1 Introduction

Structure-Preserving Signatures (SPSs). Informally, a cryptographic scheme (such as an encryption or signature scheme) is called structure-preserving if its operation can be expressed using equations over a (usually pairing-friendly) cyclic group. A structure-preserving scheme has the advantage that we can reason about it with efficient zero-knowledge proof systems such as the Groth-Sahai non-interactive zero-knowledge (NIZK) system [31]. This compatibility is the key to constructing efficient anonymous credential systems (e.g., [10]), and can be extremely useful in voting schemes and mix-nets (e.g., [30]).

In this work, we are concerned with structure-preserving signature (SPS) schemes. Since popular tools such as “structure-breaking” collision-resistant hash functions cannot be used in a structure-preserving scheme, constructing an SPS scheme is a particularly challenging task. Still, there already exist a variety of SPS schemes in the literature [2, 4,5,6, 17,18,19, 29, 35, 37, 39, 44] (see also Table 1 for details on some of them).

Tight Security for SPS Schemes. A little more specifically, in this work we are interested in tightly secure SPS schemes. Informally, a cryptographic scheme is tightly secure if it enjoys a tight security reduction, i.e., a security reduction that transforms any adversary \(\mathcal {A}\) on the scheme into a problem-solver with about the same runtime and success probability as \(\mathcal {A}\), independently of the number of uses of the scheme (Footnote 1). A tight security reduction gives security guarantees that do not degrade in the size of the setting in which the scheme is used.

Specifically, tight security reductions allow one to give “universal” keylength recommendations that do not depend on the envisioned size of an application. This is useful when deploying an application for which the eventual number of uses cannot be reasonably bounded a priori. Moreover, this point is particularly vital for SPS schemes. Namely, an SPS scheme is usually combined with several other components that all use the same cyclic group. Thus, a keylength increase (which implies changing the group, and which might be necessary for a non-tightly secure scheme for which a secure keylength depends on the number of uses) affects several schemes, and is particularly costly.

In recent years, progress has been made in the construction of a variety of tightly secure (Footnote 2) cryptographic schemes such as public-key encryption schemes [11, 25, 33,34,35, 42, 43], identity-based encryption schemes [8, 14, 20, 21, 27, 36], and signature schemes [3, 6, 14, 16, 21, 34, 35, 42]. However, somewhat surprisingly, only few SPS schemes with tight security reductions are known. Moreover, these tightly secure SPS schemes [6, 35] are significantly less efficient than either “ordinary” SPS or tightly secure signature schemes (see Table 1). One reason for this apparent difficulty to construct tightly secure SPS schemes is that tight security appears to require dedicated design techniques (such as a sophisticated hybrid argument over the bits of an IBE identity [21]), and most known such techniques cannot be expressed in a structure-preserving manner.

Table 1. Comparison of standard-model SPS schemes (in their most efficient variants). We list unilateral schemes (with messages over one group) and bilateral schemes (with messages over both source groups of a pairing) separately. The notation \((x_1,x_2)\) denotes \(x_1\) elements in \({{\mathbb {G}}_1}\) and \(x_2\) elements in \({{\mathbb {G}}_2}\). \(|{M}|\), \(|\sigma |\), and \(|{ pk }|\) denote the size of messages, signatures, and public keys (measured in group elements). “Sec. loss” denotes the multiplicative factor that the security reduction to “Assumption” loses, where we omit dominated and additive factors. (Here, “generic” means that only a proof in the generic group model is known.) For the tree-based scheme HJ12, \(\ell \) denotes the depth of the tree (which limits the number of signing queries to \(2^\ell \)). \(Q\) denotes the number of adversarial signing queries, and \(\lambda \) is the security parameter.

1.1 Our Contribution

Overview. We present a tightly secure SPS scheme with significantly improved efficiency and tighter security reduction compared to the state-of-the-art tightly secure SPS scheme of Abe et al. [6]. Specifically, our signatures contain 14 group elements (compared to 25 group elements in [6]), and our security reduction loses a factor of only \(\mathbf{O}(\log Q)\) (compared to \(\mathbf{O}(\lambda )\)), where \(\lambda \) denotes the security parameter, and \(Q=\mathsf {poly}(\lambda )\) denotes the number of adversarial signature queries. When accounting for loose reductions through an appropriate keylength increase, the computational efficiency of our scheme even compares favorably to that of state-of-the-art non-tightly secure SPS schemes.

In the following, we will detail how we achieve our results, and in particular the progress we make upon previous techniques. We will also compare our work to existing SPS schemes (both tightly and non-tightly secure).

Central Idea: A Modular Treatment. A central idea in our work (that in particular contrasts our approach to the one of Abe et al.) is a modular construction. That is, similar to the approach to tight IBE security of Blazy, Kiltz, and Pan [14], the basis of our construction is a tightly secure message authentication code (MAC). This tightly secure MAC will then be converted into a signature scheme by using NIZK proofs, following (but suitably adapting) the generic MAC-to-signatures conversion of Bellare and Goldwasser [12].

Starting Point: A Tightly Secure MAC. Our tightly secure MAC will have to be structure-preserving, so the MAC used in [14] cannot be employed in our case. Instead, we derive our MAC from the recent tightly secure key encapsulation mechanism (KEM) of Gay, Hofheinz, and Kohl [26] (which in turn builds upon the Kurosawa-Desmedt PKE scheme [41]). To describe their scheme, we assume a group \({\mathbb {G}}=\langle g\rangle \) of prime order p, and we use the implicit notation \([x]:=g^x\) from [24]. We also fix an integer k that determines the computational assumption to which we want to reduce (Footnote 3). Now in (a slight simplification of) the scheme of [26], a ciphertext C with corresponding KEM key K is of the form

$$\begin{aligned} C \;=\; (\, [ \mathbf {t}],\, \pi \,), \qquad K \;=\; [ (\mathbf {k}_0+\mu \mathbf {k}_1)^\top \mathbf {t}] \quad (\text {for } \, \mu =H([\mathbf {t}])), \end{aligned}$$
(1)

where H is a collision-resistant hash function, and \(\mathbf {k}_0,\mathbf {k}_1,\mathbf {t}\in {{{\mathbb {Z}}}_p^{2k}}\) and \(\pi \) are defined as follows. First, \(\mathbf {k}_0,\mathbf {k}_1\in {{{\mathbb {Z}}}_p^{2k}}\) comprise the secret key. Next, \(\mathbf {t}=\mathbf {A}_0\mathbf {r}\) for a fixed matrix \(\mathbf {A}_0\) (given as \([\mathbf {A}_0]\) in the public key) and a random vector \(\mathbf {r}\in {\mathbb {Z}}_p^k\) chosen freshly for each encryption. Finally, \(\pi \) is a NIZK proof that proves that \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\cup {\mathrm {span}}(\mathbf {A}_1)\) for another fixed matrix \(\mathbf {A}_1\) (also given as \([\mathbf {A}_1]\) in the public key). The original Kurosawa-Desmedt scheme [41] is identical, except that \(\pi \) is omitted, and \(k=1\). Hence, the main benefit of \(\pi \) is that it enables a tight security reduction (Footnote 4).

We can view this KEM as a MAC scheme simply by declaring the MAC tag for a message \({M}\) to be the values \((C, K)\) from (1), only with \(\mu :={M}\) (instead of \(\mu =H([\mathbf {t}])\)). The verification procedure of the resulting MAC will check \(\pi \), and then check whether C really decrypts to K. (Hence, MAC verification still requires the secret key \(\mathbf {k}_0,\mathbf {k}_1\).) Now a slight adaptation of a generic argument of Dodis et al. [22] reduces the security of this MAC tightly to the security of the underlying KEM scheme. Unfortunately, this resulting MAC is not structure-preserving yet (even if the used NIZK proof \(\pi \) is): the message \({M}=\mu \) is a scalar (from \({\mathbb {Z}}_p\)) (Footnote 5).

Abstracting Our Strategy into a Single “core lemma”. We can distill the essence of the security proof of our MAC above into a single “core lemma”. This core lemma forms the heart of our work, and shows how to randomize all tags of our MAC. While this randomization follows a previous paradigm called “adaptive partitioning” (used to prove the tight security of PKE [26, 33] and SPS schemes [6]), our core lemma induces a much smaller reduction loss. The reason for this smaller reduction loss is that previous works on tightly secure schemes (including [6, 26, 33]) conduct their reduction along the individual bits of a certain hash value (or message to be signed). Since this hash value (or message) usually has \(\mathbf{O}(\lambda )\) bits, this induces a hybrid argument of \(\mathbf{O}(\lambda )\) steps, and thus a reduction loss of \(\mathbf{O}(\lambda )\). In contrast, we conduct our security argument along the individual bits of the index of a signing query (i.e., a value from 1 to Q, where Q is the number of signing queries). This index exists only in the security proof, and can thus be considered as an “implicit” way to structure our reduction (Footnote 6).

From MACs to Signatures and Structure-Preserving Signatures. Fortunately, our core lemma can be used to prove not only our MAC scheme, but also a suitable signature and SPS scheme tightly secure. To construct a signature scheme, we can now use a case-tailored (and heavily optimized) version of the generic transformation of Bellare and Goldwasser [12]. In a nutshell, that transformation turns a MAC tag (that requires a secret key to verify) into a publicly verifiable signature by adding a NIZK proof to the tag that proves its validity, relative to a public commitment to the secret key. For our MAC, we only need to prove that the given key K really is of the form \(K=[(\mathbf {k}_0+\mu \mathbf {k}_1)^\top \mathbf {t}]\). This linear statement can be proven with a comparatively simple and efficient NIZK proof \(\pi '\). For \(k=1\), an optimized Groth-Sahai-based implementation of \(\pi \), and an implicit \(\pi '\) (that uses ideas from [38, 40]), the resulting signature scheme will have signatures that contain 14 group elements.

To turn our scheme into an SPS scheme, we need to reconsider the equation \(K=[(\mathbf {k}_0+\mu \mathbf {k}_1)^\top \mathbf {t}]\) from (1). In our MAC (and also in the signature scheme above), we have set \(\mu ={M}\in {\mathbb {Z}}_p\), which we cannot afford to do for an SPS scheme. Our solution consists in choosing a different equation that fulfills the following requirements:

  (a) it is algebraic (in the sense that it integrates a message \({M}\in {\mathbb {G}}\)), and

  (b) it is compatible with our core lemma (so it can be randomized quickly).

For our scheme, we start from the equation

$$\begin{aligned} K=[\mathbf {k}_0^\top \mathbf {t}+\mathbf {k}^\top \begin{pmatrix}{M}\\ 1\end{pmatrix}] \end{aligned}$$
(2)

for uniform keys \(\mathbf {k}_0,\mathbf {k}\). We note that a similar equation has already been used by Kiltz, Pan, and Wee [39] for constructing SPS schemes, although with a very different and non-tight security proof. We can plug this equation into the MAC-to-signature transformation sketched above, to obtain an SPS scheme with only 14 group elements (for \(k=1\)) per signature.

Our security proof will directly rely on our core lemma to first randomize the \(\mathbf {k}_0^\top \mathbf {t}\) part of (2) in all signatures. After that, similar to [39], an information-theoretic argument (that only uses the pairwise independence of the second part of (2), when viewed as a function of \({M}\)) shows security.
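To make the two key equations concrete, the following added example (not code from the paper or its authors) implements the MAC view of equation (1), with \(\mu := M\), and the structure-preserving variant of equation (2), where the tagger only receives the group element \([M]\). It works in a constructed toy group, the order-p subgroup of \(\mathbb {Z}_q^*\) for the safe prime \(q=2p+1\), written multiplicatively; that group has no pairing, so the NIZK proof \(\pi \) is omitted and only the secret-key verification ("does C decrypt to K") from the text is shown. The uniform choice of \(\mathbf {A}_0\) stands in for a \(\mathcal {D}_{2k,k}\) sample and is an assumption of this example.

```python
"""Equations (1) and (2) as a MAC in a toy prime-order group (added example)."""
import random

# Constructed toy group: order-p subgroup of Z_q^* with q = 2p + 1 = 10007, generated
# by g = 4. No pairing, so the NIZK proof pi of the paper is left out. Real parameters
# use a 2*lambda-bit prime p.
q, p, g = 10007, 5003, 4


def enc(x):
    """Implicit notation [x] := g^x (multiplicative here, additive in the paper)."""
    return pow(g, x % p, q)


def gen(k, seed=0):
    """Gen: pp = [A0] for A0 in Z_p^{2k x k}; sk = (k0, k1) in Z_p^{2k} for equation (1)
    and an extra kk in Z_p^2 for equation (2). A0 uniform here (assumption)."""
    rng = random.Random(seed)
    A0 = [[rng.randrange(p) for _ in range(k)] for _ in range(2 * k)]
    pp = [[enc(a) for a in row] for row in A0]
    sk = {"k0": [rng.randrange(p) for _ in range(2 * k)],
          "k1": [rng.randrange(p) for _ in range(2 * k)],
          "kk": [rng.randrange(p) for _ in range(2)]}
    return pp, sk


def commit(pp, rng):
    """[t] = [A0] r for fresh r in Z_p^k, computed from the public [A0] only."""
    r = [rng.randrange(p) for _ in range(len(pp[0]))]
    t_enc = []
    for row in pp:
        tj = 1
        for a_enc, ri in zip(row, r):
            tj = tj * pow(a_enc, ri, q) % q
        t_enc.append(tj)
    return t_enc


def key_scalar(sk, t_enc, mu):
    """Equation (1): K = [(k0 + mu*k1)^T t] from [t] and the secret key, mu := M in Z_p."""
    K = 1
    for j, tj in enumerate(t_enc):
        K = K * pow(tj, (sk["k0"][j] + mu * sk["k1"][j]) % p, q) % q
    return K


def key_group(sk, t_enc, M_enc):
    """Equation (2): K = [k0^T t + kk^T (M, 1)^T], using only the group element [M]."""
    K = 1
    for j, tj in enumerate(t_enc):
        K = K * pow(tj, sk["k0"][j], q) % q
    return K * pow(M_enc, sk["kk"][0], q) * enc(sk["kk"][1]) % q


def tag(pp, sk, msg, rng, structure_preserving=False):
    """Tag: ( [t], K ); msg is mu in Z_p, or [M] when structure_preserving is set."""
    t_enc = commit(pp, rng)
    K = key_group(sk, t_enc, msg) if structure_preserving else key_scalar(sk, t_enc, msg)
    return (t_enc, K)


def ver(pp, sk, msg, tg, structure_preserving=False):
    """Ver: recompute K from [t] with the secret key and compare (pi is not checked)."""
    t_enc, K = tg
    K2 = key_group(sk, t_enc, msg) if structure_preserving else key_scalar(sk, t_enc, msg)
    return K == K2


def demo(k=1):
    """Valid tags verify; the same tag fails for a different message (for both equations)."""
    pp, sk = gen(k)
    rng = random.Random(42)
    tg1 = tag(pp, sk, 1234, rng)                      # equation (1), mu = 1234
    ok1, bad1 = ver(pp, sk, 1234, tg1), ver(pp, sk, 4321, tg1)
    M_enc = enc(777)                                  # equation (2), message [M]
    tg2 = tag(pp, sk, M_enc, rng, True)
    ok2, bad2 = ver(pp, sk, M_enc, tg2, True), ver(pp, sk, enc(778), tg2, True)
    return ok1, bad1, ok2, bad2


if __name__ == "__main__":
    print(demo(1), demo(2))
```

The tag for equation (2) never needs the discrete logarithm of \([M]\): the term \(\mathbf {k}^\top (M,1)^\top \) is obtained as \([M]^{k_1}\cdot g^{k_2}\), which is exactly what makes the equation algebraic in the sense of requirement (a). Verification in both variants still needs \(\mathbf {k}_0\), which is why the paper adds the NIZK proof \(\pi '\) to obtain public verifiability.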

Our basic SPS scheme is unilateral, i.e., its messages are vectors over only one source group of a given pairing. To obtain a bilateral scheme that accepts “mixed” messages over both source groups of an asymmetric pairing, we can use a generic transformation of [39] that yields a bilateral scheme with signatures of 17 group elements (for \(k=1\)).

Table 2. Comparison of the computational efficiency of state-of-the-art SPS schemes (in their most efficient, SXDH-based variants) with our SXDH-based schemes in the unilateral (UL) and bilateral (BL) version. With “PPEs” and “Pairings”, we denote the number of those operations necessary during verification, where “batched” denotes optimized figures obtained by “batching” verification equations [13]. The “\(|{M}|\)” and “Sec. loss” columns have the same meaning as in Table 1. The column “\(|{{\mathbb {G}}_1}|\)” denotes the (bit)size of elements from the first source group in a large but realistic scenario (under some simplifying assumptions), see the discussion in Sect. 1.2. “\(|\sigma |\) (bits)” denotes the resulting overall signature size, where we assume that the bitsize of \({{\mathbb {G}}_2}\) elements is twice the bitsize of \({{\mathbb {G}}_1}\)-elements.

1.2 Related Work and Efficiency Comparison

In this subsection, we compare our work to the closest existing work (namely, the tightly secure SPS scheme of Abe et al. [6]) and other, non-tightly secure SPS schemes.

Comparison to the Work of Abe et al. The state of the art in tightly secure SPS schemes (and in fact currently the only other efficient tightly secure SPS scheme) is the recent work of Abe et al. [6]. Technically, their scheme also uses a tightly secure PKE scheme (in that case [33]) as an inspiration. However, there are also a number of differences in our approaches which explain our improved efficiency and reduction.

First, Abe et al.’s scheme involves more (and more complex) NIZK proofs, since they rather closely follow the PKE scheme from [33]. This leads to larger proofs and thus larger signatures. Instead, our starting point is the much simpler scheme of [26] (which only features one comparatively simple NIZK proof in its ciphertext).

Second, while the construction of Abe et al. is rather monolithic, our construction can be explained as a modification of a simple MAC scheme. Our approach thus allows for a more modular exposition, and in particular we can outsource the core of the reduction into a core lemma (as explained above) that can be applied to MAC, signature, and SPS scheme.

Third, like previous tightly secure schemes (and in particular the PKE schemes of [26, 33]), Abe et al. conduct their security reduction along the individual bits of a certain hash value (or message to be signed). As explained above, our reduction is more economical, and uses a hybrid argument over an “implicit” counter value.

Efficiency Comparison. We give a comparison to other SPS schemes in Table 1. This table shows that our scheme is still significantly less efficient in terms of signature size than existing, non-tightly secure SPS schemes. However, when considering computational efficiency, and when accounting for a larger security loss in the reduction with larger groups, the picture changes.

The currently most efficient non-tightly secure SPS schemes are due to Jutla and Roy [37] and Kiltz, Pan, and Wee [39]. Table 2 compares the computational complexity of their verification operation with the tightly secure SPSs of Abe et al. and our schemes. Now consider a large scenario with \(Q=2^{30}\) signing queries and a target security parameter of \(\lambda =100\). Assume further that we use groups that only allow generic attacks (that require time about the square root of the group size). This means that we should run a scheme in a group of size at least \(2^{2(\lambda +\log L)}\), where L denotes the multiplicative loss of the respective security reduction. Table 2 shows the resulting group sizes in column “\(|{{\mathbb {G}}_1}|\)” (in bits, such that \(|{{\mathbb {G}}_1}|=200\) denotes a group of size \(2^{200}\)).

Now very roughly, the computational complexity of pairings can be assumed to be cubic in the (bit)size of the group [7, 9, 23, 28]. Hence, in the unilateral setting, and assuming an optimized verification implementation (that uses “batching” [13]) the computational efficiency of the verification in our scheme is roughly on par with that in the (non-tightly secure) state-of-the-art scheme of Jutla and Roy [37], even for small messages. For larger messages, our scheme becomes preferable. In the bilateral setting, our scheme is clearly the most efficient known scheme.

Roadmap

We fix some notation and recall some preliminaries in Sect. 2. In Sect. 3, we present our basic MAC and prove it secure (using the mentioned core lemma). In Sects. 4 and 5, we present our signature and SPS schemes. Due to lack of space, for some proofs (including the more technical parts of the proof of the core lemma, and a full proof for the signature scheme) we refer to the full version.

2 Preliminaries

In this section we provide the preliminaries which our paper builds upon. First, we want to give an overview of notation used throughout all sections.

2.1 Notation

By \(\lambda \in \mathbb {N}\) we denote the security parameter. We always employ \(\mathsf {negl}:\mathbb {N}\rightarrow \mathbb {R}_{\ge 0}\) to denote a negligible function, that is, for all polynomials \(p\in \mathbb {N}[X]\) there exists an \(n_0\in \mathbb {N}\) such that \(\mathsf {negl}(n)< 1/p(n)\) for all \(n\ge n_0\). For any set \(\mathcal {S}\), by \(s \leftarrow _{R}\mathcal {S}\) we set s to be a uniformly at random sampled element from \(\mathcal {S}\). For any distribution \(\mathcal {D}\), by \(d\leftarrow \mathcal {D}\) we denote the process of sampling an element d according to the distribution \(\mathcal {D}\). For any probabilistic algorithm \(\mathcal {B}\), by \(\mathrm {out}\leftarrow \mathcal {B}(\mathrm {in})\) we denote the output \(\mathrm {out}\) of \(\mathcal {B}\) on input \(\mathrm {in}\). For a deterministic algorithm we sometimes use the notation \(\mathrm {out}:=\mathcal {B}(\mathrm {in})\) instead. By p we denote a prime throughout the paper. For any element \(m \in \mathbb {Z}_p\), we denote by \(m_i\in \{0,1\}\) the i-th bit of m’s bit representation and by \(m_{|i} \in \{0,1\}^i\) the bit string comprising the first i bits of m’s bit representation.

It is left to introduce some notation regarding matrices. To this end let \(k,\ell \in \mathbb {N}\) such that \(\ell >k\). For any matrix \(\mathbf {A}\in \mathbb {Z}_p^{\ell \times k}\), we write

$$\begin{aligned} {\mathrm {span}}(\mathbf {A}):=\{\mathbf {A}\mathbf {r}\mid \mathbf {r}\in \mathbb {Z}_p^k\}\subset \mathbb {Z}_p^\ell , \end{aligned}$$

to denote the span of \(\mathbf {A}\).

For a full rank matrix \(\mathbf {A}\in \mathbb {Z}_p^{\ell \times k}\) we denote by \(\mathbf {A}^\perp \) a matrix in \(\mathbb {Z}_p^{\ell \times (\ell -k)}\) with \(\mathbf {A}^\top \mathbf {A}^\perp =\mathbf 0 \) and rank \(\ell -k\). We denote the set of all matrices with these properties as

$$\begin{aligned} \mathsf {orth}(\mathbf {A}):=\{\mathbf {A}^\perp \in \mathbb {Z}_p^{\ell \times (\ell -k)}\mid \mathbf {A}^\top \mathbf {A}^\perp =\mathbf 0 \hbox { and }\mathbf {A}^\bot \hbox { has rank }\ell -k\}. \end{aligned}$$

For vectors \(\mathbf {v}\in \mathbb {Z}_p^{k+n}\) (\(n\in \mathbb {N}\)), by \(\overline{\mathbf {v}}\in \mathbb {Z}_p^k\) we denote the vector consisting of the upper k entries of \(\mathbf {v}\) and accordingly by \(\underline{\mathbf {v}}\in \mathbb {Z}_p^n\) we denote the vector consisting of the remaining n entries of \(\mathbf {v}\).

Similarly, for a matrix \(\mathbf {A}\in \mathbb {Z}_p^{2k\times k}\), by \(\overline{\mathbf {A}}\in \mathbb {Z}_p^{k\times k}\) we denote the upper square matrix and by \(\underline{\mathbf {A}}\in \mathbb {Z}_p^{k\times k}\) the lower one.

2.2 Pairing Groups and Matrix Diffie-Hellman Assumptions

Let \({\mathsf {GGen}}\) be a probabilistic polynomial time (PPT) algorithm that on input \(1^\lambda \) returns a description \(\mathcal {PG}=(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,P_1,P_2,e)\) of asymmetric pairing groups where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are cyclic groups of order p for a \(2\lambda \)-bit prime p, \(P_1\) and \(P_2\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and \(e: \mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) is an efficiently computable (non-degenerate) bilinear map. Define \(P_T := e(P_1, P_2)\), which is a generator of \(\mathbb {G}_T\). We use implicit representation of group elements. For \(i \in \{1, 2, T \}\) and \(a \in \mathbb {Z}_p\), we define \([a]_i = a P_i \in \mathbb {G}_i\) as the implicit representation of a in \(\mathbb {G}_i\). Given \([a]_1\), \([b]_2\), one can efficiently compute \([ab]_T\) using the pairing e. For two matrices \(\mathbf {A}\), \(\mathbf {B}\) with matching dimensions, we define \(e([\mathbf {A}]_1, [\mathbf {B}]_2 ) := [\mathbf {A}\mathbf {B}]_T \in \mathbb {G}_T\).

We recall the definitions of the Matrix Decision Diffie-Hellman (MDDH) assumption from [24].

Definition 1

(Matrix distribution). Let \(k,\ell \in \mathbb {N}\), with \(\ell > k\) and p be a \(2\lambda \)-bit prime. We call a PPT algorithm \(\mathcal {D}_{\ell ,k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_p^{\ell \times k}\) of full rank k.

Note that instantiating \(\mathcal {D}_{2,1}\) with a PPT algorithm outputting matrices \(\begin{pmatrix}1\\ a\end{pmatrix}\) for \(a\leftarrow _{R}\mathbb {Z}_p\), \(\mathcal {D}_{2,1}\)-MDDH relative to \(\mathbb {G}_1\) corresponds to the DDH assumption in \(\mathbb {G}_1\). Thus, for \(\mathcal {PG}=(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,P_1, P_2,e)\), assuming \(\mathcal {D}_{2,1}\)-MDDH relative to \(\mathbb {G}_1\) and relative to \(\mathbb {G}_2\), corresponds to the SXDH assumption.

In the following we only consider matrix distributions \(\mathcal {D}_{\ell ,k}\), where for all \(\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}\) the first k rows of \(\mathbf {A}\) form an invertible matrix. We also require that in case \(\ell =2k\) for any two matrices \(\mathbf {A}_0,\mathbf {A}_1\leftarrow _{R}\mathcal {D}_{2k,k}\) the matrix \(({\mathbf {A}}_0\mid {\mathbf {A}}_1 )\) has full rank with overwhelming probability. In the following we will denote this probability by \(1-\varDelta _{\mathcal {D}_{2k,k}}\). Note that if \((\mathbf {A}_0\mid \mathbf {A}_1)\) has full rank, then for any \(\mathbf {A}^\bot _0\in \mathsf {orth}(\mathbf {A}_0)\), \(\mathbf {A}^\bot _1\in \mathsf {orth}(\mathbf {A}_1)\) the matrix \((\mathbf {A}^\bot _0\mid \mathbf {A}^\bot _1)\in \mathbb {Z}_p^{2k\times 2k}\) has full rank as well, as otherwise there would exist a non-zero vector \(\mathbf {v}\in \mathbb {Z}_p^{2k}\backslash \{\mathbf {0}\}\) with \((\mathbf {A}_0\mid \mathbf {A}_1)^\top \mathbf {v}=\mathbf {0}\). Further, by similar reasoning \((\mathbf {A}^\bot _0)^\top \mathbf {A}_1\in \mathbb {Z}_p^{k\times k}\) has full rank.

The \(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman problem in \(\mathbb {G}_i\), for \(i \in \{1,2,T\}\), is to distinguish between tuples of the form \(([\mathbf {A}]_i,[\mathbf {A}\mathbf {w}]_i)\) and \(([\mathbf {A}]_i,[\mathbf {u}]_i)\), for a randomly chosen \(\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}\), \(\mathbf {w}\leftarrow _{R}\mathbb {Z}_p^k\) and \(\mathbf {u}\leftarrow _{R}\mathbb {Z}_p^{\ell }\).

Definition 2

(\(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman \(\mathcal {D}_{\ell ,k}\)-MDDH). Let \(\mathcal {D}_{\ell ,k}\) be a matrix distribution. We say that the \(\mathcal {D}_{\ell ,k}\)-Matrix Diffie-Hellman (\(\mathcal {D}_{\ell ,k}\)-MDDH) assumption holds relative to a prime order group \(\mathbb {G}_i\) for \(i \in \{1,2,T\}\), if for all PPT adversaries \(\mathcal {A}\),

$$\begin{aligned} {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_i,\mathcal {D}_{\ell ,k},\mathcal {A}}}(\lambda ) :=&\left| \Pr [\mathcal {A}(\mathcal {PG},[\mathbf {A}]_i, [\mathbf {A}\mathbf {w}]_i)=1]\right. \\ {}&\left. -\Pr [\mathcal {A}(\mathcal {PG},[\mathbf {A}]_i, [\mathbf {u}]_i) =1] \right| \le \mathsf {negl}(\lambda ), \end{aligned}$$

where the probabilities are taken over \(\mathcal {PG}:= (\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,P_1,P_2) \leftarrow {\mathsf {GGen}}(1^\lambda )\), \(\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}, \mathbf {w}\leftarrow _{R}\mathbb {Z}_p^k, \mathbf {u}\leftarrow _{R}\mathbb {Z}_p^{\ell }\).

For \(Q \in \mathbb {N}\), \(\mathbf {W}\leftarrow _{R}\mathbb {Z}_p^{k \times Q}\) and \(\mathbf {U}\leftarrow _{R}\mathbb {Z}_p^{\ell \times Q}\), we consider the Q-fold \(\mathcal {D}_{\ell ,k}\)-MDDH assumption, which states that distinguishing tuples of the form \(([\mathbf {A}]_i, [\mathbf {A}\mathbf {W}]_i)\) from \(([\mathbf {A}]_i, [\mathbf {U}]_i)\) is hard. That is, a challenge for the Q-fold \(\mathcal {D}_{\ell ,k}\)-MDDH assumption consists of Q independent challenges of the \(\mathcal {D}_{\ell ,k}\)-MDDH assumption (with the same \(\mathbf {A}\) but different randomness \(\mathbf {w}\)). In [24] it is shown that the two problems are equivalent, where the reduction loses at most a factor \(\ell -k\).

Lemma 1

(Random self-reducibility of \(\mathcal {D}_{\ell ,k}\)-MDDH, [24]). Let \(\ell ,k,\) \(Q \in \mathbb {N}\) with \(\ell >k\) and \(Q > \ell -k\) and \(i \in \{1,2,T\}\). For any PPT adversary \(\mathcal {A}\), there exists an adversary \({\mathcal {B}}\) such that \(T({\mathcal {B}}) \approx T(\mathcal {A}) + Q\cdot \mathsf {poly}(\lambda )\) with \(\mathsf {poly}(\lambda )\) independent of \(T(\mathcal {A})\), and

$$\begin{aligned} {\mathrm {Adv}^{Q\text {-}\mathrm{mddh}}_{\mathcal {PG},\mathbb {G}_i,\mathcal {D}_{\ell ,k},\mathcal {A}}}(\lambda ) \le (\ell -k) \cdot {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_i,\mathcal {D}_{\ell ,k},{\mathcal {B}}}}(\lambda ) + \tfrac{1}{p-1}. \end{aligned}$$

Here

$$\begin{aligned}{\mathrm {Adv}^{Q\text {-}\mathrm{mddh}}_{\mathcal {PG},\mathbb {G}_i,\mathcal {D}_{\ell ,k},\mathcal {A}}}(\lambda ) :=&\left| \Pr [\mathcal {A}(\mathcal {PG},[\mathbf {A}]_i, [\mathbf {A}\mathbf {W}]_i)=1]\right. \\ {}&\left. -\Pr [\mathcal {A}(\mathcal {PG},[\mathbf {A}]_i, [\mathbf {U}]_i) =1] \right| ,\end{aligned}$$

where the probability is over \(\mathcal {PG}:= (\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,P_1,P_2) \leftarrow {\mathsf {GGen}}(1^\lambda )\), \(\mathbf {A}\leftarrow _{R}\mathcal {D}_{\ell ,k}, \mathbf {W}\leftarrow _{R}\mathbb {Z}_p^{k \times Q}\) and \(\mathbf {U}\leftarrow _{R}\mathbb {Z}_p^{\ell \times Q}\).

For \(k\in \mathbb {N}\) we define \(\mathcal {D}_{k}:=\mathcal {D}_{k+1,k}\).

The Kernel-Diffie-Hellman assumption \(\mathcal {D}_{k}\)-KMDH [45] is a natural computational analogue of the \(\mathcal {D}_k\)-MDDH Assumption.

Definition 3

(\(\mathcal {D}_{k}\)-Kernel Diffie-Hellman assumption \(\mathcal {D}_{k}\)-KMDH). Let \(\mathcal {D}_{k}\) be a matrix distribution. We say that the \(\mathcal {D}_{k}\)-Kernel Diffie-Hellman (\(\mathcal {D}_{k}\)-KMDH) assumption holds relative to a prime order group \(\mathbb {G}_i\) for \(i \in \{1,2\}\) if for all PPT adversaries \(\mathcal {A}\),

$$\begin{aligned}{\mathrm {Adv}^\mathrm{kmdh}_{\mathcal {PG},\mathbb {G}_i,\mathcal {D}_{\ell ,k},\mathcal {A}}}(\lambda )&:= \Pr [ \mathbf {c}^\top \mathbf {A}= \mathbf {0} \wedge \mathbf {c}\ne \mathbf {0} \mid [\mathbf {c}]_{3-i} \leftarrow _{R}\mathcal {A}(\mathcal {PG},[\mathbf {A}]_i)] \\&~\le \mathsf {negl}(\lambda ), \end{aligned}$$

where the probabilities are taken over \(\mathcal {PG}:= (\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,p,P_1,P_2) \leftarrow {\mathsf {GGen}}(1^\lambda )\), and \(\mathbf {A}\leftarrow _{R}\mathcal {D}_{k}\).

Note that we can use a non-zero vector in the kernel of \(\mathbf {A}\) to test membership in the column space of \(\mathbf {A}\). This means that the \(\mathcal {D}_k\)-KMDH assumption is a relaxation of the \(\mathcal {D}_k\)-MDDH assumption, as captured in the following lemma from [45].
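The matrix notation of Sect. 2.1 (\({\mathrm {span}}\), \(\mathsf {orth}\), \((\mathbf {A}_0\mid \mathbf {A}_1)\)), the rank facts stated after Definition 1, and the kernel-based span test behind Lemma 2 are all plain linear algebra over \(\mathbb {Z}_p\), so the following added example (not code from the paper or its authors) works them out with a small Gaussian elimination. The prime p and the \(\mathcal {D}_{2k,k}\) stand-in (identity upper block, uniform lower block) are constructed for illustration; the ranks are computed in the exponent, i.e. on the matrices themselves rather than on their implicit representations.

```python
"""Matrix notation of Sect. 2.1 and rank facts of Sect. 2.2 over Z_p (added example)."""
import random

p = 10007  # constructed toy prime; the paper uses a 2*lambda-bit prime


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % p
             for j in range(len(B[0]))] for i in range(len(A))]


def hcat(A, B):
    """(A | B): the two matrices side by side."""
    return [ra + rb for ra, rb in zip(A, B)]


def rref(A):
    """Reduced row echelon form over Z_p; returns (matrix, pivot columns)."""
    M = [row[:] for row in A]
    rows, cols, pivots, r = len(M), len(M[0]), [], 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if M[i][c] % p), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)          # field inverse, p prime
        M[r] = [x * inv % p for x in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    return M, pivots


def rank(A):
    return len(rref(A)[1])


def right_kernel(A):
    """Basis of {c : A c = 0}, one vector per free column of rref(A)."""
    M, pivots = rref(A)
    basis = []
    for free in (c for c in range(len(A[0])) if c not in pivots):
        v = [0] * len(A[0])
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-M[i][free]) % p
        basis.append(v)
    return basis


def orth(A):
    """An A^perp in orth(A): ell x (ell-k), A^T A^perp = 0, rank ell-k
    (its columns are a basis of the right kernel of A^T)."""
    return transpose(right_kernel(transpose(A)))


def in_span(A, u):
    """Span test via kernel vectors, as in the KMDH discussion:
    u in span(A)  iff  c^T u = 0 for every column c of A^perp."""
    P = orth(A)
    return all(sum(P[i][j] * u[i] for i in range(len(u))) % p == 0
               for j in range(len(P[0])))


def sample_D2kk(k, rng):
    """Constructed D_{2k,k}: identity upper k x k block (invertible, as required),
    uniform lower block."""
    upper = [[int(i == j) for j in range(k)] for i in range(k)]
    lower = [[rng.randrange(p) for _ in range(k)] for _ in range(k)]
    return upper + lower


def rank_facts(k, seed=1):
    """(A0|A1) full rank <=> (A0^perp|A1^perp) full rank <=> (A0^perp)^T A1 full rank."""
    rng = random.Random(seed)
    A0, A1 = sample_D2kk(k, rng), sample_D2kk(k, rng)
    P0, P1 = orth(A0), orth(A1)
    ell = 2 * k
    perp_ok = (matmul(transpose(A0), P0) == [[0] * (ell - k) for _ in range(k)]
               and rank(P0) == ell - k)
    full = rank(hcat(A0, A1)) == ell
    full_perp = rank(hcat(P0, P1)) == ell
    cross = rank(matmul(transpose(P0), A1)) == k
    return perp_ok, full, full_perp, cross


def membership_demo(k, seed=2):
    """Kernel test accepts A w and agrees with a direct rank test on a uniform u."""
    rng = random.Random(seed)
    A = sample_D2kk(k, rng)
    w = [[rng.randrange(p)] for _ in range(k)]
    Aw = [row[0] for row in matmul(A, w)]
    u = [rng.randrange(p) for _ in range(2 * k)]
    direct = lambda v: rank(hcat(A, [[x] for x in v])) == rank(A)
    return in_span(A, Aw), in_span(A, u) == direct(u)


if __name__ == "__main__":
    print(rank_facts(1), rank_facts(2), membership_demo(2))
```

In a pairing group the same test is run on implicit representations: with \([\mathbf {c}]_{3-i}\) for a column \(\mathbf {c}\) of \(\mathbf {A}^\bot \), the check \(e([\mathbf {u}]_i,[\mathbf {c}]_{3-i}) = [\mathbf {c}^\top \mathbf {u}]_T = [0]_T\) decides \(\mathbf {u}\in {\mathrm {span}}(\mathbf {A})\) without knowing \(\mathbf {u}\) or \(\mathbf {c}\) in the clear, which is why a KMDH solver immediately breaks MDDH (Lemma 2).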

Lemma 2

([45]). For any matrix distribution \(\mathcal {D}_k\), \(\mathcal {D}_k\)-MDDH \(\Rightarrow \) \(\mathcal {D}_k\)-KMDH.

2.3 Signature Schemes and Message Authentication Codes

Definition 4

(MAC). A message authentication code (MAC) is a tuple of PPT algorithms \(\mathsf {MAC}:=({\mathsf {Gen}},{\mathsf {Tag}},{\mathsf {Ver}})\) such that:

  • \({\mathsf {Gen}}(1^\lambda )\): on input of the security parameter, generates public parameters \( pp \) and a secret key \({ sk }\).

  • \({\mathsf {Tag}}( pp ,{ sk }, m)\): on input of public parameters \( pp \), the secret key \({ sk }\) and a message \(m \in \mathcal {M}\), returns a tag \(\mathsf {tag}\).

  • \({\mathsf {Ver}}( pp ,{{ sk }},m,\mathsf {tag})\): verifies the tag \(\mathsf {tag}\) for the message m, outputting a bit \(b=1\) if \(\mathsf {tag}\) is valid respective to m, and 0 otherwise.

We say \(\mathsf {MAC}\) is perfectly correct, if for all \(\lambda \in \mathbb {N}\), all \(m \in \mathcal {M}\) and all \(( pp ,{ sk }) \leftarrow {\mathsf {Gen}}(1^\lambda )\) we have

$$\begin{aligned} {\mathsf {Ver}}( pp ,{{ sk }},m,{\mathsf {Tag}}( pp ,{ sk },m))=1. \end{aligned}$$

Definition 5

(\(\mathsf {UF}\text {-}\mathsf {CMA}\) security). Let \(\mathsf {MAC}:=({\mathsf {Gen}},{\mathsf {Tag}},{\mathsf {Ver}})\) be a MAC. For any adversary \(\mathcal {A}\), we define the following experiment:

[Figure a: the \(\mathsf {UF}\text {-}\mathsf {CMA}\) experiment for \(\mathsf {MAC}\), in which \(\mathcal {A}\) interacts with the oracle \(\textsc {VerO}\); not rendered on this page.]

The adversary is restricted to one call to \(\textsc {VerO}\). We say that a MAC scheme \(\mathsf {MAC}\) is \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure, if for all PPT adversaries \(\mathcal {A}\),

Note that in our notion of \(\mathsf {UF}\text {-}\mathsf {CMA}\) security, the adversary gets only one forgery attempt. This is due to the fact that we employ the MAC primarily as a building block for our signature. Our notion suffices for this purpose, as an adversary can check the validity of a signature itself.

Definition 6

(Signature). A signature scheme is a tuple of PPT algorithms \(\mathsf {SIG}:=({\mathsf {Gen}},{\mathsf {Sign}},{\mathsf {Ver}})\) such that:

  • \({\mathsf {Gen}}(1^\lambda )\): on input of the security parameter, generates a pair \(({ pk },{ sk })\) of keys.

  • \({\mathsf {Sign}}({ pk },{ sk }, m)\): on input of the public key \({ pk }\), the secret key \({ sk }\) and a message \(m \in \mathcal {M}\), returns a signature \(\sigma \).

  • \({\mathsf {Ver}}({ pk },m,\sigma )\): verifies the signature \(\sigma \) for the message m, outputting a bit \(b=1\) if \(\sigma \) is valid respective to m, and 0 otherwise.

We say that \(\mathsf {SIG}\) is perfectly correct, if for all \(\lambda \in \mathbb {N}\), all \(m \in \mathcal {M}\) and all \(({ pk },{ sk }) \leftarrow {\mathsf {Gen}}(1^\lambda )\),

$$\begin{aligned} {\mathsf {Ver}}({ pk },m,{\mathsf {Sign}}({ pk },{ sk },m))=1. \end{aligned}$$

In bilinear pairing groups, we say a signature scheme \(\mathsf {SIG}\) is structure-preserving if its public keys, messages, and signatures contain only group elements and verification proceeds via only a set of pairing product equations.

Definition 7

(\(\mathsf {UF}\text {-}\mathsf {CMA}\) security). For a signature scheme \(\mathsf {SIG}:=({\mathsf {Gen}}, {\mathsf {Sign}},\) \({\mathsf {Ver}})\) and any adversary \(\mathcal {A}\), we define the following experiment:

[Figure b: the \(\mathsf {UF}\text {-}\mathsf {CMA}\) experiment \({\mathrm {Exp}}^\mathrm{{uf}\text {-}\mathrm {cma}}_{\mathsf {SIG},\mathcal {A}}(\lambda )\) for \(\mathsf {SIG}\); not rendered on this page.]

We say that a signature scheme \(\mathsf {SIG}\) is \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure, if for all PPT adversaries \(\mathcal {A}\),

$$\begin{aligned} {\mathrm {Adv}^\mathrm{\mathrm {uf}\text {-}\mathrm {cma}}_{\mathsf {SIG},\mathcal {A}}}(\lambda ):= \mathrm {Pr}[{\mathrm {Exp}}^\mathrm{{uf}\text {-}\mathrm {cma}}_{\mathsf {SIG},\mathcal {A}}(\lambda )=1] \le \mathsf {negl}(\lambda ). \end{aligned}$$

2.4 Non-interactive Zero-Knowledge Proof (NIZK)

The notion of a non-interactive zero-knowledge proof was introduced in [15]. In the following we present the definition from [32]. Non-interactive zero-knowledge proofs will serve as a crucial building block for our constructions.

Definition 8

(Non-interactive zero-knowledge proof [32]). We consider a family of languages \({\mathcal {L}}=\{{{\mathcal {L}}}_{{ pars }}\}\) with efficiently computable witness relation \({\mathcal {R}_{{\mathcal {L}}}}\). A non-interactive zero-knowledge proof for \({\mathcal {L}}\) is a tuple of PPT algorithms \(\mathsf {PS}:=(\mathsf {PGen}, \mathsf {PTGen}, \mathsf {PPrv}, \mathsf {PVer}, \mathsf {PSim})\) such that:

  • \(\mathsf {PGen}(1^\lambda ,{ pars })\) generates a common reference string \( crs \).

  • \(\mathsf {PTGen}(1^\lambda ,{ pars })\) generates a common reference string \( crs \) and additionally a trapdoor \( td \).

  • \(\mathsf {PPrv}( crs , x, w)\) given a word \(x\in {\mathcal {L}}\) and a witness w with \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), outputs a proof \(\varPi \in \mathcal {P}\).

  • \(\mathsf {PVer}( crs ,x,\varPi )\) on input \( crs \), \(x\in \mathcal {X}\) and \(\varPi \) outputs a verdict \(b\in \{0,1\}\).

  • \(\mathsf {PSim}( crs , td ,x)\) given a \( crs \) with corresponding trapdoor \( td \) and a word \(x\in \mathcal {X}\), outputs a proof \(\varPi \).

Further we require the following properties to hold.

  • Completeness: For all possible public parameters \({ pars }\), for all words \(x~\in ~{\mathcal {L}}\), and all witnesses w such that \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), we have

    $$\begin{aligned} \Pr [\mathsf {PVer}( crs ,x,\varPi )=1]=1, \end{aligned}$$

    where the probability is taken over \( crs \leftarrow \mathsf {PGen}(1^\lambda ,{ pars })\) and \(\varPi \leftarrow \mathsf {PPrv}( crs ,x,w)\).

  • Composable zero-knowledge\(^\star \): For all PPT adversaries \(\mathcal {A}\) we have that

    $$\begin{aligned}{\mathrm {Adv}^\mathrm{keygen}_{\mathsf {PS},\mathcal {A}}}(\lambda ) :=&\left| \Pr [\mathcal {A}{}(1^{\lambda }, crs )=1\mid crs \leftarrow \mathsf {PGen}(1^{\lambda },{ pars })]\right. \\ {}&\left. -\Pr [\mathcal {A}{}(1^{\lambda }, crs )=1\mid ( crs , td )\leftarrow \mathsf {PTGen}(1^{\lambda },{ pars })]\right| \end{aligned}$$

    is negligible in \(\lambda \).

    Further for all public parameters \({ pars }\), all pairs \(( crs , td )\) in the range of \(\mathsf {PTGen}(1^\lambda )\), all words \(x\in {\mathcal {L}}\), and all witnesses w with \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), we have that the outputs of

    $$\begin{aligned} \mathsf {PPrv}( crs ,x,w) \text{ and } \mathsf {PSim}( crs , td ,x) \end{aligned}$$

    are statistically indistinguishable.

  • Perfect soundness: For all \( crs \) in the range of \(\mathsf {PGen}(1^\lambda ,{ pars })\), for all words \(x\notin {\mathcal {L}}\) and all proofs \(\varPi \) it holds \(\mathsf {PVer}( crs ,x,\varPi )=0\).

Fig. 1. NIZK argument for \(\mathcal {L}^\vee _{\mathbf {A}_0,\mathbf {A}_1}\) [31, 46].

Remark. We will employ a weaker notion of composable zero-knowledge in the following. Namely:

  • Composable zero-knowledge: For a PPT adversary \(\mathcal {A}\), we define

    $$\begin{aligned} {\mathrm {Adv}^\mathrm{zk}_{\mathsf {PS},\mathcal {A}}}(\lambda ) := \bigg | \Pr \left[ b' = b \left| \begin{array}{l} crs _0\leftarrow _{R}\mathsf {PGen}(1^\lambda ,{ pars }); \\ ( crs _1, td ) \leftarrow _{R}\mathsf {PTGen}(1^\lambda ,{ pars });\\ b \leftarrow _{R}\{0,1\}; \\ b' \leftarrow _{R}\mathcal {A}^{\textsc {Prove}(\cdot ,\cdot )}(1^\lambda , crs _b) \end{array} \right. \right] - \tfrac{1}{2} \bigg |. \end{aligned}$$

    Here \(\textsc {Prove}(x,w)\) returns \(\bot \) if \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=0\) or \(\varPi _b\) if \({\mathcal {R}_{{\mathcal {L}}}}(x,w)=1\), where \(\varPi _0 \leftarrow _{R}\mathsf {PPrv}( crs _0,x,w)\) and \(\varPi _1 \leftarrow _{R}\mathsf {PSim}( crs _1, td ,x)\). We say that \(\mathsf {PS}\) satisfies composable zero-knowledge if \({\mathrm {Adv}^\mathrm{zk}_{\mathsf {PS},\mathcal {A}}}(\lambda ) \) is negligible in \(\lambda \) for all PPT \(\mathcal {A}\).

Note that the original definition of composable zero-knowledge tightly implies our definition of composable zero-knowledge. We choose to work with the latter in order to simplify the presentation of our proofs. Note that for working with this definition in the tightness setting, it is crucial that \({\mathrm {Adv}^\mathrm{zk}_{\mathsf {PS},\mathcal {A}}}(\lambda )\) is independent of the number of queries to the oracle \(\textsc {Prove}\).

2.5 NIZK for Our OR-language

In this section we recall an instantiation of a NIZK for an OR-language that is implicitly given in [31, 46]. This NIZK is a crucial part of all our constructions, since it allows us to employ the randomization techniques from [6, 26, 33] and thereby obtain a tight security reduction.

Public Parameters. Let \(\mathcal {PG}\leftarrow {\mathsf {GGen}}(1^\lambda )\). Let \(k\in \mathbb {N}\). Let \(\mathbf {A}_0,\mathbf {A}_1\leftarrow _{R}\mathcal {D}_{2k,k}\). We define the public parameters to comprise

We consider \(k\in \mathbb {N}\) to be chosen ahead of time, fixed and implicitly known to all algorithms.

OR-Proof ([31, 46]). In Fig. 1 we present a non-interactive zero-knowledge proof for the OR-language

Note that this OR-proof is implicitly given in [31, 46]. We recall the proof in the full version.

Lemma 3

If the \(\mathcal {D}_k\)-MDDH assumption holds in the group \(\mathbb {G}_2\), then the proof system as defined in Fig. 1 is a non-interactive zero-knowledge proof for \(\mathcal {L}^\vee _{\mathbf {A}_0,\mathbf {A}_1}\). More precisely, for every adversary \(\mathcal {A}\) attacking the composable zero-knowledge property of \(\mathsf {PS}\), we obtain an adversary \({\mathcal {B}}\) with \(T({\mathcal {B}})\approx T(\mathcal {A})+{Q}_{\mathsf {prove}}\cdot \mathsf {poly}(\lambda )\) and

$$\begin{aligned} {\mathrm {Adv}^\mathrm{zk}_{\mathsf {PS},\mathcal {A}}}(\lambda )\le {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_2,\mathcal {D}_{k},{\mathcal {B}}}}(\lambda ). \end{aligned}$$

3 Tightly Secure Message Authentication Code Scheme

Let \(k\in \mathbb {N}\) and let \(\mathsf {PS}:=(\mathsf {PGen},\mathsf {PTGen},\mathsf {PPrv},\mathsf {PSim})\) be a non-interactive zero-knowledge proof for \(\mathcal {L}^\vee _{\mathbf {A}_0,\mathbf {A}_1}\) as defined in Sect. 2.5. In Fig. 2 we provide a MAC \(\mathsf {MAC}:=({\mathsf {Gen}},{\mathsf {Tag}},{\mathsf {Ver}})\) whose security can be tightly reduced to the \(\mathcal {D}_{2k,k}\)-MDDH assumption and the security of the underlying proof system \(\mathsf {PS}\).

Fig. 2. Tightly secure MAC \(\mathsf {MAC}:=({\mathsf {Gen}},{\mathsf {Tag}},{\mathsf {Ver}})\) from the \(\mathcal {D}_{2k,k}\)-MDDH assumption.

Instead of directly proving \(\mathsf {UF}\text {-}\mathsf {CMA}\) security of our MAC, we will first provide our so-called core lemma, which captures the essential randomization technique from [6, 26, 33]. We can employ this lemma to prove the security of our MAC and (structure-preserving) signature schemes. Essentially, the core lemma shows that the term \([\mathbf {k}_0^\top \mathbf {t}]_1\) is pseudorandom. We give the corresponding formal experiment in Fig. 3.

Fig. 3. Experiment for the core lemma. Here, \(\mathbf {F}: \mathbb {Z}_p \rightarrow \mathbb {Z}^{2k}_p\) is a random function computed on the fly. We highlight the difference between \({\mathrm {Exp}}^\mathrm {core}_{0,\mathcal {A}}\) and \({\mathrm {Exp}}^\mathrm {core}_{1,\mathcal {A}}\) in gray.

Lemma 4

(Core lemma). If the \(\mathcal {D}_{2k,k}\)-MDDH assumption holds in \(\mathbb {G}_1\) and the tuple of algorithms \(\mathsf {PS}:=(\mathsf {PGen},\mathsf {PTGen},\mathsf {PPrv},\mathsf {PVer})\) is a non-interactive zero-knowledge proof system for \(\mathcal {L}^\vee _{\mathbf {A}_0,\mathbf {A}_1}\), then going from experiment \({\mathrm {Exp}}^\mathrm {core}_{0,\mathcal {A}}(\lambda )\) to \({\mathrm {Exp}}^\mathrm {core}_{1,\mathcal {A}}(\lambda )\) can (up to negligible terms) only increase the winning chances of an adversary. More precisely, for every adversary \(\mathcal {A}\), there exist adversaries \({\mathcal {B}}\), \({\mathcal {B}}^\prime \) with running time \(T({\mathcal {B}}) \approx T({\mathcal {B}}^\prime ) \approx T(\mathcal {A}) + Q\cdot \mathsf {poly}(\lambda )\) such that

$$\begin{aligned} {\mathrm {Adv}^\mathrm{core}_{0,\mathcal {A}}}(\lambda ) \le {\mathrm {Adv}^\mathrm{core}_{1,\mathcal {A}}}(\lambda )+ \varDelta ^{\mathrm {core}}_{\mathcal {A}}(\lambda ), \end{aligned}$$

where

$$\begin{aligned} \varDelta ^{\mathrm {core}}_{\mathcal {A}}(\lambda ):=&(4k \lceil \log Q \rceil +2)\cdot {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_1,\mathcal {D}_{2k,k},{\mathcal {B}}}}(\lambda )\\ {}&+(2\lceil \log Q \rceil +2)\cdot {\mathrm {Adv}^\mathrm{ZK}_{\mathsf {PS},{\mathcal {B}}^\prime }}(\lambda ) \\ {}&+\lceil \log Q \rceil \cdot \varDelta _{\mathcal {D}_{2k,k}}+ \tfrac{4\lceil \log Q \rceil +2}{p-1} + \tfrac{\lceil \log Q \rceil \cdot Q}{p}.\end{aligned}$$

Recall that by definition of the distribution \(\mathcal {D}_{2k,k}\) (Sect. 2.2), the term \(\varDelta _{\mathcal {D}_{2k,k}}\) is statistically small.

Proof Outline. Since the proof of Lemma 4 is rather complex, we first outline our strategy. Intuitively, our goal is to randomize the term \(u'\) used by oracles \(\textsc {TagO}\) and \(\textsc {VerO}\) (i.e., to change this term from \(\mathbf {k}_0^\top \mathbf {t}\) to \((\mathbf {k}_0+\mathbf {F}(\mathsf {ctr}))^\top \mathbf {t}\) for a truly random function \(\mathbf {F}\)). In this, it will also be helpful to change the distribution of \(\mathbf {t}\in {\mathbb {Z}}_p^{2k}\) in tags handed out by \(\textsc {TagO}\) as needed. (Intuitively, changing \(\mathbf {t}\) can be justified with the \(\mathcal {D}_{2k,k}\)-MDDH assumption, but we can only rely on the soundness of \(\mathsf {PS}\) if \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\cup {\mathrm {span}}(\mathbf {A}_1)\). In other words, we may assume that \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\cup {\mathrm {span}}(\mathbf {A}_1)\) for any of \(\mathcal {A}\)’s \(\textsc {VerO}\) queries, but only if the same holds for all \(\mathbf {t}\) chosen by \(\textsc {TagO}\).)

We will change \(u'\) using a hybrid argument, where in the i-th hybrid we set \(u'=(\mathbf {k}_0+\mathbf {F}_i(\mathsf {ctr}_{|i}))^\top \mathbf {t}\) for a random function \(\mathbf {F}_i\) on i-bit prefixes, and the i-bit prefix \(\mathsf {ctr}_{|i}\) of \(\mathsf {ctr}\). (That is, we introduce more and more dependencies on the bits of \(\mathsf {ctr}\).) To move from hybrid i to hybrid \(i+1\), we proceed again along a series of hybrids (outsourced into the full version), and perform the following modifications:

  • Partitioning. First, we choose \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_{\mathsf {ctr}_{i+1}})\) in \(\textsc {VerO}\), where \(\mathsf {ctr}_{i+1}\) is the \((i+1)\)-th bit of \(\mathsf {ctr}\). As noted above, this change can be justified with the \(\mathcal {D}_{2k,k}\)-MDDH assumption, and we may still assume \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_0)\cup {\mathrm {span}}(\mathbf {A}_1)\) in every \(\textsc {TagO}\) query from \(\mathcal {A}\).

  • Decoupling. At this point, the values \(u'\) computed in \(\textsc {TagO}\) and \(\textsc {VerO}\) are either of the form \(u'=(\mathbf {k}_0+\mathbf {F}_i(\mathsf {ctr}_{|i}))^\top \mathbf {A}_0\mathbf {r}\) or \(u'=(\mathbf {k}_0+\mathbf {F}_i(\mathsf {ctr}_{|i}))^\top \mathbf {A}_1\mathbf {r}\) (depending on \(\mathbf {t}\)). Since \(\mathbf {F}_i:\{0,1\}^i\rightarrow {\mathbb {Z}}_p^{2k}\) is truly random, and the matrix \(\mathbf {A}_0||\mathbf {A}_1\in {\mathbb {Z}}_p^{2k\times 2k}\) has linearly independent columns (with overwhelming probability), the two possible subterms \(\mathbf {F}_i(\mathsf {ctr}_{|i})^\top \mathbf {A}_0\) and \(\mathbf {F}_i(\mathsf {ctr}_{|i})^\top \mathbf {A}_1\) are independent. Thus, switching to \(u'=(\mathbf {k}_0+\mathbf {F}_{i+1}(\mathsf {ctr}_{|i+1}))^\top \mathbf {t}\) does not change \(\mathcal {A}\)’s view at all.

After these modifications (and resetting \(\mathbf {t}\)), we have arrived at the \((i+1)\)-th hybrid, which completes the proof. However, this outline neglects a number of details, including a proper treatment of the \(\mathsf {PS}\) proofs, and a careful discussion of the decoupling step. In particular, an additional complication arises in this step from the fact that an adversary may choose \(\mathbf {t}\in {\mathrm {span}}(\mathbf {A}_b)\) for an arbitrary bit b not related to any specific \(\mathsf {ctr}\). This difficulty is the reason for the somewhat surprising “\(\exists \mathsf {ctr}'\le \mathsf {ctr}\)” clause in \(\textsc {VerO}\).

Proof

(of Lemma 4). We proceed via a series of hybrid games \(\mathsf {G}_{0},\ldots ,\mathsf {G}_{3.\lceil \log Q\rceil }\), described in Fig. 4, and we denote by \(\varepsilon _i\) the advantage of \(\mathcal {A}\) to win \(\mathsf {G}_{i}\), that is \(\Pr [\mathsf {G}_{i}(\mathcal {A},1^\lambda )=1]\), where the probability is taken over the random coins of \(\mathsf {G}_{i}\) and \(\mathcal {A}\).

Fig. 4. Games \(\mathsf {G}_{0},\mathsf {G}_{1},\mathsf {G}_{2},\mathsf {G}_{3.i}\) for \(i\in \{0,\ldots ,\lceil \log Q\rceil -1\}\), for the proof of the core lemma (Lemma 4). \(\mathbf {F}_i: \{0,1\}^i \rightarrow \mathbb {Z}_p^{2k}\) denotes a random function, and \(\mathsf {ctr}_{|i}\) denotes the i-bit prefix of the counter \(\mathsf {ctr}\) written in binary. In each procedure, the components inside a solid (dotted, gray) frame are only present in the games marked by a solid (dotted, gray) frame.

We have \(\mathsf {G}_{0}={\mathrm {Exp}}^\mathrm {core}_{0,\mathcal {A}}(\lambda )\) and thus by definition:

$$\begin{aligned} \varepsilon _0={\mathrm {Adv}^\mathrm{core}_{0,\mathcal {A}}}(\lambda ). \end{aligned}$$

Game \(\mathsf {G}_{1}\) is as \(\mathsf {G}_{0}\), except that \( crs \) is generated by \(\mathsf {PTGen}\) and the proofs computed by \(\textsc {TagO}\) are generated using \(\mathsf {PSim}\) instead of \(\mathsf {PPrv}\). This change is justified by the zero-knowledge property of \(\mathsf {PS}\). Namely, let \(\mathcal {A}\) be an adversary distinguishing between \(\mathsf {G}_{0}\) and \(\mathsf {G}_{1}\). Then we can construct an adversary \({\mathcal {B}}\) on the composable zero-knowledge property of \(\mathsf {PS}\) as follows. The adversary \({\mathcal {B}}\) follows \(\mathsf {G}_{0}\), except that it uses the \( crs \) obtained from its own experiment instead of calling \(\mathsf {PGen}\). \({\mathcal {B}}\) answers tag queries following the tag oracle, but instead of computing \(\varPi \) itself it asks its own oracle \(\textsc {Prove}\). Thus \({\mathcal {B}}\) simulates \(\mathsf {G}_{0}\) in case it was given a real \( crs \), and it simulates \(\mathsf {G}_{1}\) in case it was given a \( crs \) generated by \(\mathsf {PTGen}\). Hence \({\mathcal {B}}\) satisfies \(T({\mathcal {B}}) \approx T(\mathcal {A}) + Q \cdot \mathsf {poly}(\lambda )\) and

$$\begin{aligned} |\varepsilon _0 - \varepsilon _1| \le {\mathrm {Adv}^\mathrm{ZK}_{\mathsf {PS},{\mathcal {B}}}}(\lambda ). \end{aligned}$$

In game \(\mathsf {G}_{2}\) we switch \([\mathbf {t}]_1\) to uniformly random over \(\mathbb {G}_1^{2k}\) by applying the \(\mathcal {D}_{2k,k}\)-MDDH assumption. More precisely, let \(\mathcal {A}\) be an adversary distinguishing between \(\mathsf {G}_{1}\) and \(\mathsf {G}_{2}\) and let \({\mathcal {B}}\) be an adversary given a Q-fold \(\mathcal {D}_{2k,k}\)-MDDH challenge \((\mathcal {PG},[\mathbf {A}_0]_1,[\mathbf {z}_1]_1,\dots ,[\mathbf {z}_Q]_1)\) as input. Now \({\mathcal {B}}\) sets up the game for \(\mathcal {A}\) as in \(\mathsf {G}_{1}\), but instead of choosing \(\mathbf {A}_0\leftarrow _{R}\mathcal {D}_{2k,k}\) itself, it uses its challenge matrix \([\mathbf {A}_0]_1\) as part of the public parameters \({ pars }\). Further, to answer tag queries \({\mathcal {B}}\) sets \([\mathbf {t}_i]_1:=[\mathbf {z}_i]_1\) and computes the rest accordingly. This is possible since, from game \(\mathsf {G}_{1}\) on, the proof \(\varPi \) is simulated, so no witness \(\mathbf {r}\) with \(\mathbf {t}_i=\mathbf {A}_0\mathbf {r}\) is needed. In case \({\mathcal {B}}\) was given a real \(\mathcal {D}_{2k,k}\)-challenge, it simulates \(\mathsf {G}_{1}\), and otherwise \(\mathsf {G}_{2}\). Lemma 1 yields the existence of an adversary \({\mathcal {B}}_1\) with \(T({\mathcal {B}}_1) \approx T(\mathcal {A})+ Q \cdot \mathsf {poly}(\lambda )\) and

$$\begin{aligned} |\varepsilon _1-\varepsilon _2|\le k\cdot {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_1,\mathcal {D}_{2k,k},{\mathcal {B}}_1}}(\lambda )+\tfrac{1}{p-1}. \end{aligned}$$

Since for all \(\mathsf {ctr}\in \mathbb {N}\) we have \(\mathbf {F}_0(\mathsf {ctr}_{|0})=\mathbf {F}_0(\epsilon )\), and since \(\mathbf {k}_0\) is distributed identically to \(\mathbf {k}_0+\mathbf {F}_0(\epsilon )\) for \(\mathbf {k}_0\leftarrow _{R}\mathbb {Z}_p^{2k}\), we have

$$\begin{aligned} \varepsilon _2=\varepsilon _{3.0}. \end{aligned}$$

For the proof of the transition from \(\mathsf {G}_{3.i}\) to \(\mathsf {G}_{3.(i+1)}\) we refer to the full version. We obtain: for every adversary \(\mathcal {A}\) there exist adversaries \({\mathcal {B}}_i\), \({\mathcal {B}}^\prime _i\) such that \(T({\mathcal {B}}_i) \approx T({\mathcal {B}}^\prime _i) \approx T(\mathcal {A}) + Q\cdot \mathsf {poly}(\lambda )\), and

$$\begin{aligned}\varepsilon _{3.i} \le&\varepsilon _{3.(i+1)}+4k \cdot {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_1,\mathcal {D}_{2k,k},{\mathcal {B}}_i}}(\lambda )+2{\mathrm {Adv}^\mathrm{ZK}_{\mathsf {PS},{\mathcal {B}}_i^\prime }}(\lambda )\\ {}&+\varDelta _{\mathcal {D}_{2k,k}}+ \tfrac{4}{p-1} + \tfrac{Q}{p}. \end{aligned}$$

It is left to reverse the changes introduced in the transitions from game \(\mathsf {G}_{0}\) to game \(\mathsf {G}_{2}\) to end up at the experiment \({\mathrm {Exp}}^\mathrm {core}_{1,\mathcal {A}}(1^\lambda )\).

In order to do so, we introduce an intermediary game \(\mathsf {G}_{4}\), where we set \([\mathbf {t}]_1:=[\mathbf {A}_0]_1\mathbf {r}\) for \(\mathbf {r}\leftarrow _{R}\mathbb {Z}_p^k\). This corresponds to reversing the transition \(\mathsf {G}_{1}\rightsquigarrow \mathsf {G}_{2}\). By the same reasoning, for every adversary \(\mathcal {A}\) we thus obtain an adversary \({\mathcal {B}}_{3.\lceil \log Q \rceil }\) with \(T({\mathcal {B}}_{3.\lceil \log Q \rceil }) \approx T(\mathcal {A})+ Q \cdot \mathsf {poly}(\lambda )\) such that

$$\begin{aligned} |\varepsilon _{3.\lceil \log Q \rceil }-\varepsilon _4|\le k\cdot {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_1,\mathcal {D}_{2k,k},{\mathcal {B}}_{3.\lceil \log Q \rceil }}}(\lambda )+\tfrac{1}{p-1}. \end{aligned}$$

As \([\mathbf {t}]_1\) is now chosen from \({\mathrm {span}}([\mathbf {A}_0]_1)\) again, we can switch back to honest generation of the common reference string \( crs \) and proofs \(\varPi \). As in transition \(\mathsf {G}_{0}\rightsquigarrow \mathsf {G}_{1}\) for an adversary \(\mathcal {A}\) we obtain an adversary \({\mathcal {B}}_4\) with \(T({\mathcal {B}}_4) \approx T(\mathcal {A}) + Q \cdot \mathsf {poly}(\lambda )\) and

$$\begin{aligned} |\varepsilon _4 - {\mathrm {Adv}^\mathrm{core}_{1,\mathcal {A}}}(\lambda )| \le {\mathrm {Adv}^\mathrm{ZK}_{\mathsf {PS},{\mathcal {B}}_4}}(\lambda ). \end{aligned}$$

Theorem 1

(\(\mathsf {UF}\text {-}\mathsf {CMA}\) security of \(\mathsf {MAC}\)). If the \(\mathcal {D}_{2k,k}\)-MDDH assumption holds in \(\mathbb {G}_1\), and the tuple \(\mathsf {PS}:= (\mathsf {PGen},\mathsf {PTGen},\mathsf {PPrv}, \mathsf {PVer})\) is a non-interactive zero-knowledge proof system for \(\mathcal {L}^\vee _{\mathbf {A}_0,\mathbf {A}_1}\), then the MAC \(\mathsf {MAC}:=({\mathsf {Gen}},{\mathsf {Tag}},{\mathsf {Ver}})\) provided in Fig. 2 is \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure. Namely, for any adversary \(\mathcal {A}\), there exists an adversary \({\mathcal {B}}\) with running time \(T({\mathcal {B}}) \approx T(\mathcal {A}) + Q \cdot \mathsf {poly}(\lambda )\), where Q is the number of queries to \(\textsc {TagO}\), \(\mathsf {poly}\) is independent of Q, and

$$\begin{aligned} {\mathrm {Adv}^\mathrm{\mathrm {uf}\text {-}\mathrm {cma}}_{\mathsf {MAC},\mathcal {A}}}(\lambda ) \le \varDelta _{{\mathcal {B}}}^{\mathrm {core}}(\lambda )+\tfrac{Q}{p}. \end{aligned}$$

Proof

We employ an intermediary game \(\mathsf {G}_{0}\) to prove \(\mathsf {UF}\text {-}\mathsf {CMA}\) security of the MAC. By \(\varepsilon _0\) we denote the advantage of \(\mathcal {A}\) to win game \(\mathsf {G}_{0} \), that is \(\Pr [\mathsf {G}_{0}(\mathcal {A},1^\lambda )=1]\), where the probability is taken over the random coins of \(\mathsf {G}_{0}\) and \(\mathcal {A}\).

Let \(\mathcal {A}\) be an adversary distinguishing between \({\mathrm {Exp}}^\mathrm{{uf}\text {-}\mathrm {cma}}_{\mathsf {MAC},\mathcal {A}}(\lambda )\) and \(\mathsf {G}_{0}\). Then we construct an adversary \({\mathcal {B}}\) with \(T({\mathcal {B}})\approx T(\mathcal {A})+Q\cdot \mathsf {poly}(\lambda )\) against the core lemma (Lemma 4) as follows. On input \( pp \) from \({\mathrm {Exp}}^\mathrm {core}_{\beta ,{\mathcal {B}}}(1^\lambda )\), the adversary \({\mathcal {B}}\) forwards \( pp \) to \(\mathcal {A}\). Then \({\mathcal {B}}\) samples \(\mathbf {k}_1 \leftarrow _{R}\mathbb {Z}_p^{2k}\). Afterwards, on a tag query \(\mu \) from \(\mathcal {A}\), \({\mathcal {B}}\) queries its own \(\textsc {TagO}\) oracle (which takes no input), receives \(([\mathbf {t}]_1, \varPi , [u']_1)\), computes \([u]_1:= [u']_1 + \mu \mathbf {k}_1^\top [\mathbf {t}]_1\), and answers with \(([\mathbf {t}]_1,\varPi ,[u]_1)\). Finally, given the forgery \(\big (\mu ^\star ,\mathsf {tag}^\star := ([\mathbf {t}]_1, \varPi , [u^\star ]_1)\big )\) from \(\mathcal {A}\), if \(\mu ^\star \notin \mathcal {Q}_{\mathsf {tag}}\) and \([u^\star ]_1\ne [0]_1\), then \({\mathcal {B}}\) sends \(\mathsf {tag}':=([\mathbf {t}]_1,\varPi , [u^\star ]_1 - \mu ^\star \mathbf {k}_1^\top [\mathbf {t}]_1)\) to its experiment (and an invalid tuple otherwise); this removes the \(\mu ^\star \mathbf {k}_1^\top \mathbf {t}\) part that \({\mathcal {B}}\) adds to every tag, so \(\mathsf {tag}'\) is valid in the core experiment exactly when \(\mathsf {tag}^\star \) is a valid MAC tag. Then we have \({\mathrm {Adv}^\mathrm{\mathrm {uf}\text {-}\mathrm {cma}}_{\mathsf {MAC},\mathcal {A}}}(\lambda )={\mathrm {Adv}^\mathrm{core}_{0,{\mathcal {B}}}}(\lambda )\) and \(\varepsilon _{0} ={\mathrm {Adv}^\mathrm{core}_{1,{\mathcal {B}}}}(\lambda )\). The core lemma (Lemma 4) yields

$$\begin{aligned} {\mathrm {Adv}^\mathrm{core}_{0,{\mathcal {B}}}}(\lambda ) \le {\mathrm {Adv}^\mathrm{core}_{1,{\mathcal {B}}}}(\lambda )+ \varDelta ^{\mathrm {core}}_{{\mathcal {B}}}(\lambda ) \end{aligned}$$

and thus altogether we obtain

$$\begin{aligned} {\mathrm {Adv}^\mathrm{\mathrm {uf}\text {-}\mathrm {cma}}_{\mathsf {MAC},\mathcal {A}}}(\lambda ) \le \varepsilon _{0} + \varDelta ^{\mathrm {core}}_{{\mathcal {B}}}(\lambda ). \end{aligned}$$

We now prove that any adversary \(\mathcal {A}\) has only negligible chances to win game \(\mathsf {G}_{0}\) using the randomness of \(\mathbf {F}\) together with the pairwise independence of \(\mu \mapsto \mathbf {k}_0 + \mu \mathbf {k}_1\).

Let \(\big (\mu ^\star ,\mathsf {tag}^\star \big )\) be the forgery of \(\mathcal {A}\). We can replace \(\mathbf {k}_1\) by \(\mathbf {k}_1 - \mathbf {v}\) for \(\mathbf {v}\leftarrow _{R}\mathbb {Z}_p^{2k}\), as both are distributed identically. Next, for all \(j\le Q\) we can replace \(\mathbf {F}(j)\) by \(\mathbf {F}(j) + \mu ^{(j)} \cdot \mathbf {v}\) for the same reason. This way, \(\textsc {TagO}(\mu ^{(j)})\) computes

and \(\textsc {VerO}\big ([\mu ^\star ]_2,\mathsf {tag}^\star := ([\mathbf {t}]_1, \varPi , [u])\big )\) checks if there exists a counter \(i \in \mathcal {Q}_{\mathsf {tag}}\) such that:

For the forgery to be successful, it must hold \(\mu ^\star \notin \mathcal {Q}_{\mathsf {tag}}\) and \([u]\ne 0\) (and thus \([\mathbf {t}]_1\ne [{\mathbf {0}}]_1\)). Therefore, each value computed by \(\textsc {VerO}\) is (marginally) uniformly random over \(\mathbb {G}_1\).

As the verification oracle checks for all counters \(i\le Q\), applying the union bound yields

$$\begin{aligned} \varepsilon _{0} \le \tfrac{Q}{p}. \end{aligned}$$

Fig. 5. The \(\mathsf {UF}\text {-}\mathsf {CMA}\) security experiment and game \(\mathsf {G}_{0}\) for the \(\mathsf {UF}\text {-}\mathsf {CMA}\) proof of \(\mathsf {MAC}\) in Fig. 2. \(\mathbf {F}: \{0,1\}^{\lceil \log Q\rceil } \rightarrow \mathbb {Z}_p^{2k}\) denotes a random function, applied on \(\mathsf {ctr}\) written in binary. In each procedure, the components inside a gray frame are only present in the games marked by a gray frame.

Fig. 6. Tightly UF-CMA secure signature scheme \(\mathsf {SIG}\).

4 Tightly Secure Signature Scheme

In this section, we present a signature scheme \(\mathsf {SIG}\) for signing messages from \(\mathbb {Z}_p\), described in Fig. 6, whose UF-CMA security can be tightly reduced to the \(\mathcal {D}_{2k,k}\)-MDDH and \(\mathcal {D}_{k}\)-MDDH assumptions.

\(\mathsf {SIG}\) builds upon the tightly secure MAC from Sect. 3, and serves as a stepping stone to explain the main ideas of the upcoming structure-preserving signature in Sect. 5. Recall that our MAC outputs \(\mathsf {tag}=([\mathbf {t}]_1, \varPi ,[u]_1)\), where \(\varPi \) is a (publicly verifiable) NIZK proof of the statement \(\mathbf {t} \in {\mathrm {span}}({\mathbf {A}}_0) \cup {\mathrm {span}}({\mathbf {A}}_1)\), and \(u=(\mathbf {k}_0 + \mu \mathbf {k}_1)^\top \mathbf {t}\) has an affine structure. Hence, alternatively, we can also view our MAC as an affine MAC [14] with \(\mathbf {t} \in {\mathrm {span}}({\mathbf {A}}_0) \cup {\mathrm {span}}({\mathbf {A}}_1)\) and a NIZK proof for that. Similarly to [14], we use (tuned) Groth-Sahai proofs to make \([u]_1\) publicly verifiable. Similar ideas have been used to construct efficient quasi-adaptive NIZKs for linear subspaces [38, 40], structure-preserving signatures [39], and identity-based encryption schemes [14]. In the following theorem we state the security of \(\mathsf {SIG}\). For a proof we refer to the full version.

Theorem 2

(Security of \(\mathsf {SIG}\)). If \(\mathsf {PS}:=(\mathsf {PGen},\mathsf {PPrv},\mathsf {PVer},\mathsf {PSim})\) is a non-interactive zero-knowledge proof system for \(\mathcal {L}^\vee _{\mathbf {A}_0,\mathbf {A}_1}\), then the signature scheme \(\mathsf {SIG}\) described in Fig. 6 is \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure under the \(\mathcal {D}_{2k,k}\)-MDDH and \(\mathcal {D}_{k}\)-MDDH assumptions. Namely, for any adversary \(\mathcal {A}\), there exist adversaries \({\mathcal {B}}, {\mathcal {B}}^\prime \) with running time \(T({\mathcal {B}}) \approx T({\mathcal {B}}^\prime ) \approx T(\mathcal {A}) + Q \cdot \mathsf {poly}(\lambda )\), where Q is the number of queries to \(\textsc {SignO}\), \(\mathsf {poly}\) is independent of Q, and

$$\begin{aligned} {\mathrm {Adv}^\mathrm{uf-cma}_{\mathsf {SIG},\mathcal {A}}}(\lambda )\le {\mathrm {Adv}^\mathrm{uf-cma}_{\mathsf {MAC},{\mathcal {B}}}}(\lambda )+{\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_2,\mathcal {D}_{k},{\mathcal {B}}^\prime }}(\lambda ). \end{aligned}$$

5 Tightly Secure Structure-Preserving Signature Scheme

In this section we present a structure-preserving signature scheme \(\mathsf {SPS}\), described in Fig. 7, whose security can be tightly reduced to the \(\mathcal {D}_{2k,k}\)-MDDH and \(\mathcal {D}_{k}\)-MDDH assumptions. It builds upon the tightly secure signature presented in Sect. 4, using an idea similar to that of [39]. More precisely, we view \(\mu \) as a label; the main difference between the two schemes is that in our proof we do not need to guess which \(\mu \) the adversary may reuse for its forgery, which is why our security proof is tight.

Fig. 7. Tightly UF-CMA secure structure-preserving signature scheme \(\mathsf {SPS}\) with message space \(\mathbb {G}_1^n\).

Fig. 8. Games \(\mathsf {G}_{0}\) to \(\mathsf {G}_{2}\) for proving Theorem 3. Here, \(\mathbf {F}: \mathbb {Z}_p \rightarrow \mathbb {Z}^{2k}_p\) is a random function. In each procedure, the components inside a solid (dotted, double, gray) frame are only present in the games marked by a solid (dotted, double, gray) frame.

Theorem 3

(Security of \(\mathsf {SPS}\)). If \(\mathsf {PS}:=(\mathsf {PGen},\mathsf {PTGen},\mathsf {PVer},\mathsf {PSim})\) is a non-interactive zero-knowledge proof system for \(\mathcal {L}^\vee _{\mathbf {A}_0,\mathbf {A}_1}\), the signature scheme \(\mathsf {SPS}\) described in Fig. 7 is \(\mathsf {UF}\text {-}\mathsf {CMA}\) secure under the \(\mathcal {D}_{2k,k}\)-MDDH and \(\mathcal {D}_{k}\)-MDDH assumptions. Namely, for any adversary \(\mathcal {A}\), there exist adversaries \({\mathcal {B}}, {\mathcal {B}}^\prime \) with running time \(T({\mathcal {B}}) \approx T({\mathcal {B}}^\prime ) \approx T(\mathcal {A}) + Q \cdot \mathsf {poly}(\lambda )\), where Q is the number of queries to \(\textsc {SignO}\), \(\mathsf {poly}\) is independent of Q, and

$$\begin{aligned} {\mathrm {Adv}^\mathrm{uf-cma}_{\mathsf {SPS},\mathcal {A}}}(\lambda )\le \varDelta _{{\mathcal {B}}}^{\mathrm {core}}(\lambda )+{\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_2,\mathcal {D}_{k},{\mathcal {B}}^\prime }}(\lambda )+\tfrac{Q}{p^k}+\tfrac{Q}{p}. \end{aligned}$$

When using \(\mathsf {PS}\) from Sect. 2.5, we obtain

$$\begin{aligned} {\mathrm {Adv}^\mathrm{uf-cma}_{\mathsf {SPS},\mathcal {A}}}(\lambda )\le&(4k \lceil \log Q \rceil +2)\cdot {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_1,\mathcal {D}_{2k,k},{\mathcal {B}}}}(\lambda )\\ {}&+(2\lceil \log Q \rceil +3)\cdot {\mathrm {Adv}^\mathrm{mddh}_{\mathcal {PG},\mathbb {G}_2,\mathcal {D}_{k},{\mathcal {B}}^\prime }}(\lambda ) +\lceil \log Q \rceil \cdot \varDelta _{\mathcal {D}_{2k,k}}\\ {}&+ \tfrac{4\lceil \log Q \rceil +2}{p-1} + \tfrac{(Q+ 1)\lceil \log Q \rceil +Q}{p} +\tfrac{Q}{p^k} .\end{aligned}$$

Strategy. In a nutshell, we will embed a “shadow MAC” in our signature scheme, and then invoke the core lemma to randomize the MAC tags computed during signing queries and the final verification of \(\mathcal {A}\)’s forgery. A little more specifically, we will embed a term \(\mathbf {k}_0^\top \mathbf {t}\) into the \(\mathbf {A}\)-orthogonal space of each \(\mathbf {u}\) computed by \(\textsc {SignO}\) and \(\textsc {VerO}\). (Intuitively, changes to this \(\mathbf {A}\)-orthogonal space do not influence the verification key, and simply correspond to changing from one signing key to another signing key that is compatible with the same verification key.) Using our core lemma, we can randomize this term \(\mathbf {k}_0^\top \mathbf {t}\) to \((\mathbf {k}_0+\mathbf {F}(\mathsf {ctr}))^\top \mathbf {t}\) for a random function \(\mathbf {F}\) and a signature counter \(\mathsf {ctr}\). Intuitively, this means that we use a freshly randomized signing key for each signature query. After these changes, an adversary only has a statistically small chance in producing a valid forgery.
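The key shift behind this strategy, as an added example that is not the paper's code: it works in the exponent space (vectors over \(\mathbb {Z}_p\) in place of group elements, so the pairing equation becomes a matrix identity), drops the OR-proof \(\varPi \), models the \(\mathcal {D}_k\) and \(\mathcal {D}_{2k,k}\) samples as uniformly random matrices, and uses a constructed toy prime as p; all function names are my own. It checks that replacing \(\mathbf {K}_0\) by \(\mathbf {K}_0+\mathbf {k}_0(\mathbf {a}^\bot )^\top \) leaves \({ pk }\) and public verification unchanged, while the resulting change in \(\mathbf {u}\) is a non-zero vector in the kernel of \(\mathbf {A}\).

```python
import random

# Constructed toy modulus: a prime standing in for the group order p of the pairing group.
P = 2**31 - 1

def matmul(X, Y):  # matrix product over Z_P (matrices are lists of rows)
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]

def add(X, Y):
    return [[(x + y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def transpose(X):
    return [list(col) for col in zip(*X)]

def rand_matrix(rows, cols, rng):
    return [[rng.randrange(P) for _ in range(cols)] for _ in range(rows)]

def left_kernel_vector(A):
    """a_perp with a_perp^T A = 0 for a full-rank A in Z_P^{(k+1) x k}.
    The left kernel is one-dimensional; it is found by row-reducing A^T."""
    M = transpose(A)                          # k rows, k+1 columns
    rows, cols, pivots, r = len(M), len(M[0]), [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue                          # no pivot: c becomes a free column
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], P - 2, P)
        M[r] = [(x * inv) % P for x in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % P for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    free = next(c for c in range(cols) if c not in pivots)
    x = [1 if c == free else 0 for c in range(cols)]
    for i, pc in enumerate(pivots):
        x[pc] = (-M[i][free]) % P
    return x

def keygen(k, n, rng):
    """A ~ D_k and A0 ~ D_{2k,k} are modelled as uniformly random matrices
    (full rank with overwhelming probability); (K0, K) is the signing key."""
    A, A0 = rand_matrix(k + 1, k, rng), rand_matrix(2 * k, k, rng)
    K0, K = rand_matrix(2 * k, k + 1, rng), rand_matrix(n + 1, k + 1, rng)
    pk = (A, A0, matmul(K0, A), matmul(K, A))  # exponents of [A]_2, [K0 A]_2, [K A]_2
    return pk, (K0, K)

def sign(pk, sk, m, rng, r=None):
    """Exponent-space signature (t, u); the OR-proof Pi for t is left out of the toy."""
    (A, A0, _, _), (K0, K) = pk, sk
    if r is None:
        r = [[rng.randrange(P)] for _ in range(len(A0[0]))]
    t = matmul(A0, r)                          # t = A0 r lies in span(A0)
    mv = [[x] for x in m] + [[1]]              # the column vector (m, 1)
    return t, add(matmul(transpose(K0), t), matmul(transpose(K), mv))

def verify(pk, m, sig):
    """Public check: e(u^T, A) = e(t^T, K0 A) + e((m,1)^T, K A), written in exponents."""
    (A, _, K0A, KA), (t, u) = pk, sig
    mv = [[x] for x in m] + [[1]]
    return matmul(transpose(u), A) == add(matmul(transpose(t), K0A), matmul(transpose(mv), KA))

def verify_strict(sk, m, sig):
    """Secret-key check: u must equal K0^T t + K^T (m, 1) exactly, not just modulo ker(A)."""
    (K0, K), (t, u) = sk, sig
    mv = [[x] for x in m] + [[1]]
    return u == add(matmul(transpose(K0), t), matmul(transpose(K), mv))

def shift_signing_key(pk, sk, k0):
    """Replace K0 by K0 + k0 a_perp^T with a_perp in orth(A); pk = (.., K0 A, ..) is unaffected."""
    K0, K = sk
    a_perp = left_kernel_vector(pk[0])
    return add(K0, [[(ki * aj) % P for aj in a_perp] for ki in k0]), K

def difference_in_kernel(pk, sig_a, sig_b):
    """Is u_a - u_b a non-zero vector with (u_a - u_b)^T A = 0?"""
    d = [[(x[0] - y[0]) % P] for x, y in zip(sig_a[1], sig_b[1])]
    return any(v[0] for v in d) and not any(matmul(transpose(d), pk[0])[0])

def demo(seed=2024, k=2, n=3):
    """Run the key shift of the proof strategy; returns each check as a boolean."""
    rng = random.Random(seed)
    pk, sk = keygen(k, n, rng)
    m, r = [rng.randrange(P) for _ in range(n)], [[rng.randrange(P)] for _ in range(k)]
    sig = sign(pk, sk, m, rng, r)
    sk2 = shift_signing_key(pk, sk, [rng.randrange(P) for _ in range(2 * k)])
    sig2 = sign(pk, sk2, m, rng, r)            # same randomness r, shifted key
    return {
        "honest_sig_verifies": verify(pk, m, sig) and verify_strict(sk, m, sig),
        "other_message_rejected": not verify(pk, [(m[0] + 1) % P] + m[1:], sig),
        "pk_unchanged_by_shift": matmul(sk2[0], pk[0]) == pk[2],
        "shifted_sig_verifies": verify(pk, m, sig2),
        "strict_check_sees_shift": not verify_strict(sk, m, sig2),
        "shift_lies_in_kernel_of_A": difference_in_kernel(pk, sig2, sig),
    }
```

The last two checks are exactly the gap exploited in the proof: the public key cannot tell the two signing keys apart, but a tuple accepted by the pairing check and rejected by the exact check yields a non-zero kernel vector of \(\mathbf {A}\), which is what the \(\mathcal {D}_k\)-KMDH step in the proof of Theorem 3 relies on.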

Proof

(of Theorem 3). We proceed via a series of hybrid games \(\mathsf {G}_{0}\) to \(\mathsf {G}_{2}\), described in Fig. 8. By \(\varepsilon _i\) we denote the advantage of \(\mathcal {A}\) to win \(\mathsf {G}_{i}\).

Here we change the verification oracle as described in Fig. 8.

Note that a pair \((\mu ^\star ,\sigma ^\star )\) that passes \(\textsc {VerO}\) in \(\mathsf {G}_{0}\) always passes the \(\textsc {VerO}\) check in . Thus, to bound , it suffices to bound the probability that \(\mathcal {A}\) produces a tuple \((\mu ^\star ,\sigma ^\star )\) that passes \(\textsc {VerO}\) in , but not in \(\mathsf {G}_{0}\). For the signature \(\sigma ^\star =: ([\mathbf {t}]_1, \varPi , [\mathbf {u}]_1)\) we can write the verification equation in as

$$\begin{aligned}&e([\mathbf {u}]^\top _1,[\mathbf {A}]_2) = e({[\mathbf {t}]}^\top _1,[\mathbf {K}_0\mathbf {A}]_2) + e(\begin{bmatrix} \mathbf {m}\\1 \end{bmatrix}_1^\top , [\mathbf {K}\mathbf {A}]_2) \\&\Leftrightarrow e([\mathbf {u}]_1 -{[\mathbf {t}]}_1^\top \mathbf {K}_0 - \begin{bmatrix} \mathbf {m}\\1 \end{bmatrix}^\top _1 \mathbf {K}, [\mathbf {A}]_2) = \mathbf {0} \end{aligned}$$

Observe that for any \((\mu ^\star ,([\mathbf {t}]_1, \varPi , [\mathbf {u}]_1))\) that passes the verification equation in the experiment , but not the one in \(\mathsf {G}_{0}\), the value

$$\begin{aligned}{}[\mathbf {u}]_1^\top -{[\mathbf {t}]}_1^\top \mathbf {K}_0 - \begin{bmatrix} \mathbf {m}\\1 \end{bmatrix}^\top _1 \mathbf {K}\end{aligned}$$

is a non-zero vector in the kernel of \(\mathbf {A}\). Thus, from \(\mathcal {A}\) we can construct an adversary \({\mathcal {B}}\) against the \(\mathcal {D}_k\)-KMDH assumption. Finally, Lemma 2 yields an adversary \({\mathcal {B}}^\prime \) with \(T({\mathcal {B}}^\prime ) \approx T(\mathcal {A}) + Q \cdot \mathsf {poly}(\lambda )\) such that

We can replace \(\mathbf {K}_0\) by \(\mathbf {K}_0+ {\mathbf {k}}_0 (\mathbf {a}^\bot )^\top \) for \(\mathbf {a}^\bot \in \mathsf {orth}(\mathbf {A})\) and \({\mathbf {k}}_0\leftarrow _{R}\mathbb {Z}_p^{2k}\), as both are distributed identically. Note that this change does not show up in the public key \({ pk }\), since \((\mathbf {a}^\bot )^\top \mathbf {A} = \mathbf {0}\). Looking ahead, this change will allow us to use the computational core lemma (Lemma 4). This yields

$$\begin{aligned} \varepsilon _0=\varepsilon _1. \end{aligned}$$

Let \(\mathcal {A}\) be an adversary playing either \(\mathsf {G}_{1}\) or \(\mathsf {G}_{2}\). We build an adversary \({\mathcal {B}}\) such that \(T({\mathcal {B}}) \approx T(\mathcal {A}) + Q \cdot \mathsf {poly}(\lambda )\) and

$$\begin{aligned} \Pr [{\mathrm {Exp}}^\mathrm {core}_{0,{\mathcal {B}}}(1^\lambda )=1 ] = \varepsilon _1\ \text{ and } \ \Pr [{\mathrm {Exp}}^\mathrm {core}_{1,{\mathcal {B}}}(1^\lambda ) =1] = \varepsilon _2. \end{aligned}$$

This implies, by the core lemma (Lemma 4), that

$$\begin{aligned} \varepsilon _1\le \varepsilon _2+\varDelta ^{\mathrm {core}}_{{\mathcal {B}}}(\lambda ). \end{aligned}$$

We now describe \({\mathcal {B}}\) against \({\mathrm {Exp}}^\mathrm {core}_{\beta ,{\mathcal {B}}}(1^\lambda )\) for \(\beta \) equal to either 0 or 1. First, \({\mathcal {B}}\) receives \( pp := (\mathcal {PG},[\mathbf {A}_0]_1, crs )\) from \({\mathrm {Exp}}^\mathrm {core}_{\beta ,{\mathcal {B}}}(1^\lambda )\), then, \({\mathcal {B}}\) samples \(\mathbf {A}\leftarrow _{R}\mathcal {D}_k\), \(\mathbf {a}^\bot \in \mathsf {orth}(\mathbf {A})\), \(\mathbf {K}_0 \leftarrow _{R}\mathbb {Z}_p^{2k \times (k+1)}\), \(\mathbf {K}\leftarrow _{R}\mathbb {Z}_p^{(n+1) \times (k+1)}\) and forwards \({ pk }:= (\mathcal {PG},[\mathbf {A}_0]_1, crs , [\mathbf {A}]_2, [\mathbf {K}_0\mathbf {A}]_2, {[\mathbf {K}\mathbf {A}]_2})\) to \(\mathcal {A}\).

To simulate \(\textsc {SignO}([\mathbf {m}]_1)\), \({\mathcal {B}}\) uses its oracle \(\textsc {TagO}\), which takes no input, and gives back \(([\mathbf {t}]_1, \varPi , [u]_1)\). Then, \({\mathcal {B}}\) computes \([\mathbf {u}]_1 := \mathbf {K}_0^\top {[\mathbf {t}]}_1 + \mathbf {a}^\bot [u]_1 + \mathbf {K}^\top \begin{bmatrix} \mathbf {m}\\ 1 \end{bmatrix}_1\), and returns \(\sigma := ([\mathbf {t}]_1, \varPi , [\mathbf {u}]_1)\) to \(\mathcal {A}\).

Finally, given the forgery \(([\mathbf {m}^\star ]_1,\sigma ^\star )\) with corresponding signature \(\sigma ^\star :=([\mathbf {t}^\star ]_1, \varPi ^\star , [\mathbf {u}^\star ]_1)\), \({\mathcal {B}}\) first checks if \([\mathbf {m}^\star ]_1 \notin \mathcal {Q}_{\mathsf {sign}}\) and \([\mathbf {u}^\star ]_1 \ne [{\mathbf {0}}]_1\). If this is not the case, then \({\mathcal {B}}\) returns 0 to \(\mathcal {A}\). Otherwise, with the knowledge of \(\mathbf {a}^\bot \in \mathsf {orth}(\mathbf {A})\), \({\mathcal {B}}\) efficiently checks whether there exists \([u^\star ]_1 \in \mathbb {G}_1\) such that \([\mathbf {u}^\star ]_1 -\mathbf {K}_0^\top {[\mathbf {t}^\star ]}_1 - \mathbf {K}^\top \begin{bmatrix} \mathbf {m}^\star \\1 \end{bmatrix}_1 = [u^\star ]_1 \mathbf {a}^\bot \). If this is not the case, \({\mathcal {B}}\) returns 0 to \(\mathcal {A}\). Otherwise, \({\mathcal {B}}\) computes \([u^\star ]_1\) (it can do so efficiently given \(\mathbf {a}^\bot \)), sets \(\mathsf {tag}:= ([\mathbf {t}^\star ]_1, \varPi ^\star , [u^\star ]_1)\), calls its verification oracle \(\textsc {VerO}(\mathsf {tag})\), and forwards the answer to \(\mathcal {A}\).
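The two mechanics used above, the shift \(\mathbf {K}_0 \mapsto \mathbf {K}_0 + \mathbf {k}_0(\mathbf {a}^\bot )^\top \) being invisible in \({ pk }\) and \({\mathcal {B}}\) recovering the scalar \(u^\star \) from a forgery with the help of \(\mathbf {a}^\bot \), can be checked on a toy instance. The following is an added illustration, not the paper's code: it fixes \(k=1\), works directly on exponents in \(\mathbb {Z}_p\) instead of group elements (so the pairing equation becomes the matrix identity \(\mathbf {u}^\top \mathbf {A} = \mathbf {t}^\top \mathbf {K}_0\mathbf {A} + (\mathbf {m},1)^\top \mathbf {K}\mathbf {A}\)), omits the consistency proof \(\varPi \), and uses the constructed prime \(p = 7919\). The names `shift_key`, `extract_shadow` and `demo` are ours.

```python
"""Toy model (k = 1, exponents only) of the key randomisation K_0 -> K_0 + k_0 (a^perp)^T
and of the reduction's a^perp-based check from the proof of Theorem 3.
A group element [x]_1 is represented by its exponent x in Z_p, so the pairing equation
e([u]^T_1,[A]_2) = e([t]^T_1,[K_0 A]_2) + e([(m,1)]^T_1,[K A]_2) collapses to the matrix
identity u^T A = t^T K_0 A + (m,1)^T K A over Z_p.
Constructed illustration, not the paper's code; the consistency proof Pi is omitted."""
import random

P = 7919  # constructed toy prime; p = 3 (mod 4), so a0^2 + a1^2 = 0 forces a0 = a1 = 0


def matmul(X, Y, p=P):
    """Product of two matrices (lists of rows) over Z_p."""
    return [[sum(X[i][l] * Y[l][j] for l in range(len(Y))) % p
             for j in range(len(Y[0]))] for i in range(len(X))]


def add(X, Y, p=P):
    return [[(a + b) % p for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def sub(X, Y, p=P):
    return [[(a - b) % p for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]


def transpose(X):
    return [list(col) for col in zip(*X)]


def rand_matrix(rng, rows, cols, p=P):
    return [[rng.randrange(p) for _ in range(cols)] for _ in range(rows)]


def keygen(rng, n, p=P):
    """k = 1: A, A_0 in Z_p^{2x1} (nonzero entries), K_0 in Z_p^{2x2}, K in Z_p^{(n+1)x2}."""
    A = [[rng.randrange(1, p)], [rng.randrange(1, p)]]
    A0 = [[rng.randrange(1, p)], [rng.randrange(1, p)]]
    a_perp = [[A[1][0]], [(-A[0][0]) % p]]  # (a^perp)^T A = a1*a0 - a0*a1 = 0
    sk = {"A0": A0, "K0": rand_matrix(rng, 2, 2),
          "K": rand_matrix(rng, n + 1, 2), "a_perp": a_perp}
    pk = {"A": A, "K0A": matmul(sk["K0"], A), "KA": matmul(sk["K"], A)}
    return pk, sk


def shift_key(sk, k0, p=P):
    """The G_1 change: replace K_0 by K_0 + k_0 (a^perp)^T for k_0 in Z_p^{2k}."""
    return dict(sk, K0=add(sk["K0"], matmul(k0, transpose(sk["a_perp"]))))


def public_part(sk, A, p=P):
    """What the verifier sees of K_0: the matrix [K_0 A]_2."""
    return matmul(sk["K0"], A)


def msg_vec(m):
    return [[x] for x in m] + [[1]]  # the column vector (m, 1)


def sign(sk, m, r, p=P):
    """t = A_0 r,  u = K_0^T t + K^T (m,1)."""
    t = matmul(sk["A0"], [[r % p]])
    u = add(matmul(transpose(sk["K0"]), t), matmul(transpose(sk["K"]), msg_vec(m)))
    return t, u


def verify(pk, m, t, u, p=P):
    """Exponent form of the pairing check: u^T A == t^T (K_0 A) + (m,1)^T (K A)."""
    lhs = matmul(transpose(u), pk["A"])
    rhs = add(matmul(transpose(t), pk["K0A"]), matmul(transpose(msg_vec(m)), pk["KA"]))
    return lhs == rhs


def extract_shadow(sk, m, t, u, p=P):
    """B's test on a forgery: is u - K_0^T t - K^T (m,1) of the form u* . a^perp?
    Returns the scalar u* if so (B then hands it to its own VerO), else None."""
    d = sub(sub(u, matmul(transpose(sk["K0"]), t)), matmul(transpose(sk["K"]), msg_vec(m)))
    a1, a2 = sk["a_perp"][0][0], sk["a_perp"][1][0]
    s = d[0][0] * pow(a1, -1, p) % p  # a1 != 0 by construction
    return s if d[1][0] == s * a2 % p else None


def demo(seed=1):
    """Runs the whole story for one key pair and returns the observations the proof relies on."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, n=2)
    k0 = rand_matrix(rng, 2, 1)          # k_0 <- Z_p^{2k}
    sk1 = shift_key(sk, k0)               # signing key after the G_1 change
    m, r = [5, 6], 3
    t, u = sign(sk, m, r)                 # honest signature under K_0
    t1, u1 = sign(sk1, m, r)              # same randomness, shifted key
    u_orth = add(u, [[7 * x[0] % P] for x in sk["a_perp"]])  # push u along a^perp
    u_bad = add(u, pk["A"])               # push u outside orth(A)
    return {
        "same_pk": public_part(sk1, pk["A"]) == pk["K0A"],
        "honest_ok": verify(pk, m, t, u), "honest_shadow": extract_shadow(sk, m, t, u),
        "shifted_ok": verify(pk, m, t1, u1), "shifted_shadow": extract_shadow(sk, m, t1, u1),
        "expected_shadow": matmul(transpose(k0), t1)[0][0],  # k_0^T t, the embedded MAC term
        "orth_ok": verify(pk, m, t, u_orth), "orth_shadow": extract_shadow(sk, m, t, u_orth),
        "bad_ok": verify(pk, m, t, u_bad), "bad_shadow": extract_shadow(sk, m, t, u_bad),
    }
```

`demo()` shows that the shifted and unshifted keys yield the same \([\mathbf {K}_0\mathbf {A}]_2\), that both keys produce verifying signatures, that \({\mathcal {B}}\) reads off exactly \(\mathbf {k}_0^\top \mathbf {t}\) from a signature made with the shifted key, and that a \(\mathbf {u}\) moved outside \(\mathsf {orth}(\mathbf {A})\) neither verifies nor passes \({\mathcal {B}}\)'s check.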

In game \(\mathsf {G}_{2}\) the vectors \(\mathbf {r}\) sampled by \(\textsc {SignO}\) are uniformly random over \(\mathbb {Z}_p^{k}\), while they are uniformly random over \((\mathbb {Z}_p^{k})^*=\mathbb {Z}_p^{k}\backslash \{0\}\) in \(\mathsf {G}_{3}\). Since this is the only difference between the games, the difference in advantage is bounded by the statistical distance between the two distributions of \(\mathbf {r}\). A union bound over the number of queries yields

$$\begin{aligned} \varepsilon _2 - \varepsilon _3 \le \tfrac{Q}{p^k}. \end{aligned}$$

These games are the same except for the extra condition \(\widetilde{\mathsf {ctr}} = \mathsf {ctr}'\) in \(\mathsf {G}_{4}\), which holds with probability \(\tfrac{1}{Q}\) over the choice of \(\widetilde{\mathsf {ctr}} \leftarrow _{R}[Q]\). Since the adversary's view is independent of \(\widetilde{\mathsf {ctr}}\), we have

$$\begin{aligned} \varepsilon _4 = \tfrac{\varepsilon _3}{Q}. \end{aligned}$$

We prove that \(\varepsilon _4 \le \tfrac{1}{p}\).

First, we can replace \(\mathbf {K}\) by \(\mathbf {K}+ {\mathbf {v}(\mathbf {a}^\bot )^\top }\) for \(\mathbf {v}\leftarrow _{R}\mathbb {Z}_p^{n+1}\), and \(\{ \mathbf {F}(i): i \in [Q], i \ne \widetilde{\mathsf {ctr}}\}\) by \(\{ \mathbf {F}(i) + \mathbf {w}_i: i \in [Q], i \ne \widetilde{\mathsf {ctr}}\}\) for \(\mathbf {w}_i \leftarrow _{R}\mathbb {Z}_p^{2k}\). Note that this does not change the distribution of the game.

Thus, for the i-th signing query with \(i\ne \widetilde{\mathsf {ctr}}\) the value \(\mathbf {u}\) is computed by \(\textsc {SignO}([\mathbf {m}_i]_1)\) as

with \([\mathbf {t}]_1 := [\mathbf {A}_0]_1 \mathbf {r}\), \(\mathbf {r}\leftarrow _{R}(\mathbb {Z}_p^{k})^*\). This is identically distributed to

$$\begin{aligned}{}[\mathbf {u}]_1 = {\mathbf {K}}_0^\top [\mathbf {t}]_1 + \mathbf {K}^\top \begin{bmatrix} \mathbf {m}_i \\ 1 \end{bmatrix}_1 +\gamma _i \cdot \mathbf {a}^\bot , \text{ with } \gamma _i \leftarrow _{R}\mathbb {Z}_p . \end{aligned}$$

For the \(\widetilde{\mathsf {ctr}}\)’th signing query, we have

Assuming \(\mathcal {A}\) succeeds in producing a valid forgery, \(\textsc {VerO}\) computes

Since \(\mathbf {m}^\star \ne \mathbf {m}_{\widetilde{\mathsf {ctr}}}\) by definition of the security game, we can use the pairwise independence of \(\mathbf {m}\mapsto \mathbf {v}^\top \begin{bmatrix} \mathbf {m}\\ 1 \end{bmatrix}_1\) to argue that \(\mathbf {v}^\top \begin{bmatrix} \mathbf {m}^\star \\ 1 \end{bmatrix}_1\) and \(\mathbf {v}^\top \begin{bmatrix} \mathbf {m}_{\widetilde{\mathsf {ctr}}} \\ 1 \end{bmatrix}_1\) are two independent values, uniformly random over \(\mathbb {G}_1\). Thus, the verification equation is satisfied with probability at most \(\tfrac{1}{p}\), that is

$$\begin{aligned} \varepsilon _4 \le \tfrac{1}{p}. \end{aligned}$$
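The pairwise-independence step above can be verified exhaustively for a toy prime. The block below is an added illustration, not the paper's code: for \(\mathbf {m}\ne \mathbf {m}'\) it enumerates all \(\mathbf {v}\in \mathbb {Z}_p^{n+1}\), confirms that the pair \((\mathbf {v}^\top (\mathbf {m},1), \mathbf {v}^\top (\mathbf {m}',1))\) is uniform on \(\mathbb {Z}_p^2\), and computes the exact success probability of an adversary who has seen the second value and guesses the first optimally, which is \(\tfrac{1}{p}\); for \(\mathbf {m}= \mathbf {m}'\) it is 1, which is why the condition \(\mathbf {m}^\star \ne \mathbf {m}_{\widetilde{\mathsf {ctr}}}\) matters. Function names are ours.

```python
"""Exhaustive check of the pairwise-independence step used to bound eps_4.
For m != m', the map v -> (v^T (m,1), v^T (m',1)) on Z_p^{n+1} is a surjective linear
map onto Z_p x Z_p, so the two values are independent and uniform; the adversary's best
guess for v^T (m,1) given v^T (m',1) then succeeds with probability exactly 1/p.
Constructed illustration with a toy prime, not the paper's code."""
from collections import Counter
from fractions import Fraction
from itertools import product


def dot(x, y, p):
    return sum(a * b for a, b in zip(x, y)) % p


def joint_counts(m, m2, p):
    """Counts of (v^T (m,1), v^T (m2,1)) over all v in Z_p^{n+1}, n = len(m)."""
    mv, mv2 = list(m) + [1], list(m2) + [1]
    return Counter((dot(v, mv, p), dot(v, mv2, p))
                   for v in product(range(p), repeat=len(mv)))


def is_pairwise_uniform(m, m2, p):
    """True iff the pair is uniform on Z_p x Z_p: all p^2 pairs occur, each p^(n-1) times."""
    counts = joint_counts(m, m2, p)
    return len(counts) == p * p and set(counts.values()) == {p ** (len(m) - 1)}


def best_guess_success(m, m2, p):
    """Probability (exact rational) that an adversary who has observed v^T (m2,1)
    predicts v^T (m,1) correctly, using the most likely value for each observation."""
    counts = joint_counts(m, m2, p)
    total = p ** (len(m) + 1)
    best = Counter()  # observed value b -> largest count among the pairs (a, b)
    for (a, b), c in counts.items():
        best[b] = max(best[b], c)
    return Fraction(sum(best.values()), total)
```

With \(p=7\), \(n=1\): `is_pairwise_uniform([3], [5], 7)` is true and `best_guess_success([3], [5], 7)` is \(1/7\), whereas `best_guess_success([3], [3], 7)` is 1; the same holds with \(p=5\), \(n=2\) for messages differing in one coordinate.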

Bilateral Structure-Preserving Signature Scheme. Our structure-preserving signature scheme, \(\mathsf {SPS}\), defined in Fig. 7 can sign only messages from \(\mathbb {G}_1^n\). By applying the generic transformation from [39, Sect. 6], we can transform our \(\mathsf {SPS}\) to sign messages from \(\mathbb {G}_1^{n_1} \times \mathbb {G}_2^{n_2}\) using their two-tier SPS, which is a generalization of [1]. The transformation is tightness-preserving by Theorem 6 of [39] and costs an additional k elements from \(\mathbb {G}_1\) and \(k+1\) elements from \(\mathbb {G}_2\) in the signature. For the SXDH assumption (\(k=1\)), our bilateral SPS scheme requires one additional element from \(\mathbb {G}_1\) and two additional elements from \(\mathbb {G}_2\) in the signature.