
Linearly homomorphic structure-preserving signatures and their applications

Published in: Designs, Codes and Cryptography

Abstract

Structure-preserving signatures (SPS) are signature schemes where messages, signatures and public keys all consist of elements of a group over which a bilinear map is efficiently computable. This property makes them useful in cryptographic protocols as they nicely compose with other algebraic tools (like the celebrated Groth–Sahai proof systems). In this paper, we consider SPS systems with homomorphic properties and suggest applications that have not been provided before (in particular, not by employing ordinary SPS). We build linearly homomorphic structure-preserving signatures under simple assumptions and show that the primitive makes it possible to verify the calculations performed by a server on outsourced encrypted data (i.e., combining secure computation and authenticated computation to allow reliable and secure cloud storage and computation, while freeing the client from retaining cleartext storage). Then, we give a generic construction of non-malleable (and actually simulation-sound) commitment from any linearly homomorphic SPS. This notably provides the first constant-size non-malleable commitment to group elements.


Notes

  1. Our goals are very different from those of [44], where verifiable computation on homomorphically encrypted data is also considered. We do not seek to outsource computation but rather save the client from storing large datasets.

  2. In short, these are NIZK arguments where the common reference string may depend on the language for which proofs have to be generated. However, a single simulator should be effective for the entire class of languages.

  3. Note that this is not a problem since the signer can derive \(\theta \) as a pseudorandom function of \(\tau \) and \((M_1,\ldots ,M_n)\) to make sure that a given vector is always signed using the same \(\theta \).

  4. We recall that strictly structure-preserving commitments cannot be length-reducing, as shown by Abe et al. [6], so that our scheme is essentially the best we can hope for if we aim at short commitment strings.

  5. This condition can be relaxed to have collision-resistant deterministic encodings. Here, we assume injectivity for simplicity.

  6. Catalano et al. [27] consider a model where the file identifiers are always chosen by the challenger at each signing query in the security game. However, the security proof of [27, Lemma 1] does not require the file identifiers to be uniformly distributed and it goes through if they are chosen by the adversary at the outset of the game instead of being chosen by the reduction.

References

  1. Abe M., Fuchsbauer G., Groth J., Haralambiev K., Ohkubo M.: Structure-preserving signatures and commitments to group elements. In: Advances in Cryptology—Crypto ’10. Lecture Notes in Computer Science, vol. 6223, pp. 209–236. Springer, Berlin (2010).

  2. Abe M., Haralambiev K., Ohkubo M.: Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive Report 2010/133 (2010).

  3. Abe M., Groth J., Haralambiev K., Ohkubo M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Advances in Cryptology—Crypto ’11. Lecture Notes in Computer Science, vol. 6841, pp. 649–666. Springer, Berlin (2011).

  4. Abe M., Groth J., Ohkubo M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Advances in Cryptology—ASIACRYPT ’11. Lecture Notes in Computer Science, vol. 7073, pp. 628–646. Springer, Berlin (2011).

  5. Abe M., Chase M., David B., Kohlweiss M., Nishimaki R., Ohkubo M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. In: Advances in Cryptology—ASIACRYPT ’12. Lecture Notes in Computer Science, vol. 7658, pp. 4–24. Springer, Berlin (2012).

  6. Abe M., Haralambiev K., Ohkubo M.: Group to group commitments do not shrink. In: Advances in Cryptology—EUROCRYPT ’12. Lecture Notes in Computer Science, vol. 7237, pp. 301–317. Springer, Berlin (2012).

  7. Abe M., David B., Kohlweiss M., Nishimaki R., Ohkubo M.: Tagged one-time signatures: tight security and optimal tag size. In: Public-Key Cryptography—PKC ’13. Lecture Notes in Computer Science, vol. 7778, pp. 312–331. Springer, Berlin (2013).

  8. Ahn J.-H., Boneh D., Camenisch J., Hohenberger S., Shelat A., Waters B.: Computing on authenticated data. In: Theory of Cryptography—TCC 2012. Lecture Notes in Computer Science, vol. 7194, pp. 1–20. Springer, Berlin (2012).

  9. Ateniese G., Burns R., Curtmola R., Herring J., Kissner L., Peterson Z., Song D.: Provable data possession at untrusted stores. In: Proceedings of the ACM Conference on Computer and Communications—ACM-CCS 2007, pp. 598–609. ACM Press, New York (2007).

  10. Ateniese G., Kamara S., Katz J.: Proofs of storage from homomorphic identification protocols. In: Advances in Cryptology—ASIACRYPT ’09. Lecture Notes in Computer Science, vol. 5912, pp. 319–333. Springer, Berlin (2009).

  11. Attrapadung N., Libert B.: Homomorphic network coding signatures in the standard model. In: Public Key Cryptography—PKC ’11. Lecture Notes in Computer Science, vol. 6571, pp. 17–34. Springer, Berlin (2011).

  12. Attrapadung N., Libert B., Peters T.: Computing on authenticated data: new privacy definitions and constructions. In: Advances in Cryptology—ASIACRYPT ’12. Lecture Notes in Computer Science, vol. 7658, pp. 367–385. Springer, Berlin (2012).

  13. Attrapadung N., Libert B., Peters T.: Efficient completely context-hiding quotable signatures and linearly homomorphic signatures. In: Public-Key Cryptography—PKC ’13. Lecture Notes in Computer Science, vol. 7778, pp. 367–404. Springer, Berlin (2013).

  14. Bellare M., Ristenpart T.: Simulation without the artificial abort: simplified proof and improved concrete security for Waters’ IBE scheme. In: Advances in Cryptology—EUROCRYPT ’09. Lecture Notes in Computer Science, vol. 5479, pp. 407–424. Springer, Berlin (2009).

  15. Boneh D., Boyen X.: Short signatures without random oracles. In: Advances in Cryptology—EUROCRYPT ’04. Lecture Notes in Computer Science, vol. 3027, pp. 56–73. Springer, Berlin (2004).

  16. Boneh D., Boyen X., Shacham H.: Short group signatures. In: Advances in Cryptology—CRYPTO ’04. Lecture Notes in Computer Science, vol. 3152, pp. 41–55. Springer, Berlin (2004).

  17. Boneh D., Freeman D.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Public Key Cryptography—PKC ’11. Lecture Notes in Computer Science, vol. 6571, pp. 1–16. Springer, Berlin (2011).

  18. Boneh D., Freeman D.: Homomorphic signatures for polynomial functions. In: Advances in Cryptology—EUROCRYPT ’11. Lecture Notes in Computer Science, vol. 6632, pp. 149–168. Springer, Berlin (2011).

  19. Boneh D., Freeman D., Katz J., Waters B.: Signing a linear subspace: signature schemes for network coding. In: Public Key Cryptography—PKC ’09. Lecture Notes in Computer Science, vol. 5443, pp. 68–87. Springer, Berlin (2009).

  20. Camenisch J., Gross T., Heydt-Benjamin T.-S.: Rethinking accountable privacy supporting services. In: Digital Identity Management—DIM ’08, pp. 1–8. ACM Press, New York (2008).

  21. Camenisch J., Haralambiev K., Kohlweiss M., Lapon J., Naessens V.: Structure preserving CCA secure encryption and applications. In: Advances in Cryptology—ASIACRYPT ’11. Lecture Notes in Computer Science, vol. 7073, pp. 89–106. Springer, Berlin (2011).

  22. Camenisch J., Dubovitskaya M., Haralambiev K.: Efficient structure-preserving signature scheme from standard assumptions. In: Security and Cryptography for Networks—SCN 2012. Lecture Notes in Computer Science, vol. 7485, pp. 76–94. Springer, Berlin (2012).

  23. Canetti R.: Universally composable security: a new paradigm for cryptographic protocols. In: Foundations of Computer Science—FOCS ’01, pp. 136–145. Springer, Berlin (2001).

  24. Canetti R., Fischlin M.: Universally composable commitments. In: Advances in Cryptology—CRYPTO ’01. Lecture Notes in Computer Science, vol. 2139, pp. 19–40. Springer, Berlin (2001).

  25. Canetti R., Dodis Y., Pass R., Walfish S.: Universally composable security with global setup. In: Theory of Cryptography—TCC ’07. Lecture Notes in Computer Science, vol. 4392, pp. 61–85. Springer, Berlin (2007).

  26. Catalano D., Fiore D., Warinschi B.: Adaptive pseudo-free groups and applications. In: Advances in Cryptology—EUROCRYPT ’11. Lecture Notes in Computer Science, vol. 6632, pp. 207–223. Springer, Berlin (2011).

  27. Catalano D., Fiore D., Warinschi B.: Efficient network coding signatures in the standard model. In: Public Key Cryptography—PKC ’12. Lecture Notes in Computer Science, vol. 7293, pp. 680–696. Springer, Berlin (2012).

  28. Catalano D., Marcedone A., Puglisi O.: Authenticated computation on groups: new homomorphic primitives and applications. In: Advances in Cryptology—ASIACRYPT ’14. Lecture Notes in Computer Science, vol. 8874, Part II, pp. 193–212. Springer, Berlin (2014).

  29. Cathalo J., Libert B., Yung M.: Group encryption: non-interactive realization in the standard model. In: Advances in Cryptology—ASIACRYPT ’09. Lecture Notes in Computer Science, vol. 5912, pp. 179–196. Springer, Berlin (2009).

  30. Chase M., Kohlweiss M.: A new hash-and-sign approach and structure-preserving signatures from DLIN. In: Security and Cryptography for Networks—SCN 2012. Lecture Notes in Computer Science, vol. 7485, pp. 131–148. Springer, Berlin (2012).

  31. Cramer R., Shoup V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Advances in Cryptology—CRYPTO ’98. Lecture Notes in Computer Science, vol. 1462, pp. 13–25. Springer, Berlin (1998).

  32. Damgård I., Groth J.: Non-interactive and reusable non-malleable commitment schemes. In: Proceedings of the ACM symposium on Theory of computing—STOC ’03, pp. 426–437. ACM Press, New York (2003).

  33. Desmedt Y.: Computer security by redefining what a computer is. In: New Security Paradigms Workshop—NSPW 1993, pp. 160–166. ACM, New York (1993).

  34. Di Crescenzo G., Ishai Y., Ostrovsky R.: Non-interactive and non-malleable commitment. In: Proceedings of the Symposium on Theory of Computing—STOC ’98, pp. 141–150. ACM Press, New York (1998).

  35. Dodis Y., Shoup V., Walfish S.: Efficient constructions of composable commitments and zero-knowledge proofs. In: Advances in Cryptology—CRYPTO ’08. Lecture Notes in Computer Science, vol. 5157, pp. 21–38. Springer, Berlin (2008).

  36. Dolev D., Dwork C., Naor M.: Non-malleable cryptography. In: Proceedings of the Symposium on the Theory of Computing—STOC ’91, pp. 542–552. ACM Press, New York (1991).

  37. Fischlin M., Libert B., Manulis M.: Non-interactive and re-usable universally composable string commitments with adaptive security. In: Advances in Cryptology—ASIACRYPT ’11. Lecture Notes in Computer Science, vol. 7073, pp. 468–485. Springer, Berlin (2011).

  38. Freeman D.: Improved security for linearly homomorphic signatures: a generic framework. In: Public Key Cryptography—PKC ’12. Lecture Notes in Computer Science, vol. 7293, pp. 697–714. Springer, Berlin (2012).

  39. Fuchsbauer G.: Automorphic signatures in bilinear groups and an application to round-optimal blind signatures. Cryptology ePrint Archive Report 2009/320 (2009).

  40. Fujisaki E.: New constructions of efficient simulation-sound commitments using encryption and their applications. In: Topics in Cryptology—CT-RSA ’12. Lecture Notes in Computer Science, vol. 7178, pp. 136–155. Springer, Berlin (2012).

  41. Garay J., MacKenzie P., Yang K.: Strengthening zero-knowledge protocols using signatures. In: Advances in Cryptology—EUROCRYPT ’03. Lecture Notes in Computer Science, vol. 2656, pp. 177–194. Springer, Berlin (2003).

  42. Gennaro R.: Multi-trapdoor commitments and their applications to proofs of knowledge secure under concurrent man-in-the-middle attacks. In: Advances in Cryptology—CRYPTO ’04. Lecture Notes in Computer Science, vol. 3152, pp. 220–236. Springer, Berlin (2004).

  43. Gennaro R., Micali S.: Independent zero-knowledge sets. In: Proceedings of the International Colloquium on Automata, Languages and Programming—ICALP ’06. Lecture Notes in Computer Science, vol. 4052, pp. 34–45. Springer, Berlin (2006).

  44. Gennaro R., Gentry C., Parno B.: Non-interactive verifiable computing: Outsourcing computation to untrusted workers. In: Advances in Cryptology—CRYPTO 2010. Lecture Notes in Computer Science, vol. 6223, pp. 465–482. Springer, Berlin (2010).

  45. Gennaro R., Katz J., Krawczyk H., Rabin T.: Secure network coding over the integers. In: Public Key Cryptography—PKC ’10. Lecture Notes in Computer Science, vol. 6056, pp. 142–160. Springer, Berlin (2010).

  46. Groth J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Advances in Cryptology—ASIACRYPT ’06. Lecture Notes in Computer Science, vol. 4284, pp. 444–459. Springer, Berlin (2006).

  47. Groth J.: Homomorphic trapdoor commitments to group elements. Cryptology ePrint Archive Report 2009/007 (2009).

  48. Groth J.: Efficient zero-knowledge arguments from two-tiered homomorphic commitments. In: Advances in Cryptology—ASIACRYPT ’11. Lecture Notes in Computer Science, vol. 7073, pp. 431–448. Springer, Berlin (2011).

  49. Groth J., Ostrovsky R.: Cryptography in the multi-string model. In: Advances in Cryptology—CRYPTO ’07. Lecture Notes in Computer Science, vol. 4622, pp. 323–341. Springer, Berlin (2007).

  50. Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. In: Advances in Cryptology—EUROCRYPT ’08. Lecture Notes in Computer Science, vol. 4965, pp. 415–432. Springer, Berlin (2008).

  51. Hofheinz D., Jager T.: Tightly secure signatures and public-key encryption. In: Advances in Cryptology—CRYPTO ’12. Lecture Notes in Computer Science, vol. 7417, pp. 590–607. Springer, Berlin (2012).

  52. Hofheinz D., Kiltz E.: Programmable hash functions and their applications. In: Advances in Cryptology—CRYPTO ’08. Lecture Notes in Computer Science, vol. 5157, pp. 21–38. Springer, Berlin (2008).

  53. Johnson R., Molnar D., Song D., Wagner D.: Homomorphic signature schemes. In: Topics in Cryptology—CT-RSA ’02. Lecture Notes in Computer Science, vol. 2271, pp. 244–262. Springer, Berlin (2002).

  54. Jutla C., Roy A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Advances in Cryptology—ASIACRYPT ’13. Lecture Notes in Computer Science, vol. 8269, pp. 1–20. Springer, Berlin (2013). Cryptology ePrint Archive: Report 2013/109.

  55. Jutla C., Roy A.: Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces. In: Advances in Cryptology—CRYPTO ’14. Lecture Notes in Computer Science, vol. 8617, pp. 295–312. Springer, Berlin (2014).

  56. Libert B., Yung M.: Non-interactive CCA2-secure threshold cryptosystems with adaptive security: new framework and constructions. In: Proceedings of the Theory of Cryptography Conference—TCC ’12. Lecture Notes in Computer Science, vol. 7194, pp. 75–93. Springer, Berlin (2012).

  57. Libert B., Peters T., Joye M., Yung M.: Linearly homomorphic structure-preserving signatures and their applications. In: Advances in Cryptology—CRYPTO ’13. Lecture Notes in Computer Science, vol. 8043, pp. 289–307. Springer, Berlin (2013).

  58. Libert B., Joye M., Yung M.: Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares. In: Proceedings of the ACM Symposium on Principles of Distributed Computing—PODC ’14, pp. 303–312. ACM Press, New York (2014).

  59. Libert B., Joye M., Yung M., Peters T.: Concise multi-challenge cca-secure encryption and signatures with almost tight security. In: Advances in Cryptology—ASIACRYPT ’14. Lecture Notes in Computer Science, Part II, vol. 8874, pp. 1–21. Springer, Berlin (2014).

  60. Libert B., Peters T., Joye M., Yung M.: Non-malleability from malleability: Simulation-sound quasi-adaptive NIZK proofs and CCA2-secure encryption from homomorphic signatures. In: Advances in Cryptology—EUROCRYPT ’14. Lecture Notes in Computer Science, vol. 8441, pp. 514–532. Springer, Berlin (2014).

  61. MacKenzie P., Yang K.: On simulation-sound trapdoor commitments. In: Advances in Cryptology—EUROCRYPT ’04. Lecture Notes in Computer Science, vol. 3027, pp. 382–400. Springer, Berlin (2004).

  62. Malkin T., Teranishi I., Vahlis Y., Yung M.: Signatures resilient to continual leakage on memory and computation. In: Proceedings of the Theory of Cryptography Conference—TCC ’11, pp. 89–106. Springer, Berlin (2011).

  63. Naor M., Yung M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the ACM Symposium on Theory of Computing—STOC ’90, pp. 427–437. ACM Press, New York (1990).

  64. Nishimaki R., Fujisaki E., Tanaka K.: A multi-trapdoor commitment scheme from the RSA assumption. In: Proceedings of the Australasian Conference on Information Security and Privacy—ACISP 2010. Lecture Notes in Computer Science, vol. 6168, pp. 182–199. Springer, Berlin (2010).

  65. Sakai Y., Emura K., Hanaoka G., Kawai Y., Matsuda T., Omote K.: Group signatures with message-dependent opening. In: Proceedings of the 5th International Conference on Pairing-Based Cryptography—Pairing 2012. Lecture Notes in Computer Science, vol. 7708, pp. 270–294. Springer, Berlin (2013).

  66. Shamir A.: Identity-based cryptosystems and signature schemes. In: Advances in Cryptology—Crypto ’84. Lecture Notes in Computer Science, vol. 196, pp. 47–53. Springer, Berlin (1984).

  67. Waters B.: Efficient identity-based encryption without random oracles. In: Advances in Cryptology—EUROCRYPT ’05. Lecture Notes in Computer Science, vol. 3494, pp. 114–127. Springer, Berlin (2005).


Acknowledgments

The authors thank Dario Catalano for his comments and for pointing out a necessary correction in the proof of Lemma 1.

Corresponding author

Correspondence to Thomas Peters.

Additional information

This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Cryptography, Codes, Designs and Finite Fields: In Memory of Scott A. Vanstone”.

This is the full version of a paper [57] that appeared in Crypto 2013 with the same title.

This work was done while the first author was with Technicolor (France).

This work was done while the second author was supported by the CAMUS Walloon Region Project at the UCL Crypto Group (Belgium).

Appendices

Appendix 1: Deferred proofs for the scheme in Sect. 3.2

1.1 Appendix 1.1: Proof of Lemma 1

Proof

Let us assume that an independent adversary \(\mathcal {A}\) can produce a Type II forgery with non-negligible advantage \(\varepsilon \). Using \(\mathcal {A}\), we build an algorithm \(\mathcal {B}\) solving a SDP instance \((g_z,g_r,h_z,h)\) with probability at least \(\varepsilon /(8 (q-1) (L+1))\). Algorithm \(\mathcal {B}\) chooses \((w_0,w_1,\ldots ,w_L) \in \mathbb {G}^{L+1}\) in the same way as in the security proof of Waters signatures [67]. Namely, for any string \(\tau \in \{0,1\}^L\), the hash value \(H_{\mathbb {G}}(\tau )=w_0 \cdot \prod _{i=1}^L w_i^{\tau [i]}\) can be expressed as \(H_{\mathbb {G}}(\tau )=g_r^{J(\tau )} \cdot h^{K(\tau )}\) for certain integer-valued functions \(J,K:\{0,1\}^L \rightarrow \mathbb {Z}_p\) that remain internal to the simulation. They are further defined using the methodology of programmable hash functions [52] so that, for any distinct \(\tau ,\tau _1,\ldots ,\tau _q\), we have \(J(\tau )=0 \mod p\) and \(J(\tau _i) \ne 0 \mod p\) for each \(i \in \{1,\ldots ,q\}\) with non-negligible probability \(\zeta =1/(8 \cdot q \cdot (L+1))\).

Remaining public key components are defined by setting \(g_i=g_z^{\chi _i} g_r^{\gamma _i}\) and \(h_i=h_z^{\chi _i}h^{\delta _i}\), with \(\chi _i,\gamma _i,\delta _i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) for \(i=1\) to \(n\), as in the real key generation algorithm.

Since \(\mathcal {A}\) is a Type II forger, it is expected to produce a forgery \((\tau ^\star ,\vec {M}^\star ,\sigma ^\star )\) for a tag \(\tau ^\star \) that was used by \(\mathcal {B}\) in some signing query but for which \(\vec {M}^\star \not \in \mathrm {span}(\vec {M}_1,\ldots ,\vec {M}_{n-1})\), where \(\vec {M}_1,\ldots ,\vec {M}_{n-1}\) are the vectors of \(\mathbb {G}^n\) that were associated with \(\tau ^\star \). We denote by \(\tau _1,\ldots ,\tau _q\) the distinct adversarially-chosen tags involved in \(\mathcal {A}\)’s queries during the game. Note that, since \(\mathcal {A}\) is a Type II adversary, we will have \(\tau ^\star \in \{\tau _1,\ldots ,\tau _q\}\) at the end of the game. We also assume w.l.o.g. that exactly \(n-1\) signing queries are made for each tag \(\tau \in \{\tau _1,\ldots ,\tau _q\}\) during the game (otherwise, \(\mathcal {B}\) can simulate signing queries for itself). During its interaction with \(\mathcal {A}\), the reduction \(\mathcal {B}\) answers \({\mathsf {Sign}}, \mathsf {SignDerive}\) and \(\mathsf {Reveal}\) queries as follows.

  • Signing queries: At each signing query \(\big (\tau _{j},\vec {M}=(M_1,\ldots ,M_n) \big )\) involving the \(j\)-th distinct tag \(\tau _{j}, \mathcal {B}\) evaluates the function \(J(\tau _j)\) and considers the following situations.

    • If \(J(\tau _j) \ne 0, \mathcal {B}\) picks \(\rho ,\theta \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and computes

      $$\begin{aligned} \varTheta _1= H_{\mathbb {G}}\big (\tau _{j}\big )^{-\rho } \cdot \big (h_z\big )^{ \frac{K(\tau _{j})}{J(\tau _{j})} \cdot \theta }, \qquad \qquad \varTheta _2=h^\rho \cdot \big (h_z\big )^{\frac{- \theta }{J(\tau _{j})}}, \end{aligned}$$

      which can be written \((\varTheta _1,\varTheta _2)=\big ( h_z^{- \theta \cdot \alpha _r} \cdot H_{\mathbb {G}}(\tau )^{-\tilde{\rho }},h^{\tilde{\rho }} \big )\) if we define \(\tilde{\rho } = \rho - \frac{ \theta \cdot \beta _z }{J(\tau _{j})}\). Using \((\varTheta _1,\varTheta _2), \mathcal {B}\) obtains a valid signature on the vector \((M_1,\ldots ,M_n) \) by computing

      $$\begin{aligned} z&= g_r^{\theta } \cdot \prod _{i=1}^n M_i^{-\chi _i},&r&= g_z^{-\theta } \cdot \prod _{i=1}^n M_i^{-\gamma _i},&u&= \varTheta _1 \cdot \prod _{i=1}^n M_i^{-\delta _i},&v&= \varTheta _2. \end{aligned}$$

      The signature \(\sigma =(z,r,u,v)\) is not directly sent to \(\mathcal {A}\) but assigned to a new handle \(\mathsf {h}\) and stored in an entry \((\mathsf {h},(\tau _{j},\vec {M}),\sigma )\) of the table \(T\).

    • If \(J(\tau _j) = 0, \mathcal {B}\) picks \(\rho \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and computes

      $$\begin{aligned} z&= \prod _{i=1}^n M_i^{-\chi _i},&r&= \prod _{i=1}^n M_i^{-\gamma _i},&u&= H_{\mathbb {G}}\big (\tau _j\big )^{-\rho } \cdot \prod _{i=1}^n M_i^{-\delta _i},&v&= h^{\rho }, \end{aligned}$$

      which corresponds to a valid signature \((z,r,u,v)\) on \((M_1,\ldots ,M_n)\) for which \(\theta =0\). Again, \(\mathcal {B}\) chooses a handle \(\mathsf {h}\) and stores \(\big (\mathsf {h},(\tau ,\vec {M}),(z,r,u,v)\big )\) in the table \(T\).

  • Derivation queries: Whenever \(\mathcal {A}\) queries \(\big ( (\mathsf {h}_1,\ldots ,\mathsf {h}_k), \{\beta _i\}_{i=1}^k \big )\) to the \(\mathsf {SignDerive}\) oracle, \(\mathcal {B}\) returns \(\perp \) if not all handles \(\mathsf {h}_1,\ldots ,\mathsf {h}_k\) correspond to queries involving \(\tau \). Otherwise, let \(\vec {M}_1,\ldots ,\vec {M}_k\) be the queried vectors. If \(\vec {M}' \ne \prod _{i=1}^k {\vec {M}_i}^{ \beta _i}, \mathcal {B}\) returns \(\perp \). Otherwise, \(\mathcal {B}\) answers the query in the same way as the real \(\mathsf {SignDerive}\) oracle, by updating the table \(T\).

  • Reveal queries: When \(\mathcal {A}\) supplies a handle \(\mathsf {h}, \mathcal {B}\) returns \(\perp \) if no entry of the form \((\mathsf {h},(\tau ,\vec {M}),.)\) exists in \(T\). Otherwise, \(\mathcal {B}\) returns the previously generated signature \(\sigma \) and adds \(\big ( (\tau ,\vec {M}),\sigma )\) in the list \(Q\).

  • Forgery: Eventually, \(\mathcal {A}\) outputs a Type II forgery \((\tau ^\star ,\vec {M}^\star ,\sigma ^\star )\), where \(\vec {M}^\star =(M_1^\star ,\ldots ,M_n^\star )\) and \(\sigma ^\star =(z^\star ,r^\star ,u^\star ,v^\star ) \in \mathbb {G}^4 \) satisfies the verification equation. At this point, \(\mathcal {B}\) evaluates \(J(\tau ^\star )\) and reports failure if \(J(\tau ^\star ) \ne 0\) or if the set \(\{\tau _1,\ldots ,\tau _q\}\) contains at least two tags \(\tau _{j_1},\tau _{j_2}\) such that \(J(\tau _{j_1})=J(\tau _{j_2})=0\). The same analysis as in [67] shows that, with probability \(1/(8 (q-1) (L+1))\), we have \(J(\tau ^\star )=0\) and \(J(\tau _{j})\ne 0\) for each \(\tau _j \in \{\tau _1,\ldots ,\tau _q\} \backslash \{\tau ^\star \}\). We thus find that \(\mathcal {B}\)’s probability not to abort during the entire game is at least \(1/(8 (q-1) (L+1))\).

If \(\mathcal {B}\) does not fail, we have \(H_{\mathbb {G}}(\tau ^\star )=h^{K(\tau ^\star )}\), so that \(\mathcal {B}\) can compute

$$\begin{aligned} z^\dagger&= \prod _{i=1}^n {M_i^\star }^{-\chi _i},&r^\dagger&= \prod _{i=1}^n {M_i^\star }^{-\gamma _i},&u^\dagger&= {v^\star }^{-K(\tau ^\star )} \cdot \prod _{i=1}^n {M_i^\star }^{-\delta _i},&v^\dagger = v^\star . \end{aligned}$$
(6)

We see that \((z^\dagger ,r^\dagger ,u^\dagger ,v^\dagger )\) forms a valid signature on \((M_1^\star ,\ldots ,M_n^\star )\) whose last component \(v^\dagger \) coincides with that of \(\mathcal {A}\)’s forgery. Since \((z^\dagger ,r^\dagger ,u^\dagger ,v^\dagger )\) and \((z^\star ,r^\star ,u^\star ,v^\star )\) both satisfy the verification equations, the triple

$$\begin{aligned} \Big (z^\ddagger , r^{\ddagger },u^{\ddagger }\Big ) = \Bigg ( \frac{z^{^\star }}{z^\dagger }, \frac{r^{^\star }}{r^\dagger }, \frac{u^{^\star }}{u^\dagger } \Bigg ) \end{aligned}$$

necessarily satisfies \(e(g_z,z^\ddagger ) \cdot e(g_r,r^\ddagger )=e(h_z,z^\ddagger ) \cdot e(h,u^\ddagger )=1_{\mathbb {G}_T}\). We are thus left with proving that \(z^\ddagger \ne 1_{\mathbb {G}}\) with all but negligible probability.
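As an added worked check, not part of the original appendix, the simulated signature of the \(J(\tau _j) \ne 0\) branch and the tuple (6) can be verified directly against the two verification equations of the scheme of Sect. 3.2, which this proof relies on but does not restate on this page; we assume them in the form of the Crypto 2013 version [57], for a symmetric pairing \(e\) and with \(g_i=g_z^{\chi _i} g_r^{\gamma _i}\), \(h_i=h_z^{\chi _i}h^{\delta _i}\) as above:

$$\begin{aligned} e(g_z,z) \cdot e(g_r,r) \cdot \prod _{i=1}^n e(g_i,M_i)&=1_{\mathbb {G}_T},&e(h_z,z) \cdot e(h,u) \cdot e\big (H_{\mathbb {G}}(\tau ),v\big ) \cdot \prod _{i=1}^n e(h_i,M_i)&=1_{\mathbb {G}_T}. \end{aligned}$$

For the simulated signature \((z,r,u,v)=\big (g_r^{\theta } \prod _{i=1}^n M_i^{-\chi _i},\ g_z^{-\theta } \prod _{i=1}^n M_i^{-\gamma _i},\ \varTheta _1 \cdot \prod _{i=1}^n M_i^{-\delta _i},\ \varTheta _2\big )\), the \(M_i\)-dependent factors cancel against \(\prod _{i=1}^n e(g_i,M_i)\) and \(\prod _{i=1}^n e(h_i,M_i)\), so the first equation reduces to \(e(g_z,g_r)^{\theta } \cdot e(g_r,g_z)^{-\theta }=1_{\mathbb {G}_T}\), while the second reduces to

$$\begin{aligned} e(h_z,g_r)^{\theta } \cdot e(h,\varTheta _1) \cdot e\big (H_{\mathbb {G}}(\tau _j),\varTheta _2\big )&= e(h_z,g_r)^{\theta } \cdot e(h,h_z)^{\frac{K(\tau _j)}{J(\tau _j)} \cdot \theta } \cdot e\big (g_r^{J(\tau _j)} \cdot h^{K(\tau _j)},h_z\big )^{-\frac{\theta }{J(\tau _j)}} \\ &= e(h_z,g_r)^{\theta } \cdot e(g_r,h_z)^{-\theta } = 1_{\mathbb {G}_T}, \end{aligned}$$

where the factors \(e(h,H_{\mathbb {G}}(\tau _j))^{-\rho }\) and \(e(H_{\mathbb {G}}(\tau _j),h)^{\rho }\) cancel and \(H_{\mathbb {G}}(\tau _j)=g_r^{J(\tau _j)} \cdot h^{K(\tau _j)}\) is used. This is why the branch requires \(J(\tau _j) \ne 0\): the exponent \(1/J(\tau _j)\) must exist in \(\mathbb {Z}_p\). For the tuple (6), when \(J(\tau ^\star )=0\) and thus \(H_{\mathbb {G}}(\tau ^\star )=h^{K(\tau ^\star )}\), the same cancellation of the \(M_i^\star \)-factors leaves \(e(h,v^\star )^{-K(\tau ^\star )} \cdot e\big (h^{K(\tau ^\star )},v^\star \big )=1_{\mathbb {G}_T}\) in the second equation, and the first equation is the \(\theta =0\) case of the one above, so \((z^\dagger ,r^\dagger ,u^\dagger ,v^\dagger )\) verifies. Finally, dividing the verification equations of \(\sigma ^\star \) by those of \((z^\dagger ,r^\dagger ,u^\dagger ,v^\dagger )\) term by term, the factors \(\prod _{i=1}^n e(g_i,M_i^\star )\), \(\prod _{i=1}^n e(h_i,M_i^\star )\) and, because \(v^\dagger =v^\star \), \(e(H_{\mathbb {G}}(\tau ^\star ),v^\star )\) all cancel, which gives

$$\begin{aligned} e\big (g_z,z^\ddagger \big ) \cdot e\big (g_r,r^\ddagger \big )=1_{\mathbb {G}_T}, \qquad \qquad e\big (h_z,z^\ddagger \big ) \cdot e\big (h,u^\ddagger \big )=1_{\mathbb {G}_T}, \end{aligned}$$

i.e., \((z^\ddagger ,r^\ddagger ,u^\ddagger )\) is a solution to the SDP instance \((g_z,g_r,h_z,h)\) as soon as \(z^\ddagger \ne 1_{\mathbb {G}}\).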

To do this, the key observation is that, in the desirable event

$$\begin{aligned} J\big (\tau ^\star \big )=0 \qquad \quad \wedge \qquad \quad \bigwedge _{\tau _j \ne \tau ^\star } J\big (\tau _j\big ) \ne 0, \end{aligned}$$
(7)

the only information that \(\mathcal {B}\) reveals about \((\chi _1,\ldots ,\chi _n)\) is contained in the \(z\)-components of signatures involving \(\tau ^\star \) if \(\mathcal {A}\) is a Type II adversary. Indeed, for each signing query \((\tau ,\vec {M})\) such that \(\tau \ne \tau ^\star , \mathcal {B}\) introduces in the signature a fresh random exponent \(\theta \in _R \mathbb {Z}_p\) that does not appear anywhere else. This allows \(\mathcal {B}\) not to leak anything about \((\chi _1,\ldots ,\chi _n)\) during these queries.

More precisely, let us first consider what an unbounded Type II adversary \(\mathcal {A}\) can see. Throughout the game, \(\mathcal {A}\) makes \(n(q-1)+(n-1)\) signing queries since at most \(n-1\) independent queries are allowed for the tag \(\tau ^\star \). Let us index these queries as \(\{\big (\tau _j,\vec {M}_k=(M_{k,1},\ldots ,M_{k,n}) \big )\}_{j,k}\), with \(j \in \{1,\ldots ,q\}\), and let \(\{(z_{j,k},r_{j,k},u_{j,k},v_{j,k})\}_{j,k}\) denote the answers in which \(\mathcal {B}\) introduces \(n(q-1)\) variables \(\{ \theta _{j,k} \}_{j \ne j^\star ,k \in \{1,\ldots ,n\}}\) in the exponent. Together with private key elements \(\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\), we have a total of \(3n+n(q-1)=2n+nq\) unknowns. Each signature \( (z_{j,k},r_{j,k},u_{j,k},v_{j,k}) \) provides \(\mathcal {A}\) with at most one new linearly independent equation—recall that \((z_{j,k},v_{j,k})\) uniquely determines \(r_{j,k},u_{j,k}\) while \( v_{j,k}\) does not depend on \(\theta _{j,k}\) or \(\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\)—in addition to the \(2n\) linear equations resulting from the public key elements \(\{(g_i,h_i)\}_{i=1}^n\).

Overall, a Type II adversary \(\mathcal {A}\) thus obtains \(2n+nq-1\) linear equations, which is insufficient to solve a system with \(2n+nq\) unknowns. Since \((M_1^\star ,\ldots ,M_n^\star )\) is linearly independent of the vectors \(\vec {M}_{j^\star ,1},\ldots ,\vec {M}_{j^\star ,n-1}\) associated with \(\tau ^\star \), for \(\mathcal {A}\), predicting the value \(z^\dagger \) of (6) is equivalent to finding the missing equation that would determine \((\chi _1,\ldots ,\chi _n)\). With probability \(1-1/p\), we thus have \(z^\dagger \ne z^\star \) as claimed.\(\square \)

1.2 Appendix 1.2: Proof of Lemma 2

Proof

Let \(\mathcal {A}\) be a Type I forger with non-negligible advantage \(\varepsilon \). We show that it implies an algorithm \(\mathcal {B}\) solving a SDP instance \((g_z,g_r,h_z,h )\) with probability at least \(\varepsilon /(8 q (L+1))\).

Algorithm \(\mathcal {B}\) begins by choosing \((w_0,w_1,\ldots ,w_L) \in \mathbb {G}^{L+1}\) as in the security proof of Waters signatures [67]. This is done in such a way that, for any \(\tau \in \{0,1\}^L\), the hash value \(H_{\mathbb {G}}(\tau )\) can be written \(H_{\mathbb {G}}(\tau )=g_r^{J(\tau )} \cdot h^{K(\tau )}\) for the same functions \(J,K:\{0,1\}^L \rightarrow \mathbb {Z}_p\) as in the proof of Lemma 1. For any distinct \(\tau ,\tau _1,\ldots ,\tau _q\), we will thus have \(J(\tau )=0 \mod p\) and \(J(\tau _i) \ne 0 \mod p\) for each \(i \in \{1,\ldots ,q\}\) with non-negligible probability \(\zeta =1/(8 \cdot q \cdot (L+1))\).

Other public key components are defined by setting \(g_i=g_z^{\chi _i} g_r^{\gamma _i}\) and \(h_i= h_z^{\chi _i} h^{\delta _i}\), with \( \chi _i, \gamma _i,\delta _i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) for \(i=1\) to \(n\). During the game, \(\mathcal {A}\)’s queries are handled as follows.

  • Signing queries: At each signing query \(\big (\tau _{j},\vec {M}=(M_1,\ldots ,M_n) \big )\) involving the \(j\)-th distinct tag \(\tau _{j}, \mathcal {B}\) aborts in the event that \(J(\tau _{j})=0 \mod p\). Otherwise, \(\mathcal {B}\) picks \(\rho ,\theta \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and computes

    $$\begin{aligned} \varTheta _1= H_{\mathbb {G}}\big (\tau _{j}\big )^{-\rho } \cdot \big (h_z\big )^{ \frac{K(\tau _{j})}{J(\tau _{j})} \cdot \theta }, \qquad \qquad \varTheta _2=h^\rho \cdot \big (h_z\big )^{\frac{- \theta }{J(\tau _{j})}}. \end{aligned}$$

    Note that the above pair can be written \((\varTheta _1,\varTheta _2)=\big ( h_z^{- \theta \cdot \alpha _r} \cdot H_{\mathbb {G}}(\tau )^{-\tilde{\rho }},h^{\tilde{\rho }} \big )\), where \(\tilde{\rho } = \rho - \frac{ \theta \cdot \beta _z }{J(\tau _{j})}\). Using \((\varTheta _1,\varTheta _2), \mathcal {B}\) obtains a well-formed signature on \((M_1,\ldots ,M_n) \) by computing

    $$\begin{aligned} z&= g_r^{\theta } \cdot \prod _{i=1}^n M_i^{-\chi _i},&r&= g_z^{-\theta } \cdot \prod _{i=1}^n M_i^{-\gamma _i},&u&= \varTheta _1 \cdot \prod _{i=1}^n M_i^{-\delta _i},&v&= \varTheta _2. \end{aligned}$$

    The signature \(\sigma =(z,r,u,v)\) is not directly returned to \(\mathcal {A}\) but associated with a new handle \(\mathsf {h}\) and stored in an entry \((\mathsf {h},(\tau _{j},\vec {M}),\sigma )\) of the table \(T\).

  • Derivation queries: When \(\mathcal {A}\) queries \(\big ( (\mathsf {h}_1,\ldots ,\mathsf {h}_k), \{\beta _i\}_{i=1}^k \big )\) to the signature derivation oracle, \(\mathcal {B}\) returns \(\perp \) if not all handles \(\mathsf {h}_1,\ldots ,\mathsf {h}_k\) correspond to queries involving \(\tau \). Otherwise, let \(\vec {M}_1,\ldots ,\vec {M}_k\) be the queried vectors. If \(\vec {M}' \ne \prod _{i=1}^k {\vec {M}_i}^{ \beta _i}\), \(\mathcal {B}\) returns \(\perp \). Otherwise, \(\mathcal {B}\) answers exactly like the real \(\mathsf {SignDerive}\) oracle and updates the table \(T\).

  • Reveal queries: When \(\mathcal {A}\) queries the \(\mathsf {Reveal}\) oracle with a handle \(\mathsf {h}\), \(\mathcal {B}\) returns \(\perp \) if no entry of the form \((\mathsf {h},(\tau ,\vec {M}),.)\) exists in \(T\). Otherwise, \(\mathcal {B}\) returns the previously computed signature \(\sigma \), just like the actual \(\mathsf {Reveal}\) oracle, and adds \(\big ( (\tau ,\vec {M}),\sigma )\) in the list \(Q\).

  • Forgery: Eventually, \(\mathcal {A}\) outputs a Type II forgery \((\tau ^\star ,\vec {M}^\star ,\sigma ^\star )\), where \(\vec {M}^\star =(M_1^\star ,\ldots ,M_n^\star )\) and \(\sigma ^\star =(z^\star ,r^\star ,u^\star ,v^\star ) \in \mathbb {G}^4 \) is a tuple satisfying the verification equation. At this step, \(\mathcal {B}\) computes \(J(\tau ^\star )\) and aborts if \(J(\tau ^\star ) \ne 0\). However, the same analysis as in [67] shows that, with probability \(1/(8q (L+1))\), we have \(J(\tau ^\star )=0\) and \(J(\tau _{j})\ne 0\) for each \(j \in \{1,\ldots ,q\}\).

If \(\mathcal {B}\) does not fail, we have \(H_{\mathbb {G}}(\tau ^\star )=h^{K(\tau ^\star )}\) and \(\mathcal {B}\) can thus compute

$$\begin{aligned} z^\dagger&= \prod _{i=1}^n {M_i^\star }^{-\chi _i},&r^\dagger&= \prod _{i=1}^n {M_i^\star }^{-\gamma _i},&u^\dagger&= {v^\star }^{-K(\tau ^\star )} \cdot \prod _{i=1}^n {M_i^\star }^{-\delta _i},&v^\dagger&= v^\star . \end{aligned}$$
(8)

The \(4\)-uple \((z^\dagger ,r^\dagger ,u^\dagger ,v^\dagger )\) forms a valid signature on \((M_1^\star ,\ldots ,M_n^\star )\) whose last component is identical to that of \(\mathcal {A}\)’s forgery. Since \((z^\dagger ,r^\dagger ,u^\dagger ,v^\dagger )\) and \((z^\star ,r^\star ,u^\star ,v^\star )\) both satisfy the verification equations, we find that

$$\begin{aligned} \Big (z^\ddagger , r^{\ddagger },u^{\ddagger }\Big ) = \Bigg ( \frac{z^{\star }}{z^\dagger }, \frac{r^{\star }}{r^\dagger }, \frac{u^{\star }}{u^\dagger } \Bigg ) \end{aligned}$$

necessarily gives a non-trivial solution to the SDP instance with overwhelming probability.

Indeed, the same arguments as in the proof of Lemma 1 show that we can only have \(z^\ddagger = 1_{\mathbb {G}}\) with probability \(1/p\). The reason is that, in each signing query, \(\mathcal {B}\) introduces a new blinding exponent \(\theta \) that does not appear anywhere else. For this reason, \(\mathcal {B}\) never leaks any information about \((\chi _1,\ldots ,\chi _n)\) at any time and the element \(z^\dagger \) is thus completely undetermined in \(\mathcal {A}\)’s view.\(\square \)

Appendix 2: A fully randomizable linearly homomorphic SPS

In certain situations, one may want derived signatures to have the same distribution as original signatures on the same messages.

Appendix 2.1: Privacy definition

Ahn et al. [8] formalized a strong privacy property requiring that derived signatures be statistically indistinguishable from original ones, even when these are given.

In [12], Attrapadung et al. extended the definition of [8]—which only considers honestly generated signatures—to any original signature satisfying the verification algorithm.

Definition 6

([12]) A linearly homomorphic signature \((\mathsf {Keygen},{\mathsf {Sign}},\mathsf {SignDerive},{\mathsf {Verify}})\) is said to be completely context hiding if, for all public/private key pairs \((\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {Keygen}(\lambda )\), for any message set \({\mathcal {S}}=\{ (\tau ,\vec {M}_1),\ldots ,(\tau ,\vec {M}_{n-1}) \} \), any coefficients \(\{\omega _i\}_{i=1}^{n-1}\) and any \((\tau ,\vec {M}) \) such that \(\vec {M} = \prod _{i=1}^{n-1} \vec {M}_i^{\omega _i}\), and for all \(\{\sigma _i\}_{i=1}^{n-1}\) such that \({\mathsf {Verify}}(\mathsf {pk},\tau , \vec {M}_i,\sigma _i )=1\), the following distributions are statistically close

$$\begin{aligned}&\left\{ \left( \mathsf {sk},~\{\sigma _i\}_{i=1}^{n-1}, ~{\mathsf {Sign}}(\mathsf {sk},\tau ,\vec {M})\right) \right\} _{\mathsf {sk},{\mathcal {S}},\vec {M}},\\&\left\{ \bigl (\mathsf {sk},~\{\sigma _i\}_{i=1}^{n-1}, ~\mathsf {SignDerive}\big (\mathsf {pk},\tau ,~ \{(\omega _i,\sigma _i)\}_{i=1}^{n-1} \big ) \bigr ) \right\} _{\mathsf {sk},{\mathcal {S}},\vec {M}}. \end{aligned}$$

In [8] Ahn et al. showed that, if a scheme is strongly context hiding, then Definition 1 can be simplified by removing the \(\mathsf {SignDerive}\) and \(\mathsf {Reveal}\) oracles and only providing the adversary with an ordinary signing oracle.

Appendix 2.2: A completely context-hiding construction

We show that our scheme of Sect. 3.2 can be modified so as to become strongly context-hiding in the sense of [8]. Namely, signatures produced by the \(\mathsf {SignDerive}\) algorithm should be statistically indistinguishable from signatures freshly generated by \({\mathsf {Sign}}\), even when the original signatures are given.

The difficulty is that, in the scheme of Sect. 3.2, we cannot re-randomize the underlying \(\theta \) without knowing \(h_z^{\alpha _r}\). To address this problem, it is tempting to include in each signature a randomization component of the form \((h_z^{\alpha _r} \cdot H_{\mathbb {G}}(\tau )^{-\zeta },h^{\zeta })\), for some \(\zeta \in \mathbb {Z}_p\), which can be seen as a signature on the vector \((1_{\mathbb {G}},\ldots ,1_{\mathbb {G}})\). Unfortunately, the security proof ceases to go through, as the reduction finds itself unable to generate a well-formed pair \((h_z^{\alpha _r} \cdot H_{\mathbb {G}}(\tau )^{-\zeta },h^{\zeta })\) at some step of its interaction with the adversary. Our solution instead consists in committing to the signature components that cannot be re-randomized and providing evidence that the committed group elements satisfy the verification equations. This is achieved using Groth–Sahai non-interactive arguments on a perfectly witness indistinguishable Groth–Sahai CRS, as in the linearly homomorphic construction of Attrapadung et al. [13]. A slight difference with [13], however, is that the signature components \((H_{\mathbb {G}}(\tau )^{-\rho },h^{-\rho })\) are no longer used and are replaced by the technique of Malkin et al. [62], which yields slightly shorter signatures.

  • Keygen \({\varvec{(\lambda ,n)}}\) given a security parameter \(\lambda \) and the dimension \(n \in {\mathbb {N}}\) of the subspace to be signed, choose bilinear group \((\mathbb {G},\mathbb {G}_T)\) of order \(p >2^{\lambda }\). Then, do the following.

    1. Choose \(h \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\) and \(\alpha _z,\alpha _r,\beta _z \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\). Define \(g_z=h^{\alpha _z}\), \(g_r=h^{\alpha _r}\) and \(h_z=h^{\beta _z}\).

    2. For each \(i \in \{1,\ldots ,n \}\), pick \( \chi _i, \gamma _i,\delta _i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and compute \(g_i= g_z^{\chi _i} \cdot g_r^{\gamma _i}\), \(h_i= h_z^{\chi _i} \cdot h^{\delta _i}\).

    3. Generate \(L+1\) Groth–Sahai common reference strings by choosing \(f_1,f_2 \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\) and defining vectors \(\vec {f_1}=(f_1,1,g) \in \mathbb {G}^3\), \(\vec {f_2}=(1,f_2,g) \in \mathbb {G}^3\) and \(\vec {f}_{3,i} \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}^3\), for each \(i \in \{0,\ldots ,L\}\).

    The public key consists of

    $$\begin{aligned} \mathsf {pk}= \Bigg (g_z,~g_r,~h_z,~ h,~\{g_i,h_i\}_{i=1}^n,~ {{\mathbf {f}}}=\Big (\vec {f}_1,\vec {f}_2, \{ \vec {f}_{3,i} \}_{i=0}^{L} \Big ) \Bigg ) \end{aligned}$$

    while the private key is \(\mathsf {sk}=\big ( h_z^{\alpha _r},~ \{ \chi _i, \gamma _i,\delta _i \}_{i=1}^n \big ) \).

  • Sign \({\varvec{(\mathsf {sk},\tau ,(M_1,\ldots ,M_n))}}\) to sign a vector \((M_1,\ldots ,M_n) \in \mathbb {G}^n\) using \(\mathsf {sk}= \big ( h_z^{\alpha _r},\{ \chi _i, \gamma _i,\delta _i \}_{i=1}^n \big ) \) with the file identifier \(\tau \), conduct the following steps.

    1. Choose \(\theta \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and compute

      $$\begin{aligned} z&= g_r^{\theta } \cdot \prod _{i=1}^{n} M_i^{-\chi _i},&r&= g_z^{-\theta } \cdot \prod _{i=1}^n M_i^{-\gamma _i},&u&= h_z^{-\theta \cdot \alpha _r} \cdot \prod _{i=1}^n M_i^{-\delta _i}. \end{aligned}$$

    2. Using the bits \(\tau [1]\ldots \tau [L]\) of \(\tau \in \{0,1\}^L\), define the vector \(\vec {f}_{\tau }=\vec {f}_{3,0} \cdot \prod _{i=1}^L \vec {f}_{3,i}^{~\tau [i]}\) so as to assemble a Groth–Sahai CRS \({\mathbf {f}}_{\tau }=(\vec {f}_1,\vec {f}_2,\vec {f}_{\tau })\).

    3. Using \({\mathbf {f}}_{\tau }\), compute Groth–Sahai commitments

      $$\begin{aligned} \vec {C}_z= & {} \big (1_{\mathbb {G}},1_{\mathbb {G}},z\big ) \cdot \vec {f_1}^{\nu _{z,1}} \cdot \vec {f_2}^{\nu _{z,2}} \cdot \vec {f_\tau }^{\nu _{z,3}}\\ \vec {C}_r= & {} \big (1_{\mathbb {G}},1_{\mathbb {G}},r\big ) \cdot \vec {f_1}^{\nu _{r,1}} \cdot \vec {f_2}^{\nu _{r,2}} \cdot \vec {f_\tau }^{\nu _{r,3}} \\ \vec {C}_u= & {} \big (1_{\mathbb {G}},1_{\mathbb {G}},u\big ) \cdot \vec {f_1}^{\nu _{u,1}} \cdot \vec {f_2}^{\nu _{u,2}} \cdot \vec {f_\tau }^{\nu _{u,3}} \end{aligned}$$

      to \(z, r\) and \(u\), respectively. Using the randomness of these commitments, generate proofs \(\vec {\pi }_{1}=(\pi _{1,1},\pi _{1,2},\pi _{1,3}) \in \mathbb {G}^3\) and \(\vec {\pi }_{2}=(\pi _{2,1},\pi _{2,2},\pi _{2,3}) \in \mathbb {G}^3\) that \((z,r,u)\) satisfy the verification equations \(1_{\mathbb {G}_T}=e(g_z,z) \cdot e(g_r,r) \cdot \prod _{i=1}^n e(g_i,M_i)\) and \(1_{\mathbb {G}_T}=e(h_z,z) \cdot e(h,u) \cdot \prod _{i=1}^n e(h_i,M_i)\). These proofs are obtained as

      $$\begin{aligned} \vec {\pi }_1= & {} \big (\pi _{1,1},\pi _{1,2},\pi _{1,3}\big ) =\Big ( g_z^{-\nu _{z,1}} \cdot g_r^{-\nu _{r,1}},~g_z^{-\nu _{z,2}} \cdot g_r^{-\nu _{r,2}},~g_z^{-\nu _{z,3}} \cdot g_r^{-\nu _{r,3}} \Big ) \nonumber \\ \vec {\pi }_2= & {} \big (\pi _{2,1},\pi _{2,2},\pi _{2,3}\big ) =\Big ( h_z^{-\nu _{z,1}} \cdot h^{-\nu _{u,1}},~h_z^{-\nu _{z,2}} \cdot h^{-\nu _{u,2}},~h_z^{-\nu _{z,3}} \cdot h^{-\nu _{u,3}} \Big ) \end{aligned}$$

      and satisfy the verification equations

      $$\begin{aligned} \prod _{i=1}^n E\Big (g_i,\big (1_{\mathbb {G}},1_{\mathbb {G}},M_i\big ) \Big )^{-1}&= E\big (g_z,\vec {C}_z \big ) \cdot E \big (g_r,\vec {C}_r \big ) \cdot E\big (\pi _{1,1},\vec {f}_1\big ) \nonumber \\&\quad \ \cdot E\big (\pi _{1,2},\vec {f}_2\big ) \cdot E\big (\pi _{1,3},\vec {f}_{\tau }\big ),\nonumber \\ \prod _{i=1}^n E\Big (h_i,\big (1_{\mathbb {G}},1_{\mathbb {G}},M_i\big ) \Big )^{-1}&= E\big (h_z,\vec {C}_z \big ) \cdot E \big (h,\vec {C}_u \big ) \cdot E\big (\pi _{2,1},\vec {f}_1\big ) \nonumber \\&\quad \ \cdot E\big (\pi _{2,2},\vec {f}_2\big ) \cdot E\big (\pi _{2,3},\vec {f}_{\tau }\big ). \end{aligned}$$
      (9)

    The signature consists of

    $$\begin{aligned} \sigma =\big (\vec {C}_z,\vec {C}_r,\vec {C}_u,\vec {\pi }_1,\vec {\pi }_2\big ) \in \mathbb {G}^{15}. \end{aligned}$$
    (10)
  • SignDerive \({\varvec{(\mathsf {pk},\tau ,\{(\omega _i, \sigma ^{(i)})\}_{i=1}^\ell )}}\) given \(\mathsf {pk}\), a file identifier \(\tau \) and \(\ell \) tuples \((\omega _i,\sigma ^{(i)}) \), parse each signature \(\sigma ^{(i)}\) as a tuple of the form \( \sigma ^{(i)}=(\vec {C}_{z,i},\vec {C}_{r,i},\vec {C}_{u,i},\vec {\pi }_{1,i}, \vec {\pi }_{2,i}) \in \mathbb {G}^{15} \) for \(i=1\) to \(\ell \). Then, the derivation process proceeds in two steps.

    1. Compute

      $$\begin{aligned} \vec {C}_z&= \prod _{i=1}^\ell \vec {C}_{z,i}^{~\omega _i},&\vec {C}_r&=\prod _{i=1}^{\ell } \vec {C}_{r,i}^{~\omega _i},&\vec {C}_{u}&=\prod _{i=1}^{\ell } \vec {C}_{u,i}^{~\omega _i},&\vec {\pi }_{1}&=\prod _{i=1}^{\ell } \vec {\pi }_{1,i}^{~\omega _i},&\vec {\pi }_{2}&=\prod _{i=1}^{\ell } \vec {\pi }_{2,i}^{~\omega _i}. \end{aligned}$$

    2. Re-randomize the above commitments and proofs using their homomorphic property and return the re-randomized version \(\sigma =(\vec {C}_z,\vec {C}_r,\vec {C}_u,\vec {\pi }_1,\vec {\pi }_2 )\).

  • Verify \({\varvec{(\mathsf {pk},\sigma ,\tau ,(M_1,\ldots ,M_n))}}\) given a pair \((\tau ,(M_1,\ldots ,M_n))\) and a purported signature \(\sigma \), parse the latter as \((\vec {C}_z,\vec {C}_r,\vec {C}_u,\vec {\pi }_1,\vec {\pi }_2 )\). Then, return \(1\) if and only if \((M_1,\ldots ,M_n)\ne (1_{\mathbb {G}},\ldots ,1_{\mathbb {G}})\) and the equations (9) are satisfied.
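The following is an added example and not code from the paper. It checks the exponent algebra of the underlying signatures \((z,r,u)\) computed at step 1 of Sign (the same equations as in the scheme of Sect. 3.2 and in the reduction of Appendix 1): every element of \(\mathbb {G}\) is represented by its discrete logarithm to the base \(h\), and the pairing \(e(h^a,h^b)\) by the product \(a \cdot b \bmod p\), so that each pairing-product equation of (13) becomes a linear relation over \(\mathbb {Z}_p\). This representation is an assumption of the model only: a real verifier never knows these logarithms, and the Groth–Sahai layer of (9)–(10) is not modelled. The code confirms that fresh signatures, the weighted products formed by SignDerive and the \(\theta =0\) witness of (15) all satisfy (13), and that dividing a signature with \(\theta \ne 0\) by the \(\theta =0\) one yields a triple \((z^\ddagger ,r^\ddagger ,u^\ddagger )\) satisfying the SDP relations with \(z^\ddagger \ne 1_{\mathbb {G}}\), as in (8). The prime, the function names and the sample vectors are constructed for the example.

```python
"""Exponent-level model of the (z, r, u) signatures of Sect. 3.2 / Sign step 1.

Group elements of G are stored as discrete logs to the base h; the pairing
e(h^a, h^b) is modelled as a*b mod p.  A pairing-product equation that equals
1_{G_T} therefore becomes "sum of products == 0 (mod p)".  This only checks
the algebra of the scheme: it is not a cryptographic implementation.
"""
import secrets

P = 2**61 - 1  # constructed toy group order p (a Mersenne prime)


def rand_exp():
    """Uniform non-zero exponent in Z_p."""
    return secrets.randbelow(P - 1) + 1


def pair(a, b):
    """Pairing of h^a and h^b, as the log of the result to the base e(h, h)."""
    return (a * b) % P


def keygen(n):
    """Keygen steps 1 and 2: g_z = h^{alpha_z}, g_r = h^{alpha_r}, h_z = h^{beta_z},
    g_i = g_z^{chi_i} g_r^{gamma_i}, h_i = h_z^{chi_i} h^{delta_i}; all as logs."""
    alpha_z, alpha_r, beta_z = rand_exp(), rand_exp(), rand_exp()
    chi = [rand_exp() for _ in range(n)]
    gamma = [rand_exp() for _ in range(n)]
    delta = [rand_exp() for _ in range(n)]
    pk = {
        "g_z": alpha_z, "g_r": alpha_r, "h_z": beta_z, "h": 1,  # log_h(h) = 1
        "g": [(alpha_z * chi[i] + alpha_r * gamma[i]) % P for i in range(n)],
        "h_i": [(beta_z * chi[i] + delta[i]) % P for i in range(n)],
    }
    sk = {"chi": chi, "gamma": gamma, "delta": delta,
          "hz_alpha_r": (beta_z * alpha_r) % P}  # log of h_z^{alpha_r}
    return pk, sk


def sign(pk, sk, msg, theta=None):
    """Sign step 1 on a vector of logs msg; theta=0 gives the witness of (15)."""
    if theta is None:
        theta = rand_exp()
    n = len(msg)
    z = (pk["g_r"] * theta - sum(sk["chi"][i] * msg[i] for i in range(n))) % P
    r = (-pk["g_z"] * theta - sum(sk["gamma"][i] * msg[i] for i in range(n))) % P
    u = (-sk["hz_alpha_r"] * theta - sum(sk["delta"][i] * msg[i] for i in range(n))) % P
    return (z, r, u)


def verify(pk, msg, sig):
    """The two pairing-product equations (13); the all-identity vector is rejected."""
    z, r, u = sig
    n = len(msg)
    if all(m == 0 for m in msg):  # log 0 is the identity 1_G
        return False
    eq1 = (pair(pk["g_z"], z) + pair(pk["g_r"], r)
           + sum(pair(pk["g"][i], msg[i]) for i in range(n))) % P
    eq2 = (pair(pk["h_z"], z) + pair(pk["h"], u)
           + sum(pair(pk["h_i"][i], msg[i]) for i in range(n))) % P
    return eq1 == 0 and eq2 == 0


def sign_derive(weighted):
    """prod_i sigma_i^{omega_i}, component-wise: weighted sums of the logs."""
    return tuple(sum(w * s[k] for w, s in weighted) % P for k in range(3))


def combine_msgs(weighted_msgs):
    """prod_i M_i^{omega_i} on vectors of logs (the message SignDerive signs)."""
    n = len(weighted_msgs[0][1])
    return [sum(w * m[i] for w, m in weighted_msgs) % P for i in range(n)]


def sdp_witness(pk, sig_star, sig_dagger):
    """Quotient (z, r, u)^ddagger = sig_star / sig_dagger as in (8)/(15).

    Returns the triple and whether e(g_z,z)e(g_r,r) = e(h_z,z)e(h,u) = 1_{G_T}
    holds with z != 1_G, i.e. whether it is a non-trivial SDP solution."""
    zd, rd, ud = ((a - b) % P for a, b in zip(sig_star, sig_dagger))
    ok = ((pair(pk["g_z"], zd) + pair(pk["g_r"], rd)) % P == 0
          and (pair(pk["h_z"], zd) + pair(pk["h"], ud)) % P == 0
          and zd != 0)
    return (zd, rd, ud), ok


if __name__ == "__main__":
    pk, sk = keygen(3)
    m1, m2 = [5, 7, 11], [2, 3, 4]          # constructed vectors of logs
    s1, s2 = sign(pk, sk, m1), sign(pk, sk, m2)
    print("fresh signatures verify:", verify(pk, m1, s1), verify(pk, m2, s2))
    d = sign_derive([(3, s1), (5, s2)])
    print("derived signature verifies:", verify(pk, combine_msgs([(3, m1), (5, m2)]), d))
    s0 = sign(pk, sk, m1, theta=0)          # the witness the reduction computes
    print("theta=0 witness verifies:", verify(pk, m1, s0))
    print("quotient is a non-trivial SDP solution:", sdp_witness(pk, s1, s0)[1])
```

Because verification is linear in the pair (message, signature), the weighted product of valid signatures on \(\vec {M}_1,\ldots ,\vec {M}_\ell \) verifies on \(\prod _i \vec {M}_i^{\omega _i}\) without any secret, and the difference between two signatures on the same vector isolates the \(\theta \)-dependent part \((g_r^{\theta },g_z^{-\theta },h_z^{-\theta \alpha _r})\), which is exactly the SDP solution the reductions extract.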

We believe this construction to be of interest even if we disregard its structure-preserving property. Indeed, if we compare it with the only known completely context-hiding linearly homomorphic signature in the standard model [13], its signatures are shorter by one group element. Moreover, we can prove the security under the sole DLIN assumption whereas the scheme of [13] requires an additional assumption.

The scheme is clearly completely context hiding because signatures only consist of perfectly randomizable commitments and NIWI arguments.

As for the unforgeability of the scheme, the proof of the following theorem is along the lines of [62, Theorem 5]. However, we can only prove unforgeability in a weaker sense as we need to assume that the adversary is targeting. Namely, in the case of Type II attacks, the adversary must also output a proof that it actually broke the security of the scheme and that its vector \(\vec {M}^\star =(M_1^\star ,\ldots ,M_n^\star ) \in \mathbb {G}^n\) is indeed independent of the vectors for which it obtained signatures for the target tag \(\tau ^\star \).

If \(\{\vec {M}_i=(M_{i,1},\ldots ,M_{i,n})\}_{i=1}^m\) denote the linearly independent vectors that were signed for \(\tau ^\star \), the adversary could simply output a vector \(\vec {W}=(W_1,\ldots ,W_n) \in \mathbb {G}^{n }\) such that \(\prod _{j=1}^n e(M_j^\star ,W_{j}) \ne 1_{\mathbb {G}_T}\) and \(\prod _{j=1}^n e(M_{i,j},W_{j}) = 1_{\mathbb {G}_T}\) for each \(i \in \{1,\ldots ,m\}\). The latter test guarantees that the adversary’s output is a non-trivial Type II forgery.

Theorem 4

The above scheme provides unforgeability against independent targeting adversaries if the DLIN assumption holds in \(\mathbb {G}\).

Proof

Since the scheme is completely context-hiding, we work with a simpler security definition where the adversary only interacts with a signing oracle. This suffices to guarantee security in the sense of Definition 2, as implied by the result of Ahn et al. [8]. The proof proceeds via a sequence of games. In each game, we denote by \(X_i\) the probability that the adversary \(\mathcal {A}\) wins.

\({\mathsf{Game }}_{ real }:\) This is the real game. When the adversary \(\mathcal {A}\) terminates, the simulator outputs \(1\) if \(\mathcal {A}\) is successful. We thus have \(\Pr [X_{ real }]={\mathbf {Adv}}(\mathcal {A})\).

\({\mathsf{Game }}_{0}:\) This game is identical to \({\mathsf{Game }}_{ real }\) but we modify the generation of the public key. Namely, the vectors \((\vec {f_1},\vec {f_2},\{ \vec {f}_{3,i} \}_{i=0}^L )\) are chosen by setting \(\vec {f}_1=(f_1,1_{\mathbb {G}},g)\) and \(\vec {f}_2=(1_{\mathbb {G}},f_2,g)\), with \(f_1,f_2 \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\). As for \(\{ \vec {f}_{3,i} \}_{i=0}^L\), they are obtained as

$$\begin{aligned} \vec {f}_{3,0}= & {} \vec {f_1}^{\xi _{0,1}} \cdot \vec {f_2}^{\xi _{0,2}} \cdot \big (1,1,g\big )^{\xi _{0,3}} \cdot \big (1,1,g\big )^{\mu \cdot \zeta - \rho _0} \nonumber \\ \vec {f}_{3,i}= & {} \vec {f_1}^{\xi _{i,1}} \cdot \vec {f_2}^{\xi _{i,2}} \cdot \big (1,1,g\big )^{\xi _{i,3}} \cdot \big (1,1,g\big )^{-\rho _i}, \qquad \qquad i \in \big \{1,\ldots ,L\big \} \end{aligned}$$
(11)

with \(\mu \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\{0,\ldots ,L\}, \xi _{0,1},\xi _{1,1},\ldots ,\xi _{L,1} \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p, \xi _{0,2},\xi _{1,2},\ldots ,\xi _{L,2} \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p, \xi _{0,3},\xi _{1,3},\ldots ,\xi _{L,3} \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and \(\rho _0,\rho _1,\ldots ,\rho _L \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\{0,\ldots ,\zeta -1\}\), with \(\zeta =2q\) and where \(q\) is the number of distinct tags across all signing queries. Note that this change is only conceptual since \(\{ \vec {f}_{3,i} \}_{i=0}^L\) have the same distribution as in \({\mathsf{Game }}_{ real }\). We thus have \(\Pr [X_0]={\mathbf {Adv}}(\mathcal {A})\).

\({\mathsf{Game }}_{1}:\) In this game, we first raise an event \(F_1\), which causes the simulator \(\mathcal {B}\) to abort if it does not occur. Let \(\tau _1,\ldots ,\tau _q\) be the distinct tags successively involved in \(\mathcal {A}\)’s queries throughout the game and let \(\tau ^\star \) be the tag involved in \(\mathcal {A}\)’s forgery. We know that, for a Type II forger, \(\tau ^\star \in \{\tau _1,\ldots ,\tau _q\}\) whereas \(\tau ^\star \not \in \{\tau _1,\ldots ,\tau _q\}\) for a Type I adversary. For each string \(\tau \in \{0,1\}^L\), we consider the function \(J(\tau )= \mu \cdot \zeta - \rho _0 - \sum _{i=1}^L \rho _i \tau [i]\). We also define \(F_1\) to be the event that

$$\begin{aligned} J\big (\tau ^\star \big )=0 \qquad \wedge \qquad \bigwedge _{\tau _j \in \{\tau _1,\ldots ,\tau _q\} \backslash \{ \tau ^\star \}} J\big (\tau _j\big ) \ne 0 . \end{aligned}$$

We note that the exponents \(\rho _0,\rho _1,\ldots ,\rho _L\) are independent of \(\mathcal {A}\)’s view: as a consequence, the simulator could equivalently define \( \{ \vec {f}_{3,i} \}_{i=0}^L\) first and only choose \(\{\rho _i\}_{i=0}^L\), together with values \(\{\xi _{i,3}\}_{i=0}^L\) explaining the \(\{\vec {f}_{3,i}\}_{i=0}^L\), at the end of the game, when \(\tau ^\star ,\tau _1,\ldots ,\tau _q\) have been defined. In the case of a Type I attack, the same analysis as [67] (after the simplification of Bellare and Ristenpart [14]) shows that \(\Pr [X_1 \wedge F_1] \ge {\mathbf {Adv}}(\mathcal {A})^2/(27 \cdot q \cdot (L+1))\).

This follows from the fact that, for any set of queries, a lower bound on the probability of event \(F_1\) is \( 1/(2q(L+1))\). In the case of Type II attacks, a lower bound on the probability of \(F_1\) for any set of queries is given by \( \eta \ge 1/(2 (q-1)(L+1))>1/(2q (L+1))\). Indeed, after re-ordering, the set of queried tags can be written \(\{\tau ^\star ,\tau _1,\ldots ,\tau _{q-1}\}\) and, from the known results [52, 67] on the programmability of Waters’ hash function, we know that the probability, taken over the choice of \((\mu , \rho _0,\ldots ,\rho _L)\), to have \(J(\tau ^\star )=0\) and \(\wedge _{j=1}^{q-1} J(\tau _j)\ne 0\) for any distinct \(\tau ^\star ,\tau _1,\ldots ,\tau _q\) is at least \( 1/(2(q-1)(L+1))>1/(2q(L+1)). \) In the following, we denote by \(F_i\) the counterpart of event \(F_1\) in \({\mathsf{Game }}_i\).
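As an added example that is not part of the paper, the following enumerates every choice of \((\mu ,\rho _0,\ldots ,\rho _L)\) for constructed small parameters and computes the exact probability of the event \(F_1\) for the function \(J(\tau )= \mu \cdot \zeta - \rho _0 - \sum _{i=1}^L \rho _i \tau [i]\) of \({\mathsf{Game }}_{1}\), next to the probability of \(J(\tau ^\star )=0\) alone, so that the two factors of the programmability argument (hitting \(\tau ^\star \) and missing every other queried tag) can be inspected separately. The choice \(\zeta =2q\) follows the text; the tag strings and the function names are constructed. With exact fractions, the same routine also covers the Type I case, where \(\tau ^\star \) is not among the queried tags.

```python
"""Exact probability of the abort event F_1 of Game_1 by exhaustive enumeration."""
from fractions import Fraction
from itertools import product


def J(tau, mu, rho, zeta):
    """J(tau) = mu*zeta - rho_0 - sum_{i=1}^L rho_i * tau[i], tau an L-bit string."""
    return mu * zeta - rho[0] - sum(rho[i] * int(tau[i - 1]) for i in range(1, len(tau) + 1))


def enumerate_F1(L, zeta, tau_star, other_tags):
    """Return (Pr[J(tau*) = 0], Pr[F_1]) as exact Fractions.

    mu ranges over {0, ..., L} and each rho_i over {0, ..., zeta - 1}, all uniform
    and independent.  other_tags are the queried tags different from tau*: for a
    Type II forger tau* is one of the q queried tags, for a Type I forger it is not.
    """
    assert all(len(t) == L for t in [tau_star] + other_tags)
    assert tau_star not in other_tags
    total = (L + 1) * zeta ** (L + 1)
    star_zero = 0   # choices with J(tau*) = 0
    f1 = 0          # choices with J(tau*) = 0 and J(tau_j) != 0 for all other tags
    for mu in range(L + 1):
        for rho in product(range(zeta), repeat=L + 1):
            if J(tau_star, mu, rho, zeta) != 0:
                continue
            star_zero += 1
            if all(J(t, mu, rho, zeta) != 0 for t in other_tags):
                f1 += 1
    return Fraction(star_zero, total), Fraction(f1, total)


if __name__ == "__main__":
    # Constructed Type II instance: q = 3 distinct queried tags (tau* among them),
    # L = 4 bits per tag, zeta = 2q as in Game_0.
    L, q = 4, 3
    zeta = 2 * q
    p_star, p_f1 = enumerate_F1(L, zeta, "0110", ["1001", "0111"])
    print("Pr[J(tau*) = 0] =", p_star, "  (1/(zeta(L+1)) =", Fraction(1, zeta * (L + 1)), ")")
    print("Pr[F_1]         =", p_f1, " ~", float(p_f1))
```

The first factor is always exactly \(1/(\zeta (L+1))\): the uniform \(\rho _0\) makes the sum \(\rho _0 + \sum _i \rho _i \tau ^\star [i]\) uniform modulo \(\zeta \), and the independent \(\mu \) then matches its quotient with probability \(1/(L+1)\). The enumeration is feasible only for tiny \(L\) and \(q\) (the loop visits \((L+1)\zeta ^{L+1}\) tuples), which is the point: it lets the reader compare the exact value with the analytic lower bounds quoted in the text before relying on them at cryptographic sizes.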

\({\mathsf{Game }}_{2}:\) In this game, we modify the distribution of the public key. Namely, \(\vec {f_1}=(f_1,1,g)\) and \(\vec {f_2}=(1,f_2,g)\) are chosen as before but, instead of generating the vectors \(\{\vec {f}_{3,i}\}_{i=0}^L\) as previously, we choose them as

$$\begin{aligned} \vec {f}_{3,0}= & {} \vec {f_1}^{\xi _{0,1}} \cdot \vec {f_2}^{\xi _{0,2}} \cdot \big (1,1,g\big )^{\mu \cdot \zeta - \rho _0} \nonumber \\ \vec {f}_{3,i}= & {} \vec {f_1}^{\xi _{i,1}} \cdot \vec {f_2}^{\xi _{i,2}} \cdot \big (1,1,g\big )^{-\rho _i}, \qquad \qquad i \in \big \{1,\ldots ,L\big \} \end{aligned}$$
(12)

which amounts to setting \(\xi _{0,3}=\xi _{1,3}=\ldots = \xi _{L,3}=0\). This change should not significantly affect \(\mathcal {A}\)’s behavior if the DLIN assumption holds. More precisely, if events \(X_1 \wedge F_1\) and \(X_2 \wedge F_2\) occur with noticeably different probabilities in \({\mathsf{Game }}_1\) and \({\mathsf{Game }}_2\), this contradicts the DLIN assumption. Concretely, consider a DLIN instance \( (g,f_1,f_2,f_1^{\delta _1},f_2^{\delta _2},Z )\), where \(\delta _1,\delta _2 \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and \(Z=g^{\delta _1+\delta _2}\) or \(Z \in _R \mathbb {G}\). Using the random self-reducibility of DLIN, we can create \(L+1\) independent DLIN instances by picking \(\varphi _{i},\phi _i,\psi _i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\), for \(i\in \{0,\ldots ,L\}\) and setting

$$\begin{aligned} \vec {f}_{3,0}= & {} \Big ( \big (f_1^{\delta _1}\big )^{\varphi _{0}} \cdot f_1^{\phi _{0}}, ~\big (f_2^{\delta _2}\big )^{\varphi _0} \cdot f_2^{\psi _{0}},~Z^{\varphi _{0}} \cdot g^{\phi _{0}+\psi _{0}} \Big ) \cdot \big (1,1,g\big )^{\mu \cdot \zeta - \rho _0} \\ \vec {f}_{3,i}= & {} \Big ( \big (f_1^{\delta _1}\big )^{\varphi _{i}} \cdot f_1^{\phi _{i}}, ~\big (f_2^{\delta _2}\big )^{\varphi _i} \cdot f_2^{\psi _{i}},~Z^{\varphi _{i}} \cdot g^{\phi _{i}+\psi _{i}} \Big ) \cdot \big (1,1,g\big )^{-\rho _i}, \qquad \quad i \in \big \{1,\ldots ,L\big \} \end{aligned}$$

If \(Z \in _R \mathbb {G}\), \(\{\vec {f}_{3,i}\}_{i=0}^L\) is distributed as in \({\mathsf{Game }}_1\). If \(Z=g^{\delta _1+\delta _2}\), the distribution of \(\{\vec {f}_{3,i}\}_{i=0}^L\) is the same as in (12). For this reason, we can write \(|\Pr [X_2 \wedge F_2]-\Pr [X_1 \wedge F_1]|\le {\mathbf {Adv}}^{\mathrm{DLIN}}(\mathcal {A})\) as we assumed that the challenger \(\mathcal {B}\) can always detect when a targeting adversary is successful.

\({\mathsf{Game }}_{3}:\) In this game, we modify the treatment of signing queries. We note that, for a given message \((\tau ,\vec {M}=(M_1,\ldots ,M_n))\), there is an exponential number of witnesses \((z,r,u) \in \mathbb {G}^3\) satisfying the verification equations

$$\begin{aligned} \begin{aligned} e(g_z,z) \cdot e(g_r,r) \cdot \prod _{i=1}^n e\big (g_i,M_i\big ) = 1_{\mathbb {G}_T},\\ e(h_z,z) \cdot e(h,u) \cdot \prod _{i=1}^n e\big (h_i,M_i\big ) = 1_{\mathbb {G}_T}. \end{aligned} \end{aligned}$$
(13)

Specifically, each \(z \in _R \mathbb {G}\) determines a unique pair \((r,u)\) for which (13) holds. However, in \({\mathsf{Game }}_3\), the simulator \(\mathcal {B}\) answers all signing queries using the witness \((z,r,u)\) such that

$$\begin{aligned} z&= \prod _{i=1}^n M_i^{-\chi _i},&r&=\prod _{i=1}^n M_i^{-\gamma _i},&u&=\prod _{i=1}^n M_i^{-\delta _i}. \end{aligned}$$

Note that this amounts to choosing \(\theta =0\) at step 1 of the signing algorithm. Still, \(\mathcal {B}\) has a valid witness for the statement to be proved. It thus assembles a Groth–Sahai CRS \({\mathbf {f}}=(\vec {f}_1,\vec {f}_2,\vec {f}_{\tau })\) by computing \(\vec {f}_{\tau }=\vec {f}_{3,0} \cdot \prod _{i=1}^{L} \vec {f}_{3,i}^{~\tau [i]}\). Using \({\mathbf {f}}\), it computes Groth–Sahai commitments \(\vec {C}_z,\vec {C}_r,\vec {C}_u\) to \(z, r\) and \(u\). Using the randomness of these commitments, it faithfully generates proofs \(\vec {\pi }_1\) and \(\vec {\pi }_2\) satisfying the verification equations (9).

We argue that this change does not affect \(\mathcal {A}\)’s view whatsoever. Indeed, if event \(F_3\) occurs we have \(J(\tau ^\star )=0\) and \(J(\tau _j)\ne 0\) for each \(\tau _j \ne \tau ^\star \). Moreover, when \(J(\tau _j) \ne 0\), the Groth–Sahai CRS \((\vec {f}_1,\vec {f}_2,\vec {f}_{\tau _j})\) is a perfectly hiding Groth–Sahai CRS. This means that \(\vec {C}_z, \vec {C}_r, \vec {C}_u\) are perfectly hiding commitments and proofs \((\vec {\pi }_1,\vec {\pi }_2)\) are perfectly witness indistinguishable proofs. In other words, although the proofs \((\vec {\pi }_1,\vec {\pi }_2)\) are always generated using the witnesses \((z,r,u)\) for which \(\theta =0\), their distribution does not depend on which specific witness is used.

In contrast, in the case of Type II attacks, for signing queries involving \(\tau ^\star \), the signatures \((\vec {C}_z,\vec {C}_r,\vec {C}_u,\vec {\pi }_1,\vec {\pi }_2)\) reveal the underlying \((z,r,u)\) in the information theoretic sense since \((\vec {f}_1,\vec {f}_2,\vec {f}_{\tau ^\star })\) is a perfectly binding CRS when \(J(\tau ^\star )=0\). However, at most \(n-1\) signing queries on linearly independent vectors \(\vec {M}_j\) are made for the tag \(\tau ^\star \), so that \(\mathcal {A}\) only obtains \(n-1\) linearly independent equations in the exponent. As a consequence, \(\mathcal {A}\) does not obtain a sufficient amount of information to recognize that \(\theta =0\) in the underlying signatures. For this reason, we find that \(\Pr [X_3 \wedge F_3]=\Pr [X_2 \wedge F_2]\).

In \(\mathsf{Game }_3\), we show that a successful forger \(\mathcal {A}\) implies an algorithm \(\mathcal {B}\) solving a given SDP instance \((g_z,g_r,h_z,h)\) with non-negligible advantage, which contradicts the DLIN assumption.

Recall that, when the adversary \(\mathcal {A}\) terminates, it outputs \((\tau ^\star ,\vec {M}^\star ,\sigma ^\star )\), where \(\vec {M}^\star =(M_1^\star ,\ldots ,M_n^\star )\) and \(\sigma ^\star =(\vec {C}_{z}^\star ,\vec {C}_r^\star ,\vec {C}_u^\star ,\vec {\pi }_1^\star ,\vec {\pi }_2^\star ) \in \mathbb {G}^{15} \) satisfies the verification equations. At this point, if the event \(F_1\) introduced in \({\mathsf{Game }}_1\) occurs, we must have \(J(\tau ^\star )=0\), which means that \(\vec {f}_{\tau ^\star }=\vec {f}_{3,0} \cdot \prod _{i=1}^{L} \vec {f}_{3,i}^{~\tau ^\star [i]}\) is in \(\mathrm {span}(\vec {f}_{1},\vec {f}_2)\). This implies that \(\vec {C}_z^\star , \vec {C}_r^\star \) and \(\vec {C}_u^\star \) are perfectly binding commitments. Moreover, using \((\log _g(f_1),\log _g(f_2))\), \(\mathcal {B}\) can extract the underlying group elements \((z^\star ,r^\star ,u^\star ) \in \mathbb {G}^3\) by performing BBS decryptions of the ciphertexts \((\vec {C}_z^\star ,\vec {C}_r^\star ,\vec {C}_u^\star )\). Since \((\vec {\pi }_1^\star ,\vec {\pi }_2^\star )\) are valid proofs for a perfectly sound Groth–Sahai CRS, the extracted elements \((z^\star ,r^\star ,u^\star )\) necessarily satisfy

$$\begin{aligned} 1_{\mathbb {G}_T}=e\big (g_z,z^\star \big ) \cdot e\big (g_r,r^\star \big ) \cdot \prod _{i=1}^n e\big (g_i,M_i^\star \big )= e\big (h_z,z^\star \big ) \cdot e\big (h,u^\star \big ) \cdot \prod _{i=1}^n e\big (h_i,M_i^\star \big ). \end{aligned}$$
(14)

Having extracted \((z^\star ,r^\star ,u^\star ), \mathcal {B}\) also computes

$$\begin{aligned} z^\dagger&= \prod _{i=1}^n {M_i^\star }^{-\chi _i},&r^\dagger&= \prod _{i=1}^n {M_i^\star }^{-\gamma _i},&u^\dagger&= \prod _{i=1}^n {M_i^\star }^{-\delta _i}, \end{aligned}$$
(15)

so that \((z^\dagger ,r^\dagger ,u^\dagger )\) also satisfies (14). Since \((z^\dagger ,r^\dagger ,u^\dagger )\) and \((z^\star ,r^\star ,u^\star )\) both satisfy (14), the triple

$$\begin{aligned} \Big (z^\ddagger , r^{\ddagger },u^{\ddagger }\Big ) = \Bigg ( \frac{z^{\star }}{z^\dagger }, \frac{r^{\star }}{r^\dagger }, \frac{u^{\star }}{u^\dagger } \Bigg ) \end{aligned}$$

necessarily satisfies \(e(g_z,z^\ddagger ) \cdot e(g_r,r^\ddagger )=e(h_z,z^\ddagger ) \cdot e(h,u^\ddagger )=1_{\mathbb {G}_T}\). To conclude the proof, we argue that \(z^\ddagger \ne 1_{\mathbb {G}}\) with all but negligible probability.

To do this, we remark that, if the event \(F_1\) defined in \({\mathsf{Game }}_1\) occurs, the only information that \(\mathcal {B}\) leaks about \((\chi _1,\ldots ,\chi _n)\) resides in the signing queries involving \(\tau ^\star \) in the case of Type II attacks. Indeed, for all signing queries \((\tau ,\vec {M})\) involving tags \(\tau \) such that \(\tau \ne \tau ^\star \), we have \(J(\tau )\ne 0\) so that \((\vec {f_1},\vec {f_2},\vec {f}_\tau )\) is a perfectly hiding Groth–Sahai CRS, for which proofs \((\vec {\pi }_1,\vec {\pi }_2)\) and commitments are perfectly witness indistinguishable. In other words, the signatures \((\vec {C}_z,\vec {C}_r,\vec {C}_u,\vec {\pi }_1,\vec {\pi }_2)\) for which \(J(\tau )\ne 0\) leak nothing about \((\chi _1,\ldots ,\chi _n)\). In contrast, in the case of Type II attacks, for signing queries involving \(\tau ^\star \), the signatures \((\vec {C}_z,\vec {C}_r,\vec {C}_u,\vec {\pi }_1,\vec {\pi }_2)\) reveal the underlying \((z,r,u)\) in the information theoretic sense. However, at most \(n-1\) linearly independent vectors \(\vec {M}_j\) are signed w.r.t. \(\tau ^\star \), so that \(\mathcal {A}\) only obtains \(n-1\) linearly independent equations in the exponent for the unknowns \((\chi _1,\ldots ,\chi _n)\). As a consequence, we can apply the same arguments as in the proof of Theorem 1 and Lemma 1. With probability \(1-1/p\), we thus have \(z^\ddagger \ne 1_{\mathbb {G}}\).

To recap, we find

$$\begin{aligned} \Pr \big [X_3 \wedge F_3\big ] = {\mathbf {Adv}}^{\mathrm{SDP}}(\mathcal {B}) \cdot \Bigg (1-\frac{1}{p} \Bigg )^{-1}. \end{aligned}$$

When putting the above altogether, we find

$$\begin{aligned} \frac{ {\mathbf {Adv}}(\mathcal {A})^2 }{ 27 \cdot q \cdot (L+1) } \le {\mathbf {Adv}}^{\mathrm{SDP}}(\mathcal {B}) \cdot \Bigg (1-\frac{1}{p}\Bigg )^{-1} + {\mathbf {Adv}}^{\mathrm{DLIN}}(\mathcal {B}). \end{aligned}$$

Since any SDP algorithm \(\mathcal {B}_0\) yields a DLIN distinguisher \(\mathcal {B}_1\) such that \({\mathbf {Adv}}^{\mathrm{DLIN}}(\mathcal {B}_0) \!\ge \! 2 \cdot {\mathbf {Adv}}^{\mathrm{SDP}}(\mathcal {B}_1)\), we find

$$\begin{aligned} {\mathbf {Adv}}(\mathcal {A}) \le \sqrt{ 27 \cdot q \cdot (L+1) \cdot \left[ 1+ \frac{1}{2} \cdot \left( 1-\frac{1}{p}\right) ^{-1} \right] \cdot {\mathbf {Adv}}^{\mathrm{DLIN}}(\mathcal {B})} \end{aligned}$$

and the announced result follows.\(\square \)

Appendix 3: Definitions for trapdoor commitments

Formally, a non-interactive commitment scheme \((\mathsf {Setup},\mathsf {Com},{\mathsf {Verify}})\) is a triple of probabilistic polynomial-time (PPT) algorithms where, on input of a security parameter \(\lambda \), \(\mathsf {Setup}\) outputs a public key \(pk\); \(\mathsf {Com}\) takes as input a message \(\mathsf {Msg}\) and a public key \(pk\) and outputs a commitment/de-commitment pair \((\mathsf {com},\mathsf {dec}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathsf {Com}(pk,\mathsf {Msg})\); and \({\mathsf {Verify}}(pk,\mathsf {Msg},\mathsf {com},\mathsf {dec})\) is deterministic and outputs \(0\) or \(1\). The correctness property guarantees that \({\mathsf {Verify}}\) always outputs \(1\) whenever \((\mathsf {com},\mathsf {dec})\) is obtained by committing to \(\mathsf {Msg}\) using honestly generated parameters.

The binding property demands that, given \(pk\), no PPT adversary should be able to produce a commitment that can be opened to two distinct messages. More precisely, for any PPT adversary \(\mathcal {A}\), the following advantage function should be negligible as a function of \(\lambda \).

$$\begin{aligned} {\mathbf {Adv}}_{\mathsf {CMT}}^{\mathrm{bind}}(\mathcal {A}):= & {} \Pr \Bigl [~\mathsf {Verify}\big (pk,\mathsf {Msg}_0,\mathsf {com},\mathsf {dec}_0\big ) =\mathsf {Verify}\big (pk,\mathsf {Msg}_1,\mathsf {com},\mathsf {dec}_1)=1 \\&\wedge \mathsf {Msg}_0 \ne \mathsf {Msg}_1 ~:~ pk \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathsf {Setup}( \lambda );~ \big (\mathsf {com},\mathsf {Msg}_0,\mathsf {dec}_0,\mathsf {Msg}_1,\mathsf {dec}_1\big )\\&\mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathcal {A}(pk) ~\Bigr ] \end{aligned}$$

A commitment is also said to be hiding if commitments to distinct messages have computationally indistinguishable distributions. Formally, for any PPT adversary \(\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)\), the following advantage term is negligible as a function of \(\lambda \).

$$\begin{aligned} {\mathbf {Adv}}_{\mathsf {CMT}}^{\mathrm{hide}}(\mathcal {A}):= & {} \Bigl | \Pr \left[ ~ b=b' ~:~ pk \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathsf {Setup}( \lambda );~ b \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\{0,1\};~ \big (\mathsf {Msg}_0,\mathsf {Msg}_1,st\big ) \right. \\&\left. \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathcal {A}_1 (pk);\big (\mathsf {com},\mathsf {dec}\big ) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathsf {Com}\big (pk,m_b\big );~ b' \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathcal {A}_2(\mathsf {com},st)~\right] - \frac{1}{2} \Bigr | \end{aligned}$$

A trapdoor commitment is a perfectly hiding commitment for which a trapdoor \(tk\) makes it possible to break the binding property and open a commitment to any arbitrary value. However, this should remain infeasible without the trapdoor. More formally, a trapdoor commitment uses two additional algorithms \((\mathsf {FakeCom},\mathsf {FakeOpen})\) that proceed as follows.

Definition 7

A trapdoor commitment is a tuple \((\mathsf {Setup},\mathsf {Com},\mathsf {FakeCom},\mathsf {FakeOpen}, {\mathsf {Verify}})\) of efficient algorithms where \(\mathsf {Com}\) and \(\mathsf {Verify}\) proceed as in an ordinary commitment and other algorithms proceed as follows.

  • Setup is a randomized algorithm that takes as input a security parameter \(\lambda \). It produces a public key \(pk\) and a trapdoor \(tk\).

  • FakeCom is a randomized algorithm that takes as input a public key \( {pk}\) and the trapdoor \(tk\). It outputs a fake commitment string \(\widetilde{\mathsf {com}}\) and some auxiliary information \(\mathsf {aux}\).

  • FakeOpen takes as input a fake commitment produced by \(\mathsf {FakeCom}\) and the corresponding auxiliary information \(\mathsf {aux}\). It also takes as input a message \(\mathsf {Msg}\) and the trapdoor \(tk\) and outputs a fake de-commitment \(\widetilde{\mathsf {dec}}\) such that \(\mathsf {Verify}(pk,\mathsf {Msg},\widetilde{\mathsf {com}},\widetilde{\mathsf {dec}})=1\). Moreover, the two distributions

    and

    $$\begin{aligned} D_{ real }:= & {} \Bigl \{ \big (pk,tk\big ) \leftarrow \mathsf {Setup}(\lambda ); ~\big ( {\mathsf {com}},\mathsf {dec}\big )\\&\qquad \leftarrow \mathsf {Com}\big (pk, \mathsf {Msg}\big ) : \big (pk, \mathsf {Msg}, \mathsf {com}, \mathsf {dec}\big ) \Bigr \} \end{aligned}$$

    should be indistinguishable.

We now recall the definition of independence for commitment schemes, which is known (see, e.g., [43] for a proof) to imply re-usable non-malleability with respect to opening.

Definition 8

([34]) A trapdoor commitment scheme \((\mathsf {Setup},\mathsf {Com},\mathsf {FakeCom},\mathsf {FakeOpen}, {\mathsf {Verify}})\) provides \(\ell \)-independence if, for any PPT adversary \((\mathcal {A}_1,\mathcal {A}_2)\) and any pair of \(\ell \)-tuples \((\mathsf {Msg}_1,\ldots ,\mathsf {Msg}_{\ell }), (\mathsf {Msg}_1',\ldots ,\mathsf {Msg}_{\ell }')\), the following probability is a negligible function of the security parameter \(\lambda \)

$$\begin{aligned}&\Pr \Big [ \big (pk,tk\big ) \leftarrow \mathsf {Setup}(\lambda );~R_1,\ldots ,R_{\ell } \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\{0,1\}^{{\mathsf {poly}}(\lambda )}; \\&\qquad \big (\widetilde{\mathsf {com}}_i,\mathsf {aux}_i\big ) \leftarrow \mathsf {FakeCom}\big (pk,tk,R_i\big ) ~~\forall i \in \{1,\ldots ,\ell \} \\&\qquad \big (st,\mathsf {com}^\star \big ) \leftarrow \mathcal {A}_1\big (pk,\widetilde{\mathsf {com}}_1,\ldots , \widetilde{\mathsf {com}}_{\ell }\big )~\text {with } \mathsf {com}^\star \not \in \{\widetilde{\mathsf {com}}_i\}_{i=1}^{\ell } \\&\qquad \mathsf {dec}_i \leftarrow \mathsf {FakeOpen}\big (\mathsf {aux}_i, tk,\widetilde{\mathsf {com}}_i,\mathsf {Msg}_i\big ) ~~\forall i \in \{1,\ldots ,\ell \} \\&\qquad \mathsf {dec}_i' \leftarrow \mathsf {FakeOpen}\big (\mathsf {aux}_i, tk,\widetilde{\mathsf {com}}_i,\mathsf {Msg}_i'\big ) ~~\forall i \in \{1,\ldots ,\ell \} \\&\qquad \big (\mathsf {Msg}_1^\star ,\mathsf {dec}_1^\star \big ) \leftarrow \mathcal {A}_2\big (st,pk,\mathsf {Msg}_1,\mathsf {dec}_1,\ldots , \mathsf {Msg}_{\ell },\mathsf {dec}_{\ell }\big ) \\&\qquad \big (\mathsf {Msg}_2^\star ,\mathsf {dec}_2^\star \big ) \leftarrow \mathcal {A}_2\big (st,pk,\mathsf {Msg}_1',\mathsf {dec}_1',\ldots , \mathsf {Msg}_{\ell }',\mathsf {dec}_{\ell }'\big ): \\&\qquad \mathsf {Msg}_1^\star \ne \mathsf {Msg}_2^\star \wedge {\mathsf {Verify}}\big (pk,\mathsf {Msg}_1^\star ,\mathsf {com}^\star , \mathsf {dec}_1^\star \big )\\&\qquad =1 \wedge {\mathsf {Verify}}\big (pk,\mathsf {Msg}_2^\star ,\mathsf {com}^\star , \mathsf {dec}_2^\star \big )=1~\Big ]. \end{aligned}$$

A trapdoor commitment is independent if it provides \(\ell \)-independence for any arbitrary \(\ell \in {\mathsf {poly}}(\lambda )\).

It is known (see, e.g., [61]) that, when an SSTC scheme and a secure one-time signature are combined to build an ordinary commitment scheme, the simulation-sound binding property and the security of the one-time signature imply the notion of independence.

Appendix 4: Proof of Theorem 3

Proof

We first observe that the commitment satisfies the trapdoor property if the homomorphic SPS is regular. Indeed, in the distribution \(D_{ fake }\), the commitment \(\widetilde{\mathsf {com}}\) is obtained as

$$\begin{aligned} c_j = \prod _{\mu =1}^{n_z} e\big (F_{j,\mu },\hat{Z}_\mu \big ) \cdot \prod _{\nu =1}^{n_v} e\big (T_{j,\nu },\hat{V}_{\nu }\big ) \cdot \prod _{i=1}^n e\big (G_{j,i},\hat{M}_i\big ),\qquad j \in \{1,\ldots ,m\} \end{aligned}$$
(16)

where \((\hat{M}_1,\ldots ,\hat{M}_{n}) \in _R \mathbb {G}^n\) and \((\hat{Z}_1,\ldots ,\hat{Z}_{n_z},\hat{V}_1,\ldots ,\hat{V}_{n_v}) \in _R \mathbb {G}^{n_z+n_v}\) are chosen uniformly at random. Since the SPS is regular, we also know that, for any \( (M_1,\ldots ,M_n) \ne (\hat{M}_1,\ldots ,\hat{M}_n) \), the vector \((M_1/ \hat{M}_1 ,\ldots ,M_n / \hat{M}_n )\) has a valid signature \(\sigma '=(Z_1',\ldots ,Z_{n_z}',V_1',\ldots ,V_{n_v}')\), so that there exists

$$\begin{aligned} \widetilde{\mathsf {dec}}=\left( \tilde{Z}_1,\ldots ,\tilde{Z}_{n_z} ,\tilde{V}_1 ,\ldots ,\tilde{V}_{n_v} \right) =\left( Z_1' \cdot \hat{Z}_1 ,\ldots ,Z_{n_z}' \cdot \hat{Z}_{n_z} ,V_1' \cdot \hat{V}_1 ,\ldots ,V_{n_v}' \cdot \hat{V}_{n_v} \right) \end{aligned}$$

that explains \(\widetilde{\mathsf {com}}\) as a commitment to \(({M}_1,\ldots , {M}_n)\). Moreover, since \((\hat{Z}_1,\ldots ,\hat{Z}_{n_z},\hat{V}_1,\ldots ,\hat{V}_{n_v})\) was chosen uniformly in \(\mathbb {G}^{n_z+n_v}\), \(\widetilde{\mathsf {dec}}\) is uniform among values \((\tilde{Z}_1 ,\ldots ,\tilde{Z}_{n_z} ,\tilde{V}_1 ,\ldots ,\tilde{V}_{n_v} )\) such that

$$\begin{aligned} c_j = \prod _{\mu =1}^{n_z} e\big (F_{j,\mu },\tilde{Z}_\mu \big ) \cdot \prod _{\nu =1}^{n_v} e\big (T_{j,\nu },\tilde{V}_{\nu } \big ) \cdot \prod _{i=1}^n e\big (G_{j,i}, {M}_i\big ),\qquad j \in \big \{1,\ldots ,m\big \}. \end{aligned}$$
(17)

In other words, the joint distribution of \((\widetilde{\mathsf {com}},\widetilde{\mathsf {dec}})\) is the same as if it were obtained by choosing \((\tilde{Z}_1 ,\ldots ,\tilde{Z}_{n_z} ,\tilde{V}_1,\ldots ,\tilde{V}_{n_v} ) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}^{n_v+n_z}\) and computing \(\{c_j\}_{j=1}^m\) as per (17).

We now turn to the simulation-sound binding property and show that, if there exists a PPT adversary \(\mathcal {A}\) that breaks this property with non-negligible advantage \(\varepsilon \), there exists a non-independent Type I forger \(\mathcal {B}\) against the signature scheme with the same advantage.

Concretely, our adversary \(\mathcal {B}\) obtains a public key \(\mathsf {pk}\) from its own challenger and sends the commitment key \(pk=\mathsf {pk}\) to \(\mathcal {A}\). Whenever \(\mathcal {A}\) sends a query \((\mathsf {commit},tag)\) to the \({\mathcal {O}}_{tk,pk}\) oracle, \(\mathcal {B}\) faithfully runs the \(\mathsf {SSTC}.\mathsf {FakeCom}\) algorithm and thus computes \(\widetilde{\mathsf {com}}=\{\tilde{c}_j\}_{j=1}^m\) according to (16) for randomly chosen \( (\hat{M}_1,\ldots ,\hat{M}_n) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}^n\), \(\hat{\mathsf {dec}}=(\hat{Z}_1,\ldots ,\hat{Z}_{n_z},\hat{V}_1,\ldots , \hat{V}_{n_v}) \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}^{n_z+n_v}\) and retains the information \(\mathsf {aux}=((\hat{M}_1,\ldots ,\hat{M}_n),\hat{\mathsf {dec}})\). When the oracle \({\mathcal {O}}_{tk,pk}\) subsequently receives a query of the form \((\mathsf {decommit},\widetilde{\mathsf {com}}, (M_1,\ldots ,M_n))\), the reduction \(\mathcal {B}\) invokes its own signing oracle on the input \((tag,(M_1/\hat{M}_1,\ldots ,M_n/\hat{M}_n))\). Upon receiving the resulting signature \((Z_1',\ldots ,Z_{n_z}',V_1',\ldots ,V_{n_v}')\), \(\mathcal {B}\) computes and returns \(\widetilde{\mathsf {dec}}=(\hat{Z}_1 \cdot Z_1',\ldots ,\hat{Z}_{n_z} \cdot Z_{n_z}',\hat{V}_1 \cdot V_1',\ldots ,\hat{V}_{n_v} \cdot V_{n_v}')\).

Eventually, the adversary \(\mathcal {A}\) outputs a commitment of its own \(\mathsf {com}^\star = (c_1^\star ,\ldots ,c_m^\star )\) along with valid openings \(\mathsf {dec}=(Z_1 ,\ldots ,Z_{n_z} ,V_1 ,\ldots ,V_{n_v} )\), \(\mathsf {dec}'=(Z_1',\ldots ,Z_{n_z}',V_1',\ldots ,V_{n_v}')\) to distinct vectors \((M_1,\ldots ,M_n) \ne (M_1',\ldots ,M_n')\) for some tag \(tag^\star \) that has never been used in any query to \({\mathcal {O}}_{tk,pk}\). Since both openings successfully pass the verification test, dividing the two instances of (17) term by term shows that

$$\begin{aligned} \Bigl ( {Z_1}/{Z_1'}, \ldots , {Z_{n_z}}/{Z_{n_z}'}, {V_{1}}/{V_{1}'}, \ldots , {V_{n_v}}/{V_{n_v}'} \Bigr ) \end{aligned}$$

forms a valid homomorphic signature on the vector \((M_1/M_1',\ldots ,M_n/M_n') \ne (1_{\mathbb {G}},\ldots ,1_{\mathbb {G}})\) for the identifier \(\tau ^\star =tag^\star \). By construction, \(\tau ^\star \) was never the input of a signing query made by \(\mathcal {B}\) to its own oracle. Consequently, \(\mathcal {B}\) is indeed a Type I non-independent forger with advantage \(\varepsilon \).\(\square \)

Appendix 5: Non-interactive simulation-sound trapdoor commitments from linearly homomorphic signatures in groups of public order

MacKenzie and Yang [61] showed that simulation-sound trapdoor commitments imply digital signatures. In the converse direction, constructions of SSTCs are only known for signature schemes admitting efficient \(\Sigma \) protocols. In fact, as noted by Fujisaki [40], all known constructions of non-interactive simulation-sound or multi-trapdoor [42] commitments build on signature schemes for which an efficient \(\Sigma \) protocol allows proving knowledge of a signature.

The idea is to commit to a message \(m\) by using \(m\) as the challenge of a \(\Sigma \) protocol for proving knowledge of a signature \(\sigma =\mathsf {Sig}(sk,tag)\) on the tag. The commitment is given by the first message \(a\) of the \(\Sigma \) protocol transcript \((a,m,z)\), which is obtained by simulating a proof of knowledge of a valid signature \(\sigma \) on the message \(tag\). The commitment is subsequently opened by revealing \(z\). By the special soundness of the \(\Sigma \) protocol, unless the sender actually knows a valid signature on \(tag\), it can only open a given commitment \(a\) to one message \(m\).

While simple, the above construction (which extends to give identity-based trapdoor commitments, as noted in [25]) does not readily extend to commit to vectors. Fujisaki [40] gave an alternative construction based on encryption schemes. However, this construction is interactive. Groth and Ostrovsky [49] finally defined the notion of simulation-extractable commitments by additionally requiring adversarially-generated commitments to be extractable instead of simply binding. A consequence of this strengthened property is that, just like UC commitments [24], simulation-extractable commitments cannot be length-reducing any longer.

This section shows that ordinary (i.e., non-structure-preserving) linearly homomorphic signatures also make it possible to construct non-interactive simulation-sound (and thus non-malleable) commitments if they satisfy a certain template. Moreover, they make it possible to commit to vectors while preserving the ability of efficiently proving properties about committed vectors. We notably obtain efficient constructions based on the Diffie–Hellman and strong Diffie–Hellman [15] assumptions.

Appendix 5.1: Definition and template

We first consider a definition of unforgeability which is obtained by simplifying Definition 2 and removing the \(\mathsf {SignDerive}\) and \(\mathsf {Reveal}\) oracles. As we will see, this simplified definition will be sufficient for the construction of simulation-sound trapdoor commitments. On the other hand, unlike the definition used in [17–19], Definition 9 allows the adversary to choose the file identifiers in his signing queries.

Definition 9

A linearly homomorphic signature scheme \(\Sigma =(\mathsf {Keygen},{\mathsf {Sign}},\mathsf {SignDerive},{\mathsf {Verify}})\) is secure if no probabilistic polynomial time (PPT) adversary has non-negligible advantage (as a function of the security parameter \(\lambda \in {\mathbb {N}}\)) in the following game:

  1. The adversary \(\mathcal {A}\) chooses an integer \(n \in {\mathbb {N}}\) and sends it to the challenger who runs \(\mathsf {Keygen}(\lambda ,n)\) and obtains \((\mathsf {pk},\mathsf {sk})\) before sending \(\mathsf {pk}\) to \(\mathcal {A}\).

  2. On a polynomial number of occasions, \(\mathcal {A}\) chooses a tag \(\tau \in {\mathcal {T}}\) and a vector \(\vec {v}\). The challenger returns \(\sigma ={\mathsf {Sign}}(\mathsf {sk},\tau ,\vec {v})\) to \(\mathcal {A}\).

  3. \(\mathcal {A}\) outputs an identifier \(\tau ^\star \), a signature \(\sigma ^\star \) and a vector \(\vec {y}^\star \in \mathbb {Z}_N^n\). The adversary \(\mathcal {A}\) is deemed successful if \({\mathsf {Verify}}(\mathsf {pk},\tau ^\star ,\vec {y}^\star ,\sigma ^\star )=1\) and either of the following holds:

    • (Type I): \(\tau ^\star \ne \tau _i\) for any \(i\) and \(\vec {y}^\star \ne \vec {0}\).

    • (Type II): \(\tau ^\star = \tau _i\) for some \(i \in \{1,\ldots ,q\}\) and \(\vec {y}^\star \not \in V_i\), where \(V_i\) denotes the subspace spanned by all vectors \(\vec {v}_1,\ldots ,\vec {v}_{k_i}\) that have been queried for \(\tau _i\).

Note that, in some cases, it may be sufficient to use a non-adaptive definition of unforgeability where the adversary has to declare all the file identifiers \(\tau _1,\ldots ,\tau _q\) involved in signing queries at the very beginning of the attack (before seeing the public key \(\mathsf {pk}\)).

Again, we say that the adversary is independent if

  • For any given tag \(\tau \), it is restricted to only query signatures on linearly independent vectors.

  • Each pair \(({\tau },\vec {m})\) is queried at most once.

Let \(\varPi =(\mathsf {Keygen},{\mathsf {Sign}},\mathsf {SignDerive},{\mathsf {Verify}})\) be a linearly homomorphic signature over \(\mathbb {Z}_p^n\), for some large prime \(p>2^{\lambda }\). We assume that \(\varPi \) uses groups \(\mathbb {G}_1\) and \(\mathbb {G}_2 \) of public orders \(p^k\) and \(p\), respectively, for some \(k\in {\mathbb {N}}\). We also assume that each signature \(\sigma \) lives in \( \mathbb {G}_1 \). The verification algorithm takes as input a purported signature \(\sigma \in \mathbb {G}_1\), a file identifier \(\tau \) and a vector \(\vec {m}\). It returns \(1\) if and only if

$$\begin{aligned} F \big (\sigma ,\vec {m}, \mathsf {pk},\tau \big ) = 1_{\mathbb {G}_2}, \end{aligned}$$
(18)

where \(F \) is a function ranging over the group \(\mathbb {G}_2\) and satisfying certain linearity properties. Namely, for each \(\mathsf {pk}\) produced by \(\mathsf {Keygen}\) and each \(\tau \), we require that

$$\begin{aligned} F \big (\sigma _1 \cdot \sigma _2 , \vec {m}_1 + \vec {m}_2, \mathsf {pk},\tau \big ) = F \big (\sigma _1 , \vec {m}_1 , \mathsf {pk},\tau \big ) \cdot F \big (\sigma _2 , \vec {m}_2 , \mathsf {pk},\tau \big ) \end{aligned}$$

for any vectors \(\vec {m}_1,\vec {m}_2 \in \mathbb {Z}_p^n\) and any \(\sigma _1,\sigma _2 \in \mathbb {G}_1\). As a consequence, we also have

$$\begin{aligned} F \big (\sigma , \vec {m}, \mathsf {pk},\tau \big )^{\omega }= F \big (\sigma ^{\omega }, {\omega } \cdot \vec {m} , \mathsf {pk},\tau \big ) \end{aligned}$$

for any \(\omega \in \mathbb {Z}_p\) and any \(\sigma \in \mathbb {G}_1\). Finally, the derivation algorithm \(\mathsf {SignDerive}\) proceeds by computing \(\mathsf {SignDerive}(\mathsf {pk},\tau ,\{ (\omega _i,\sigma ^{(i)})\}_{i=1}^{\ell })= \prod _{i=1}^{\ell } { \sigma ^{(i)} }^{\omega _i}\).

We remark that the above template only captures schemes in groups of public order, so that constructions based on the Strong RSA assumption [26, 27] or on lattices [17, 18] are not covered. The reason is that, when working over the integers, messages and signature components may increase at each homomorphic operation. This makes it harder to render trapdoor openings indistinguishable from original de-commitments.

Appendix 5.2: Simulation-sound trapdoor commitments from linearly homomorphic signatures

From a linearly homomorphic signature scheme \(\varPi =(\mathsf {Keygen},{\mathsf {Sign}},\mathsf {SignDerive},{\mathsf {Verify}})\) satisfying the template of Appendix 5.1, we construct a non-interactive length-reducing SSTC as follows.

  • SSTC.Setup \({\varvec{(\lambda ,n)}}\) given the required dimension \(n \in {\mathbb {N}}\) of committed vectors, run \(\varPi .\mathsf {Keygen}(\lambda ,n)\) to obtain a public key \(\mathsf {pk}\) and a private key \(\mathsf {sk}\). The commitment key is \(pk= \mathsf {pk}\) and the trapdoor \(tk\) consists of the private key \(\mathsf {sk}\) of \(\varPi \).

  • SSTC.Com \({\varvec{(pk ,tag,\vec {m})}}\) to commit to a vector \(\vec {m} \in \mathbb {Z}_p^n\), choose \( \sigma \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}_1\) in the signature space. Compute and output

    $$\begin{aligned} c= & {} F \big (\sigma ,\vec {m}, \mathsf {pk},tag \big ) \end{aligned}$$

    by evaluating \(F\) as in the left-hand-side member of the verification equation (18). The commitment string is \( \mathsf {com}=c\) whereas the decommitment is \(\mathsf {dec}= \sigma \).

  • SSTC.FakeCom \({\varvec{(pk,tk,tag)}}\) proceeds identically to \(\mathsf {SSTC}.\mathsf {Com}\) but using a randomly chosen vector \(\vec {m}_{ fake } \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p^n\). If \((\hat{\mathsf {com}},\hat{\mathsf {dec}})\) denotes the resulting commitment/decommitment pair, the algorithm sets \(\widetilde{\mathsf {com}}=\hat{\mathsf {com}}\) and \( \mathsf {aux}=(\vec {m}_{ fake },\hat{\mathsf {dec}})\).

  • SSTC.FakeOpen \({\varvec{(\mathsf {aux},tk,tag, \widetilde{\mathsf {com}},\vec {m})}}\) the algorithm parses \(\widetilde{\mathsf {com}}\) as \(\tilde{c} \in \mathbb {G}_2\) and \(\mathsf {aux}\) as \(\big (\vec {m}_{ fake },\hat{\mathsf {dec}})\), where \(\hat{\mathsf {dec}}=\hat{\sigma } \in \mathbb {G}_1\). It first generates a linearly homomorphic signature on the difference vector \(\vec {m}- \vec {m}_{ fake } \in \mathbb {Z}_p^n\) for the tag \(tag=\tau \). Namely, using the trapdoor \(tk=\mathsf {sk}\), compute

    $$\begin{aligned} \sigma ' \leftarrow \varPi .{\mathsf {Sign}}\big (\mathsf {sk},\tau ,\vec {m} - \vec {m}_{ fake } \big ). \end{aligned}$$

    Finally, it computes \(\widetilde{\sigma }= \mathsf {SignDerive}(\mathsf {pk},\tau ,\{ (1,\hat{\sigma } ),(1,\sigma ')\} )=\hat{\sigma } \cdot \sigma ' \in \mathbb {G}_1\) and returns \(\widetilde{\mathsf {dec}}=\widetilde{\sigma }\).

  • SSTC.Verify \({\varvec{(pk,tag, \vec {m},\mathsf {com},\mathsf {dec})}}\) parse the commitment \(\mathsf {com}\) as \(c \in \mathbb {G}_2\) and the opening \(\mathsf {dec}\) as \( \sigma \in \mathbb {G}_1 \). If these cannot be parsed properly, return \(0\). Otherwise, return \(1\) if \(c=F(\sigma ,\vec {m},\mathsf {pk},tag)\) and \(0\) otherwise.

For completeness, we prove the following result in a similar way to the proof of Theorem 3.

Theorem 5

The above construction is a secure SSTC assuming that \(\varPi \) is both regular and unforgeable against non-independent Type I attacks.

Proof

The proof is very similar to the proof of Theorem 3. We first show that the commitment is a trapdoor commitment if \(\varPi \) is a regular homomorphic signature. Indeed, in the distribution \(D_{ fake }\), the commitment is obtained as

$$\begin{aligned} \widetilde{\mathsf {com}}= & {} F \big (\hat{\sigma } ,\vec {m}_{ fake }, \mathsf {pk},tag \big ) \end{aligned}$$
(19)

where \(\vec {m}_{ fake } \in _R \mathbb {Z}_p^n\) and \(\hat{\sigma } \in _R \mathbb {G}_1\). Since \(\varPi \) is regular, we also know that, for any \( \vec {m} \ne \vec {m}_{ fake } \), the vector \( \vec {m} - \vec {m}_{ fake }\) has a valid signature \(\sigma ' \in \mathbb {G}_1\). As a consequence, there exists

$$\begin{aligned} \widetilde{\mathsf {dec}}=\tilde{\sigma }= \mathsf {SignDerive}\big (\mathsf {pk},\tau ,\{ (1,\hat{\sigma } \big ),(1,\sigma ')\} \big )= \hat{\sigma } \cdot \sigma ' \end{aligned}$$

such that \(\widetilde{\mathsf {com}}=F (\tilde{\sigma } ,\vec {m} , \mathsf {pk},tag )\), so that \(\widetilde{\mathsf {com}}\) can be explained as a commitment to \(\vec {m}\). Moreover, since \(\hat{\sigma }\) was chosen uniformly in \(\mathbb {G}_1\), the obtained de-commitment \(\tilde{\sigma }\) is uniform among values such that

$$\begin{aligned} \widetilde{\mathsf {com}}= & {} F \big (\tilde{\sigma } ,\vec {m} , \mathsf {pk},tag \big ) \end{aligned}$$

Said otherwise, \((\widetilde{\mathsf {com}},\widetilde{\mathsf {dec}})\) has the same distribution as if it were obtained by choosing \(\widetilde{\mathsf {dec}}= \tilde{\sigma } \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}_1\) and computing \(\widetilde{\mathsf {com}} = F (\tilde{\sigma } ,\vec {m} , \mathsf {pk},tag )\).

To establish the simulation-sound binding property, we show that, if there exists a PPT adversary \(\mathcal {A}\) that breaks this property with advantage \(\varepsilon \), the homomorphic signature scheme \(\varPi \) can be broken by a non-independent Type I forger \(\mathcal {B}\) with the same advantage \(\varepsilon \).

Algorithm \(\mathcal {B}\) takes as input a linearly homomorphic signature public key \(\mathsf {pk}\) and sends \(pk=\mathsf {pk}\) to the simulation-binding adversary \(\mathcal {A}\). When \(\mathcal {A}\) sends a query \((\mathsf {commit},tag)\) to the \({\mathcal {O}}_{tk,pk}\) oracle, \(\mathcal {B}\) runs the \(\mathsf {SSTC}.\mathsf {FakeCom}\) algorithm and computes \(\widetilde{\mathsf {com}}= F(\hat{\sigma },\vec {m}_{ fake },\mathsf {pk},tag)\) for randomly chosen \( \hat{\sigma } \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}_1\) and \(\vec {m}_{ fake } \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p^n\). It retains the state information \(\mathsf {aux}=(\vec {m}_{ fake },\hat{\sigma })\). For each invocation of the oracle \({\mathcal {O}}_{tk,pk}\) for an input of the form \((\mathsf {decommit},\widetilde{\mathsf {com}}, \vec {m})\), \(\mathcal {B}\) sends the query \((tag,\vec {m} -\vec {m}_{ fake })\) to its own signing oracle. Upon receiving the latter’s response \(\sigma '\), \(\mathcal {B}\) computes and returns \(\widetilde{\mathsf {dec}}= \sigma ' \cdot \hat{\sigma }\).

Eventually, \(\mathcal {A}\) comes up with a commitment of its own \(\mathsf {com}^\star \) with valid openings \(\mathsf {dec}=\sigma \), \(\mathsf {dec}'=\sigma '\) to distinct vectors \(\vec {m} \ne \vec {m}' \) for a tag \(tag^\star \) that it never submitted to \({\mathcal {O}}_{tk,pk}\). Since \(\mathsf {dec}\) and \(\mathsf {dec}'\) are valid openings of \(\mathsf {com}^\star \) to \(\vec {m}\) and \(\vec {m}'\), respectively, we have \(F(\sigma ,\vec {m},\mathsf {pk},tag^\star )=\mathsf {com}^\star =F(\sigma ',\vec {m}',\mathsf {pk},tag^\star )\), and the linearity of \(F\) yields \(F(\sigma /\sigma ',\vec {m}-\vec {m}',\mathsf {pk},tag^\star )=1_{\mathbb {G}_2}\). As \(\vec {m} \ne \vec {m}' \), the triple

$$\begin{aligned} \big (\tau ^\star ,\sigma /\sigma ',\vec {m} - \vec {m}' \big ) \end{aligned}$$

with \(\tau ^\star =tag^\star \) forms a valid Type I forgery for the linearly homomorphic scheme \(\varPi \): the vector \(\vec {m} - \vec {m}'\) is non-zero and, since \(\mathcal {B}\) only ever queried its signing oracle on tags that \(\mathcal {A}\) submitted to \({\mathcal {O}}_{tk,pk}\), the identifier \(\tau ^\star \) never appeared in a signing query. \(\square \)

Appendix 5.3: Instantiations

Construction from the Diffie–Hellman assumption Previously, non-malleable commitments based on the CDH assumption were—implicitly or explicitly—described in [35, 64] but it is not immediate how to extend them to commit to vectors in a modular way.

In [12], Attrapadung et al. described a linearly homomorphic signature which is notably secure against Type I independent adversaries, as implicitly proved by [12, Lemma 8], under the computational Diffie–Hellman (CDH) assumption.

  • Keygen \({\varvec{(\lambda ,n)}}\) given a security parameter \(\lambda \in {\mathbb {N}}\) and an integer \(n \in {\mathsf {poly}}(\lambda )\), choose bilinear groups \((\mathbb {G},\mathbb {G}_T)\) of prime order \(p > 2^{\lambda }\). Choose \(\alpha \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p, g, v \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\) and \(u_0,u_1,\ldots ,u_L \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\), for some \(L \in {\mathsf {poly}}(\lambda )\). These elements \((u_0,\ldots ,u_L) \in \mathbb {G}^{L+1}\) will be used to implement a programmable hash function \(H_{\mathbb {G}}:\{0,1\}^L \rightarrow \mathbb {G}\) such that any \(L\)-bit string \(\tau =\tau [1]\ldots \tau [L] \in \{0,1\}^L\) is mapped to the hash value \(H_{\mathbb {G}}(\tau )=u_0 \cdot \prod _{i=1}^L u_i^{\tau [i]}\). Pick \( g_i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\) for \(i=1\) to \(n\). Finally, define the identifier space \({\mathcal {T}}:= \{0,1\}^L\). The private key is \(\mathsf {sk}:= \alpha \) and the public key consists of

    $$\begin{aligned} \mathsf {pk}:= \Bigl ( \big (\mathbb {G},\mathbb {G}_T\big ),~ g , ~ g^{\alpha }, ~v, ~ \{ g_i \}_{i=1}^n,~\{u_i\}_{i=0}^L \Bigr ). \end{aligned}$$
  • Sign \({\varvec{(\mathsf {sk},\tau ,\vec {m} )}}\) given a vector \(\vec {m}=(m_1,\ldots ,m_n) \in \mathbb {Z}_p^n\), a file identifier \( \tau \in \{0,1\}^L\) and the private key \(\mathsf {sk}= {\alpha } \in \mathbb {Z}_p \), return \(\perp \) if \(\vec {m}=\vec {0}\). Otherwise, choose \(r,s \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\). Then, compute a signature \( \sigma = (\sigma _1,\sigma _2,s ) \in \mathbb {G}^2 \times \mathbb {Z}_p\) as

    $$\begin{aligned} \sigma _1&= \big ( g_1^{m_1} \ldots g_n^{m_n} \cdot v^s\big )^{\alpha } \cdot H_{\mathbb {G}}(\tau )^{r },&\sigma _{2 }&= g^{r}. \end{aligned}$$
  • SignDerive \({\varvec{(\mathsf {pk},\tau ,\{(\beta _i, \sigma _i)\}_{i=1}^\ell )}}\) given \(\mathsf {pk}\), a file identifier \(\tau \) and \(\ell \) tuples \((\beta _i,\sigma _i) \), parse each signature \(\sigma _i\) as \(\sigma _i=(\sigma _{i,1},\sigma _{i,2},s_i)\) for \(i=1\) to \(\ell \). Then, choose \(\tilde{r} \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\) and compute

    $$\begin{aligned} \sigma _1&= \prod _{i=1}^\ell \sigma _{i,1}^{\beta _i} \cdot H_{\mathbb {G}}(\tau )^{\tilde{r}},&\sigma _2&= \prod _{i=1}^\ell \sigma _{i,2}^{\beta _i} \cdot g^{\tilde{r}},&s&=\sum _{i=1}^{\ell } \beta _i \cdot s_i, \end{aligned}$$

    and output \((\sigma _1,\sigma _2,s)\).

  • Verify \({\varvec{(\mathsf {pk},\tau ,\vec {m},\sigma )}}\) given \(\mathsf {pk}\), a signature \(\sigma =(\sigma _1,\sigma _2,s)\) and a message \((\tau ,\vec {m})\), where \(\tau \in \{0,1\}^L\) and \(\vec {m}\) is a vector \((m_1,\ldots ,m_n) \in (\mathbb {Z}_p)^n\), return \(0\) if \(\vec {m}=\vec {0}\). Otherwise, return \(1\) if

    $$\begin{aligned} e\Big (\sigma _1,g\Big ) = e\Big (g_1^{m_1} \dots g_n^{m_n} \cdot v^s,g^{\alpha }\Big ) \cdot e\big ( H_{\mathbb {G}}(\tau ),\sigma _2\big ) \end{aligned}$$

    and \(0\) otherwise.

This scheme can be seen as a specific instantiation of the template where the group \(\mathbb {G}_1\) is a product \(\mathbb {G}_1=\mathbb {G}^2 \times \mathbb {Z}_p\), which is a group for the operation \((\cdot ,\cdot , +)\), and \(\mathbb {G}_2=\mathbb {G}_T\). Here, \(\mathbb {G}_1\) and \(\mathbb {G}_2\) thus have order \(p^3\) and \(p\), respectively. As for the linear function \(F\), it can be instantiated as

$$\begin{aligned} F\Big (\big (\sigma _1,\sigma _2,s\big ),\vec {m},\mathsf {pk}, \tau \Big ) := e\big (\sigma _1,g^{-1}\big ) \cdot e\big (H_{\mathbb {G}}(\tau ),\sigma _2\big ) \cdot e\big (g_1^{m_1}\ldots g_n^{m_n} \cdot v^s,g^{\alpha }\big ). \end{aligned}$$

As a result, we obtain a new non-interactive simulation-sound trapdoor commitment to vectors under the CDH assumption. We note that the scheme can be optimized by removing the terms \(v^s\) and \(s\), so as to have \((\sigma _1,\sigma _2)=\big ((\prod _{i=1}^n g_i^{m_i})^{\alpha } \cdot H_{\mathbb {G}}(\tau )^r ,g^r \big )\) and

$$\begin{aligned} F\Big (\big (\sigma _1,\sigma _2\big ),\vec {m},\mathsf {pk}, \tau \Big ) := e\big (\sigma _1,g^{-1}\big ) \cdot e\big (H_{\mathbb {G}}(\tau ),\sigma _2\big ) \cdot e\left( g_1^{m_1}\ldots g_n^{m_n} ,g^{\alpha }\right) . \end{aligned}$$

Indeed, in the proof of [12, Lemma 8], we observe that, if the signature scheme only needs to be secure against Type I attacks, the terms \((v^s,s) \in \mathbb {G}\times \mathbb {Z}_p\) can be eliminated.

Unlike the CDH-based construction of [40], the above commitment scheme is non-interactive and allows committing to vectors with a constant-size commitment string. Unlike the solution consisting in committing to a short string obtained by hashing the vector, our solution makes it possible for the sender to prove properties (using \(\Sigma \) protocols or Groth–Sahai proofs) about committed vectors in an efficient way.

We also remark that, for vectors of dimension \(n=1\), we obtain a simplification of existing multi-trapdoor (or identity-based) trapdoor commitments [35, 64] based on the Waters signature: instead of starting from a \(\Sigma \) protocol for proving knowledge of a Waters signature, we obtain a more efficient scheme by building the commitment algorithm on the verification equation of the underlying signature. Recall that the verification equation of Waters signatures \((\sigma _1,\sigma _2)\) returns \(1\) if and only if it holds that \(e(\sigma _1,g)=e(g^{\alpha },h ) \cdot e(H_{\mathbb {G}}(M),\sigma _2)\), where \(M \in \{0,1\}^L\) is the message and \( g^{\alpha },h \) are part of the public key. Now, to commit to a message \(m \in \mathbb {Z}_p\) under a tag \(\tau \in \{0,1\}^L\) (which plays the role of the signed message \(M\)), the sender can pick random \(\theta _1,\theta _2 \in \mathbb {G}\) and compute \(\mathsf {com}=e(g^{\alpha },h)^m \cdot e(g,\theta _1) \cdot e(H_{\mathbb {G}}(\tau ),\theta _2) \in \mathbb {G}_T\) and \(\mathsf {dec}=(\theta _1,\theta _2)\). It is easy to see that a Waters signature \((\sigma _1,\sigma _2)\) on \(\tau \) allows opening \(\mathsf {com}\) to any message using the trapdoor. Moreover, the resulting scheme gives a shorter commitment string and a faster verification algorithm than [25, 64].
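As an added worked check of the trapdoor opening just claimed (this derivation is not part of the original text; it only uses the symbols above and the symmetry of \(e\) that the notation \(e(\sigma _1,g)\), \(e(g,\theta _1)\) already assumes): given a Waters signature \((\sigma _1,\sigma _2)\) on \(\tau \) and a commitment \(\mathsf {com}\) to \(m\) with opening \((\theta _1,\theta _2)\), to re-open \(\mathsf {com}\) to \(m' \ne m\) set

$$\begin{aligned} \Delta := m'-m \in \mathbb {Z}_p, \qquad \theta _1' := \theta _1 \cdot \sigma _1^{-\Delta }, \qquad \theta _2' := \theta _2 \cdot \sigma _2^{\Delta }. \end{aligned}$$

Bilinearity and the Waters verification equation then give

$$\begin{aligned} e\big (g^{\alpha },h\big )^{m'} \cdot e\big (g,\theta _1'\big ) \cdot e\big (H_{\mathbb {G}}(\tau ),\theta _2'\big )&= e\big (g^{\alpha },h\big )^{m} \cdot e\big (g,\theta _1\big ) \cdot e\big (H_{\mathbb {G}}(\tau ),\theta _2\big ) \cdot \left( \frac{e(g^{\alpha },h) \cdot e(H_{\mathbb {G}}(\tau ),\sigma _2)}{e(\sigma _1,g)} \right) ^{\Delta } \\&= \mathsf {com} \cdot \big (1_{\mathbb {G}_T}\big )^{\Delta } = \mathsf {com}, \end{aligned}$$

so \(\mathsf {Verify}\) accepts \((m',(\theta _1',\theta _2'))\). Since \((\theta _1,\theta _2)\) is uniform in \(\mathbb {G}^2\) and \((\theta _1',\theta _2')\) is a translate of it, fake openings are distributed exactly like honest ones. Conversely, two openings \((\theta _1,\theta _2)\) and \((\theta _1',\theta _2')\) of the same \(\mathsf {com}\) to \(m \ne m'\) satisfy \(e(g^{\alpha },h)^{\Delta }=e(g,\theta _1/\theta _1') \cdot e(H_{\mathbb {G}}(\tau ),\theta _2/\theta _2')\), so \(\big ((\theta _1/\theta _1')^{1/\Delta },(\theta _2'/\theta _2)^{1/\Delta }\big )\) is a valid Waters signature on \(\tau \); this is the binding reduction for this \(n=1\) case.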

Construction from the strong Diffie–Hellman assumption As mentioned earlier, in the application to non-malleable commitments, simulation-sound trapdoor commitments only need to be secure against adversaries that choose beforehand (before receiving the public key) on which tags they will see equivocations of commitments produced by \(\mathsf {FakeCom}\). In this case, we only need the underlying linearly homomorphic signature to be secure against non-adaptive Type I independent adversaries. The construction of Catalano et al. [27] is an example of such system. In [27], it was implicitly proved (see footnote 6) that the scheme is secure against non-adaptive (independent) Type I adversaries under the strong Diffie–Hellman assumption [15].

  • Keygen \({\varvec{(\lambda ,n)}}\) given a security parameter \(\lambda \in {\mathbb {N}}\) and an integer \(n \in {\mathsf {poly}}(\lambda )\), choose bilinear groups \((\mathbb {G},\mathbb {G}_T)\) of prime order \(p > 2^{\lambda }\). Choose \(\alpha \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p, g, v \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\) and \( g_i \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {G}\) for \(i=1\) to \(n\). Finally, define the identifier space \({\mathcal {T}}:= \mathbb {Z}_p\). The private key is \(\mathsf {sk}:= \alpha \) and the public key consists of

    $$\begin{aligned} \mathsf {pk}:= \Bigl ( \big (\mathbb {G},\mathbb {G}_T\big ),~ g , ~ g^{\alpha }, ~v, ~ \{ g_i \}_{i=1}^n \Bigr ). \end{aligned}$$
  • Sign \({\varvec{(\mathsf {sk},\tau ,\vec {m} )}}\) given a vector \(\vec {m}=(m_1,\ldots ,m_n) \in \mathbb {Z}_p^n\), a file identifier \( \tau \in \mathbb {Z}_p\) and the private key \(\mathsf {sk}= {\alpha } \in \mathbb {Z}_p \), choose \( s \mathop {\leftarrow }\limits ^{\scriptscriptstyle R}\mathbb {Z}_p\). Then, compute a signature \( \sigma = (\sigma _1 ,s ) \in \mathbb {G}\times \mathbb {Z}_p\) where

    $$\begin{aligned} \sigma _1 = \big ( g_1^{m_1} \ldots g_n^{m_n} \cdot v^s \big )^{\frac{1}{\alpha + \tau }}. \end{aligned}$$
  • SignDerive \({\varvec{(\mathsf {pk},\tau ,\{(\beta _i, \sigma _i)\}_{i=1}^\ell )}}\) given \(\mathsf {pk}\), a file identifier \(\tau \) and \(\ell \) tuples \((\beta _i,\sigma _i) \), parse each signature \(\sigma _i\) as \(\sigma _i=(\sigma _{i,1},s_i)\) for \(i=1\) to \(\ell \). Then, compute

    $$\begin{aligned} \sigma _1&= \prod _{i=1}^\ell \sigma _{i,1}^{\beta _i},&s&=\sum _{i=1}^{\ell } \beta _i \cdot s_i, \end{aligned}$$

    and output \((\sigma _1, s)\).

  • Verify \({\varvec{(\mathsf {pk},\tau ,\vec {m},\sigma )}}\) given the public key \(\mathsf {pk}\), a signature \(\sigma =(\sigma _1, s)\) and a message \((\tau ,\vec {m})\), where \(\tau \in \mathbb {Z}_p\) and \(\vec {m}=(m_1,\ldots ,m_n) \in (\mathbb {Z}_p)^n\), return \(1\) if and only if

    $$\begin{aligned} e\big (\sigma _1,g^{\tau } \cdot g^{\alpha }\big ) = e\big (g_1^{m_1}\ldots g_n^{m_n} \cdot v^s,g \big ). \end{aligned}$$

This construction can also be seen as a special case of our template where \(\mathbb {G}_1= \mathbb {G}\times \mathbb {Z}_p\) is a group for the operation \((\cdot ,+)\) and \(\mathbb {G}_2=\mathbb {G}_T\) is a multiplicative group. Here, we thus have \(|\mathbb {G}_1|=p^2\) and \(|\mathbb {G}_2|=p\). The linear function \(F\) is now defined as

$$\begin{aligned} F\big ( (\sigma _1,s),\vec {m},\mathsf {pk}, \tau \big ) := e\left( \sigma _1,g^{\tau } \cdot g^{\alpha }\right) \cdot e\left( g_1^{m_1}\ldots g_n^{m_n} \cdot v^s,g^{-1} \right) . \end{aligned}$$

The linearly homomorphic signature of [27] thus implies a non-interactive non-adaptive simulation-sound trapdoor commitment to vectors based on the strong Diffie–Hellman assumption. Again, the scheme can be simplified by removing the term \(v^s\) since the underlying signature only needs to be secure against non-adaptive Type I attacks. In the case \(n=1\), the resulting non-malleable commitment is a variant of the one of [42, Sect. 4.2].
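As an added example that is not from the paper or from [27], the following Python models the scheme above (Keygen, Sign, SignDerive, Verify) together with the map \(F\) in an exponent representation: each element of \(\mathbb {G}\) or \(\mathbb {G}_T\) is stored as its discrete logarithm with respect to \(g\) or \(e(g,g)\), so the pairing is multiplication modulo \(p\). This reproduces the algebra, in particular that a derived signature verifies exactly for \(\sum _i \beta _i \vec {m}_i\), but since every discrete logarithm is in the clear it has no security; the modulus, the messages and the function names are constructed by me.

```python
import secrets

# Constructed modulus standing in for the prime group order p (not a real curve order).
P = (1 << 127) - 1

def pairing(a, b):
    """Exponent model: e(g^a, g^b) = e(g,g)^{ab}, stored as a*b mod p."""
    return (a * b) % P

def keygen(n):
    """Keygen(lambda, n): sk = alpha; pk holds g, g^alpha, v, g_1..g_n as exponents."""
    alpha = secrets.randbelow(P - 1) + 1
    v = secrets.randbelow(P - 1) + 1
    gs = [secrets.randbelow(P - 1) + 1 for _ in range(n)]
    # In this model g^alpha is literally alpha, so pk leaks sk: algebra only, no security.
    return {"g": 1, "g_alpha": alpha, "v": v, "gs": gs}, alpha

def message_term(pk, m, s):
    """Exponent of g_1^{m_1} ... g_n^{m_n} * v^s."""
    return (sum(gi * mi for gi, mi in zip(pk["gs"], m)) + pk["v"] * s) % P

def sign(pk, sk, tau, m):
    """Sign(sk, tau, m): sigma_1 = (g_1^{m_1}...g_n^{m_n} v^s)^{1/(alpha+tau)}, s random."""
    s = secrets.randbelow(P)
    inv = pow((sk + tau) % P, -1, P)   # ValueError only in the negligible case tau = -alpha
    return ((message_term(pk, m, s) * inv) % P, s)

def sign_derive(pk, tau, pairs):
    """SignDerive: sigma_1 = prod_i sigma_{i,1}^{beta_i}, s = sum_i beta_i * s_i."""
    sigma1 = sum(beta * sig[0] for beta, sig in pairs) % P
    s = sum(beta * sig[1] for beta, sig in pairs) % P
    return (sigma1, s)

def F(sigma, m, pk, tau):
    """The template's linear map F; equals the identity of G_T (0 here) iff sigma is valid."""
    sigma1, s = sigma
    lhs = pairing(sigma1, (tau + pk["g_alpha"]) % P)   # e(sigma_1, g^tau * g^alpha)
    rhs = pairing(message_term(pk, m, s), P - 1)       # e(g_1^{m_1}...g_n^{m_n} v^s, g^{-1})
    return (lhs + rhs) % P                             # product in G_T = sum of exponents

def verify(pk, tau, m, sigma):
    """Verify(pk, tau, m, sigma): the pairing equation holds iff F(...) is the identity."""
    return F(sigma, m, pk, tau) == 0

def combine(vectors, betas):
    """The vector sum_i beta_i * m_i that a derived signature is expected to verify for."""
    n = len(vectors[0])
    return [sum(b * vec[j] for b, vec in zip(betas, vectors)) % P for j in range(n)]
```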

Libert, B., Peters, T., Joye, M. et al. Linearly homomorphic structure-preserving signatures and their applications. Des. Codes Cryptogr. 77, 441–477 (2015). https://doi.org/10.1007/s10623-015-0079-1