
Linearly Homomorphic Signatures with Designated Combiner

Conference paper. Provable and Practical Security (ProvSec 2021).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13059)

Abstract

Linearly homomorphic signatures provide authenticity services for a series of scenarios such as network coding routing mechanisms and verifiable computation mechanisms. However, most of the present constructions are publicly combinable and verifiable. Motivated by the problem proposed by Rivest, we introduce the concept of designated combiner into linearly homomorphic signatures. In the new notion, the verification procedure remains public, nevertheless, the homomorphic operation is infeasible for other entities except the one designated by the signer (we call it the designated combiner). In addition, we present a specific construction with provable security in the random oracle model.



References

  1. Ahn, J.H., Boneh, D., Camenisch, J., Hohenberger, S., Shelat, A., Waters, B.: Computing on authenticated data. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 1–20. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_1

  2. Ateniese, G., et al.: Provable data possession at untrusted stores. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, 28–31 October 2007, pp. 598–609. ACM (2007)

  3. Ateniese, G., Kamara, S., Katz, J.: Proofs of storage from homomorphic identification protocols. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 319–333. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_19

  4. Attrapadung, N., Libert, B.: Homomorphic network coding signatures in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 17–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_2

  5. Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_23

  6. Bellare, M., Neven, G.: Transitive signatures based on factoring and RSA. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 397–414. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_25

  7. Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_10

  8. Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_1

  9. Boneh, D., Freeman, D., Katz, J., Waters, B.: Signing a linear subspace: signature schemes for network coding. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 68–87. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_5

  10. Boyen, X., Fan, X., Shi, E.: Adaptively secure fully homomorphic signatures based on lattices. IACR Cryptol. ePrint Arch. 2014, 916 (2014)

  11. Catalano, D., Fiore, D., Nizzardo, L.: Programmable hash functions go private: constructions and applications to (homomorphic) signatures with shorter public keys. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 254–274. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_13

  12. Catalano, D., Fiore, D., Warinschi, B.: Efficient Network coding signatures in the standard model. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 680–696. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_40

  13. Charles, D.X., Jain, K., Lauter, K.E.: Signatures for network coding. IJICoT 1(1), 3–14 (2009)

  14. Chen, W., Lei, H., Qi, K.: Lattice-based linearly homomorphic signatures in the standard model. Theor. Comput. Sci. 634, 47–54 (2016)

  15. Desmedt, Y.: Computer security by redefining what a computer is. In: Michael, J.B., Ashby, V., Meadows, C.A. (eds.) Proceedings on the 1992–1993 Workshop on New Security Paradigms, 22–24 September 1992 and 3–5 August 1993, Little Compton, RI, USA, pp. 160–166. ACM (1993)

  16. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  17. Gennaro, R., Katz, J., Krawczyk, H., Rabin, T.: Secure network coding over the integers. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 142–160. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_9

  18. Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_20

  19. Huang, X., Xiang, Y., Bertino, E., Zhou, J., Xu, L.: Robust multi-factor authentication for fragile communications. IEEE Trans. Dependable Secure Comput. 11(6), 568–581 (2014)

  20. Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_17

  21. Li, J., et al.: Secure distributed deduplication systems with improved reliability. IEEE Trans. Comput. 64(12), 3569–3579 (2015)

  22. Lin, C.-J., Huang, X., Li, S., Wu, W., Yang, S.-J.: Linearly homomorphic signatures with designated entities. In: Liu, J.K., Samarati, P. (eds.) ISPEC 2017. LNCS, vol. 10701, pp. 375–390. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72359-4_22

  23. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)

  24. Rivest, R.L.: Two signature schemes. Talk at Cambridge University, October 2000. http://people.csail.mit.edu/rivest/pubs/Riv00.slides.pdf

  25. Steinfeld, R., Bull, L., Wang, H., Pieprzyk, J.: Universal designated-verifier signatures. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 523–542. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_33

  26. Traverso, G., Demirel, D., Buchmann, J.A.: Homomorphic Signature Schemes - A Survey. BRIEFSCOMPUTER, Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-319-32115-8

  27. Wang, F., Hu, Y., Wang, B.: Lattice-based linearly homomorphic signature scheme over binary field. Sci. China Inf. Sci. 56(11), 1–9 (2013)

Acknowledgements

This work was supported by the National Natural Science Foundation of China (Grant Numbers 61772514, 61822202, 62172096) and the Beijing Municipal Science & Technology Commission (Project Number Z191100007119006).

Corresponding author: Xinyi Huang.

Appendices

5 Proof of Theorem 1

Proof (Adapted from [9]). As mentioned above, we assume that \(\mathcal {A}\) is an adversary that breaks UF\(_{1}\) with success probability \(Succ^{UF_{1}}_{\mathcal {A,S}}\), and our goal is to construct an algorithm \(\mathcal {B}\) that solves the co-CDH problem in \((\mathbb {G}_{1},\mathbb {G}_{2})\): given a bilinear group tuple \(\mathcal {G}=(\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,\varphi )\), \(g\in \mathbb {G}_{1}\), and \(h,u\in \mathbb {G}_{2}\) with \(u=h^{\alpha _{A}}\) for an unknown integer \(\alpha _{A}\in \mathbb {F}^{*}_{p}\), output an element \(\omega \in \mathbb {G}_{1}\) such that \(\omega =g^{\alpha _{A}}\).

First, \(\mathcal {B}\) maintains two lists, \(H_{1}\)-List and \(H_{2}\)-List, to record the \(H_{1}\) and \(H_{2}\) queries. \(H_{1}\)-List consists of tuples \((id,i,H_{1}(id,i))\), and \(H_{2}\)-List consists of pairs \((\mathbf {v},H_{2}(\mathbf {v}))\). The other hash functions \(H_{3}\) and H are treated as ordinary hash functions in this proof.

\(\mathtt {Setup}\). \(\mathcal {B}\) chooses a positive integer N, then

  1. Chooses \(s_{j},t_{j}\xleftarrow {R} \mathbb {F}_{p}\), and sets \(g_{j}=g^{s_{j}}\varphi (h)^{t_{j}}\) for \(j\in [N]\). Chooses \(a\xleftarrow {R}\mathbb {F}^{*}_{p}\) and calculates \(u_{A}=u^{a}\). Let \(PK_{A}=u_{A}\) and \(cp=(\mathcal {G},p,H_{3},H,h,\{g_{j}\}_{j=1}^N)\).

  2. Sends the pair \((cp,PK_{A})\) to \(\mathcal {A}\).

In response, \(\mathcal {A}\) sends the designated combiner's public key \(PK_{B}=u_{B}\) to \(\mathcal {B}\).

\(\mathtt {H}_{1}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H_{1}(id,i)\), \(\mathcal {B}\):

  1. If there exists a tuple \((id,i,H_{1}(id,i))\) in the \(H_{1}\)-List, returns \(H_{1}(id,i)\).

  2. Otherwise, randomly chooses \(\varsigma _{i},\tau _{i}\xleftarrow {R}\mathbb {F}_{p}\) and sets \(H_{1}(id,i)=g^{\varsigma _{i}}\varphi (h)^{\tau _{i}}\). The new tuple \((id,i,H_{1}(id,i))\) is added to the \(H_{1}\)-List, and \(\mathcal {B}\) returns \(H_{1}(id,i)\) to \(\mathcal {A}\).

\(\mathtt {H}_{2}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H_{2}(\mathbf {v})\), \(\mathcal {B}\):

  1. If there exists a pair \((\mathbf {v},H_{2}(\mathbf {v}))\) in the \(H_{2}\)-List, returns \(H_{2}(\mathbf {v})\).

  2. Otherwise, randomly chooses \(k\xleftarrow {R}\mathbb {F}_{p}\) and sets \(H_{2}(\mathbf {v})=\varphi (h)^{k}\). The new pair \((\mathbf {v},H_{2}(\mathbf {v}))\) is added to the \(H_{2}\)-List, and \(H_{2}(\mathbf {v})\) is sent to \(\mathcal {A}\).

\(\mathtt {Sign\ Queries}\). When \(\mathcal {A}\) requests the designated signature on the vector subspace \(V\subset \mathbb {F}^{N}_{p}\) represented by the augmented vectors \(\mathbf {v}_{1},\ldots ,\mathbf {v}_{m}\in \mathbb {F}^{N}_{p}\), \(\mathcal {B}\):

  1. Chooses an identifier \(id\xleftarrow {R}\{0,1\}^{k}\). If there exists a tuple \((id,\cdot ,\cdot )\) in the \(H_{1}\)-List, the simulation is aborted.

  2. For every \(i\in [m]\), calculates \(\varsigma _{i}=-\sum ^{n}_{j=1}s_{j}v_{ij}\), and sets \(\mathbf {s}=(s_{1},\ldots ,s_{n},\varsigma _{1},\ldots ,\varsigma _{m})\). \(\mathcal {B}\) chooses \(\tau _{1},\ldots ,\tau _{m}\in \mathbb {F}_{p}\), and sets \(\mathbf {t}=(t_{1},\ldots ,t_{n},\tau _{1},\ldots ,\tau _{m})\).

  3. For every \(i\in [m]\), calculates \(H_{1}(id,i)=g^{\varsigma _{i}}\varphi (h)^{\tau _{i}}\), and calculates \(H_{2}(\mathbf {v}_{i})\) as in the \(H_{2}\) queries (with exponent \(k_{i}\)).

  4. Calculates \(\widehat{\sigma }_{i}=\varphi (u_{A})^{\mathbf {v}_{i}\cdot \mathbf {t}}\cdot H_{3}(e(\varphi (u_{A}),u_{B})^{k_{i}})\) for every \(i\in \{1,\ldots ,m\}\).

  5. Returns id and the designated signature \(\widehat{\sigma }=(\widehat{\sigma }_{1},\ldots ,\widehat{\sigma }_{m})\).

\(\mathtt {Output}\). If \(\mathcal {B}\) does not abort, and a successful adversary \(\mathcal {A}\) outputs an identifier \(id^{*}\), a signature \(\sigma ^{*}\), and a nonzero vector \(\mathbf {v}^{*}\), \(\mathcal {B}\):

  1. If no tuple \((id^{*},\cdot ,\cdot )\) appeared in the signature queries, calculates the value of \(H_{1}(id^{*},i)\) for all \(i\in \{1,\ldots ,m\}\) as in the \(H_{1}\) queries, and sets \(\mathbf {s}=(s_{1},\ldots ,s_{n},\varsigma _{1},\ldots ,\varsigma _{m})\) and \(\mathbf {t}=(t_{1},\ldots ,t_{n},\tau _{1},\ldots ,\tau _{m})\).

  2. If a tuple \((id^{*},\cdot ,\cdot )\) appeared in the signature queries, takes the two vectors \(\mathbf {s}\) and \(\mathbf {t}\) directly from the corresponding signature query.

  3. Calculates \(\omega =(\frac{(\frac{T}{g^{c}})^{\frac{1}{S}}}{\varphi (u_{A})^{(\mathbf {t}\cdot \mathbf {v}^{*})}})^{\frac{1}{a(\mathbf {s}\cdot \mathbf {v}^{*})}}\), and finally outputs \(\omega \).

The random oracles \(H_{1}\), \(H_{2}\), and the \(\mathtt {Setup}\) algorithm have been correctly simulated by \(\mathcal {B}\), because all of the hash values and \(\{g_{j}\}_{j=1}^N\) are uniformly random in the group \(\mathbb {G}_{1}\). Next, we show that if the simulator does not abort, \(\mathcal {B}\) will correctly simulate the \(\mathtt {Sign}\) algorithm. In fact, setting the public key \(PK_{A}\) and hash queries as above, we have

$$\begin{aligned} \begin{aligned}&\big (\prod \limits ^{m}_{i=1}H_{1}(id,i)^{v_{i,n+i}}\prod \limits ^{n}_{j=1}g^{v_{ij}}_{j}\big )^{\alpha _{A}a}H_{3}(e(H_{2}(\mathbf {v}_{i}),u_{B})^{\alpha _{A}a})\\ =\,&\big (\prod \limits ^{m}_{i=1}(g^{\varsigma _{i}}\varphi (h)^{\tau _{i}})^{v_{i,n+i}}\prod \limits ^{n}_{j=1}(g^{s_{j}}\varphi (h)^{t_{j}})^{v_{ij}}\big )^{\alpha _{A}a}H_{3}(e(\varphi (h)^{\alpha _{A}a},u_{B})^{k_{i}})\\ =\,&\varphi (u_{A})^{\mathbf {v}_{i}\cdot \mathbf {t}}H_{3}(e(\varphi (u_{A}),u_{B})^{k_{i}})\\ \end{aligned} \end{aligned}$$
(1)

for \(i=1,\ldots ,m\). From the construction of \(\mathbf {s}\) in the signature queries, we have \(\mathbf {s}\cdot \mathbf {v}_{i}=0\) for every i (i.e., \(\mathbf {s}\in V^{\bot }\)), from which it follows that the last two expressions in (1) are equal. Thus, the \(\mathtt {Sign}\) algorithm has been correctly simulated by \(\mathcal {B}\).

We now show that the probability that \(\mathcal {B}\) aborts the simulation is negligible. \(\mathcal {B}\) aborts in two cases:

  • \(\mathcal {B}\) chooses the same identifier id in two different signature queries. This probability is at most \(\frac{q_{s}\cdot q_{s}}{2^{k}}\).

  • \(\mathcal {B}\) chooses an identifier in a signature query for which a tuple \((id,\cdot ,\cdot )\) already exists in the \(H_{1}\)-List. This probability is at most \(\frac{q_{s}\cdot q_{h_{1}}}{2^{k}}\).

Assume that the simulator does not abort and the adversary \(\mathcal {A}\) finally outputs a signature \(\sigma ^{*}\), an identifier \(id^{*}\), and a nonzero vector \(\mathbf {v}^{*}\) such that \(\mathtt {Verify}(PK_{A},id^{*},m,\mathbf {v}^{*},\sigma ^{*})=1\), where \(\sigma ^{*}=(S,T)\), \(S=H(\mathbf {v}^{*},R)\), and \(R=e(g,h)^{c}\) for an integer \(c\in \mathbb {F}_{p}\) chosen by \(\mathcal {A}\). Then we have

$$\begin{aligned} \begin{aligned} R'&=e(T,h)e(\sigma '_{\mathbf {v}^{*}},(u_{A})^{-1})^{S}\\&=e(\sigma ^{S}_{\mathbf {v}^{*}}\cdot g^{c},h)e\bigg (\big (\prod \limits ^{m}_{i=1}H_{1}(id,i)^{v^{*}_{n+i}}\prod \limits ^{n}_{j=1}g_{j}^{v^{*}_{j}}\big )^{-a\alpha _{A}},h\bigg )^{S}\\&=e(g,h)^{c}e(\sigma _{\mathbf {v}^{*}},h)^{S}e\bigg (\big (\prod \limits ^{m}_{i=1}(g^{\varsigma _{i}}\varphi (h)^{\tau _{i}})^{v^{*}_{n+i}}\prod \limits ^{n}_{j=1}(g^{s_{j}}\varphi (h)^{t_{j}})^{v^{*}_{j}}\big )^{-a\alpha _{A}},h\bigg )^{S}\\&=e(g,h)^{c}e(\sigma _{\mathbf {v}^{*}},h)^{S}e(g^{-a\alpha _{A}(\mathbf {s}\cdot \mathbf {v}^{*})}\varphi (u_{A})^{-(\mathbf {t}\cdot \mathbf {v}^{*})},h)^{S}\\&=e(g,h)^{c}=R, \end{aligned} \end{aligned}$$

which means that \(\sigma _{\mathbf {v}^{*}}=(\frac{T}{g^{c}})^{\frac{1}{S}}=g^{a\alpha _{A}(\mathbf {s}\cdot \mathbf {v}^{*})}\varphi (u_{A})^{(\mathbf {t}\cdot \mathbf {v}^{*})}\).

Therefore, \(\omega =(\frac{(\frac{T}{g^{c}})^{\frac{1}{S}}}{\varphi (u_{A})^{(\mathbf {t}\cdot \mathbf {v}^{*})}})^{\frac{1}{a(\mathbf {s}\cdot \mathbf {v}^{*})}}=g^{\alpha _{A}}\) if \(\mathbf {s}\cdot \mathbf {v}^{*}\ne 0\). The probability of \(\mathbf {s}\cdot \mathbf {v}^{*}= 0\) is bounded as follows:

  1. There is no tuple \((id^{*},\cdot ,\cdot )\) in the signature queries, which means that \((id^*,\sigma ^{*},\mathbf {v}^{*})\) is a type 1.1 forgery. The only information about \(\varsigma _{i}\) for this \(id^{*}\) that \(\mathcal {A}\) can obtain is the value \(H_{1}(id^{*},i)\) (i.e., a function of \(\varsigma _{i}\)). Since all coordinates of the vector \(\mathbf {s}\) are uniform in \(\mathbb {F}_{p}\) and leak no information to \(\mathcal {A}\), and \(\mathbf {v}^{*}\) is a nonzero vector, \(\mathbf {s}\cdot \mathbf {v}^{*}\) is uniform in \(\mathbb {F}_{p}\), implying that the probability of \(\mathbf {s}\cdot \mathbf {v}^{*}= 0\) is \(\frac{1}{p}\) and hence at most \(\frac{1}{2^{k}}\).

  2. There exists a tuple \((id^{*},\cdot ,\cdot )\) in the signature queries, and \(\mathbf {v}^{*}\notin V\) (assuming \(id^{*}\) is the identifier of the vector subspace V), which means that \((id^*,\sigma ^{*},\mathbf {v}^{*})\) is a type 1.2 forgery. As in the case above, \(s_{1},\ldots ,s_{N}\) are uniformly distributed in \(\mathbb {F}_{p}\) and leak no information to \(\mathcal {A}\), so the vector \(\mathbf {s}\) is uniformly distributed in \(V^{\bot }\). Assume that \((\mathbf {y}_{1},\ldots ,\mathbf {y}_{n})\) is a basis of the space \(V^{\bot }\), and let \(\mathbf {s}=\sum ^{n}_{i=1}x_{i}\mathbf {y}_{i}\). Because \(\mathbf {s}\) is uniformly distributed in \(V^{\bot }\), all \(x_{i}\) are uniformly distributed in \(\mathbb {F}_{p}\). Because \(\mathbf {v}^{*}\notin V\), there must be some \(j\in \{1,\ldots ,n\}\) such that \(\mathbf {v}^{*}\cdot \mathbf {y}_{j}\ne 0\), so \(\mathbf {s}\cdot \mathbf {v}^{*}=\sum ^{n}_{i=1}x_{i}(\mathbf {y}_{i}\cdot \mathbf {v}^{*})\) is uniform in \(\mathbb {F}_{p}\), i.e., the probability of \(\mathbf {s}\cdot \mathbf {v}^{*}= 0\) is again \(\frac{1}{p}\) and hence at most \(\frac{1}{2^{k}}\).

In conclusion, \(\mathcal {B}\) can output \(\omega =g^{\alpha _{A}}\) with success probability

\(Adv^{co-CDH}_{\mathcal {B},(\mathbb {G}_{1},\mathbb {G}_{2})}\ge Succ^{UF_{1}}_{\mathcal {A,S}}-\frac{q_{s}(q_{s}+q_{h_{1}})+1}{2^{k}}\).

This completes the proof of Theorem 1.   \(\square \)
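The simulator's choice of \(\mathbf {s}\) in the signature queries, and the two forgery cases analysed above, reduce to a small fact about \(V^{\bot }\) in \(\mathbb {F}^{N}_{p}\): with \(\varsigma _{i}=-\sum _{j}s_{j}v_{ij}\) the vector \(\mathbf {s}\) is orthogonal to every vector of V, while for \(\mathbf {v}^{*}\notin V\) the product \(\mathbf {s}\cdot \mathbf {v}^{*}\) is uniform and vanishes with probability 1/p. The following Python script is an added example, not code from the paper or its authors: it builds augmented basis vectors over a toy prime field, reproduces the simulator's construction of \(\mathbf {s}=(s_{1},\ldots ,s_{n},\varsigma _{1},\ldots ,\varsigma _{m})\), checks \(\mathbf {s}\cdot \mathbf {v}=0\) for every vector in V (including honest combinations), and estimates \(\Pr[\mathbf {s}\cdot \mathbf {v}^{*}=0]\) for a vector \(\mathbf {v}^{*}\notin V\). The function names, the toy primes and the sample vectors are our own assumptions; the group elements, pairings and \(H_{3}\) masking of the actual scheme are deliberately left out, since only the exponent-space argument is being modelled.

```python
# Added example (not from the paper): a toy check, over a small prime field, of the
# linear-algebra step behind the Theorem 1 simulator.  All names below are ours.
import random

P = 7919  # toy prime; the paper's F_p is cryptographically large


def augmented_basis(data_rows, p=P):
    """Augment m data rows of length n with the unit vectors e_1..e_m.

    This is the network-coding augmentation the paper uses: v_i = (data_i || e_i),
    so the last m coordinates of any v in V are its coefficients over the basis.
    """
    m = len(data_rows)
    return [[x % p for x in row] + [1 if k == i else 0 for k in range(m)]
            for i, row in enumerate(data_rows)]


def simulator_s(basis, n, p=P, rng=random):
    """Simulator's vector s = (s_1..s_n, zeta_1..zeta_m), zeta_i = -sum_j s_j v_ij.

    Each basis vector has a 1 in its own augmented slot and 0 in the others, so this
    choice forces s . v_i = 0 for all i, i.e. s lies in V^perp.
    """
    s = [rng.randrange(p) for _ in range(n)]
    zetas = [(-sum(s_j * v[j] for j, s_j in enumerate(s))) % p for v in basis]
    return s + zetas


def dot(a, b, p=P):
    """Inner product over F_p."""
    return sum(x * y for x, y in zip(a, b)) % p


def combine(basis, betas, p=P):
    """sum_i beta_i v_i over F_p: the vector an honest combiner would produce."""
    width = len(basis[0])
    return [sum(b * v[k] for b, v in zip(betas, basis)) % p for k in range(width)]


def in_subspace(vec, basis, n, p=P):
    """Membership test v in V via the augmentation: the only candidate coefficients
    are vec's last m coordinates, so v in V iff they reproduce vec's data part."""
    betas = vec[n:]
    return combine(basis, betas, p)[:n] == [x % p for x in vec[:n]]


def zero_fraction(vec, basis, n, trials, p=P, seed=0):
    """Empirical Pr[s . vec = 0] over fresh random choices of s_1..s_n.

    For vec in V this is exactly 1; for vec not in V it is about 1/p, which is
    the bound the proof uses for type 1.1 and type 1.2 forgeries.
    """
    rng = random.Random(seed)
    zeros = sum(dot(simulator_s(basis, n, p, rng), vec, p) == 0 for _ in range(trials))
    return zeros / trials


if __name__ == "__main__":
    # Constructed sample: a 2-dimensional subspace of F_p^5 (n = 3 data coordinates).
    basis = augmented_basis([[3, 1, 4], [1, 5, 9]])
    s = simulator_s(basis, n=3)
    print("s . v_i for basis vectors:", [dot(s, v) for v in basis])
    v = combine(basis, [7, 11])
    print("honest combination in V:", in_subspace(v, basis, 3), "s . v =", dot(s, v))
    bad = list(v)
    bad[0] = (bad[0] + 1) % P          # tamper with one data coordinate: now bad is not in V
    print("tampered vector in V:", in_subspace(bad, basis, 3), "s . bad =", dot(s, bad))
    small = augmented_basis([[2, 3], [5, 7]], p=101)
    w = combine(small, [4, 9], p=101)
    bad2 = [(w[0] + 1) % 101] + w[1:]
    print("Pr[s . v = 0] for v in V   :", zero_fraction(w, small, 2, 2000, p=101))
    print("Pr[s . v* = 0] for v* not in V (expect ~1/101):",
          zero_fraction(bad2, small, 2, 20000, p=101))
```

Tampering with a single data coordinate of a vector in V changes \(\mathbf {s}\cdot \mathbf {v}\) by exactly \(s_{1}\), which is why the script's last estimate comes out near 1/101: the proof's "uniform in \(\mathbb {F}_{p}\)" claim is just the statement that \(\mathbf {s}\cdot \mathbf {v}^{*}\) is a nonzero linear function of the uniformly random \(s_{j}\).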

6 Proof of Theorem 2

Proof (Adapted from [18]). We assume that \(\mathcal {A}\) is an adversary that breaks UF\(_{2}\) with success probability \(Succ^{UF_{2}}_{\mathcal {A,S}}\), and our goal is to construct an algorithm \(\mathcal {B}\) that solves the CDH problem in \((\mathbb {G}_{1},\mathbb {G}_{2})\): given a bilinear group tuple \(\mathcal {G}=(\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,\varphi )\) and a tuple \((\varphi (h),\varphi (u),g)\), where \(\varphi (h),\varphi (u),g\in \mathbb {G}_{1}\) and \(h,u\in \mathbb {G}_{2}\) with \(u=h^{\alpha _{A}}\), output an element \(\omega \in \mathbb {G}_{1}\) such that \(\omega =g^{\alpha _{A}}\). Note that \(H_{2}\) and \(H_{3}\) are treated as ordinary hash functions in this proof.

\(\mathtt {Setup}\). \(\mathcal {B}\) chooses a positive integer N, then

  1. Chooses \(k_{j}\xleftarrow {R} \mathbb {F}_{p}\), sets \(g_{j}=\varphi (h)^{k_{j}}\) for \(j\in [N]\) and \(cp=(\mathcal {G},p,H_{2},H_{3},h,\{g_{j}\}_{j=1}^N)\), and sets the signer's public key as \(PK_{A}=u_{A}\).

  2. Chooses \(\alpha _{B}\xleftarrow {R}\mathbb {F}^{*}_{p}\), calculates \(u_{B}=h^{\alpha _{B}}\), and sets the designated combiner's secret/public key pair as \((\alpha _{B},u_{B})\). \(\mathcal {B}\) sends cp, \(PK_{A}\), and \(PK_{B}\) to \(\mathcal {A}\).

\(\mathtt {H}_{1}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H_{1}(id,i)\), \(\mathcal {B}\):

  1. If \((id,i)\) has already been defined, directly returns \(H_{1}(id,i)\) to \(\mathcal {A}\).

  2. Otherwise, sets \(H_{1}(id,i)=\varphi (h)^{\tau _{li}}\), where \(\tau _{l}=(\tau _{l1},\ldots ,\tau _{lN})\in \mathbb {F}^{N}_{p}\) and \(\tau =(\tau _{l})_{l=1,2,\ldots }\) constitutes a random tape. \(\mathcal {B}\) returns the tuple \((id,i,H_{1}(id,i))\).

\(\mathtt {Sign\ Queries}\). When \(\mathcal {A}\) requests the designated signature on the vector subspace \(V_{l}\subset \mathbb {F}^{N}_{p}\) represented by the augmented vectors \(\mathbf {v}_{1},\ldots ,\mathbf {v}_{m}\in \mathbb {F}^{N}_{p}\), \(\mathcal {B}\):

  1. Chooses a random identifier \(id_{l}\).

  2. For every \(i\in [m]\), calculates \(H_{1}(id_l,i)\) as in the \(H_{1}\) queries, and then sets \(\mathbf {s}_{li}=(k_{1},\ldots ,k_{n},\overbrace{\underbrace{0,\ldots ,0,\tau _{li}}_{i},0,\ldots ,0}^{m})\).

  3. For every basis vector \(\mathbf {v}_{i}=(v_{i1},\ldots ,v_{iN})\), \(i\in [m]\), calculates \(\widehat{\sigma }_{li}=\varphi (u_{A})^{\mathbf {s}_{li}\cdot \mathbf {v}_{i}}\cdot H_{3}(e(H_{2}(\mathbf {v}_{i}),u_{A})^{\alpha _{B}})\).

  4. Returns \(id_{l}\) and the designated signature \(\widehat{\sigma }_{l}=(\widehat{\sigma }_{l1},\ldots ,\widehat{\sigma }_{lm})\).

\(\mathtt {H}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H(\mathbf {v},R)\), \(\mathcal {B}\):

  1. If \((\mathbf {v},R)\) has already been defined, returns \(H(\mathbf {v},R)\) to \(\mathcal {A}\).

  2. Otherwise, takes the next random \(S_{j}\in \mathbb {F}^{*}_{p}\) from a random tape \(\varsigma =(S_{j})_{j=1,2,\ldots }\), and sets \(H(\mathbf {v},R)=S_{j}\).

\(\mathtt {Combine\ Queries}\). When \(\mathcal {A}\) submits \((id,\{(\mathbf {v}_{k},\widehat{\sigma }_{k},\beta _{k})\}_{k=1}^{l})\) to the combine oracle, \(\mathcal {B}\) checks whether the identifier id already appears in the sign queries, and if so, further checks whether \(\widehat{\sigma }_{k}\) is a valid signature on the vector \(\mathbf {v}_{k}\) for all \(k=1,\ldots ,l\). If both conditions are met, \(\mathcal {B}\):

  1. Calculates \(\mathbf {v}=\sum ^{l}_{k=1}\beta _{k}\mathbf {v}_{k}=(v_{1},\ldots ,v_{N})\) and \(\sigma _{\mathbf {v}_{k}}=\widehat{\sigma }_{k}\cdot (H_{3}(e(H_{2}(\mathbf {v}_{k}),u_{A})^{\alpha _{B}}))^{-1}\) for all \(k\in [l]\).

  2. Calculates \(\sigma _{\mathbf {v}}=\prod ^{l}_{k=1}\sigma _{\mathbf {v}_{k}}^{\beta _{k}}\).

  3. Chooses a random \(T\in \mathbb {G}^{*}_{1}\) and a random integer \(S\in \mathbb {F}^{*}_{p}\), taken successively from the random tapes \(\eta \) and \(\varsigma \), respectively.

  4. Computes \(R=\frac{e(T,h)}{e(\sigma _{\mathbf {v}},h)^{S}}\). We remark that the procedure fails if \(H(\mathbf {v},R)\) has already been defined. Because R is random, the probability of failure during the \(q_{2}\) hash H and combine queries is at most \(2q^{2}_{2}/2^{k}\).

Since \(\mathcal {A}\) can break UF\(_{2}\) with success probability \(Succ^{UF_{2}}_{\mathcal {A},\mathcal {S}}\) within time \(t_{A}\), and the failure probability of this simulation is at most \(2q^{2}_{2}/2^{k}\), \(\mathcal {A}\) can, within time \(t_{A}\), output a valid signature \((R,S,T)\) on a vector \(\mathbf {v}\) with probability at least \(Succ^{UF_{2}}_{\mathcal {A,S}}-2q^{2}/2^{k}\ge \frac{Succ^{UF_{2}}_{\mathcal {A,S}}}{2}\ge \frac{7q}{2^{k}}\) in the simulation.

We assume that the vector \(\mathbf {v}\) belongs to the vector subspace \(V_{\beta }\) labeled by the identifier \(id_{\beta }\). Then we replay the attack with the same \(\eta ,\varsigma \), and with \(\tau =(\tau _{l})_{l=1,2,\ldots }\) unchanged for \(l<\beta \) and randomly chosen for \(l>\beta \). For \(l=\beta \) and all \(i\in [m]\) (m is the dimension of the vector subspace \(V_{\beta }\)), we randomly choose \(\lambda _{i}\in \mathbb {F}^{*}_{p}\) and set \(H_{1}(id_{\beta },i)=g^{\lambda _{i}}\). Note that \(\mathcal {A}\) can no longer query the combine oracle for the identifier \(id_{\beta }\), because \(\mathcal {B}\) is unable to answer such queries.

Using the forking lemma technique of [23] to control the values of the hash functions \(H_{1}\) and H, we obtain, with probability at least 1/9, two valid signatures \((R,S_{1},T_{1})\) and \((R,S_{2},T_{2})\) on the vector \(\mathbf {v}\in V_{\beta }\) after at most \(2/Succ^{UF_{2}}_{\mathcal {A,S}}+14q/Succ^{UF_{2}}_{\mathcal {A,S}}\le 16q/Succ^{UF_{2}}_{\mathcal {A,S}}\) repetitions of the above attack.

We now observe that \(H_{1}(id_{\beta },i)=g^{\lambda _{1i}}\ne g^{\lambda _{2i}}=H'_{1}(id_{\beta },i)\) for all \(i=1,\ldots ,m\). We set \(\mathbf {k}=(k_{1},\ldots ,k_{n})\), \(\mathbf {\lambda }_{t}=(\lambda _{t1},\ldots ,\lambda _{tm})\) for \(t=1,2\), \(\mathbf {v}_{1}=(v_{1},\ldots ,v_{n})\), and \(\mathbf {v}_{2}=(v_{n+1},\ldots ,v_{n+m})\) such that \(\mathbf {v}=(\mathbf {v}_{1}\parallel \mathbf {v}_{2})\), and then compute \(\rho _{1}=\prod ^{m}_{i=1}H_{1}(id_{\beta },i)^{v_{n+i}}\prod ^{n}_{j=1}g_{j}^{v_{j}}=g^{\mathbf {\lambda }_{1}\cdot \mathbf {v_{2}}}\varphi (h)^{\mathbf {k}\cdot \mathbf {v_{1}}}\) and \(\rho _{2}=\prod ^{m}_{i=1}H'_{1}(id_{\beta },i)^{v_{n+i}}\prod ^{n}_{j=1}g_{j}^{v_{j}}=g^{\mathbf {\lambda }_{2}\cdot \mathbf {v_{2}}}\varphi (h)^{\mathbf {k}\cdot \mathbf {v_{1}}}\).

Let \(\sigma _{1}=(S_{1},T_{1})\), and \(\sigma _{2}=(S_{2},T_{2})\). From \(\mathtt {Verify}(PK_{A},id_{\beta },m,\mathbf {v},\sigma _{t})=1\) for \(t=1,2\), we have

$$\begin{aligned} e(T_{1},h)=e(\rho _{1},u_{A})^{S_{1}}R, \end{aligned}$$
(2)

and

$$\begin{aligned} e(T_{2},h)=e(\rho _{2},u_{A})^{S_{2}}R. \end{aligned}$$
(3)

Dividing Eq. (2) by Eq. (3), we obtain

$$\begin{aligned} \begin{aligned} e\left( \frac{T_{1}}{T_{2}},h\right) =\,&e\left( \frac{\rho _{1}}{\rho _{2}},u_{A}\right) ^{S_{1}-S_{2}}\\ =\,&e\left( g^{\mathbf {\lambda }_{1}\cdot \mathbf {v_{2}}-\mathbf {\lambda }_{2}\cdot \mathbf {v_{2}}},h^{\alpha _{A}}\right) ^{S_{1}-S_{2}}\\ =\,&e\left( g^{(\mathbf {\lambda }_{1}-\mathbf {\lambda }_{2})\cdot \mathbf {v_{2}}\alpha _{A}(S_{1}-S_{2})},h\right) .\\ \end{aligned} \end{aligned}$$
(4)

Since the value of \((\mathbf {\lambda }_{1}-\mathbf {\lambda }_{2})\cdot \mathbf {v_{2}}(S_{1}-S_{2})\) is random in \(\mathbb {F}_{p}\), the probability that \((\mathbf {\lambda }_{1}-\mathbf {\lambda }_{2})\cdot \mathbf {v_{2}}(S_{1}-S_{2})=0\) is at most 1/p. Hence \(g^{\alpha _{A}}=(T_{1}/T_{2})^{((S_{1}-S_{2})(\mathbf {\lambda }_{1}-\mathbf {\lambda }_{2})\cdot \mathbf {v_{2}})^{-1}}\), so \(\mathcal {B}\) solves the CDH problem in time \(t_{B}\le \frac{16qt_{A}}{Succ^{UF_{2}}_{\mathcal {A,S}}}\) with probability \(Adv^{CDH}_{\mathcal {B},(\mathbb {G}_{1},\mathbb {G}_{2})}\ge \frac{1}{9}-\frac{1}{p}\). This completes the proof of Theorem 2.   \(\square \)

Copyright information

© 2021 Springer Nature Switzerland AG

Cite this paper

Lin, C., Xue, R., Huang, X. (2021). Linearly Homomorphic Signatures with Designated Combiner. In: Huang, Q., Yu, Y. (eds) Provable and Practical Security. ProvSec 2021. Lecture Notes in Computer Science(), vol 13059. Springer, Cham. https://doi.org/10.1007/978-3-030-90402-9_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-90402-9_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90401-2

  • Online ISBN: 978-3-030-90402-9
