect soundness, perfect binding of the Groth-Sahai proof system, respectively. "Stat. Diff." means the statistical difference between the two advantages. Note that RF Proof. In H 4,k,2 , ct 2 encrypts Z 2,i = G i[k+1] , instead of Z 2,i = G 0 . Observe that sk 2 is used only in making commitment k 2 and proof ρ 1 with crs 1 generated by HG(par) in both games. Thus, we can construct a straightforward reduction to bound the difference by IND − mCPA security of PKE by using perfect zero-knowledge simulator Sim for making ρ 1 and relevant commitments. Proof. In H 4,k,3 , β and b are independent of adversary's view and chosen uniformly at random. c 2 perfectly hides β since crs 1 is generated by HG(par) and the simulation of Sign is independent of β. Thus, the event Abort is independent of adversary's success event and where z * 2 is the discrete log of Z * 2 based on G and independent of b. This only halves A's advantage. We note that, for all accepted forgeries in Games H 4,k,3 to H 4,k,8 , the following equation holds: In the following games, we define the random function for an integer i ∈ Z p : where RF k and RF k are two independent random functions from {0, 1} k → Z p . As stated in Sect. 2.1, i| k ∈ {0, 1} k denotes the first k bits of i's binary representation and by i[k] ∈ {0, 1} the k-th bit of i's binary representation. By the definition, we note that RF k+1 : {0, 1} k+1 → Z p is a random function. Proof. In game H 4,k,4 , Thus, in either case, (z 0,i − z 1,i )(x 2 − z 2,i ) = 0 holds and ins 1 ∈ L 1 . Another difference between AdvH 4,k,3 and H 4,k,4 is that ct 1 is a ciphertext either of AdvH 4,k,3 ). Moreover, sk 1 is used only for making k 1 and ρ 1 with respect to crs 1 generated by HG(par) in both games. Thus, as well as Lemma 3.19, we can construct a straightforward reduction to bound this difference by IND − mCPA-security of PKE using Sim for simulating ρ 1 and relevant commitments. Lemma 3.21 is concluded.  Proof. In H 4,k,5 , Ver rejects a forgery if In these games, Eq. (1) holds and we can switch crs 1 to be binding and argue that Z * k mod 2 = Z * 1−(k mod 2) must hold by z * 2 = x 2 and the perfect soundness of GS for language L 1 . More formally, we prove that via the game sequence in Fig. 7. Here, we only change the simulation of Init and Ver, and the simulation of Sign is the same as in H 4,k,4 . As shown in Lemma 3.21, ins 1 is always in L 1 and we can construct a straightforward reduction to show that there exists an adversary B against CRS indistinguishability of GS with Adv crsind GS (B) ≥ |AdvH 1 − AdvH 4,k,4 |.
Since crs 1 is binding in both H 1 and H 2 , by the perfect soundness of GS and Eq. (1), Z * k mod 2 = Z * 1−(k mod 2) holds if ρ * 1 gets verified. Hence, the changes between H 1 and H 2 are only conceptual, and thus, AdvH 2 = AdvH 1 . By the CRS indistinguishability of GS, we have Adv crsind GS (B) ≥ |AdvH 3 − AdvH 2 |. It is clear that AdvH 3 = AdvH 4,k,5 Proof. In H 4,k,6 , z 0,i = z 1,i is used as w 1 . It holds that (z 0,i − z 1,i )(x 2 − z 2,i ) = 0 and ins 1 ∈ L 1 as the case in H 4,k,5 . In the signing oracle of H 4,k,6 , ct 0 encrypts Z 0,i = G RF k+1 (i| k+1 ) instead of Z 0,i = G RF k (i| k ) . Observe that sk 0 is used only in making k 0 and ρ 1 with crs 1 generated by HG(par) in both games. We thus can construct a straightforward reduction to bound the difference between H 4,k,5 and H 4,k,6 by IND − mCPA security using zero-knowledge simulator Sim for making ρ 1 and relevant commitments.
Proof. According to Eq. (2), the difference between H 4,k,6 and H 4,k,7 is that the accepted forgery with a Z * 1−(k mod 2) in either: We note that, for the i-th messages M where i[k + 1] = 1 − β and i| k ∈ CM := { j| k : We note that S is not empty, since each element G RF k ( j| k ) depends on the k-bit prefix of j. Thus, we can rewrite We define the following game H 4,k,6 between H 4,k,6 and H 4,k,7 . H 4,k,6 simulates Init and Sign as in H 4,k,6 , but differs in simulating Ver, where it only accepts forgery with Z * 1−(k mod 2) ∈ S 1 . Precisely, H 4,k,6 simulates Ver as follows: We note that the value RF k ( j| k ) is perfectly hidden from A for j[k + 1] = 1 − β and j| k / ∈ CM since A only learns RF k ( j| k ) from Sign by Eq. (2) and RF and RF are two independent random functions. Thus, even an unbounded adversary A can output a We syntactically define F(i) := RF L (i) in G 1 since the binary representation of a group element is unique and have Proof. We note that L = log q s and thus, for every signing query z 0,i = z 1,i = F(i) and F : {1, ..., q s } → Z p is a random function. The only difference between G 1 and H 4,L is the simulation of crs 1 , which is generated by either BG (in G 1 ) or HG (in H 4,L ). From that, we obtain a straightforward reduction to the CRS indistinguishability of GS.
Combining Lemmata 3.12 to 3.17 and Lemma 3.29, we have AdvG 0 ≤ AdvG 1 + 3Adv crsind The proof of Lemma 3.10 is essentially the same as Lemma 3.8, but the game sequence is defined in the reverse order. For completeness, we define the game sequence in Fig. 8. For the game sequence S 0,k , the index k starts with L and decreases till 0. We use AdvS i to denote the advantage of A in Game S i .
By defining RF L (i| L ) := F(i) and the same argument as in Lemma 3.16, we have Proof. The proof of Lemma 3.31 is essentially the same as the one of Lemma 3.17, but here we derandomize z 0,i and z 1,i from RF k (i| k ) to RF k−1 (i| k−1 ) instead of randomizing z 0,i and z 1,i from RF k−1 (i| k−1 ) to RF k (i| k ). We define the detailed games in Fig. 9 and sketch the proof as follows. By the same arguments as in Lemmata 3.18 to 3.20, we have the following Lemmata.  In the following games, for an integer i ∈ Z p we define the random function: where β is a random bit chosen in Init. We note that RF k−1 : {0, 1} k−1 → Z p is a random function, since RF k is a random function. Proof. The proof is similar to that of Lemma 3.21. First observe that, in S 0,k,4 , if Thus, (z 0,i − z 1,i )(x 2 − z 2,i ) = 0 holds and ins 1 ∈ L 1 in either case. By the perfect WI of GS, this difference is perfectly hidden from the adversary. Then, the difference between S 0,k,4 and S 0,k,3 is that ct 1 is a ciphertext either of Since sk 1 is used only for making k 1 and ρ 1 with respect to crs 1 generated by HG(par) in both games, we can construct a straightforward reduction to bound this difference by IND − mCPA-security of PKE using zero-knowledge simulator Sim to make ρ 1 and relevant commitments. The lemma is concluded. Proof. Similar to Lemma 3.24, the difference between S 0,k,6 and S 0,k,7 is that the accepted forgery with a Z * 1−(k mod 2) in either: according to Eq. (3). We define the following game S 0,k,6 between S 0,k,6 and S 0,k,7 . S 0,k,6 simulates Init and Sign as in S 0,k,6 , but it differs in simulating Ver, where it only accepts forgery with Z * 1−(k mod 2) ∈ S 1 . More precisely, S 0,k,6 simulates Ver as follows: From answers of Sign, adversaries A only learn value RF k ( j| k−1 , β) for all signing messages M j . Thus, if RF k : {0, 1} k → Z p is a random function, then values RF k ( j| k−1 , 1 − β) are perfectly hidden from A until Ver is asked. We have that, even for an unbounded adversary A, it can only output a value in S 2 with probability at most q s p and the following holds AdvS 0,k,6 − AdvS 0,k,6 ≤ q s p .

Instantiation
We instantiate our generic construction in Type-III bilinear groups under the SXDH assumption. Throughout this section, we denote group elements in G 1 with plain uppercase letters, such as X , and elements in G 2 such letters with tilde, such asX . Scalar values in Z p are denoted with lower-case letters. We may also put a tilde to scalar values or other objects when they are related to group elements in G 2 in a way that is clear from the context.
We begin with optimizations in Sect. 4.1 made on top of the generic construction. We then present a concrete scheme for signing unilateral messages in Sect. 4.2 and for bilateral messages in Sect. 4.3 followed by full details of the Groth-Sahai proofs in Sect. 4.4.

ElGamal Encryption with Common Randomness
Observe that relation (z 0 − z 1 )(x 2 − z 2 ) = 0 in L 1 is a quadratic equation and it can be proved efficiently by a GS proof if z 0 and z 1 are committed in the same group and z 2 is committed in the other group. Relevant encryptions should follow the deployment of groups. We thus build the first two ciphertexts, ct 0 and ct 1 in G 1 , and ct 2 in G 2 .
To gain efficiency, we consider using the same randomness for making ct 0 and ct 1 . For this to be done without spoiling the security proof, it is sufficient that one of the ciphertext ct b is perfectly simulated given the other ciphertext ct 1−b . Formally, we assume that there exists a function, say SimEnc, such that, for any key pairs (pk, sk) $ ← − Gen PKE (par) and (pk , sk ) $ ← − Gen PKE (par), any messages m and m in the legitimate message space, and any randomness s, it holds that Enc(pk , m ; s) = SimEnc(sk , m , Enc(pk, m; s)). In [15], Bellare et al. formally defined such a property as reproducibility. Given reproducible PKE and its ciphertext ct b $ ← − Enc(pk b , G z b ; s), we can compute another ciphertext ct 1−b $ ← − SimEnc(sk 1−b , G z 1−b , ct b ) without knowing sk b or s. All reduction steps with respect to the CPA security of PKE go through using SimEnc and simulated GS proofs. Precisely, we use SimEnc in Lemma 3.21 to compute ct 0 from given ct 1 . Similar adjustment applies to Lemma 3.23, 3.35 and 3.37.
As shown in [15], ElGamal encryption (EG) is reproducible. Let (y, G y ) and (y , G y ) ∈ Z p × G 1 be two key pairs of ElGamal encryption. Given ciphertext (M · (G y ) s , G s ) of message M with s and public key G y , one can compute (M · (G s ) y , G s ) for any M using secret key y . It is exactly the same ciphertext obtained from the regular encryption with common randomness s. We thus encrypt z 0 and z 1 with ElGamal encryption in G 1 using the same randomness and removing redundant G s . For encrypting z 2 , we also use ElGamal but in G 2 . Bellare et al. show that the multi-message chosen-plaintext security for each encryption holds under the DDH assumption in respective groups, which is directly implied by the SXDH assumption [14]. We thus have:

Concrete Scheme for Unilateral Messages
We present a concrete scheme, SPSu1, for signing messages in G 1 . We use a structurepreserving one-time signature scheme, POSu1, taken from the results of Abe et al. [3], and the SXDH-based instantiation of GS proof system. The description of POSu1 is blended into the description of SPSu1. For the GS proofs, however, we only show concrete relations in this section and present details of computation in Sect. 4.4. We use notations [x] i and [x] 1 as a shorthand of Com(crs i , x) and Com( crs 1 , x), respectively. We abuse these notations to present witnesses in a relation. It is indeed useful to keep track which CRS and which source group is used to commit to a witness. This notational convention is used in the rest of the paper.
Since computational cost largely depends on available resources and implementation, we only show basic parameters that can be dominant factors in computation. First, for signature generation, the number of elements in a signature almost counts a number of scalar multiplications. To be slightly more accurate, we count the number of multi-scalar multiplications and add them as 1.5 scalar multiplications. Element R in POSu1 and all elements in proofs ρ 0,0 , ρ 0,1 , ρ 1,1 , ρ 1,2 , ρ 1,0 , ρ 1,3 that sum up to (4, 6) elements in total are computed through multi-scalar multiplications. The remaining (9, 6) elements in a signature are those in commitments and ElGamal encryptions for binary values and counted as scalar multiplications. Accordingly, we estimate the signing cost as 15(= 4×1.5+9) and 15(= 6×1.5+6) scalar multiplications in G 1 and G 2 , respectively. Computational workload for verification is much more implementation dependent. The number of equations and pairings are 15 and n 1 + 57, respectively, from simple counting in the description. With the most aggressive batch verification that wraps all equations into one, we merge pairings with respect to default generators G andG, and CRSes. It reduces the number of pairings down to n 1 + 16 in exchange of increasing the number of multi-scalar multiplications (which is ignored in Table 2) for randomizing each element. Note that the size of randomness in batching is an additional statistical parameter for the soundness of verification. We consider full-size randomness for minimizing the loss.

Security
Regarding POSu1 used in the above construction, the following statement is proven in [3]. With asymmetric pairing groups, CRS indistinguishability of GS proof system is tightly reduced from the SXDH assumption. Namely, the following theorem holds.
If we set the number of possible signing queries to q s = 2 40 , i.e., L = log 2 q s = 40, the security loss of SPSu1 is approximately in 11 bits (2 10.6 ).

Concrete Scheme for Bilateral Messages
To sign bilateral messages (M 1 , M 2 ) ∈ G n 1 1 × G n 2 2 , we use SPSu1 in the previous section to sign M 1 ∈ G n 1 1 and combine it with another POS, say POSu2, that signs M 2 ∈ G n 2 2 . Since a one-time public key of POSu2 is in G 1 , it can be appended to M 1 and authenticated by SPSu1 by extending the message space to G n 1 +1 2 . We give the details below. Scheme SPSb: SPSb.Gen(par): Given par, proceeds with the same steps, except for generating keys for POSb instead of POSu1.
-Verifies GS proofs as well as SPSu1.

Performance
The only difference compared to SPSu1 is extra POSu2. It adds (n 2 + 1, 1) and (1, 2) elements and results in (n 2 + 19, n 1 + 12) and (14,14) elements in a public-key and a Default generators G andG are not included in CRS. Column #(s.mult) indicates number of scalar multiplications in G 1 and G 2 for generating object by counting multi-scalar multiplication as 1.5. Linear MSE and nonlinear QE are specific to relations in Eq. (5) to (10) signature, respectively. Among (1, 2) elements newly added to a signature, only one in G 2 is computed by multi-scalar multiplication. Hence, the cost for signature generation increases by 2.5 and 1 scalar multiplications in G 1 and G 2 , respectively. In verification, the additional POS requires 1 more equation and n 2 +4 pairings, resulting in 16 equations and n 1 +n 2 +61 pairings. Two of the new pairings include G andG, they are merged with pairings with respect to those elements, and the remaining n 2 + 2 pairings are counted as an additional cost in the case of batch verification. Hence, we have n 1 + n 2 + 18 pairings.

Security
Theorem 4.2 holds for POSu2 under the DDH 1 assumption. Combining it with Theorem 4.4, we obtain the following.

Specific Groth-Sahai Proofs under SXDH
Among wide variations of relations that are provable with GS proofs, our instantiation involves only three types of relations; linear multiscalar multiplication equations (MSEs) in G 1 and G 2 , and nonlinear quadratic equations (QEs). Witnesses are committed in either G 1 or G 2 depending on the relations to prove. We summarize the space and computation complexity in Table 3 and give details in the sequel.
where r x is a random coin used to commit to x. The verification evaluates