Abstract
Linearly homomorphic signatures provide authenticity services for a series of scenarios such as network coding routing mechanisms and verifiable computation mechanisms. However, most of the present constructions are publicly combinable and verifiable. Motivated by the problem proposed by Rivest, we introduce the concept of a designated combiner into linearly homomorphic signatures. In the new notion, the verification procedure remains public, but the homomorphic operation is infeasible for any entity other than the one designated by the signer (the designated combiner). In addition, we present a specific construction with provable security in the random oracle model.
References
Ahn, J.H., Boneh, D., Camenisch, J., Hohenberger, S., Shelat, A., Waters, B.: Computing on authenticated data. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 1–20. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_1
Ateniese, G., et al.: Provable data possession at untrusted stores. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, 28–31 October 2007, pp. 598–609. ACM (2007)
Ateniese, G., Kamara, S., Katz, J.: Proofs of storage from homomorphic identification protocols. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 319–333. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_19
Attrapadung, N., Libert, B.: Homomorphic network coding signatures in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 17–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_2
Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_23
Bellare, M., Neven, G.: Transitive signatures based on factoring and RSA. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 397–414. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_25
Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_10
Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_1
Boneh, D., Freeman, D., Katz, J., Waters, B.: Signing a linear subspace: signature schemes for network coding. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 68–87. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_5
Boyen, X., Fan, X., Shi, E.: Adaptively secure fully homomorphic signatures based on lattices. IACR Cryptol. ePrint Arch. 2014, 916 (2014)
Catalano, D., Fiore, D., Nizzardo, L.: Programmable hash functions go private: constructions and applications to (homomorphic) signatures with shorter public keys. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 254–274. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_13
Catalano, D., Fiore, D., Warinschi, B.: Efficient network coding signatures in the standard model. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 680–696. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_40
Charles, D.X., Jain, K., Lauter, K.E.: Signatures for network coding. IJICoT 1(1), 3–14 (2009)
Chen, W., Lei, H., Qi, K.: Lattice-based linearly homomorphic signatures in the standard model. Theor. Comput. Sci. 634, 47–54 (2016)
Desmedt, Y.: Computer security by redefining what a computer is. In: Michael, J.B., Ashby, V., Meadows, C.A. (eds.) Proceedings on the 1992–1993 Workshop on New Security Paradigms, 22–24 September 1992 and 3–5 August 1993, Little Compton, RI, USA, pp. 160–166. ACM (1993)
Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
Gennaro, R., Katz, J., Krawczyk, H., Rabin, T.: Secure network coding over the integers. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 142–160. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_9
Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_20
Huang, X., Xiang, Y., Bertino, E., Zhou, J., Xu, L.: Robust multi-factor authentication for fragile communications. IEEE Trans. Dependable Secure Comput. 11(6), 568–581 (2014)
Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_17
Li, J., et al.: Secure distributed deduplication systems with improved reliability. IEEE Trans. Comput. 64(12), 3569–3579 (2015)
Lin, C.-J., Huang, X., Li, S., Wu, W., Yang, S.-J.: Linearly homomorphic signatures with designated entities. In: Liu, J.K., Samarati, P. (eds.) ISPEC 2017. LNCS, vol. 10701, pp. 375–390. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-72359-4_22
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)
Rivest, R.L.: Two signature schemes. Talk at Cambridge University, October 2000. http://people.csail.mit.edu/rivest/pubs/Riv00.slides.pdf
Steinfeld, R., Bull, L., Wang, H., Pieprzyk, J.: Universal designated-verifier signatures. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 523–542. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-40061-5_33
Traverso, G., Demirel, D., Buchmann, J.A.: Homomorphic Signature Schemes: A Survey. SpringerBriefs in Computer Science. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-32115-8
Wang, F., Hu, Y., Wang, B.: Lattice-based linearly homomorphic signature scheme over binary field. Sci. China Inf. Sci. 56(11), 1–9 (2013)
Acknowledgements
This work was supported by National Natural Science Foundation of China (Grant Number 61772514, 61822202, 62172096), and Beijing Municipal Science & Technology Commission (Project Number: Z191100007119006).
Appendices
5 Proof of Theorem 1
Proof (Adapted from [9]). As mentioned above, we assume that \(\mathcal {A}\) is an adversary that breaks UF\(_{1}\) with success probability \(Succ^{UF_{1}}_{\mathcal {A,S}}\), and our goal is to construct an algorithm \(\mathcal {B}\) that solves the co-CDH problem in \((\mathbb {G}_{1},\mathbb {G}_{2})\): given a bilinear group tuple \(\mathcal {G}=(\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,\varphi )\), \(g\in \mathbb {G}_{1}\), and \(h,u\in \mathbb {G}_{2}\) with \(u=h^{\alpha _{A}}\) for an unknown \(\alpha _{A}\in \mathbb {F}^{*}_{p}\), output an element \(\omega \in \mathbb {G}_{1}\) such that \(\omega =g^{\alpha _{A}}\).
\(\mathcal {B}\) maintains two lists, \(H_{1}\)-List and \(H_{2}\)-List, to record the \(H_{1}\) and \(H_{2}\) queries: \(H_{1}\)-List consists of tuples \((id,i,H_{1}(id,i))\) and \(H_{2}\)-List consists of pairs \((\mathbf {v},H_{2}(\mathbf {v}))\). The remaining hash functions \(H_{3}\) and H are treated as ordinary hash functions in this proof.
\(\mathtt {Setup}\). \(\mathcal {B}\) chooses a positive integer N, then:
1. Chooses \(s_{j},t_{j}\xleftarrow {R} \mathbb {F}_{p}\) and sets \(g_{j}=g^{s_{j}}\varphi (h)^{t_{j}}\) for \(j\in [N]\). Chooses \(a\xleftarrow {R}\mathbb {F}^{*}_{p}\) and computes \(u_{A}=u^{a}\). Let \(PK_{A}=u_{A}\) and \(cp=(\mathcal {G},p,H_{3},H,h,\{g_{j}\}_{j=1}^N)\).
2. Sends the pair \((cp,PK_{A})\) to \(\mathcal {A}\).
In response, \(\mathcal {A}\) sends the designated combiner's public key \(PK_{B}=u_{B}\) to \(\mathcal {B}\).
\(\mathtt {H}_{1}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H_{1}(id,i)\), \(\mathcal {B}\):
1. If there exists a tuple \((id,i,H_{1}(id,i))\) in the \(H_{1}\)-List, returns \(H_{1}(id,i)\).
2. Otherwise, chooses \(\varsigma _{i},\tau _{i}\xleftarrow {R}\mathbb {F}_{p}\), sets \(H_{1}(id,i)=g^{\varsigma _{i}}\varphi (h)^{\tau _{i}}\), adds the new tuple \((id,i,H_{1}(id,i))\) to the \(H_{1}\)-List, and returns \(H_{1}(id,i)\) to \(\mathcal {A}\).
\(\mathtt {H}_{2}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H_{2}(\mathbf {v})\), \(\mathcal {B}\):
1. If there exists a pair \((\mathbf {v},H_{2}(\mathbf {v}))\) in the \(H_{2}\)-List, returns \(H_{2}(\mathbf {v})\).
2. Otherwise, chooses \(k\xleftarrow {R}\mathbb {F}_{p}\), sets \(H_{2}(\mathbf {v})=\varphi (h)^{k}\), adds the new pair \((\mathbf {v},H_{2}(\mathbf {v}))\) to the \(H_{2}\)-List, and returns \(H_{2}(\mathbf {v})\) to \(\mathcal {A}\).
\(\mathtt {Sign\ Queries}\). When \(\mathcal {A}\) requests the designated signature on the vector subspace \(V\subset \mathbb {F}^{N}_{p}\) represented by the augmented vectors \(\mathbf {v}_{1},\ldots ,\mathbf {v}_{m}\in \mathbb {F}^{N}_{p}\) (here \(N=n+m\): the first n coordinates of \(\mathbf {v}_{i}\) carry data and the last m coordinates form the unit vector \(\mathbf {e}_{i}\)), \(\mathcal {B}\):
1. Chooses an identifier \(id\xleftarrow {R}\{0,1\}^{k}\). If there exists a tuple \((id,\cdot ,\cdot )\) in the \(H_{1}\)-List, the simulation aborts.
2. For each \(i\in [m]\), computes \(\varsigma _{i}=-\sum ^{n}_{j=1}s_{j}v_{ij}\) and sets \(\mathbf {s}=(s_{1},\ldots ,s_{n},\varsigma _{1},\ldots ,\varsigma _{m})\). Chooses \(\tau _{1},\ldots ,\tau _{m}\xleftarrow {R}\mathbb {F}_{p}\) and sets \(\mathbf {t}=(t_{1},\ldots ,t_{n},\tau _{1},\ldots ,\tau _{m})\).
3. For each \(i\in [m]\), sets \(H_{1}(id,i)=g^{\varsigma _{i}}\varphi (h)^{\tau _{i}}\) (adding the tuple \((id,i,H_{1}(id,i))\) to the \(H_{1}\)-List) and computes \(H_{2}(\mathbf {v}_{i})=\varphi (h)^{k_{i}}\) as in the \(H_{2}\) queries.
4. Computes \(\widehat{\sigma }_{i}=\varphi (u_{A})^{\mathbf {v}_{i}\cdot \mathbf {t}}\cdot H_{3}(e(\varphi (u_{A}),u_{B})^{k_{i}})\) for every \(i\in [m]\).
5. Returns id and the designated signature \(\widehat{\sigma }=(\widehat{\sigma }_{1},\ldots ,\widehat{\sigma }_{m})\).
\(\mathtt {Output}\). If \(\mathcal {B}\) does not abort and a successful adversary \(\mathcal {A}\) outputs an identifier \(id^{*}\), a signature \(\sigma ^{*}\), and a nonzero vector \(\mathbf {v}^{*}\), \(\mathcal {B}\):
1. If \(id^{*}\) never appeared in a signature query, computes \(H_{1}(id^{*},i)\) for all \(i\in [m]\) as in the \(H_{1}\) queries, and sets \(\mathbf {s}=(s_{1},\ldots ,s_{n},\varsigma _{1},\ldots ,\varsigma _{m})\) and \(\mathbf {t}=(t_{1},\ldots ,t_{n},\tau _{1},\ldots ,\tau _{m})\) from the values \(\varsigma _{i},\tau _{i}\) used there.
2. If \(id^{*}\) appeared in a signature query, takes the two vectors \(\mathbf {s}\) and \(\mathbf {t}\) directly from that signature query.
3. Computes \(\omega =(\frac{(\frac{T}{g^{c}})^{\frac{1}{S}}}{\varphi (u_{A})^{(\mathbf {t}\cdot \mathbf {v}^{*})}})^{\frac{1}{a(\mathbf {s}\cdot \mathbf {v}^{*})}}\), where \(\sigma ^{*}=(S,T)\) and c are as in the analysis of the forgery below, and outputs \(\omega \).
\(\mathcal {B}\) simulates the random oracles \(H_{1}\), \(H_{2}\) and the \(\mathtt {Setup}\) algorithm correctly, because all hash values and the elements \(\{g_{j}\}_{j=1}^N\) are uniformly distributed in \(\mathbb {G}_{1}\). Next, we show that if the simulator does not abort, \(\mathcal {B}\) also simulates the \(\mathtt {Sign}\) algorithm correctly. With the public key \(PK_{A}\) and the hash values programmed as above, we have
for \(i=1,\ldots ,m\). By the construction of \(\mathbf {s}\) in the signature queries, \(\mathbf {s}\cdot \mathbf {v}_{i}=0\) for every i (i.e., \(\mathbf {s}\in V^{\bot }\)), so the last two expressions in (1) coincide. Thus \(\mathcal {B}\) simulates the \(\mathtt {Sign}\) algorithm correctly.
We now show that the probability that \(\mathcal {B}\) aborts the simulation is negligible. An abort happens in one of two situations:
- \(\mathcal {B}\) chooses the same identifier id in two different signature queries. This probability is at most \(\frac{q_{s}^{2}}{2^{k}}\).
- \(\mathcal {B}\) chooses, in a signature query, an identifier id for which a tuple \((id,\cdot ,\cdot )\) already exists in the \(H_{1}\)-List because of an earlier \(H_{1}\) query. This probability is at most \(\frac{q_{s}\cdot q_{h_{1}}}{2^{k}}\).
Here \(q_{s}\) and \(q_{h_{1}}\) denote the numbers of signature queries and \(H_{1}\) queries, respectively.
Assume that the simulator does not abort and that the adversary \(\mathcal {A}\) finally outputs a signature \(\sigma ^{*}\), an identifier \(id^{*}\), and a nonzero vector \(\mathbf {v}^{*}\) such that \(\mathtt {Verify}(PK_{A},id^{*},m,\mathbf {v}^{*},\sigma ^{*})=1\), where \(\sigma ^{*}=(S,T)\), \(S=H(\mathbf {v}^{*},R)\), and \(R=e(g,h)^{c}\) for an integer \(c\in \mathbb {F}_{p}\) chosen by \(\mathcal {A}\). Then we have
which means that \(\sigma _{\mathbf {v}^{*}}=(\frac{T}{g^{c}})^{\frac{1}{S}}=g^{a\alpha _{A}(\mathbf {s}\cdot \mathbf {v}^{*})}\varphi (u_{A})^{(\mathbf {t}\cdot \mathbf {v}^{*})}\).
Therefore \(\omega =(\frac{(\frac{T}{g^{c}})^{\frac{1}{S}}}{\varphi (u_{A})^{(\mathbf {t}\cdot \mathbf {v}^{*})}})^{\frac{1}{a(\mathbf {s}\cdot \mathbf {v}^{*})}}=g^{\alpha _{A}}\) whenever \(\mathbf {s}\cdot \mathbf {v}^{*}\ne 0\). We bound the probability that \(\mathbf {s}\cdot \mathbf {v}^{*}=0\) in the two possible cases:
1. No tuple \((id^{*},\cdot ,\cdot )\) appears in the signature queries, so \((id^*,\sigma ^{*},\mathbf {v}^{*})\) is a type 1.1 forgery. The only information \(\mathcal {A}\) obtains about \(\varsigma _{i}\) for this \(id^{*}\) is the value \(H_{1}(id^{*},i)=g^{\varsigma _{i}}\varphi (h)^{\tau _{i}}\), which is independent of \(\varsigma _{i}\) because \(\tau _{i}\) is uniform in \(\mathbb {F}_{p}\) and hidden from \(\mathcal {A}\). Hence all coordinates of \(\mathbf {s}\) are uniform in \(\mathbb {F}_{p}\) from \(\mathcal {A}\)'s point of view. Since \(\mathbf {v}^{*}\) is a nonzero vector, \(\mathbf {s}\cdot \mathbf {v}^{*}\) is uniform in \(\mathbb {F}_{p}\), so the probability that \(\mathbf {s}\cdot \mathbf {v}^{*}=0\) is \(\frac{1}{p}\), which is at most \(\frac{1}{2^{k}}\).
2. A tuple \((id^{*},\cdot ,\cdot )\) appears in the signature queries and \(\mathbf {v}^{*}\notin V\), where V is the vector subspace signed under \(id^{*}\), so \((id^*,\sigma ^{*},\mathbf {v}^{*})\) is a type 1.2 forgery. As in the previous case, \(s_{1},\ldots ,s_{n}\) are uniformly distributed in \(\mathbb {F}_{p}\) and hidden from \(\mathcal {A}\), so the vector \(\mathbf {s}\) is uniformly distributed in \(V^{\bot }\). Let \((\mathbf {y}_{1},\ldots ,\mathbf {y}_{n})\) be a basis of \(V^{\bot }\) and write \(\mathbf {s}=\sum ^{n}_{i=1}x_{i}\mathbf {y}_{i}\); since \(\mathbf {s}\) is uniform in \(V^{\bot }\), the coefficients \(x_{i}\) are uniform in \(\mathbb {F}_{p}\). Because \(\mathbf {v}^{*}\notin V\), there is some \(j\in \{1,\ldots ,n\}\) with \(\mathbf {v}^{*}\cdot \mathbf {y}_{j}\ne 0\), so \(\mathbf {s}\cdot \mathbf {v}^{*}=\sum ^{n}_{i=1}x_{i}(\mathbf {y}_{i}\cdot \mathbf {v}^{*})\) is uniform in \(\mathbb {F}_{p}\); again the probability that \(\mathbf {s}\cdot \mathbf {v}^{*}=0\) is \(\frac{1}{p}\), which is at most \(\frac{1}{2^{k}}\).
In conclusion, \(\mathcal {B}\) can output \(\omega =g^{\alpha _{A}}\) with success probability
\(Adv^{co-CDH}_{\mathcal {B},(\mathbb {G}_{1},\mathbb {G}_{2})}\ge Succ^{UF_{1}}_{\mathcal {A,S}}-\frac{q_{s}(q_{s}+q_{h_{1}})+1}{2^{k}}\).
This completes the proof of Theorem 1. \(\square \)
6 Proof of Theorem 2
Proof (Adapted from [18]). We assume that \(\mathcal {A}\) is an adversary that breaks UF\(_{2}\) with success probability \(Succ^{UF_{2}}_{\mathcal {A,S}}\), and our goal is to construct an algorithm \(\mathcal {B}\) that solves the CDH problem in \((\mathbb {G}_{1},\mathbb {G}_{2})\): given a bilinear group tuple \(\mathcal {G}=(\mathbb {G}_{1},\mathbb {G}_{2},\mathbb {G}_{T},e,\varphi )\) and a tuple \((\varphi (h),\varphi (u),g)\) with \(\varphi (h),\varphi (u),g\in \mathbb {G}_{1}\), where \(h,u\in \mathbb {G}_{2}\) satisfy \(u=h^{\alpha _{A}}\) for an unknown \(\alpha _{A}\), output an element \(\omega \in \mathbb {G}_{1}\) such that \(\omega =g^{\alpha _{A}}\). In this proof \(H_{2}\) and \(H_{3}\) are treated as ordinary hash functions, while \(H_{1}\) and H are random oracles.
\(\mathtt {Setup}\). \(\mathcal {B}\) chooses a positive integer N, then:
1. Chooses \(k_{j}\xleftarrow {R} \mathbb {F}_{p}\) and sets \(g_{j}=\varphi (h)^{k_{j}}\) for \(j\in [N]\), sets \(cp=(\mathcal {G},p,H_{2},H_{3},h,\{g_{j}\}_{j=1}^N)\), and sets the signer's public key as \(PK_{A}=u_{A}\), the element u of the problem instance; the corresponding secret key \(\alpha _{A}\) is unknown to \(\mathcal {B}\).
2. Chooses \(\alpha _{B}\xleftarrow {R}\mathbb {F}^{*}_{p}\), computes \(u_{B}=h^{\alpha _{B}}\), and sets the designated combiner's secret/public key pair as \((\alpha _{B},PK_{B}=u_{B})\). \(\mathcal {B}\) sends cp, \(PK_{A}\), and \(PK_{B}\) to \(\mathcal {A}\).
\(\mathtt {H}_{1}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H_{1}(id,i)\), \(\mathcal {B}\):
1. If (id, i) has already been defined, returns \(H_{1}(id,i)\) to \(\mathcal {A}\).
2. Otherwise, sets \(H_{1}(id,i)=\varphi (h)^{\tau _{li}}\), where l indexes the distinct identifiers in order of first appearance, \(\tau _{l}=(\tau _{l1},\ldots ,\tau _{lN})\in \mathbb {F}^{N}_{p}\), and \(\tau =(\tau _{l})_{l=1,2,\ldots }\) constitutes a random tape. \(\mathcal {B}\) returns \(H_{1}(id,i)\) to \(\mathcal {A}\).
\(\mathtt {Sign\ Queries}\). When \(\mathcal {A}\) requests the designated signature on the vector subspace \(V_{l}\subset \mathbb {F}^{N}_{p}\) represented by the augmented vectors \(\mathbf {v}_{1},\ldots ,\mathbf {v}_{m}\in \mathbb {F}^{N}_{p}\), \(\mathcal {B}\):
1. Chooses a random identifier \(id_{l}\).
2. For each \(i\in [m]\), computes \(H_{1}(id_l,i)\) as in the \(H_{1}\) queries, and sets \(\mathbf {s}_{li}=(k_{1},\ldots ,k_{n},\overbrace{\underbrace{0,\ldots ,0,\tau _{li}}_{i},0,\ldots ,0}^{m})\), i.e., \(\tau _{li}\) sits in the i-th of the last m coordinates.
3. For each basis vector \(\mathbf {v}_{i}=(v_{i1},\ldots ,v_{iN})\), \(i\in [m]\), computes \(\widehat{\sigma }_{li}=\varphi (u_{A})^{\mathbf {s}_{li}\cdot \mathbf {v}_{i}}\cdot H_{3}(e(H_{2}(\mathbf {v}_{i}),u_{A})^{\alpha _{B}})\). This is a correctly distributed designated signature: since the last m coordinates of \(\mathbf {v}_{i}\) form the unit vector \(\mathbf {e}_{i}\), we have \(\prod ^{n}_{j=1}g_{j}^{v_{ij}}\cdot H_{1}(id_{l},i)=\varphi (h)^{\mathbf {s}_{li}\cdot \mathbf {v}_{i}}\), and \(\varphi (h)^{\alpha _{A}}=\varphi (u_{A})\).
4. Returns \(id_{l}\) and the designated signature \(\widehat{\sigma }_{l}=(\widehat{\sigma }_{l1},\ldots ,\widehat{\sigma }_{lm})\).
\(\mathtt {H}\) \(\mathtt {Queries}\). When \(\mathcal {A}\) requests the value of \(H(\mathbf {v},R)\), \(\mathcal {B}\):
1. If \((\mathbf {v},R)\) has already been defined, returns \(H(\mathbf {v},R)\) to \(\mathcal {A}\).
2. Otherwise, takes the next random \(S_{j}\in \mathbb {F}^{*}_{p}\) from a random tape \(\varsigma =(S_{j})_{j=1,2,\ldots }\), sets \(H(\mathbf {v},R)=S_{j}\), and returns it to \(\mathcal {A}\).
\(\mathtt {Combine\ Queries}\). When \(\mathcal {A}\) submits \((id,\{(\mathbf {v}_{k},\widehat{\sigma }_{k},\beta _{k})\}_{k=1}^{l})\) to the combine oracle, \(\mathcal {B}\) checks whether the identifier id already appears in the sign queries and, if so, whether \(\widehat{\sigma }_{k}\) is a valid designated signature on the vector \(\mathbf {v}_{k}\) for all \(k=1,\ldots ,l\). If both conditions hold, \(\mathcal {B}\):
1. Computes \(\mathbf {v}=\sum ^{l}_{k=1}\beta _{k}\mathbf {v}_{k}=(v_{1},\ldots ,v_{N})\) and strips the designated mask, \(\sigma _{\mathbf {v}_{k}}=\widehat{\sigma }_{k}\cdot (H_{3}(e(H_{2}(\mathbf {v}_{k}),u_{A})^{\alpha _{B}}))^{-1}\) for all \(k\in [l]\), which it can do because it holds \(\alpha _{B}\).
2. Computes \(\sigma _{\mathbf {v}}=\prod ^{l}_{k=1}\sigma _{\mathbf {v}_{k}}^{\beta _{k}}\).
3. Chooses a random \(T\in \mathbb {G}^{*}_{1}\) and a random integer \(S\in \mathbb {F}^{*}_{p}\), taken successively from the random tapes \(\eta \) and \(\varsigma \), respectively.
4. Computes \(R=\frac{e(T,h)}{e(\sigma _{\mathbf {v}},h)^{S}}\), programs \(H(\mathbf {v},R)=S\), and returns the signature (S, T). The procedure fails if \(H(\mathbf {v},R)\) has already been defined. Let q denote the total number of H and Combine queries; because R is random, the probability of such a failure over all q queries is at most \(2q^{2}/2^{k}\).
Since \(\mathcal {A}\) breaks UF\(_{2}\) with success probability \(Succ^{UF_{2}}_{\mathcal {A},\mathcal {S}}\) within time \(t_{A}\), and the simulation fails with probability at most \(2q^{2}/2^{k}\), \(\mathcal {A}\) outputs, within time \(t_{A}\), a valid signature (R, S, T) on a vector \(\mathbf {v}\) with probability at least \(Succ^{UF_{2}}_{\mathcal {A,S}}-2q^{2}/2^{k}\ge \frac{Succ^{UF_{2}}_{\mathcal {A,S}}}{2}\ge \frac{7q}{2^{k}}\) in the simulation (the last two inequalities hold as soon as \(Succ^{UF_{2}}_{\mathcal {A,S}}\ge \max (4q^{2},14q)/2^{k}\)).
Suppose the vector \(\mathbf {v}\) belongs to the vector subspace \(V_{\beta }\) with identifier \(id_{\beta }\). We then replay the attack with the same \(\eta \) and \(\varsigma \), with \(\tau =(\tau _{l})_{l=1,2,\ldots }\) unchanged for \(l<\beta \) and freshly random for \(l>\beta \). For \(l=\beta \) and all \(i\in [m]\) (m being the dimension of the vector subspace \(V_{\beta }\)), we choose \(\lambda _{i}\xleftarrow {R}\mathbb {F}^{*}_{p}\) and set \(H_{1}(id_{\beta },i)=g^{\lambda _{i}}\). Note that \(\mathcal {A}\) can no longer query the combine oracle for the identifier \(id_{\beta }\), because \(\mathcal {B}\) would be unable to answer.
Using the forking lemma technique of [23] to control the values of the hashes \(H_{1}\) and H, we obtain, with probability at least 1/9, two valid signatures \((R,S_{1},T_{1})\) and \((R,S_{2},T_{2})\) on the vector \(\mathbf {v}\in V_{\beta }\) after at most \(2/Succ^{UF_{2}}_{\mathcal {A,S}}+14q/Succ^{UF_{2}}_{\mathcal {A,S}}\le 16q/Succ^{UF_{2}}_{\mathcal {A,S}}\) repetitions of the above attack.
We now observe that \(H_{1}(id_{\beta },i)=g^{\lambda _{1i}}\ne g^{\lambda _{2i}}=H'_{1}(id_{\beta },i)\) for all \(i=1,\ldots ,m\), where \(H_{1}\) and \(H'_{1}\) denote the oracle in the first and second execution, respectively. Set \(\mathbf {k}=(k_{1},\ldots ,k_{n})\), \(\mathbf {\lambda }_{t}=(\lambda _{t1},\ldots ,\lambda _{tm})\) for \(t=1,2\), \(\mathbf {v}_{1}=(v_{1},\ldots ,v_{n})\), and \(\mathbf {v}_{2}=(v_{n+1},\ldots ,v_{n+m})\), so that \(\mathbf {v}=(\mathbf {v}_{1}\parallel \mathbf {v}_{2})\). Then \(\rho _{1}=\prod ^{m}_{i=1}H_{1}(id_{\beta },i)^{v_{n+i}}\prod ^{n}_{j=1}g_{j}^{v_{j}}=g^{\mathbf {\lambda }_{1}\cdot \mathbf {v}_{2}}\varphi (h)^{\mathbf {k}\cdot \mathbf {v}_{1}}\) and \(\rho _{2}=\prod ^{m}_{i=1}H'_{1}(id_{\beta },i)^{v_{n+i}}\prod ^{n}_{j=1}g_{j}^{v_{j}}=g^{\mathbf {\lambda }_{2}\cdot \mathbf {v}_{2}}\varphi (h)^{\mathbf {k}\cdot \mathbf {v}_{1}}\).
Let \(\sigma _{1}=(S_{1},T_{1})\), and \(\sigma _{2}=(S_{2},T_{2})\). From \(\mathtt {Verify}(PK_{A},id_{\beta },m,\mathbf {v},\sigma _{t})=1\) for \(t=1,2\), we have
and
Dividing (2) by (3), and using that R is the same in both executions, yields \(e(T_{1}/T_{2},h)=e(\rho _{1}^{S_{1}}\rho _{2}^{-S_{2}},u_{A})\), hence
\(T_{1}/T_{2}=(\rho _{1}^{S_{1}}\rho _{2}^{-S_{2}})^{\alpha _{A}}=g^{\alpha _{A}(S_{1}\mathbf {\lambda }_{1}-S_{2}\mathbf {\lambda }_{2})\cdot \mathbf {v}_{2}}\cdot \varphi (u)^{(\mathbf {k}\cdot \mathbf {v}_{1})(S_{1}-S_{2})}\).
\(\mathcal {B}\) knows \(\varphi (u)\) from the CDH instance as well as \(\mathbf {k}\), \(\mathbf {v}\), \(S_{1},S_{2}\) and \(\mathbf {\lambda }_{1},\mathbf {\lambda }_{2}\), so it can divide out the second factor. Since \(\mathbf {\lambda }_{2}\) is chosen fresh in the replay and \(\mathbf {v}_{2}\ne 0\) (a nonzero \(\mathbf {v}\in V_{\beta }\) has a nonzero augmentation part), the exponent \((S_{1}\mathbf {\lambda }_{1}-S_{2}\mathbf {\lambda }_{2})\cdot \mathbf {v}_{2}\) is zero with probability at most \(1/(p-1)\). Otherwise
\(g^{\alpha _{A}}=\left(\frac{T_{1}}{T_{2}}\cdot \varphi (u)^{-(\mathbf {k}\cdot \mathbf {v}_{1})(S_{1}-S_{2})}\right)^{((S_{1}\mathbf {\lambda }_{1}-S_{2}\mathbf {\lambda }_{2})\cdot \mathbf {v}_{2})^{-1}}\),
so \(\mathcal {B}\) solves the CDH problem in time \(t_{B}\le \frac{16qt_{A}}{Succ^{UF_{2}}_{\mathcal {A,S}}}\) with probability \(Adv^{CDH}_{\mathcal {B},(\mathbb {G}_{1},\mathbb {G}_{2})}\ge \frac{1}{9}-\frac{1}{p-1}\). This completes the proof of Theorem 2. \(\square \)
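As an added worked example (not code from the paper), the following Python script checks the algebra behind both reductions: the simulated-versus-real signature identity and the designated mask of the Sign queries in the proof of Theorem 1, the extraction step of that proof, and the forking extraction at the end of the proof of Theorem 2. It writes every group element as its discrete logarithm modulo p (so \(g^{x}\) is stored as x, \(h^{y}\) as y, \(e(g,h)^{z}\) as z, \(\varphi (h)=g^{\theta }\) for a constructed \(\theta \)), which turns each identity into linear arithmetic mod p. The prime, \(\theta \), all keys, the hash model for \(H_{3}\) and the sample data vectors are constructed for the example; discrete logs are in the clear, so the script checks correctness of the identities only and says nothing about hardness.

```python
"""In-the-exponent sanity check of the reductions for Theorems 1 and 2.

g^x in G_1 is stored as x mod p, h^y in G_2 as y, e(g,h)^z in G_T as z: the
group law is addition, exponentiation is multiplication, phi(h^y) = g^{theta*y}
and e(g^x, h^y) = e(g,h)^{x*y}.  Constructed parameters; correctness only.
"""
import hashlib
import secrets

P = (1 << 61) - 1  # prime group order (constructed)


def rnd():
    """Uniform element of F_p^* (constructed randomness)."""
    return secrets.randbelow(P - 1) + 1


def inv(x):
    return pow(x % P, P - 2, P)


def dot(x, y):
    return sum(a * b for a, b in zip(x, y)) % P


def h3(z):
    """H_3 : G_T -> G_1, modelled as SHA-256 of the G_T exponent reduced mod p."""
    return int.from_bytes(hashlib.sha256(str(z).encode()).digest(), "big") % P


def augment(data_vectors):
    """Augmented basis v_i = (data_i || e_i) of V in F_p^N, N = n + m."""
    m = len(data_vectors)
    return [list(d) + [int(i == j) for j in range(m)] for i, d in enumerate(data_vectors)]


def theorem1_extract(theta, alpha, data_vectors):
    """B of Theorem 1 run against a type 1.2 forger.  Returns the exponent of
    B's output omega; it equals alpha when the extraction formula is right."""
    n, m = len(data_vectors[0]), len(data_vectors)
    basis = augment(data_vectors)
    # Setup: g_j = g^{s_j} phi(h)^{t_j}; PK_A = u^a, so the signing key is a*alpha.
    s, t, a = [rnd() for _ in range(n)], [rnd() for _ in range(n)], rnd()
    sk_A = a * alpha % P
    phi_uA = theta * sk_A % P                      # phi(PK_A) in G_1
    # Sign query: H_1(id,i) = g^{varsigma_i} phi(h)^{tau_i}, varsigma_i = -sum_j s_j v_ij.
    varsigma = [(-dot(s, v[:n])) % P for v in basis]
    tau = [rnd() for _ in range(m)]
    s_full, t_full = s + varsigma, t + tau         # the vectors s and t of the proof
    alpha_B, k = rnd(), rnd()                      # combiner key; H_2(v_i) = phi(h)^k
    for v in basis:
        real = sk_A * (dot(s_full, v) + theta * dot(t_full, v)) % P   # (prod)^{a*alpha}
        simulated = phi_uA * dot(t_full, v) % P                       # phi(u_A)^{t . v_i}
        assert real == simulated                   # s . v_i = 0 makes them agree
        # Designated mask: signer uses e(phi(u_A),u_B)^k, combiner e(H_2(v),u_A)^{alpha_B}.
        z_signer = phi_uA * alpha_B * k % P
        z_combiner = (theta * k) * sk_A * alpha_B % P
        assert z_signer == z_combiner
        masked = (simulated + h3(z_signer)) % P    # sigma_hat_i
        assert (masked - h3(z_combiner)) % P == simulated
    # Forgery on v* = v_1 + (e_1 || 0), which lies outside V (nonzero data part,
    # zero augmentation part), signed with sk_A; B is told c as the proof assumes.
    w = [1] + [0] * (n - 1)
    v_star = [(x + y) % P for x, y in zip(basis[0], w + [0] * m)]
    sigma_star = sk_A * (dot(s_full, v_star) + theta * dot(t_full, v_star)) % P
    c, S = rnd(), rnd()                            # R = e(g,h)^c, S = H(v*, R)
    T = (c + S * sigma_star) % P                   # T = g^c * sigma^S
    denom = a * dot(s_full, v_star) % P
    if denom == 0:                                 # probability 1/p: B fails
        return None
    return (((T - c) * inv(S) - phi_uA * dot(t_full, v_star)) * inv(denom)) % P


def theorem2_extract(theta, alpha, data_vectors, coeffs, S1, S2):
    """Forking step of Theorem 2: two signatures on the same v in V_beta with the
    same R, under H_1(id_beta,i) = g^{lambda_1i} resp. g^{lambda_2i}."""
    n, m = len(data_vectors[0]), len(data_vectors)
    basis = augment(data_vectors)
    k = [rnd() for _ in range(n)]                  # g_j = phi(h)^{k_j}
    phi_u = theta * alpha % P                      # phi(u) from the CDH instance
    v = [sum(cf * x for cf, x in zip(coeffs, col)) % P for col in zip(*basis)]
    v1, v2 = v[:n], v[n:]                          # v = (v_1 || v_2)
    lam = [[rnd() for _ in range(m)] for _ in range(2)]
    c = rnd()                                      # same R = e(g,h)^c in both runs
    T = []
    for lam_t, S_t in ((lam[0], S1), (lam[1], S2)):
        rho = (dot(lam_t, v2) + theta * dot(k, v1)) % P     # rho_t
        T.append((c + S_t * alpha * rho) % P)               # T_t = g^c (rho_t^{alpha})^{S_t}
    denom = (S1 * dot(lam[0], v2) - S2 * dot(lam[1], v2)) % P
    if denom == 0:                                 # probability at most 1/(p-1)
        return None
    # T_1/T_2 = g^{alpha (S_1 lambda_1 - S_2 lambda_2) . v_2} phi(u)^{(k . v_1)(S_1 - S_2)}
    return ((T[0] - T[1] - phi_u * dot(k, v1) * (S1 - S2)) * inv(denom)) % P
```

Both functions return the exponent that \(\mathcal {B}\) outputs; for any choice of data vectors it equals alpha, which is the statement \(\omega =g^{\alpha _{A}}\). The None return covers the event, of probability about 1/p, where the divisor in the extraction vanishes. Note that theorem1_extract hands c to \(\mathcal {B}\) exactly as the proof of Theorem 1 assumes, and that the Theorem 2 extraction has to divide out the \(\varphi (u)^{(\mathbf {k}\cdot \mathbf {v}_{1})(S_{1}-S_{2})}\) factor before taking the root.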
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Lin, C., Xue, R., Huang, X. (2021). Linearly Homomorphic Signatures with Designated Combiner. In: Huang, Q., Yu, Y. (eds) Provable and Practical Security. ProvSec 2021. Lecture Notes in Computer Science(), vol 13059. Springer, Cham. https://doi.org/10.1007/978-3-030-90402-9_18
DOI: https://doi.org/10.1007/978-3-030-90402-9_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90401-2
Online ISBN: 978-3-030-90402-9