1 Introduction

The notion of structure-preserving signatures (SPS) was introduced in [AFG+10] so that such signatures are compatible with the bilinear-pairings based efficient non-interactive zero-knowledge (NIZK) proofs of Groth and Sahai [GS08]. The messages, signatures, and verification keys are required to be elements of groups that support efficient bilinear-pairings (bilinear groups), and the signature verification consists of just evaluating one or more bilinear-pairing product equations. With the structure of the signature preserved, one can then build many interesting cryptographic primitives and protocols that require (hiding) commitments to such messages and signatures and yet retain the ability to prove properties about these using Groth-Sahai NIZK proofs (GS-NIZK proofs). To list a few, SPS have been used to build blind signatures [AO09, AFG+10], group signatures [AHO10], traceable signatures [ACHO11], group encryption [CLY09], and delegatable credential systems [Fuc11].

The first SPS was introduced by Groth in 2006 even before GS-NIZK proofs were introduced [Gro06]. In the same work Groth also introduced NIZK proofs for algebraic equations over bilinear groups, but since this construction was rather inefficient, it was best viewed as a feasibility study. A variation of the Camenisch-Lysyanskaya signature scheme [CL04] was shown to be an SPS secure against random message attacks [GH08]. Cathalo et al. [CLY09] and Fuchsbauer [Fuc09] gave schemes which are efficient when signing a single group element, but their signature size increases linearly in the size of the message. In [AHO10], the authors presented the first constant-size SPS consisting of seven group elements, provable under a non-interactive but dynamic q-type assumption. In [AGHO11], the authors show a three group element SPS scheme provable in the generic asymmetric pairings group model. Interestingly, they also showed that any SPS scheme in asymmetric bilinear groups must require at least three group elements and two pairing product verification equations. They also gave a four group element SPS scheme under a non-interactive but dynamic q-type assumption. In [AGO11], the authors show that any SPS scheme proven secure by a black-box reduction of the standard SXDH assumption in asymmetric bilinear groups must have four group elements.

Recently, Kiltz et al. [KPW15] and Libert et al. [LPY15] gave efficient SPS schemes under standard bilinear assumptions such as SXDH (Symmetric eXternal Diffie-Hellman assumption) or MDDH (Matrix-DDH assumption). While the latter scheme required ten group elements, the former was even shorter requiring only seven group elements (under SXDH). However, both schemes required three pairing product equations for signature verification, which is sub-optimal. Moreover, the security proofs given for both schemes incurred a quadratic (in the number of signature queries) loss in security.

1.1 Our Contributions

In this work, we show that the scheme of Kiltz et al. [KPW15] can be modified to have a signature size of only six group elements. More importantly, the number of pairing product equations required for signature verification is reduced to two, which is optimal by the lower bound of [AGHO11]. Further, we give a security proof that only has a \(Q \log {Q}\) security loss in reduction from standard SXDH or MDDH assumptions.

The ramifications of these improvements are many-fold. First, note that since SPS are used along with commitments, encryptions and GS-NIZK proofs, this can lead to a multiplicative factor improvement in the final cryptographic application. For example, every group element in the SPS that needs a Groth-Sahai commitment leads to a factor two blowup. A CCA2-encryption such as the Cramer-Shoup encryption [CS02] could lead to a factor four or five blowup. Each pairing product equation can lead to up to eight extra group elements in GS-NIZK proofs (under SXDH assumption), and indeed the type of extra pairing product equation in [KPW15] does take eight extra group elements (four in each of the two asymmetric bilinear groups).

Using the methodology of [AHO10, AFG+10], the authors of [LPY15] build a dynamic group signature scheme with a signature size of 30 group elements in \(\mathbb {G} _1\), 14 group elements in \(\mathbb {G} _2\) and an integer tag. The improvements presented in this work are directly applicable and should lead to a reduction of at least ten group elements in the size of the signature. Similar improvements are expected in blind signature schemes and other anonymous-credential based schemes.

We also give constructions and security proofs under the more general k-MDDH (matrix-DDH) assumption. Our results and a comparison with previous work are summarized in Table 1.

As for the improved security reduction, [KPW15] show that if an adaptive chosen-message attack adversary makes at most Q signature queries, then its success probability of forging a signature on a new message is bounded from above by (roughly)

$$\begin{aligned} Q^2 \cdot {{\textsc {ADV}}_{{\textsc {ddh}}}} + Q^2/q \end{aligned}$$

where q is the order of the cyclic groups, and \({{\textsc {ADV}}_{{\textsc {ddh}}}}\) is the maximum advantage an efficient adversary has in a (decisional Diffie-Hellman) DDH-challenge game in either of the asymmetric bilinear groups. In this work, we show that the success probability of forging a signature is at most (roughly)

$$\begin{aligned} Q\cdot \log {Q} \cdot {{\textsc {ADV}}_{{\textsc {ddh}}}} + Q^2/q \end{aligned}$$

Since, by Pollard’s Rho method [Pol78], \(\text {ADV}_{{\textsc {ddh}}}\) is at least \(1/\sqrt{q}\), the first term in both of the above success probabilities is dominant. Thus, for the same security guarantee, and for a large number of signatures (which should be expected for group signatures and other such anonymous credential applications), the earlier schemes would require almost twice the number of bits in the representation of the group elements.

Table 1. Comparison with existing unbounded security SPS schemes with table adapted from [KPW15]. \((n_1, n_2)\) denotes \(n_1\,\mathbb {G}_1\) elements and \(n_2\,\mathbb {G}_2\) elements. The table gives message, signature and public key sizes and finally the number of pairing product equations needed for verification. \(RE(\mathcal{D}_k)\) is the number of group elements needed for representing a sample from \(\mathcal{D}_k\); \(\overline{RE}(\mathcal{D}_k)\) is the same for all but the last row of a sample. For k-Linear assumption these are \(k+1\) and k respectively.

1.2 Our Techniques

The underlying idea in the SPS schemes of both [KPW15] and [LPY15], and of our scheme, is to hide a secret using a CCA2 encryption scheme, in particular the Cramer-Shoup encryption [CS02], and prove in zero-knowledge that the signer knows the secret encrypted in the ciphertext. This methodology of building signature schemes was already described in [CCS09] (also, see a refinement of this method in [JR13]). However, as is well-known, the Cramer-Shoup encryption scheme requires exponentiation with a tag which is computed from other elements in the ciphertext in a 1-1 fashion. This forces the tag to be different if the ciphertext is changed in any way. However, this clearly is not structure-preserving, as the 1-1 mapping is required to map from the group elements to another group \(\mathbb {Z}_q\), where q is the order of the bilinear groups.

In [KPW15] and [LPY15], the tag is instead chosen afresh at random (i.e., independent of other elements in the ciphertext), and its representation in the bilinear group is given as part of the signature. The tag is also used in the aforementioned exponentiation (in fact, more than one), and simple bilinear tests can check that these values are consistent. To get a better understanding, we now give some specific details. Let k be the secret of the signer. To create the signature, it generates a Cramer-Shoup encryption, by picking r at random, and setting

$$\begin{aligned} \rho = g_1^r , \hat{\rho } = (g_1^{b})^r, \gamma = g_1^k \cdot (g_1^d)^r \cdot (g_1^e) ^{t \cdot r} \end{aligned}$$

where t is the tag, and \(g_1^{b}, g_1^{d}, g_1^{e}\) are part of the public key. In SPS, since t is chosen afresh, the signer also gives \(\psi = g_1^{t \cdot r}\) and \(\tau = g_2^{t}\). Note that \(\tau \) is in group \(\mathbb {G} _2\), whereas all other elements are in group \(\mathbb {G} _1\). The consistency of \(\rho \), \(\psi \) and \(\tau \) is easily checked by a bilinear pairing product equation, i.e., \(\mathsf{e}(\rho , \tau ) = \mathsf{e}(\psi , g_2)\).

If one were to follow the methodology of [CCS09], the signer also gives a NIZK proof \(\pi \) that \(\rho , \hat{\rho }, \psi \) and \(\gamma \) are consistent with the public key, and some public information about k. However, with the quasi-adaptive computationally-sound NIZK proofs (QA-NIZK) of [JR13], one can give a QA-NIZK proof that these elements are in an affine span of the underlying linear subspace language, with the verifier CRS independent of the affine component (i.e. \(g_1^k\)).

The scheme in [KPW15] (also [LPY15]) also gives an additional element \(\hat{\psi } = (g_1^b)^{t \cdot r}\), and the signature verification requires another consistency check, i.e. \(\mathsf{e}(\hat{\rho }, \tau ) = \mathsf{e}(\hat{\psi }, g_2)\). The main reason for this additional verification is that [KPW15] does not follow the above methodology for the security proof, and instead uses a core computational lemma which was used to give an unbounded-simulation sound QA-NIZK scheme [KW15]. As mentioned earlier, it suffices to use a (non simulation-sound) NIZK as long as one uses a CCA2 encryption like Cramer-Shoup (which in itself is just a one-time simulation-sound method). Now, readers familiar with Cramer-Shoup encryption will recall that the main idea there is the ability for the simulator to use an alternate decryption. However, in signature schemes, as opposed to Cramer-Shoup encryption, there is no real decryption, but just a verification of the signature using private trapdoor keys. This can also be done efficiently using the bilinear pairing available, and this is the reason why a single additional test of the relationship between \(\psi \), \(\rho \) and \(\tau \) suffices. More details can be found in Sect. 3.1.

1.3 Recursive Complexity-Leveraging for Improved Security Reduction

For improving the security reduction, we first note that [KPW15] requires a complexity-leveraging technique, because the simulator of the challenger in the SPS security game must guess a query index (the one for which the adversary may use the same tag), and then try to simulate signatures only for indices other than this guess. However, since the adversary is adaptive, this guess is only correct with probability 1/Q, where Q is the maximum number of queries the adversary makes.

We follow a recursive approach, where the simulator goes through Q hybrid games. In the first Q/2 hybrid games, the simulator guesses a set Z of size Q/2, and then simulates queries outside this set. Now, the simulator’s probability of correctly guessing that the adversary’s tag will match the tag of a query in set Z is much higher, i.e., 1/2. From the Q/2-th hybrid onwards, we show that the simulator can switch to another sequence of hybrid games, where now the simulator guesses a set Z of size Q/4, and so forth inductively. The penalty in the security reduction in this switch is only a factor of two. Note that we are paying a penalty of factor \(2^m\) for only the last \(Q/2^{m-1}\) hybrids, and this leads to a reduction with only a \(Q \log {Q}\) security loss. We expect our novel complexity-leveraging technique to be more widely applicable, and of independent interest.
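As an added illustration of this bound (the accounting is spelled out here and is not part of the original text): the \(Q/2^m\) hybrids in the m-th segment, i.e. those numbered in \((Q - Q/2^{m-1},\ Q - Q/2^m]\), are each charged the cumulative guessing penalty \(2^m\), so the total loss over all segments is

$$\begin{aligned} \sum _{m=1}^{\log Q} 2^m \cdot \left( \frac{Q}{2^{m-1}} - \frac{Q}{2^m} \right) = \sum _{m=1}^{\log Q} 2^m \cdot \frac{Q}{2^m} = Q \log {Q}, \end{aligned}$$

with each of the \(\log Q\) segments contributing a loss of exactly Q.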

2 Preliminaries

We will consider cyclic groups \(\mathbb {G} _1, \mathbb {G} _2\) and \(\mathbb {G} _T\) of prime order q, with an efficient bilinear map \(\mathsf{e}: \mathbb {G} _1 \times \mathbb {G} _2 \rightarrow \mathbb {G} _T\). Group elements \(\mathbf{g}_1\) and \(\mathbf{g}_2\) will typically denote generators of the group \(\mathbb {G} _1\) and \(\mathbb {G} _2\) respectively. Following [EHK+13], we will use the notations \([a]_1, [a]_2\) and \([a]_T\) to denote \(a\mathbf{g}_1, a\mathbf{g}_2\), and \(a \cdot \mathsf{e}(\mathbf{g}_1, \mathbf{g}_2)\) respectively and use additive notations for group operations. When talking about a general group \(\mathbb {G}\) with generator \(\mathbf{g}\), we will just use the notation [a] to denote \(a\mathbf{g}\). The notation generalizes to vectors and matrices in a natural component-wise way.

For two vectors or matrices A and B, we will denote the product \(A^\top B\) as \(A \cdot B\). The pairing product \(\mathsf{e}([A]_1, [B]_2)\) evaluates to the matrix product \([AB]_T\) in the target group, with pairing as multiplication and the target group operation as addition.

We recall the Matrix Decisional Diffie-Hellman or MDDH assumptions from [EHK+13]. A matrix distribution \(\mathcal{D}_{l, k}\), where \(l > k\), is defined to be an efficiently samplable distribution on \(\mathbb {Z}_q^{l \times k}\) which is full-ranked with overwhelming probability. The \(\mathcal{D}_{l, k}\) -MDDH assumption in group \(\mathbb {G}\) states that with samples \({\mathbf {\mathsf{{A}}}} \leftarrow \mathcal{D}_{l, k}, \mathbf{s} \leftarrow \mathbb {Z}_q^k\) and \(\mathbf{s}' \leftarrow \mathbb {Z}_q^l\), the tuple \(([{\mathbf {\mathsf{{A}}}}], [{\mathbf {\mathsf{{A}}}} \mathbf{s}])\) is computationally indistinguishable from \(([{\mathbf {\mathsf{{A}}}}], [\mathbf{s}'])\). A matrix distribution \(\mathcal{D}_{k+1, k}\) is simply denoted by \(\mathcal{D}_k\).

2.1 Quasi-Adaptive NIZK Proofs

A witness relation is a binary relation on pairs of inputs, the first called a word and the second called a witness. Each witness relation R defines a corresponding language L which is the set of all words x for which there exists a witness w, such that R(x, w) holds.

We will consider Quasi-Adaptive NIZK proofs [JR13] for a probability distribution \(\mathcal{D}\) on a collection of (witness-) relations \(\mathcal{R} = \{R_\rho \}\) (with corresponding languages \(L_\rho \)). Recall that in a quasi-adaptive NIZK, the CRS can be set after the language parameter has been chosen according to \(\mathcal{D}\). Please refer to [JR13] for detailed definitions.

For our SPS construction we will also need a property called true-simulation-soundness and an extension of QA-NIZKs called strong split-CRS QA-NIZK. We also recall the definitions of these concepts below.

Definition 1

(QA-NIZK [JR13]). We call a tuple of efficient algorithms \(({\mathsf {pargen}}, {\mathsf {crsgen}}, \mathsf{prover}, {\mathsf {ver}})\) a quasi-adaptive non-interactive zero-knowledge (QA-NIZK) proof system for witness-relations \(\mathcal{R} _\lambda = \{R_\rho \}\) with parameters sampled from a distribution \(\mathcal{D}\) over associated parameter language \(\mathcal{{L}_{\text {par}}}\), if there exist simulators \({\mathsf {crssim}}\) and \({\mathsf {sim}}\) such that for all non-uniform PPT adversaries \(\mathcal{A} _1, \mathcal{A} _2, \mathcal{A} _3,\) we have (in all of the following probabilistic experiments, the experiment starts by setting \(\lambda \) as \(\lambda \leftarrow {\mathsf {pargen}}(1^m)\), and choosing \(\rho \) as \(\rho \leftarrow \mathcal{D}_\lambda \)):

  • Quasi-Adaptive Completeness:

    $$ \Pr \left[ \begin{array}{l} \mathsf{CRS} \leftarrow {\mathsf {crsgen}}(\lambda ,\rho ) \\ (x, w) \leftarrow \mathcal{A} _1(\mathsf{CRS}, \rho ) \\ \pi \leftarrow \mathsf{prover} (\mathsf{CRS}, x, w) \end{array} :\ \begin{array}{c} {\mathsf {ver}}(\mathsf{CRS}, x, \pi ) =1 \ \mathbf {if} \\ R_\rho (x,w) \end{array} \right] = 1 $$
  • Quasi-Adaptive Soundness:

    $$ \Pr \left[ \begin{array}{l} \mathsf{CRS} \leftarrow {\mathsf {crsgen}}(\lambda ,\rho ) \\ (x, \pi ) \leftarrow \mathcal{A} _2(\mathsf{CRS}, \rho ) \end{array} :\ \begin{array}{c} x \notin L_\rho \ \mathbf {and} \\ {\mathsf {ver}}(\mathsf{CRS}, x, \pi ) =1 \end{array} \right] \approx 0 $$
  • Quasi-Adaptive Zero-Knowledge:

    $$\begin{aligned} \begin{array}{c} \Pr \left[ \mathsf{CRS} \leftarrow {\mathsf {crsgen}}(\lambda ,\rho ) :\ \mathcal{A} _3^{\mathsf{prover} (\mathsf{CRS}, \cdot , \cdot )}(\mathsf{CRS}, \rho ) = 1 \right] \\ \approx \\ \Pr \left[ (\mathsf{CRS}, {\mathsf {trap}}) \leftarrow {\mathsf {crssim}}(\lambda , \rho ) :\ \mathcal{A} _3^{{\mathsf {sim}}^*(\mathsf{CRS}, {\mathsf {trap}}, \cdot , \cdot )}(\mathsf{CRS}, \rho ) = 1 \right] , \end{array} \end{aligned}$$

    where \({\mathsf {sim}}^*(\mathsf{CRS}, {\mathsf {trap}}, x, w) = {\mathsf {sim}}(\mathsf{CRS}, {\mathsf {trap}}, x)\) for \((x, w)\in R_\rho \) and both oracles (i.e. \(\mathsf{prover} \) and \({\mathsf {sim}}^*\)) output failure if \((x, w)\not \in R_\rho \).

Definition 2

(True-Simulation-Sound [Har11]). A QA-NIZK is called true-simulation-sound if the verifier is sound even when an adaptive adversary has access to simulated proofs on language members. More precisely, for all PPT \(\mathcal{A} \),

$$ \Pr \left[ \begin{array}{l} (\mathsf{CRS}, {\mathsf {trap}}) \leftarrow {\mathsf {crssim}}(\lambda , \rho ) \\ (x, \pi ) \leftarrow \mathcal{A} ^{{\mathsf {sim}}(\mathsf{CRS}, {\mathsf {trap}}, \cdot , \cdot )}(\mathsf{CRS}, \rho ) \end{array} :\ \begin{array}{c} x \not \in L_\rho \ \mathbf {and} \\ {\mathsf {ver}}(\mathsf{CRS}, x, \pi ) = 1 \end{array} \right] \approx 0, $$

where the experiment aborts if the oracle is called with some \(x \not \in L_\rho \).

Definition 3

(Strong Split-CRS QA-NIZK [JR13]). We call a tuple of efficient algorithms \(({\mathsf {pargen}},{\mathsf {crsgen}}_{v},{\mathsf {crsgen}}_{p}, \mathsf{prover},{\mathsf {ver}})\) a strong split-CRS QA-NIZK proof system for an ensemble of distributions \(\{\mathcal{D}_\lambda \}\) on a collection of witness-relations \(\mathcal{R} _\lambda = \{R_\rho \}\) with associated parameter language \(\mathcal{{L}_{\text {par}}}\) if there exist probabilistic polynomial time simulators \(({\mathsf {crssim}}_{v},{\mathsf {crssim}}_{p}, {\mathsf {sim}})\), such that for all non-uniform PPT adversaries \(\mathcal{A} _1, \mathcal{A} _2, \mathcal{A} _3,\) and \(\lambda \leftarrow {\mathsf {pargen}}(1^m)\), we have:

  • Quasi-Adaptive Completeness:

    $$ \Pr \left[ \begin{array}{l} (\mathsf{CRS}_v,st) \leftarrow {\mathsf {crsgen}}_v(\lambda ), \ \rho \leftarrow \mathcal{D}_{\lambda } \\ \mathsf{CRS}_p \leftarrow {\mathsf {crsgen}}_p(\lambda ,\rho , st) \\ (x,w) \leftarrow \mathcal{A} _1(\lambda , \mathsf{CRS}_v,\mathsf{CRS}_p, \rho ) \\ \pi \leftarrow \mathsf{prover} (\mathsf{CRS}_p, x,w) \end{array} :\ \begin{array}{c} {\mathsf {ver}}(\mathsf{CRS}_v, x, \pi ) =1 \ \mathbf {if} \\ R_\rho (x,w) \end{array} \right] = 1 $$
  • Quasi-Adaptive Soundness:

    $$ \Pr \left[ \begin{array}{l} (\mathsf{CRS}_v,st) \leftarrow {\mathsf {crsgen}}_v(\lambda ),\ \rho \leftarrow \mathcal{D}_{\lambda } \\ \mathsf{CRS}_p \leftarrow {\mathsf {crsgen}}_p(\lambda ,\rho ,st) \\ (x,\pi ) \leftarrow \mathcal{A} _2(\lambda , \mathsf{CRS}_v,\mathsf{CRS}_p, \rho ) \end{array} :\ \begin{array}{c} {\mathsf {ver}}(\mathsf{CRS}_v, x,\pi ) =1\ \mathbf {and} \\ \mathbf {not}\ (\exists w: R_\rho (x,w)) \end{array} \right] \approx 0 $$
  • Quasi-Adaptive Zero-Knowledge:

    $$\begin{aligned} \begin{array}{c} \Pr \left[ \begin{array}{l} (\mathsf{CRS}_v, st) \leftarrow {\mathsf {crsgen}}_v(\lambda ) \\ \rho \leftarrow \mathcal{D}_{\lambda } \\ \mathsf{CRS}_p \leftarrow {\mathsf {crsgen}}_p(\lambda ,\rho ,st) \end{array} :\ \begin{array}{c} \mathcal{A} _3^{\mathsf{prover} (\mathsf{CRS}_p, \cdot , \cdot )}(\lambda , \mathsf{CRS}_v,\mathsf{CRS}_p, \rho ) = 1 \end{array} \right] \\ \approx \\ \Pr \left[ \begin{array}{l} (\mathsf{CRS}_v, {\mathsf {trap}}, st) \leftarrow {\mathsf {crssim}}_{v}(\lambda ) \\ \rho \leftarrow \mathcal{D}_{\lambda } \\ \mathsf{CRS}_p \leftarrow {\mathsf {crssim}}_p(\lambda , \rho ,st) \end{array} :\ \begin{array}{c} \mathcal{A} _3^{{\mathsf {sim}}^*({\mathsf {trap}}, \cdot , \cdot )}(\lambda , \mathsf{CRS}_v,\mathsf{CRS}_p, \rho ) = 1 \end{array} \right] , \end{array} \end{aligned}$$

    where \({\mathsf {sim}}^*({\mathsf {trap}}, x,w) = {\mathsf {sim}}({\mathsf {trap}}, x)\) for \((x,w)\in R_\rho \) and both oracles (i.e. \(\mathsf{prover} \) and \({\mathsf {sim}}^*\)) output failure if \((x,w)\not \in R_\rho \).

2.2 Strong Split-CRS QA-NIZK for Affine Languages

We now describe a strong split-CRS QA-NIZK \(({\mathsf {pargen}}, {\mathsf {crsgen}}_v, {\mathsf {crsgen}}_p, \mathsf{prover}, {\mathsf {ver}})\) for affine linear subspace languages \(\{ L_{[{\mathbf {\mathsf{{M}}}}]_1, [{\mathbf {a}}]_1} \}\), consisting of words of the form \(\left[ {\mathbf {\mathsf{{M}}}} {\mathbf {x}} + {\mathbf {a}} \right] _1\), with parameters sampled from a robust and efficiently witness-samplable distribution \(\mathcal{D}\) over the associated parameter language \(\mathcal{{L}_{\text {par}}}\) and with soundness under a \(\mathcal{D}_k\)-\(\textsc {mddh} \) assumption. Robustness means that the top square matrix of \({\mathbf {\mathsf{{M}}}}\) is full-ranked with overwhelming probability. The construction is essentially the one of [JR13] adapted to the framework of [KW15].

Algorithm \({\mathsf {crsgen}}_v\): The algorithm \({\mathsf {crsgen}}_v\) samples a matrix \({\mathbf {\mathsf{{K}}}} \leftarrow \mathbb {Z}_q^{n \times k}\), a vector \({\mathbf {k}} \leftarrow \mathbb {Z}_q^k\) and a matrix \({\mathbf {\mathsf{{A}}}}^{(k+1) \times k}\) from the MDDH distribution \(\mathcal{D}_k\). Let \(\bar{{\mathbf {\mathsf{{A}}}}}\) be the top \(k \times k\) square matrix of \({\mathbf {\mathsf{{A}}}}\). Then it computes:

$$ \mathsf{CRS}_v:= \left( [{\mathbf {\mathsf{{C}}}}_0]_2^{n \times k} = [ {\mathbf {\mathsf{{K}}}} \bar{{\mathbf {\mathsf{{A}}}}}]_2,\quad [{\mathbf {\mathsf{{C}}}}_1]_2^{1 \times k} = [ {\mathbf {k}} \cdot \bar{{\mathbf {\mathsf{{A}}}}}]_2,\quad [\bar{{\mathbf {\mathsf{{A}}}}}]_2^{k \times k} \right) $$

and state \(st = ({\mathbf {\mathsf{{K}}}},\ {\mathbf {k}})\).

Algorithm \({\mathsf {crsgen}}_p\): Let \(\rho = ([{\mathbf {\mathsf{{M}}}}]_1^{n \times t}, [{\mathbf {a}}]_1^{n \times 1})\) be the language parameter supplied to \({\mathsf {crsgen}}_p\) and \(st = ({\mathbf {\mathsf{{K}}}},\ {\mathbf {k}})\) be the state transmitted by \({\mathsf {crsgen}}_v\). Then it computes:

$$ \mathsf{CRS}_p:= \left( [{\mathbf {\mathsf{{P}}}}_0]_1^{t \times k} = [{\mathbf {\mathsf{{M}}}}^\top {\mathbf {\mathsf{{K}}}}]_1,\quad [{\mathbf {\mathsf{{P}}}}_1]_1^{1 \times k} = [{\mathbf {a}} \cdot {\mathbf {\mathsf{{K}}}} + {\mathbf {k}}^\top ]_1 \right) $$

Prover \(\mathsf{prover} \) : Given candidate \({\mathbf {y}} = [ {\mathbf {\mathsf{{M}}}} {\mathbf {x}} + {\mathbf {a}}]_1\) with witness vector \({\mathbf {x}}^{t \times 1}\), the prover generates the following proof consisting of k elements in \(\mathbb {G} _1\):

$$ {\varvec{\pi }} := {\mathbf {x}} \cdot [{\mathbf {\mathsf{{P}}}}_0]_1 + [{\mathbf {\mathsf{{P}}}}_1]_1 $$

Verifier \({\mathsf {ver}}\) : Given candidate \({\mathbf {y}}\), and proof \({\varvec{\pi }}\), compute:

$$ \mathsf{e}({\mathbf {y}}^\top , [{\mathbf {\mathsf{{C}}}}_0]_2) + \mathsf{e}([1]_1, [{\mathbf {\mathsf{{C}}}}_1]_2) \mathop {=}\limits ^{?}\mathsf{e}({\varvec{\pi }}, [\bar{{\mathbf {\mathsf{{A}}}}}]_2) $$

Simulators \({\mathsf {crssim}}_v, {\mathsf {crssim}}_p\) and \({\mathsf {sim}}\): The algorithms \({\mathsf {crssim}}_v\) and \({\mathsf {crssim}}_p\) are identical to \({\mathsf {crsgen}}_v\) and \({\mathsf {crsgen}}_p\) respectively, except that \({\mathsf {crssim}}_v\) also outputs \({\mathsf {trap}}:= ({\mathbf {\mathsf{{K}}}},\ [{\mathbf {k}}]_1)\). The proof simulator \({\mathsf {sim}}\) takes candidate \({\mathbf {y}}\) and trapdoor \(({\mathbf {\mathsf{{K}}}},\ [{\mathbf {k}}]_1)\) and outputs:

$$ {\varvec{\pi }} := {\mathbf {y}} \cdot {\mathbf {\mathsf{{K}}}} + [{\mathbf {k}}^\top ]_1 $$
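As an added worked example (not code from the paper), the following Python models the algebra of the split-CRS QA-NIZK above at the exponent level: every group element \([a]\) is stored as its discrete log \(a \in \mathbb {Z}_q\), so the pairing \(\mathsf{e}([a]_1,[b]_2) = [ab]_T\) is multiplication mod q and the group operation is addition. It checks that an honest proof and a simulated proof both satisfy the verification equation, and that a proof transplanted onto a different word does not. The toy modulus, the seeded randomness, the names `demo`, `word` and `sample_dk`, and the modelling of \(\mathcal{D}_k\) as uniformly random entries are all my assumptions; this model exposes no hiding and demonstrates only the correctness of the equations, not security.

```python
"""Exponent-level model of the strong split-CRS QA-NIZK for affine languages.

Group elements [a]_1, [a]_2, [a]_T are represented by their discrete logs
a in Z_q, so e([a]_1, [b]_2) = [ab]_T is multiplication mod q and the group
operation is addition mod q.  This checks the linear algebra of
crsgen_v / crsgen_p / prover / ver / sim; it provides no hiding or security.
"""
import random

MOD_Q = (1 << 61) - 1          # prime group order (constructed toy parameter)
rng = random.Random(2017)      # seeded so runs are reproducible


def rand_matrix(rows, cols):
    return [[rng.randrange(MOD_Q) for _ in range(cols)] for _ in range(rows)]


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    """Matrix product over Z_q; A is r x m, B is m x c."""
    assert len(A[0]) == len(B)
    return [[sum(a * b for a, b in zip(row, col)) % MOD_Q for col in zip(*B)]
            for row in A]


def matadd(A, B):
    return [[(a + b) % MOD_Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def sample_dk(k):
    """Sample A from a D_k distribution: (k+1) x k with full-rank top square.
    Modelled here (assumption) as uniform entries, full rank w.h.p. for large q."""
    return rand_matrix(k + 1, k)


def crsgen_v(n, k):
    """Verifier CRS: depends only on n and k, not on the language parameter."""
    K = rand_matrix(n, k)               # K in Z_q^{n x k}
    kvec = rand_matrix(1, k)            # k^T as a 1 x k row
    A = sample_dk(k)
    Abar = A[:k]                        # top k x k square of A
    C0 = matmul(K, Abar)                # [K Abar]_2, n x k
    C1 = matmul(kvec, Abar)             # [k . Abar]_2, 1 x k
    crs_v = (C0, C1, Abar)
    st = (K, kvec)
    trap = (K, kvec)                    # crssim_v additionally outputs (K, [k]_1)
    return crs_v, st, trap


def crsgen_p(M, a, st):
    """Prover CRS for language parameter rho = ([M]_1, [a]_1), M n x t, a n x 1."""
    K, kvec = st
    P0 = matmul(transpose(M), K)                    # [M^T K]_1, t x k
    P1 = matadd(matmul(transpose(a), K), kvec)      # [a . K + k^T]_1, 1 x k
    return P0, P1


def prover(crs_p, x):
    """Proof for y = [M x + a]_1 with witness x (t x 1): pi = x . P0 + P1."""
    P0, P1 = crs_p
    return matadd(matmul(transpose(x), P0), P1)     # k elements of G_1


def ver(crs_v, y, pi):
    """Check e(y^T, C0) + e([1]_1, C1) == e(pi, Abar) in the target group."""
    C0, C1, Abar = crs_v
    lhs = matadd(matmul(transpose(y), C0), C1)
    rhs = matmul(pi, Abar)
    return lhs == rhs


def sim(trap, y):
    """Simulated proof without a witness: pi = y . K + [k^T]_1."""
    K, kvec = trap
    return matadd(matmul(transpose(y), K), kvec)


def word(M, a, x):
    """The language member [M x + a]_1 for witness x."""
    return matadd(matmul(M, x), a)


def demo(n=4, t=2, k=1):
    """Return (honest_ok, simulated_ok, transplanted_ok) for one random instance."""
    crs_v, st, trap = crsgen_v(n, k)
    M, a = rand_matrix(n, t), rand_matrix(n, 1)     # language parameter rho
    crs_p = crsgen_p(M, a, st)
    x = rand_matrix(t, 1)
    y = word(M, a, x)
    pi = prover(crs_p, x)
    honest_ok = ver(crs_v, y, pi)
    simulated_ok = ver(crs_v, y, sim(trap, y))
    # The same proof reused for an unrelated word (a random element of G_1^n)
    # fails, since (y' - y)^T K Abar vanishes only with negligible probability.
    y_other = rand_matrix(n, 1)
    transplanted_ok = ver(crs_v, y_other, pi)
    return honest_ok, simulated_ok, transplanted_ok


if __name__ == "__main__":
    print(demo())  # expected (True, True, False)
```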

Theorem 1

The above algorithms \(({\mathsf {pargen}}, {\mathsf {crsgen}}_v, {\mathsf {crsgen}}_p, \mathsf{prover}, {\mathsf {ver}})\) constitute a true-simulation-sound strong split-CRS QA-NIZK proof system for affine languages \(\{ L_{[{\mathbf {\mathsf{{M}}}}]_1, [{\mathbf {a}}]_1} \}\) with parameters \(([{\mathbf {\mathsf{{M}}}}]_1,\ [{\mathbf {a}}]_1)\) sampled from a robust and efficiently witness-samplable distribution \(\mathcal{D}\) over the associated parameter language \(\mathcal{{L}_{\text {par}}}\), given any group generation algorithm for which the \(\mathcal{D}_k\)-\(\textsc {mddh} \) assumption holds for group \(\mathbb {G} _2\).

2.3 Projective Hash Proof System

For a language L, let X be a superset of L and let \(H = (H_k)_{k \in K}\) be a collection of (hash) functions indexed by K with domain X and range another set \(\varPi \). The hash function family is generalized to a notion of projective hash function family if there is a set S of projection keys, and a projection map \(\alpha : \, K \rightarrow S\), and further the action of \(H_k\) on subset L of X is completely determined by the projection key \(\alpha (k)\). Finally, the projective hash function family is defined to be \(\epsilon \)-universal\(_2\) if for all \(s\in S\), \(x, x^* \in X\), and \(\pi , \pi ^* \in \varPi \) with \(x \not \in L \cup \{x^*\}\), the following holds:

$$\begin{aligned} \Pr [H_k(x) = \pi ~|~ H_k(x^*) = \pi ^* \, \wedge \alpha (k) = s] \, \le \, \epsilon . \end{aligned}$$

A projective hash function family is called \(\mathbf {\epsilon }\)-smooth if for all \(x \in X \setminus L\), the statistical difference between the following two distributions is \(\epsilon \): sample k uniformly from K and \(\pi '\) uniformly from \(\varPi \); the first distribution is given by the pair \((\alpha (k), H_k(x))\) and the second by the pair \((\alpha (k), \pi ')\). For languages defined by a witness-relation R, the projective hash proof family constitutes a projective hash proof system (PHPS) if \(\alpha \), \(H_k\), and another public evaluation function \(\hat{H}\) that computes \(H_k\) on \(x \in L\), given a witness of x and only the projection key \(\alpha (k)\), are all efficiently computable. An efficient algorithm for sampling the key \(k \in K\) is also assumed.

The above notions can also incorporate labels. In an extended PHPS, the hash functions take an additional input called a label. The public evaluation algorithm also takes this label. All the above notions are now required to hold for each possible value of the label. The extended PHPS is now defined to be \(\epsilon \)-universal\(_2\) if for all \(s\in S\), \(x, x^* \in X\), all labels \(\mathtt{l}\) and \(\mathtt{l}^*\), and \(\pi , \pi ^* \in \varPi \) with \(x \not \in L\) and \((x, \mathtt{l}) \ne (x^*, \mathtt{l}^*)\), the following holds:

$$ \Pr [H_k(x, \mathtt{l}) = \pi ~|~ H_k(x^*, \mathtt{l}^*) = \pi ^* \, \wedge \alpha (k) = s ] \, \le \, \epsilon . $$

Since we are interested in distributions of languages, we extend the above definition to distributions of languages. So consider a parametrized class of languages \(\{L_\rho \}_{\rho }\) with the parameters coming from an associated parameter language \(\mathcal{{L}_{\text {par}}}\). Assume that all the languages in this collection are subsets of X. Let H as above be a collection of hash functions from X to \(\varPi \). We say that the hash family is a projective hash family if for all \(L_\rho \), the action of \(H_k\) on \(L_\rho \) is determined by \(\alpha (k)\). Similarly, the hash family is \(\epsilon \)-universal\(_2\) (\(\epsilon \)-smooth) for \(\{L_\rho \}_{\rho }\) if for all languages \(L_\rho \) the \(\epsilon \)-universal\(_2\) (resp. \(\epsilon \)-smooth) property holds.

2.4 Structure-Preserving Signatures

Definition 4 (Structure-preserving signature)

A structure-preserving signature scheme SPS is defined as a triple of probabilistic polynomial time (PPT) algorithms \(SPS = ({\mathsf {Gen}}, {\mathsf {Sign}}, {\mathsf {Verify}})\):

  • The probabilistic key generation algorithm \({\mathsf {Gen}}(par)\) returns the public/secret key pair \((pk, sk)\), where \(pk \in \mathbb {G}^{n_{pk}}\) for some \(n_{pk} \in poly(\lambda )\). We assume that pk implicitly defines a message space \(M := \mathbb {G}^n\) for some \(n \in poly(\lambda )\).

  • The probabilistic signing algorithm \({\mathsf {Sign}}(sk, [m])\) returns a signature \(\sigma \in \mathbb {G}^{n_\sigma }\) for \(n_\sigma \in poly(\lambda )\).

  • The deterministic verification algorithm \({\mathsf {Verify}}(pk, [m], \sigma )\) only consists of pairing product equations and returns 1 (accept) or 0 (reject).

Perfect correctness holds if for all \((pk,sk)\leftarrow {\mathsf {Gen}}(par)\) and all messages \([m]\in M\) and all \(\sigma \leftarrow {\mathsf {Sign}}(sk, [m])\) we have \({\mathsf {Verify}}(pk, [m], \sigma ) = 1\).

Definition 5 (Unforgeability against chosen message attack)

To an adversary A and scheme SPS we associate the advantage function:

$$ {\textsc {ADV}}^{CMA}_{SPS}(A) := \Pr \left[ \begin{array}{l} (pk,sk) \leftarrow {\mathsf {Gen}}(par) \\ ([m^*], \sigma ^*) \leftarrow A^{SignO(\cdot )}(pk) \end{array} :\ \begin{array}{c} [m^*] \notin Q_{msg} \ \mathbf {and} \\ {\mathsf {Verify}}(pk, [m^*], \sigma ^*) = 1 \end{array} \right] $$

where SignO([m]) runs \(\sigma \leftarrow {\mathsf {Sign}}(sk, [m])\), adds the vector [m] to \(Q_{msg}\) (initialized with \(\emptyset \)) and returns \(\sigma \) to A. An SPS is said to be (unbounded) CMA-secure if for all PPT adversaries A, \({\textsc {ADV}}^{CMA}_{SPS}(A)\) is negligible.

3 SPS Construction

Our SPS construction for a general \(\mathcal{D}_k\)-\(\textsc {mddh} \) assumption is given in Fig. 1. We also give the instantiation of this SPS for the Symmetric eXternal Diffie-Hellman (\({\textsc {sxdh}} \)) assumption in Fig. 2. The construction assumes groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and a target group \(\mathbb {G}_T\) with an efficient bilinear pairing \(\mathsf{e}\) from \(\mathbb {G}_1 \times \mathbb {G}_2\) to \(\mathbb {G}_T\).

Fig. 1. Structure Preserving Signature \(SPS_{\textsc {mddh}}\)

Fig. 2. Structure Preserving Signature \(SPS_{{\textsc {sxdh}}}\)

3.1 Security of the SPS Scheme

In this section we state and prove the security of the scheme \(SPS_{\textsc {mddh}}\) described in Fig. 1. The proof is similar to the proof of the CCA2 secure encryption scheme of Cramer and Shoup [CS02], where tag-based universal\(_2\) projective hash proofs were introduced. The main difference is that the tag in structure preserving signatures (SPS) cannot be generated by hashing some of the group elements. The tag is therefore generated randomly and independently in SPS. The adversary may then try to forge a signature by setting the tag to be the same as the tag in one of the signatures it obtained earlier, and choosing the other elements of the forged signature by modifying and combining elements of the various signatures it obtained. In contrast, in Cramer-Shoup encryption, any change in the other group elements of a ciphertext forces the tag to be different from all earlier ciphertext tags. To circumvent this problem in SPS, the tag t is provided as both \([t]_2\) and \([t {\mathbf {r}}]_1\), where \([{\mathbf {r}}]_1\) is randomness introduced as part of the signature. The validity of this relation can be checked publicly and efficiently using the asymmetric bilinear pairing. Intuitively, this prevents the adversary from modifying and combining elements from various signatures. It is now forced to modify at most one signature, while keeping the tag the same as in that signature. However, an affine secret component \([k_0]_1\) in the SPS signature, which is issued encrypted under a CCA2 encryption scheme and verified using a publicly verifiable QA-NIZK for affine languages, then disallows even this kind of forgery.

Theorem 2

For any efficient adversary \(\mathcal{A} \), which makes at most Q signature queries before attempting a forgery, its probability of success in the EUF-CMA game against the scheme \(SPS_{\textsc {mddh}}\) is at most

$$ {\textsc {ADV}}_{\varPi }^{TSS} + Q^2 \cdot \left( {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + \frac{3}{2q} \right) + \frac{Q}{q} + \frac{1}{q} $$

Proof

We go through a sequence of Games \(\mathbf G_{0}\) to \(\mathbf G_{6}\) which are described below and summarized in Fig. 3. In the following, \(\mathrm{Prob}_i[X]\) will denote the probability of predicate X holding in the probability space defined by Game \(\mathbf G_{i} \).

Fig. 3. \(\mathbf G\) Games and winning conditions

Game \(\mathbf G_{0}\): Given setup parameters \((q, \mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, \mathsf{e}, [1]_1, [1]_2, n, \mathcal{D}_k)\), the challenger \(\mathcal{C}\) initializes a list \(\mathcal{M} \) to empty, generates \((\mathsf{CRS}_v, {\mathsf {trap}}, st) \leftarrow \varPi .{\mathsf {crssim}}_v\), and then samples \( {\mathbf {\mathsf{{B}}}}^{(k+1) \times k} \leftarrow \mathcal{D}_k \text { and } (k_0,\ {\mathbf {k}},\ {\mathbf {d}},\ {\mathbf {e}}) \leftarrow \mathbb {Z}_q\times \mathbb {Z}_q^n \times \mathbb {Z}_q^k \times \mathbb {Z}_q^k. \)

Then it sends the setup parameters and \(\mathsf{CRS}_v \) to adversary \(\mathcal{A}\) as the public key. For \(i \in [1..Q]\), \(\mathcal{A}\) adaptively requests a signature on \({\varvec{\mu }}_i\) (\(\in \mathbb {G} _1^n\)). The challenger \(\mathcal{C}\) generates signature \(\sigma _i\) by first sampling \(({\mathbf {r}}, \textsc {tag}) \leftarrow \mathbb {Z}_q^k \times \mathbb {Z}_q\), and then setting:

$$ \sigma _i := \left( \begin{array}{c} {\varvec{\rho }} = [\overline{{\mathbf {\mathsf{{B}}}}}{\mathbf {r}}]_1,\ \hat{\rho } = [\underline{{\mathbf {\mathsf{{B}}}}} {\mathbf {r}}]_1,\ {\varvec{\psi }} = \textsc {tag}\ [\overline{{\mathbf {\mathsf{{B}}}}} {\mathbf {r}}]_1,\ \\ \gamma = {\mathbf {k}} \cdot {\varvec{\mu }}_i + [k_0]_1 + {\mathbf {d}} \cdot {\varvec{\rho }} + {\mathbf {e}} \cdot {\varvec{\psi }},\ \tau = [\textsc {tag}]_2, \\ {\varvec{\pi }} = \varPi .{\mathsf {sim}}({\mathsf {trap}}, ({\varvec{\mu }}_i, {\varvec{\rho }}, \hat{\rho }, {\varvec{\psi }}, \gamma )) \end{array} \right) $$

It then sends \( \sigma _i \) to \(\mathcal{A}\), and adds \({\varvec{\mu }}_i\) to the list \(\mathcal{M} \). After it obtains Q signatures, \(\mathcal{A}\) responds with a message \({\varvec{\mu }}^*\) and a claimed signature \(\sigma ^*\) on it. The adversary wins if \({\varvec{\mu }}^* \not \in \mathcal{M} \) and \(({\varvec{\mu }}^*, \sigma ^*)\) passes \(\mathsf{verify}\). Define:

[figure a: definition of the winning predicate \(\mathsf{WIN} _0\)]

This game exactly replicates the real construction to the adversary. So the adversary’s advantage in \(\mathbf G_{0}\) is the EUF-CMA advantage we seek to bound.

Game \(\mathbf G_{1}\): The challenge-response in this game is the same as Game \(\mathbf G_{0}\) except that in each signature the value \(\textsc {tag}\) is chosen randomly but distinctly from all the earlier \(\textsc {tag}\)’s. The winning condition remains the same, i.e. \(\mathsf{WIN} _0\).

The statistical difference between the view of the adversary in \(\mathbf G_{0}\) and \(\mathbf G_{1}\) is the probability of collision in the choice of \(\textsc {tag}\) for the Q signature queries in \(\mathbf G_{0}\), which is at most \(Q^2/(2\cdot q)\).

Game \(\mathbf G_{2}\): The challenge-response in this game is the same as \(\mathbf G_{1}\). The winning condition is now defined as

$$\begin{aligned} \mathsf{WIN} _2 \mathop {=}\limits ^{\triangle }&\ \mathsf{WIN} _0 \,\,{\mathbf {and}}\,\,(\sigma ^* = ({\varvec{\rho }}^*, \hat{\rho }^*, {\varvec{\psi }}^*, \gamma ^*, \tau ^*, {\varvec{\pi }}^*) \text { s.t.}\\&(\gamma ^* = {\mathbf {k}} \cdot {\varvec{\mu }}^* + [k_0]_1 + {\mathbf {d}} \cdot {\varvec{\rho }}^* + {\mathbf {e}} \cdot {\varvec{\psi }}^*) \\&\,\,{\mathbf {and}}\,\,(({\varvec{\rho }}^*, \hat{\rho }^*) \in Span([{\mathbf {\mathsf{{B}}}}]_1)) \end{aligned}$$

The difference in advantages of the adversary is upper bounded by the unbounded true-simulation-soundness of \(\varPi \):

$$\begin{aligned} | \mathrm{Prob}_{2} [ \mathsf{WIN} _2 ] - \mathrm{Prob}_{1} [ \mathsf{WIN} _1] | \le {\textsc {ADV}}_{\varPi }^{TSS} \end{aligned}$$
(1)

Game \(\mathbf G_{3}\): The challenge-response in this game is the same as \(\mathbf G_{2}\). The winning condition is now defined as

$$\begin{aligned} \mathsf{WIN} _3 \mathop {=}\limits ^{\triangle }&\ \mathsf{WIN} _0 \,\,{\mathbf {and}}\,\,(\sigma ^* = ({\varvec{\rho }}^*, \hat{\rho }^*, {\varvec{\psi }}^*, \gamma ^*, \tau ^*, {\varvec{\pi }}^*) \text { s.t.}\\&(\mathsf{e}(\gamma ^*,[1]_2) = \mathsf{e}({\mathbf {k}}\cdot {\varvec{\mu }}^* + [k_0]_1 + {\mathbf {d}} \cdot {\varvec{\rho }}^*, [1]_2) + \mathsf{e}({\mathbf {e}} \cdot {\varvec{\rho }}^*, \tau ^*)) \\&\,\,{\mathbf {and}}\,\,(({\varvec{\rho }}^*, \hat{\rho }^*) \in Span([{\mathbf {\mathsf{{B}}}}]_1)) \end{aligned}$$

Note that the predicate \( \mathsf{WIN} _3 \) is efficiently computable by the challenger \(\mathcal{C}\) as it generated \({\mathbf {\mathsf{{B}}}}\) as part of the language parameters \(({\mathbf {\mathsf{{M}}}}, {\mathbf {a}})\). As \(\mathsf{WIN} _0\) implies \(\mathsf{e}({\varvec{\psi }}^*, [1]_2) = \mathsf{e}({\varvec{\rho }}^*, \tau ^*)\), the winning condition is unchanged from the previous game and thus, \( \mathrm{Prob}_{2} [ \mathsf{WIN} _2 ]\) is the same as \( \mathrm{Prob}_{3} [ \mathsf{WIN} _3]\).

Game \(\mathbf G_{4}\): Define \({\mathbf {t}}^{k \times 1} \mathop {=}\limits ^{\triangle }(\underline{{\mathbf {\mathsf{{B}}}}}\ \overline{{\mathbf {\mathsf{{B}}}}}^{-1})^\top \). Since \({\mathbf {\mathsf{{B}}}}\) has full rank with overwhelming probability, we observe that \({\varvec{\rho }}\) can simply be sampled uniformly at random from \(\mathbb {Z}_q^k\) and \( \hat{\rho } \) can be set to \( {\mathbf {t}} \cdot {\varvec{\rho }} \) in the signature generation algorithm. Also, in the winning condition \(({\varvec{\rho }}^*, \hat{\rho }^*) \in Span([{\mathbf {\mathsf{{B}}}}]_1)\) can equivalently be written as \(\hat{\rho }^* \mathop {=}\limits ^{?}{\mathbf {t}} \cdot {\varvec{\rho }}^*\), with no other constraints on \({\varvec{\rho }}^*\).

In Game \(\mathbf G_{4}\), the challenger \(\mathcal{C}\) picks \(({\mathbf {d}}_1,\ d_2,\ {\mathbf {e}}_1,\ e_2)\) at random from \(\mathbb {Z}_q^{2k+2}\), and sets \({\mathbf {d}} = {\mathbf {d}}_1 + d_2 {\mathbf {t}}\) and \({\mathbf {e}} = {\mathbf {e}}_1 + e_2 {\mathbf {t}}\) (i.e., instead of directly picking \({\mathbf {d}}\) and \({\mathbf {e}}\) at random while defining \(\mathcal{{L}_{\text {par}}}\)). This does not change the adversary's view statistically.

The winning condition is now defined and computed as:

$$\begin{aligned} \mathsf{WIN} _{4} \mathop {=}\limits ^{\triangle }&\ \mathsf{WIN} _0 \,\,{\mathbf {and}}\,\,(\sigma ^* = ({\varvec{\rho }}^*, {\varvec{\hat{\rho }}}^*, {\varvec{\psi }}^*, \gamma ^*, \tau ^*, {\varvec{\pi }}^*) \text { s.t.}\\&(\mathsf{e}(\gamma ^*,[1]_2) = \mathsf{e}({\mathbf {k}} \cdot {\varvec{\mu }}^* + [k_0]_1 + {\mathbf {d}}_1 \cdot {\varvec{\rho }}^* + d_2 \hat{\rho }^*, [1]_2) \\ {}&\quad + \mathsf{e}({\mathbf {e}}_1 \cdot {\varvec{\rho }}^* + e_2 \hat{\rho }^*, \tau ^*)) \\&\,\,{\mathbf {and}}\,\,(\hat{\rho }^* \mathop {=}\limits ^{?}{\mathbf {t}} \cdot {\varvec{\rho }}^*) \end{aligned}$$

Since \(\hat{\rho }^* = {\mathbf {t}} \cdot {\varvec{\rho }}^*\), it directly follows that \(({\mathbf {d}}_1 + d_2 {\mathbf {t}}) \cdot {\varvec{\rho }}^*\) is the same as \(({\mathbf {d}}_1 \cdot {\varvec{\rho }}^* + d_2 \hat{\rho }^*)\), and \(({\mathbf {e}}_1 + e_2 {\mathbf {t}}) \cdot {\varvec{\rho }}^*\) is the same as \(({\mathbf {e}}_1 \cdot {\varvec{\rho }}^* + e_2 \hat{\rho }^*)\). Therefore \(\mathsf{WIN} _{4} \equiv \mathsf{WIN} _{3}\).

Game \(\mathbf G_{5}\): In this game, we define \(\mathsf{WIN} _{5}\) to be the same as \(\mathsf{WIN} _{4}\), except that it does not have the conjunct \(\hat{\rho }^* \mathop {=}\limits ^{?}{\mathbf {t}} \cdot {\varvec{\rho }}^*\).

$$\begin{aligned} \mathsf{WIN} _{5} \mathop {=}\limits ^{\triangle }&\ \mathsf{WIN} _0 \,\,{\mathbf {and}}\,\,(\sigma ^* = ({\varvec{\rho }}^*, {\varvec{\hat{\rho }}}^*, {\varvec{\psi }}^*, \gamma ^*, \tau ^*, {\varvec{\pi }}^*) \text { s.t.}\\&(\mathsf{e}(\gamma ^*,[1]_2) = \mathsf{e}({\mathbf {k}} \cdot {\varvec{\mu }}^* + [k_0]_1 + {\mathbf {d}}_1 \cdot {\varvec{\rho }}^* + d_2 \hat{\rho }^*, [1]_2) \\ {}&\quad + \mathsf{e}({\mathbf {e}}_1 \cdot {\varvec{\rho }}^* + e_2 \hat{\rho }^*, \tau ^*)) \end{aligned}$$

We now prove that:

$$\begin{aligned} |\mathrm{Prob}_{5}[ \mathsf{WIN} _{5} ] - \mathrm{Prob}_{4}[ \mathsf{WIN} _{4}] | \le 1/q \end{aligned}$$
(2)

Firstly, note that the probability spaces in \(\mathbf G_{4}\) and \(\mathbf G_{5}\) are identical. We will now show that an adversary \(\mathcal{A} \) in Game \(\mathbf G_{4}\) has probability at most \(1/q\) of forcing \(\mathsf{WIN} _{5}\) while not satisfying \(\mathsf{WIN} _{4}\), i.e., of forcing \(\mathsf{WIN} _{5} \,\,{\mathbf {and}}\,\,\hat{\rho }^* \ne {\mathbf {t}} \cdot {\varvec{\rho }}^*\).

The claim is an easy consequence of the private hash of a word outside \(Span([{\mathbf {\mathsf{{B}}}}]_1)\) being random and independent of the public (projection) hash key [CS02]. Here, the public hash key is \([{\mathbf {d}}_1 + d_2 {\mathbf {t}}]_1\), with private hash key \(({\mathbf {d}}_1, d_2)\) (see Sect. 2.3). The public hash key is given to the adversary as part of all the signatures issued to it; in particular, it is used in computing the \(\gamma \) component of the signature. The QA-NIZK proof is simulated, and the QA-NIZK simulator trapdoors do not use \(({\mathbf {d}}_1, d_2)\). Further, \(({\mathbf {d}}_1, d_2)\) are not used anywhere else, including \(\mathsf{CRS}_v\).

If \(({\varvec{\rho }}^*, \hat{\rho }^*) \notin Span([{\mathbf {\mathsf{{B}}}}]_1)\), then the right side of the pairing equation in \(\mathsf{WIN} _5\) includes an additive component \(\mathsf{e}({\mathbf {d}}_1 \cdot {\varvec{\rho }}^*+d_2{\hat{\rho }}^*, [1]_2)\), which is the same as \(\mathsf{e}(P, [1]_2)\) where P is the private hash of \(({\varvec{\rho }}^*, \hat{\rho }^*)\) using keys \(({\mathbf {d}}_1, d_2)\). Since all other additive terms on the right hand side of the pairing equation are independent of this hash proof system, and the adversary \(\mathcal{A}\) also supplies \(\gamma ^*\), the probability of \(\mathsf{e}(\gamma ^*, [1]_2)\) equaling the right hand side is at most \(1/q\). This finishes the proof of the claim.
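As an added example (not the paper's code), the following toy script represents group elements by their exponents modulo a small prime and checks the algebraic identities used in Games \(\mathbf G_{0}\) to \(\mathbf G_{5}\) for the \(k=1\) case: the signing equation, the challenger's private \(\mathsf{WIN} _3\) test, the \({\mathbf {d}} = {\mathbf {d}}_1 + d_2 {\mathbf {t}}\) split of \(\mathbf G_{4}\), and the fact behind the \(1/q\) bound of Eq. (2). The modulus, seed and message are constructed, and the QA-NIZK component \({\varvec{\pi }}\) is omitted; the model has no hardness at all and only verifies the algebra.

```python
"""Toy model of the SPS_mddh algebra used in Games G0-G5, with k = 1 (the
SXDH-style instance). Added example, not the paper's code. Group elements are
represented by their discrete logarithms mod a small prime q: [x]_1 and [x]_2
are both the integer x, and e([a]_1,[b]_2) is a*b mod q. This checks the
algebraic identities the proof relies on; it models no hardness at all and
omits the QA-NIZK component pi of the signature."""
import random

q = 101                    # constructed toy prime (real schemes: ~256-bit q)
n = 3                      # message length in group elements
rng = random.Random(2024)  # fixed seed, so a run is reproducible

def inv(x):
    return pow(x, q - 2, q)          # inverse mod prime q, x != 0

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % q

def keygen():
    """Challenger's secrets. B = (B_bar; B_under) is 2x1 with B_bar != 0, so
    t = B_under * B_bar^{-1} (the proof's t from Game G4) exists."""
    B_bar, B_under = rng.randrange(1, q), rng.randrange(q)
    return dict(B_bar=B_bar, B_under=B_under, t=B_under * inv(B_bar) % q,
                k0=rng.randrange(q), k=[rng.randrange(q) for _ in range(n)],
                d=rng.randrange(q), e=rng.randrange(q))

def sign(sk, mu):
    """Signing as in Game G0 (the simulated QA-NIZK pi is left out)."""
    r, tag = rng.randrange(q), rng.randrange(q)
    rho = sk["B_bar"] * r % q          # [B_bar r]_1
    rho_hat = sk["B_under"] * r % q    # [B_under r]_1
    psi = tag * rho % q                # tag * [B_bar r]_1
    gamma = (dot(sk["k"], mu) + sk["k0"] + sk["d"] * rho + sk["e"] * psi) % q
    return dict(rho=rho, rho_hat=rho_hat, psi=psi, gamma=gamma, tau=tag)

def tag_consistent(sig):
    """Public check e(psi,[1]_2) = e(rho,tau): ties the tag to this rho, which
    is what stops elements of different signatures from being recombined."""
    return sig["psi"] == sig["rho"] * sig["tau"] % q

def in_span(sk, sig):
    """(rho, rho_hat) in Span([B]_1)  <=>  rho_hat = t * rho  (Game G4)."""
    return sig["rho_hat"] == sk["t"] * sig["rho"] % q

def win3_check(sk, mu, sig):
    """WIN_3's pairing equation, evaluated by the challenger with its secrets:
    e(gamma,[1]_2) = e(k.mu + [k0]_1 + d.rho, [1]_2) + e(e.rho, tau)."""
    rhs = (dot(sk["k"], mu) + sk["k0"] + sk["d"] * sig["rho"]
           + sk["e"] * sig["rho"] * sig["tau"]) % q
    return sig["gamma"] == rhs and tag_consistent(sig) and in_span(sk, sig)

def split_keys(sk):
    """Game G4: (d1,d2,e1,e2) random subject to d = d1 + d2 t, e = e1 + e2 t.
    The public d, e keep their distribution, so the adversary sees no change."""
    d2, e2 = rng.randrange(q), rng.randrange(q)
    return ((sk["d"] - d2 * sk["t"]) % q, d2, (sk["e"] - e2 * sk["t"]) % q, e2)

def win5_check(sk, keys, mu, sig):
    """WIN_5: span conjunct dropped, hash terms evaluated with the private keys
    on (rho, rho_hat). In-span words agree with win3_check, since
    d1 rho + d2 (t rho) = (d1 + d2 t) rho = d rho, and likewise for e."""
    d1, d2, e1, e2 = keys
    rhs = (dot(sk["k"], mu) + sk["k0"] + d1 * sig["rho"] + d2 * sig["rho_hat"]
           + (e1 * sig["rho"] + e2 * sig["rho_hat"]) * sig["tau"]) % q
    return sig["gamma"] == rhs and tag_consistent(sig)

def private_hash_values(sk, rho_star, rho_hat_star):
    """The fact behind Eq. (2): the private hash d1 rho* + d2 rho_hat* over every
    (d1,d2) consistent with the public key d. Off the span (rho_hat* != t rho*)
    each value of Z_q occurs exactly once, so knowing only d one guesses it with
    probability 1/q; on the span it is fixed to d rho*, which is why the span
    conjunct of G4 could be dropped in G5."""
    values = []
    for d2 in range(q):
        d1 = (sk["d"] - d2 * sk["t"]) % q
        values.append((d1 * rho_star + d2 * rho_hat_star) % q)
    return sorted(values)

def run_checks():
    """Exercise the identities on one honest signature and one damaged one."""
    sk, mu = keygen(), [5, 17, 42]                     # constructed message
    sig = sign(sk, mu)
    damaged = dict(sig, gamma=(sig["gamma"] + 1) % q)  # any change to gamma
    off_span = (sk["t"] * 7 + 1) % q                   # rho_hat* != t * rho*
    return dict(
        honest_win3=win3_check(sk, mu, sig),
        honest_win5=win5_check(sk, split_keys(sk), mu, sig),
        damaged_rejected=not win3_check(sk, mu, damaged),
        off_span_uniform=private_hash_values(sk, 7, off_span) == list(range(q)),
        on_span_fixed=private_hash_values(sk, 7, sk["t"] * 7 % q)
        == [sk["d"] * 7 % q] * q)
```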

Game \(\mathbf G_{6}\): In this game the challenger generates all signatures \(\sigma _i\) with \(\hat{\rho }_i\) and \(\gamma _i\) set to uniformly and independently chosen random values. The computation of \({\varvec{\rho }}, {\varvec{\psi }}, \tau \) and \({\varvec{\pi }}\) and the winning condition remain the same as in \(\mathbf G_{5}\).

Lemma 1 below, which is proved later, bounds the difference between the adversary's advantage in Game \(\mathbf G_{5}\) and Q times its advantage in Game \(\mathbf G_{6}\):

Lemma 1

$$ \left| \mathrm{Prob}_5[\mathsf{WIN} _5] - Q \cdot \mathrm{Prob}_6[\mathsf{WIN} _6] \right| \le Q^2 \left( {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + \frac{1}{q} \right) $$

Now, in Game \(\mathbf G_{6} \), all the signatures on the Q adversarial queries are generated without using \(k_0\). Since \(k_0\) is also not part of the public key (which includes \(\mathsf{CRS}_v\)), \([k_0]_1\) is uniformly random from the adversary's view, and the pairing equation in \(\mathsf{WIN} _6\) holds for the adversary's \(\gamma ^*\) only if it matches the single value determined by \([k_0]_1\). Thus the probability of \(\mathsf{WIN} _6\) holding in Game \(\mathbf G_{6}\) is at most \(1/q\):

$$ \mathrm{Prob}_6[\mathsf{WIN} _6] \le 1/q $$

Thus the proof of Lemma 1 concludes the proof of the theorem; we give it next.

Proof

(of Lemma 1). To prove this lemma we consider several hybrid Games \(\mathbf G_{5,i}\), for \(i \in [0..Q]\), where \(\mathbf G_{5,0}\) will turn out to be the same as \(\mathbf G_{5}\), and \(\mathbf G_{5, Q}\) will turn out to be the same as \(\mathbf G_{6}\). The hybrid Games \(\mathbf G_{5,i}\) for \(i\in [0..Q]\) are defined as follows.

Game \(\mathbf G_{5,i}\): The game differs from \(\mathbf G_{5}\) as follows: After it has generated the public key and sent it to \(\mathcal{A} \) just as in \(\mathbf G_{5}\), the challenger now picks a random index z from [1..Q]. If \(i<Q\), it picks i distinct indices randomly from \([1..Q] \setminus \{z\}\). Call this set of indices S (note that S is empty in Game \(\mathbf G_{5,0}\)). If \(i=Q\), let S be the full set [1..Q]. While generating a signature on a query with index \(j \in S\), the challenger generates the signature as in Game \(\mathbf G_{6}\) (i.e. with random \(\gamma _j\) and \(\hat{\rho }_j\) terms), and for a query with index outside S it generates the signature as in Game \(\mathbf G_{5}\). The winning predicate for the adversary remains the same, i.e., \(\mathsf{WIN} _5\). As the winning condition will remain the same until the end of the proof, we just define \(\mathsf{WIN} \equiv \mathsf{WIN} _5\). The game is described in Fig. 4.

Fig. 4. Games \(\mathbf G_{5,i}\)

Note that in Game \(\mathbf G_{5,0}\), the probability of the adversary winning, i.e. of \(\mathsf{WIN}\) holding, is the same as in Game \(\mathbf G_{5}\), since the set S is empty, and hence z might as well not be chosen.

To prove the requisite probability relations between the different games, consider the following predicate \(\mathsf{GOOD}\), defined at the end of each game. We will denote the components of the j-th signature \(\sigma _j\) by using subscript j.

[figure b: definition of the predicate \(\mathsf{GOOD}\)]

Fig. 5. Lemmas 2, 3 and 4

Given the definitions of Games \(\mathbf G_{5,i}\) and \(\mathsf{GOOD}\) above, we now prove the lemma via the three lemmas given in Fig. 5. Chaining Lemma 3 sequentially \((Q-1)\) times, it follows that

$$ \left| \begin{array}{c} \mathrm{Prob}_{5, 0} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] - \\ \mathrm{Prob}_{5, Q-1} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \end{array} \right| \le (Q-1)\cdot ({{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q ) $$

Now noting that \(\mathrm{Prob}_{5, Q-1} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \le \mathrm{Prob}_{5, Q-1} [ \mathsf{WIN} ]\) and using Lemma 4, we get:

$$ \left| \begin{array}{c} \mathrm{Prob}_{5, 0} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] \\ -\ \mathrm{Prob}_{5, Q} [ \mathsf{WIN} ] \end{array} \right| \le Q \cdot ({{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q ) $$

Now, using Lemma 2, we finally establish Lemma 1:

$$ \left| \mathrm{Prob}_{5,0}[\mathsf{WIN} ] - Q \cdot \mathrm{Prob}_{5,Q}[\mathsf{WIN} ] \right| \le Q^2 \left( {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + \frac{1}{q} \right) $$

We proceed to prove Lemmas 2, 3 and 4 now.

Proof

(of Lemma 2). We equivalently show that:

$$\begin{aligned} \mathrm{Prob}_{5,0} [ \overline{ \mathsf{GOOD}} ~|~ \mathsf{WIN} ] \le (1- 1/Q) \end{aligned}$$

First note that in Game \(\mathbf G_{5,0}\), the value z can be chosen after the adversary has supplied its forged signature. Now, observe that:

$$ \mathrm{Prob}_{5,0} [ \overline{ \mathsf{GOOD}} ~|~ \mathsf{WIN} ] \le \mathrm{Prob}_{5,0} [\textsc {tag}^* \ne \textsc {tag}_z ~|~ \mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\exists j: \textsc {tag}^* = \textsc {tag}_j] $$

Since z is chosen after the adversary has replied with the forgery and given \(\textsc {tag}^*\) equals some \(\textsc {tag}_j\), the probability of \(z=j\) is at least 1 / Q (regardless of \(\mathsf{WIN}\) holding or not), and thus the probability of \(\textsc {tag}^*\) equaling \(\textsc {tag}_z\) is at least 1 / Q.

Discussion of Lemmas 3 and 4. From a formal proof perspective, one goes through many hybrid games, where in each subsequent hybrid Game \(\mathbf G_{5, i}\), the signature of one more element is simulated without using the affine component \([k_0]_1\). However, as is well known from proofs of Cramer-Shoup encryption, this can only be done as long as the forgery uses a different tag from the signature being simulated. Thus, the simulator instead guesses an index z, and picks the additional signature to be simulated from a query index different from z. This is always possible as long as the simulator is in hybrid game \(\mathbf G_{5,i} \) with \(i < Q-1\). If the simulator’s guess turns out to be wrong, the adversary is declared the outright winner. However, this loses only a factor of Q relative to the adversary's success in an MDDH challenge game.

The other main difference from Cramer-Shoup encryption is that there is no real decryption, but just a verification of the signature using private trapdoor keys. This can also be done efficiently using the bilinear pairing available, and this is the reason why a single additional test of the relationship between \([t]_2\), \([t {\mathbf {r}}]_1\) and \([{\mathbf {r}}]_1\) suffices.

The proof of Lemma 4, which handles the case \(i=Q-1\), is similar to (and easier than) the proof of Lemma 3, except that in game \(\mathbf G_{5,Q-1} \) all but one signature are simulated without the keys \(k_0\) and \({\mathbf {k}}\). This makes the analysis similar to that of a one-time signature scheme.

Fig. 6. \(\mathbf H\) Games and winning condition

Proof

(of Lemma 3). We will consider three hybrid games which are summarized in Fig. 6. Game \(\mathbf H_{0}\) will be the same as game \(\mathbf G_{5, i-1} \), and \(\mathbf H_{2}\) the same as \(\mathbf G_{5, i} \).

Game \(\mathbf H_{0}\): The challenger picks yet another index y at random from \([1..Q] \setminus (\{z\} \cup S)\), and issues the signature on the y-th query in the same way as for other indices not in S. The idea is that in this sequence of games we will convert the signature generation on the y-th index to be the same as for those indices in S. This will effectively expand the set S by one element and thus enable us to transition from Game \(\mathbf G_{5,i-1}\) to \(\mathbf G_{5, i}\), as long as \( i \le Q-1 \). Games \(\mathbf H_{0}\) and \(\mathbf G_{5,i-1}\) are semantically equivalent.

Game \(\mathbf H_{1}\): In Game \(\mathbf H_{1}\), the challenger issues the signature on the y-th query as follows: it picks \({\varvec{\rho }}_y\), \(\theta \) and \(\textsc {tag}_y\) at random. It sets \(\hat{\rho }_y = \theta \), \({\varvec{\psi }}_y = \textsc {tag}_y\ {\varvec{\rho }}_y\), \(\tau _y = [\textsc {tag}_y]_2\) and \(\gamma _y = {\mathbf {k}} \cdot {\varvec{\mu }}_y + [k_0]_1 + ({\mathbf {d}}_1 \cdot {\varvec{\rho }}_y + d_2 \hat{\rho }_y) + \textsc {tag}_y\ ({\mathbf {e}}_1 \cdot {\varvec{\rho }}_y + e_2 \hat{\rho }_y)\). It computes a QA-NIZK \({\varvec{\pi }}_y\) on the tuple \(({\varvec{\mu }}_y, {\varvec{\rho }}_y, \hat{\rho }_y, {\varvec{\psi }}_y, \gamma _y)\) using the QA-NIZK simulator \(\varPi .{\mathsf {sim}}\) (with the trapdoor output by \({\mathsf {crssim}}_v\)), just as in all previous games. It outputs as signature \(\sigma _y\) the tuple \(({\varvec{\rho }}_y, \hat{\rho }_y, {\varvec{\psi }}_y, \gamma _y, \tau _y, {\varvec{\pi }}_y)\). The rest of the game and the winning condition are the same as in \(\mathbf H_{0} \). We now prove that:

$$\begin{aligned} \left| \begin{array}{c} \mathrm{Prob}_{H_0}[ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\,\mathsf{GOOD} ]\ - \\ \mathrm{Prob}_{H_1} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\,\mathsf{GOOD} ] \end{array} \right| < {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} \end{aligned}$$
(3)

Let \(\mathcal{A}\) be any efficient adversary playing against \(\mathcal{C} \) in either game \(\mathbf H_{0} \) or \(\mathbf H_{1}\). Using \(\mathcal{A} \) and the challenger \(\mathcal{C}\) we will build another adversary \(\mathcal{A} '\) that plays against a \(\mathcal{D}_k{-\textsc {mddh}} \) challenger. So, suppose the \(\textsc {mddh}\) challenger issues either a real tuple \(([{\mathbf {\mathsf{{B}}}}]_1,\ {\varvec{\zeta }} = [{\mathbf {\mathsf{{B}}}} {\mathbf {r}}]_1)\) or a fake tuple \(([{\mathbf {\mathsf{{B}}}}]_1,\ {\varvec{\zeta }} = [{\mathbf {r}}']_1 \in \mathbb {G}_1^{k+1})\), with \( {\mathbf {\mathsf{{B}}}} \leftarrow \mathcal{D}_k \) and \( ({\mathbf {r}}, \ {\mathbf {r}}') \leftarrow \mathbb {Z}_q^k \times \mathbb {Z}_q^{k+1} \). In the first case we say that \(\mathcal{A} '\) is in the \(\textsc {mddhreal}\) game, and in the latter case that \(\mathcal{A} '\) is in the \(\textsc {mddhfake}\) game. \(\mathcal{A} '\) uses \([{\mathbf {\mathsf{{B}}}}]_1\) to simulate \(\mathcal{C}\) in building the language parameters \(\mathcal{{L}_{\text {par}}}\), choosing all other random values on its own. It then simulates \(\mathcal{C}\) for the rest of the game \(\mathbf H_{0}/\mathbf H_{1} \), including the interaction with \(\mathcal{A} \), up to the point of issuing the y-th signature. For the y-th signature, \(\mathcal{A} '\) sets \(({\varvec{\rho }}_y, \hat{\rho }_y) := {\varvec{\zeta }}\), picks \(\textsc {tag}_y\) at random, and sets \({\varvec{\psi }}_y = \textsc {tag}_y\ {\varvec{\rho }}_y\). The values \(\tau _y\), \(\gamma _y\) and \({\varvec{\pi }}_y\) can then be computed from values already obtained.

After \(\mathcal{A} '\) issues this signature to \(\mathcal{A} \), adversary \(\mathcal{A} '\) continues the simulation of \(\mathcal{C} \), along with its interaction with \(\mathcal{A} \) till the computation and output of winning condition. \(\mathcal{A} '\) outputs 1 iff \(\mathsf{WIN} \,\,{\mathbf {and}}\,\,\mathsf{GOOD} \). Now, note that if \(\mathcal{A} '\) is in the \(\textsc {mddhreal}\) game, then the view of the adversary \(\mathcal{A} \) is identical to its view in \(\mathbf H_{0} \). And, if \(\mathcal{A} '\) is in the \(\textsc {mddhfake}\) game, then the view of the adversary \(\mathcal{A} \) is identical to its view in \(\mathbf H_{1} \). Thus:

$$\mathrm{Prob}[\mathcal{A} '(\textsc {mddhreal}) = 1] = \mathrm{Prob}_{H_0}[\mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} ]$$
$$\mathrm{Prob}[\mathcal{A} '(\textsc {mddhfake}) = 1] = \mathrm{Prob}_{H_1}[\mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} ].$$

That completes the proof of the claim, as the maximum advantage any efficient adversary has in winning an MDDH-challenge game is \({{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}}\).

Game \(\mathbf H_{2}\): In Game \(\mathbf H_{2} \), in the computation of the signature on the y-th query, the value \(\gamma _y\) is simply sampled uniformly at random from \(\mathbb {Z}_q\), independently of everything else. The winning condition remains \(\mathsf{WIN}\). We now prove that the views of the adversary in Games \(\mathbf H_{2}\) and \(\mathbf H_{1}\) are statistically indistinguishable. More precisely,

$$\begin{aligned} |\mathrm{Prob}_{H_2}[ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] - \mathrm{Prob}_{H_1}[ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] | \le 1/q \end{aligned}$$

The claim is a consequence of the private hash of a word outside \(Span([{\mathbf {\mathsf{{B}}}}]_1)\) being random and independent of the public universal\(_2\) projection hash key [CS02]. Here, the public universal\(_2\) projection hash key is the pair \([{\mathbf {d}}_1 + d_2 {\mathbf {t}}]_1\) and \([{\mathbf {e}}_1 + e_2 {\mathbf {t}}]_1\), with private universal\(_2\) hash key \(({\mathbf {d}}_1, d_2, {\mathbf {e}}_1, e_2)\). The public hash key is given to the adversary as part of all the signatures issued to it, with the exception of the signature issued by \(\mathcal{C}\) on query index y. In the y-th query, the challenger discloses to the adversary one private hash on a word outside \(Span([{\mathbf {\mathsf{{B}}}}]_1)\). In particular, \(\gamma _y\) includes as an additive term \(({\mathbf {d}}_1 \cdot {\varvec{\rho }}_y + d_2 \hat{\rho }_y) + \textsc {tag}_y\ ({\mathbf {e}}_1 \cdot {\varvec{\rho }}_y + e_2 \hat{\rho }_y)\), which is exactly the private universal\(_2\) hash of \(( {\varvec{\rho }}_y, \hat{\rho }_y )\) using tag \(\textsc {tag}_y\). Now note that \(\mathsf{GOOD}\) and \(z \ne y\) together imply \(\textsc {tag}^* \ne \textsc {tag}_y\), as y was chosen distinct from z. Thus, \(\textsc {tag}^*\) is different from the \(\textsc {tag}_y\) used in the one private hash given to the adversary on a word outside \(Span([{\mathbf {\mathsf{{B}}}}]_1)\).

Recall that the QA-NIZK proof is simulated, and the QA-NIZK simulator trapdoors do not use \(({\mathbf {d}}_1, d_2, {\mathbf {e}}_1, e_2)\). Further, \(({\mathbf {d}}_1, d_2, {\mathbf {e}}_1, e_2)\) are not used anywhere else, including \(\mathsf{CRS}_v\).

Thus the additive term \(({\mathbf {d}}_1 \cdot {\varvec{\rho }}_y + d_2 \hat{\rho }_y) + \textsc {tag}_y\ ({\mathbf {e}}_1 \cdot {\varvec{\rho }}_y + e_2 \hat{\rho }_y)\) in \(\gamma _y\) (in Game \(\mathbf H_{1}\)) completely hides \(([k_0]_1 + {\mathbf {k}} \cdot {\varvec{\mu }}_y)\). Thus, \(\gamma _y\) can just as well be sampled independently randomly. This is the same as Game \(\mathbf H_{2}\), and that proves the claim.

Thus, collecting all the inequalities, between consecutive games from \(\mathbf H_{0}\) to \(\mathbf H_{2}\), it follows that:

$$\left| \begin{array}{c} \mathrm{Prob}_{5, i-1} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] \\ - \mathrm{Prob}_{5, i} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \end{array} \right| \le {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q $$

Proof

(of Lemma 4). The proof of this lemma is similar to proof of Lemma 3, except that the predicate \(\mathsf{GOOD} \) here is just defined to be true. The proof of Lemma 3 goes through all the hybrid games with predicate \(\mathsf{GOOD}\) defined as true, except for the proof of

$$\begin{aligned} |\mathrm{Prob}_{H_2}[ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] - \mathrm{Prob}_{H_1}[ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] | \le 1/q. \end{aligned}$$

This proof for Lemma 3 required the fact that \(\mathsf{GOOD}\) implies \(\textsc {tag}^* \ne \textsc {tag}_y\), where y was the query index being simulated with a fake MDDH tuple. Since here we have defined \(\mathsf{GOOD}\) to be true, there is no such restriction on \(\textsc {tag}^*\).

In case \(\textsc {tag}^* \ne \textsc {tag}_y\), the proof continues to hold as before. If \(\textsc {tag}^* = \textsc {tag}_y\), we note that since we are in various hybrids of initial game \(\mathbf H_{0} = \mathbf G_{5, Q-1} \), no signature generated by \(\mathcal{C}\) (other than the y-th signature) uses \(k_0\) or \({\mathbf {k}}\). The trapdoors \(k_0\) and \({\mathbf {k}}\) are also not used in generation of public key. Thus, the only information available to \(\mathcal{A}\) about \(k_0\) and \({\mathbf {k}}\) is through the y-th signature simulation, which includes \({\mathbf {k}} \cdot {\varvec{\mu }}_y + [k_0]_1\) as an additive term. Thus, for \( \mathsf{WIN} \) to hold, \(\mathcal{A}\) must produce \( \gamma ^* - ( {\mathbf {d}}_1 \cdot {\varvec{\rho }}^* + d_2 \hat{\rho }^* ) - \textsc {tag}^*\ ({\mathbf {e}}_1 \cdot {\varvec{\rho }}^* + e_2 \hat{\rho }^* )\) equal to \({\mathbf {k}} \cdot {\varvec{\mu }}^* + [k_0]_1\). By simple linear algebra, this latter quantity is random, even given \({\mathbf {k}} \cdot {\varvec{\mu }}_y + [k_0]_1 \), for \({\varvec{\mu }}^* \ne {\varvec{\mu }}_y\).

This linear algebra fact is most conveniently seen by the following information-theoretic argument: Let \(\alpha \mathop {=}\limits ^{\triangle }{\mathbf {k}} \cdot {\varvec{\mu }}_y + [k_0]_1\) and \( \beta \mathop {=}\limits ^{\triangle }{\mathbf {k}} \cdot {\varvec{\mu }}^* + [k_0]_1 \). Now sample \(({\mathbf {k}},\ k') \leftarrow \mathbb {Z}_q^n \times \mathbb {Z}_q\), and then set \( [k_0]_1 := [k']_1 - {\mathbf {k}} \cdot {\varvec{\mu }}_y \). Then we have \(\alpha = [k']_1\) and \( \beta = [k']_1 + {\mathbf {k}} \cdot ({\varvec{\mu }}^* - {\varvec{\mu }}_y) \). Thus \(\alpha \) is uniformly random and independent of \({\mathbf {k}}\), while \(\beta \) has an independent uniformly random distribution due to the additional term \({\mathbf {k}} \cdot ({\varvec{\mu }}^* - {\varvec{\mu }}_y)\), where \({\mathbf {k}}\) is uniformly random and \( ({\varvec{\mu }}^* - {\varvec{\mu }}_y) \) is non-zero.

3.2 Improved Security Reduction for the SPS Scheme

Theorem 3

For any efficient adversary \(\mathcal{A} \), which makes at most Q signature queries before attempting a forgery, its probability of success in the EUF-CMA game against the SPS scheme is at most

$$ {\textsc {ADV}}_{\varPi }^{TSS} + Q \cdot (2+\log {Q}) \cdot \left( {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + \frac{1}{q}\right) + \frac{Q^2}{2q} + \frac{1}{q} $$

Proof

In the proof of this theorem and related lemmas, without loss of generality, we will assume that the number of signature queries Q made by the adversary is a power of two. This can cause at most a factor of two difference in the success probability of the adversary.

The Games \(\mathbf G_{0}\) to \(\mathbf G_{6}\) are the same as in the proof of Theorem 2. However, we now obtain a better upper bound on the probability of the event \(\mathsf{WIN}\) holding in Game \(\mathbf G_{5}\) than the bound obtained in Lemma 1.

Lemma 5

$$\begin{aligned} \mathrm{Prob}_5[\mathsf{WIN} ] \le Q \cdot (2+\log {Q}) \cdot ({{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q) \end{aligned}$$

Fig. 7. Modified Games \(\mathbf G_{5,i}\). Above, \( 0 \le l \le \log Q\) and \( 0 \le u \le 2^l-1 \).

Proof

Again, to prove this lemma we consider several hybrid Games \(\mathbf G_{5,i}\), for \(i \in [0..Q]\), where \(\mathbf G_{5,0}\) will turn out to be the same as \(\mathbf G_{5}\), and \(\mathbf G_{5, Q}\) will turn out to be the same as \(\mathbf G_{6}\). The hybrid Games \(\mathbf G_{5,i}\) are defined slightly differently in this proof as compared to the proof of Lemma 1. They are summarized in Fig. 7 and explained below.

Game \(\mathbf G_{5,i}\): For \(0 \le i<Q\), the game differs from \(\mathbf G_{5}\) as follows: After it has generated the public key and sent it to \(\mathcal{A} \) just as in \(\mathbf G_{5}\), the challenger now picks a random set Z of size \(2^{\lfloor \log {(Q-i)} \rfloor }\) of distinct indices from [1..Q]. It then picks i distinct indices randomly from \([1..Q] \setminus Z\). Call this set of indices S (note that S is empty in Game \(\mathbf G_{5,0}\)). If \(i=Q\), let S be the full set [1..Q]. While generating signatures on a query with index \(j \in S\), the challenger generates the signature as in Game \(\mathbf G_{6}\) (i.e., samples \( \gamma \) and \( \hat{\rho } \) uniformly at random), and for all other queries it generates the signature as in Game \(\mathbf G_{5}\). The winning predicate for the adversary remains the same, i.e., \(\mathsf{WIN}\).

Note that for a hybrid Game \(\mathbf G_{5,i}\) such that \((Q-i)\) is a power of two, the union of the disjoint sets S and Z is the complete set of indices [1..Q]. However, in the next hybrid Game \(\mathbf G_{5,i+1}\), the set Z is halved in size, so that there is a choice in picking S from \([1..Q] \setminus Z\). Thus, to relate such a hybrid Game \(\mathbf G_{5,i}\) (i.e. one where \(Q-i\) is a power of two) to the next hybrid Game \(\mathbf G_{5,i+1}\), we introduce an intermediate Game \(\mathbf G'_{5,i} \).

For such i, i.e. \(i = Q - 2^l\), define Game \(\mathbf G'_{5,i} \) to be similar to Game \(\mathbf G_{5,i}\) except that the set of random and distinct indices Z is chosen to be of size \(2^{l-1}\). For S, we choose i distinct indices from \([1..Q] \setminus Z\), as before. The rest of the game and the winning condition remain the same.

For each hybrid Game \(\mathbf G_{5,i}\) or \(\mathbf G'_{5,i}\), define the following predicate

$$\begin{aligned} \mathsf{GOOD} \mathop {=}\limits ^{\triangle }\forall j \in [1..Q]\setminus Z: ({\varvec{\tau }}^* \ne {\varvec{\tau }}_j) \end{aligned}$$

In Lemma 6 below, we show that for \(i= Q-2^l\), the probability of \(\mathsf{WIN}\) and \(\mathsf{GOOD}\) holding in Game \(\mathbf G_{5,i}\) is at most two times the probability of \(\mathsf{WIN}\) and \(\mathsf{GOOD}\) holding in Game \(\mathbf G'_{5,i}\). Note that, for \(i=0\) the predicate \(\mathsf{GOOD}\) is equivalent to true, as Z is the complete set. Thus, this implies that the probability of \(\mathsf{WIN}\) holding in Game \(\mathbf G_{5}\) is at most two times the probability of \(\mathsf{WIN}\) and \(\mathsf{GOOD}\) holding in Game \(\mathbf G'_{5,0}\).

Using Lemmas 6 and 7 below, we now prove the following recurrence relation for \(l \in [2..\log Q]\):

$$\begin{aligned} \mathrm{Prob}_\mathbf{G'_{5,Q-2^l}}[\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \le&\ 2^{l-1} \cdot ( {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q) + \\&\ 2 \cdot \mathrm{Prob}_\mathbf{G'_{5,Q-2^{l-1}}}[\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \end{aligned}$$

Also, as a base case we have (from Lemma 7),

$$\begin{aligned} \mathrm{Prob}_\mathbf{G'_{5,Q- 2}}[\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \le&\ 2 \cdot ({{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q) + \\&\ \mathrm{Prob}_\mathbf{G_{5, Q}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \end{aligned}$$

However, in the proof of Lemma 1, we established that in the last hybrid Game \(\mathbf G_{5,Q} \), the probability of \(\mathsf{WIN}\) is at most \(1/q\). Thus,

$$ \mathrm{Prob}_\mathbf{G'_{5,Q- 2}}[\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \le 2 \cdot {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 3/q $$

Thus, taking as induction hypothesis that for every \(l \in [1..\log Q]\):

$$\begin{aligned} \mathrm{Prob}_\mathbf{G'_{5,Q-2^l}}[\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \le (2^{l-1}l + 2^l) \cdot ({{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q ) \end{aligned}$$

we get by induction (instantiated at \(l = \log Q\)) that

$$\begin{aligned} \mathrm{Prob}_\mathbf{G'_{5,0}}[\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \le \left( \frac{Q}{2} \cdot \log {Q} + Q \right) \cdot ({{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q ) \end{aligned}$$
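The induction carried through explicitly, as an added derivation that is not part of the original text, writing \(c = {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q\) and \(P_l = \mathrm{Prob}_\mathbf{G'_{5,Q-2^l}}[\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ]\) as shorthand. The base case is the bound derived from Lemma 7 and Lemma 1, the inductive step is the recurrence from Lemmas 6 and 7, and the last line is the \(l = \log Q\) instance:

$$\begin{aligned} P_1 &\le 2 \cdot {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 3/q \;\le\; 3c \;=\; (2^{0} \cdot 1 + 2^{1})\, c, \\ P_l &\le 2^{l-1} c + 2 P_{l-1} \;\le\; 2^{l-1} c + 2\,\bigl(2^{l-2}(l-1) + 2^{l-1}\bigr)\, c \;=\; (2^{l-1} l + 2^{l})\, c, \\ P_{\log Q} &\le \bigl(2^{\log Q - 1} \log Q + 2^{\log Q}\bigr)\, c \;=\; \left( \frac{Q}{2} \cdot \log Q + Q \right) c . \end{aligned}$$

Combined with the factor-two relation between \(\mathbf G_{5}\) and \(\mathbf G'_{5,0}\) established from Lemma 6 above, this gives \(\mathrm{Prob}_\mathbf{G_{5}}[\mathsf{WIN}] \le 2 P_{\log Q} \le (Q \log Q + 2Q)\, c\), i.e. a loss of order \(Q \log Q\) in the reduction.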

Lemma 6

For \(i \in [0..Q-1]\), and \(i = Q-2^l\),

$$\begin{aligned} \mathrm{Prob}_\mathbf{G_{5,i}}[ \mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \,\le \, 2 \cdot \mathrm{Prob}_\mathbf{G'_{5,i}}[ \mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \end{aligned}$$

Proof

For i, \(0 \le i < Q\), such that \((Q-i)\) is a power of two, note that the Game \(\mathbf G_{5,i}\) can be defined by first picking a set S of i distinct and random indices from [1..Q], and then setting \( Z = [1..Q] \setminus S\). Similarly, the Game \(\mathbf G'_{5,i}\) can be defined by first picking a set S of i distinct indices, and then picking a set \(Z'\) of \((Q-i)/2\) distinct and random indices from \(Z = [1..Q] \setminus S\). This set \(Z'\) can be picked after the adversary has replied with its claimed forgery. In other words, the probability of \(\mathsf{WIN}\) and \(\mathsf{GOOD}\) holding in \(\mathbf G'_{5,i}\) is the same as the probability of \(\mathsf{WIN}\) and \(\mathsf{GOOD'}\) holding in \(\mathbf G_{5,i}\), where \(\mathsf{GOOD'}\) is defined as

$$\begin{aligned} \mathsf{GOOD'} \mathop {=}\limits ^{\triangle }\forall j \in [1..Q]\setminus Z': ({\varvec{\tau }}^* \ne {\varvec{\tau }}_j) \end{aligned}$$

Letting \(\mathsf{DIST}\) stand for the predicate \(\forall j \in [1..Q]: ({\varvec{\tau }}^* \ne {\varvec{\tau }}_j)\), it follows that \(\mathsf{GOOD'} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} \, \,\,{\mathbf {and}}\,\,\lnot \mathsf{DIST} \) is equivalent to \(\mathsf{GOOD'} \, \,\,{\mathbf {and}}\,\,\lnot \mathsf{DIST} \). Thus,

$$\begin{aligned} \Pr [\mathsf{GOOD'} ~|~ \lnot \mathsf{DIST} \, \,\,{\mathbf {and}}\,\,\mathsf{WIN} ] =&\Pr [\mathsf{GOOD'} ~|~ \mathsf{GOOD} \, \,\,{\mathbf {and}}\,\,\lnot \mathsf{DIST} \, \,\,{\mathbf {and}}\,\,\mathsf{WIN} ] \\ \cdot&\Pr [\mathsf{GOOD} ~|~ \lnot \mathsf{DIST} \, \,\,{\mathbf {and}}\,\,\mathsf{WIN} ] \end{aligned}$$

Now, \(\Pr [\mathsf{GOOD'} ~|~ \mathsf{GOOD} \, \,\,{\mathbf {and}}\,\,\lnot \mathsf{DIST} \, \,\,{\mathbf {and}}\,\,\mathsf{WIN} ]\) is exactly \(1/2\). Thus, noting that \(\mathsf{GOOD} \) is equivalent to \(\mathsf{DIST} \,\vee \, (\mathsf{GOOD} \, \,\,{\mathbf {and}}\,\,\lnot \mathsf{DIST})\), and \(\mathsf{GOOD'} \) is equivalent to \(\mathsf{DIST} \,\vee \, (\mathsf{GOOD'} \, \,\,{\mathbf {and}}\,\,\lnot \mathsf{DIST})\), it follows that

$$\begin{aligned} \Pr [ \mathsf{GOOD} ~|~ \mathsf{WIN} ] =&\Pr [\mathsf{DIST} ~|~\mathsf{WIN} ] \nonumber \\&+ \Pr [ \mathsf{GOOD} ~|~ \lnot \mathsf{DIST} \, \,\,{\mathbf {and}}\,\,\mathsf{WIN} ] \cdot \Pr [\lnot \mathsf{DIST} ~|~ \mathsf{WIN} ] \end{aligned}$$
(4)
$$\begin{aligned} \Pr [ \mathsf{GOOD'} ~|~ \mathsf{WIN} ] =&\Pr [\mathsf{DIST} ~|~\mathsf{WIN} ] \nonumber \\&+ \frac{1}{2}\Pr [ \mathsf{GOOD} ~|~ \lnot \mathsf{DIST} \, \,\,{\mathbf {and}}\,\,\mathsf{WIN} ] \cdot \Pr [\lnot \mathsf{DIST} ~|~ \mathsf{WIN} ] \end{aligned}$$
(5)

Now, this implies \(\Pr [ \mathsf{GOOD} ~|~ \mathsf{WIN} ] \le 2 \cdot \Pr [ \mathsf{GOOD'} ~|~ \mathsf{WIN} ]\), because otherwise we obtain a contradiction that \(\Pr [\mathsf{DIST} ~|~\mathsf{WIN} ] <0\). Thus,

$$\begin{aligned} \Pr [\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \le 2 \cdot \Pr [\mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD'} ] \end{aligned}$$

Lemma 7

For \(i\in [1..Q]\), if \((Q-i+1)\) is a power of two and \(i \ne Q\), then

$$\left| \begin{array}{c} \mathrm{Prob}_\mathbf{G'_{5, i-1}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] \\ - \mathrm{Prob}_\mathbf{G_{5, i}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \end{array} \right| \le {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q $$

Otherwise (i.e., if \((Q-i+1)\) is not a power of two or \(i = Q\)),

$$\left| \begin{array}{c} \mathrm{Prob}_\mathbf{G_{5, i-1}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] \\ - \mathrm{Prob}_\mathbf{G_{5, i}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \end{array} \right| \le {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q $$

The proof of Lemma 7 is the same as the proof of Lemma 3 (except for i equal to Q, when it is the same as the proof of Lemma 4). The only difference is in the proof of

$$\begin{aligned} |\mathrm{Prob}_\mathbf{H_{2}}[ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] - \mathrm{Prob}_\mathbf{H_{1}}[ \mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] | \le 1/q \end{aligned}$$

where we now argue that \(\mathsf{GOOD}\) and \(y\not \in Z\) implies \(t^* \ne t_y\).

Alternate Improved Reduction. The reduction above makes discrete ‘big jumps’ when \(Q-i\) is a power of two and a series of smooth ‘short jumps’ in between these big jumps. Instead, we can smooth the entire jump sequence by shortening the set Z by 1 at every i while going from a primed game to an unprimed game. In an unprimed game, Z and S will partition the set [1..Q], while in a primed game there will be \(Q-i\) choices for \( Z' \). This results in the following modifications of Lemmas 6 and 7:

Lemma 8

For \(i \in [0..Q-2]\),

$$\begin{aligned} \mathrm{Prob}_\mathbf{G_{5,i}}[ \mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \,\le \, \frac{Q-i}{Q-i-1} \cdot \mathrm{Prob}_\mathbf{G'_{5,i}}[ \mathsf{WIN} \, \,\,{\mathbf {and}}\,\,\mathsf{GOOD} ] \end{aligned}$$

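The counting step shared by the proof of Lemma 6 and its Lemma 8 variant, checked by exhaustive enumeration: \(Z'\) is drawn from Z only after the forgery is fixed, so conditioned on \(\mathsf{GOOD}\) and \(\lnot\mathsf{DIST}\) the predicate \(\mathsf{GOOD'}\) holds exactly when the colliding index lands in \(Z'\), which happens with probability \(|Z'|/|Z|\) (\(1/2\) when Z is halved, \((Q-i-1)/(Q-i)\) when Z shrinks by one). This is an added Python illustration, not code from the paper. It assumes that the colliding index is unique, i.e. that the challenger's tags \(\tau_1, \dots, \tau_Q\) are pairwise distinct so a forgery tag \(\tau^*\) can equal at most one of them; the function names and the values of Q and i used are constructed for the check.

```python
"""Exhaustive check of the Z' counting step in Lemmas 6 and 8 (added illustration).

Assumption (not stated on this page): the tags tau_1..tau_Q are pairwise
distinct, so a forgery tag tau* collides with at most one index y.  Under
that assumption, GOOD and not DIST together mean "exactly one collision,
and its index y lies in Z".
"""
from fractions import Fraction
from itertools import combinations


def prob_collision_index_survives(z, y, zprime_size):
    """Pr[GOOD' | GOOD and not DIST] for a uniformly random Z' of the given
    size drawn from Z after the forgery: GOOD' holds iff y is in Z'.
    Computed exactly by enumerating every candidate Z'."""
    z = sorted(z)
    if y not in z:
        raise ValueError("GOOD requires the colliding index to lie in Z")
    subsets = list(combinations(z, zprime_size))
    hits = sum(1 for s in subsets if y in s)
    return Fraction(hits, len(subsets))


def lemma6_ratio(q, i):
    """Lemma 6 setting: |Z| = Q-i = 2^l and Z' is a random half of Z."""
    size_z = q - i
    if size_z & (size_z - 1):
        raise ValueError("Lemma 6 needs Q-i to be a power of two")
    z = range(1, size_z + 1)   # constructed: which indices form Z is irrelevant
    return prob_collision_index_survives(z, 1, size_z // 2)


def lemma8_ratio(q, i):
    """Alternate reduction (Lemma 8): Z' drops a single index, |Z'| = Q-i-1."""
    size_z = q - i
    z = range(1, size_z + 1)   # constructed, as above
    return prob_collision_index_survives(z, 1, size_z - 1)


def good_vs_good_prime(p_dist, p_good_given_collision, survive):
    """Equations (4) and (5): (Pr[GOOD | WIN], Pr[GOOD' | WIN]) in terms of
    a = Pr[DIST | WIN], p = Pr[GOOD | not DIST and WIN] and the survival
    probability of the colliding index under the draw of Z'."""
    a = Fraction(p_dist)
    b = Fraction(p_good_given_collision) * (1 - a)   # Pr[GOOD and not DIST | WIN]
    return a + b, a + survive * b


if __name__ == "__main__":
    print("Lemma 6, Q=16, i=8 :", lemma6_ratio(16, 8))   # 1/2
    print("Lemma 8, Q=16, i=8 :", lemma8_ratio(16, 8))   # 7/8
    g, gp = good_vs_good_prime(Fraction(1, 3), Fraction(3, 4), lemma6_ratio(16, 8))
    print("Pr[GOOD|WIN] =", g, " Pr[GOOD'|WIN] =", gp, " factor-2 bound holds:", g <= 2 * gp)
```

The factor in Lemma 8 is the reciprocal of `lemma8_ratio`, which is why the loss per step is \((Q-i)/(Q-i-1)\) rather than 2; and `good_vs_good_prime` makes visible why the bound in Lemma 6 cannot be violated: the only term that differs between (4) and (5) is scaled by the survival probability, and \(\Pr[\mathsf{DIST} ~|~ \mathsf{WIN}] \ge 0\) forces \(\Pr[\mathsf{GOOD} ~|~ \mathsf{WIN}] \le 2 \Pr[\mathsf{GOOD'} ~|~ \mathsf{WIN}]\).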
Lemma 9

For \(i\in [1..Q-1]\),

$$\left| \begin{array}{c} \mathrm{Prob}_\mathbf{G'_{5, i-1}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] \\ - \mathrm{Prob}_\mathbf{G_{5, i}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \end{array} \right| \le {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q $$

and

$$\left| \begin{array}{c} \mathrm{Prob}_\mathbf{G_{5, Q-1}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\, \mathsf{GOOD} ] \\ - \mathrm{Prob}_\mathbf{G_{5, Q}} [ \mathsf{WIN} \,\,\,{\mathbf {and}}\,\,\mathsf{GOOD} \,] \end{array} \right| \le {{\textsc {ADV}}_{\mathcal{D}_k{-\textsc {mddh}}}} + 1/q $$

However, this still results in a \(Q\log Q\) loss in security.