Efficient Fully Structure-Preserving Signatures for Large Messages
Abstract
We construct both randomizable and strongly existentially unforgeable structure-preserving signatures for messages consisting of many group elements. To sign a message consisting of \(N=mn\) group elements we have a verification key of m group elements and signatures containing \(n+2\) elements. Verification of a signature requires evaluating \(n+1\) pairing product equations.
We also investigate the case of fully structure-preserving signatures, where the secret signing key is required to consist of group elements only. We show that a variant of our signature scheme allowing the signer to pick part of the verification key at the time of signing is still secure. This gives us both randomizable and strongly existentially unforgeable fully structure-preserving signatures. In the fully structure-preserving scheme the verification key is a single group element, signatures contain \(m+n+1\) group elements and verification requires evaluating \(n+1\) pairing product equations.
Keywords
Digital signatures, Pairing-based cryptography, Full structure-preservation
1 Introduction
Structure-preserving signatures are pairing-based signatures where verification keys, messages and signatures all consist solely of group elements and the verification algorithm relies on generic group operations such as multiplications and pairings to verify a signature. Structure-preserving signatures are interesting because they compose well with other structure-preserving primitives such as ElGamal encryption [ElG85] and Groth-Sahai proofs [GS12]. By combining different structure-preserving components it is possible to build advanced cryptographic schemes in a modular manner. Applications of structure-preserving signatures include blind signatures [AFG+10, FV10], group signatures [AFG+10, FV10, LPY12], homomorphic signatures [LPJY13, ALP13], delegatable anonymous credentials [Fuc11], compact verifiable shuffles [CKLM12], network encoding [ALP12], oblivious transfer [GH08, CDEN12], tightly secure encryption [HJ12, ADK+13] and anonymous e-cash [ZLG12].
Since structure-preserving signatures are basic components when building cryptographic schemes it is crucial to make them as efficient as possible. All cryptographic protocols built on top of a structure-preserving signature scheme will be affected by its efficiency. There has therefore been a significant amount of research into finding barriers for how efficient structure-preserving signatures can be and constructing schemes achieving these bounds. Abe et al. [AGHO11] demonstrated a lower bound of 3 group elements for structure-preserving signatures (using Type III pairings, which is the most efficient type) and gave matching constructions with 3 element signatures.
While the case of signing a single group element has been well studied, the question of signing larger messages has received less attention. Most structure-preserving schemes that can sign many elements do so by increasing the size of the verification key linearly in the message to be signed. One could of course imagine chopping a large message into smaller pieces, signing each of them individually and then signing the resulting signatures to bind them together. However, this approach incurs a multiplicative overhead proportional to the size of the signatures we use, which due to the lower bound is at least a factor 3. Such constructions would also require many pairing product equations to verify a signature.
Recently Abe et al. [AKOT15] introduced the notion of fully structure-preserving signatures. In a fully structure-preserving signature scheme the secret key, too, is required to consist of group elements only, in contrast to most current structure-preserving signature schemes where the secret key consists of field elements. Full structure-preservation is useful in several contexts; for instance, in a PKI it is often the case that to get a public key certified one must demonstrate possession of a matching secret key. When the secret key consists of group elements it becomes possible to use Groth-Sahai proofs to give efficient proofs of knowledge of the secret key.
Abe et al. [AKOT15] also considered the question of signing messages that consist of many group elements. Surprisingly, they showed that one can give fully structure-preserving signatures that only grow proportionally to the square root of the message size. This is remarkable because in structure-preserving signatures one cannot use collision-resistant hash functions to reduce the message size, since they are structure-destroying, and furthermore it is known that size-reducing strictly structure-preserving commitments do not exist [AHO12]. They also showed a lower bound: the combined length of the verification key and the signature must be at least the square root of the message size, which holds regardless of whether the structure-preservation is full or not.
1.1 Our Contribution
As said earlier, it is crucial to optimize the efficiency of structure-preserving signatures. In this paper we investigate the case of signing large messages and present very efficient structure-preserving signature schemes for signing many elements at once. Our signature schemes are designed directly with large messages in mind and are therefore more efficient than constructions that combine multiple signature schemes.
We construct a structure-preserving signature scheme for messages consisting of \(N=mn\) group elements. The verification key contains m elements and the signature size is \(n+2\) elements. This matches the best structure-preserving signature schemes for a single group element, in which case we would have a single group element verification key and a 3 element signature, but unlike prior constructions our signature scheme scales very well for large messages. The verification process involves \(n+1\) pairing product equations, so this too matches the state of the art for signing a single group element while scaling well to larger messages.
Depending on the context, it may be desirable to use a strong signature scheme where it is not only infeasible to forge signatures on messages that have not been seen before but also infeasible to create new, different signatures on messages that have already been signed. In other circumstances quite the opposite may be the case and it may be desirable to have signatures that can be randomized. In particular, when combining structure-preserving signatures with Groth-Sahai proofs, randomizability may be desirable since some of the signature elements can be revealed in the clear after being randomized.
Our signature scheme is very flexible in the sense that the same verification key can be used for both strong signatures and randomizable signatures at the same time. We define the notion of a combined signature scheme where the signer can choose for each message whether to make the signature strongly unforgeable or randomizable.
We also present a modified construction that is fully structure-preserving. To get full structure-preservation the signer must know the discrete logarithms of the group elements that are paired with the message, since she does not know the discrete logarithms of the group elements in the message. Surprisingly this can be achieved in a simple way in our signature scheme by letting the signer pick most of the verification key herself. This gives a fully structure-preserving signature scheme where the verification key is just a single group element and the signature consists of \(m+n+1\) group elements.
1.2 Related Work
The name "structure-preserving signature" was coined by Abe et al. [AFG+10], but there are earlier works giving structure-preserving signatures, the first being [Gro06].
Abe et al. [AGHO11] gave the first 3 element signature scheme for fully asymmetric pairings (Type III) and also proved that this is optimal. Abe et al. [AGOT14] give 2 element signatures based on partially asymmetric pairings (Type II), but Chatterjee and Menezes [CM15] showed that structure-preserving signatures in the partially asymmetric setting are less efficient than signatures based on fully asymmetric pairings. In this paper we therefore only consider the fully asymmetric setting, which gives the best efficiency and is thus the most relevant case.
A line of research [HJ12, ACD+12, ADK+13, LPY15, BCPW15] has worked on basing structure-preserving signatures on standard assumptions such as the decision Diffie-Hellman or the decision linear assumption. The fully structure-preserving signatures of Abe et al. [AKOT15] are based on the natural double pairing assumption, which is implied by the DDH assumption. However, Abe et al. [AGO11] showed that 3 element signatures cannot be proven secure under a non-interactive assumption using black-box reductions, so strong assumptions are needed to get optimal efficiency. We will therefore base the security of our signatures on the generic group model [Nec94, Sho97] instead of aiming for security under a well-established assumption.
The signature scheme of Abe et al. [AGOT14] can be seen to be fully structure-preserving. It is a 3 group element signature scheme and is selectively randomizable. Selective randomizability means that signatures are strong but the signer can choose to release a randomization token to make a signature randomizable. This notion is different from our notion of a combined signature scheme, where the signer can choose to create randomizable or strong signatures. The advantage of selectively randomizable signatures is that all signatures are verified with the same verification equation; the disadvantage is the need to issue randomization tokens when making a signature randomizable.
Comparison of structure-preserving signature schemes for messages consisting of \(N=mn\) elements in \(\mathbb{G}_2\). We display public parameter, verification key and signature sizes measured in group elements in \(\mathbb{G}_1\) and \(\mathbb{G}_2\), and the number of pairing product equations (PPE) required for verifying a signature. The public parameters also contain a description of the bilinear group. The public parameters can be reused for other cryptographic schemes, so their cost can be amortized.

Scheme        | Parameters                              | Verification key                           | Signature                                   | PPE
[AKOT15]      | \(4\,\mathbb{G}_1,\ 4\,\mathbb{G}_2\)    | \(1\,\mathbb{G}_1,\ 10+3m+3n\,\mathbb{G}_2\) | \(7+m+n\,\mathbb{G}_1,\ 4+2n\,\mathbb{G}_2\) | \(5+n\)
Our SPS       | \(1\,\mathbb{G}_1,\ n+1\,\mathbb{G}_2\)  | \(m\,\mathbb{G}_1\)                        | \(1\,\mathbb{G}_1,\ 1+n\,\mathbb{G}_2\)     | \(1+n\)
Our fully SPS | \(1\,\mathbb{G}_1,\ n+m\,\mathbb{G}_2\)  | \(1\,\mathbb{G}_1\)                        | \(m\,\mathbb{G}_1,\ 1+n\,\mathbb{G}_2\)     | \(1+n\)
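The table is easiest to use as a cost model. The following Python snippet is an added example, not part of the paper: it encodes the three rows and, for a given message size N, enumerates the factorisations N = mn and picks the split that minimises the combined verification-key and signature size, using the number of pairing product equations as a tie-breaker. The element counts are taken directly from the table with \(\mathbb{G}_1\) and \(\mathbb{G}_2\) elements counted together and public parameters left out (they are reusable); the scheme labels, the tie-breaking rule and the restriction to exact factorisations are choices made here.

```python
# Cost model built from the comparison table above. Each entry maps (m, n) to
# (verification-key size, signature size, number of PPEs), counting G1 and G2
# elements together. Public parameters are omitted because they are reusable.
SCHEMES = {
    "AKOT15":        lambda m, n: (1 + (10 + 3*m + 3*n), (7 + m + n) + (4 + 2*n), 5 + n),
    "our SPS":       lambda m, n: (m, 1 + (1 + n), 1 + n),
    "our fully SPS": lambda m, n: (1, m + (1 + n), 1 + n),
}


def factorisations(N):
    """All ordered pairs (m, n) of positive integers with m * n == N."""
    if N < 1:
        raise ValueError("message size must be a positive integer")
    return [(m, N // m) for m in range(1, N + 1) if N % m == 0]


def best_split(N, scheme):
    """Pick (m, n) minimising vk + signature size for the given scheme.

    Returns (m, n, vk_size, sig_size, ppe). Ties on vk + sig are broken by
    the smaller number of pairing product equations (a choice made here, since
    each PPE costs pairings at verification time).
    """
    cost = SCHEMES[scheme]
    best = None
    for m, n in factorisations(N):
        vk, sig, ppe = cost(m, n)
        key = (vk + sig, ppe)
        if best is None or key < best[0]:
            best = (key, (m, n, vk, sig, ppe))
    return best[1]


def compare(N):
    """Best split and resulting sizes for every scheme at message size N."""
    return {name: best_split(N, name) for name in SCHEMES}


if __name__ == "__main__":
    for name, (m, n, vk, sig, ppe) in compare(100).items():
        print(f"{name:14s} m={m:3d} n={n:3d} vk={vk:3d} sig={sig:3d} ppe={ppe:3d}")
```

For a perfect square N the minimiser is m = n = sqrt(N) for all three rows, which is the square-root behaviour discussed in the introduction; for other N the best split is the pair of divisors closest to the square root, and when two splits tie the one with fewer verification equations is preferred.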
2 Preliminaries
2.1 Bilinear Groups

\(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\) are groups of prime order p

\(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is a bilinear map

G generates \(\mathbb {G}_1\), H generates \(\mathbb {G}_2\) and e(G, H) generates \(\mathbb {G}_T\)

There are efficient algorithms for computing group operations, evaluating the bilinear map, comparing group elements and deciding membership of the groups
In a bilinear group we refer to deciding group membership, computing group operations in \(\mathbb {G}_1,\mathbb {G}_2\) or \(\mathbb {G}_T\), comparing group elements and evaluating the bilinear map as the generic group operations. In the signature schemes we construct we only use generic group operations.
Galbraith, Paterson and Smart [GPS08] distinguish between three types of bilinear group generators. In the Type I setting (also called the symmetric setting) \(\mathbb {G}_1=\mathbb {G}_2\); in the Type II setting there is an efficiently computable isomorphism \(\psi :\mathbb {G}_2\rightarrow \mathbb {G}_1\); and in the Type III setting no efficiently computable isomorphism exists in either direction between the source groups. Throughout the paper we work in the Type III setting, which gives the most efficient operations and is therefore the most important setting.
It will be useful to use the notation of Escala et al. [EHK+13] that keeps track of the discrete logarithm of group elements. They represent a group element X in \(\mathbb {G}_1\) by \([x]_1\) when \(X=G^x\) and a group element Y in \(\mathbb {G}_2\) as \([y]_2\) when \(Y=H^y\) and a group element \(Z\in \mathbb {G}_T\) as \([z]_T\) when \(Z=e(G,H)^z\). In this notation the source group generators G and H are \([1]_1\) and \([1]_2\).
The advantage of using this notation is that it highlights the underlying linear algebra performed on the exponents when we do group operations. Multiplying two group elements \(X,Y\in \mathbb {G}_1\) to get XY, for instance, corresponds to \([x]_1+[y]_1=[x+y]_1\). Exponentiation of \(X\in \mathbb {G}_1\) with \(y\in \mathbb {Z}_p\) to get \(X^y\) can be written \(y[x]_1=[yx]_1\). Using the bilinear map on \(X\in \mathbb {G}_1\) and \(Y\in \mathbb {G}_2\) to get e(X, Y) can be written as \([x]_1[y]_2=[xy]_T\).
We can represent vectors of group elements \(\mathbf {X}=(X_1,\ldots ,X_n)\) in \(\mathbb {G}_1\) as \([\varvec{x}]_1\). The operations taking place in the groups have natural linear algebra equivalents, e.g., exponentiation of a vector of group elements to a matrix of exponents to get a new vector of group elements can be written \([\varvec{x}]_1A=[\varvec{x}A]_1\). A pairing product \(\prod _{i=1}^ne(X_i,Y_i)\) can be written \([\varvec{x}]_1\cdot [\varvec{y}]_2=[\varvec{x}\cdot \varvec{y}]_T\). Exponentiation of a number of group elements to the same exponent to get \((X_1^a,\ldots ,X_n^a)\) can be written \([\varvec{x}]_1a=[\varvec{x}a]_1\).
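The correspondence above can be checked mechanically. The following Python snippet is an added example, not from the paper: a mock Type III bilinear group in which every element carries its discrete logarithm modulo a toy prime, with the group operations, the pairing and the vector and matrix operations implemented exactly as the bracket notation prescribes. A real verifier never sees these logarithms; the mock exists to test that a pairing-product equation holds before implementing it over a real curve. The modulus and the helper names are choices made here.

```python
# Mock Type III bilinear group in the bracket notation of Escala et al.
# Each element stores its discrete logarithm modulo P, so [x]_1, [y]_2 and
# [z]_T are literally the integers x, y, z tagged with a group. This is a
# test harness only: a real group hides the logarithms.
P = 2**61 - 1  # assumption: toy prime standing in for the group order p


class Elem:
    __slots__ = ("group", "x")

    def __init__(self, group, x):
        self.group, self.x = group, x % P   # group is 1, 2 or "T"

    def __add__(self, other):               # X*Y in the group  <->  [x] + [y] = [x+y]
        if not isinstance(other, Elem) or self.group != other.group:
            raise TypeError("cannot combine elements of different groups")
        return Elem(self.group, self.x + other.x)

    def __neg__(self):                      # X^{-1}  <->  -[x]
        return Elem(self.group, -self.x)

    def __sub__(self, other):
        return self + (-other)

    def __rmul__(self, a):                  # X^a  <->  a[x] = [ax]  (a is an integer)
        return Elem(self.group, a * self.x)

    def __mul__(self, other):               # e(X, Y)  <->  [x]_1 [y]_2 = [xy]_T
        if not isinstance(other, Elem) or (self.group, other.group) != (1, 2):
            raise TypeError("pairing takes a G1 element on the left and a G2 element on the right")
        return Elem("T", self.x * other.x)

    def __eq__(self, other):
        return isinstance(other, Elem) and (self.group, self.x) == (other.group, other.x)

    def __repr__(self):
        return f"[{self.x}]_{self.group}"


G, H = Elem(1, 1), Elem(2, 1)               # generators [1]_1 and [1]_2
ONE_T = G * H                                # e(G, H) = [1]_T


def zero(group):
    """Identity element of the given group, i.e. [0]."""
    return Elem(group, 0)


def vec_mat(vec, A):
    """[x] A = [xA]: vec is a list of k elements, A a k-by-l integer matrix."""
    k, l = len(A), len(A[0])
    if len(vec) != k:
        raise ValueError("vector/matrix dimension mismatch")
    return [sum((A[i][j] * vec[i] for i in range(k)), zero(vec[0].group)) for j in range(l)]


def pairing_product(xs, ys):
    """prod_i e(X_i, Y_i)  <->  [x]_1 . [y]_2 = [x . y]_T."""
    if len(xs) != len(ys):
        raise ValueError("vectors must have equal length")
    return sum((x * y for x, y in zip(xs, ys)), zero("T"))


def ppe_holds(pairs, target_exponent):
    """Decide whether prod_i e(X_i, Y_i) == e(G, H)^target_exponent."""
    xs = [x for x, _ in pairs]
    ys = [y for _, y in pairs]
    return pairing_product(xs, ys) == target_exponent * ONE_T
```

Because the mock keeps the exponents, it also makes the generic-group intuition concrete: every element an adversary can build from seen elements in one source group is a linear combination of their logarithms, while a pairing product equation is a quadratic form in those logarithms.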
2.2 Signature Schemes
Our signature schemes work over an asymmetric bilinear group generated by \(\mathcal {G}\). This group may be generated by the signer and included in the public verification key. In many cryptographic schemes, however, it is convenient for the signer to work on top of a pre-existing bilinear group. We will therefore in the description of our signatures explicitly distinguish between a setup algorithm \(\mathbf {Setup}\) that produces public parameters pp and a key generation algorithm the signer uses to generate her own keys. The setup algorithm we use in our paper generates a bilinear group \((p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,[1]_1,[1]_2)\leftarrow \mathcal {G}(1^\lambda )\). It then extends the description of the bilinear group with additional randomly selected group elements. Our signature scheme does not rely on knowledge of the discrete logarithms of these random group elements, so the setup may be reused for many different signature schemes and other cryptographic schemes.
A signature scheme (with setup algorithm \(\mathbf {Setup}\)) consists of efficient algorithms \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign},\mathbf {Vfy})\).

\(\mathbf {Setup}(1^\lambda )\rightarrow pp\): The setup algorithm generates public parameters pp. They specify a message space \(\mathcal {M}_{pp}\).

\(\mathbf {Gen}(pp)\rightarrow (vk,sk)\): The key generation algorithm takes public parameters pp as input and returns a public verification key vk and a secret signing key sk.

\(\mathbf {Sign}(pp,sk,m)\rightarrow \sigma \): The signing algorithm takes a signing key sk and a message \(m\in \mathcal {M}_{pp}\) as input and returns a signature \(\sigma \).

\(\mathbf {Vfy}(pp,vk,m,\sigma )\rightarrow 1/0\): The verification algorithm takes the verification key vk, a message m and a purported signature \(\sigma \) as input and returns either 1 (accept) or 0 (reject).
Definition 1
2.3 Structure-Preserving Signature Schemes
Structure-preserving signatures are extremely versatile because they mix well with other pairing-based protocols. Groth-Sahai proofs [GS12], for instance, are designed with pairing product equations in mind and can therefore easily be applied to structure-preserving signatures.
Definition 2

public parameters include a bilinear group \((p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,[1]_1,[1]_2)\leftarrow \mathcal {G}(1^\lambda )\),

verification keys consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\),

messages consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\),

signatures consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and

the verification algorithm only needs to decide membership in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and evaluate pairing product equations.
Fully Structure-Preserving Signatures. Abe et al. [AKOT15] argue that in several applications it is desirable that the secret signing key, too, contains only source group elements. They define a structure-preserving signature scheme to be fully structure-preserving if the signing key sk consists of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and the correctness of the secret signing key with respect to the public verification key can be verified using pairing product equations.
3 Randomizable and Strongly Unforgeable Signatures
A signature scheme is said to be existentially unforgeable if it is infeasible to forge a signature on a message that has not previously been signed. The standard definition of existential unforgeability allows the adversary to modify an existing signature on a message to a new signature on the same message. We say a signature scheme is randomizable if it is possible to randomize a signature on a message to get a new random signature on the same message. On the other hand, we say a signature scheme is strongly unforgeable when it is also infeasible to modify a signature, or more precisely it is infeasible to construct a valid message and signature pair that has not previously been seen.
Both strong signatures and randomizable signatures have many uses. We will therefore construct both strongly existentially unforgeable signatures and randomizable signatures. To capture the best of both worlds, we will define a combined signature scheme where the signer can decide whether a signature should be randomizable or strongly unforgeable. Randomizable signatures are constructed using signing algorithm \(\mathbf {Sign}_0\) and verified by verification algorithm \(\mathbf {Vfy}_0\). Strongly unforgeable signatures are constructed using signing algorithm \(\mathbf {Sign}_1\) and verified by verification algorithm \(\mathbf {Vfy}_1\).
A naïve combined signature scheme would have a verification key containing two verification keys, one for randomizable signatures and one for strong signatures. However, this solution has the disadvantage of increasing key size. Instead we will in this paper construct a combined signature scheme where the verification key is just a single group element that can be used to verify either type of signature. This dual use of the verification key means that we must carefully consider the security implications of combining two signature schemes though, so we will now define a combined signature scheme.
A combined signature scheme \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign}_0,\mathbf {Vfy}_0,\mathbf {Rand},\mathbf {Sign}_1,\mathbf {Vfy}_1)\) consists of 7 probabilistic polynomial time algorithms as described below.

\(\mathbf {Setup}(1^\lambda , size )\rightarrow pp\): The setup algorithm takes the security parameter \(\lambda \) and description of the size of messages to be signed and generates public parameters. It defines a message space \(\mathcal {M}_{pp}\) of messages that can be signed.

\(\mathbf {Gen}(pp)\rightarrow (vk,sk)\): The key generation algorithm given public parameters generates a public verification key vk and a secret signing key sk.

\(\mathbf {Sign}_0(pp,sk,m)\rightarrow \sigma \): The randomizable signature algorithm given the signing key and a message m returns a randomizable signature \(\sigma \).

\(\mathbf {Vfy}_0(pp,vk,m,\sigma )\rightarrow 1/0\): The randomizable signature verification algorithm given a message and a purported randomizable signature on it returns 1 if accepting the signature and 0 if rejecting the signature.

\(\mathbf {Rand}(pp,vk,m,\sigma )\rightarrow \sigma '\): The randomization algorithm given a valid randomizable signature on a message returns a new randomized signature on the same message.

\(\mathbf {Sign}_1(pp,sk,m)\rightarrow \sigma \): The strong signature algorithm given the signing key and a message m returns a strongly unforgeable signature \(\sigma \).

\(\mathbf {Vfy}_1(pp,vk,m,\sigma )\rightarrow 1/0\): The strong signature verification algorithm given a message and a purported strong signature on it returns 1 if accepting the signature and 0 if rejecting the signature.
We say a combined signature scheme has perfect correctness if the constituent randomizable and strongly unforgeable signature schemes \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign}_0,\mathbf {Vfy}_0)\) and \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign}_1,\mathbf {Vfy}_1)\) both are perfectly correct.
The combined signatures are perfectly randomizable if a randomized signature looks exactly like a fresh signature on the same message.
Definition 3
To capture the attacks that can occur against a combined signature scheme, we assume the adversary may arbitrarily query a signer for randomizable or strong signatures. We want the signature scheme to be combined existentially unforgeable in the sense that even seeing randomizable signatures does not help in breaking strong existential unforgeability and on the other hand seeing strong signatures does not help in producing randomizable signatures.
Definition 4
4 Structure-Preserving Combined Signature Scheme
In order to explain some of the design principles underlying the construction, let us first consider the special case where the message space is \(\mathbb {G}_2\), i.e., we are signing a single group element and \(N=m=n=1\). The setup includes a random group element \([y]_2\), the verification key consists of a single group element \([v]_1\), and both randomizable and strongly unforgeable signatures are of the form \(\sigma =([r]_1,[s]_2,[t]_2)\).
Now, what if the adversary, instead of creating a signature from scratch, tries to modify an existing signature or combine many existing signatures? Due to the random choice of \(z\leftarrow \mathbb {Z}_p^*\) in the signing protocol, each signature query yields a signature with a different random \([r_i]_1\). As it turns out, this per-signature randomization makes it hard for the adversary to combine multiple signatures, or even modify one signature, in a meaningful way with generic group operations. The intuition is that generic group operations only allow the adversary to take linear combinations of elements it has seen, whereas the verification equations are quadratic.
Finally, to sign mn group elements in \(\mathbb {G}_2\) instead of m group elements we keep the first verification equation, which does not involve the message, and add \(n-1\) extra verification equations similar to the second verification equation for a vector of group elements described above. This allows us to sign n vectors in parallel. To prevent linear combinations of message vectors and signature components from being useful in other verification equations, we give each verification equation a separate \([v]_1[y_k]_2\) term, where \(k=1,\ldots ,n\) is the index of the verification equation.
Theorem 1
Fig. 1 gives a structure-preserving combined signature scheme that is CEUF-CMA secure in the generic group model.
Proof
Perfect correctness, perfect randomizability and structure-preservation follow by inspection. What remains is to prove that the signature scheme is CEUF-CMA secure in the generic group model. In the (Type III) generic bilinear group model the adversary may compute new group elements in either source group by taking arbitrary linear combinations of previously seen group elements in the same source group. We shall see that no such linear combination of group elements, viewed as formal Laurent polynomials in the variables picked by the key generator and the signing oracle, yields an existential forgery. It follows along the lines of the Uber assumption of Boneh, Boyen and Goh [BBG05] from the inability to produce forgeries when working with formal Laurent polynomials that the signature scheme is CEUF-CMA secure in the generic bilinear group model.
Now we have the term \(\rho _{r_\ell }\sigma \frac{1}{z_\ell }=0\), which shows us \(\sigma =0\). The terms \(\rho _{r_\ell }\sigma _{y,k}\frac{y_k}{z_\ell }=0\) for \(k=1,\ldots ,n\) give us \(\varvec{\sigma }_y=\mathbf {0}\).
The polynomials corresponding to \(s_j\) and \(\varvec{t}_j\) contain the indeterminate \(z_j\) in all terms, so no linear combination of them can give us a term where the indeterminate component is \(vy_k\) for some \(k\in \{1,\ldots ,n\}\). Since \(M_j\) is constructed as a linear combination of elements in the verification key and components in \(\mathbb {G}_2\) from previously seen signatures, it too cannot contain a term where the indeterminate component is \(vy_k\). The coefficient of \(\frac{z_j}{z_\ell }vy_k\) is therefore \(\rho _{r_\ell }\sigma _{t_j,k}=0\) and therefore \(\sigma _{t_j,k}=0\) for every \(j\ne \ell \) and \(k\in \{1,\ldots ,n\}\). This shows \(\varvec{\sigma }_{t_j}=\mathbf {0}\) for all \(j\ne \ell \). Looking at the coefficients for \(vy_k\) for \(k=1,\ldots ,n\) we see that \(\varvec{\sigma }_{t_\ell }=\mathbf {0}\) too.
We have now deduced that \(\varvec{m}'=\mathbf {0}\) and therefore \(\varvec{m}_\ell =\mathbf {m}\). This means the first column of M for which the adversary has produced a signature is a copy of the first column of the queried message \(M_\ell \). Using the same analysis on the last \(n-1\) verification equations gives us that the other \(n-1\) columns match as well. This means a generic adversary can only produce valid signatures for previously queried messages, so we have EUF-CMA security.
Finally, let us consider the case where \(b=1\), i.e., we are doing a strong signature verification. We saw earlier that \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) which can only be satisfied if \(b_{\ell }=1\) and \(\rho _{r_\ell }=1\). This means \(s=s_\ell \) and \(r=r_\ell \) and \(M=M_\ell \) and therefore \(\varvec{t}=\varvec{t}_\ell \). So the generic adversary can only satisfy the strong verification equation with \(b=1\) by copying both the message and signature from a previous query with \(b_\ell =1\).
On the other hand, if \(b=0\), i.e., we are verifying a randomizable signature, we see from \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) that \(b_\ell =0\). So the adversary has randomized a signature intended for randomization. \(\square \)
5 Fully Structure-Preserving Combined Signature Scheme
The earlier structure-preserving signature scheme uses knowledge of the discrete logarithms of \([\varvec{u}]_1\) in a fundamental way, since \([\varvec{t}]_2\) contains a \(z(\varvec{u},1)[M]_2\) component that cannot be computed without these discrete logarithms. This situation is common to all structure-preserving signature schemes for messages that are vectors of group elements. The need to include such discrete logarithms in the signing key therefore prevents them from being fully structure-preserving.
Abe et al. [AKOT15] get around this problem by only pairing message group elements with signature group elements where the signer knows the discrete logarithms. Inspired by their work, we will let the signer pick \([\varvec{u}]_1\) and include it in the signature.
Letting the signer pick \([\varvec{u}]_1\) as part of the verification key means that she can know their discrete logarithms. Since she also picks \(z\leftarrow \mathbb {Z}_p^*\) herself she can now use linear operations to compute the \(z(\varvec{u},1)[M]_2\) part of \([\varvec{t}]_2\). Furthermore, we have designed the scheme such that the rest can be computed with linear operations as well. To make randomizable signatures the signer just needs to know \([v]_2\) and \([v\varvec{y}]_2\). To make strong signatures she additionally needs to know \([v\varvec{x}]_2\) and \([v^2]_2\).
Theorem 2
Fig. 2 gives a fully structure-preserving combined signature scheme that is CEUF-CMA secure in the generic group model.
Proof
What remains is to prove that the signature scheme is CEUF-CMA secure in the generic group model. In the (Type III) generic bilinear group model the adversary may compute new group elements in either source group by taking arbitrary linear combinations of previously seen group elements in the same source group. We shall see that no such linear combination of group elements, viewed as formal Laurent polynomials in the variables picked by the key generator and the signing oracle, yields an existential forgery. It follows along the lines of the Uber assumption of [BBG05] that the signature scheme is CEUF-CMA secure in the generic bilinear group model.
Now we have the term \(\rho _{r_\ell }\sigma \frac{1}{z_\ell }=0\), which shows us \(\sigma =0\). The terms \(\rho _{r_\ell }\sigma _{y,k}\frac{y_k}{z_\ell }=0\) for \(k=1,\ldots ,n\) give us \(\varvec{\sigma }_y=\mathbf {0}\).
The polynomials corresponding to \(s_j\) and \(\varvec{t}_j\) contain the indeterminate \(z_j\) in all terms, so no linear combination of them can give us a term where the indeterminate component is \(vy_k\) for some \(k\in \{1,\ldots ,n\}\). Since \(M_j\) is constructed as a linear combination of elements in the verification key and components in \(\mathbb {G}_2\) from previously seen signatures, it too cannot contain a term where the indeterminate component is \(vy_k\). The coefficient of \(\frac{z_j}{z_\ell }vy_k\) is therefore \(\rho _{r_\ell }\sigma _{t_j,k}=0\) and therefore \(\sigma _{t_j,k}=0\) for every \(j\ne \ell \) and \(k\in \{1,\ldots ,n\}\). This shows \(\varvec{\sigma }_{t_j}=\mathbf {0}\) for all \(j\ne \ell \). Looking at the coefficients for \(vy_k\) for \(k=1,\ldots ,n\) we see that \(\varvec{\sigma }_{t_\ell }=\mathbf {0}\) too.
A similar argument can be applied to the remaining \(n-1\) verification equations, showing that all columns of M and \(M_{\ell }\) match. This means \(M=M_{\ell }\), so the signature scheme is existentially unforgeable both for randomizable signatures and for strong signatures.
Finally, let us consider the case where \(b=1\), i.e., we are doing a strong signature verification. We have already seen that \(b\varvec{\sigma }_x=\mathbf {0}\) so when \(b=1\) this means \(\varvec{\sigma }_x=\mathbf {0}\). Since \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) we see that \(b_{\ell }=1\) and \(\rho _{r_\ell }=1\). This means \(s=s_\ell \) and \(r=r_\ell \) and \(\varvec{u}=\varvec{u}_\ell \) and \(M=M_\ell \) and therefore \(\varvec{t}=\varvec{t}_\ell \). So the generic adversary can only satisfy the strong verification equation with \(b=1\) by copying both the message and signature from a previous query with \(b_\ell =1\).
On the other hand, if we have \(b=0\), i.e., we are verifying a randomizable signature, we see from \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) that \(b_\ell =0\). So the adversary has randomized a signature intended for randomization. \(\square \)
Acknowledgment
We thank Masayuki Abe, Markulf Kohlweiss, Miyako Ohkubo and Mehdi Tibouchi for their comments and sharing an early version of [AKOT15] with us.
References
 [ACD+12] Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 4–24. Springer, Heidelberg (2012)
 [ADK+13] Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)
 [AFG+10] Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
 [AGHO11] Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011)
 [AGO11] Abe, M., Groth, J., Ohkubo, M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 628–646. Springer, Heidelberg (2011)
 [AGOT14] Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 688–712. Springer, Heidelberg (2014)
 [AHO12] Abe, M., Haralambiev, K., Ohkubo, M.: Group to group commitments do not shrink. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 301–317. Springer, Heidelberg (2012)
 [AKOT15] Abe, M., Kohlweiss, M., Ohkubo, M., Tibouchi, M.: Fully structure-preserving signatures and shrinking commitments. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 35–65. Springer, Heidelberg (2015)
 [ALP12] Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012)
 [ALP13] Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 386–404. Springer, Heidelberg (2013)
 [BBG05]Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ciphertext. Cryptology ePrint Archive, Report 2005/015 (2005)Google Scholar
 [BCPW15]Benhamouda, F., Couteau, G., Pointcheval, D., Wee, H.: Implicit zeroknowledge arguments and applications to the malicious setting. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 107–129. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 [CDEN12]Camenisch, J., Dubovitskaya, M., Enderlein, R.R., Neven, G.: Oblivious transfer with hidden access control from attributebased encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 559–579. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 [CKLM12]Chase, M., Kohlweiss, M., Lysyanskaya, A., Meiklejohn, S.: Malleable proof systems and applications. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 281–300. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 [CM15]Chatterjee, S., Menezes, A.: Type 2 structurepreserving signature schemes revisited. In: ASIACRYPT (2015)Google Scholar
 [EHK+13]Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for DiffieHellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [ElG85]ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. 31(4), 469–472 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
 [Fuc11]Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 [FV10]Fuchsbauer, G., Vergnaud, D.: Fair blind signatures without random oracles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 16–33. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 [GH08]Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 179–197. Springer, Heidelberg (2008)CrossRefGoogle Scholar
 [GPS08]Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
 [Gro06]Groth, J.: Simulationsound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)CrossRefGoogle Scholar
 [GS12]Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 [HJ12]Hofheinz, D., Jager, T.: Tightly secure signatures and publickey encryption. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 [LPJY13]Libert, B., Peters, T., Joye, M., Yung, M.: Linearly homomorphic structurepreserving signatures and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 289–307. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 [LPY12]Libert, B., Peters, T., Yung, M.: Group signatures with almostforfree revocation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 571–589. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 [LPY15]Libert, B., Peters, T., Yung, M.: Short group signatures via structurepreserving signatures: standard model security from simple assumptions. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 296–316. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 [Nec94]Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. Mat. Zametki 55(2), 91–101 (1994)MathSciNetzbMATHGoogle Scholar
 [Sho97]Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)CrossRefGoogle Scholar
 [ZLG12]Zhang, J., Li, Z., Guo, H.: Anonymous transferable conditional Ecash. In: Keromytis, A.D., Di Pietro, R. (eds.) SecureComm 2012. LNICST, vol. 106, pp. 45–60. Springer, Heidelberg (2013)CrossRefGoogle Scholar