
Accumulable optimistic fair exchange from verifiably encrypted homomorphic signatures

  • Regular Contribution
  • International Journal of Information Security

Abstract

Let us consider a situation where a client (Alice) frequently buys a certain kind of product from a shop (Bob) (e.g., an online music service sells individual songs at the same price, and a client buys songs multiple times in a month). In this situation, Alice and Bob would like to aggregate the total transactions and pay once per month because individual payments are troublesome. Though optimistic fair exchange (OFE) has been considered in order to swap electronic items simultaneously, known OFE protocols cannot provide such aggregate function efficiently because various costs are bounded by the number of transactions in the period. In order to run this aggregation procedure efficiently, we introduce a new kind of OFE called accumulable OFE (AOFE) that allows clients to efficiently accumulate payments in each period. In AOFE, any memory costs, computational costs, and communication complexity of the payment round must be constant in terms of the number of transactions. Since a client usually has just a low power and poor memory device, these efficiencies are desirable in practice. Currently, known approaches (e.g., based on verifiably encrypted signature scheme) are not very successful for constructing AOFE. Thus, we consider a new approach based on a new cryptographic primitive called verifiably encrypted homomorphic signature scheme (VEHS). In this paper, we propose a generic construction of AOFE from VEHS and also present a concrete VEHS scheme over a composite-order bilinear group by using the dual-form signature techniques. This VEHS scheme is also of independent interest. Since we can prove the security of VEHS without random oracles, our AOFE protocol is also secure without random oracles. Finally, we implemented our AOFE protocol, and it is efficient enough for practical use.


Notes

  1. We say an OFE protocol is setup-free if the client does not need to contact the adjudicator except when receiving and verifying the public key certificate of the adjudicator.

  2. We say an OFE protocol is stand-alone if the full signature is an ordinary signature.

  3. As an example, let us consider the Waters signature scheme [54] with public key \(x = g^a\) and secret key \(h^a\) and the corresponding VES scheme [48]. Let \(\sigma = (\sigma _1, \sigma _2) = (h^a \cdot H(m)^r, g^r)\) for random r be an ordinary signature. Let \(apk = y = g^\beta \) be the adjudicator's public key. Then, we define \(\omega = (\omega _1, \omega _2, \omega _3) = (\sigma _1 \cdot y^t, \sigma _2, g^t)\) for random t. The verification of an encrypted signature checks whether \(e(\omega _1, g) = e(h, x) \cdot e(H(m), \omega _2) \cdot e(y, \omega _3)\) holds.

  4. Correctly speaking, they constructed OFE from EUF-CMA secure signature, IND-CCA secure public-key encryption, and simulation-sound non-interactive zero-knowledge proof system, which yield a VES scheme.

  5. \(\mathsf {apk}\) is not always used. However, since the definition of \(\mathsf {OFE.Sign}\) in OFE [30] contains \(\mathsf {apk}\), we adopt the same formulation.

  6. For example, session information contains the current period and identities of parties.

  7. Consider the malicious adjudicator knowing the discrete logarithm of \(h_i\), i.e., \(\log _{g_1}(h_i)\).

  8. Because key generation algorithms for a signer and the adjudicator are independent in VEHS, \(\mathsf {AOFE_{basic}}\) is setup-free.

  9. Then, Alice needs to store just one message and one ordinary signature in her memory during a transaction period.

  10. Then, Bob also needs to store just one message and one partial signature in his memory during a transaction period.

  11. Since the full signature is also an ordinary signature, our protocol is stand-alone.

  12. In the original assumption \(\mathbf {LW1}\) [47], given \(g \leftarrow _{\$}\mathbb {G}_1\), \(X_3 \leftarrow _{\$}\mathbb {G}_3\), and \(T \in \mathbb {G}\), it is infeasible to decide if \(T \leftarrow _{\$}\mathbb {G}_1\) or \(T \leftarrow _{\$}\mathbb {G}_{1,2}\).

  13. As a remark, a client Alice needs to compute \(H_{\mathsf {hom}}\) for a vector \(\mathbf {v}=(0,0,\ldots ,0,1,0,\ldots ,0)\) in the AOFE protocol based on our VEHS scheme. Therefore, no n-dependent computation is required for Alice in our AOFE protocol.

  14. If, in an application protocol like AOFE, \(\mathsf {Vrfy}\) will run after several \(\mathsf {VesVrfy}\) with \(\mathbf {v}\), then \(H_{\mathsf {hom}}(\mathbf {v})\) can be accumulated and stored in order to reduce the computational costs of \(\mathsf {Vrfy}\).
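Footnote 3 above sketches how a verifiably encrypted signature is built on the Waters signature: the signer's \(\sigma _1\) is blinded by \(y^t\), the blinding factor is committed as \(g^t\), and the verifier checks a pairing equation that the adjudicator can later undo with \(\beta \). The following is an added example, not code from the paper or its PBC implementation, that works that algebra through in a toy exponent model: every group element \(g^a\) is held as its exponent a modulo a constructed prime `Q`, so the group law becomes addition of exponents and the pairing becomes multiplication of exponents. The names `keygen`, `adj_keygen`, `ves_create`, `ves_verify`, `ves_resolve` and the constant `Q` are chosen here and are not the paper's notation. Because the model exposes every discrete logarithm, it only confirms that the verification and resolution equations of footnote 3 hold for an honest \(\omega \) and fail for a modified one; it is not a usable signature scheme.

```python
"""Toy exponent-space model of the Waters-signature VES of footnote 3.

Added example, not code from the paper. A group element g^a is stored as the
integer a mod Q, so g^a * g^b is (a + b) mod Q and the bilinear map
e(g^a, g^b) is modelled as (a * b) mod Q. Discrete logarithms are trivial
here; the model checks the algebra only and is not a secure implementation.
"""
import hashlib
import secrets

Q = 2**61 - 1   # constructed toy group order, not a pairing-friendly group
G = 1           # the generator g is g^1


def e(a, b):
    """Toy pairing on exponent representatives: e(g^a, g^b) = g_T^(a*b)."""
    return (a * b) % Q


def H(m: bytes) -> int:
    """Hash-to-group modelled as hash-to-exponent: H(m) = g^(h(m))."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def keygen(h, a=None):
    """Signer keys: public x = g^a, secret h^a.  `h` is the exponent of the
    public element h; `a` may be fixed for reproducible tests."""
    a = secrets.randbelow(Q - 1) + 1 if a is None else a
    pk = {"x": a, "h": h}               # x = g^a, h = g^h
    sk = {"ha": (h * a) % Q, "h": h}    # h^a = g^(h*a)
    return pk, sk


def adj_keygen(beta=None):
    """Adjudicator keys: apk = y = g^beta, ask = beta."""
    beta = secrets.randbelow(Q - 1) + 1 if beta is None else beta
    return beta, beta


def sign(sk, m, r=None):
    """Ordinary Waters signature sigma = (h^a * H(m)^r, g^r)."""
    r = secrets.randbelow(Q) if r is None else r
    return ((sk["ha"] + H(m) * r) % Q, r)


def verify(pk, m, sig):
    """Ordinary check: e(sigma_1, g) == e(h, x) * e(H(m), sigma_2)."""
    s1, s2 = sig
    return e(s1, G) == (e(pk["h"], pk["x"]) + e(H(m), s2)) % Q


def ves_create(apk, sig, t=None):
    """Encrypt under the adjudicator key: omega = (sigma_1 * y^t, sigma_2, g^t)."""
    t = secrets.randbelow(Q) if t is None else t
    s1, s2 = sig
    return ((s1 + apk * t) % Q, s2, t)


def ves_verify(pk, apk, m, omega):
    """Footnote 3 check: e(omega_1, g) == e(h, x) * e(H(m), omega_2) * e(y, omega_3)."""
    w1, w2, w3 = omega
    rhs = (e(pk["h"], pk["x"]) + e(H(m), w2) + e(apk, w3)) % Q
    return e(w1, G) == rhs


def ves_resolve(ask, omega):
    """Adjudication: strip y^t = (g^t)^beta from omega_1 to recover sigma."""
    w1, w2, w3 = omega
    return ((w1 - ask * w3) % Q, w2)


def demo(m=b"song-0042 (constructed message)"):
    """Full create / verify / resolve cycle with fresh random keys."""
    pk, sk = keygen(h=secrets.randbelow(Q - 1) + 1)
    apk, ask = adj_keygen()
    sigma = sign(sk, m)
    omega = ves_create(apk, sigma)
    tampered = ((omega[0] + 1) % Q, omega[1], omega[2])
    return {
        "sig_ok": verify(pk, m, sigma),
        "ves_ok": ves_verify(pk, apk, m, omega),
        "resolved_matches": ves_resolve(ask, omega) == sigma,
        "tampered_rejected": not ves_verify(pk, apk, m, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is structural: `ves_verify` never needs \(\beta \) or t, only the public \(y\) and the commitment \(g^t\), while `ves_resolve` needs nothing but \(\beta \) and \(\omega \). That separation is what lets the adjudicator stay offline in an optimistic protocol and is the property the VEHS construction in the paper carries over to homomorphically accumulated signatures.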

References

  1. Agrawal, S., Boneh, D.: Homomorphic MACs: MAC-based integrity for network coding. In: ACNS 2009, pp. 292–305 (2009)

  2. Agrawal, S., Boneh, D., Boyen, X., Freeman, D.M.: Preventing pollution attacks in multi-source network coding. In: PKC 2010, pp. 161–176 (2010)

  3. Asokan, N., Schunter, M., Waidner, M.: Optimistic protocols for fair exchange. In: ACM CCS 1997, pp. 7–17 (1997)

  4. Asokan, N., Shoup, V., Waidner, M.: Asynchronous protocols for optimistic fair exchange. In: IEEE Symposium on S&P 1998, pp. 86–99 (1998)

  5. Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures (extended abstract). In: EUROCRYPT 1998, pp. 591–606 (1998)

  6. Attrapadung, N., Libert, B.: Homomorphic network coding signatures in the standard model. In: PKC 2011, pp. 17–34 (2011)

  7. Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: New privacy definitions and constructions. In: ASIACRYPT 2012, pp. 367–385 (2012). http://hal.inria.fr/hal-00730665

  8. Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: PKC 2013, pp. 386–404 (2013)

  9. Bahreman, A., Tygar, J.D.: Certified electronic mail. In: NDSS 1994, pp. 3–19 (1994)

  10. Bao, F., Deng, R.H., Nguyen, K.Q., Varadharajan, V.: Multi-party fair exchange with an off-line trusted neutral party. In: DEXA Workshop 1999, pp. 858–863 (1999)

  11. Belenkiy, M., Chase, M., Erway, C.C., Jannotti, J., Küpçü, A., Lysyanskaya, A., Rachlin, E.: Making P2P accountable without losing privacy. In: WPES 2007, pp. 31–40 (2007)

  12. Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: ICALP 2007, pp. 411–422 (2007)

  13. Ben-Or, M., Goldreich, O., Micali, S., Rivest, R.L.: A fair protocol for signing contracts. IEEE Trans. IT 36(1), 40–46 (1990)


  14. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT 2004, pp. 223–238 (2004)

  15. Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: EUROCRYPT 2011, pp. 149–168 (2011)

  16. Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: PKC 2011, pp. 1–16 (2011)

  17. Boneh, D., Freeman, D.M., Katz, J., Waters, B.: Signing a linear subspace: signature schemes for network coding. In: PKC 2009, pp. 68–87 (2009)

  18. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: EUROCRYPT 2003, pp. 416–432 (2003)

  19. Boneh, D., Naor, M.: Timed commitments. In: CRYPTO 2000, pp. 236–254 (2000)

  20. Brands, S.A.: An efficient off-line electronic cash system based on the representation problem. Tech. Rep. CS-R9323, CWI, Amsterdam (1993). http://persistent-identifier.org/?identifier=urn:nbn:nl:ui:18-5303

  21. Calderon, T., Meiklejohn, S., Shacham, H., Waters, B.: Rethinking verifiably encrypted signatures: a gap in functionality and potential solutions. In: CT-RSA 2014, pp. 349–366 (2014)

  22. Camenisch, J., Damgård, I.: Verifiable encryption, group encryption, and their applications to separable group signatures and signature sharing schemes. In: ASIACRYPT 2000, pp. 331–345 (2000)

  23. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)


  24. Catalano, D., Fiore, D., Warinschi, B.: Adaptive pseudo-free groups and applications. In: EUROCRYPT 2011, pp. 207–223 (2011)

  25. Catalano, D., Fiore, D., Warinschi, B.: Efficient network coding signatures in the standard model. In: PKC 2012, pp. 680–696 (2012)

  26. Coffey, T., Saidha, P.: Non-repudiation with mandatory proof of receipt. ACM SIGCOMM Comput. Commun. Rev. 26(1), 6–17 (1996)


  27. Cox, B., Tygar, J.D., Sirbu, M.: NetBill security and transaction protocol. In: USENIX Workshop Electronic Commerce 1995, pp. 77–88 (1995)

  28. Deng, R.H., Gong, L., Lazar, A.A., Wang, W.: Practical protocols for certified electronic mail. J. Netw. Syst. Manag. 4(3), 279–297 (1996)


  29. Desmedt, Y.: Computer security by redefining what a computer is. In: NSPW 1993, pp. 160–166 (1993)

  30. Dodis, Y., Lee, P.J., Yum, D.H.: Optimistic fair exchange in a multi-user setting. In: PKC 2007, pp. 118–133 (2007)

  31. Dodis, Y., Reyzin, L.: Breaking and repairing optimistic fair exchange from PODC 2003. In: Digital Rights Management Workshop 2003, pp. 47–54 (2003)

  32. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)


  33. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)


  34. Fischlin, M., Lehmann, A., Schröder, D.: History-free sequential aggregate signatures. In: SCN 2012, pp. 113–130 (2012)

  35. Freeman, D.M.: Improved security for linearly homomorphic signatures: a generic framework. In: PKC 2012, pp. 697–714 (2012)

  36. Garay, J.A., Jakobsson, M., MacKenzie, P.D.: Abuse-free optimistic contract signing. In: CRYPTO 1999, pp. 449–466 (1999)

  37. Gennaro, R., Katz, J., Krawczyk, H., Rabin, T.: Secure network coding over the integers. In: PKC 2010, pp. 142–160 (2010)

  38. Gerbush, M., Lewko, A.B., O’Neill, A., Waters, B.: Dual form signatures: an approach for proving security from static assumptions. In: ASIACRYPT 2012, pp. 25–42 (2012)

  39. Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: EUROCRYPT 2014 (2014)

  40. Huang, Q., Yang, G., Wong, D.S., Susilo, W.: Ambiguous optimistic fair exchange. In: ASIACRYPT 2008, pp. 74–89 (2008)

  41. Huang, X., Mu, Y., Susilo, W., Wu, W., Xiang, Y.: Further observations on optimistic fair exchange protocols in the multi-user setting. In: PKC 2010, pp. 124–141 (2010)

  42. Johnson, R., Molnar, D., Song, D.X., Wagner, D.: Homomorphic signature schemes. In: CT-RSA 2002, pp. 244–262 (2002)

  43. Kilinç, H., Küpçü, A.: Optimally efficient multi-party fair exchange and fair secure multi-party computation. In: CT-RSA 2015, pp. 330–349 (2015)

  44. Küpçü, A., Lysyanskaya, A.: Usable optimistic fair exchange. Comput. Netw. 56(1), 50–63 (2012)


  45. Lee, K., Lee, D.H., Yung, M.: Aggregating CL-signatures revisited: extended functionality and better efficiency. In: FC 2013 (2013)

  46. Lee, K., Lee, D.H., Yung, M.: Sequential aggregate signatures with short public keys: design, analysis and implementation studies. In: PKC 2013, pp. 423–442 (2013)

  47. Lewko, A.B., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: TCC 2010, pp. 455–479 (2010). http://eprint.iacr.org/2009/482

  48. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: EUROCRYPT 2006, pp. 465–485 (2006)

  49. Micali, S.: Simple and fast optimistic protocols for fair electronic exchange. In: PODC 2003, pp. 12–19 (2003)

  50. Nishimaki, R., Xagawa, K.: Verifiably encrypted signatures with short keys based on the decisional linear problem and obfuscation for encrypted VES. In: PKC 2013, pp. 405–422 (2013)

  51. PBC: The PBC (pairing-based cryptography) library (2013). http://crypto.stanford.edu/pbc/

  52. Rückert, M., Schröder, D.: Security of verifiably encrypted signatures and a construction without random oracles. In: Pairing 2009, pp. 17–34 (2009). http://eprint.iacr.org/2009/027

  53. Seo, J.H., Emura, K., Xagawa, K., Yoneyama, K.: Accumulable optimistic fair exchange from verifiably encrypted homomorphic signatures. In: ACNS 2015, pp. 192–214 (2015)

  54. Waters, B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT 2005, pp. 114–127 (2005)

  55. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: CRYPTO 2009, pp. 619–636 (2009)

  56. Zhou, J., Gollmann, D.: A fair non-repudiation protocol. In: IEEE Symposium on S&P 1996, pp. 55–61 (1996)

  57. Zhu, H., Bao, F.: Stand-alone and setup-free verifiably committed signatures. In: CT-RSA 2006, pp. 159–173 (2006)



Acknowledgements

This work is supported in part by JSPS KAKENHI Grant No. 15H06063.


Corresponding author

Correspondence to Kazuki Yoneyama.

Additional information

This paper is the full version of the extended abstract that appeared in [53].

Appendices

Appendix 1: Proof of Theorem 1

We assume that an adversary \({\mathcal {E}}\) breaks security against clients of our AOFE protocol. \({\mathcal {E}}\) outputs \((\{\mathbf {v}_i^*,\omega ^{(i)*}\}_{i=1}^k, \mathsf {vk}_{{\mathcal {E}}},\tau ^*)\) such that, for \(i = 1\) to k, \(\mathsf {PVrfy}(\mathsf {vk}_{{\mathcal {E}}},\mathsf {apk},\mathbf {v}_i^*,\omega ^{(i)*},\tau ^*) \rightarrow 1\) and \(\sigma ^{(i)*} \leftarrow \mathsf {Res}(\mathsf {ask},\mathsf {apk},\mathsf {vk}_{{\mathcal {E}}},\mathbf {v}_i^*,\omega ^{(i)*},\tau ^*)\), while \(\mathsf {OFE.Vrfy}(\mathsf {vk}_{{\mathcal {E}}}, \mathsf {apk}, \sum _{i=1}^k \mathbf {v}_i^*, \mathsf {Acc}(\mathsf {vk}_{{\mathcal {E}}},\mathsf {apk}, \{\mathbf {v}_i^*,\sigma ^{(i)*}\}_{i=1}^k,\tau ^*), \tau ^*) \rightarrow 0\). This event can be separated into two cases:

  1. \(\exists i\) \(\mathsf {OFE.Vrfy}(\mathsf {vk}_{{\mathcal {E}}},\mathsf {apk},\mathbf {v}_i^*,\sigma ^{(i)*},\tau ^*) \rightarrow 0\).

  2. \(\forall i\) \(\mathsf {OFE.Vrfy}(\mathsf {vk}_{{\mathcal {E}}},\mathsf {apk},\mathbf {v}_i^*,\sigma ^{(i)*},\tau ^*) \rightarrow 1\).

Case 2 does not occur because of the second correctness condition in Definition 2. Thus, we only consider Case 1.

We construct an adversary \({\mathcal {A}}\) to extractability of the VEHS scheme from an adversary \({\mathcal {E}}\) to security against clients of our AOFE protocol. \({\mathcal {A}}\) performs the following steps.

Setup Given \(\mathsf {pp}\) and \(\mathsf {apk}\), \({\mathcal {A}}\) generates \((\mathsf {vk}_j,\mathsf {sk}_j)\) for all users except \({\mathcal {E}}\) according to the protocol. \(\mathsf {pp}\), \(\mathsf {apk}\), and \(\{\mathsf {vk}_j\}\) are provided to \({\mathcal {E}}\) as public information.

Simulation

  1. If \({\mathcal {E}}\) poses \((\mathsf {vk}_j, \mathbf {v}, \omega ,\tau )\) to the resolution oracle, \({\mathcal {A}}\) verifies that \(\mathbf {v}\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and that \(\mathsf {VesVrfy}(\mathsf {apk},\mathsf {vk}_j,\tau ,\mathbf {v},\omega ) \rightarrow 1\). If both checks pass, \({\mathcal {A}}\) poses \((\tau , \mathbf {v}, \mathsf {vk}_j, \omega )\) to the adjudication oracle, receives \(\sigma \), and returns \(\sigma \) to \({\mathcal {E}}\). Otherwise, \({\mathcal {A}}\) returns \(\bot \).

  2. When \({\mathcal {E}}\) outputs \((\{\mathbf {v}_i^*,\omega ^{(i)*}\}_{i=1}^k,\mathsf {vk}_{{\mathcal {E}}},\tau ^*)\), for \(i=1\) to k \({\mathcal {A}}\) runs \(\sigma ^{(i)*} \leftarrow \mathsf {Adj}(\mathsf {ask},\mathsf {apk}, \mathsf {vk}_{{\mathcal {E}}},\omega ^{(i)*},\tau ^*,\mathbf {v}_i^*)\) and finds \(i'\) such that \(\mathsf {Vrfy}(\mathsf {vk}_{{\mathcal {E}}},\tau ^*,\mathbf {v}_{i'}^*,\sigma ^{(i')*}) \rightarrow 0\). Then, \({\mathcal {A}}\) outputs \((\tau ^*, \mathbf {v}_{i'}^*, \mathsf {vk}_{{\mathcal {E}}}, \omega ^{(i')*})\) as the answer to break extractability.

Analysis The simulation of the resolution oracle is perfect because answers for all queries to the resolution oracle are identical to answers for the corresponding queries to the adjudication oracle. Thus, \(\mathsf{Adv}^{\text {OFE.Client}}_{{\mathcal {E}}}(\kappa ) = \mathsf{Adv}^{\text {Ext}}_{{\mathcal {A}}}(\kappa ,n)\). \(\square \)

Appendix 2: Proof of Theorem 2

We assume that an adversary \({\mathcal {E}}\) breaks security against shops of our AOFE protocol. \({\mathcal {E}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\) such that \(\mathsf {OFE.Vrfy}(\mathsf {vk}_{A},\mathsf {apk},\mathbf {v}^*, \sigma ^*,\tau ^*) \rightarrow 1\), and \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{\mathbf {v}_i^*,\tau ^*\}_{i=1}^\ell \subseteq T_{psig}\) or \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{\mathsf {vk}_A,\mathbf {v}_i^*,\cdot , \tau ^*\}_{i=1}^\ell \subseteq T_{res}\). This event can be separated into three cases:

  1. \(\tau ^* \not = \tau \) for any entry \(((\cdot ,\tau ),\cdot ) \in T_{psig}\) and \(((\cdot , \cdot , \cdot ,\tau ), \cdot ) \in T_{res}\).

  2. \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathbf {v}_i^*,\tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{psig}\).

  3. \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathsf {vk}_A,\mathbf {v}_i^*,\cdot , \tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{res}\).

1.1 Case 1

First, we consider Case 1. We construct an adversary \({\mathcal {A}}\) to class-I opacity of the VEHS scheme from an adversary \({\mathcal {E}}\) to security against shops of our AOFE protocol. \({\mathcal {A}}\) performs the following steps.

Initialization \({\mathcal {A}}\) receives \(\mathsf {pp}\), \(\mathsf {apk}^*\) and \(\mathsf {vk}^*\), outputs n, and sets \(\mathsf {vk}_A:=\mathsf {vk}^*\).

Setup \({\mathcal {A}}\) generates \((\mathsf {vk}_j,\mathsf {sk}_j)\) for all users except \(\mathsf {vk}_A\) according to the protocol. \(\mathsf {pp}\), \(\mathsf {apk}^*\), and \(\{\mathsf {vk}_j\}\) are provided to \({\mathcal {E}}\) as public information. \({\mathcal {A}}\) sets tables \(T_{psig}\) and \(T_{res}\), both initialized as \(\emptyset \).

Simulation

  1. If \({\mathcal {E}}\) poses \((\mathbf {v},\tau )\) to the partial signing oracle, \({\mathcal {A}}\) poses \((\mathbf {v},\tau )\) to the creation oracle, receives \(\omega \), returns \(\omega \) to \({\mathcal {E}}\), and stores \(((\mathbf {v},\tau ),\omega )\) in table \(T_{psig}\).

  2. If \({\mathcal {E}}\) poses \((\mathsf {vk}_j, \mathbf {v}, \omega ,\tau )\) to the resolution oracle where \(\mathsf {vk}_j \not = \mathsf {vk}_A\), \({\mathcal {A}}\) verifies that \(\mathbf {v}\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and that \(\mathsf {VesVrfy}(\mathsf {apk}^*, \mathsf {vk}_j,\tau ,\mathbf {v},\omega ) \rightarrow 1\). Then, \({\mathcal {A}}\) runs \(\sigma \leftarrow \mathsf {OFE.Sign}(\mathsf {sk}_j,\mathsf {apk}^*,\mathbf {v},\tau )\) with \(\mathsf {sk}_j\), returns \(\sigma \) to \({\mathcal {E}}\), and stores \(((\mathsf {vk}_j, \mathbf {v}, \omega ,\tau ),\sigma )\) in table \(T_{res}\). Else if \({\mathcal {E}}\) poses \((\mathsf {vk}_A, \mathbf {v}, \omega ,\tau )\) to the resolution oracle, \({\mathcal {A}}\) poses \((\mathbf {v}, \omega ,\tau )\) to the adjudication oracle, receives \(\sigma \), returns \(\sigma \) to \({\mathcal {E}}\), and stores \(((\mathsf {vk}_A, \mathbf {v}, \omega ,\tau ),\sigma )\) in table \(T_{res}\).

  3. When \({\mathcal {E}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\), \({\mathcal {A}}\) verifies that \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and \(\mathsf {Vrfy}(\mathsf {vk}_{A},\tau ^*,\mathbf {v}^*,\sigma ^*) \rightarrow 1\), and checks \(\tau ^* \not = \tau \) for any entry \(((\cdot ,\tau ),\cdot ) \in T_{psig}\) and \(((\cdot , \cdot , \cdot ,\tau ),\cdot ) \in T_{res}\). Then, \({\mathcal {A}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\) as the tuple to break class-I opacity.

Analysis \(T_{psig}\) and \(T_{res}\) are identical to tables \(T_{\mathsf {ves}}\) and \(T_{\mathsf {sig}}\) in Definition 11, respectively, because \({\mathcal {A}}\) only forwards corresponding queries. The simulation of the partial signing oracle is perfect because the creation oracle behaves the same way as the partial signing oracle. Also, the difference between the simulation and the real resolution oracle is perfectly indistinguishable because our AOFE protocol satisfies the ambiguity due to resolution independence of VEHS. The ambiguity guarantees that for a common message \(\mathbf {v}\) any resolved signature based on \(\mathsf {ask}\) is indistinguishable from the ordinary signature based on \(\mathsf {sk}_j\). Thus, \(\mathsf{Adv}^{\text {OFE.Shop}}_{{\mathcal {E}}}(\kappa ) \le \mathsf{Adv}^{\text {Opac}}_{{\mathcal {A}}}(\kappa ,n) + negl\). \(\square \)

1.2 Case 2

Next, we consider Case 2. We construct an adversary \({\mathcal {A}}\) to class-II opacity of the VEHS scheme from an adversary \({\mathcal {E}}\) to security against shops of our AOFE protocol. \({\mathcal {A}}\) performs the following steps.

Initialization \({\mathcal {A}}\) receives \(\mathsf {pp}\), \(\mathsf {apk}^*\) and \(\mathsf {vk}^*\), outputs n, and sets \(\mathsf {vk}_A:=\mathsf {vk}^*\).

Setup \({\mathcal {A}}\) generates \((\mathsf {vk}_j,\mathsf {sk}_j)\) for all users except \(\mathsf {vk}_A\) according to the protocol. \(\mathsf {pp}\), \(\mathsf {apk}^*\), and \(\{\mathsf {vk}_j\}\) are provided to \({\mathcal {E}}\) as public information. \({\mathcal {A}}\) sets table \(T_{psig}\) which is initialized as \(\emptyset \).

Simulation

  1. If \({\mathcal {E}}\) poses \((\mathbf {v},\tau )\) to the partial signing oracle, \({\mathcal {A}}\) poses \((\mathbf {v},\tau )\) to the creation oracle, receives \(\omega \), returns \(\omega \) to \({\mathcal {E}}\), and stores \(((\mathbf {v},\tau ),\cdot )\) in table \(T_{psig}\).

  2. If \({\mathcal {E}}\) poses \((\mathsf {vk}_j, \mathbf {v}, \omega ,\tau )\) to the resolution oracle where \(\mathsf {vk}_j \not = \mathsf {vk}_A\), \({\mathcal {A}}\) verifies that \(\mathbf {v}\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and that \(\mathsf {VesVrfy}(\mathsf {apk}^*, \mathsf {vk}_j,\tau ,\mathbf {v},\omega ) \rightarrow 1\). Then, \({\mathcal {A}}\) runs \(\sigma \leftarrow \mathsf {OFE.Sign}(\mathsf {sk}_j,\mathsf {apk}^*,\mathbf {v},\tau )\) with \(\mathsf {sk}_j\), and returns \(\sigma \) to \({\mathcal {E}}\). Else if \({\mathcal {E}}\) poses \((\mathsf {vk}_A, \mathbf {v}, \omega ,\tau )\) to the resolution oracle, \({\mathcal {A}}\) poses \((\mathbf {v}, \omega ,\tau )\) to the adjudication oracle, receives \(\sigma \), and returns \(\sigma \) to \({\mathcal {E}}\).

  3. When \({\mathcal {E}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\), \({\mathcal {A}}\) verifies that \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and \(\mathsf {Vrfy}(\mathsf {vk}_{A},\tau ^*,\mathbf {v}^*,\sigma ^*) \rightarrow 1\), and checks \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathbf {v}_i^*,\tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{psig}\). Then, \({\mathcal {A}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\) as the tuple to break class-II opacity.

Analysis \(T_{psig}\) is identical to table \(T_{\mathsf {ves}}\) in Definition 11. The simulation of the partial signing oracle is perfect, and the difference between the simulation and the real resolution oracle is perfectly indistinguishable because of the ambiguity due to resolution independence of VEHS. When \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathbf {v}_i^*,\tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{psig}\), then \(\mathbf {v}^*\not \in \mathop {\mathrm {span}}\nolimits (\mathbf {v}_1^*,\ldots ,\mathbf {v}_l^*)\) where \(\mathbf {v}_1^*,\ldots ,\mathbf {v}_l^*\) are the vectors which appeared in \(T_{\mathsf {ves}}\) with \(\tau ^*\). Thus, \(\mathsf{Adv}^{\text {OFE.Shop}}_{{\mathcal {E}}}(\kappa ) \le \mathsf{Adv}^{\text {Opac}}_{{\mathcal {A}}}(\kappa ,n) + negl\). \(\square \)

1.3 Case 3

Finally, we consider Case 3. We construct an adversary \({\mathcal {A}}\) to class-III opacity of the VEHS scheme from an adversary \({\mathcal {E}}\) to security against shops of our AOFE protocol. \({\mathcal {A}}\) performs the following steps.

Initialization \({\mathcal {A}}\) receives \(\mathsf {pp}\), \(\mathsf {apk}^*\) and \(\mathsf {vk}^*\), outputs n, and sets \(\mathsf {vk}_A:=\mathsf {vk}^*\).

Setup \({\mathcal {A}}\) generates \((\mathsf {vk}_j,\mathsf {sk}_j)\) for all users except \(\mathsf {vk}_A\) according to the protocol. \(\mathsf {pp}\), \(\mathsf {apk}^*\), and \(\{\mathsf {vk}_j\}\) are provided to \({\mathcal {E}}\) as public information. \({\mathcal {A}}\) sets table \(T_{res}\) which is initialized as \(\emptyset \).

Simulation

  1. If \({\mathcal {E}}\) poses \((\mathbf {v},\tau )\) to the partial signing oracle, \({\mathcal {A}}\) poses \((\mathbf {v},\tau )\) to the creation oracle, receives \(\omega \), and returns \(\omega \) to \({\mathcal {E}}\).

  2. If \({\mathcal {E}}\) poses \((\mathsf {vk}_j, \mathbf {v}, \omega ,\tau )\) to the resolution oracle where \(\mathsf {vk}_j \not = \mathsf {vk}_A\), \({\mathcal {A}}\) verifies that \(\mathbf {v}\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and that \(\mathsf {VesVrfy}(\mathsf {apk}^*, \mathsf {vk}_j,\tau ,\mathbf {v},\omega ) \rightarrow 1\). Then, \({\mathcal {A}}\) runs \(\sigma \leftarrow \mathsf {OFE.Sign}(\mathsf {sk}_j,\mathsf {apk}^*,\mathbf {v},\tau )\) with \(\mathsf {sk}_j\), returns \(\sigma \) to \({\mathcal {E}}\), and stores \(((\mathsf {vk}_j, \mathbf {v}, \omega ,\tau ),\sigma )\) in table \(T_{res}\). Else if \({\mathcal {E}}\) poses \((\mathsf {vk}_A, \mathbf {v}, \omega ,\tau )\) to the resolution oracle, \({\mathcal {A}}\) poses \((\mathbf {v}, \omega ,\tau )\) to the adjudication oracle, receives \(\sigma \), returns \(\sigma \) to \({\mathcal {E}}\), and stores \(((\mathsf {vk}_A, \mathbf {v}, \omega ,\tau ),\sigma )\) in table \(T_{res}\).

  3. When \({\mathcal {E}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\), \({\mathcal {A}}\) verifies that \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and \(\mathsf {Vrfy}(\mathsf {vk}_{A},\tau ^*,\mathbf {v}^*,\sigma ^*) \rightarrow 1\), and checks \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathsf {vk}_A,\mathbf {v}_i^*,\cdot , \tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{res}\). Then, \({\mathcal {A}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\) as the tuple to break class-III opacity.

Analysis \(T_{res}\) is identical to table \(T_{\mathsf {sig}}\) in Definition 11. The simulation of the partial signing oracle is perfect, and the difference between the simulation and the real resolution oracle is perfectly indistinguishable because of the ambiguity due to resolution independence of VEHS. When \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\) \(\dots , 0)\) and \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathsf {vk}_A,\mathbf {v}_i^*,\cdot ,\) \(\tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{res}\), then \(\mathbf {v}^*\not \in \mathop {\mathrm {span}}\nolimits (\mathbf {v}_1^*,\ldots ,\mathbf {v}_{l}^*)\) where \(\mathbf {v}_1^*,\ldots ,\mathbf {v}_l^*\) are vectors which appeared in \(T_{\mathsf {sig}}\) with \(\tau ^*\). Thus, \(\mathsf{Adv}^{\text {OFE.Shop}}_{{\mathcal {E}}}(\kappa ) \le \mathsf{Adv}^{\text {Opac}}_{{\mathcal {A}}}(\kappa ,n) + negl\). \(\square \)

Appendix 3: Proof of Theorem 3

We assume that an adversary \({\mathcal {E}}\) breaks security against the adjudicator of our AOFE protocol. \({\mathcal {E}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\) such that \(\mathsf {OFE.Vrfy}(\mathsf {vk}_{A}, \mathsf {apk}^*, \mathbf {v}^*,\sigma ^*,\tau ^*) \rightarrow 1\), and \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathbf {v}_i^*,\tau ^*), \cdot ) \}_{i=1}^\ell \subseteq T_{psig}\). This event can be separated into two cases:

  1. \(\tau ^* \not = \tau \) for any entry \(((\cdot ,\tau ),\cdot ) \in T_{psig}\).

  2. \(\mathbf {v}^* \not = \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathbf {v}_i^*,\tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{psig}\).

1.1 Case 1

First, we consider Case 1. We construct an adversary \({\mathcal {A}}\) to class-I unforgeability of the VEHS scheme from an adversary \({\mathcal {E}}\) to security against the adjudicator of our AOFE protocol. \({\mathcal {A}}\) performs the following steps.

Initialization \({\mathcal {A}}\) receives \(\mathsf {pp}\) and \(\mathsf {vk}^*\), outputs n, and sets \(\mathsf {vk}_A:=\mathsf {vk}^*\).

Setup \({\mathcal {A}}\) generates \((\mathsf {vk}_j,\mathsf {sk}_j)\) for all users except \(\mathsf {vk}_A\) according to the protocol. \(\mathsf {pp}\) and \(\{\mathsf {vk}_j\}\) are provided to \({\mathcal {E}}\) as public information. On receiving \(\mathsf {apk}^*\) from \({\mathcal {E}}\), \({\mathcal {A}}\) outputs \(\mathsf {apk}^*\). \({\mathcal {A}}\) sets table \(T_{psig}\) which is initialized as \(\emptyset \).

Simulation

  1. If \({\mathcal {E}}\) poses \((\mathbf {v},\tau )\) to the partial signing oracle, \({\mathcal {A}}\) poses \((\mathbf {v},\tau )\) to the creation oracle, receives \(\omega \), returns \(\omega \) to \({\mathcal {E}}\), and stores \(((\mathbf {v},\tau ),\omega )\) in table \(T_{psig}\).

  2. When \({\mathcal {E}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\), \({\mathcal {A}}\) verifies that \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\ldots ,0)\) and \(\mathsf {Vrfy}(\mathsf {vk}_{A},\tau ^*,\mathbf {v}^*,\sigma ^*) \rightarrow 1\), and checks \(\tau ^* \not = \tau \) for any entry \(((\cdot ,\tau ),\cdot ) \in T_{psig}\). Then, \({\mathcal {A}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\) as the tuple to break class-I unforgeability.

Analysis \(T_{psig}\) is identical to table \(T_{\mathsf {ves}}\) in Definition 11, because \({\mathcal {A}}\) only forwards corresponding queries. The simulation of the partial signing oracle is perfect because the creation oracle behaves the same way as the partial signing oracle. Thus, \(\mathsf{Adv}^{\text {OFE.Adj}}_{{\mathcal {E}}}(\kappa ) \le \mathsf{Adv}^{\text {VesForge}}_{{\mathcal {A}}}(\kappa ,n) + negl\). \(\square \)

1.2 Case 2

Next, we consider Case 2. We construct an adversary \({\mathcal {A}}\) to class-II unforgeability of the VEHS scheme from an adversary \({\mathcal {E}}\) to security against the adjudicator of our AOFE protocol. \({\mathcal {A}}\) performs the following steps.

Initialization \({\mathcal {A}}\) receives \(\mathsf {pp}\) and \(\mathsf {vk}^*\), outputs n, and sets \(\mathsf {vk}_A:=\mathsf {vk}^*\).

Setup \({\mathcal {A}}\) generates \((\mathsf {vk}_j,\mathsf {sk}_j)\) for all users except \(\mathsf {vk}_A\) according to the protocol. \(\mathsf {pp}\) and \(\{\mathsf {vk}_j\}\) are provided to \({\mathcal {E}}\) as public information. On receiving \(\mathsf {apk}^*\) from \({\mathcal {E}}\), \({\mathcal {A}}\) outputs \(\mathsf {apk}^*\). \({\mathcal {A}}\) sets table \(T_{psig}\) which is initialized as \(\emptyset \).

Simulation

  1. If \({\mathcal {E}}\) poses \((\mathbf {v},\tau )\) to the partial signing oracle, \({\mathcal {A}}\) poses \((\mathbf {v},\tau )\) to the creation oracle, receives \(\omega \), returns \(\omega \) to \({\mathcal {E}}\), and stores \(((\mathbf {v},\tau ),\omega )\) in table \(T_{psig}\).

  2. When \({\mathcal {E}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\), \({\mathcal {A}}\) verifies that \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\dots ,0)\) and \(\mathsf {Vrfy}(\mathsf {vk}_{A},\tau ^*,\mathbf {v}^*,\sigma ^*) \rightarrow 1\), and checks that \(\mathbf {v}^* \ne \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathbf {v}_i^*,\tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{psig}\). Then, \({\mathcal {A}}\) outputs \((\mathbf {v}^*,\sigma ^*,\tau ^*)\) as the tuple to break class-II unforgeability.

Analysis \(T_{psig}\) is identical to table \(T_{\mathsf {ves}}\) in Definition 11, because \({\mathcal {A}}\) only forwards the corresponding queries. The simulation of the partial signing oracle is perfect because the creation oracle behaves the same way as the partial signing oracle. When \(\mathbf {v}^*\) has the form \((1,\ldots ,1,0,\dots ,0)\) and \(\mathbf {v}^* \ne \sum _{i=1}^\ell \mathbf {v}_i^*\) for all sets \(\{((\mathbf {v}_i^*,\tau ^*),\cdot )\}_{i=1}^\ell \subseteq T_{psig}\), then \(\mathbf {v}^*\not \in \mathop {\mathrm {span}}\nolimits (\mathbf {v}_1^*,\ldots ,\mathbf {v}_\ell ^*)\), where \(\mathbf {v}_1^*,\ldots ,\mathbf {v}_\ell ^*\) are the vectors that appeared in \(T_{\mathsf {ves}}\) with \(\tau ^*\). Thus, \(\mathsf{Adv}^{\text {OFE.Adj}}_{{\mathcal {E}}}(\kappa ) \le \mathsf{Adv}^{\text {VesForge}}_{{\mathcal {A}}}(\kappa ,n) + negl\). \(\square \)

Appendix 4: Proof of Theorem 7

Let us verify extractability [52], that is, any signature extracted from a valid VES by \(\mathsf {Adj}\) is valid even if the verification key is chosen maliciously. We show that the winning probability is negligible even for a computationally unbounded adversary.

Let us fix public parameters \((\mathbb {G},\mathbb {G}_T,e,N,g,X_3,u,v,\{h_i\}_{i \in [n]})\), where \(g,u,v,h_i \in \mathbb {G}_1\) and \(X_3 \in \mathbb {G}_3\), and fix an adjudicator’s key pair, \(\mathsf {ask}= \beta \in \mathbb {Z}_N^*\) and \(\mathsf {apk}= y = g^{\beta } \in \mathbb {G}_1\). Consider \(\tau \in \mathbb {Z}_N\), a nonzero vector \(\mathbf {v}\in \mathbb {Z}_N^n\), a verification key \(\mathsf {vk}= z \in \mathbb {G}\), and a VES \(\omega = (\omega _1,\omega _2,\omega _3) \in \mathbb {G}^3\) output by the adversary. Suppose that the VES is valid, that is, it satisfies the equation

$$\begin{aligned} e(\omega _1,g) =e(H_{\mathsf {hom}}(\mathbf {v}),z) \cdot e(u^{\tau } v,\omega _2) \cdot e(y,\omega _3). \end{aligned}$$
(1)

The adjudicator \(\mathsf {Adj}\) extracts a signature from VES \(\omega \) by computing \(\sigma _1 \leftarrow (\omega _1/\omega _3^{\beta }) \cdot (u^\tau v)^{{\tilde{r}}} \cdot {\tilde{R}}_3 \text { and } \sigma _2 \leftarrow \omega _2 \cdot g^{{\tilde{r}}} \cdot {\tilde{R}}_3'\), where \({\tilde{r}} \leftarrow _{\$}\mathbb {Z}_N\) and \({\tilde{R}}_3,{\tilde{R}}_3' \leftarrow _{\$}\mathbb {G}_3\). By expanding \(e(\sigma _1,g)\) in the verification equation, we obtain

$$\begin{aligned} e(\sigma _1,g)&= e\left( (\omega _1/\omega _3^{\beta }) \cdot (u^\tau v)^{{\tilde{r}}} \cdot {\tilde{R}}_3, g\right) \\&= e(\omega _1, g) \cdot e(\omega _3^{-\beta },g) \cdot e((u^\tau v)^{{\tilde{r}}},g) \cdot e({\tilde{R}}_3, g) \\&= e(H_{\mathsf {hom}}(\mathbf {v}),z) \cdot e(u^{\tau } v,\omega _2) \cdot e(y,\omega _3)\\&\quad \cdot e(\omega _3,g^{-\beta }) \cdot e(u^\tau v,g^{{\tilde{r}}}) \\&\quad \text {(from eq. (1))} \\&= e(H_{\mathsf {hom}}(\mathbf {v}),z) \cdot e(u^{\tau } v, \omega _2 \cdot g^{{\tilde{r}}})\\&\quad (\text { from} y = g^{\beta }) \\&= e(H_{\mathsf {hom}}(\mathbf {v}),z) \cdot e(u^{\tau } v, \sigma _2) \cdot e(u^{\tau } v, {\tilde{R}}_3')^{-1}. \\&\quad (\text { from the def. of} \sigma _2) \end{aligned}$$

Notice that \(u^{\tau } v \in \mathbb {G}_1\) and, hence, \(e(u^{\tau } v, {\tilde{R}}_3')^{-1} = 1_{\mathbb {G}_T}\). Therefore,

$$\begin{aligned} e(\sigma _1,g) = e(H_{\mathsf {hom}}(\mathbf {v}),z) \cdot e(u^\tau v, \sigma _2) \end{aligned}$$

holds and the extracted signature is valid. \(\square \)

Appendix 5: Proof of Theorem 8

We show that our scheme is unforgeable if the ALP12 HS scheme is unforgeable (Theorem 4).

Proof

We simply design a reduction algorithm \({\mathcal {B}}\) that forges the ALP12 signature scheme from a forger \({\mathcal {A}}\) against our scheme.

  • \({\mathcal {B}}\) initiates the game as follows: Given \(\mathsf {vk}_{\mathsf {HS}} = (\mathbb {G},\mathbb {G}_T,e,N,g,X_{p_3},u,v,\{h_i\}_{i \in [n]},g^{\alpha })\) from its challenger, it sets \(\mathsf {pp}= (\mathbb {G},\mathbb {G}_T,e,N,g,X_{p_3},u,v,\{h_i\}_{i \in [n]})\) and \(\mathsf {vk}= g^{\alpha }\). \({\mathcal {B}}\) runs \({\mathcal {A}}\) with input \(\mathsf {pp}\) and receives \(\mathsf {apk}^* = y \in \mathbb {G}\) from \({\mathcal {A}}\). \({\mathcal {B}}\) then gives \(\mathsf {vk}\) to \({\mathcal {A}}\).

  • \({\mathcal {B}}\) can simulate the creation oracle by using its signing oracle and \(\mathsf {apk}^*\) as follows: Receiving \((\tau ,\mathbf {v})\) from \({\mathcal {A}}\), \({\mathcal {B}}\) queries \((\tau ,\mathbf {v})\) to its signing oracle and receives \(\sigma = (\sigma _1,\sigma _2) \leftarrow \mathsf {HS_{ALP}.Sign}(\mathsf {sk}_{\mathsf {HS}},\tau ,\mathbf {v})\), where \(\sigma _1 = H_{\hom }(\mathbf {v})^{\alpha } \cdot (u^{\tau } v)^r \cdot R_3\) and \(\sigma _2 = g^{r} \cdot R_3'\). It then chooses \(t \leftarrow _{\$}\mathbb {Z}_N\) and \(R_3'' \leftarrow _{\$}\mathbb {G}_3\) and computes \(\omega _1 \leftarrow \sigma _1 \cdot y^t\), \(\omega _2 \leftarrow \sigma _2\), and \(\omega _3 \leftarrow g^{t} \cdot R_3''\) as \(\mathsf {Create}\). It returns \(\omega = (\omega _1,\omega _2,\omega _3)\) to \({\mathcal {A}}\) and stores \(((\tau ,\mathbf {v}),\sigma ,\omega )\) to the table.

  • Finally, \({\mathcal {A}}\) outputs a forgery \((\tau ^*,\mathbf {v}^*,\sigma ^*)\). \({\mathcal {B}}\) outputs \((\tau ^*,\mathbf {v}^*,\sigma ^*)\) as the forgery.

Since the winning conditions in Definition 13 and Definition 11 are essentially the same, \({\mathcal {B}}\) wins whenever \({\mathcal {A}}\) wins. \(\square \)

Appendix 6: Proof of Theorem 9

The proof is very similar to the previous proof.

Proof

We construct a PPT adversary \({\mathcal {B}}\) that forges against the ALP12 scheme by using a PPT adversary \({\mathcal {A}}\) that violates class-I/II opacity against our scheme.

  • \({\mathcal {B}}\) initiates the game as follows: Given \(\mathsf {vk}_{\mathsf {HS}} = (\mathbb {G},\mathbb {G}_T,e,N,g,X_{p_3},u,v,\{h_i\}_{i \in [n]},g^{\alpha })\) from its challenger, \({\mathcal {B}}\) chooses \(\beta \leftarrow _{\$}\mathbb {Z}_N\) and computes \(y \leftarrow g^{\beta }\). \({\mathcal {B}}\) then sets \(\mathsf {pp}= (\mathbb {G},\mathbb {G}_T,e,N,g,X_{p_3},u,v,\{h_i\}_{i \in [n]})\), \(\mathsf {apk}= y\), \(\mathsf {ask}= \beta \), and \(\mathsf {vk}= g^{\alpha }\). \({\mathcal {B}}\) runs \({\mathcal {A}}\) on input \(\mathsf {pp}\), \(\mathsf {apk}\), and \(\mathsf {vk}\).

  • \({\mathcal {B}}\) simulates two oracles as follows:

    • Creation oracle: Receiving \((\tau ,\mathbf {v})\) from \({\mathcal {A}}\), \({\mathcal {B}}\) queries \((\tau ,\mathbf {v})\) to its signing oracle and receives \(\sigma = (\sigma _1,\sigma _2) \leftarrow \mathsf {HS_{ALP}.Sign}(\mathsf {sk}_{\mathsf {HS}},\tau ,\mathbf {v})\), where \(\sigma _1 = H_{\hom }(\mathbf {v})^{\alpha } \cdot (u^{\tau } v)^r \cdot R_3\) and \(\sigma _2 = g^{r} \cdot R_3'\). It then chooses \(t \leftarrow _{\$}\mathbb {Z}_N\) and \(R_3'' \leftarrow _{\$}\mathbb {G}_3\) and computes \(\omega _1 \leftarrow \sigma _1 \cdot y^t\), \(\omega _2 \leftarrow \sigma _2\), and \(\omega _3 \leftarrow g^{t} \cdot R_3''\) as \(\mathsf {Create}\). It returns \(\omega = (\omega _1,\omega _2,\omega _3)\) to \({\mathcal {A}}\).

    • Adjudication oracle: Since \({\mathcal {B}}\) has \(\mathsf {ask}= \beta \), it can simulate this oracle perfectly.

  • Finally, \({\mathcal {A}}\) outputs a forgery \((\tau ^*,\mathbf {v}^*,\sigma ^*)\). \({\mathcal {B}}\) outputs \((\tau ^*,\mathbf {v}^*,\sigma ^*)\) as the forgery.

Notice that if \({\mathcal {A}}\) wins its class-I/II opacity game, \({\mathcal {B}}\) also wins its unforgeability game. Since the simulation is perfect, this completes the proof. \(\square \)

Table 3 In the “creation” and “adjudication” columns, U indicates an unknown type and A, B, B1, B2, and B3 denote the type of VES/signature returned by the oracles. In the “adjudication” column, \(*\rightarrow *\) indicates that the adjudication oracle decrypts \(\omega \) and re-randomizes \(\sigma \), and \(*\nrightarrow *\) indicates that the adjudication oracle freshly generates \(\sigma \)

Appendix 7: Proof of Theorem 10

We show here the class-III opacity of our VEHS scheme. From the definition, a forger wins if it outputs \((\tau ^*,\mathbf {y}^*,\sigma ^*)\) such that \(\mathbf {y}^* \not \in \mathop {\mathrm {span}}\nolimits (\mathbf {y}_{1},\dots ,\mathbf {y}_{k})\) but \(\mathbf {y}^* \in \mathop {\mathrm {span}}\nolimits (\mathbf {v}_1,\dots ,\mathbf {v}_{\ell })\), where \((\tau ^*,\mathbf {v}_i)\) are queried to the creation oracle and \((\tau ^*,\mathbf {y}_i)\) are queried to the adjudication oracle with corresponding valid VESs.

1.1 Dual-form signatures

The proof mainly follows those in [7], which stem from [47, 55]. For an ordinary signature scheme [47, 55], the typical proof proceeds as follows: We classify signatures into two types, say, type-A (or normal) and type-B (or semi-functional). In the original unforgeability game, the signing oracle returns type-A signatures, and we first show that no adversary can produce a type-B signature. The game is then modified gradually by changing the type of the i-th signature produced by the signing oracle, and we show that no adversary can distinguish consecutive games; a change in the adversary’s behaviour is detected by checking the type of the forgery it outputs. In the final game, the signing oracle returns type-B signatures, and we then show that no adversary can produce a type-A signature. Since the original and final games are computationally indistinguishable, no adversary can output a type-A forgery even in the original game.

Types of VES and signatures. We again define types of VESs and signatures.

Recall that if a VES \(\omega = (\omega _1,\omega _2,\omega _3)\) is valid, then it should be in the form

$$\begin{aligned} \omega _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot (u^\tau v)^r \cdot y^t \cdot g_{p_2}^{w_1} \cdot R_3, \\ \omega _2&= g^r \cdot g_{p_2}^{w_2} \cdot R_3', \text { and } \omega _3 = g^t \cdot g_{p_2}^{w_3} \cdot R_3'', \end{aligned}$$

where \(g_{p_2}\) is a generator of \(\mathbb {G}_2\), \(w_1,w_2,w_3 \in \mathbb {Z}_N\), and \(R_3,R_3',R_3'' \in \mathbb {G}_3\). We say a VES \(\omega \) is type-A if \((w_1,w_2,w_3) \equiv (0,0,0) \pmod {p_2}\) and is type-B if \((w_1,w_2,w_3) \not \equiv (0,0,0) \pmod {p_2}\). In particular, we call a VES type-B1 if it is type-B and \(w_3 \equiv 0 \pmod {p_2}\) and type-B2 if it is type-B and \(w_2 \equiv 0 \pmod {p_2}\).

If a signature \(\sigma = (\sigma _1,\sigma _2)\) is valid, then it should be in the form

$$\begin{aligned} \sigma _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot (u^\tau v)^r \cdot g_{p_2}^{w_1} \cdot R_3 \\&\text { and } \sigma _2 = g^r \cdot g_{p_2}^{w_2} \cdot R_3'. \end{aligned}$$

We say a signature is type-A if \((w_1,w_2) \equiv (0,0) \pmod {p_2}\). Just as with ALP12, we say a signature is type-B if \((w_1,w_2) \not \equiv (0,0)\pmod {p_2}\). More specifically, a type-B signature is said to be type-B1 if \(w_2 \not \equiv 0 \pmod {p_2}\) and type-B2 if \(w_2 \equiv 0 \pmod {p_2}\) and \(w_1 \not \equiv 0 \pmod {p_2}\).

Games In the following, we consider a sequence of games and show their computational closeness. Moreover, we show that no PPT adversary can forge a type-A signature in \(\mathbf {Game}_{\mathrm {final}}\) or a type-B signature in \(\mathbf {Game}_{3}\) with noticeable advantage. Let \(Q_{\mathsf {ves}}\) and \(Q_{\mathsf {sig}}\) be the numbers of queries to the creation and adjudication oracles, respectively.

Table 3 summarizes the games.

\(\mathbf {Game}_{\mathrm {real}}\) This is the same as the original game.

\(\mathbf {Game}_0\) We eliminate bad events: In this game, the challenger aborts if either of the following events occurs: (1) the adversary queries a new \(\tau \), which was not queried to the creation oracle, with a message \(\mathbf {y}\) and a valid VES \(\omega \) to the adjudication oracle, or (2) the adversary queries \((\tau ,\mathbf {y},\omega )\) to the adjudication oracle such that \(\omega \) is valid and \(\mathbf {y}\) is not contained in \(\mathop {\mathrm {span}}\nolimits (\mathbf {v}_1,\dots ,\mathbf {v}_{k})\) where \((\tau ,\mathbf {v}_i)\) were already queried to the creation oracle.

These events contradict the unforgeability and class-I and -II opacity. Therefore, under the assumptions, \(\Pr [S_{\mathrm {real}}]\) and \(\Pr [S_0]\) are within a negligible distance.

\(\mathbf {Game}_1\) At the beginning of this game, the challenger guesses an index of \(\tau ^*\) by choosing \(j^* \leftarrow _{\$}[Q_{\mathsf {ves}}]\) uniformly at random. The challenger aborts if it fails to guess, that is, \(\tau _{j^*} \ne \tau ^*\). Otherwise, the challenger does the same as in \(\mathbf {Game}_{0}\).

Since the choice of \(j^*\) is independent from the adversary’s view, we have \(\Pr [S_1] = \frac{1}{Q_{\mathsf {ves}}} \Pr [S_{0}]\).

\(\mathbf {Game}_2\) We next eliminate a bad event on the homomorphic hashing, \(H_{\mathsf {hom}}\).

The challenger additionally aborts if the adversary finally outputs \((\tau ^*,\mathbf {y}^*,\sigma ^*)\) which makes \(H_{\mathsf {hom}}(\mathbf {y}^*) = \prod _{i\in [n]} h_i^{y_i^*} = 1_{\mathbb {G}}\).

Lemma 1

\(\mathbf {Game}_1\) and \(\mathbf {Game}_2\) are computationally indistinguishable under assumption \(\mathbf {ALP3}\).

Intuitively speaking, a forger which outputs bad \(\mathbf {y}^*\) solves the representation problem over \(\mathbb {G}_1\) or finds a non-trivial factor of N.

Proof

Let us construct a solver \({\mathcal {B}}\) that, given \((g ,f,g^{\xi } ,X_1 X_2 ,X_3 ,Y_2 Y_3)\) and T, decides if \(T = f^{\xi } Z_3\) or \(f^{\xi } Z_2 Z_3\) from the forger \({\mathcal {A}}\) that, with noticeable probability, outputs \((\tau ^*,\mathbf {y}^*,\sigma ^*)\) such that \(\prod _{i\in [n]} h_i^{y_i^*} = 1_{\mathbb {G}}\).

Let \(h = g^{\xi }\) for simplicity. \({\mathcal {B}}\) sets the keys as follows: It chooses \(\alpha , \beta , a_u, a_v \leftarrow _{\$}\mathbb {Z}_N\) and computes \(\mathsf {vk}= g^{\alpha }\), \(\mathsf {apk}= y = g^{\beta }\), \(u = g^{a_u}\), and \(v = g^{a_v}\). It prepares the homomorphic hashing as follows: It generates an n-tuple \((b_1,\dots ,b_n) \leftarrow _{\$}\mathbb {Z}_N^n\) at random and computes \(g_1' = h^{b_1}\) and \(g_i' = g^{b_i}\) for \(i \in [n]\setminus \{1\}\). It generates a permutation \(\pi \) of n elements uniformly at random and sets \(h_i = g_{\pi (i)}'\) for \(i \in [n]\). It finally sets \(\mathsf {pp}= (\mathbb {G},\mathbb {G}_T,e,N,g,X_{3},u,v,\{h_i\}_{i \in [n]})\). Here we follow the classical technique of Brands [20].

\({\mathcal {B}}\) starts the simulation by feeding \(\mathsf {pp}\), \(\mathsf {apk}\), and \(\mathsf {vk}\) to \({\mathcal {A}}\). Since \({\mathcal {B}}\) possesses all secret keys, it can perfectly simulate the game.

Finally, \({\mathcal {B}}\) obtains \((\tau ^*,\mathbf {y}^*,\sigma ^*)\). If \(\prod _{i\in [n]} h_i^{y_i^*} \ne 1_{\mathbb {G}}\), then \({\mathcal {B}}\) aborts. If \(\prod _{i\in [n]} h_i^{y_i^*} = 1_{\mathbb {G}}\), then \({\mathcal {B}}\) solves the \(\mathbf {ALP3}\) problem as follows: By the definition of the \(h_i\), we have

$$\begin{aligned} b_1 y_{\pi ^{-1}(1)}^* \cdot \xi + \sum _{i=2}^n b_i y_{\pi ^{-1}(i)}^* \equiv 0 \pmod {N}. \end{aligned}$$

Suppose first that \(y_{\pi ^{-1}(1)}^* \in \mathbb {Z}_N\) shares a non-trivial factor with N. In this case, we obtain one of \(p_1\), \(p_2\), or \(p_3\). (If we obtain a product such as \(p_1 p_2\), we compute \(p_3 = N/(p_1 p_2)\).) In order to decide whether \(T = f^{\xi } Z_3 \in \mathbb {G}_{1,3}\) or \(T = f^{\xi } Z_2 Z_3 \in \mathbb {G}\), we use the following tests:

  • Suppose that we have \(p_1\) (we can check this by \((Y_2Y_3)^{p_2 p_3} = 1_{\mathbb {G}}\)). We check whether \(e(X_1X_2, T^{p_1}) = 1_{\mathbb {G}_T}\). If so, \(T^{p_1} \in \mathbb {G}_3\) and, thus, \(T \in \mathbb {G}_{1,3}\); otherwise, \(T \in \mathbb {G}\).

  • Suppose that we have \(p_2\) (we can check this by \((Y_2Y_3)^{p_2} \ne 1_{\mathbb {G}}\) and \(e(X_1X_2,(Y_2Y_3)^{p_2}) = 1_{\mathbb {G}_T}\)). We compute \(p_1 p_3 = N/p_2\) and check whether \(T^{p_1 p_3} = 1_{\mathbb {G}}\). If so, \(T \in \mathbb {G}_{1,3}\); otherwise, \(T \in \mathbb {G}\).

  • Suppose that we have \(p_3\) (we can check this by \((X_1X_2)^{p_1 p_2} = 1_{\mathbb {G}}\)). We check whether \(e(Y_2 Y_3, T^{p_3}) = 1_{\mathbb {G}_T}\). If so, \(T^{p_3} \in \mathbb {G}_1\) and, thus, \(T \in \mathbb {G}_{1,3}\); otherwise, \(T \in \mathbb {G}\).

Therefore, \({\mathcal {B}}\) can solve \(\mathbf {ALP3}\).

Next, suppose that \(y_{\pi ^{-1}(1)}^* \in \mathbb {Z}_N^*\). In this case, \({\mathcal {B}}\) can compute

$$\begin{aligned} \xi \equiv - (b_1 \cdot y_{\pi ^{-1}(1)}^*)^{-1} \cdot \sum _{i=2}^n b_i y_{\pi ^{-1}(i)}^* \pmod {N} \end{aligned}$$

such that \(h = g^{\xi }\), since, with overwhelming probability, \(b_1 \in \mathbb {Z}_N^*\). Since \({\mathcal {B}}\) now possesses \(\xi \in \mathbb {Z}_N\), it is easy to decide the form of T: compute \(T \cdot f^{-\xi }\) and check whether \(e(X_1 X_2, T \cdot f^{-\xi }) = 1_{\mathbb {G}_T}\); if so, T is of the form \(f^{\xi } Z_3\); otherwise, it is of the form \(f^{\xi } Z_2 Z_3\). Again, by this test, \({\mathcal {B}}\) can solve \(\mathbf {ALP3}\). \(\square \)

\(\mathbf {Game}_3\) We next eliminate another bad event. Let \(Y_{j^*} = \mathop {\mathrm {span}}\nolimits (\mathbf {y}_1,\dots ,\mathbf {y}_k)\), where \(\mathbf {y}_j\) are queries to the adjudication oracle with \(\tau ^*\). The challenger additionally aborts if \(\mathbf {y}^* \not \in Y_{j^*}\) but \(\mathbf {y}^* \bmod {p_2} \in Y_{j^*} \bmod {p_2}\), where \(Y_{j^*} \bmod {p_2}\) denotes the \(\mathop {\mathrm {span}}\nolimits (\mathbf {y}_1 \bmod {p_2},\dots ,\mathbf {y}_k \bmod {p_2})\) over \(\mathbb {Z}_{p_2}\).

Lemma 2

Under the assumption \(\mathbf {LW2}\), no PPT adversary can distinguish \(\mathbf {Game}_2\) from \(\mathbf {Game}_3\).

The proof of this lemma is the same as the original one in [7].

Proof

By the definitions of the two games, the difference occurs if and only if the adversary finally outputs a valid forgery for \((\tau ^*,\mathbf {y}^*)\) such that \(\tau ^* = \tau _{j^*}\) and \(\mathbf {y}^* \not \in Y_{j^*}\) but \(\mathbf {y}^* \bmod {p_2} \in Y_{j^*} \bmod {p_2}\). Let \(m \le k\) denote the dimension of \(Y_{j^*}\) over \(\mathbb {Z}_N\). We define a matrix as [7]:

$$\begin{aligned} M = \begin{pmatrix} \,\mathbf {y}_{1}^{\,\top }&\cdots&\mathbf {y}_{m}^{\,\top }&{\mathbf {y}}^{* \top } \end{pmatrix} \in \mathbb {Z}_N^{n \times (m+1)}. \end{aligned}$$

Notice that the matrix is of rank \(m+1\) over \(\mathbb {Z}_N\) but has rank at most m over \(\mathbb {Z}_{p_2}\). We then fill out the matrix M with its orthogonal vectors as

$$\begin{aligned} M'= \begin{pmatrix} R&M \end{pmatrix} \in \mathbb {Z}_N^{n \times n}, \end{aligned}$$

where \(R \in \mathbb {Z}_N^{n \times (n-(m+1))}\) is a basis of the dual space of \(Y_{j^*}\) over \(\mathbb {Z}_N\). Notice that \(\det (M') \not \equiv 0 \pmod {N}\) but \(\det (M') \equiv 0 \pmod {p_2}\). Therefore, we obtain a non-trivial factor of N by computing \(\gcd (\det (M'),N)\), that is, \(p_2\) or \(p_1 p_2\) or \(p_2 p_3\).
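The factoring step above can be checked on a toy instance: the last column of \(M'\) is a \(\mathbb {Z}_N\)-combination of \(\mathbf {y}_1,\dots ,\mathbf {y}_m\) modulo \(p_2\) only, so \(\det (M')\) vanishes modulo \(p_2\) but not modulo N, and \(\gcd (\det (M'),N)\) is a non-trivial factor. The following Python is an added example, not code from the paper; its assumptions are toy primes of about ten bits, a constructed \(\mathbf {y}^*\), and random columns in place of the dual-space basis R used in the proof (random columns keep \(\det (M') \not \equiv 0 \pmod {p_1 p_3}\) with high probability, which is all the argument needs).

```python
"""Lemma 2 sanity check (added example): a forgery vector y* that lies in
span(y_1..y_m) modulo p2 but not modulo N leaks a factor of N = p1*p2*p3."""
from math import gcd
import random


def det_int(mat):
    """Exact integer determinant by cofactor expansion (fine for small n)."""
    n = len(mat)
    if n == 1:
        return mat[0][0]
    total = 0
    for col in range(n):
        minor = [row[:col] + row[col + 1:] for row in mat[1:]]
        total += (-1) ** col * mat[0][col] * det_int(minor)
    return total


def factor_from_rank_gap(ys, y_star, N, rng, max_tries=50):
    """Build M' = (R | y_1^T ... y_m^T y*^T) and return gcd(det(M'), N).

    The proof fills R with a basis of the dual space of span(y_i); in this
    example R is filled with uniformly random columns instead (assumption).
    det(M') == 0 mod p2 is forced by the p2-dependence of the last column,
    while random R makes det(M') != 0 mod p1 and mod p3 with high probability.
    """
    n = len(y_star)
    m = len(ys)
    for _ in range(max_tries):
        cols = [[rng.randrange(N) for _ in range(n)] for _ in range(n - m - 1)]
        cols += [list(y) for y in ys] + [list(y_star)]
        # rows of M' are indexed by coordinate, columns by vector
        m_prime = [[cols[j][i] for j in range(n)] for i in range(n)]
        g = gcd(det_int(m_prime) % N, N)
        if 1 < g < N:          # p2, p1*p2 or p2*p3, as the proof states
            return g
    raise RuntimeError("no non-trivial factor found; y* may lie in span over Z_N")


def make_instance(p1, p2, p3, n, m, rng):
    """Constructed toy instance: y_1..y_m random in Z_N^n and a 'bad'
    y* = sum c_i*y_i + p2*w, i.e. y* is in span(y_i) mod p2 but, with
    overwhelming probability, not in span(y_i) over Z_N."""
    N = p1 * p2 * p3
    ys = [[rng.randrange(N) for _ in range(n)] for _ in range(m)]
    c = [rng.randrange(N) for _ in range(m)]
    w = [rng.randrange(N) for _ in range(n)]
    y_star = [(sum(c[i] * ys[i][k] for i in range(m)) + p2 * w[k]) % N
              for k in range(n)]
    return N, ys, y_star


def demo(seed=7):
    """Run the reduction step once; returns (N, p2, recovered factor)."""
    p1, p2, p3 = 1009, 1013, 1019   # toy primes (assumption of this example)
    rng = random.Random(seed)
    N, ys, y_star = make_instance(p1, p2, p3, n=5, m=2, rng=rng)
    factor = factor_from_rank_gap(ys, y_star, N, rng)
    return N, p2, factor


if __name__ == "__main__":
    N, p2, factor = demo()
    print(f"N = {N}, recovered factor = {factor}, divisible by p2: {factor % p2 == 0}")
```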

We now consider the following algorithm to solve the \(\mathbf {LW2}\) problem. Given \((g,X_1X_2,Z_3, Y_2Y_3)\) and T, we have to decide whether \(T \in \mathbb {G}_{1,3}\) or \(T \in \mathbb {G}\).

  • Suppose that we have \(p_2\) (we can check this by \((Y_2Y_3)^{p_2} \ne 1_{\mathbb {G}}\) and \(e(X_1X_2,(Y_2Y_3)^{p_2}) = 1_{\mathbb {G}_T}\)). We obtain \(p_1 p_3 = N/p_2\) and check whether \(T^{p_1 p_3} = 1_{\mathbb {G}}\). If so, \(T \in \mathbb {G}_{1,3}\); otherwise, \(T \in \mathbb {G}\).

  • Suppose that we have \(p_1 p_2\) (we can check this by \((X_1X_2)^{p_1 p_2} = 1_{\mathbb {G}}\)). We obtain \(p_3 = N/(p_1 p_2)\) and check whether \(e(Y_2 Y_3, T^{p_3}) = 1_{\mathbb {G}_T}\). If so, \(T^{p_3} \in \mathbb {G}_1\) and, thus, \(T \in \mathbb {G}_{1,3}\); otherwise, \(T \in \mathbb {G}\).

  • Suppose that we have \(p_2 p_3\) (we can check this by \((Y_2Y_3)^{p_2 p_3} = 1_{\mathbb {G}}\)). We obtain \(p_1 = N/(p_2 p_3)\) and check whether \(e(X_1X_2 , T^{p_1}) = 1_{\mathbb {G}_T}\). If so, \(T^{p_1} \in \mathbb {G}_3\) and, thus, \(T \in \mathbb {G}_{1,3}\); otherwise, \(T \in \mathbb {G}\).

This completes the proof. \(\square \)

Lemma 3

Under the assumption \(\mathbf {LW1'}\), no PPT adversary can output a type-B forgery in \(\mathbf {Game}_3\).

Essentially, the proof is the same as that in [7]. We note that the statement already holds under the original assumption \(\mathbf {LW1}\), not only under \(\mathbf {LW1'}\).

Proof

We construct a distinguisher \({\mathcal {B}}\) that, given \((g,X_3,T_0,T_1)\), decides whether \(T_0 \in \mathbb {G}_{1}\) or \(T_0 \in \mathbb {G}_{1,2}\), from the forger \({\mathcal {A}}\) outputting a type-B forgery.

Given \((g,X_3,T_0,T_1)\), \({\mathcal {B}}\) chooses \(\alpha ,\beta ,a_u,a_v,a_1,\dots ,a_n \leftarrow _{\$}\mathbb {Z}_N\) and computes \(g^{\alpha }\), \(y=g^{\beta }\), \(u = g^{a_u}\), \(v = g^{a_v}\), and \(h_i = g^{a_i}\) for \(i \in [n]\). It also sets \(X_{p_3} = X_3\). For ease of notation, we let \(\mathbf {a} = (a_1,\dots ,a_n)\). Then, it guesses an index \(j^* \leftarrow _{\$}[Q_{\mathsf {ves}}]\). Notice that \({\mathcal {B}}\) can answer all creation queries and adjudication queries, since it possesses \(\mathsf {sk}= \alpha \) and \(\mathsf {ask}= \beta \).

At the final stage, \({\mathcal {A}}\) outputs \(\tau ^*\), \(\mathbf {y}^*\), and a type-B signature \(\sigma ^* = (\sigma _1^*,\sigma _2^*)\). If \(\tau _{j^*} \ne \tau ^*\), then \({\mathcal {B}}\) aborts. Otherwise, the algorithm \({\mathcal {B}}\) computes

$$\begin{aligned} \eta ^* = \sigma _1^* \cdot g^{-\alpha \cdot \langle \mathbf {a}, \mathbf {y}^* \rangle } \cdot (\sigma _2^*)^{-(a_u \tau ^* + a_v)}. \end{aligned}$$

Recall that

$$\begin{aligned} \sigma _1= & {} \big ({\textstyle \prod _{i\in [n]}} h_i^{y_i^*}\big )^{\alpha } \cdot (u^{\tau ^*} v)^r \cdot g_{p_2}^{w_1} \cdot R_3 \text { and } \sigma _2\\= & {} g^r \cdot g_{p_2}^{w_2} \cdot R_3', \end{aligned}$$

where \((w_1,w_2) \not \equiv (0,0) \pmod {p_2}\). Therefore, \(\eta ^*\) has no \(\mathbb {G}_1\) component. We next claim that \(\eta ^*\) has a non-trivial \(\mathbb {G}_2\) component with probability at least \(1-1/p_2\). This follows from the facts that we can write

$$\begin{aligned} \eta ^* = g_{p_2}^{w_1-w_2(a_u \tau ^* + a_v)} \cdot R_3''', \end{aligned}$$

for some \(R_3''' \in \mathbb {G}_3\), and \(a_u \bmod {p_2}\) and \(a_v \bmod {p_2}\) are hidden from \({\mathcal {A}}\). Hence, \({\mathcal {B}}\) can check \(T_0 \in \mathbb {G}_{1}\) or \(T_0 \in \mathbb {G}_{1,2}\) by testing \(e(T_0,\eta ^*) = 1\). \(\square \)

\(\mathbf {Game}_4\) We next sever relations between input \(\omega \) and output \(\sigma \) of the adjudication oracle. In the previous game, the adjudication oracle decrypts \(\omega \) into \(\sigma '\), re-randomizes \(\sigma '\), and outputs \(\sigma \). In \(\mathbf {Game}_4\), the oracle generates a type-A signature \(\sigma \) freshly if \(\omega \) is valid.

Lemma 4

Under the assumption \(\mathbf {LW1'}\), \(\mathbf {Game}_3\) and \(\mathbf {Game}_4\) are computationally indistinguishable.

Although the proof is obtained in a similar way to that of Lemma 3, we have to be careful with \(\beta \). In the proof of Lemma 3, it suffices to check the type of forgery after \({\mathcal {A}}\) halts. However, in this lemma, the reduction algorithm is required to catch the difference of the adjudication query immediately; otherwise, \({\mathcal {A}}\) can obtain information on \(a_u,a_v,\beta \bmod {p_2}\).

In order to check the types of forgeries, we employ the variant \(\mathbf {LW1'}\) in which the solver is given \(T_{b} \in \mathbb {G}_1\) and \(T_{1-b} \in \mathbb {G}_{1,2}\).

Proof

Notice that the two games are equivalent while \({\mathcal {A}}\) queries type-A VESs to the adjudication oracle. Therefore, it is enough to upper bound the probability that \({\mathcal {A}}\) queries a type-B VES to the adjudication oracle.

We construct a distinguisher \({\mathcal {B}}\) that, given \((g,X_3,T_0,T_1)\), determines which \(T_b\) contains a \(\mathbb {G}_2\) component, from the forger \({\mathcal {A}}\) that queries a type-B VES to the adjudication oracle.

Given \((g,X_3,T_0,T_1)\), \({\mathcal {B}}\) chooses \(\alpha ,\beta ,a_u,a_v,a_1,\dots ,a_n \leftarrow \mathbb {Z}_N\) and computes \(g^{\alpha }\), \(y = g^{\beta }\), \(u = g^{a_u}\), \(v = g^{a_v}\), and \(h_i = g^{a_i}\) for \(i \in [n]\). It also sets \(X_{p_3} = X_3\). For ease of notation, we let \(\mathbf {a} = (a_1,\dots ,a_n)\). Since \({\mathcal {B}}\) possesses \(\mathsf {sk}= \alpha \), \({\mathcal {B}}\) can answer all creation queries.

\({\mathcal {B}}\) checks the type of an adjudication query \((\tau ,\mathbf {y},\omega )\) as follows: If it is valid, then \({\mathcal {B}}\) computes \( \eta = \omega _1 \cdot g^{-\alpha \cdot \langle \mathbf {a}, \mathbf {y} \rangle } \cdot \omega _2^{-(a_u \tau + a_v)} \cdot \omega _3^{-\beta } \). It then tests whether \(e(T_b,\eta ) = 1_{\mathbb {G}_T}\) for each \(b \in \{0,1\}\). If both of them pass the test, \({\mathcal {B}}\) judges \(\omega \) type-A and continues the simulation by making a type-A signature on \((\tau ,\mathbf {y})\). If one of the tests for \(T_b\) fails, then \({\mathcal {B}}\) stops the simulation since it detects a type-B VES, and outputs b as the index of \(T_b\) which is in \(\mathbb {G}_{1,2}\).

We show why this test distinguishes \(T \in \mathbb {G}_1\) and \(T \in \mathbb {G}_{1,2}\). Recall that \( \omega _1 = \big ({\textstyle \prod _{i\in [n]}} h_i^{y_i}\big )^{\alpha } \cdot (u^{\tau } v)^r \cdot y^t \cdot g_{p_2}^{w_1} \cdot R_3, \omega _2 = g^r \cdot g_{p_2}^{w_2} \cdot R_3', \text { and } \omega _3 = g^t \cdot g_{p_2}^{w_3} \cdot R_3'', \) where \((w_1,w_2,w_3) \ne (0,0,0) \bmod {p_2}\). Therefore, \(\eta \) has no \(\mathbb {G}_1\) component. We next claim that \(\eta \) has a non-trivial \(\mathbb {G}_2\) component with a probability of at least \(1-1/p_2\). This follows from the following two facts: One is that we can write

$$\begin{aligned} \eta = g_{p_2}^{w_1-w_2(a_u \tau + a_v)-w_3\beta } \cdot R_3''', \end{aligned}$$

for some \(R_3''' \in \mathbb {G}_3\). The other is that \(a_u,a_v,\beta \bmod {p_2}\) are completely hidden from \({\mathcal {A}}\), since the simulation stops before \({\mathcal {A}}\) learns anything about them. Therefore, \(w_1 - w_2 (a_u \tau +a_v)-w_3\beta \bmod {p_2}\) is distributed uniformly at random from \({\mathcal {A}}\)’s view. This completes the proof. \(\square \)

\(\mathbf {Game}_{5,(j_1,j_2)}\) We next modify the adjudication oracle by replacing type-A signatures except for \(\tau ^*\) with type-B1 signatures one by one.

We index the file identifiers \(\tau \) queried to the creation oracle by \(l_1 \in [Q_{\mathsf {ves}}]\). We also index a query \((\tau _{l_1},\mathbf {y}_{l_2})\) to the adjudication oracle by \(l_1\) and \(l_2\).

For \(j_1 \in [Q_{\mathsf {ves}}]\) and \(j_2 \in \{0,\dots ,Q_{\mathsf {sig}}\}\), we define \(\mathbf {Game}_{5,(j_1,j_2)}\) as follows: In query \((\tau _{l_1},\mathbf {y}_{l_2},\omega )\) for the adjudication oracle, the oracle verifies the validity of the query. If the query is valid, the oracle makes a fresh signature as follows:

  • If \(l_1 < j_1\) or \((l_1 = j_1) \cap (l_2 \le j_2)\): the oracle returns a type-B1 signature (except in the case \(l_1 = j^*\)).

  • If \(l_1 > j_1\) or \((l_1 = j_1) \cap (l_2 > j_2)\): the oracle returns a type-A signature.

By this definition, we have \(\mathbf {Game}_4 = \mathbf {Game}_{5,(1,0)}\) and \(\mathbf {Game}_{5,(j_1,Q_{\mathsf {sig}})} = \mathbf {Game}_{5,(j_1+1,0)}\).

Lemma 5

For each \(j_1 \in [Q_{\mathsf {ves}}]\) and \(j_2 \in [Q_{\mathsf {sig}}]\), \(\mathbf {Game}_{5,(j_1,j_2)}\) and \(\mathbf {Game}_{5,(j_1,j_2-1)}\) are indistinguishable under the assumption \(\mathbf {LW2}\).

Proof

We construct a distinguisher \({\mathcal {B}}\) that, given \((g,X_1X_2,Z_3,Y_2Y_3)\) and T, distinguishes whether \(T \in \mathbb {G}\) or \(T \in \mathbb {G}_{1,3}\) from \({\mathcal {A}}\) that distinguishes \(\mathbf {Game}_{5,(j_1,j_2)}\) from \(\mathbf {Game}_{5,(j_1,j_2-1)}\).

It chooses \(\alpha ,\beta ,a_u,a_v,a_1,\dots ,a_n \leftarrow _{\$}\mathbb {Z}_N\) and sets \(\mathsf {pp}= (\mathbb {G},\mathbb {G}_T,e,N,g,X_{p_3},u,v,\{h_i\}_{i \in [n]})\), \(\mathsf {apk}= g^{\beta }\), and \(\mathsf {vk}= g^\alpha \), where \(X_{p_3} = Z_3\), \(u=g^{a_u}\), \(v = g^{a_v}\), and \(h_i = g^{a_i}\) for \(i \in [n]\). It then guesses \(j^* \leftarrow _{\$}[Q_{\mathsf {ves}}]\) and runs \({\mathcal {A}}\) by feeding it \(\mathsf {pp}\), \(\mathsf {apk}\), and \(\mathsf {vk}\).

Since \({\mathcal {B}}\) possesses \(\mathsf {sk}= \alpha \), \({\mathcal {B}}\) can produce a type-A VES as in \(\mathbf {Game}_4\). In an adjudication query \((\tau _{l_1},\mathbf {y}_{l_2},\omega )\), if it is valid then the oracle returns \(\sigma \) as follows:

  • If \(l_1 < j_1\) or \((l_1 = j_1) \cap (l_2 \le j_2)\): the adjudication oracle returns a type-B signature (except in the case \(l_1 = j^*\)).

    $$\begin{aligned} \sigma _1= & {} \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot (u^\tau v)^r \cdot (Y_2 Y_3)^{z_1} \text { and } \sigma _2\\= & {} g^r \cdot (Y_2 Y_3)^{z_2}, \end{aligned}$$

    where \(r, z_1, z_2 \leftarrow _{\$}\mathbb {Z}_N\).

  • If \(l_1 = j_1\) and \(l_2 = j_2\) (and \(l_1 \ne j^*\)): the adjudication oracle embeds T into the signature as follows:

    $$\begin{aligned} \sigma _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot T^{a_u \tau _{j_1} + a_v} \cdot Z_3^{z_1},\\ \sigma _2&= T \cdot Z_3^{z_2}, \end{aligned}$$

    where \(z_1, z_2 \leftarrow _{\$}\mathbb {Z}_N\). Notice that if \(T \in \mathbb {G}_{1,3}\) then \(\sigma \) is type-A. Otherwise, it is type-B with \((w_1,w_2) \equiv (\zeta _2 (a_u \tau _{l_1} + a_v),\zeta _2) \pmod {p_2}\), where \(T = g_{p_1}^{\zeta _1} g_{p_2}^{\zeta _2} g_{p_3}^{\zeta _3}\).

  • If \(l_1 > j_1\) or \((l_1 = j_1) \cap (l_2 > j_2)\): the oracle returns a type-A signature by using \(\mathsf {sk}= \alpha \in \mathbb {Z}_N\).

Finally, \({\mathcal {A}}\) outputs \((\tau ^*,\mathbf {y}^*,\sigma ^*)\), where \(\sigma ^* = (\sigma _1^*,\sigma _2^*)\). \({\mathcal {B}}\) halts and outputs a random bit if guess \(j^*\) is not correct (by checking if \(\tau _{j^*} = \tau ^*\)).

We claim that \({\mathcal {B}}\) can check the type of \(\sigma ^*\). If the guess \(j^*\) is correct, \({\mathcal {B}}\) computes

$$\begin{aligned} \eta = \sigma _1^* \cdot \left( {\textstyle \prod _{i\in [n]}} h_i^{-y_i^*}\right) ^{\alpha } \cdot (\sigma _2^*)^{-(a_u \tau ^* + a_v)}. \end{aligned}$$

If \(e(X_1 X_2,\eta ) = 1_{\mathbb {G}_T}\) then \({\mathcal {B}}\) concludes that \(\sigma ^*\) is type-A, it has simulated \(\mathbf {Game}_{5,(j_1,j_2-1)}\), and \(T \in \mathbb {G}_{1,3}\). Otherwise, it concludes \(T \in \mathbb {G}\).

We analyze this test \(e(X_1 X_2,\eta ) = 1_{\mathbb {G}_T}\). If \(\sigma ^*\) is type-A, then \(\eta \in \mathbb {G}_3\). Therefore, \(\eta \) always passes the test. On the other hand, if \(\sigma ^*\) is type-B, \(\eta = g_{p_2}^{w_1 - w_2(a_u \tau ^* + a_v)} \cdot R_3\) for some \(R_3\).

Suppose that \(T \in \mathbb {G}_{1,3}\): \({\mathcal {B}}\) perfectly simulates \(\mathbf {Game}_{5,(j_1,j_2-1)}\) if \(j^*\) is correct. Since the adversary outputs a type-B signature with only negligible probability (by previous lemmas), the signature should be type-A. Therefore, it passes \({\mathcal {B}}\)’s test with overwhelming probability.

We next suppose that \(T \in \mathbb {G}\): In this case, \({\mathcal {B}}\) perfectly simulates \(\mathbf {Game}_{5,(j_1,j_2)}\) if \(j^*\) is correct. If the adversary outputs a type-A forgery, it passes the test. Otherwise, that is, if the output forgery is type-B, \(\eta \) passes the test with only negligible probability. This is because \(\eta = g_{p_2}^{w_1 - w_2(a_u \tau ^* + a_v)} \cdot R_3\), the adversary never learns \(a_u,a_v \bmod {p_2}\), and \(a_u \tau ^* + a_v \bmod {p_2}\) is distributed uniformly at random from \({\mathcal {A}}\)’s view even if it could learn \(a_u \tau _{l_1} + a_v \bmod {p_2}\) from the signature on \((\tau _{l_1},\mathbf {y}_{l_2})\). Therefore, \(\eta \) contains a non-trivial \(\mathbb {G}_2\) part with overwhelming probability, so the test fails with overwhelming probability and \({\mathcal {B}}\) detects \({\mathcal {A}}\)’s change as intended. This completes the proof. \(\square \)

\(\mathbf {Game}_{6,(j_1,j_2)}\) We next replace type-A VESs with type-B1 VESs except on \(\tau ^*\). For \(j_1 \in [Q_{\mathsf {ves}}]\) and \(j_2 \in \{0,\dots ,Q_{\mathsf {ves}}\}\), we define \(\mathbf {Game}_{6,(j_1,j_2)}\) as follows: On query \((\tau _{l_1},\mathbf {v}_{l_2})\) for the creation oracle, the oracle makes a fresh VES as follows:

  • If \(l_1 < j_1\) or \((l_1 = j_1) \cap (l_2 \le j_2)\): the oracle returns a type-B VES (except in the case \(l_1 = j^*\)).

  • If \(l_1 > j_1\) or \((l_1 = j_1) \cap (l_2 > j_2)\): the oracle returns a type-A VES.

By this definition, we have \(\mathbf {Game}_{5,(Q_{\mathsf {ves}},Q_{\mathsf {sig}})} = \mathbf {Game}_{6,(1,0)}\) and \(\mathbf {Game}_{6,(j_1,Q_{\mathsf {sig}})} = \mathbf {Game}_{6,(j_1+1,0)}\).

Lemma 6

For each \(j_1 \in [Q_{\mathsf {ves}}]\) and \(j_2 \in [Q_{\mathsf {ves}}]\), \(\mathbf {Game}_{6,(j_1,j_2)}\) and \(\mathbf {Game}_{6,(j_1,j_2-1)}\) are indistinguishable under the assumption \(\mathbf {LW2}\).

Proof

We construct a distinguisher \({\mathcal {B}}\) that, given \((g,X_1X_2,Z_3,Y_2Y_3)\) and T, distinguishes \(T \in \mathbb {G}\) or \(T \in \mathbb {G}_{1,3}\).

\({\mathcal {B}}\) chooses \(\alpha ,\beta ,a_u,a_v,a_1,\dots ,a_n \leftarrow _{\$}\mathbb {Z}_N\) and sets \(\mathsf {pp}= (\mathbb {G},\mathbb {G}_T,e,N,\) \(g,X_{p_3},u,v,\{h_i\}_{i \in [n]})\), \(\mathsf {apk}= g^{\beta }\), and \(\mathsf {vk}= g^\alpha \), where \(X_{p_3} = Z_3\), \(u=g^{a_u}\), \(v = g^{a_v}\), and \(h_i = g^{a_i}\) for \(i \in [n]\). It then guesses the index \(j^*\) and feeds \(\mathsf {pp},\mathsf {apk},\mathsf {vk}\) to \({\mathcal {A}}\).

On a creation query \((\tau _{l_1},\mathbf {v}_{l_2})\), \({\mathcal {B}}\) responds as follows:

  • If \(l_1 < j_1\) or \((l_1 = j_1) \cap (l_2 \le j_2)\), the oracle returns a type-B VES (except in the case \(l_1 = j^*\)) as follows:

    $$\begin{aligned} \omega _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot (u^\tau v)^r \cdot y^t \cdot (Y_2 Y_3)^{z_1},\\ \omega _2&= g^r \cdot (Y_2 Y_3)^{z_2}, \text { and } \omega _3 = g^t \cdot Z_3^{z_3} \end{aligned}$$

    by choosing \(r,t,z_1,z_2,z_3 \leftarrow _{\$}\mathbb {Z}_N\).

  • If \(l_1 = j_1\) and \(l_2 = j_2\): the oracle embeds T into the VES (except in the case \(l_1 = j^*\)) as follows:

    $$\begin{aligned} \omega _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot T^{a_u \tau _{j_1} + a_v} \cdot y^{t} \cdot Z_3^{z_1},\\ \omega _2&= T \cdot Z_3^{z_2}, \text { and } \omega _3 = g^t \cdot Z_3^{z_3} \end{aligned}$$

    by choosing \(t,z_1,z_2,z_3 \leftarrow _{\$}\mathbb {Z}_N\). Notice that if \(T \in \mathbb {G}_{1,3}\) then \(\omega \) is type-A. Otherwise, it is type-B with \((w_1,w_2) \equiv (\zeta _2 (a_u \tau _{l_1} + a_v),\zeta _2) \pmod {p_2}\), where \(T = g_{p_1}^{\zeta _1} g_{p_2}^{\zeta _2} g_{p_3}^{\zeta _3}\).

  • If \(l_1 > j_1\) or \((l_1 = j_1) \cap (l_2 > j_2)\): the oracle returns a type-A VES by using \(\mathsf {sk}= \alpha \in \mathbb {Z}_N\) and \(\mathsf {apk}\).

On an adjudication query \((\tau _{l_1},\mathbf {y},\omega )\), it answers with a type-B1 signature if \(l_1 \ne j^*\) and with a type-A signature if \(l_1 = j^*\), using \(\mathsf {sk}\).

\({\mathcal {A}}\) finally outputs \((\tau ^*,\mathbf {y}^*,\sigma ^*)\), where \(\sigma ^* = (\sigma _1^*,\sigma _2^*)\). \({\mathcal {B}}\) halts and outputs a random bit if the guess \(j^*\) is incorrect (by checking if \(\tau _{j^*} = \tau ^*\)).

We again claim that \({\mathcal {B}}\) can check the type of \(\sigma ^*\). If the guess \(j^*\) is correct, \({\mathcal {B}}\) computes

$$\begin{aligned} \eta = \sigma _1^* \cdot \left( {\textstyle \prod _{i\in [n]}} h_i^{-y_i^*}\right) ^{\alpha } \cdot (\sigma _2^*)^{-(a_u \tau ^* + a_v)}. \end{aligned}$$

If \(e(X_1 X_2,\eta ) = 1_{\mathbb {G}_T}\) then \({\mathcal {B}}\) concludes that \(\sigma ^*\) is type-A, it has simulated \(\mathbf {Game}_{6,(j_1,j_2-1)}\), and \(T \in \mathbb {G}_{1,3}\). Otherwise, it concludes \(T \in \mathbb {G}\).

We analyze this test \(e(X_1 X_2,\eta ) = 1_{\mathbb {G}_T}\). If \(\sigma ^*\) is type-A, then \(\eta \in \mathbb {G}_3\). Therefore, \(\eta \) always passes the test. On the other hand, if \(\sigma ^*\) is type-B, \(\eta = g_{p_2}^{w_1 - w_2(a_u \tau ^* + a_v)} \cdot R_3\) for some \(R_3\).

Suppose that \(T \in \mathbb {G}_{1,3}\): \({\mathcal {B}}\) perfectly simulates \(\mathbf {Game}_{6,(j_1,j_2-1)}\) if \(j^*\) is correct. Since the adversary outputs a type-B signature with only negligible probability (by previous lemmas), the signature should be type-A. Therefore, it passes \({\mathcal {B}}\)’s test with overwhelming probability.

We next suppose that \(T \in \mathbb {G}\): in this case, \({\mathcal {B}}\) perfectly simulates \(\mathbf {Game}_{6,(j_1,j_2)}\) if \(j^*\) is correct. If the adversary outputs a type-A forgery, it passes the test. Otherwise, that is, if the output forgery is type-B, \(\eta \) passes the test with only negligible probability. This is because \(\eta = g_{p_2}^{w_1 - w_2(a_u \tau ^* + a_v)} \cdot R_3\) and \(a_u \tau ^* + a_v \bmod {p_2}\) is distributed uniformly at random from \({\mathcal {A}}\)’s view even if it could learn \(a_u \tau _{l_1} + a_v \bmod {p_2}\). Therefore, \(\eta \) contains a non-trivial \(\mathbb {G}_2\) part with overwhelming probability, so the test fails with overwhelming probability and \({\mathcal {B}}\) detects \({\mathcal {A}}\)’s change as intended. This completes the proof. \(\square \)

\(\mathbf {Game}_{7,j}\) We next replace fresh type-A VESs with fresh type-B VESs for \(\tau ^*\) one by one. For \(j \in \{0,\dots ,Q_{\mathsf {ves}}\}\), we define \(\mathbf {Game}_{7,j}\) as follows: On query \((\tau _{j^*},\mathbf {v}_{l})\) for the creation oracle, the oracle makes a fresh VES as follows:

  • If \(l \le j\): the oracle returns a type-B2 VES.

  • If \(l > j\): the oracle returns a type-A VES.

By this definition, we have \(\mathbf {Game}_{6,(Q_{\mathsf {ves}},Q_{\mathsf {ves}})} = \mathbf {Game}_{7,0}\).

Lemma 7

For each \(j \in [Q_{\mathsf {ves}}]\), there is no computational difference between \(\mathbf {Game}_{7,j-1}\) and \(\mathbf {Game}_{7,j}\) under the assumption \(\mathbf {LW2}\).

In the proof, we exploit \(y^t\) and \(g^t\) of the VESs.

Proof

We construct a distinguisher \({\mathcal {B}}\) that, given \((g,X_1X_2,Z_3,Y_2Y_3)\) and T, distinguishes whether \(T \in \mathbb {G}\) or \(T \in \mathbb {G}_{1,3}\).

\({\mathcal {B}}\) chooses \(\alpha ,\beta ,a_u,a_v,a_1,\dots ,a_n \leftarrow _{\$}\mathbb {Z}_N\) and sets \(\mathsf {pp}= (\mathbb {G},\mathbb {G}_T,e,N,\) \(g,X_{p_3},u,v,\{h_i\}_{i \in [n]})\), \(\mathsf {apk}= g^{\beta }\), and \(\mathsf {vk}= g^\alpha \), where \(X_{p_3} = Z_3\), \(u=g^{a_u}\), \(v = g^{a_v}\), and \(h_i = g^{a_i}\) for \(i \in [n]\). It guesses an index \(j^* \leftarrow _{\$}[Q_{\mathsf {ves}}]\) and feeds \(\mathsf {pp},\mathsf {apk},\mathsf {vk}\) to \({\mathcal {A}}\).

On the creation query \((\tau _{j^*},\mathbf {v}_{l})\), \({\mathcal {B}}\) responds as follows:

  • If \(l < j\): the oracle returns a type-B2 VES computed as

    $$\begin{aligned} \omega _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot (u^{\tau _{j^*}} v)^r \cdot y^t \cdot (Y_2 Y_3)^{z_1},\\ \omega _2&= g^r \cdot Z_3^{z_2}, \text { and } \omega _3 = g^t \cdot (Y_2 Y_3)^{z_3}, \end{aligned}$$

    by choosing \(r,t,z_1,z_2,z_3 \leftarrow _{\$}\mathbb {Z}_N\).

  • If \(l = j\): the oracle returns a VES computed as follows:

    $$\begin{aligned} \omega _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot (u^{\tau _{j^*}} v)^r \cdot T^{\beta } \cdot Z_3^{z_1},\\ \omega _2&= g^r \cdot Z_3^{z_2}, \text { and } \omega _3 = T \cdot Z_3^{z_3}, \end{aligned}$$

    by choosing \(r,z_1,z_2,z_3 \leftarrow _{\$}\mathbb {Z}_N\). Note that if \(T \in \mathbb {G}_{1,3}\), then \(\omega \) is a type-A VES. Otherwise, it is type-B2 with \((w_1,w_2,w_3) \equiv (\zeta _2 \beta ,0,\zeta _2) \pmod {p_2}\), where \(T = g_{p_1}^{\zeta _1} g_{p_2}^{\zeta _2} g_{p_3}^{\zeta _3}\).

  • If \(l > j\): the oracle returns a type-A VES as

    $$\begin{aligned} \omega _1&= \left( {\textstyle \prod _{i\in [n]}} h_i^{v_i}\right) ^{\alpha } \cdot (u^{\tau _{j^*}} v)^r \cdot y^{t} \cdot Z_3^{z_1},\\ \omega _2&= g^r \cdot Z_3^{z_2}, \text { and } \omega _3 = g^t \cdot Z_3^{z_3}, \end{aligned}$$

    by choosing \(r,t,z_1,z_2,z_3 \leftarrow _{\$}\mathbb {Z}_N\).

On the creation query for \((\tau _l,\mathbf {v})\) for \(l \ne j^*\) and on the adjudication query for \((\tau ,\mathbf {y},\omega )\), it can answer correctly since it knows \(\mathsf {sk}\), \(\mathsf {apk}\), \(Z_3\), and \(Y_2 Y_3\).

At the end, \({\mathcal {A}}\) outputs \((\tau ^*,\mathbf {y}^*,\sigma ^*)\), where \(\sigma ^* = (\sigma _1^*,\sigma _2^*)\). \({\mathcal {B}}\) halts and outputs a random bit if the guess \(j^*\) is not correct (by checking \(\tau _{j^*} = \tau ^*\)).

We again claim that \({\mathcal {B}}\) can check the type of \(\sigma ^*\) as a routine task. \({\mathcal {B}}\) computes

$$\begin{aligned} \eta = \sigma _1^* \cdot \left( {\textstyle \prod _{i\in [n]}} h_i^{-y_i^*}\right) ^{\alpha } \cdot (\sigma _2^*)^{-(a_u \tau ^* + a_v)}. \end{aligned}$$

If \(e(X_1 X_2,\eta ) = 1_{\mathbb {G}_T}\) then it concludes that \(\sigma ^*\) is type-A, it has simulated \(\mathbf {Game}_{7,j-1}\), and \(T \in \mathbb {G}_{1,3}\). Otherwise, it concludes \(T \in \mathbb {G}\).

We analyze this test \(e(X_1 X_2,\eta ) = 1_{\mathbb {G}_T}\). If \(\sigma ^*\) is type-A, then \(\eta \in \mathbb {G}_3\). Therefore, \(\eta \) always passes the test. On the other hand, if \(\sigma ^*\) is type-B, \(\eta = g_{p_2}^{w_1 - w_2(a_u \tau ^* + a_v)} \cdot R_3\) for some \(R_3\). Since \({\mathcal {A}}\) has no knowledge of \(a_u, a_v \bmod {p_2}\), \(\eta \) contains a non-trivial \(\mathbb {G}_2\) part with overwhelming probability. Therefore, the change is detected by this test.
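The following worked computation is added here and is not part of the original proof; it carries the type test \(e(X_1 X_2,\eta ) = 1_{\mathbb {G}_T}\), used in this proof and in the two preceding proofs, through explicitly in the page's own symbols. It assumes the usual structure of a composite-order group, \(\mathbb {G} = \mathbb {G}_1 \times \mathbb {G}_2 \times \mathbb {G}_3\) with \(e(\mathbb {G}_i,\mathbb {G}_j) = 1_{\mathbb {G}_T}\) for \(i \ne j\), and that \(X_1 \in \mathbb {G}_1\), \(X_2 \in \mathbb {G}_2\). Write the forgery on \((\tau ^*,\mathbf {y}^*)\) with arbitrary \(\mathbb {G}_3\) parts \(R_3, R_3'\) and \(\mathbb {G}_2\) exponents \(w_1, w_2\), so that type-A is the case \(w_1 = w_2 = 0\):

$$\begin{aligned} \sigma _1^* = \left( {\textstyle \prod _{i\in [n]}} h_i^{y_i^*}\right) ^{\alpha } \cdot (u^{\tau ^*} v)^r \cdot g_{p_2}^{w_1} \cdot R_3 \quad \text { and } \quad \sigma _2^* = g^r \cdot g_{p_2}^{w_2} \cdot R_3'. \end{aligned}$$

Since \(u^{\tau ^*} v = g^{a_u \tau ^* + a_v}\), every \(\mathbb {G}_1\) factor cancels in \(\eta \):

$$\begin{aligned} \eta &= \sigma _1^* \cdot \left( {\textstyle \prod _{i\in [n]}} h_i^{-y_i^*}\right) ^{\alpha } \cdot (\sigma _2^*)^{-(a_u \tau ^* + a_v)}\\ &= (u^{\tau ^*} v)^r \cdot g^{-r(a_u \tau ^* + a_v)} \cdot g_{p_2}^{w_1 - w_2 (a_u \tau ^* + a_v)} \cdot R_3 \cdot (R_3')^{-(a_u \tau ^* + a_v)}\\ &= g_{p_2}^{w_1 - w_2 (a_u \tau ^* + a_v)} \cdot R_3'', \qquad R_3'' := R_3 \cdot (R_3')^{-(a_u \tau ^* + a_v)} \in \mathbb {G}_3, \end{aligned}$$

and pairing with \(X_1 X_2\) removes everything outside \(\mathbb {G}_2\):

$$\begin{aligned} e(X_1 X_2,\eta ) = e(X_1,\eta ) \cdot e(X_2,\eta ) = e(X_2, g_{p_2})^{w_1 - w_2 (a_u \tau ^* + a_v)}. \end{aligned}$$

So the test passes exactly when \(w_1 \equiv w_2 (a_u \tau ^* + a_v) \pmod {p_2}\). A type-A forgery has \(w_1 = w_2 = 0\) and always passes. A type-B forgery passes only if its \(\mathbb {G}_2\) exponents satisfy a relation involving \(a_u \tau ^* + a_v \bmod {p_2}\), a value the simulations never reveal for \(\tau ^*\): the VES in which T is embedded fixes \((w_1,w_2)\) relative to \(a_u \tau _{l_1} + a_v\) for a different identifier, so the forgery passes with only negligible probability, as the proofs claim.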

Suppose that \(T \in \mathbb {G}_{1,3}\): \({\mathcal {B}}\) perfectly simulates \(\mathbf {Game}_{7,j-1}\) if \(j^*\) is correct. Since the adversary outputs a type-B signature with only negligible probability (by previous lemmas), the signature should be type-A. Therefore, it passes \({\mathcal {B}}\)’s test with overwhelming probability.

We next suppose that \(T \in \mathbb {G}\): In this case, \({\mathcal {B}}\) perfectly simulates \(\mathbf {Game}_{7,j}\) if \(j^*\) is correct. If the adversary outputs a type-A forgery, it passes the test. Otherwise, that is, if the output forgery is type-B, it passes the test only with negligible probability. Therefore, the test fails with overwhelming probability, and \({\mathcal {B}}\) detects \({\mathcal {A}}\)’s change as intended. This completes the proof. \(\square \)

\(\mathbf {Game}_{\mathrm {final}}\) Finally, we replace type-A signatures with type-B2 signatures for a file identifier \(\tau ^*\) at once. In this game, all of the VESs/signatures that the adversary receives are type-B.

Lemma 8

Under the assumption \(\mathbf {ALP3}\), \(\mathbf {Game}_{7,Q_{\mathsf {ves}}}\) and \(\mathbf {Game}_{\mathrm {final}}\) are computationally indistinguishable.

Proof

We construct a distinguisher \({\mathcal {B}}\) that, given \((g ,f ,g^{\xi } ,X_1 X_2 ,X_3 ,Y_2 Y_3 ,T)\), determines whether \(T = f^{\xi } Z_3\) or \(T = f^{\xi } Z_2 Z_3\) by using \({\mathcal {A}}\), which distinguishes the two games.

\({\mathcal {B}}\) sets keys as follows: \(g^{\alpha } = g^{\xi }\), \(y = g^{\beta }\), \(u = g^{a_u}\), \(v = g^{a_v}\), and \(h_i = f^{a_i}\) for \(i\in [n]\). It then guesses an index \(j^* \leftarrow _{\$}[Q_{\mathsf {ves}}]\). It feeds \(\mathsf {pp},\mathsf {apk},\mathsf {vk}\) to the adversary \({\mathcal {A}}\).

On the creation query \((\tau _{l_1},\mathbf {v})\), \({\mathcal {B}}\) responds as follows:

  • If \(l_1 \ne j^*\): To generate a type-B1 VES, it computes \(\omega \) by freshly choosing \(r, t, z_1, z_2, z_3 \leftarrow _{\$}\mathbb {Z}_N\) and computing

    $$\begin{aligned} \omega _1&= T^{\langle \mathbf {a}, \mathbf {v} \rangle } \cdot (u^\tau v)^r \cdot y^t \cdot (Y_2 Y_3)^{z_1}, \\ \omega _2&= g^r \cdot (Y_2 Y_3)^{z_2}, \text { and } \omega _3 = g^t \cdot X_3^{z_3}. \end{aligned}$$

  • If \(l_1 = j^*\): To generate a type-B2 VES, it computes \(\omega \) as

    $$\begin{aligned} \omega _1&= T^{\langle \mathbf {a}, \mathbf {v} \rangle } \cdot (u^\tau v)^r \cdot y^t \cdot (Y_2 Y_3)^{z_1}, \\ \omega _2&= g^r \cdot X_3^{z_2}, \text { and } \omega _3 = g^t \cdot (Y_2 Y_3)^{z_3}, \end{aligned}$$

    by choosing \(r,t,z_1,z_2,z_3 \leftarrow _{\$}\mathbb {Z}_N\).

We stress here that those VESs reveal no information of \(\langle \mathbf {a}, \mathbf {v} \rangle \bmod {p_2}\) since \(\omega _1\)’s \(\mathbb {G}_2\) parts are randomized.

On the adjudication query \((\tau _{l_1},\mathbf {y},\omega )\), \({\mathcal {B}}\) checks its validity. If it is valid, \({\mathcal {B}}\) responds as follows:

  • If \(l_1 \ne j^*\): It computes a type-B1 signature by choosing \(r,z_1,z_2 \leftarrow _{\$}\mathbb {Z}_N\) and computing

    $$\begin{aligned} \sigma _1 = T^{\langle \mathbf {a}, \mathbf {y} \rangle } \cdot (u^\tau v)^r \cdot (Y_2 Y_3)^{z_1} \text { and } \sigma _2 = g^r \cdot (Y_2 Y_3)^{z_2}. \end{aligned}$$

    We note that those signatures leak no information of \(\langle \mathbf {a}, \mathbf {y} \rangle \bmod {p_2}\).

  • If \(l_1 = j^*\): In order to embed T into signatures for \(\tau _{l_1}\) and \(\mathbf {y}\), \({\mathcal {B}}\) chooses \(r,z_1,z_2 \leftarrow _{\$}\mathbb {Z}_N\) and computes

    $$\begin{aligned} \sigma _1 = T^{\langle \mathbf {a}, \mathbf {y} \rangle } \cdot (u^\tau v)^r \cdot X_3^{z_1} \text { and } \sigma _2 = g^r \cdot X_3^{z_2} \end{aligned}$$

    and outputs \(\sigma = (\sigma _1,\sigma _2)\).

Finally, \({\mathcal {A}}\) outputs a signature \(\sigma ^* = (\sigma _1^*,\sigma _2^*)\) on \(\tau ^*\) and \(\mathbf {y}^*\). If the guess is incorrect (\(\tau ^* \ne \tau _{j^*}\)), then \({\mathcal {B}}\) aborts. Otherwise, \({\mathcal {B}}\) checks the type of the signature as follows: compute

$$\begin{aligned} \eta = \sigma _1^* \cdot (\sigma _2^*)^{-(a_u \tau ^* + a_v)}, \end{aligned}$$

and check that \(e(X_1 X_2,\eta ) = e(X_1 X_2,T)^{\langle \mathbf {a}, \mathbf {y}^* \rangle }\). If the equality holds, then the signature is type-A and it concludes that \(T = f^{\xi } Z_3\); otherwise, the signature is type-B and it concludes that \(T = f^{\xi } Z_2 Z_3\).

Let us analyze \({\mathcal {B}}\)’s test, which is very similar to the original proof [7]. We can write \(T = f^{\xi } g_{p_2}^{z} Z_3\), and if \(T = f^{\xi } Z_3\), then \(z = 0\), otherwise z is uniformly at random modulo \(p_2\). By the definition of \(\eta \), it is of the form

$$\begin{aligned} \eta = f^{\xi \cdot \langle \mathbf {a}, \mathbf {y}^* \rangle } \cdot g_{p_2}^{\theta } \cdot R_3, \end{aligned}$$

where \(\theta \in \mathbb {Z}_{p_2}\) is 0 if \(\sigma ^*\) is type-A and \(\theta \ne 0\) otherwise. We can write the left-hand side of the test as

$$\begin{aligned} e(X_1 X_2,\eta ) = e(X_1, f^{\xi \cdot \langle \mathbf {a}, \mathbf {y}^* \rangle }) \cdot e(X_2, g_{p_2})^{\theta } \end{aligned}$$

and the right-hand side as

$$\begin{aligned} e(X_1 X_2,T)^{\langle \mathbf {a}, \mathbf {y}^* \rangle } &= e(X_1 X_2, f^{\xi } g_{p_2}^{z})^{\langle \mathbf {a}, \mathbf {y}^* \rangle }\\ &= e(X_1, f^{\xi })^{\langle \mathbf {a}, \mathbf {y}^* \rangle } \cdot e(X_2, g_{p_2})^{z \langle \mathbf {a}, \mathbf {y}^* \rangle }. \end{aligned}$$

Therefore, \({\mathcal {B}}\) concludes that \(T = f^{\xi } Z_3\) if and only if \(\theta \equiv z \cdot \langle \mathbf {a}, \mathbf {y}^* \rangle \pmod {p_2}\).

We analyze the test more deeply when guess \(j^*\) is correct. Suppose that \(T = f^{\xi } Z_3\): In this case, \({\mathcal {B}}\) simulates \(\mathbf {Game}_{7,Q_{\mathsf {ves}}}\) perfectly. Hence, the adversary has no chance to know \(\mathbf {a} \bmod {p_2}\) in the game. If \(\sigma ^*\) is type-A, then it passes \({\mathcal {B}}\)’s test because \(\theta \equiv z \equiv 0 \pmod {p_2}\). If \(\sigma ^*\) is type-B, then it cannot pass \({\mathcal {B}}\)’s test because \(z = 0\) and \(\theta \not \equiv 0 \pmod {p_2}\). However, the probability that \({\mathcal {A}}\) outputs a type-B forgery is negligible by previous lemmas. Hence, if \(T = f^{\xi } Z_3\), \({\mathcal {B}}\) returns a correct answer.

Next, we suppose that \(T = f^{\xi } g_{p_2}^{z} Z_3\): In this case, \({\mathcal {B}}\) simulates \(\mathbf {Game}_{\mathrm {final}}\) perfectly. In the game, \({\mathcal {A}}\) can obtain \(z \langle \mathbf {a}, \mathbf {y}_1 \rangle \bmod {p_2} ,\dots ,z \langle \mathbf {a}, \mathbf {y}_{n-1} \rangle \bmod {p_2}\) from the \(\mathbb {G}_2\) part of signatures for linearly independent vectors \(\mathbf {y}_1,\dots ,\mathbf {y}_{n-1} \in \mathbb {Z}_N^n\). From the hypothesis that \(\mathbf {y}^* \bmod {p_2} \not \in Y_{j^*} \bmod {p_2}\), the value \(z \langle \mathbf {a}, \mathbf {y}^* \rangle \pmod {p_2}\) is distributed uniformly at random from \({\mathcal {A}}\)’s view. If \(\sigma ^*\) is type-A, then it passes \({\mathcal {B}}\)’s test with probability at most \(1/p_2\), because \(\theta = 0\) and \(z \langle \mathbf {a}, \mathbf {y}^* \rangle \ne 0\). If \(\sigma ^*\) is type-B, then it passes the test if \(\theta \equiv z \cdot \langle \mathbf {a}, \mathbf {y}^* \rangle \pmod {p_2}\). However, since \(z \cdot \langle \mathbf {a}, \mathbf {y}^* \rangle \pmod {p_2}\) is distributed uniformly at random from \({\mathcal {A}}\)’s view, the adversary can fool the test by outputting a type-B signature with probability at most \(1/p_2\). This completes the proof. \(\square \)

Lemma 9

Under the assumption \(\mathbf {ALP4}\), no PPT adversary \({\mathcal {A}}\) can produce a type-A forgery in \(\mathbf {Game}_{\mathrm {final}}\).

Proof

We construct a solver \({\mathcal {B}}\) that, given \((g ,g^a ,g^b ,g^{ab}X_2 ,X_3 ,g^c Y_2 ,Z_2)\), computes \(T = e(g,g)^{a b c}\) by using \({\mathcal {A}}\).

At first, \({\mathcal {B}}\) chooses \(\beta ,a_u,a_v,a_1,\dots ,a_n \leftarrow _{\$}\mathbb {Z}_N\) and sets \(X_{p_3} = X_3\), \(g^{\alpha } = g^{a}\), \(u=g^{a_u}\), \(v=g^{a_v}\), \(y = g^{\beta }\), and \(h_i = (g^b)^{a_i}\) for \(i \in [n]\). Let \(\tau _1,\dots ,\tau _{Q_{\mathsf {ves}}}\) be distinct file identifiers that \({\mathcal {A}}\) queries to the creation oracle.

On the creation query \((\tau _{l},\mathbf {v})\), \({\mathcal {B}}\) responds as follows, generating a type-B VES for any \(\tau \) and \(\mathbf {v}\):

  • If \(l \ne j^*\), it computes \(\omega \) by freshly choosing \(r, t, z_1, z_2, z_3 \leftarrow _{\$}\mathbb {Z}_N\) and computing

    $$\begin{aligned} \omega _1&= (g^{ab}X_2)^{\langle \mathbf {a}, \mathbf {v} \rangle } \cdot (u^{\tau _l} v)^r \cdot y^t \cdot (Z_2 X_3)^{z_1}, \\ \omega _2&= g^r \cdot (Z_2 X_3)^{z_2}, \text { and } \omega _3 = g^t \cdot X_3^{z_3}. \end{aligned}$$

  • If \(l = j^*\), it computes \(\omega \) by freshly choosing \(r, t, z_1, z_2, z_3 \leftarrow _{\$}\mathbb {Z}_N\) and computing

    $$\begin{aligned} \omega _1&= (g^{ab}X_2)^{\langle \mathbf {a}, \mathbf {v} \rangle } \cdot (u^{\tau _l} v)^r \cdot y^t \cdot (Z_2 X_3)^{z_1}, \\ \omega _2&= g^r \cdot X_3^{z_2}, \text { and } \omega _3 = g^t \cdot (Z_2 X_3)^{z_3}. \end{aligned}$$

On the adjudication query \((\tau _{l},\mathbf {y},\omega )\), if it is valid, then \({\mathcal {B}}\) responds as follows:

  • If \(l \ne j^*\), it computes a type-B1 signature \(\sigma = (\sigma _1,\sigma _2)\) by choosing \(r,z_1,z_2 \leftarrow _{\$}\mathbb {Z}_N\) and computing

    $$\begin{aligned} \sigma _1&= (g^{ab}X_2)^{\langle \mathbf {a}, \mathbf {y} \rangle } \cdot (u^\tau v)^r \cdot (Z_2 X_3)^{z_1} \text { and } \\ \sigma _2&= g^r \cdot (Z_2 X_3)^{z_2}. \end{aligned}$$

  • If \(l = j^*\), it computes a type-B2 signature \(\sigma = (\sigma _1,\sigma _2)\) by choosing \(r,z_1,z_2 \leftarrow _{\$}\mathbb {Z}_N\) and computing

    $$\begin{aligned} \sigma _1 = (g^{ab}X_2)^{\langle \mathbf {a}, \mathbf {y} \rangle } \cdot (u^\tau v)^r \cdot (Z_2 X_3)^{z_1} \text { and } \sigma _2 = g^r \cdot X_3^{z_2}. \end{aligned}$$

Finally, \({\mathcal {A}}\) outputs a type-A signature \(\sigma ^* = (\sigma _1^*,\sigma _2^*)\) on \(\tau ^*\) and \(\mathbf {y}^*\). If the guess \(j^*\) is incorrect, then \({\mathcal {B}}\) aborts. Otherwise (\(\tau ^* = \tau _{j^*}\)), it computes

$$\begin{aligned} \eta = \left( \sigma _1^*/(\sigma _2^*)^{a_u \tau ^* + a_v}\right) ^{1/\langle \mathbf {a}, \mathbf {y}^* \rangle }. \end{aligned}$$

Note that we already eliminated the event \(\langle \mathbf {a}, \mathbf {y}^* \rangle \equiv 0 \bmod {p_1}\) in \(\mathbf {Game}_2\). Moreover, note that \(\langle \mathbf {a}, \mathbf {y}^* \rangle \bmod {p_2}\) does not leak, since the \(\mathbb {G}_2\) parts of every VES/signature are distributed uniformly at random. Therefore, with probability at least \(1-1/p_2\), \(\langle \mathbf {a}, \mathbf {y}^* \rangle \not \equiv 0 \bmod {p_2}\) holds. Moreover, the vector \(\mathbf {a} \bmod {p_3}\) is never leaked to \({\mathcal {A}}\). Therefore, we can conclude that \(\langle \mathbf {a}, \mathbf {y}^* \rangle \) is a unit in \(\mathbb {Z}_N\), and we can take its inverse over \(\mathbb {Z}_N\).

Since \(\sigma ^*\) is a type-A signature, it should be of the form

$$\begin{aligned} \sigma _1^* = (g^{ab})^{\langle \mathbf {a}, \mathbf {y}^* \rangle } \cdot (u^{\tau ^*}v)^r \cdot R_3 \text { and } \sigma _2^* = g^r \cdot R_3'. \end{aligned}$$

Therefore, we have \(\eta = g^{ab} \cdot R_3''\) for some \(R_3'' \in \mathbb {G}_3\). Hence, \({\mathcal {B}}\) computes \(T = e(g,g)^{abc}\) by taking the pairing \(e(g^c Y_2,\eta )\).

\(\square \)
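The following worked derivation is added here and is not part of the original proof; it spells out the last step of Lemma 9 in the page's own symbols, assuming as before that pairings between distinct subgroups of \(\mathbb {G}\) are trivial and that \(\langle \mathbf {a}, \mathbf {y}^* \rangle \) is a unit in \(\mathbb {Z}_N\). Because \(u = g^{a_u}\) and \(v = g^{a_v}\), the randomiser \((u^{\tau ^*} v)^r = g^{r(a_u \tau ^* + a_v)}\) cancels:

$$\begin{aligned} \frac{\sigma _1^*}{(\sigma _2^*)^{a_u \tau ^* + a_v}} &= \frac{(g^{ab})^{\langle \mathbf {a}, \mathbf {y}^* \rangle } \cdot g^{r(a_u \tau ^* + a_v)} \cdot R_3}{g^{r(a_u \tau ^* + a_v)} \cdot (R_3')^{a_u \tau ^* + a_v}} = (g^{ab})^{\langle \mathbf {a}, \mathbf {y}^* \rangle } \cdot R_3 \cdot (R_3')^{-(a_u \tau ^* + a_v)},\\ \eta &= \left( (g^{ab})^{\langle \mathbf {a}, \mathbf {y}^* \rangle } \cdot R_3 \cdot (R_3')^{-(a_u \tau ^* + a_v)} \right) ^{1/\langle \mathbf {a}, \mathbf {y}^* \rangle } = g^{ab} \cdot R_3'', \qquad R_3'' := \left( R_3 \cdot (R_3')^{-(a_u \tau ^* + a_v)}\right) ^{1/\langle \mathbf {a}, \mathbf {y}^* \rangle } \in \mathbb {G}_3, \end{aligned}$$

where the exponent \(\langle \mathbf {a}, \mathbf {y}^* \rangle \cdot \langle \mathbf {a}, \mathbf {y}^* \rangle ^{-1} \equiv 1 \pmod {N}\) reduces to \(1 \pmod {p_1}\) on the order-\(p_1\) element \(g^{ab}\). Expanding the final pairing by bilinearity,

$$\begin{aligned} e(g^c Y_2,\eta ) = e(g^c, g^{ab}) \cdot e(g^c, R_3'') \cdot e(Y_2, g^{ab}) \cdot e(Y_2, R_3'') = e(g,g)^{abc}, \end{aligned}$$

since \(g \in \mathbb {G}_1\), \(Y_2 \in \mathbb {G}_2\) and \(R_3'' \in \mathbb {G}_3\), so the last three factors each pair elements of distinct subgroups and equal \(1_{\mathbb {G}_T}\). This is why the \(\mathbb {G}_2\) and \(\mathbb {G}_3\) blinding in the simulated VESs and signatures costs the solver nothing.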

Cite this article

Seo, J.H., Emura, K., Xagawa, K. et al. Accumulable optimistic fair exchange from verifiably encrypted homomorphic signatures. Int. J. Inf. Secur. 17, 193–220 (2018). https://doi.org/10.1007/s10207-017-0367-z
