1 Introduction

Structure-preserving signatures (SPS) [AFG+10] are defined over groups of prime order p equipped with a bilinear map (pairing), and their messages are group elements. SPS on equivalence classes, or equivalence class signatures (EQS) for short, introduced by Hanser and Slamanig [HS14] and later refined [FHS19], sign vectors of (non-zero) group elements, that is, messages are from \(M=(\mathbb {G}^*)^\ell \) for a group \(\mathbb {G}\) (where \(\ell =2\) suffices for most applications). Compared to standard signature schemes, EQS provide an additional functionality Adapt: given the public key, a signature \(\sigma \) on \(m\in M\) and \(\mu \in \mathbb {Z}_p^*\), Adapt returns, without requiring the signing key, a signature on the message \(\mu \cdot m\). Signing \(m\in M\) thus authenticates the equivalence class \([m]_\sim \), where \(m\sim m':\Leftrightarrow \exists \,\mu \in \mathbb {Z}_p^*:m'=\mu \cdot m\). Unforgeability means that after querying signatures on (polynomially many) messages \(m_1,m_2,\dots \), no adversary can compute a signature for any \(m^*\) with \(m^*\notin [m_1]\cup [m_2]\cup \dots \).

A second security notion is class-hiding, meaning that it is hard to distinguish a random message pair \((m,m')\) from the same class (i.e., \(m\sim m'\)) from a random pair . Note that this is equivalent to the hardness of the decisional Diffie-Hellman (DDH) problem in \(\mathbb {G}\). The third property is signature adaptation (under malicious keys): it states that, even if a public key pk was set up maliciously, when running \(\sigma '\leftarrow \) Adapt\((\textit{pk},m,\sigma ,\mu )\) for a \(\sigma \) valid on m, then \(\sigma '\) is uniformly random in the set of all valid signatures on \(\mu \cdot m\).

Together with class-hiding, this yields the following guarantee against malicious signers, which lies at the core of applications of EQS: after issuing a signature \(\sigma \) on a message m, when later given \(\mu \cdot m\) and \(\sigma '\leftarrow \textsf{Adapt}({ pk},m,\sigma ,\mu )\) for , the signer cannot distinguish \((\sigma ',\mu \cdot m)\) from a random signature on a random message valid under \(\textit{pk}\).

The original work [FHS19] gives a very efficient construction of EQS with signatures consisting of 2 elements from \(\mathbb {G}\) and 1 from \(\hat{\mathbb {G}}\) (the other source group of the asymmetric pairing). Unforgeability is proved directly in the generic group model [Nec94, Sho97, Mau05].

Applications of EQS. Since their introduction, equivalence class signatures have been used to instantiate numerous cryptographic concepts.

Anonymous Credentials. The first application of EQS were attribute-based credentials (ABC) [CL03]. In an ABC scheme, users are issued credentials for a set of attributes they possess. Users can then selectively disclose attributes, that is, show that they possess any subset of their attributes. Anonymity requires that no one can tell whether two showings were done by the same user and that they reveal nothing about the non-disclosed attributes.

To showcase the power of EQS, the authors [FHS19] use it to construct the first ABC scheme for which the communication complexity of showing a credential is independent of the number of (possessed or shown) attributes. In their scheme, a credential is an EQS signature \(\sigma \) on a (randomizable) commitment \(c\in M\) to the user’s attributes; when a user wants to prove she owns certain attributes, she adapts \(\sigma \) for \(\mu \cdot c\) for and opens the commitment \(\mu \cdot c\) to the disclosed attributes. Anonymity (even against malicious credential issuers) follows from the adaptivity properties of EQS. Note that this construction avoids using zero-knowledge proofs to hide signatures, which are a source of inefficiency in many prior constructions. (Interactive proofs could still be required to prevent replay attacks.) Slamanig and others added the possibility of revoking users to the credential scheme [DHS15] and constructed credentials that allow outsourcing of sensitive computation to a restricted device [HS21].

EQS were generalized by considering adaptivity within equivalence classes not only for messages but also for keys, termed “signatures with flexible public key” [BHKS18] or “mercurial signatures” [CL19, CL21, CLPK22]. Mercurial signatures were used to construct delegatable anonymous credentials [BCC+09] with non-interactive delegation [Fuc11]. New credentials constructions from EQS are still being proposed [MSBM23, MBG+23].

Group Signatures. EQS were used to construct efficient group signatures [DS16, CS20], in particular supporting dynamic adding of members [DS18]. Group signatures, as well as ring signatures, have also been constructed from the generalization of EQS to adaptable public keys [BHKS18].

Blind Signatures. Another line of research uses EQS to construct blind signatures, which let a user obtain a signature on a message that remains hidden from the signer. This builds on earlier work [BFPV13], which uses randomizable zero-knowledge proofs [FP09] and thus requires a trusted common reference string (CRS). In contrast, the EQS-based schemes [FHS15, FHKS16] do not assume common reference strings or random oracles and achieve blindness against malicious signers, leveraging the adaptivity property of EQS. Moreover, the schemes are round-optimal [Fis06], meaning the signing protocol consists of one message from the user to the signer and one message back; such schemes are thus concurrently secure [HKKL07] by default. Hanzlik [Han23] went further and used the FHS EQS scheme to construct non-interactive blind signatures on random messages.

Other Cryptographic Primitives. EQS also yield [HRS15] verifiably encrypted signatures. Access-control encryption [DHO16] was efficiently instantiated using EQS [FGKO17], as well as [BLL+19] sanitizable signatures [ACdMT05] and privacy-preserving incentive systems from EQS [BEK+20]. The FHS scheme [FHS19] was used [HPP20] to instantiate highly scalable mix nets and [ST21] the anonymous authentication protocol EPID. It was also used for the most efficient instantiation of anonymous counting tokens [BRS23].

Constructions from Standard Assumptions. Despite applications of EQS requiring neither CRS nor random oracles, the first instantiation of EQS [FHS19] only has a proof in the generic group model (GGM). Therefore, calling constructions using that scheme “standard-model” has attracted some criticism [KM19]. This motivated the search for constructions from falsifiable [Nao03] assumptions, that is, assumptions where the challenger that sets up the problem instance can efficiently decide whether an adversary has broken the assumption. The assumption that a given EQS satisfies unforgeability is for example not falsifiable, since, by the class-hiding property, deciding whether the adversary’s message lies in one of the queried classes is hard.

The first EQS from falsifiable assumptions was proposed by Fuchsbauer and Gay [FG18], based on Matrix-Diffie-Hellman assumptions [EHK+13]. However, its signatures can only be adapted once (after which they change format) and the scheme only satisfies a weakened security notion: when querying a signature, the unforgeability adversary must provide the discrete logarithms of the queried messages. Note that this unforgeability notion is efficiently decidable.

Unfortunately, the notion of signature adaptation that the scheme achieves assumes honest keys and honest signatures, which excludes all applications except to access control encryption, as later argued [KSD19].

Motivated by this, Khalili, Slamanig and Dakhilalian [KSD19] propose an EQS construction from the SXDH assumption (i.e., DDH is hard in \(\mathbb {G}\) and \(\hat{\mathbb {G}}\)) with signatures in \(\mathbb {G}^8\times \hat{\mathbb {G}}^9\). Building on this work, Connolly, Lafourcade and Perez-Kempner [CLPK22] propose a more efficient scheme (with signatures in \(\mathbb {G}^9\times \hat{\mathbb {G}}^4\)), which requires an additional assumption (extKerMDH). A drawback of both schemes is that they assume a trusted CRS to achieve signature adaptation under malicious keys. Sadly, this foils the main security benefit of EQS-based constructions: anonymity guarantees (against blind signers or credential issuers, etc.) without any trust assumptions in the standard model. We note that for schemes with a uniform CRS (of group elements) the CRS could be generated “transparently” by hashing (into the group). Formally, one would then need to prove adaptation security in the ROM.

A recent work [BFR24] points out a flaw in the security proofs of the CRS-based schemes [KSD19, CLPK22] and thus their security is currently unclear. (A game hop in the unforgeability proofs modifies the adversary’s view and the change in its advantage is then bounded by the advantage of a reduction in solving a computational problem. But since EQS-unforgeability is not efficiently decidable, the reduction would not be efficient.)

The current state of affairs remains thus that the only scheme enabling trust-less applications is FHS [FHS19], and it is only proven secure in the GGM. This poses two independent questions: can we prove stronger security guarantees for FHS; and do there exist more efficient schemes? Since any EQS scheme can be transformed into a structure-preserving signature (SPS) scheme without changing the signature format [FHS15], known impossibility results for SPS imply the following: First, the signature size of FHS is optimal, since 3 group elements per signature are necessary [AGHO11]. Second, FHS cannot be proven secure from a non-interactive assumption via an algebraic reduction, since this is the case for all 3-element schemes [AGO11].

Since the second result only applies to 3-element schemes, the question that has been open for a decade remains: do there exist (less efficient) instantiations of EQS with a security proof from a non-interactive assumption at all? We answer this in the negative for black-box reductions that run the unforgeability adversary once.

Impossibility Results. To prove our result, we use the meta-reduction technique: one assumes that a reduction \(\mathcal R\) (with certain properties, such as being algebraic or being tight) exists; that is, when given access to an adversary that breaks the scheme, \(\mathcal R\) can efficiently solve a (conjectured-to-be-hard) computational problem. One then derives a contradiction by showing how to use \(\mathcal R\) to break a computational assumption. Building on earlier work [BV98], Coron [Cor02] first used this technique to show that there is no tight security proof for the RSA full-domain hash signature scheme. (A reduction has tightness \(\phi \) if it can use an adversary breaking the scheme with probability \(\epsilon \) to break the underlying assumption with probability at least \(\phi \cdot \epsilon \)). His result was later revisited by Kakvi and Kiltz [KK12].

Hofheinz, Jager and Knapp [HJK12] extended Coron’s ideas to Waters signatures [Wat05] and, more generally, any re-randomizable signature scheme. These schemes let anyone transform a signature on a message into a random signature on that message. They show that a reduction can have tightness at most \(\phi =1/\varOmega (q)\), where q is the number of signing queries, as follows. Assume there exists a reduction \(\mathcal R\), which must thus break the computational assumption using the following (inefficient) adversary: \(\mathcal A\) makes queries on random messages and then returns a random signature on a random message \(m^*\). The authors construct a(n efficient) meta-reduction \(\mathcal M\) that simulates \(\mathcal A\): to obtain the signature on \(m^*\), \(\mathcal M\) rewinds \(\mathcal R\), that is, it runs \(\mathcal R\) again on the same randomness; \(\mathcal M\) then queries a signature on \(m^*\), randomizes it and returns it as the forgery in the first run (re-randomizability is thus crucial for the simulation of the adversary).

If the hardness assumption holds, then it must be the case that either \(\mathcal R\) cannot provide a signature on \(m^*\), or \(\mathcal R\) cannot use the randomized signature to break the assumption. Intuitively, every message m is thus “signable” (i.e., the reduction can provide a signature), or “exploitable” (i.e., the reduction can use a forgery on m to break the assumption). The probability that all messages queried by \(\mathcal A\) are signable and \(\mathcal A\)’s forgery is exploitable is thus bounded by the inverse of the number of signing queries, which yields the upper-bound on tightness. Since EQS are randomizable (by running Adapt with \(\mu =1\)), this readily implies that EQS cannot be proven tightly secure.
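As an added illustration (not part of the original paper) of why the signable/exploitable split caps tightness at \(\phi =1/\varOmega (q)\), consider the following simplifying idealization: S and E are disjoint, a uniformly random message lies in S with probability s and in E with probability \(1-s\), and the q queried messages and the forgery message are sampled independently. The reduction can only make use of \(\mathcal A\) when all q queries are signable and the forgery is exploitable, so even for an adversary with \(\epsilon =1\) its success probability is at most

$$\begin{aligned} \max _{s\in [0,1]} \; s^q\,(1-s) \;=\; \Big (\frac{q}{q+1}\Big )^{q}\cdot \frac{1}{q+1} \;<\; \frac{1}{q+1}\ , \end{aligned}$$

where the maximum is attained at \(s=q/(q+1)\), since \(\frac{d}{ds}\big (s^q(1-s)\big ) = s^{q-1}\big (q-(q+1)s\big )\). Under these assumptions any reduction therefore has \(\phi \le 1/(q+1)\), i.e. \(\phi = 1/\varOmega (q)\).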

Meta-reductions have also been used to prove impossibility or optimality results about Schnorr signatures [PV05, Seu12, GBL08, FJS14], and more general statements [FF13]. Bader et al. [BJLS16] consider the multi-user setting and extend Coron’s technique to other cryptographic primitives.

Fischlin and Schröder [FS10] show that no three-move blind signature scheme can be proved secure from non-interactive assumptions if it satisfies certain conditions. One might wonder whether, together with the fact that EQS were used by FHS [FHS15] to construct round-optimal (i.e., two-move) blind signatures, this already implies the impossibility of EQS from non-interactive assumptions.

This is not the case. The blind-signature construction [FHS15] only satisfies computational blindness, a case Fischlin and Schröder deal with in their full version. For their impossibility to hold, they must assume that blindness of the scheme holds relative to two oracles (Definition A.3 in the full version), of which “\(\varSigma ^c_\textsf {sk}\)”, given a public key, returns a matching secret key. For FHS this means solving discrete logarithms, which can be used to break blindness.

Our Result

Statement. Our result can be (simplified and) summarized as follows (as done in Corollary 1):

Let \(\varSigma \) be an EQS scheme with signature-adaptivity under malicious keys. Let \(\varPi \) be a (non-interactive) computational problem and \(\mathcal {R}\) be a reduction from \(\varPi \) that runs an adversary \(\mathcal A\) against unforgeability of \(\varSigma \) once, so that if \(\mathcal A\) wins with probability \(\epsilon \), then \(\mathcal {R}\) breaks \(\varPi \) with probability at least \(\phi \cdot \epsilon \).

Then there exist an adversary \(\mathcal {B}\) against unforgeability of \(\varSigma \) running in constant time, as well as the following, which run in time linear in that of \(\mathcal {R}\): meta-reductions \(\mathcal {M}\), attacking \(\varPi \), and \(\mathcal {D}\), attacking class-hiding (CH) of \(\varSigma \), such that

$$\begin{aligned} \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} + \textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}} + \textsf{Adv}^{{{\textrm{CH}}}}_{\varSigma ,\mathcal {D}^\mathcal {R}} \ge {\phi ^5}/{384}\ . \end{aligned}$$
(1)

(By \(\textsf{Adv}^{{{\textrm{X}}}}_{[\varSigma ,]\mathcal Y}\) we denote \(\mathcal Y\)’s advantage in breaking the notion X [for scheme \(\varSigma \)] and \(\mathcal{Y}^{\mathcal{Z}}\) denotes that \(\mathcal Y\) has oracle access to \(\mathcal{Z}\).)

This implies that if the reduction for unforgeability is successful (i.e., \(\phi \) is not “small”) then either \(\varSigma \) does not satisfy CH, or the problem \(\varPi \) is not hard. Considering asymptotic security would yield that if the three advantages in Eq. (1) are negligible then so will be the success probability of the reduction.

Implications for Extensions of EQS. Since mercurial signatures and “signatures with flexible public key” are EQS with additional functionality, one would expect our result to carry over. However, all existing constructions [CL19, BHKS18, CL21, CLPK22] only consider adaptation under honest keys (arguably, because anonymity of the resulting delegatable credential schemes is only weak anyway), whereas our result requires adaptation under malicious keys.

Proof Ideas. The central idea for our impossibility result is to leverage the following discrepancy: for falsifiable assumptions the challenger can efficiently determine whether the adversary has won, whereas this cannot be efficiently done for unforgeability of an EQS scheme \(\varSigma \). In particular, consider an unforgeability adversary \(\mathcal A\) that queries a signature on a single message m and then returns a signature on some \(m^*\). According to the definition of EQS-unforgeability, if \(m\sim m^*\), that is, they are from the same class, then the adversary has not won; if \(m\not \sim m^*\) then it has won. Now consider a reduction \(\mathcal {R}\) to a falsifiable assumption \(\varPi \), which runs such an adversary. In case (\(\not \sim \)) the reduction must break \(\varPi \) with good probability, whereas in case (\(\sim \)) it cannot: this is because a case-(\(\sim \)) adversary \(\mathcal{A}_\sim \) can be efficiently implemented using signature adaptation: it queries a signature on m and adapts it to one on \(m^*\). The reduction combined with the adversary (\(\mathcal {R}^{\mathcal{A}_\sim }\)) would thus be an efficient algorithm for solving \(\varPi \).

Distinguishing case (\(\sim \)) from (\(\not \sim \)) corresponds to breaking class-hiding (CH), where CH is equivalent to DDH being hard in the underlying group. It seems thus that we can use reduction \(\mathcal {R}\) to break CH, i.e., DDH: Construct the following meta-reduction \(\mathcal{M}_1\) that is given \((m,m^*)\) and has to decide if \(m\sim m^*\): \(\mathcal{M}_1\) queries a signature \(\sigma ^*\) on \(m^*\), rewinds the reduction, queries m and returns \((m^*,\sigma ^*)\). The meta-reduction concludes that \(m\sim m^*\) iff \(\mathcal {R}\) fails to solve \(\varPi \).

A problem ignored so far is that a reduction will typically not be able to exploit a signature \(\sigma ^*\) it created itself; otherwise, it could just solve \(\varPi \) on its own. We thus define the adversaries \(\mathcal{A}_\sim \) and \(\mathcal{A}_{\not \sim }\) simulated to \(\mathcal R\) as follows: given the public key, they sample (where M is the message space) and query a signature on m; next they sample \(m^*\): \(\mathcal{A}_\sim \) samples and \(\mathcal{A}_{\not \sim }\) samples ; they then sample a random signature \(\sigma ^*\) from the set of all valid signatures on \(m^*\) and return \(\sigma ^*\). (This is analogous to the proof of the impossibility of tight reductions for re-randomizable signatures [HJK12].)

Define meta-reduction \(\mathcal{M}_2\) as follows: given a class-hiding instance \((m,m^*)\), it simulates \(\mathcal{A}_\sim \) or \(\mathcal{A}_{\not \sim }\) (not knowing which) by obtaining a signature \(\sigma '\) on \(m^*\) via rewinding and using Adapt (with \(\mu =1\)) to transform \(\sigma '\) to a uniform \(\sigma ^*\); decide according to whether \(\mathcal {R}\) breaks \(\varPi \).

This proof strategy only works for perfect reductions, which break \(\varPi \) whenever an adversary returns a forgery. Using the ideas for re-randomizable signatures [HJK12], this could be used to show that there are no tight reductions. However, we have not yet excluded the existence of non-tight reductions, such as partitioning reductions [Cor00, BLS01, Wat05]: given the problem instance, such reductions set up the public key (or program the random oracle in a way) so that they can answer signing queries for a subset S of messages, whereas for messages from another subset E, they can “exploit” forgeries to solve the problem.

Reductions that Partition Along Classes. To see how \(\mathcal{M}_2\), defined above, fails for a non-tight reduction, assume \(\mathcal{R}^p\) partitions the message space M “along classes”, that is, if some m is in S (the set of “signable” messages) then all the messages of its class [m] are, and if \(m\in E\) (the set of “exploitable” messages) then \([m]\subseteq E\). We first observe that S and E must be (almost) disjoint, as otherwise \(\mathcal{R}^p\) can solve the problem \(\varPi \) on its own (by producing a signature and then exploiting it). This case is reflected in the first term in Eq. (1) via an adversary \(\mathcal {B}\) that simply aborts if it receives an invalid signature.

Applying \(\mathcal{M}_2\) to \(\mathcal{R}^p\) yields the following: if the signatures on m and \(m^*\) returned by \(\mathcal{R}^p\) are valid, they both come from S, either in the same class or not; in both cases, since S and E are (almost) disjoint, \(\sigma ^*\) will (almost certainly) not be exploitable by \(\mathcal{R}^p\). Thus, \(\mathcal{M}_2\) cannot exploit \(\mathcal{R}^p\): either one of the signatures is invalid, or \(\mathcal{R}^p\) will not solve the problem (no matter whether \(m\sim m^*\) or not).

While this shows that the strategy \(\mathcal{M}_2\) does not work for a reduction \(\mathcal{R}^p\) that partitions along classes, a different meta-reduction \(\mathcal D\) (which is the one used in our proof and appearing in Eq. (1)) can actually exploit \(\mathcal{R}^p\) to distinguish classes: given an instance \((m,m^*)\), \(\mathcal D\) queries a signature on m, and (after rewinding) it queries a signature on \(m^*\); if (a) one of them is valid and the other one isn’t, it deduces that \(m\not \sim m^*\), whereas if (b) they are both valid or both invalid, it guesses \(m\sim m^*\). Since \(\mathcal{R}^p\) partitions along classes, if (\(\sim \)) then (b) must occur, whereas if (\(\not \sim \)) then (a) occurs with good probability. For the last argument, we show, again via \(\mathcal {B}\), that the sets S and E must both be “big” for a “good” reduction.

Other Reductions. So far, we have discussed that no reduction that partitions entire classes (into “simulatable” and “exploitable”) can exist. The first question this raises is what to do about non-partitioning reductions. It turns out that we can view any reduction \(\mathcal {R}\) as partitioning: let r be \(\mathcal {R}\)’s randomness given to it as explicit input and let \(\textit{st}\) be \(\mathcal {R}\)’s internal state (which incorporates r) after returning the public key pk. For a fixed st, \(\mathcal {R}\)’s next step, \(\mathcal{R}.\textsf{sign}\), which takes as input st and a query m and returns \(\sigma \), is then a deterministic function.

For any \((\textit{st},\textit{pk})\) we now define \(S_{\textit{st},\textit{pk}}\) as the set of messages m for which \(\mathcal{R}.\textsf{sign}(\textit{st},m)\) returns a signature valid under \(\textit{pk}\). Similarly, \(\mathcal{R}.\textsf{fin}\) taking a state and a forgery \((m,\sigma )\) and returning a solution for \(\varPi \) is deterministic. We define \(E_{\textit{st},\textit{pk}}\) as the set of messages \(m^*\) for which, if \(\mathcal {R}\) is given st and a uniform valid signature on \(m^*\), it solves the \(\varPi \)-instance with a probability greater than a threshold we set.

It remains to show that a reduction \(\mathcal{R}'\) that does not partition along classes cannot exist either. For such \(\mathcal{R}'\), there are (many) classes which contain (many) messages in S as well as (many) messages in E. Now we can use signature-adaptation to directly attack the underlying problem \(\varPi \) (and thus, if the problem is hard to begin with, then no such reduction can exist). We construct a meta-reduction \(\mathcal M\) (appearing in Eq. (1)) against \(\varPi \), analogous to \(\mathcal {R}^{\mathcal{A}_\sim }\) from the beginning of the proof intuition. Given an instance of \(\varPi \), \(\mathcal M\) runs \(\mathcal{R}'\) to receive \(\textit{pk}\) and queries a signature \(\sigma \) on a message ; it then runs \(\sigma ^*\leftarrow \) Adapt\((\textit{pk},m,\sigma ,\mu )\) for . The forgery returned by \(\mathcal M\) is thus a uniform signature on a random message \(m^*\) in [m]. Thus, since there are many classes with many elements in S and many elements in E, there is a “good” probability that \(m\in S\) and \(m^*\in E\), meaning \(\mathcal{R}'\) solves the problem instance.

Challenges. Turning the above intuition (with all its “many”, “big”, “almost certainly”, etc.) into a rigorous proof turns out to be quite tricky. We need to argue that our meta-reductions really cover all possible reduction strategies. That is, we must show that if both \(\mathcal B\) (the trivial adversary) and \(\mathcal M\) (the meta-reduction that returns a forgery on a multiple of the queried message) fail, then the correlation between classes and the partitioning by S and E must be high enough so that \(\mathcal D\) can decide whether two messages m and \(m^*\) are from the same class. What complicates the computation of probabilities are dependencies between random variables. Moreover, the above sets S and E depend on the intermediate values generated by the reduction (and these sets are of the form \(S_{\textit{st},\textit{pk}}\) and \(E_{\textit{st},\textit{pk}}\)), whereas the success of the reduction is guaranteed for random \(\textit{st}\) and \(\textit{pk}\).

Proof Overview. The first meta-reduction \(\mathcal M_1\) (simulating \(\mathcal{A}_\sim \) or \(\mathcal{A}_{\not \sim }\)) with which we started discussing proof ideas is not used in our proof. \(\mathcal M_1\) only works for reductions that have both signable and exploitable messages in many classes, but for these, \(\mathcal M\) (from two paragraphs above) can directly break \(\varPi \): it runs the reduction on a problem instance, queries a signature on a random message m, adapts it to a random multiple \(\mu \cdot m\), and returns it to the reduction. The latter solves the instance if m is signable (\(m\in S\)) and \(\mu \cdot m\) is exploitable (\(\mu \cdot m\in E\)).

Using \(\mathcal M\), our proof first establishes that for an exploitable message there cannot be many signable messages in the same class (Lemmas 1 and 2). This shows that (roughly) classes contain either signable or exploitable messages but not both. We also show that there must be many signable messages, as otherwise the reduction does not correctly simulate the game to the adversary (Lemma 3, which constructs a “trivial” adversary \(\mathcal B\)); moreover, there cannot be too few exploitable messages either, as otherwise the reduction is not successful (Lemmas 5 and 6).

Together, this yields that while overall there are many signable messages, there are also many classes that contain (almost) none (since the exploitable messages must also be somewhere). This can be leveraged by the meta-reduction \(\mathcal D\) (also previously discussed) against class-hiding: given an instance \((m,m^*)\), \(\mathcal D\) asks the reduction for signatures on both. If exactly one of the messages is signable, then they are likely to be in different classes. This suffices to obtain an advantage solving class-hiding. (Note that \(\mathcal D\) need not “fully” simulate an adversary outputting a forgery.)

To make this argument formal, we port the above properties to the level of state/public-key pairs \((\textit{st},\textit{pk})\), which corresponds to the point when the reduction starts running the adversary on \(\textit{pk}\). This is done so that the proof can leverage the conditional independence of uniformly sampled messages falling into S or E, respectively. Let \(I^{(S)}\) be the set of pairs \((\textit{st},\textit{pk})\) for which there are “sufficiently many” signable messages and let \(I^{(\cap )}\) be the set of pairs \((\textit{st},\textit{pk})\) which have very few classes that have many signable and exploitable messages. We show that \(I^{(S)}\) is large (Lemma 4), that \(I^{(\cap )}\) is large (Lemmas 7 and 8) and that their intersection is large (Lemma 9).

These lemmas yield that (for many state/public-key pairs) there is a correlation between whether two messages are in the same class and whether these two messages are signable, which is what the success of the meta-reduction \(\mathcal D\) against class-hiding relies on. This is made formal in Theorem 1.

2 Preliminaries

2.1 Notation

For a prime p, by \(\mathbb {Z}_p^*\) we denote the non-zero elements of the finite field \(\mathbb {Z}_p := \mathbb {Z}/p\mathbb {Z}\). In this paper we will consider a fixed group \((\mathbb {G},+)\) of prime order p. Define its non-zero elements \(\mathbb {G}^*:=\mathbb {G}\setminus \{0_\mathbb {G}\}\). We will denote by \(k\cdot g := \sum _1^k g\). Note that \(\mathbb {G}\) having prime order implies that for \(g \ne 0_\mathbb {G}\) and \(k\ne 0\) we have \(k\cdot g \ne 0_\mathbb {G}\). We will naturally extend this operation to vectors by applying the operation “\(\cdot \)” defined above component-wise: for \(m = (g_1,g_2) \in (\mathbb {G}^*)^2\) and \(k\in \mathbb {Z}_p^*\) define \(k \cdot m := (k\cdot g_1,k\cdot g_2)\). Let g denote a fixed generator of \(\mathbb {G}\), which exists due to p being prime. For a set A denote by \(\bar{A}\) the complement of A.

Assigning a value b to a variable a is denoted by \(a := b\). When a denotes the output of a probabilistic algorithm B write \(a \leftarrow B\), while drawing a value a uniformly from a finite set A is denoted by .

2.2 DDH

In this work we consider a concrete security treatment, that is, we do not consider “negligible” advantages, but concretely relate the security of a scheme to the hardness of an underlying computational problem. The decisional Diffie-Hellman (DDH) problem will be of central importance.

Definition 1

Define for a group \(\mathbb {G}\) of prime order p with g generating \(\mathbb {G}\) the \(\textrm{DDH}\)-Game, played by an adversary \(\mathcal {A}\) for \(b\in \{0,1\}\) as:

[Figure: the \(\textrm{DDH}^b_{\mathbb {G},\mathcal {A}}\) game (pseudocode not reproduced)]

Define the advantage of an adversary \(\mathcal {A}\) as

$$ \textsf{Adv}^{{{\textrm{DDH}}}}_{\mathbb {G},\mathcal {A}}:= \left| \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \textrm{DDH}_{\mathbb {G},\mathcal {A}}^1= 1\right] - \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \textrm{DDH}_{\mathbb {G},\mathcal {A}}^0=1\right] \right| . $$
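An added toy example (not from the paper) of the correspondence, stated in the introduction, between class-hiding and DDH, written against Definition 1. The group is \((\mathbb {Z}_P,+)\) for a small prime P, so \(k\cdot g\) is \(k\,g \bmod P\); this group has no DDH hardness at all (discrete logs are a modular division), which is why the toy "adversary" wins outright, but the instance conversions `ddh_tuple_as_pair` and `pair_as_ddh_tuple` are exactly the reductions in the two directions and carry over unchanged to any prime-order group. The pseudocode figure for the DDH game is not in the extracted text, so `ddh_instance` follows the standard formulation, with all scalars non-zero so that both halves of a tuple are messages in \(M=(\mathbb {G}^*)^2\). All names, the prime P and the sampling code are mine.

```python
import random

P = 1009  # constructed toy prime; the group is (Z_P, +), written additively as in the paper
G = 1     # fixed generator g of (Z_P, +)


def smul(k, m):
    """k . m for a message m = (g1, g2) in (G*)^2, applied component-wise."""
    return ((k * m[0]) % P, (k * m[1]) % P)


def same_class(m, m2):
    """m ~ m2 iff there is mu in Z_P^* with m2 = mu . m.  In (Z_P, +) mu is read off the
    first component (a discrete log); in a cryptographic group this decision is class-hiding."""
    mu = (m2[0] * pow(m[0], -1, P)) % P
    return mu != 0 and smul(mu, m) == m2


def ddh_instance(b):
    """Input of the DDH^b game (standard formulation, since the paper's figure is not on the page):
    (g, a.g, b'.g, c.g) with c = a*b' for b = 1 and c uniform otherwise.  Scalars are drawn from
    Z_P^* so that (g, a.g) and (b'.g, c.g) are both messages in (G*)^2."""
    a, bb = random.randrange(1, P), random.randrange(1, P)
    c = (a * bb) % P if b == 1 else random.randrange(1, P)
    return (G, a * G % P, bb * G % P, c * G % P)


def class_hiding_instance(b):
    """Class-hiding game as described in the introduction: a pair from one class (b = 1)
    or a uniformly random pair of messages (b = 0)."""
    m = (random.randrange(1, P), random.randrange(1, P))
    if b == 1:
        return m, smul(random.randrange(1, P), m)
    return m, (random.randrange(1, P), random.randrange(1, P))


def ddh_tuple_as_pair(inst):
    """(g, A, B, C) read as messages m = (g, A), m' = (B, C): then m ~ m' iff C = (a*b').g,
    so a class-hiding distinguisher breaks DDH."""
    g, A, B, C = inst
    return (g, A), (B, C)


def pair_as_ddh_tuple(m, m2):
    """Conversely (m, m') is the DDH tuple (m1, m2, m1', m2') with base m1: same class iff it is
    a DDH tuple, so a DDH solver breaks class-hiding."""
    return (m[0], m[1], m2[0], m2[1])


def ddh_solver(inst):
    """Toy DDH adversary: in (Z_P, +) the discrete log of A to base g is a modular division."""
    g, A, B, C = inst
    a = (A * pow(g, -1, P)) % P
    return 1 if (a * B) % P == C else 0


def class_hiding_from_ddh(pair):
    """Class-hiding distinguisher obtained from the DDH solver through the conversion above."""
    return ddh_solver(pair_as_ddh_tuple(*pair))


def advantage(distinguisher, instance, trials=2000):
    """Empirical Adv = |Pr[Game^1 = 1] - Pr[Game^0 = 1]| in the shape of Definition 1."""
    p1 = sum(distinguisher(instance(1)) for _ in range(trials)) / trials
    p0 = sum(distinguisher(instance(0)) for _ in range(trials)) / trials
    return abs(p1 - p0)


if __name__ == "__main__":
    print("DDH advantage of the toy solver:", advantage(ddh_solver, ddh_instance))
    print("class-hiding advantage via DDH:", advantage(class_hiding_from_ddh, class_hiding_instance))
```

In the toy group both advantages come out at \(1-1/(P-1)\) up to sampling noise: the solver is always right on b = 1 and is fooled on b = 0 only when the random scalar happens to equal the product. In a group where DDH is hard, the same two conversions show that an efficient distinguisher for either game would give one for the other, which is the equivalence the introduction refers to.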

2.3 EQS Signature Schemes

For concreteness, we consider Equivalence Class Signature schemes for the message space \(M:= (\mathbb {G}^*)^2\). (All our results easily generalize to \((\mathbb {G}^*)^\ell \) for \(\ell >2\)). This message space is partitioned into equivalence classes by the following relation for \(m,m' \in M\):

$$ m \sim m'\,:\Leftrightarrow \, \exists \, \mu \, \in \mathbb {Z}^*_p : m' = \mu \cdot m. $$

Define the set of classes of \(M\) as \(\mathcal {C}:= M/_\sim \). An EQS Scheme for message space \(M\) consists of the following algorithms:

  • \({ \textsf {Keygen}}()\): a probabilistic algorithm that outputs a key pair \((\textit{sk},\textit{pk})\) with \(\textit{pk}\in PK \), the public key space.

  • \({ \textsf {Sign}}(\textit{sk},m)\): a probabilistic algorithm that takes a secret key \(\textit{sk}\) and a message \(m\in M\) and outputs a signature \(\sigma \in \mathbb {S}\), where \(\mathbb {S}\) is the (finite) signature space.

  • \({ \textsf {Verify}}(\textit{pk},m,\sigma )\): a deterministic algorithm taking a public key \(\textit{pk}\), a message \(m\in M\) and a signature \(\sigma \) and outputting 1 if the triple is valid and 0 otherwise.

  • \({ \textsf {Adapt}}(\textit{pk},m,\sigma ,\mu )\): a probabilistic algorithm taking a public key \(\textit{pk}\), a message \(m\in M\), a signature \(\sigma \) on m and a scalar \(\mu \in \mathbb {Z}_p^*\) as inputs and outputting a signature \(\sigma ' \in \mathbb {S}\) on the message \(\mu \cdot m\).

By \([{ \textsf {Keygen}}]\) we will denote the set of pairs \((\textit{sk},\textit{pk})\) that have non-zero probability of being output by \({ \textsf {Keygen}}\). The next definition ensures that \({ \textsf {Sign}}\) and \({ \textsf {Adapt}}\) generate valid signatures.

Definition 2

An EQS scheme is correct if for all \(m \in M\) and for all \((\textit{sk},\textit{pk})\in [{ \textsf {Keygen}}]\) and for all \(\mu \in \mathbb {Z}^*_p\) it holds that

$$\begin{aligned} &\mathop {\mathrm {\textrm{Pr}}}\limits [{ \textsf {Verify}}(\textit{pk},m,{ \textsf {Sign}}(\textit{sk},m))=1]=1 \qquad \text {and}\\ &\mathop {\mathrm {\textrm{Pr}}}\limits [{ \textsf {Verify}}(\textit{pk}, \mu \cdot m, { \textsf {Adapt}}(pk, m, { \textsf {Sign}}(\textit{sk},m), \mu )) =1]=1. \end{aligned}$$

The following definition [FHS19, Definition 20] guarantees that signatures returned by Adapt are distributed uniformly.

Definition 3

An EQS scheme perfectly adapts signatures under malicious keys if for all tuples \((\textit{pk},m,\sigma ,\mu ) \in \textit{PK} \times M \times \mathbb {S} \times \mathbb {Z}^*_p\) for which

$$ { \textsf {Verify}}(\textit{pk},m,\sigma )=1 $$

the output of \(\sigma '\leftarrow { \textsf {Adapt}}(\textit{pk},m,\sigma ,\mu )\) is a uniformly random element of \(\mathbb {S}\) conditioned on \({ \textsf {Verify}}(\textit{pk},\mu \cdot m, \sigma ')=1\).

Unforgeability is defined via a game. It starts by generating a key pair and initializing the set Q of messages for whose class a query has been issued. It then hands over the public key to \(\mathcal {A}\), giving it access to an oracle \(\mathcal {O}\). The oracle, when queried with a message m, adds the class of m to Q. In the end \(\mathcal {A}\) outputs a message/signature pair \((m^*,\sigma ^*)\), which is considered a forgery if it is valid and no oracle query has been asked on the equivalence class of \(m^*\).

Definition 4

For an EQS scheme \(\varSigma \) and for a forger \(\mathcal {A}\) that has access to a signing oracle \(\mathcal {O}\), which can modify the set Q and has access to \(\textit{sk}\), we define the \(\textrm{UNF}\) game as follows:

figure l

where \([m] := \{m' \in M\mid m \sim m'\}\) is the equivalence class of m. Define the advantage of an adversary \(\mathcal {A}\) as

$$ \textsf{Adv}^{{{\textrm{UNF}}}}_{\varSigma ,\mathcal {A}} := \mathop {\mathrm {\textrm{Pr}}}\limits [\textrm{UNF}_{\varSigma ,\mathcal {A}} = 1]. $$

The next definition requires it to be hard to distinguish message pairs from the same class from random pairs.

Definition 5

Let \(\varSigma \) be an EQS scheme with message space M. Define the Class-hiding game played by an adversary \(\mathcal {D}\) for \(b\in \{0,1\}\):

figure m

The advantage of \(\mathcal {D}\) is defined as

$$ \textsf{Adv}^{{{\textrm{CH}}}}_{\varSigma , \mathcal {D}} := \left| \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \textrm{CH}_{\varSigma ,\mathcal {D}}^1 = 1\right] - \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \textrm{CH}_{\varSigma ,\mathcal {D}}^0 = 1\right] \right| . $$

The proof of the following is straightforward and given in [FHS19].

Proposition 1

([FHS19, Proposition 1]). Let \(\mathbb {G}\) be a group of prime order p and \(\varSigma \) an EQS scheme with \(M=(\mathbb {G}^*)^2\). Then \(\varSigma \) is class-hiding if and only if \(\textrm{DDH}\) is hard in \(\mathbb {G}\); in particular, we have \(\textsf{Adv}^{{{\textrm{CH}}}}_{\varSigma , \mathcal {A}}= \textsf{Adv}^{{{\textrm{DDH}}}}_{\mathbb {G},\mathcal {A}}\) for all \(\mathcal {A}\).
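As an added example (not code from the paper), the following Python toy models the message space \(M=(\mathbb {G}^*)^2\) over a small constructed group, enumerates an equivalence class \([m]\), and implements the DDH-to-class-hiding direction of Proposition 1, i.e. the rerandomisation that turns a DDH tuple into a CH challenge. The group (safe prime 2039, generator 4), all function names, and the fact that exponents are tracked so the hidden relation can be checked are assumptions of the example; a real class-hiding adversary has no such view.

```python
"""Toy model of the EQS message space M = (G*)^2, its classes, and the
DDH -> class-hiding direction of Proposition 1.  Added example, not code from
the paper; the group parameters are constructed and far too small to be secure."""
import secrets

# Safe prime P = 2q + 1: the squares mod P form a group G of prime order q.
P, Q = 2039, 1019
G = 4  # a square, hence a generator of the order-q subgroup
assert pow(G, Q, P) == 1 and G != 1


def rand_scalar():
    """Uniform element of Z_q^* (non-zero, so messages stay in (G*)^2)."""
    return 1 + secrets.randbelow(Q - 1)


def elem(x):
    """The group element g^x."""
    return pow(G, x % Q, P)


def scale(m, mu):
    """The action mu . m = (m1^mu, m2^mu) on a message m in M = (G*)^2.
    This is the operation Adapt tracks: signing m authenticates {mu . m}."""
    return tuple(pow(mi, mu, P) for mi in m)


def class_of(m):
    """[m] = {m' in M | m ~ m'}, enumerated by brute force (q - 1 elements)."""
    return {scale(m, mu) for mu in range(1, Q)}


def same_class_from_exponents(x, y):
    """For m = (g^x1, g^x2) and m' = (g^y1, g^y2): m ~ m' iff y = mu * x for a
    non-zero mu, i.e. x1*y2 == x2*y1 (mod q).  Deciding this needs the exponents
    (or a pairing); without them it is exactly the DDH problem, per Prop. 1."""
    (x1, x2), (y1, y2) = x, y
    return (x1 * y2 - x2 * y1) % Q == 0


def ch_instance(b):
    """Challenge of the class-hiding game (Definition 5).  b = 1: m' = mu . m for
    uniform mu; b = 0: m' is an independent uniform message.  The exponents are
    returned only so that the caller can verify the hidden relation."""
    x = (rand_scalar(), rand_scalar())
    if b == 1:
        mu = rand_scalar()
        y = (mu * x[0] % Q, mu * x[1] % Q)
    else:
        y = (rand_scalar(), rand_scalar())
    return (elem(x[0]), elem(x[1])), (elem(y[0]), elem(y[1])), x, y


def ddh_instance(b):
    """DDH challenge (g^a, g^b, g^c): c = a*b for bit 1, c uniform for bit 0."""
    a, bb = rand_scalar(), rand_scalar()
    c = a * bb % Q if b == 1 else rand_scalar()
    return (elem(a), elem(bb), elem(c)), (a, bb, c)


def ddh_to_ch(A, B, C):
    """Rerandomise a DDH tuple into a class-hiding challenge (DDH -> CH direction
    of Proposition 1).  With fresh s, t:  m = s . (g, A) and m' = t . (B, C).
    If C = g^(ab) then m' = (t*b/s) . m, so the pair is a same-class pair; if c
    is uniform, (bt, ct) is a uniform exponent pair independent of m, so (m, m')
    is a random pair.  A CH distinguisher run on (m, m') therefore decides the
    DDH tuple with the same advantage."""
    s, t = rand_scalar(), rand_scalar()
    m = (elem(s), pow(A, s, P))
    m_prime = (pow(B, t, P), pow(C, t, P))
    return m, m_prime, (s, t)


def check_reduction(b):
    """Run ddh_to_ch on a fresh DDH challenge with bit b and return whether the
    produced pair really lies in one class (decided with the known exponents)
    together with whether the DDH tuple was real.  The two always agree."""
    (A, B, C), (a, bb, c) = ddh_instance(b)
    m, m_prime, (s, t) = ddh_to_ch(A, B, C)
    pair_same_class = same_class_from_exponents((s, a * s), (bb * t, c * t))
    tuple_is_ddh = (c == a * bb % Q)
    if pair_same_class:  # cross-check at the group level with the explicit mu
        mu = bb * t * pow(s, -1, Q) % Q
        assert scale(m, mu) == m_prime
    return pair_same_class, tuple_is_ddh


if __name__ == "__main__":
    m, m_prime, _, _ = ch_instance(1)
    print("|[m]| =", len(class_of(m)), " m' in [m]:", m_prime in class_of(m))
    for bit in (0, 1):
        print("DDH bit", bit, "-> (pair in one class, tuple is DDH) =", check_reduction(bit))
```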

2.4 Computational Problems

The following definition is due to [HJK12].

Definition 6

A computational problem \(\varPi := (C_\varPi ,S_\varPi )\) consists of a set of challenges \(C_\varPi \) and a family of sets of solutions \(S_\varPi \) for each challenge c, i.e. \(S_\varPi := \left( S_c\right) _{c\in C_\varPi }\). Additionally, we require the existence of two deterministic (polynomial-time) algorithms.

  • \({ \textsf {Sample}}(\rho )\) takes randomness \(\rho \) and outputs \(c \in C_\varPi \).

  • \({ \textsf {Check}}(\rho ,s)\) takes randomness \(\rho \) and an element s and checks whether \(s \in S_c\) for \(c:={{ \textsf {Sample}}(\rho )}\).

We will denote the randomness space of \({ \textsf {Sample}}\) by \(\textrm{P}\). For an algorithm \(\mathcal {A}\) define the game \(\varPi \) played by \(\mathcal {A}\) below.

figure n

3 Our Impossibility Result

We strengthen our impossibility result in that we only consider adversaries that make one single signing query. That is, we show that even reductions that only work for single-query adversaries do not exist.

We will first establish some definitions and notations used throughout this section. Let \(\textrm{R}\) denote the randomness space of \(\mathcal {R}\); fixing its randomness lets us think of \(\mathcal {R}\) as deterministic. When talking about a reduction \(\mathcal {R}\) from \(\varPi \) to \(\textrm{UNF}\) that is being run by a meta-reduction \(\mathcal {D}\), which simulates an adversary \(\mathcal {A}\) for \(\textrm{UNF}\) that uses at most one signing query, we can think of \(\mathcal {R}\) as split into three deterministic algorithms:

  • \(\mathcal {R}.{ \textsf {init}}(c, r)\): is the initialization routine of \(\mathcal {R}\), which takes a challenge c of \(\varPi \) and some randomness and returns the state \(\textit{st}\) of \(\mathcal {R}\) and the public key \(\textit{pk}\) of the \(\textrm{UNF}\) game;

  • \(\mathcal {R}.{ \textsf {sign}}(\textit{st}, m)\): implements the signing oracle of \(\mathcal {R}\). Given a state \(\textit{st}\) which is output by \(\mathcal {R}.{ \textsf {init}}\) and a message m it outputs a new state \(\textit{st}'\) and a signature \(\sigma \);

  • \(\mathcal {R}.{ \textsf {fin}}(\textit{st}, m^*,\sigma ^*)\): takes a state \(\textit{st}\) returned by either \(\mathcal {R}.{ \textsf {init}}\) or \(\mathcal {R}.{ \textsf {sign}}\) (in the former case the adversary made no signing queries); it also takes a message \(m^*\) and a purported forgery \(\sigma ^*\) for \(m^*\). The algorithm then outputs its solution s to the problem c received in \(\mathcal {R}.{ \textsf {init}}\).

Definition 7

We say \(\mathcal {R}\) reducing \(\varPi \) to \(\textrm{UNF}\) communicating with an adversary \(\mathcal {A}\) for \(\textrm{UNF}\) has a (multiplicative) reduction tightness \(\phi \in (0,1]\) if the following holds:

$$ \phi \cdot \textsf{Adv}^{{{\textrm{UNF}}}}_{\mathcal {A}} \le \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {A}}. $$

To condense notation and make calculations more readable, we introduce the following shorthand.

Definition 8

Define \({ \textsf {Init}}\) as the code fragment given below.

figure q

Definition 9

Let \(\varPi \) be a computational problem. Let \(\mathcal {R}\) be a reduction from \(\varPi \) to \(\textrm{UNF}\) with tightness \(\phi \). Given \((\textit{st},\textit{pk})\in [{ \textsf {Init}}]\) we define for a message m the set of valid signatures \(V_{m,\textit{pk}} := \{\sigma \in \mathbb {S}\mid { \textsf {Verify}}(\textit{pk},m,\sigma ) = 1\}\). We then define subsets of \(M\):

figure r

where \(S_{\textit{st},\textit{pk}}\) (signable messages) corresponds to the set of messages for which \(\mathcal {R}\) is able to provide a valid signature, and \(E_{\textit{st},\textit{pk}}\) (exploitable messages) corresponds to the set of messages for which \(\mathcal {R}\) is “likely” to win game \(\varPi \) when given a uniform forgery on that message. Note that \(\rho \) is implicitly defined in the execution of \({ \textsf {Init}}\).

The following result will show that whenever there is a message m that is “exploitable”, then the probability of finding a multiple of m to be “signable” is bounded by the advantage of an efficient adversary winning \(\varPi \). Intuitively this means that whenever we can find a message that \(\mathcal {R}\) can sign, which can then be adapted into a message which \(\mathcal {R}\) can exploit, then \(\varPi \) can be solved efficiently.

Lemma 1

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys (Definition 3). Let \(\mathcal {R}\) be a reduction from \(\varPi \) to \(\textrm{UNF}\) running in time \(\tau \) with reduction tightness \(\phi \). Then there exists a meta-reduction \(\mathcal {M}\) running in time \(\approx \!\tau \) such that

figure s

Proof

Consider the meta-reduction \(\mathcal {M}^\mathcal {R}\) playing \(\varPi \) that rewinds \(\mathcal {R}\) given in Fig. 1. Then it holds that

figure t

by the definition of \(E_{\textit{st},\textit{pk}}\) we have that \(\mathcal {R}\) wins with probability \(\ge \tfrac{\phi }{2}\) when \(\zeta \cdot m \in E_{\textit{st},\textit{pk}}\). Therefore

figure u

   \(\square \)

The following result will be analogous to Lemma 1. It intuitively shows that if the problem \(\varPi \) is computationally hard then when sampling two random messages from an equivalence class, it is unlikely that the reduction can sign one of them while exploiting the other one to solve \(\varPi \). In particular, we bound the probability that a random message is “signable” and there are many “exploitable” messages in its class, where “signable” and “exploitable” are as described in Definition 9. This is the case because when \(\mathcal {R}\) is able to provide signatures on messages which can be adapted to exploitable ones, it could solve \(\varPi \) on its own.

Lemma 2

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys (Definition 3). Let \(\mathcal {R}\) be a reduction from \(\varPi \) to \(\textrm{UNF}\) running in time \(\tau \) with reduction tightness \(\phi \). Let \(\delta \in [0,1]\). Then there exists a meta-reduction \(\mathcal {M}\) aiming to solve \(\varPi \) and running in time \(\approx \!\tau \) such that

figure v
Fig. 1. The meta-reduction \(\mathcal {M}\)

Proof

Consider the meta-reduction \(\mathcal {M}^\mathcal {R}\) playing \(\varPi \) that rewinds \(\mathcal {R}\) which is given in Fig. 1 (note that \(\mathcal {M}\) runs \(\mathcal {R}.{ \textsf {fin}}\) on \(\textit{st}\) and not \(\textit{st}'\)). The reason for \(\mathcal {M}\)’s need to rewind \(\mathcal {R}\) is that this allows us to view the sets \(S_{\textit{st},\textit{pk}}\) and \(E_{\textit{st},\textit{pk}}\) as fixed for each execution, as opposed to them changing after each call of the signing oracle. Then we can show the following.

figure w

where \((b) \ge \delta \), while \( (a) \ge \frac{\phi }{2}\) since \(\mathcal {R}\) wins with probability \(\frac{\phi }{2}\) if \(\mu \cdot m \in E_{\textit{st},\textit{pk}}\) and a uniformly random valid signature is given to \(\mathcal {R}\), which is the case due to \(\varSigma \) fulfilling Definition 3. Therefore

figure x

which concludes the lemma.    \(\square \)

Having established how \(E_{\textit{st},\textit{pk}}\) is distributed with respect to \(S_{\textit{st},\textit{pk}}\), we will now shift our attention to \(S_{\textit{st},\textit{pk}}\), the set of all messages which \(\mathcal {R}\) can sign. The first result will establish a lower bound on the expected size of \(S_{\textit{st},\textit{pk}}\). Intuitively, this bound exists since in order to simulate \(\textrm{UNF}\), \(\mathcal {R}\) has to provide signatures on “many” messages.

Lemma 3

Let \(\varSigma \) be an EQS scheme. Let \(\mathcal {R}\) have a reduction tightness \(\phi \). Then there exists an adversary \(\mathcal {B}\) running in constant time such that the probability of a uniformly sampled m falling into \(S_{\textit{st},\textit{pk}}\), as defined in Definition 9, is lower-bounded as follows:

figure y

Proof

Consider the unbounded adversary \(\mathcal {U}_S\) (showing a bound on “S”) playing \(\textrm{UNF}\) which is defined in Fig. 2. \(\mathcal {U}_S\) wins with probability 1, since in the game \(\textrm{UNF}\) the signature returned by the oracle is always valid, and therefore \(\mathcal {U}_S\) never aborts. Now define the efficient adversary \(\mathcal {B}\) (Fig. 3), which queries a signature \(\sigma \) and then aborts. Conditioned on \(\sigma \) being invalid, \(\mathcal {B}\) perfectly simulates \(\mathcal {U}_S\). We obtain

$$\begin{aligned} \phi &\le \phi \cdot \textsf{Adv}^{{{\textrm{UNF}}}}_{\varSigma , \mathcal {U}_S} \\ {} & \le \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^{\mathcal {U}_S}}\\ {} & = \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \begin{array}{@{}l@{}}(\textit{st},\textit{pk})\leftarrow { \textsf {Init}},\\ (m',\sigma ')\leftarrow \mathcal {U}_S^{\mathcal {R}.{ \textsf {sign}}(\textit{st},.)}(\textit{pk})\end{array}: { \textsf {Check}}(\rho ,\mathcal {R}.{ \textsf {fin}}(m',\sigma '))=1 \right] , \end{aligned}$$

where \(\rho \) is implicitly defined in \({ \textsf {Init}}\),

figure z

where the m in the two left-hand factors refers to the one chosen in line 1 of \(\mathcal {U}_S\), and due to \(\mathcal {B}\) simulating \(\mathcal {U}_S\) in the case where \(\sigma \) is invalid we get

figure aa

where the last inequality is due to

$$ \mathop {\mathrm {\textrm{Pr}}}\limits [\varPi _{\mathcal {R}^\mathcal {B}} = 1 \mid m\in \bar{S}_{\textit{st},\textit{pk}}] \le \frac{\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{\mathop {\mathrm {\textrm{Pr}}}\limits [ m\in \bar{S}_{\textit{st},\textit{pk}}]}. $$

   \(\square \)

Fig. 2. The unbounded adversary \(\mathcal {U}_S\)

Fig. 3. The aborting adversary \(\mathcal {B}\)

The next statement will translate the previous lemma to a setting where we fix \((\textit{st},\textit{pk})\). Fixing \((\textit{st},\textit{pk})\) will enable us to remove dependencies between events at the expense of an additional condition, namely that of the fixed state/public-key pair. This tradeoff is worthwhile because the following lemma lets us reason with a similar bound about a reduced but still “large” set of state/public-key pairs. The intuition is that if for a random state/public-key pair generated by the experiment there is a bound, then the set of state/public-key pairs for which a similar bound holds must be large. Since \(S_{\textit{st},\textit{pk}}\) is “big”, there must also be “many” state/public-key pairs for which a slightly worse bound holds. We will denote subsets of \([{ \textsf {Init}}]\) with \(I^{(x)}\), where x will identify the subset in question. For example, the next lemma will define the subset for which the set \(S_{\textit{st},\textit{pk}}\) is “big”.

Lemma 4

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys. Let \(\mathcal {R}\) have a reduction tightness \(\phi \). Let \(\mathcal {B}\) be as defined in Fig. 3. Define a subset of \([{ \textsf {Init}}]\) for which it is “likely” to sample a message in \(S_{\textit{st},\textit{pk}}\) conditioned on the given state and public key:

$$ I^{(S)}:= \left\{ (\textit{st},\textit{pk}) \left| \mathop {\mathrm {\textrm{Pr}}}\limits \left[ m\leftarrow M: m\in S_{\textit{st},\textit{pk}}\right] \ge \frac{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2} \right\} \right. . $$

Then \(\mathop {\mathrm {\textrm{Pr}}}\limits [(\textit{st},\textit{pk})\leftarrow { \textsf {Init}}: (\textit{st},\textit{pk})\in I^{(S)}] \ge \frac{\phi - \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2}\).

Proof

From Lemma 3 we have

figure ab

And therefore

$$\begin{aligned} \mathop {\mathrm {\textrm{Pr}}}\limits [(\textit{st},\textit{pk})\leftarrow { \textsf {Init}}: (\textit{st},\textit{pk})\in I^{(S)}] \ge \frac{\phi - \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2}. \end{aligned}$$

   \(\square \)

Similar to Lemma 3 we can obtain a bound on the size of \(E_{\textit{st},\textit{pk}}\). An obvious observation is that in order for \(\mathcal {R}\) to be successful, there must be many messages such that when given a forgery on said message it wins \(\varPi \). This follows because \(\mathcal {R}\) must keep its tightness guarantees even for very successful \(\textrm{UNF}\)-adversaries. This idea, captured rigorously, yields the next lemma.

Lemma 5

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys. Let \(\mathcal {R}\) have a reduction tightness \(\phi \). Then the probability of sampling \(m\in M\) and it falling into \(E_{\textit{st},\textit{pk}}\), as defined in Definition 9, is lower-bounded as follows:

figure ac

Proof

Consider the unbounded adversary \(\mathcal {U}_E\) (showing a bound on “E”) playing the \(\textrm{UNF}\) game and not making any signing queries defined as follows:

figure ad

Then \(\mathcal {U}_E\) wins with probability 1. Note that \(\mathcal {U}_E\) is inefficient because (for a secure scheme) one cannot efficiently sample from \(V_{m,\textit{pk}}\). We get

$$\begin{aligned} \phi &= \phi \cdot \textsf{Adv}^{{{\textrm{UNF}}}}_{\varSigma ,\mathcal {U}_E} \le \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^{\mathcal {U}_E}}\nonumber \\ &= \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \begin{array}{@{}l@{}}(\textit{st},\textit{pk}) \leftarrow { \textsf {Init}},\\ (m,\sigma ) \leftarrow \mathcal {U}_E(\textit{pk})\end{array}: { \textsf {Check}}(\rho ,\mathcal {R}.{ \textsf {fin}}(m,\sigma )) = 1 \right] \nonumber \\ &\le \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \varPi _{\mathcal {R}^{\mathcal {U}_E}} = 1 \left| \ m\in E_{\textit{st},\textit{pk}}\right] \cdot \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \varPi _{\mathcal {R}^{\mathcal {U}_E}}: m\in E_{\textit{st},\textit{pk}}\right] \right. \nonumber \\ &\quad + \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \varPi _{\mathcal {R}^{\mathcal {U}_E}}=1\left| \ m\in \bar{E}_{\textit{st},\textit{pk}}\right] \cdot \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \varPi _{\mathcal {R}^{\mathcal {U}_E}}: m\in \bar{E}_{\textit{st},\textit{pk}}\right] \right. . \end{aligned}$$
(2)

Now by the definition of \(E_{\textit{st},\textit{pk}}\), if \(\mathcal {R}\) is given a uniform forgery on a message m which is not in \(E_{\textit{st},\textit{pk}}\), then its winning probability is less than \(\frac{\phi }{2}\), therefore

$$\begin{aligned} {(2)}&\le \mathop {\mathrm {\textrm{Pr}}}\limits \left[ \varPi _{\mathcal {R}^{\mathcal {U}_E}}: m\in E_{\textit{st},\textit{pk}}\right] + \frac{\phi }{2}. \end{aligned}$$

Rearranging yields the result.    \(\square \)

We just showed that if \(\mathcal {R}\) is “tight” then \(E_{\textit{st},\textit{pk}}\) is “big”. We will lift this result onto the level of classes by showing that there also must be “many” classes C, which we will call “heavy”, for which the proportion of \(E_{\textit{st},\textit{pk}}\)-elements is “big”. This partitioning of the message space will be denoted by the superscript (C), indicating that we are operating on the level of classes. This will essentially be done by a variation of a technical lemma known as either the Splitting Lemma or Heavy Row Lemma, for which a version can be found in [PS00, Lemma 7]. Note that our “rows” rather resemble the classes into which \(M\) is partitioned, as opposed to “rows” in a two-dimensional representation of \((\mathbb {G}^*)^2\) with a basis (gg), which would correspond to the setting common in the literature.

Additionally we will show, in the spirit of Lemma 2, that finding messages in a “heavy” class for which \(\mathcal {R}\) can provide a signature can be used to solve \(\varPi \).

Lemma 6

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys. Let \(\mathcal {R}\) have a reduction tightness \(\phi \). Define for \((\textit{st},\textit{pk})\in [{ \textsf {Init}}]\) the set of \(E_{\textit{st},\textit{pk}}\)-“heavy” classes

$$ E_{\textit{st},\textit{pk}}^{(C)}:= \left\{ m\in M\left| \frac{| E_{\textit{st},\textit{pk}} \cap [m]|}{|[m]|} \ge \frac{\phi }{4}\right\} \right. . $$

Then

  1. , and

  2. .

Proof

To show that \(E_{\textit{st},\textit{pk}}^{(C)}\) is “big” assume towards a contradiction that

. From Lemma 5 we get . Then since for m and \(\mu \) uniformly chosen, \(\mu \cdot m \in E_{\textit{st},\textit{pk}}\) has the same probability as \(m\in E_{\textit{st},\textit{pk}}\) we get

(3)

By the premise and since \(m\notin E_{\textit{st},\textit{pk}}^{(C)}\) implies that \(\mathop {\mathrm {\textrm{Pr}}}\limits _{\mu \in \mathbb {Z}_p^*}[\mu \cdot m \in E_{\textit{st},\textit{pk}}] < \phi /4\) we get

$$\begin{aligned} {(3)}&< \frac{\phi }{4} + \frac{\phi }{4} = \frac{\phi }{2}, \end{aligned}$$

a contradiction. This proves the first part.

To prove the second part, we apply Lemma 2 for \(\delta := \frac{\phi }{4}\) to get

(4)

Using the first part of this lemma,

figure ai

Rearranging yields

figure aj

which concludes the proof of the lemma.    \(\square \)

Similar to Lemma 4, we will transform the statement we just obtained into a setting where we fix the state and public key, and then show that many such pairs exist for which a weaker bound holds. Since we are concerned with the state/public-key pairs for which the intersection of \(E_{\textit{st},\textit{pk}}\)-heavy classes and \(S_{\textit{st},\textit{pk}}\) is “small”, we will denote this subset of \([{ \textsf {Init}}]\) with “\(\cap \)”.

Lemma 7

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys. Let \(\mathcal {R}\) have a reduction tightness \(\phi \). Let \(\mathcal {M}\) be the meta-reduction defined in Fig. 1. For \(\delta \in [0,1]\) define a subset of \([{ \textsf {Init}}]\) for which the size of the intersection of \(E_{\textit{st},\textit{pk}}^{(C)}\) and \(S_{\textit{st},\textit{pk}}\) obeys a weaker bound than the one in Lemma 6 once we condition the probability on that fixed state/public-key pair:

figure ak

Then the probability of \((\textit{st},\textit{pk})\leftarrow { \textsf {Init}}\) falling into \(I^{(\cap )}_{\delta }\) has the following lower bound

$$\begin{aligned} \mathop {\mathrm {\textrm{Pr}}}\limits [(\textit{st},\textit{pk})\leftarrow { \textsf {Init}}: (\textit{st},\textit{pk})\in I^{(\cap )}_{\delta }] \ge 1 - \delta . \end{aligned}$$

Proof

From Lemma 6 we get

figure al

Rearranging yields \(\mathop {\mathrm {\textrm{Pr}}}\limits [(\textit{st},\textit{pk})\leftarrow { \textsf {Init}}: (\textit{st},\textit{pk})\in I^{(\cap )}_{\delta }] \ge 1 - \delta .\)    \(\square \)

In the same manner we can reason that if the bound from Lemma 7 holds for a random class, then a similar bound will hold for a “large” subset of classes when we fix the class.

Lemma 8

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys. Let \(\mathcal {R}\) have a reduction tightness \(\phi \). Let \(\mathcal {M}\) be the meta-reduction defined in Fig. 1. For \(\delta \in [0,1]\), \((\textit{st},\textit{pk})\in I^{(\cap )}_{\delta }\) define the following subset of \(\mathcal {C}\): all classes for which the intersection of \(E_{\textit{st},\textit{pk}}^{(C)}\) and \(S_{\textit{st},\textit{pk}}\) is bounded by a multiple of \(\mathcal {M}\)’s advantage

figure am

Then .

Proof

Let \((\textit{st},\textit{pk})\in I^{(\cap )}_{\delta }\) then by definition of \(I^{(\cap )}_{\delta }\) in Lemma 7 we have

figure ao

And therefore

figure ap

Now using this and Lemma 6 we get

figure aq

concluding the proof.    \(\square \)

Having established lower bounds on the sizes of both \(I^{(S)}\) and \(I^{(\cap )}_{\delta }\), we will reason that for an appropriate value for \(\delta \) their intersection must be “large” as well. This intersection contains state/public-key pairs for which both \(S_{\textit{st},\textit{pk}}\) is big and \(S_{\textit{st},\textit{pk}}\) and \(E_{\textit{st},\textit{pk}}\) have a small intersection. This is of interest because the separation along classes will enable us to construct a reduction which leverages \(\mathcal {R}\)’s implicit separation of classes to break \(\textrm{DDH}\).

Lemma 9

Let \(\varSigma \) be an EQS scheme that adapts perfectly under malicious keys. Let \(\mathcal {R}\) have a reduction tightness \(\phi \). Let \(I^{(S)}\) be as defined in Lemma 4, \(I^{(\cap )}_{\delta }\) be as defined in Lemma 7 and \(\mathcal {B}\) be the aborting adversary defined in Fig. 3. Then for \(\delta := \phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}\) we get that \(I^{(S)}\cap I^{(\cap )}_{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}\) is “big”, namely

$$ |I^{(S)}\cap I^{(\cap )}_{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}| \ge \frac{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2}. $$

Proof

Fix \(\delta := \phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}\); then Lemma 7 and Lemma 4 yield

$$\begin{aligned} &|\overline{I^{(S)}\cap I^{(\cap )}_{\delta }} | = | \overline{ I^{(S)}} \cup \overline{ I^{(\cap )}_{\delta }} | \le |\overline{I^{(S)}}| + |\overline{I^{(\cap )}_{\delta }}| \\ &\qquad \qquad \qquad \qquad \qquad \le \frac{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2} + 1 - \phi + \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} = 1 - \frac{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2}. \end{aligned}$$

And therefore \(|I^{(S)}\cap I^{(\cap )}_{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}| \ge ({\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}})/2\).    \(\square \)

With many lemmas in the bag we can now tackle the main result of this work. The intuitive statement is that if \(\mathcal {R}\) is “tight” then we can construct meta-reductions such that either one such meta-reduction will use \(\mathcal {R}\) to win \(\textrm{DDH}\), or a different meta-reduction will use \(\mathcal {R}\) to win \(\varPi \), or \(\mathcal {R}\) is able to win \(\varPi \) itself (formally, with the help of an efficient but trivial adversary).

Theorem 1

For all groups \(\mathbb {G}\) and all EQS schemes \(\varSigma \) over \(\mathbb {G}\) that adapt perfectly under malicious keys (as defined in Sect. 2.3), for all computational problems \(\varPi \) and all reductions \(\mathcal {R}\) that reduce \(\varPi \) to \(\textrm{UNF}\), running the adversary once, with a reduction tightness of \(\phi \) and running in time \(\tau \), there exist meta-reductions \(\mathcal {D}\) attacking \(\textrm{DDH}\) running in time \(\approx \!2\tau \) and \(\mathcal {M}\) attacking \(\varPi \) running in time \(\approx \!\tau \) as well as an adversary \(\mathcal {B}\) attacking \(\textrm{UNF}\) of \(\varSigma \) running in constant time such that

$$ \textsf{Adv}^{{{\textrm{DDH}}}}_{\mathbb {G},\mathcal {D}^\mathcal {R}}+ \frac{3\phi ^3}{32} \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} + \frac{12}{\phi } \textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}} \ge \frac{\phi ^4}{32}. $$

Proof Idea. Let us first give an idea of the proof. For a reduction \(\mathcal {R}\), having defined the sets \(S_{\textit{st},\textit{pk}}\) and \(E_{\textit{st},\textit{pk}}\), we have established that both these sets must be reasonably “large” if \(\mathcal {R}\) is to be “successful”. Now if it is the case that both of these sets are spread evenly across the message space, then there exist (many) classes with both elements of \(S_{\textit{st},\textit{pk}}\) and \(E_{\textit{st},\textit{pk}}\). This can be used to solve \(\varPi \), as can be seen in the analysis of \(\mathcal {M}\) defined in Fig. 1. On the other hand, if the sets are separated into different classes, then we can construct a meta-reduction \(\mathcal D\) which extracts this information from \(\mathcal {R}\) in order to reason about \(\textrm{DDH}\). The main effort will be in establishing an appropriate lower bound on this latter process being successful.

The proof will use the following technical lemma.

Lemma 10

Let I be a finite set of indices. Let \(\lambda _i \ge 0\) for \(i\in I\) with \(\sum _i \lambda _i = 1\), \(x_i\in [0,1]\) for \(i\in I\), and \(y := \sum _i \lambda _i x_i\). Then

$$ \sum _{i\in I} \lambda _i x_i^2 - y^2 =\sum _{i\in I} \lambda _i (x_i - y)^2. $$

Proof

$$\begin{aligned} & \sum _i \lambda _i (x_i - y)^2 = \sum _i \lambda _i (x_i^2 - 2x_iy + y^2) =\sum _i \lambda _i x_i^2 - 2y \sum _i \lambda _i x_i + y^2\\ &\qquad \qquad \qquad \,\,\, = \sum _i \lambda _i x_i^2 -2 y^2 + y ^2 = \sum _i \lambda _i x_i^2 - y^2. \end{aligned}$$

   \(\square \)

Fig. 4. The DDH distinguisher \(\mathcal {D}\)

Proof

of Theorem 1. Consider the efficient meta-reduction \(\mathcal {D}\) which rewinds the reduction \(\mathcal {R}\) and uses it in order to win the DDH game, defined in Fig. 4. (Note that \(\mathcal D\) runs \(\mathcal {R}.{ \textsf {sign}}\) twice on the same value \(\textit{st}\).) The first four lines correspond to the \({ \textsf {Init}}\) experiment, in which \(\mathcal {D}\) obtains the problem instance c for \(\mathcal {R}\). It then groups its inputs into two messages m and \(m'\) and obtains a signature from \(\mathcal {R}\) on both messages. If the validity of both signatures matches, then \(\mathcal {D}\) outputs “DDH-pair”. For a fixed \((\textit{st},\textit{pk}) \in [{ \textsf {Init}}]\) we will write \(\mathop {\mathrm {\textrm{Pr}}}\limits [(\textit{st},\textit{pk})]\) instead of \(\mathop {\mathrm {\textrm{Pr}}}\limits [(\textit{st}',\textit{pk}')\leftarrow { \textsf {Init}}: (\textit{st}',\textit{pk}') = (\textit{st},\textit{pk})]\) to enhance readability. Then when \(\mathcal {D}\) plays the \(\textrm{DDH}\) game on a “random” instance, it will be right with the following probability:

(5)

Fixing \((\textit{st},\textit{pk})\) will remove the dependency between the events \(m\in S_{\textit{st},\textit{pk}}\) and \(m'\in \bar{S}_{\textit{st},\textit{pk}}\), since m and \(m'\) are independent:

(6)

On the other hand, when \(\mathcal {D}\) plays the \(\textrm{DDH}\) game on a “DDH” instance, its guess will be wrong with the following probability:

(7)

For the second term in parentheses we obtain the following upper bound.

figure ar

From \(\bar{S}_{\textit{st},\textit{pk}} \cap \bar{E}_{\textit{st},\textit{pk}} \subseteq \bar{S}_{\textit{st},\textit{pk}}\) and both m and \(\mu \cdot m\) being a uniform element of a class C, we get

figure as

Plugging this result together with

figure at

into Eq. (7), we obtain

(8)

Putting Eqs. (6) and (8) together yields

(9)

Lemma 1 yields with \(\mathcal {M}\) as defined in Fig. 1, and therefore

(10)

Applying Lemma 10 for , and \(\lambda _C := \frac{1}{|\mathcal {C}|}\) yields

figure aw

Let \(\mathcal {B}\) be the aborting adversary defined in Fig. 3. Let \(\delta := \phi - \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}\). Then since \(I := I^{(S)}\cap I^{(\cap )}_{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}\subseteq [{ \textsf {Init}}]\) and \(\mathcal {C}_{\textit{st},\textit{pk}}^{(\cap )}:= \mathcal {C}_{\textit{st},\textit{pk},\phi - \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}^{(\cap )}\subseteq \mathcal {C}\) we get

figure ax

by the definition of \(I^{(S)}\) in Lemma 4 and by the definition of \(\mathcal {C}_{\textit{st},\textit{pk}}^{(\cap )}\) in Lemma 8 we get

$$\begin{aligned} &\ge 2\sum _{(\textit{st},\textit{pk})\in I}\mathop {\mathrm {\textrm{Pr}}}\limits [(\textit{st},\textit{pk})]\sum _{C\in \mathcal {C}_{\textit{st},\textit{pk}}^{(\cap )}}\frac{1}{|\mathcal {C}|}\nonumber \\ &\underbrace{\bigg ( \frac{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2} - \frac{64}{(\phi - \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}})\phi ^3}\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}} \bigg )^2}_{(*)}\ -\frac{4}{\phi }\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}. \end{aligned}$$
(11)

For the term \((*)\) we obtain the following bound by expanding the square and ignoring the squared terms:

$$\begin{aligned} (*) &= \frac{\phi ^2}{4} - \frac{\phi \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2} + \left( \frac{\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2}\right) ^2 -\frac{64\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}}{\phi ^3} +\left( \frac{64\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}}{(\phi - \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}})\phi ^3}\right) ^2\\ &\ge \frac{\phi ^2}{4} - \frac{\phi \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2} - \frac{64\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}}{\phi ^3} \end{aligned}$$

and therefore

figure ay

Lemma 9 yields a bound on the size of \(I =I^{(S)}\cap I^{(\cap )}_{\phi -\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}\) while Lemma 8 gives a bound on the size of \(\mathcal {C}_{\textit{st},\textit{pk}}^{(\cap )}\). These facts combine to

$$\begin{aligned} &\ge 2 \cdot \frac{\phi - \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}}{2} \cdot \frac{\phi }{8} \cdot \bigg ( \frac{\phi ^2}{4}- \frac{\phi }{2} \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}}- \frac{64}{\phi ^3}\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}} \bigg ) -\frac{4}{\phi }\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}\\ &\ge \frac{\phi ^4}{32} -\bigg ( \frac{3\phi ^3}{32} \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} + \frac{12}{\phi }\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}\bigg ), \end{aligned}$$

where the last inequality comes from discarding terms that contain products of advantages. Rearranging yields the result.    \(\square \)

Clearing denominators, using \(\phi \le 1\) to bound the resulting coefficients by 1, and applying Proposition 1 (equivalence of class-hiding and DDH), Theorem 1 implies the following:

Corollary 1

For all EQS schemes \(\varSigma \) as defined in Sect. 2.3, for all computational problems \(\varPi \) and all reductions \(\mathcal {R}\) that reduce \(\varPi \) to \(\textrm{UNF}\), running the adversary once, with a reduction tightness of \(\phi \) and running in time \(\tau \), there exist meta-reductions \(\mathcal {D}\) attacking class-hiding of \(\varSigma \) running in time \(\approx \!2\tau \) and \(\mathcal {M}\) attacking \(\varPi \) running in time \(\approx \!\tau \) as well as an adversary \(\mathcal {B}\) attacking \(\textrm{UNF}\) of \(\varSigma \) running in constant time such that

$$ \textsf{Adv}^{{{{CH}}}}_{\varSigma ,\mathcal {D}^\mathcal {R}}+ \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} + \textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}} \ge \frac{\phi ^5}{384}. $$
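The following derivation of the constant \(\frac{1}{384}\) is added here as a worked illustration and is not part of the original text. It assumes (the displayed left-hand side of the chain above is not recoverable here) that the quantity lower-bounded in the proof, after applying Proposition 1, is the class-hiding advantage \(\textsf{Adv}^{{{{CH}}}}_{\varSigma ,\mathcal {D}^\mathcal {R}}\), so that the final inequality of the proof reads

$$\begin{aligned} \textsf{Adv}^{{{{CH}}}}_{\varSigma ,\mathcal {D}^\mathcal {R}} \ge \frac{\phi ^4}{32} -\frac{3\phi ^3}{32} \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} - \frac{12}{\phi }\textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}. \end{aligned}$$

Moving the advantage terms to the left and multiplying both sides by \(\frac{\phi }{12}>0\) clears the denominator \(\phi \) and gives

$$\begin{aligned} \frac{\phi }{12}\textsf{Adv}^{{{{CH}}}}_{\varSigma ,\mathcal {D}^\mathcal {R}} + \frac{\phi ^4}{128}\textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} + \textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}} \ge \frac{\phi ^5}{384}, \end{aligned}$$

since \(\frac{3\phi ^3}{32}\cdot \frac{\phi }{12} = \frac{\phi ^4}{128}\) and \(\frac{12}{\phi }\cdot \frac{\phi }{12}=1\). As \(0<\phi \le 1\), the coefficients satisfy \(\frac{\phi }{12}\le 1\) and \(\frac{\phi ^4}{128}\le 1\), and all advantages are non-negative, so the left-hand side is at most \(\textsf{Adv}^{{{{CH}}}}_{\varSigma ,\mathcal {D}^\mathcal {R}}+ \textsf{Adv}^{{{\varPi }}}_{\mathcal {R}^\mathcal {B}} + \textsf{Adv}^{{{\varPi }}}_{\mathcal {M}^\mathcal {R}}\), which is the statement of Corollary 1. The step \(\phi \le 1\) is where the bound loses a factor of up to \(12\) on the class-hiding term and \(128\) on the \(\mathcal {R}^\mathcal {B}\) term, which is harmless for the asymptotic conclusion but worth keeping in mind when reading the constant.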

Therefore, in an asymptotic setting where \(\varSigma \) is class-hiding (CH) and adapts perfectly under malicious keys, and \(\mathcal {R}\) is an efficient reduction from a “hard” problem \(\varPi \) to \(\textrm{UNF}\), Corollary 1 states that \(\mathcal {R}\)’s tightness \(\phi \) is bounded by the sum of the advantages of efficient algorithms against CH and \(\varPi \) (the meta-reductions \(\mathcal {D}^\mathcal {R}\) and \(\mathcal {M}^\mathcal {R}\) and the reduction \(\mathcal {R}^\mathcal {B}\)). Since CH and \(\varPi \) are hard, these advantages are negligible, so \(\phi \) must be negligible as well, which means that \(\mathcal {R}\) is not a “useful” reduction.
