Advertisement

Efficient Fully Structure-Preserving Signatures for Large Messages

  • Jens GrothEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9452)

Abstract

We construct both randomizable and strongly existentially unforgeable structure-preserving signatures for messages consisting of many group elements. To sign a message consisting of \(N=mn\) group elements we have a verification key size of m group elements and signatures contain \(n+2\) elements. Verification of a signature requires evaluating \(n+1\) pairing product equations.

We also investigate the case of fully structure-preserving signatures where it is required that the secret signing key consists of group elements only. We show a variant of our signature scheme allowing the signer to pick part of the verification key at the time of signing is still secure. This gives us both randomizable and strongly existentially unforgeable fully structure-preserving signatures. In the fully structure preserving scheme the verification key is a single group element, signatures contain \(m+n+1\) group elements and verification requires evaluating \(n+1\) pairing product equations.

Keywords

Digital signatures Pairing-based cryptography Full structure-preservation 

1 Introduction

Structure-preserving signatures are pairing-based signatures where verification keys, messages and signatures all consist solely of group elements and the verification algorithm relies on generic group operations such as multiplications and pairings to verify a signature. Structure-preserving signatures are interesting because they compose well with other structure-preserving primitives such as ElGamal encryption [ElG85] and Groth-Sahai proofs [GS12] for instance. By combining different structure-preserving components it is possible to build advanced cryptographic schemes in a modular manner. Applications of structure-preserving signatures include blind signatures [AFG+10, FV10], group signatures [AFG+10, FV10, LPY12], homomorphic signatures  [LPJY13, ALP13], delegatable anonymous credentials [Fuc11], compact verifiable shuffles [CKLM12], network encoding [ALP12], oblivious transfer [GH08, CDEN12], tightly secure encryption [HJ12, ADK+13] and anonymous e-cash [ZLG12].

Since structure-preserving signatures are basic components when building cryptographic schemes it is crucial to make them as efficient as possible. All cryptographic protocols built on top of a structure-preserving signature scheme will be affected by its efficiency. There has therefore been a significant amount of research into finding barriers for how efficient structure-preserving signatures can be and constructing schemes achieving these bounds. Abe et al. [AGHO11] demonstrated a lower bound of 3 group elements for structure-preserving signatures (using Type III pairings, which is the most efficient type) and found matching constructions with 3 element signatures.

While the case of signing a single group element has been well studied, the question of signing larger messages has received less attention. Most structure-preserving schemes offering to sign many elements do so by increasing the size of the verification key linearly in the message to be signed. One could of course imagine chopping a large message into smaller pieces and signing each of them individually and then sign the resulting signatures to bind them together. However, this approach incurs a multiplicative overhead proportional to the size of the signatures we use, which due to the lower bound will be at least a factor 3. Also, such constructions would require the use of many pairing product equations in the verification of a signature.

Recently Abe et al. [AKOT15] introduced the notion of fully structure-preserving signatures. In a fully structure-preserving signature scheme also the secret key is required to consist of group elements only, which stands in contrast to most current structure-preserving signature schemes where the secret key consists of field elements. Fully structure-preservation is useful in several contexts, it is for instance often the case in a PKI that to get a public key certified one must demonstrate possession of a matching secret key. When the secret key consists of group elements it becomes possible to use Groth-Sahai proofs to give efficient proofs of knowledge of the secret key.

Abe et al. [AKOT15] also considered the question of signing messages that consist of many group elements. Surprisingly they showed that one can give fully structure-preserving signatures that only grow propotionately to the square root of the message size. The reason this is remarkable is that in structure-preserving signatures one cannot use collision-resistant hash-functions to reduce the message size since they are structure-destroying and furthermore it is known that size-reducing strictly structure-preserving commitments do not exist [AHO12]. They also showed a lower bound that says the combined length of the verification key and the signature size must be at least the square root of the message size, which holds regardless of whether the structure-preservation is full or not.

1.1 Our Contribution

As we said earlier it is crucial to optimize efficiency of structure-preserving signatures. In this paper we investigate the case of signing large messages and present very efficient structure-preserving signature schemes for signing many elements at once. Our signature schemes will be designed directly with large messages in mind and therefore be more efficient than constructions relying on the combination of multiple signature schemes.

We construct a structure-preserving signature scheme for messages consisting of \(N=mn\) group elements. The verification key contains m elements and the signature size is \(n+2\) elements. This matches the best structure-preserving signature schemes for a single group element, in which case we would have a single group element verification key and a 3 element signature but unlike prior constructions our signature scheme scales very well for large messages. The verification process involves \(n+1\) pairing product equations, so also this matches state of the art for signing a single group element but scales well to handle larger messages.

Depending on the context, it may be desirable to use a strong signature scheme where it is not only infeasible to forge signatures on messages that have not been seen before but it is also infeasible to create a new different signatures on messages that have already been signed. In other circumstances, however, quite the opposite may be the case and it may be desirable to have signatures that can be randomized. In particular, when combining structure-preserving signatures with Groth-Sahai proofs, randomizability may be desirable since some of the signature elements can be revealed in the clear after being randomized.

Our signature scheme is very flexible in the sense that the same verification key can be used for both strong signatures and randomizable signatures at the same time. We define the notion of a combined signature scheme where the signer can choose for each message whether to make the signature strongly unforgeable or randomizable.

We also present a modified construction that is fully structure-preserving. In order to get full structure-preservation it is necessary for the signer to know discrete logarithms of group elements that are paired with the message since she does not know the discrete logarithms of the group elements in the message. Surprisingly this can be achieved in a simple way in our signature scheme by letting the signer pick most of the verification key herself. Due to this property we now get a fully structure-preserving signature scheme where the verification key is just a single group element and the signature consists of \(m+n+2\) group elements.

1.2 Related Work

The name “structure-preserving signature” was coined by Abe et al. [AFG+10] but there are earlier works giving structure-preserving signatures with the first being  [Gro06].

Abe et al. [AGHO11] gave the first 3 element signature scheme for fully asymmetric pairings (Type III) and also proved that this is optimal. Abe et al. [AGOT14] give 2 element signatures based on partially asymmetric pairings (Type II) but Chatterjee and Menezes  [CM15] showed that structure preserving signatures in the partially asymmetric setting are less efficient than signatures based on fully asymmetric pairings. In this paper we therefore only consider the fully asymmetric setting, which gives the best efficiency and thus is the most relevant case to consider.

A line of research [HJ12, ACD+12, ADK+13, LPY15, BCPW15] has worked on basing structure-preserving signatures on standard assumptions such as the decision Diffie-Hellman or the decision linear assumptions. The fully structure-preserving signatures by Abe et al.  [AKOT15] is based on the natural double pairing assumption, which is implied by the DDH assumption. However, Abe et al. [AGO11] has showed that 3 element signatures cannot be proven secure under a non-interactive assumption using black-box reductions, so strong assumptions are needed to get optimal efficiency. We will therefore base the security of our signatures on the generic group model [Nec94, Sho97] instead of aiming for security under a well-established assumption.

The signature scheme in Abe et al. [AGOT14] can be seen to be fully structure-preserving. It is a 3 group element signature scheme and is selectively randomiazable. Selective randomizability means that signatures are strong but the signer can choose to release a randomization token to make a signature randomizable. This notion is different from our notion of a combined signature scheme where the signer can choose to create randomizable or strong signatures. The advantage of selective randomizable signatures is that all signatures are verified with the same verification equation; the disadvantage is the need to issue randomization tokens when making a signature randomizable.

As discussed earlier the most directly related work is by Abe et al. [AKOT15] who introduced the notion of fully structure-preserving signatures and constructed a square root complexity scheme based on the double pairing assumption. We give a detailed performance comparison in Table 1. If we use \(m \approx n\approx \sqrt{N}\) their verification key contains \(11+6\sqrt{N}\) group elements, signatures contain \(11+4\sqrt{N}\) group elements, and they require \(5+\sqrt{N}\) pairing product equations to verify a signature. In comparison, our fully structure-preserving signature scheme has a verification key with 1 group element, signatures consist of \(2+2\sqrt{N}\) group elements, and we use \(1+\sqrt{N}\) pairing product equations to verify signatures.
Table 1.

Comparison of structure-preserving signature schemes for messages consisting of \(N=mn\) elements in \(\mathbb {G}_2\). We display public parameter, verification key and signature sizes measured in group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and number of pairing product equations required for verifying a signature. The public parameters also contain a description of the bilinear group. The public parameters can be reused for other cryptographic schemes so their cost can be amortized.

Scheme

Parameters

Verification key

Signature

PPE

[AKOT15]

\(4 \,\, \mathbb {G}_1, 4 \, \mathbb {G}_2\)

\(1\, \, \mathbb {G}_1, 10+3m+3n \,\, \mathbb {G}_2\)

\(7+m+n \, \,\mathbb {G}_1, 4+2n \,\, \mathbb {G}_2\)

\(5+n\)

Our SPS

\(1 \,\, \mathbb {G}_1, n+1 \,\, \mathbb {G}_2\)

\(m \, \,\mathbb {G}_1\)

\(1 \,\, \mathbb {G}_1, 1+n \,\, \mathbb {G}_2\)

\(1+n\)

Our fully SPS

\(1 \,\, \mathbb {G}_1, n+m \,\, \mathbb {G}_2\)

\(1 \,\, \mathbb {G}_1\)

\(m \,\, \mathbb {G}_1, 1+n \,\, \mathbb {G}_2\)

\(1+n\)

2 Preliminaries

2.1 Bilinear Groups

Throughout the paper we let \(\mathcal {G}\) be an asymmetric bilinear \(\lambda \) returns \((p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,G,H)\leftarrow \mathcal {G}(1^\lambda )\) with the following properties:
  • \(\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T\) are groups of prime order p

  • \(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is a bilinear map

  • G generates \(\mathbb {G}_1\), H generates \(\mathbb {G}_2\) and e(GH) generates \(\mathbb {G}_T\)

  • There are efficient algorithms for computing group operations, evaluating the bilinear map, comparing group elements and deciding membership of the groups

In a bilinear group we refer to deciding group membership, computing group operations in \(\mathbb {G}_1,\mathbb {G}_2\) or \(\mathbb {G}_T\), comparing group elements and evaluating the bilinear map as the generic group operations. In the signature schemes we construct we only use generic group operations.

Galbraith, Paterson and Smart [GPS08] distinguish between 3 types of bilinear group generators. In the Type I setting (also called the symmetric setting) \(\mathbb {G}_1=\mathbb {G}_2\), in the Type II setting there is an efficiently computable isomorphism \(\psi :\mathbb {G}_2\rightarrow \mathbb {G}_1\), and in the Type III setting no isomorphism that is efficiently computable in either direction between the source groups exists. Throughout the paper we will work in the Type III setting, which gives the most efficient operations and therefore is most important setting.

It will be useful to use the notation of Escala et al. [EHK+13] that keeps track of the discrete logarithm of group elements. They represent a group element X in \(\mathbb {G}_1\) by \([x]_1\) when \(X=G^x\) and a group element Y in \(\mathbb {G}_2\) as \([y]_2\) when \(Y=H^y\) and a group element \(Z\in \mathbb {G}_T\) as \([z]_T\) when \(Z=e(G,H)^z\). In this notation the source group generators G and H are \([1]_1\) and \([1]_2\).

The advantage of using this notation is that it highights the underlying linear algebra performed on the exponents when we do group operations. Multiplying two group elements \(X,Y\in \mathbb {G}_1\) to get XY for instance corresponds to \([x]_1+[y]_1=[x+y]_1\). Exponentiation of \(X\in \mathbb {G}_1\) with \(y\in \mathbb {Z}_p\) to get \(X^y\) can be written \(y[x]_1=[yx]_1\). Using the bilinear map on \(X\in \mathbb {G}_1\) and \(Y\in \mathbb {G}_2\) to get e(XY) can be written as \([x]_1[y]_2=[xy]_T\).

We can represent vectors of group elements \(\mathbf {X}=(X_1,\ldots ,X_n)\) in \(\mathbb {G}_1\) as \([\varvec{x}]_1\). The operations taking place in the groups have natural linear algebra equivalents, e.g., exponentiation of a vector of group elements to a matrix of exponents to get a new vector of group elements can be written \([\varvec{x}]_1A=[\varvec{x}A]_1\). A pairing product \(\prod _{i=1}^ne(X_i,Y_i)\) can be written \([\varvec{x}]_1\cdot [\varvec{y}]_2=[\varvec{x}\cdot \varvec{y}]_T\). Exponentiation of a number of group elements to the same exponent to get \((X_1^a,\ldots ,X_n^a)\) can be written \([\varvec{x}]_1a=[\varvec{x}a]_1\).

2.2 Signature Schemes

Our signature schemes work over an asymmetric bilinear group generated by \(\mathcal {G}\). This group may be generated by the signer and included in the public verification key. In many cryptographic schemes it is convenient for the signer to work on top of a pre-existing bilinear group though. We will therefore in the description of our signatures explicitly distinguish between a setup algorithm \(\mathbf {Setup}\) that produces public parameters pp and a key generation algorithm the signer uses to generate her own keys. The setup algorithm we use in our paper generates a bilinear group \((p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,[1]_1,[1]_2)\leftarrow \mathcal {G}(1^\lambda )\). It then extends the description of the bilinear group with additional randomly selected group elements. Our signature scheme does not rely on knowledge of the discrete logarithms of these random group elements, so the setup may be reused for many different signature schemes and other cryptographic schemes.

A signature scheme (with setup algorithm \(\mathbf {Setup}\)) consists of efficient algorithms \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign},\mathbf {Vfy})\).

  • \(\mathbf {Setup}(1^\lambda )\rightarrow pp\): The setup algorithm generates public parameters pp. They specify a message space \(\mathcal {M}_{pp}\).

  • \(\mathbf {Gen}(pp)\rightarrow (vk,sk)\): The key generation algorithm takes public parameters pp as input and returns a public verification key vk and a secret signing key sk.

  • \(\mathbf {Sign}(pp,sk,m)\rightarrow \sigma \): The signing algorithm takes a signing key sk and a message \(m\in \mathcal {M}_{pp}\) as input and returns a signature \(\sigma \).

  • \(\mathbf {Vfy}(pp,vk,m,\sigma )\rightarrow 1/0\): The verification algorithm takes the verification key vk, a message m and a purported signature \(\sigma \) as input and returns either 1 (accept) or 0 (reject).

Definition 1

(Correctness). The signature scheme \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign},\mathbf {Vfy})\) is (perfectly) correct if for all security parameters \(k\in \mathbb {N}\)
$$\begin{aligned} \Pr \left[ \begin{array}{l}pp\leftarrow \mathbf {Setup}(1^\lambda ); (vk,sk)\leftarrow \mathbf {Gen}(pp)\\ m\leftarrow \mathcal {M}_{pp}; \sigma \leftarrow \mathbf {Sign}(pp,sk,m)\end{array}:\mathbf {Vfy}(pp,vk,m,\sigma )=1\right] =1. \end{aligned}$$

2.3 Structure-Preserving Signature Schemes

In this paper, we study structure-preserving signature schemes [AFG+10]. In a structure-preserving signature scheme the verification key, the messages and the signatures consist only of group elements from \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and the verification algorithm evaluates the signature by deciding group membership of elements in the signature and by evaluating pairing product equations, which are equations of the form
$$\prod _i\prod _je(X_i,X_j)^{a_{ij}}=1,$$
where \(X_1,X_2,\ldots \in \mathbb {G}_1\) are group elements appearing in ppvkm and \(\sigma \) and \(a_{11},a_{12},\ldots \in \mathbb {Z}\) are constants.

Structure-preserving signatures are extremely versatile because they mix well with other pairing-based protocols. Groth-Sahai proofs [GS12] are for instance designed with pairing product equations in mind and can therefore easily be applied to structure-preserving signatures.

Definition 2

(Structure-preserving signatures). A signature scheme is said to be structure preserving over bilinear group generator \(\mathcal {G}\) if
  • public parameters include a bilinear group \((p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,[1]_1,[1]_2)\leftarrow \mathcal {G}(1^\lambda )\),

  • verification keys consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\),

  • messages consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\),

  • signatures consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and

  • the verification algorithm only needs to decide membership in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and evaluate pairing product equations.

Fully Structure Preserving Signatures. Abe et al. [AKOT15] argue that in several applications it is desirable that also the secret signing keys only contain source group elements. They define a structure-preserving signature scheme to be fully structure preserving if the signing key sk consists of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and the correctness of the secret signing key with respect to the public verification key can be verified using pairing product equations.

3 Randomizable and Strongly Unforgeable Signatures

A signature scheme is said to be existentially unforgeable if it is infeasible to forge a signature on a message that has not previously been signed. The standard definition of existential unforgeability allows the adversary to modify an existing signature on a message to a new signature on the same message. We say a signature scheme is randomizable if it is possible to randomize a signature on a message to get a new random signature on the same message. On the other hand, we say a signature scheme is strongly unforgeable when it is also infeasible to modify a signature, or more precisely it is infeasible to construct a valid message and signature pair that has not previously been seen.

Both strong signatures and randomizable signatures have many uses. We will therefore construct both strongly existentially unforgeable signatures and randomizable signatures. To capture the best of both worlds, we will define a combined signature scheme where the signer can decide whether a signature should be randomizable or strongly unforgeable. Randomizable signatures are constructed using signing algorithm \(\mathbf {Sign}_0\) and verified by verification algorithm \(\mathbf {Vfy}_0\). Strongly unforgeable signatures are constructed using signing algorithm \(\mathbf {Sign}_1\) and verified by verification algorithm \(\mathbf {Vfy}_1\).

A naïve combined signature scheme would have a verification key containing two verification keys, one for randomizable signatures and one for strong signatures. However, this solution has the disadvantage of increasing key size. Instead we will in this paper construct a combined signature scheme where the verification key is just a single group element that can be used to verify either type of signature. This dual use of the verification key means that we must carefully consider the security implications of combining two signature schemes though, so we will now define a combined signature scheme.

A combined signature scheme \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign}_0,\mathbf {Vfy}_0,\mathbf {Rand},\mathbf {Sign}_1,\mathbf {Vfy}_1)\) consists of 7 probabilistic polynomial time algorithms as described below.

  • \(\mathbf {Setup}(1^\lambda , size )\rightarrow pp\): The setup algorithm takes the security parameter \(\lambda \) and description of the size of messages to be signed and generates public parameters. It defines a message space \(\mathcal {M}_{pp}\) of messages that can be signed.

  • \(\mathbf {Gen}(pp)\rightarrow (vk,sk)\): The key generation algorithm given public parameters generates a public verification key vk and a secret signing key sk.

  • \(\mathbf {Sign}_0(pp,sk,m)\rightarrow \sigma \): The randomizable signature algorithm given the signing key and a message m returns a randomizable signature \(\sigma \).

  • \(\mathbf {Vfy}_0(pp,vk,m,\sigma )\rightarrow 1/0\): The randomizable signature verification algorithm given a message and a purported randomizable signature on it returns 1 if accepting the signature and 0 if rejecting the signature.

  • \(\mathbf {Rand}(pp,vk,m,\sigma )\rightarrow \sigma '\): The randomization algorithm given a valid randomizable signature on a message returns a new randomized signature on the same message.

  • \(\mathbf {Sign}_1(pp,sk,m)\rightarrow \sigma \): The strong signature algorithm given the signing key and a message m returns a strongly unforgeable signature \(\sigma \).

  • \(\mathbf {Vfy}_1(pp,vk,m,\sigma )\rightarrow 1/0\): The strong signature verification algorithm given a message and a purported strong signature on it returns 1 if accepting the signature and 0 if rejecting the signature.

We say a combined signature scheme has perfect correctness if the constituent randomizable and strongly unforgeable signature schemes \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign}_0,\mathbf {Vfy}_0)\) and \((\mathbf {Setup},\mathbf {Gen},\mathbf {Sign}_1,\mathbf {Vfy}_1)\) both are perfectly correct.

The combined signatures are perfectly randomizable if a randomized signature looks exactly like a fresh signature on the same message.

Definition 3

(Perfect randomizability). The combined signature scheme is perfectly randomizable if for all \(\lambda \in \mathbb {N}\) and all stateful adversaries \(\mathcal {A}\)
$$\begin{aligned} \Pr \left[ \begin{array}{l} pp\leftarrow \mathbf {Setup}(1^\lambda ); (vk,sk)\leftarrow \mathbf {Gen}(pp)\\ m\leftarrow \mathcal {A}(pp,vk,sk); \sigma ,\sigma _0\leftarrow \mathbf {Sign}_0(pp,sk,m)\\ \sigma _1\leftarrow \mathbf {Rand}(pp,vk,m,\sigma ); b\leftarrow \{0,1\}\end{array}: \mathcal {A}(\sigma ,\sigma _b)=b \right] =\frac{1}{2}, \end{aligned}$$
where \(\mathcal {A}\) outputs \(m\in \mathcal {M}_{pp}\).

To capture the attacks that can occur against a combined signature scheme, we assume the adversary may arbitrarily query a signer for randomizable or strong signatures. We want the signature scheme to be combined existentially unforgeable in the sense that even seeing randomizable signatures does not help in breaking strong existential unforgeability and on the other hand seeing strong signatures does not help in producing randomizable signatures.

Definition 4

(Combined existential unforgeability under chosen message attack). The combined signature scheme is combined existentially unforgeable under adaptive chosen message attack (C-EUF-CMA) if for all probabilistic polynomial time adversaries \(\mathcal {A}\)
$$\begin{aligned} \Pr \left[ \begin{array}{l} pp\leftarrow \mathbf {Setup}(1^\lambda ); (vk,sk)\leftarrow \mathbf {Gen}(pp)\\ (m,\sigma )\leftarrow \mathcal {A}^{\mathbf {Sign}_0(pp,sk,\cdot ),\mathbf {Sign}_1(pp,sk,\cdot )}(pp,vk) \end{array}: \begin{array}{c} \mathbf {Vfy}_0(pp,vk,m,\sigma )=1 \wedge m\notin Q_0 \, \mathrm{{or}} \\ \mathbf {Vfy}_1(pp,vk,m,\sigma )=1 \wedge (m,\sigma )\notin Q_1\end{array}\right] \end{aligned}$$
is negligible, where \(\mathcal {A}\) outputs \(m\in \mathcal {M}_{pp}\) and always queries on messages in \(\mathcal {M}_{pp}\) and \(Q_0\) is the set of messages that have been queried to \(\mathbf {Sign}_0\) to get randomizable signatures and \(Q_1\) is the set of message and signature pairs from queries to \(\mathbf {Sign}_1\) to get strongly unforgeable signatures.

4 Structure-Preserving Combined Signature Scheme

Fig. 1 describes a structure-preserving combined signature scheme that can be used to sign messages consisting of \(N=mn\) group elements in \(\mathbb {G}_2\). It has a verification key size of m group elements, a signature size of \(n+2\) group elements, and verification involves evaluating \(n+1\) pairing product equations.
Fig. 1.

Structure-preserving combined signature scheme. The signature and verification algorithms for randomizable and strongly unforgeable signatures, respectively, are quite similar. We have there described them at the same time indicating the choice by \(b=0\) for randomizable signatures and \(b=1\) for strongly unforgeable signatures.

In order to explain some of the design principles underlying the construction, let us first consider the special case where the message space is \(\mathbb {G}_2\), i.e., we are signing a single group element and \(N=m=n=1\). The setup includes a random group element \([y]_2\), the verification key consists of a single group element \([v]_1\), and both randomizable and strongly unforgeable signatures are of the form \(\sigma =([r]_1,[s]_2,[t]_2)\).

For a randomizable signature there are two verification equations
$$\begin{aligned}{}[r]_1[s]_2=[1]_1[y]_2+[v]_1[1]_2 \qquad \qquad [r]_1[t]_2=[1]_1[m]_2+[v]_1[y]_2. \end{aligned}$$
It is easy to see that we can randomize the factors in \([r]_1[s]_2\) and \([r]_1[t]_2\) into \((\frac{1}{\beta }[r]_1)(\beta [s]_2)\) and \((\frac{1}{\beta }[r]_1)(\beta [t]_2)\) without changing the products themselves, which gives us randomizability of the signatures.
The first verification equation is designed to prevent the adversary from creating a forged signature from scratch after seeing the verification key only. An adversary using only generic group operations can do no better than computing \([r]_1=\rho [1]_1 +\rho _v [v]_1\) and \([s]_2=\sigma [1]_2+\sigma _y[y]_2\) \(\rho ,\rho _v,\sigma ,\sigma _y\in \mathbb {Z}_p\). Looking at the underlying discrete logarithms, the first verification equation then corresponds to the polynomial equation
$$\begin{aligned} (\rho +\rho _vv)(\sigma +\sigma _yy)=y+v \end{aligned}$$
in the unknown discrete logarithms v and y. This equation is not solvable: Looking at the \(\rho _v\sigma v=v\) terms we see \(\sigma \ne 0\). Looking at the \(\rho \sigma _y y=y\) terms we see \(\rho \ne 0\). But this would leave us with a constant term \(\rho \sigma \ne 0\).

Now, what if the adversary instead of creating a signature from scratch tries to modify an existing signature or combine many existing signatures? Well, due to the randomness in the choice of \(z\leftarrow \mathbb {Z}_p^*\) in the signing protocol each signature query will yield a signature with a different random \([r_i]_1\). As it turns out this randomization used in each signature makes it hard for the adversary to combine multiple signatures, or even modify one signature, in a meaningful way with generic group operations. The intuition is that generic group operations allow the adversary to take linear combinations of elements it has seen, however, the verificaction equations are quadratic.

In order to prevent randomization and get strong existential unforgeability the combined signature scheme modifies the latter verification equation by adding a \([v]_1[s]_2\) term. This gives us the following verification equations for strongly unforgeable signatures
$$\begin{aligned}{}[r]_1[s]_2=[1]_1[y]_2+[v]_1[1]_2 \qquad \qquad [r]_1[t]_2=[1]_1[m]_2+[v]_1[y]_2+[v]_1[s]_2. \end{aligned}$$
Now the randomization technique fails because a randomization of \([s]_2\) means we must change \([t]_2\) in a way that counteracts this change in the second verification equation. However, \([t]_2\) is paired with \([r]_1\) that also changes when \([s]_2\) changes. The adversary is therefore faced with a non-linear modification of the signatures and gets stuck because generic group operations only enable it to do linear modifications of signature elements.
We can extend the one-element signature scheme to sign a vector \([\varvec{m}]_2\) with m group elements in \(\mathbb {G}_2\) by extending the verification key by \(m-1\) random group elements \([\varvec{u}]_1=[(u_1,\ldots ,u_{m-1})]_1\). Now the verification equations become
$$\begin{aligned}{}[r]_1[s]_2=[1]_1[y_1]_2+[v]_1[1]_2 \qquad [r]_1[t]_2=[(\varvec{u},1)]_1\cdot [\varvec{m}]_2+[v]_1[y]_2+b[v]_1[s]_2, \end{aligned}$$
where \(b=0\) for a randomizable signature and \(b=1\) for a strong signature. The idea is that the discrete logarithms of the elements in \([\varvec{u}]_1\) are unknown to the adversary making it hard to change either group element in a previously signed message to get a new message that will verify under the same signature.

Finally, to sign mn group elements in \(\mathbb {G}_2\) instead of m group elements we keep the first verification equation, which does not involve the message, but add \(n-1\) extra verification equations similar to the second verification equation for a vector of group elements described above. This allows us to sign n vectors in parallel. In order to avoid linear combinations of message vectors and signature components being useful in other verification equations, we give each verification equation a separate \([v]_1[y_k]_2\) term, where \(k=1,\ldots ,n\) is the number of the verification equation.

Theorem 1

Fig. 1 gives a structure-preserving combined signature scheme that is C-EUF-CMA secure in the generic group model.

Proof

Perfect correctness, perfect randomizability and structure-preservation follows by inspection. What remains now is to prove that the signature scheme is C-EUF-CMA secure in the generic group model. In the (Type III) generic bilinear group model the adversary may compute new group elements in either source group by taking arbitrary linear combinations of previously seen group elements in the same source group. We shall see that no such linear combination of group elements, viewed as formal Laurent polynomials in the variables picked by the key generator and the signing oracle, yields an existential forgery. It follows along the lines of the Uber assumption of Boneh, Boyen and Goh [BBG05] from the inability to produce forgeries when working with formal Laurent polynomials that the signature scheme is C-EUF-CMA secure in the generic bilinear group model.

Suppose the adversary makes q queries \([M_i]_2\in \mathbb {G}_2^{m\times n}\) to get signatures
$$\begin{aligned}{}[r_i]_1=[\frac{1}{z_i}]_1 \qquad [s_i]_2=[z_i(y_1+v)]_2 \qquad [\varvec{t}_i]_2=[z_i\left( (\varvec{u},1)M_i+v\varvec{y}+b_iz_iv(y_1+v)\right) ]_2, \end{aligned}$$
where \(b_i=0\) if query i is for a randomizable signature and \(b_i=1\) if query i is for a strong signature, and where \(M_i\) may depend on previously seen signature elements in \([s_j]_2,[\varvec{t}_j]_2\) for \(j<i\).
Viewed as Laurent polynomials we have that a signature \(([r]_1,[s]_2,[\varvec{t}]_2)\) generated by the adversary on \([M]\in \mathbb {G}_2^{m\times n}\) is of the form
$$\begin{aligned} r= & {} \rho +v\rho _v+\varvec{u}\varvec{\rho }_{u}^\top +\sum _i\frac{1}{z_i}\rho _{r_i}\\ s= & {} \sigma +\varvec{\sigma }_y \varvec{y}^\top +\sum _j\sigma _{s_j}z_j(y_1+v)+\sum _j\varvec{\sigma }_{t_j}z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jz_jv(y_1+v)\mathbf {1}\right) \\ \varvec{t}= & {} \varvec{\tau }+\varvec{y}T_y+\sum _jz_j(y_1+v)\varvec{\tau }_{s_j}+\sum _jz_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jz_jv(y_1+ v)\mathbf {1}\right) T_{t_j} \end{aligned}$$
Similarly, all mn entries in M can be written on a form similar to s and all entries in queried matrices \(M_i\) can be written on a form similar to s where the sums are bounded by \(j<i\).
For the first verification equation to be satisfied we must have \(rs=y_1+v\), i.e.,
$$\begin{aligned} \left( \begin{array}{l}\,\, \rho +\varvec{u}\varvec{\rho }_{u}^\top \\ +v\rho _v+\sum \nolimits _i\frac{1}{z_i}\rho _{r_i}\end{array}\right) \left( \begin{array}{l}\ \ \sigma +\varvec{\sigma }_y \varvec{y}^\top +\sum \nolimits _j\sigma _{s_j}z_j(y_1+v)\\ +\sum \nolimits _j\varvec{\sigma }_{t_j}z_j\Big ((\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\Big )^\top \end{array}\right) =y_1+v \end{aligned}$$
We start by noting that \(r\ne 0\) since otherwise rs cannot have the term \(y_1\). Please observe that it is only in \(\mathbb {G}_1\) that we have terms including indeterminates with negative power, i.e., \(\frac{1}{z_i}\). In \(\mathbb {G}_2\) all indeterminates have positive power, i.e., so \(s_j,\varvec{t}_j,M_j\) only contain proper multi-variate polynomials. Now suppose for a moment that \(\rho _{r_i}=0\) for all i. Then in order not to have a terms involving \(z_j\)’s in rs we must have \(\sum _j\sigma _{s_j}z_j(y_1+v)+\sum _j\varvec{\sigma }_{t_j}z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) ^\top =0\). The term \(y_1\) now gives us \(\rho \sigma _{y,1}=1\) and the term v gives us \(\rho _v\sigma =1\). This means \(\rho \ne 0\) and \(\sigma \ne 0\) and therefore we reach a contradiction since the constant term should be \(\rho \sigma =0\). We conclude that there must exist some \(\ell \) for which \(\rho _{r_\ell }\ne 0\).

Now we have the term \(\rho _{r_\ell }\sigma \frac{1}{z_\ell }=0\), which shows us \(\sigma =0\). The terms \(\rho _{r_\ell }\sigma _{y,k}\frac{y_k}{z_\ell }=0\) for \(k=1,\ldots ,n\) give us \(\varvec{\sigma }_y=\mathbf {0}\).

The polynomials corresponding to \(s_j\) and \(\varvec{t}_j\) contain the indeterminate \(z_j\) in all terms, so no linear combination of them can give us a term where the indeterminate component is \(vy_k\) for some \(k\in \{1,\ldots ,n\}\). Since \(M_j\) is constructed as a linear combination of elements in the verification key and components in \(\mathbb {G}_2\) from previously seen signatures, it too cannot contain a term where the indeterminate component is \(vy_k\). The coefficient of \(\frac{z_j}{z_\ell }vy_k\) is therefore \(\rho _{r_\ell }\sigma _{t_j,k}=0\) and therefore \(\sigma _{t_j,k}=0\) for every \(j\ne \ell \) and \(k\in \{1,\ldots ,n\}\). This shows \(\varvec{\sigma }_{t_j}=\mathbf {0}\) for all \(j\ne \ell \). Looking at the coefficients for \(vy_k\) for \(k=1,\ldots ,n\) we see that \(\varvec{\sigma }_{t_\ell }=\mathbf {0}\) too.

The terms \(\rho _{r_\ell }\sigma _{s_j}\frac{z_j}{z_l}v\) give us \(\sigma _{s_j}=0\) for all \(j\ne \ell \). In order to get a coefficient of 1 for the term \(y_1\) we see that \(\sigma _{s_\ell }=\frac{1}{\rho _{r_\ell }}\), which is non-zero. Our analysis has now shown that
$$\begin{aligned} s=\frac{1}{\rho _{r_\ell }}z_\ell (y_1+v). \end{aligned}$$
Let us now analyze the structure of r. The term \(\rho _v \sigma _{\ell }v^2z_\ell =0\) gives us \(\rho _v=0\). We know from our previous analysis that if there was a second \(i\ne \ell \) for which \(\rho _{r_i}\ne 0\) then also \(\sigma _{\rho _{\ell }}=0\), which it is not. Therefore for all \(i\ne \ell \) we have \(\rho _{r_i}=0\). The term \(\rho \sigma _{s_\ell }z_\ell y_1\) gives \(\rho =0\). The terms in \(\sigma _{s_\ell }\varvec{u}z_\ell v\varvec{\rho }_u^{\top }\) give us \(\varvec{\rho }_{u}=\mathbf {0}\). Our analysis therefore shows
$$r=\rho _{r_\ell }\frac{1}{z_\ell }.$$
We now turn to the second verification equation, which is \(rt_1=(\varvec{u},1)\varvec{m}^\top +vy_1+bvs\), where \(\varvec{m}^\top \) is the first column vector of M. The message vector is of the form
$$\begin{aligned} \varvec{m}=\begin{array}{l}\ \ \varvec{\mu }+\varvec{y}M_y+\sum \nolimits _j\varvec{\mu }_{s_j}z_j(y_1+v)\\ +\sum \nolimits _jz_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) M_{t_j}\end{array} \end{aligned}$$
where \(\varvec{\mu },M_y\varvec{\mu }_{s_j}\) and \(M_{t_j}\) are suitably sized vectors and matrices with entries in \(\mathbb {Z}_p\) chosen by the adversary. Similarly, we can write out \(t_1=\tau +\varvec{\tau }_y\varvec{y}^\top +\sum _j\tau _{s_j}z_j(y_1+v)+\sum _j\varvec{\tau }_{t_j}z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) \) for elements and suitably sized vectors \(\tau ,\varvec{\tau }_y,\tau _{s_j},\varvec{\tau }_{t_j}\) with entries in \(\mathbb {Z}_p\) chosen by the adversary.
Writing out the second verification equation we have
$$\begin{aligned}&\rho _{r_\ell }\frac{1}{z_\ell }\left( \begin{array}{l}\,\, \tau +\varvec{\tau }_y\varvec{y}^\top +\sum \nolimits _j\tau _{s_j}z_j(y_1+v)\\ +\sum \nolimits _j\varvec{\tau }_{t_j}z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) \end{array}\right) \\= & {} vy_1+bv\left( \frac{1}{\rho _{r_\ell }}z_\ell (y_1+v)\right) \\ {}+ & {} \left( \varvec{u},1\right) \left( \begin{array}{l}\,\, \varvec{\mu }+\varvec{y}M_y+\sum \nolimits _j\varvec{\mu }_{s_j}z_j(y_1+v)\\ +\sum \nolimits _jz_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top \!. \end{aligned}$$
Looking at the coefficients of terms involving \(\frac{1}{z_\ell }\) and \(\frac{y_k}{z_\ell }\) we get \(\tau =0\) and \(\varvec{\tau }_y=\mathbf {0}\). Looking at the terms in \(\rho _{r_\ell }\varvec{\tau }_{t_j}\frac{z_j}{z_\ell }v\varvec{y}\) we get \(\varvec{\tau }_{t_j}=\mathbf {0}\) for all \(j\ne \ell \). Similarly, the terms \(\rho _{r_\ell }\tau _{s_j}\frac{z_j}{z_\ell }v\) give us \(\tau _{s_j}=0\) for all \(j\ne \ell \). We are now left with
$$\begin{aligned}&\rho _{r_\ell }\left( \tau _{s_\ell }(y_1+v)+\varvec{\tau }_{t_\ell }\left( (\varvec{u},1)M_\ell +v\varvec{y}+b_\ell vz_\ell (y_1+v)\mathbf {1}\right) \right) \\= & {} vy_1+bv\frac{1}{\rho _{r_\ell }}z_\ell (y_1+v)\\+ & {} \left( \varvec{u},1\right) \left( \begin{array}{l}\,\, \varvec{\mu }+\varvec{y}M_y+\sum \nolimits _j\varvec{\mu }_{s_j}z_j(y_1+v)\\ +\sum \nolimits _jz_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top \!. \end{aligned}$$
Terms involving \(z_j\) and \(z_j^2\) must cancel out, so we can assume \(\varvec{\mu }_{s_j}=\mathbf {0}\) and \(M_{t_j}=0\) for \(j>\ell \). Since \(M_\ell \) does not involve \(z_\ell \) in any of its terms, we get from the terms in \((\varvec{u},1)z_\ell v\varvec{\mu }_{s_\ell }^\top \) that \(\varvec{\mu }_{s_\ell }=0\). Since there can be no terms involving \(z_\ell ^2\) we get \(b_\ell \mathbf {1}M_{t_\ell }^\top =\mathbf {0}\). Looking at the coefficients for v we get \(\tau _{s_\ell }=0\). This leaves us with
$$\begin{aligned}&\rho _{r_\ell }\varvec{\tau }_{t_\ell }\left( (\varvec{u},1)M_\ell +v\varvec{y}+b_\ell vz_\ell (y_1+v)\mathbf {1}\right) ^\top \\= & {} vy_1+bv\frac{1}{\rho _{r_\ell }}z_\ell (y_1+v) + (\varvec{u},1)z_\ell \left( (\varvec{u},1)M_\ell +v\varvec{y})M_{t_\ell } \right) ^\top \\+ & {} \left( \varvec{u},1\right) \left( \begin{array}{l}\,\, \varvec{\mu }+\varvec{y}M_y+\sum \nolimits _{j<\ell }\varvec{\mu }_{s_j}z_j(y_1+v)\\ +\sum \nolimits _{j<\ell }z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top \!. \end{aligned}$$
Looking at the terms involving \(z_\ell v^2\) we see \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b\frac{1}{\rho _{r_\ell }}\). This cancels out the first two parts involving \(z_\ell \). The only remaining terms involving \(z_\ell \) now give us \(M_{t_\ell }=0\). This gives us
$$\begin{aligned}&\rho _{r_\ell }\varvec{\tau }_{t_\ell }\left( (\varvec{u},1)M_\ell +v\varvec{y}\right) ^\top - \varvec{y}_1\\= & {} \left( \varvec{u},1\right) \left( \begin{array}{l}\,\, \varvec{\mu }+\varvec{y}M_y+\sum \nolimits _{j<\ell }\varvec{\mu }_{s_j}^{(\ell )}z_j(y_1+v)\\ +\sum \nolimits _{j<\ell }z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top \end{aligned}$$
Looking at the terms in \(v\varvec{y}\) we now get \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }=(1,0,\ldots ,0)\). Let the first column vector of \(M_\ell \) be \(\varvec{m}_\ell ^\top \) then we now have
$$\begin{aligned} (\varvec{u},1)\varvec{m}_\ell ^\top =(\varvec{u},1)\varvec{m}^\top \!. \end{aligned}$$
Writing
$$\begin{aligned} \varvec{m}'=\begin{array}{l}\,\, \varvec{m}_\ell -\mathbf {m}=\varvec{\mu }'+\varvec{y}M_y'+\sum \nolimits _{j<\ell }\varvec{\mu }_{s_j}'z_j(y_1+v)\\ +\sum _{j<\ell }z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) M_{t_j}'\end{array} \end{aligned}$$
we now have
$$\begin{aligned} (\varvec{u},1)\left( \begin{array}{l}\,\, \varvec{\mu }'+\varvec{y}M_y'+\sum \nolimits _{j<\ell }\varvec{\mu }_{s_j}'z_j(y_1+v)\\ +\sum \nolimits _{j<\ell }z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+v)\mathbf {1}\right) M_{t_j}'\end{array}\right) ^\top =0. \end{aligned}$$
The terms in \((\varvec{u},1)\varvec{\mu }'^\top \) tell us \(\varvec{\mu }'=\mathbf {0}\). Looking at terms involving \(u_iy_k\) or \(y_k\) gives us \(M_y'=0\). Terms with \(z_j^2\) tell us \(b_j\mathbf {1}M_{t_j}'=\mathbf {0}\) for all j. Terms in \((\varvec{u},1)z_jv\mu _{s_j}'\) tell us \(\mu _{s_j}'=0\) for all j. Finally, terms in \((\varvec{u},1)(v\varvec{y}M_{t_j}')\) give us \(M_{t_j}'=0\).

We have now deduced that \(\varvec{m}'=\mathbf {0}\) and therefore \(\varvec{m}_\ell =\mathbf {m}\). This means the first column in M for which the adversary has produced a signature is a copy of the first column in the queried message \(M_\ell \). Using the same analysis on the last \(n-1\) verification equations gives us that the other \(n-1\) columns also match. This means a generic adversary can only produce valid signatures for previously queried messages, so we have EUF-CMA security.

Finally, let us consider the case where \(b=1\), i.e., we are doing a strong signature verification. We saw earlier that \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) which can only be satisfied if \(b_{\ell }=1\) and \(\rho _{r_\ell }=1\). This means \(s=s_\ell \) and \(r=r_\ell \) and \(M=M_\ell \) and therefore \(\varvec{t}=\varvec{t}_\ell \). So the generic adversary can only satisfy the strong verification equation with \(b=1\) by copying both the message and signature from a previous query with \(b_\ell =1\).

On the other hand, if \(b=0\), i.e., we are verifying a randomizable signature, we see from \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_l\mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) that \(b_\ell =0\). So the adversary has randomized a signature intended for randomization.    \(\square \)

5 Fully Structure-Preserving Combined Signature Scheme

The earlier structure-preserving signature scheme uses knowledge of the discrete logarithms of \([\varvec{u}]_1\) in a fundamental way since \([\varvec{t}]_2\) contains a \(z(\varvec{u},1)[M]_2\) component that could not be computed without these discrete logarithms. This situation is common for all structure-preserving signature schemes for messages that are vectors of group elements. The need to specify such discrete logarithms in the signing key therefore prevents them from being fully structure-preserving.

Abe et al. [AKOT15] get around this problem by only pairing message group elements with signature group elements where the signer knows the discrete logarithms. Inspired by their work, we will let the signer pick \([\varvec{u}]_1\) and include it in the signature.

To make this idea work we first make a minor modification to our signature scheme from before. We include a vector of \(m-1\) group elements \([\varvec{x}]_2\) in the setup and we modify \([s]_2\) to have the form \([s]_2=z([y_1]_2+\varvec{u}\cdot [\varvec{x}]_2+[v]_2)\). The first verification equation then becomes
$$\begin{aligned}{}[r]_1[s]_2=[1]_1[y_1]_2+[\varvec{u}]_1\cdot [\varvec{x}]_2+[v]_1[1]_2. \end{aligned}$$
If this was the only modification we made it is not hard to see that the same security proof we gave earlier will work again, we are only modifying the verification equation by a random constant \([\varvec{u}\cdot \varvec{x}]_T\). The surprising thing though is that the signature scheme remains secure if we let the signer pick the \([\varvec{u}]_1\) part of the verification key herself and include it in the signature.

Letting the signer pick \([\varvec{u}]_1\) as part of the verification key means that she can know their discrete logarithms. Since she also picks \(z\leftarrow \mathbb {Z}_p^*\) herself she can now use linear operations to compute the \(z(\varvec{u},1)[M]_2\) part of \([\varvec{t}]_2\). Furthermore, we have designed the scheme such that the rest can be computed with linear operations as well. To make randomizable signatures the signer just needs to know \([v]_2\) and \([v\varvec{y}]_2\). To make strong signatures she additionally needs to know \([v\varvec{x}]_2\) and \([v^2]_2\).

The resulting fully structure-preserving signature scheme is presented in Fig. 2 and can be used to sign messages consisting of \(N=mn\) group elements in \(\mathbb {G}_2\). It has a verification key size of 1 group elements, a signature size of \(m+n+1\) group elements, and verification involves evaluating \(n+1\) pairing product equations.
Fig. 2.

Fully structure-preserving combined signature scheme. Since they are quite similar we have described the randomizable signature and the strongly unforgable signature algorithms jointly. Setting \(b=0\) gives the algorithms for randomizable signatures and setting \(b=1\) gives the algorithms for strongly unforgeable signatures.

Theorem 2

Fig. 2 gives a fully structure-preserving combined signature scheme that is C-EUF-CMA secure in the generic group model.

Proof

Perfect correctness, perfect randomizability and structure-preservation follows by inspection. The secret key \(sk=([v]_2,[v\varvec{x}]_2,[v\varvec{y}]_2,[v^2]_2)\) consists of \(m+n+1\) group elements and we can verify that it matches the verification key \(vk=[v]_1\) by checking the pairing product equations
$$\begin{aligned}{}[v]_1[1]_2=[1]_1[v]_2 \quad [v]_1[\varvec{x}]_2=[1]_1[v\varvec{x}]_2 \quad [v]_1[\varvec{y}]_2=[1]_1[v\varvec{y}]_2 \quad [v]_1[v]_2=[1]_1[v^2]_2, \end{aligned}$$
so the signature scheme is fully structure preserving.

What remains now is to prove that the signature scheme is C-EUF-CMA secure in the generic group model. In the (Type III) generic bilinear group model the adversary may compute new group elements in either source group by taking arbitrary linear combinations of previously seen group elements in the same source group. We shall see that no such linear combination of group elements, viewed as formal Laurent polynomials in the variables picked by the key generator and the signing oracle, yields an existential forgery. It follows along the lines of the Uber assumption in [BBG05] this that the signature scheme is C-EUF-CMA secure in the generic bilinear group model.

Suppose the adversary makes q queries \([M_i]_2\in \mathbb {G}_2^{m\times n}\) to get signatures
$$\begin{aligned}&[\varvec{u}_i]_1 \qquad [r_i]_1=[\frac{1}{z_i}]_1 \qquad [s_i]_2=[z_i(y_1+\varvec{u}_i\cdot \varvec{x}+v)]_2\\&[\varvec{t}_i]_2=[z_i\left( (\varvec{u}_i,1)M_i+v\varvec{y}+b_iz_iv(y_1+\varvec{u}_i\cdot \varvec{x}+v)\right) ]_2, \end{aligned}$$
where \(b_i=0\) if query i is for a randomizable signature and \(b_i=1\) if query i is for a strong signature, and where \(M_i\) may depend on previously seen signature elements in \([s_j]_2,[\varvec{t}_j]_2\) for \(j<i\).
Viewed as Laurent polynomials we have that a signature \(([\varvec{u}]_1,[r]_1,[s]_2,[\varvec{t}]_2)\) generated by the adversary on \([M]\in \mathbb {G}_2^{m\times n}\) is of the form
$$\begin{aligned} \varvec{u}= & {} \varvec{\alpha }+ v\varvec{\alpha }_v + \sum _i\varvec{u}_i A_i + \sum _i\frac{1}{z_i}\varvec{\alpha }_{r_i}\\ r= & {} \rho +v\rho _v+\sum _i\varvec{u}_i\varvec{\rho }_{u_i}^\top +\sum _i\frac{1}{z_i}\rho _{r_i}\\ s= & {} \sigma +\varvec{\sigma }_x \varvec{x}^\top +\varvec{\sigma }_y \varvec{y}^\top +\sum _j\sigma _{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\+ & {} \sum _j\varvec{\sigma }_{t_j}z_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jz_jv(y_1+\varvec{u}\varvec{x}^\top + v)\mathbf {1}\right) \\ \varvec{t}= & {} \varvec{\tau }+\varvec{x}T_x+\varvec{y}T_y+\sum _jz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\varvec{\tau }_{s_j}\\+ & {} \sum _jz_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jz_jv(y_1+\varvec{u}\varvec{x}^\top + v)\mathbf {1}\right) T_{t_j} \end{aligned}$$
Similarly, all mn entries in M can be written on a form similar to s and all entries in queried matrices \(M_i\) can be written on a form similar to s where the sums are bounded by \(j<i\).
For the first verification equation to be satisfied we must have \(rs=y_1+\varvec{u}\varvec{x}^\top +v\), i.e.,
$$\begin{aligned}&\left( \begin{array}{l}\,\, \rho +\sum \nolimits _i\varvec{u}_i\varvec{\rho }_{u_i}^\top \\ +v\rho _v+\sum \nolimits _i\frac{1}{z_i}\rho _{r_i}\end{array}\right) \cdot \left( \begin{array}{l}\,\,\, \sigma +\varvec{\sigma }_x \varvec{x}^\top +\varvec{\sigma }_y \varvec{y}^\top +\sum \nolimits _j\sigma _{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\ +\sum \nolimits _j\varvec{\sigma }_{t_j}z_j\Big ((\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\Big )^\top \end{array}\right) \\= & {} y_1+\left( \varvec{\alpha }+ v\varvec{\alpha }_v + \sum _i\varvec{u}_i A_i + \sum _i\frac{1}{z_i}\varvec{\alpha }_{r_i}\right) \varvec{x}^\top +v \end{aligned}$$
We start by noting that \(r\ne 0\) since otherwise rs cannot have the term \(y_1\). Please observe that it is only in \(\mathbb {G}_1\) that we have terms including indeterminates with negative power, i.e., \(\frac{1}{z_i}\). In \(\mathbb {G}_2\) all indeterminates have positive power, i.e., so \(s_j,\varvec{t}_j,M_j\) only contain proper multi-variate polynomials. Now suppose for a moment that \(\rho _{r_i}=0\) for all i. Then in order not to have a terms involving \(z_j\)’s in rs we must have
$$\sum _j\sigma _{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^{\top }+v)+\sum _j\varvec{\sigma }_{t_j}z_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) ^\top =0.$$
The term \(y_1\) now gives us \(\rho \sigma _{y,1}=1\) and the term v gives us \(\rho _v\sigma =1\). This means \(\rho \ne 0\) and \(\sigma \ne 0\) and therefore we reach a contradiction since the constant term should be \(\rho \sigma =0\). We conclude that there must exist some \(\ell \) for which \(\rho _{r_\ell }\ne 0\).

Now we have the term \(\rho _{r_\ell }\sigma \frac{1}{z_\ell }=0\), which shows us \(\sigma =0\). The terms \(\rho _{r_\ell }\sigma _{y,k}\frac{y_k}{z_\ell }=0\) for \(k=1,\ldots ,n\) give us \(\varvec{\sigma }_y=\mathbf {0}\).

The polynomials corresponding to \(s_j\) and \(\varvec{t}_j\) contain the indeterminate \(z_j\) in all terms, so no linear combination of them can give us a term where the indeterminate component is \(vy_k\) for some \(k\in \{1,\ldots ,n\}\). Since \(M_j\) is constructed as a linear combination of elements in the verification key and components in \(\mathbb {G}_2\) from previously seen signatures, it too cannot contain a term where the indeterminate component is \(vy_k\). The coefficient of \(\frac{z_j}{z_\ell }vy_k\) is therefore \(\rho _{r_\ell }\sigma _{t_j,k}=0\) and therefore \(\sigma _{t_j,k}=0\) for every \(j\ne \ell \) and \(k\in \{1,\ldots ,n\}\). This shows \(\varvec{\sigma }_{t_j}=\mathbf {0}\) for all \(j\ne \ell \). Looking at the coefficients for \(vy_k\) for \(k=1,\ldots ,n\) we see that \(\varvec{\sigma }_{t_\ell }=\mathbf {0}\) too.

The terms \(\rho _{r_\ell }\sigma _{s_j}\frac{z_j}{z_l}v\) give us \(\sigma _{s_j}=0\) for all \(j\ne \ell \). In order to get a coefficient of 1 for the term \(y_1\) we see that \(\sigma _{s_\ell }=\frac{1}{\rho _{r_\ell }}\), which is non-zero. Our analysis has now shown that
$$\begin{aligned} s=\varvec{\sigma }_x \varvec{x}^\top +\frac{1}{\rho _{r_\ell }}z_\ell (y_1+\varvec{u}_\ell \varvec{x}^\top +v). \end{aligned}$$
Let us now analyze the structure of r. The term \(\rho _v \sigma _{\ell }v^2z_\ell =0\) gives us \(\rho _v=0\). We know from our previous analysis that if there was a second \(i\ne \ell \) for which \(\rho _{r_i}\ne 0\) then also \(\sigma _{\rho _{\ell }}=0\), which it is not. Therefore for all \(i\ne \ell \) we have \(\rho _{r_i}=0\). The term \(\rho \sigma _{s_\ell }z_\ell y_1\) gives \(\rho =0\). The terms in \(\varvec{\rho }_{u_i}\sigma _{s_\ell }\varvec{u}_{i}z_\ell v\) give us \(\varvec{\rho }_{u_i}=\mathbf {0}\) for all i. Our analysis therefore shows
$$r=\rho _{r_\ell }\frac{1}{z_\ell }.$$
Finally, having simplifed r and s analysing the terms in \(\varvec{u}\) gives us
$$\begin{aligned} \varvec{u}=\varvec{u}_\ell +\rho _{r_\ell }\varvec{\sigma }_x \frac{1}{z_\ell }. \end{aligned}$$
We now turn to the second verification equation, which is \(rt_1=(\varvec{u},1)\varvec{m}^\top +vy_1+bvs\), where \(\varvec{m}^\top \) is the first column vector of M. The message vector is of the form
$$\begin{aligned} \varvec{m}=\begin{array}{l}\varvec{\mu }+\varvec{x}M_x+\varvec{y}M_y+\sum \nolimits _j\varvec{\mu }_{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\ +\sum \nolimits _jz_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) M_{t_j}\end{array}, \end{aligned}$$
where \(\varvec{\mu },M_x,M_y\varvec{\mu }_{s_j}\) and \(M_{t_j}\) are suitably sized vectors and matrices with entries in \(\mathbb {Z}_p\) chosen by the adversary. Similarly, we can write out \(t_1=\tau +\varvec{\tau }_x\varvec{x}^\top +\varvec{\tau }_y\varvec{y}^\top +\sum _j\tau _{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)+\sum _j\varvec{\tau }_{t_j}z_j\left( (\varvec{u},1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) \) for elements and suitably sized vectors \(\tau ,\varvec{\tau }_x,\varvec{\tau }_y,\tau _{s_j},\varvec{\tau }_{t_j}\) with entries in \(\mathbb {Z}_p\) chosen by the adversary.
Writing out the second verification equation we have
$$\begin{aligned}&\rho _{r_\ell }\frac{1}{z_\ell }\left( \begin{array}{l}\,\,\, \tau +\varvec{\tau }_x\varvec{x}^\top +\varvec{\tau }_y\varvec{y}^\top +\sum \nolimits _j\tau _{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\ +\sum \nolimits _j\varvec{\tau }_{t_j}z_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) ^\top \end{array}\right) \\= & {} vy_1+bv\left( \varvec{\sigma }_x \varvec{x}^\top +\frac{1}{\rho _{r_\ell }}z_\ell (y_1+\varvec{u}_\ell \varvec{x}^\top +v)\right) \\+ & {} \left( \varvec{u}_\ell +\rho _{r_\ell }\varvec{\sigma }_x \frac{1}{z_\ell },1\right) \left( \begin{array}{l}\,\,\, \varvec{\mu }+\varvec{x}M_x+\varvec{y}M_y+\sum \nolimits _j\varvec{\mu }_{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\ +\sum \nolimits _jz_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top . \end{aligned}$$
Looking at the coefficients of terms involving \(\frac{1}{z_\ell }\) we get the following equalities for all \(j\ne \ell \): \(\tau =\varvec{\sigma }_x \mu ^\top \ (\frac{1}{z_\ell })\), \(\varvec{\tau }_x=\varvec{\sigma }_xM_x^\top \ (\frac{x_k}{z_\ell })\), \(\varvec{\tau }_y=\varvec{\sigma }_x M_y^\top \ (\frac{y_k}{z_\ell })\), \(\tau _{s_j}=\varvec{\sigma }_x\varvec{\mu }_{s_j}^\top \ (\frac{vz_j}{z_\ell })\), \(\varvec{\tau }_{t_j}=\varvec{\sigma }_x T_{t_j}^\top \ (\frac{vy_kz_j}{z_\ell })\). Cancelling out these terms we are left with
$$\begin{aligned}&\rho _{r_\ell }\left( \tau _{s_\ell }(y_1+\varvec{u}_\ell \varvec{x}^\top +v)+\varvec{\tau }_{t_\ell }\left( (\varvec{u}_\ell ,1)M_\ell +v\varvec{y}+b_\ell vz_\ell (y_1+\varvec{u}_\ell \varvec{x}^\top +v)\mathbf {1}\right) ^\top \right) \\= & {} vy_1+bv\left( \varvec{\sigma }_x \varvec{x}^\top +\frac{1}{\rho _{r_\ell }}z_\ell (y_1+\varvec{u}_\ell \varvec{x}^\top +v)\right) \\+ & {} \rho _{r_\ell }\varvec{\sigma }_x \left( \varvec{\mu }_{s_\ell }(y_1+\varvec{u}_\ell \varvec{x}^\top +v)+\left( (\varvec{u}_\ell ,1)M_\ell +v\varvec{y}+b_\ell vz_\ell (y_1+\varvec{u}_\ell \varvec{x}^\top +v)\mathbf {1}\right) M_{t_\ell }\right) ^\top \\+ & {} \left( \varvec{u}_\ell ,1\right) \left( \begin{array}{l}\,\, \varvec{\mu }+\varvec{x}M_x+\varvec{y}M_y+\sum \nolimits _j\varvec{\mu }_{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\ +\sum \nolimits _jz_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top . \end{aligned}$$
Terms involving \(z_j\) and \(z_j^2\) must cancel out, so we can assume \(\mu _{s_j}=\mathbf {0}\) and \(M_{t_j}=0\) for \(j>\ell \). Since \(M_\ell \) does not involve \(z_\ell \) in any of its terms, we get from the terms in \((\varvec{u}_\ell ,1)z_\ell v\mu _{s_\ell }^\top \) that \(\varvec{\mu }_{s_\ell }=0\). Since there can be no terms involving \(z_\ell ^2\) we get \(b_\ell \mathbf {1}M_{t_\ell }^\top =\mathbf {0}\). Looking at the coefficients for v we get \(\tau _{s_\ell }=\varvec{\sigma }_x\varvec{\mu }_{s_\ell }\). This leaves us with
$$\begin{aligned}&\rho _{r_\ell }\varvec{\tau }_{t_\ell }\left( (\varvec{u}_\ell ,1)M_\ell +v\varvec{y}+b_\ell vz_\ell (y_1+\varvec{u}_\ell \varvec{x}^\top +v)\mathbf {1}\right) ^\top \\= & {} vy_1+bv\left( \varvec{\sigma }_x \varvec{x}^\top +\frac{1}{\rho _{r_\ell }}z_\ell (y_1+\varvec{u}_\ell \varvec{x}^\top +v)\right) \\+ & {} \rho _{r_\ell }\varvec{\sigma }_x \left( \left( (\varvec{u}_\ell ,1)M_\ell +v\varvec{y}\right) M_{t_\ell }\right) ^\top \\+ & {} \left( \varvec{u}_\ell ,1\right) \left( \begin{array}{l}\,\, \varvec{\mu }+\varvec{x}M_x+\varvec{y}M_y+\sum \nolimits _{j<\ell }\varvec{\mu }_{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\ +\sum \nolimits _{j<\ell }z_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top \\+ & {} (\varvec{u}_\ell ,1)z_\ell \left( (\varvec{u}_\ell ,1)M_\ell +v\varvec{y})M_{t_\ell } \right) ^\top . \end{aligned}$$
Looking at the terms involving \(z_\ell v^2\) we see \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b\frac{1}{\rho _{r_\ell }}\). The only remaining terms involving \(z_\ell \) now give us \(M_{t_\ell }=0\). This gives us
$$\begin{aligned}&\rho _{r_\ell }\varvec{\tau }_{t_\ell }\left( (\varvec{u}_\ell ,1)M_\ell +v\varvec{y}\right) ^\top \\= & {} vy_1+bv\varvec{\sigma }_x \varvec{x}^\top \\+ & {} \left( \varvec{u}_\ell ,1\right) \left( \begin{array}{l}\,\,\, \varvec{\mu }+\varvec{x}M_x+\varvec{y}M_y+\sum \nolimits _{j<\ell }\varvec{\mu }_{s_j}z_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\\ +\sum \nolimits _{j<\ell }z_j\left( (\varvec{u}_j,1)M_j+v\varvec{y}+b_jvz_j(y_1+\varvec{u}_j\varvec{x}^\top +v)\mathbf {1}\right) M_{t_j}\end{array}\right) ^\top \end{aligned}$$
Looking at the terms in \(v\varvec{y}\) we now get \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }=(1,0,\ldots ,0)\). This means \((\varvec{u}_\ell ,1)\varvec{m}_\ell ^\top =b\varvec{\sigma }_x\varvec{x}^\top +(\varvec{u}_\ell ,1)\varvec{m}^\top \), where \(\varvec{m}_{\ell }^\top \) is the first column of \(M_\ell \). Looking at the coefficients of \(vx_k\) we see that if \(b\varvec{\sigma }_x=\mathbf {0}\). Since \(\varvec{m}_\ell \) and \(\varvec{m}\) are independent of \(\varvec{u}_\ell \) this means \(\varvec{m}=\mathbf {m}_\ell \).

A similar argument can applied to the remaining \(n-1\) verification equations showing us that in all columns M and \(M_{\ell }\) match. This means \(M=M_{\ell }\), so the signature scheme is existentially unforgeable both for randomizable signatures and strong signatures.

Finally, let us consider the case where \(b=1\), i.e., we are doing a strong signature verification. We have already seen that \(b\varvec{\sigma }_x=\mathbf {0}\) so when \(b=1\) this means \(\varvec{\sigma }_x=\mathbf {0}\). Since \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_\ell \mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) we see that \(b_{\ell }=1\) and \(\rho _{r_\ell }=1\). This means \(s=s_\ell \) and \(r=r_\ell \) and \(\varvec{u}=\varvec{u}_\ell \) and \(M=M_\ell \) and therefore \(\varvec{t}=\varvec{t}_\ell \). So the generic adversary can only satisfy the strong verification equation with \(b=1\) by copying both the message and signature from a previous query with \(b_\ell =1\).

On the other hand, if we have \(b=0\), i.e., we are verifying a randomizable signature, we see from \(\rho _{r_\ell }\varvec{\tau }_{t_\ell }b_l\mathbf {1}^\top =b_\ell =b\frac{1}{\rho _{r_\ell }}\) that \(b_\ell =0\). So the adversary has randomized a signature intended for randomization.    \(\square \)

Notes

Acknowledgment

We thank Masayuki Abe, Markulf Kohlweiss, Miyako Ohkubo and Mehdi Tibouchi for their comments and sharing an early version of [AKOT15] with us.

References

  1. [ACD+12]
    Abe, M., Chase, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Constant-size structure-preserving signatures: generic constructions and simple assumptions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 4–24. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  2. [ADK+13]
    Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  3. [AFG+10]
    Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. [AGHO11]
    Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  5. [AGO11]
    Abe, M., Groth, J., Ohkubo, M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 628–646. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  6. [AGOT14]
    Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Unified, minimal and selectively randomizable structure-preserving signatures. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 688–712. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  7. [AHO12]
    Abe, M., Haralambiev, K., Ohkubo, M.: Group to group commitments do not shrink. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 301–317. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  8. [AKOT15]
    Abe, M., Kohlweiss, M., Ohkubo, M., Tibouchi, M.: Fully structure-preserving signatures and shrinking commitments. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 35–65. Springer, Heidelberg (2015)Google Scholar
  9. [ALP12]
    Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  10. [ALP13]
    Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 386–404. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. [BBG05]
    Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. Cryptology ePrint Archive, Report 2005/015 (2005)Google Scholar
  12. [BCPW15]
    Benhamouda, F., Couteau, G., Pointcheval, D., Wee, H.: Implicit zero-knowledge arguments and applications to the malicious setting. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 107–129. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  13. [CDEN12]
    Camenisch, J., Dubovitskaya, M., Enderlein, R.R., Neven, G.: Oblivious transfer with hidden access control from attribute-based encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 559–579. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  14. [CKLM12]
    Chase, M., Kohlweiss, M., Lysyanskaya, A., Meiklejohn, S.: Malleable proof systems and applications. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 281–300. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. [CM15]
    Chatterjee, S., Menezes, A.: Type 2 structure-preserving signature schemes revisited. In: ASIACRYPT (2015)Google Scholar
  16. [EHK+13]
    Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. [ElG85]
    ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theor. 31(4), 469–472 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
  18. [Fuc11]
    Fuchsbauer, G.: Commuting signatures and verifiable encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 224–245. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. [FV10]
    Fuchsbauer, G., Vergnaud, D.: Fair blind signatures without random oracles. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 16–33. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  20. [GH08]
    Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 179–197. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. [GPS08]
    Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  22. [Gro06]
    Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  23. [GS12]
    Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
  24. [HJ12]
    Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  25. [LPJY13]
    Libert, B., Peters, T., Joye, M., Yung, M.: Linearly homomorphic structure-preserving signatures and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 289–307. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  26. [LPY12]
    Libert, B., Peters, T., Yung, M.: Group signatures with almost-for-free revocation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 571–589. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  27. [LPY15]
    Libert, B., Peters, T., Yung, M.: Short group signatures via structure-preserving signatures: standard model security from simple assumptions. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 296–316. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  28. [Nec94]
    Nechaev, V.I.: Complexity of a determinate algorithm for the discrete logarithm. Mat. Zametki 55(2), 91–101 (1994)MathSciNetzbMATHGoogle Scholar
  29. [Sho97]
    Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  30. [ZLG12]
    Zhang, J., Li, Z., Guo, H.: Anonymous transferable conditional E-cash. In: Keromytis, A.D., Di Pietro, R. (eds.) SecureComm 2012. LNICST, vol. 106, pp. 45–60. Springer, Heidelberg (2013)CrossRefGoogle Scholar

Copyright information

© International Association for Cryptologc Research 2015

Authors and Affiliations

  1. 1.University College LondonLondonUK

Personalised recommendations