Algebraic partitioning: Fully compact and (almost) tightly secure cryptography


1 Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a popular way to prove the securty of a cryptographc scheme. For nstance, to prove the securty of a sgnature scheme, a parttonng argument could dvde the set of messages nto sgnable messages for whch a sgnature can be smulated durng the proof, and unsgnable ones for whch any sgnature would allow to solve a computatonal problem. Durng the securty proof, we would then hope that an adversary only requests sgnatures for sgnable messages, and later forges a sgnature for an unsgnable one. In ths work, we develop a new class of parttonng arguments from smple assumptons. Unlke prevous parttonng strateges, ours s based upon an algebrac property of the parttoned elements (e.g., the sgned messages), and not on ther bt structure. Ths allows to perform the parttonng effcently n a hdden way, such that already a sngle slot for a parttonng operaton n the scheme can be used to mplement many dfferent parttonngs sequentally, one after the other. As a consequence, we can construct complex parttonngs out of smple basc (but algebrac) parttonngs n a very space-effcent way. As a demonstraton of our technque, we provde the frst sgnature and publc-key encrypton schemes that acheve the followng propertes smultaneously: they are (almost) tghtly secure under a smple assumpton, and they are fully compact (n the sense that parameters, keys, and sgnatures, resp. cphertexts only comprse a constant number of group elements). Keywords. Parttonng arguments, tght securty proofs, dgtal sgnatures, publc-key encrypton. Karlsruhe Insttute of Technology, Denns.Hofhenz@kt.edu

2 1 Introducton Parttonng arguments. Many securty reductons rely on a parttonng argument. Informally, a parttonng argument dvdes the parts of a large system nto those parts that are under the control of the smulaton, and those parts nto whch a computatonal challenge can be embedded. For nstance, a parttonng argument for a sgnature scheme could dvde the set of message nto sgnable messages (for whch a sgnature can be generated by the securty reducton), and unsgnable messages (for whch any sgnature would solve an underlyng problem). Durng the securty reducton, we hope that an adversary only asks for the sgnatures of sgnable messages, but forges a sgnature for an unsgnable one. Parttonng arguments are a popular means for provng the securty of sgnature schemes (e.g., [35, 17, 38, 29]), dentty-based encypton schemes (e.g., [10, 9, 38, 14]), or tghtly secure cryptosystems (e.g., [15, 6, 32]). The complexty of bt-based parttonng. All of the above works (except for [17, 10], whch use a programmable random oracle to mplement a parttonng) partton messages or denttes accordng to ther bt representaton. For nstance, n the sgnature scheme from [29], messages are sgnable precsely f they do not start wth a partcular bt prefx. Ths non-algebrac approach requres a certan preparaton n the scheme tself: already the scheme must establsh certan dstnctons of messages based on ther bt representaton. For nstance, the sgnature scheme of [38] uses a hash functon of the form H(M) = h 0 j h j,m j, where M j are the bts of the sgned message M, and h 0 and the h j,b are publc group elements. Ths leads to comparatvely large publc parameters or keys, n partcular because all potental dstnctons (based on the values of the M j ) are already present n the scheme. Our contrbuton. In ths work, we develop an entrely dfferent parttonng approach: nstead of parttonng based on the bt representaton, we partton accordng to a smple algebrac predcate. 
Namely, we vew a message M as above as a Z p -element, and consder varous Legendre symbols L j = ( f j (M)) p for dfferent affne functons fj. Taken together, suffcently many L j unquely determne M, but the computaton of each L j can be encoded as a seres of Z p -operatons. 1 Intutvely, ths algebrac property allows to nternalze and hde the computatons of the L j, e.g., by hdng the f j nsde a homomorphc commtment. As a consequence, only one unversal parttonng (accordng to a sngle L j ) needs to be performed n the scheme tself; n the analyss, several smple parttonngs can then be mplemented sequentally, by varyng the f j. Comparson wth prevous parttonng technques. Compared to prevous, bt-based parttonng approaches, our new strategy has the advantage that t smultaneously leads to compact schemes and to a tght securty reducton. Prevous parttonng strateges were ether based on more complex parttonngs (such as [35, 9, 38, 29]) that lead to a non-tght securty reducton, or on a sequence of smple bt-based parttonngs (such as [15, 6, 32]) that lead to large publc parameters or keys. In contrast, we support many smple algebrac parttonngs (and thus a tght securty reducton), but we occupy only one parttonng slot n the publc parameters. Ths leads to tghtly secure and very compact applcatons, as we wll detal next. Applcatons. Specfcally, we demonstrate the usefulness of our parttonng technque by descrbng the frst (almost) tghtly secure sgnature and PKE schemes that are fully compact, n the sense that parameters, keys, and sgnatures (resp. cphertexts) only contan a constant number of group elements. Our securty reducton loses only a factor of O(k), where k s the securty parameter. In partcular, our securty reducton does not degrade n the number of 1 Techncally, we wll not even need to explctly compute L j, but only prove that L j = 1. Ths s possble usng a quadratc equaton over Z p. 1

3 users or sgnatures, resp. cphertexts. The securty of our schemes s based upon the Decsonal Dffe-Hellman (DDH) assumpton n both premage groups of a parng. (Ths assumpton s also called Symmetrc External Dffe-Hellman or SXDH.) Tables 1 and 2 gve a more detaled comparson wth exstng schemes. In the followng, we gve more detals on our technques and results. To do so, we start wth a lttle background concernng our applcatons. Tght securty reductons. To argue for the securty of a gven cryptographc scheme S, we usually employ a securty reducton. That s, we try to argue that every hypothetcal adversary A S on S can be converted nto an adversary A P on an allegedly hard computatonal problem P. In that sense, the only way to break S s to solve P. Of course, we are mostly nterested n reductons to well-nvestgated problems P. Furthermore, there are reasons to consder the tghtness of the reducton: a tght reducton guarantees that A P s success ε P n solvng P (n a reasonable metrc) s about the same as A S s success ε S n attackng S. To explan the mpact of a (non-)tght reducton n more detal, consder a publc-key encrypton (PKE) scheme S that s deployed n a many-user envronment. In ths settng, an adversary A S on S may observe, say, n C cphertexts generated for each of the, say, n U users. Most known securty reductons n ths settng are non-tght, n the sense that ε P ε S n U n C. As a consequence, keylength recommendatons should also take n U and n C nto account; no unversal keylength recommendaton can be gven for such a scheme. Ths s partcularly problematc n settngs that grow sgnfcantly beyond ntal expectatons. Tghtly secure encrypton and sgnature schemes. The constructon of tghtly secure cryptographc schemes appears to be a nontrval task. For nstance, although already explctly consdered n 2000 [3], tghtly secure PKE schemes have only been constructed very recently [28, 2, 15, 6, 32]. 
2,3 Moreover, the schemes from [28, 2] have rather large cphertexts, and the schemes nduced by [15, 6] and from [32] requre large parameters (but offer small keys and cphertexts). The stuaton for tghtly secure sgnature schemes s somewhat brghter, but results are stll lmted. There are effcent sgnature schemes that are tghtly secure under q-type [8, 16, 36] or nteractve [21] assumptons, or n the random oracle model [24, 5, 30]. There are also more recent and somewhat less effcent schemes tghtly secure under smple 4 assumptons [12, 28, 15, 6, 32] (see also [1, 2]). Some of these latter schemes can even be converted nto tghtly secure PKE schemes; however, all of the schemes [12, 28, 2, 15, 6, 32] suffer from asymptotcally large parameters, keys, or sgnatures (resp. cphertexts). The scheme of Chen and Wee. Our techncal deas are best presented wth our sgnature scheme. At a very hgh level, we follow the strategy of Chen and Wee [15] (see also [6]), where we nterpret ther IBE scheme as a sgnature scheme usng Naor s trck [11]. In ther scheme, sgnatures are of the form ( n σ = h 0, sgk h,m ), (1) where sgk s the secret key, M = (M ) n =1 {0, 1}n s the bt representaton of the sgned message, and h 0, (h,0, h,1 ) n =1 are group elements chosen from a jont publc dstrbuton.5 2 Actually, [15, 6] construct tghtly secure dentty-based encrypton (IBE) schemes. However, those IBE schemes can be vewed as tghtly secure sgnature schemes (usng Naor s trck [11]), and then converted nto tghtly secure PKE schemes usng the transformaton from [28]. In fact, the PKE scheme of [32] can be vewed as a (modfed and hghly optmzed) converson of the IBE scheme from [15]. 3 We note that earler PKE schemes acheve at least a certan form of tght securty under q-type assumptons [22, 23, 27], or n the random oracle model [20, 13, 7]. 
4 Wth a smple assumpton, we mean one n whch the adversary gets a challenge whose sze only depends on the securty parameter, and s then supposed to output a unque soluton wthout further nteracton. Examples of smple assumptons are DLOG, DDH, d-lin, or RSA, but not, say, Strong Dffe-Hellman [8] or q-abdhe [22]. 5 We note that although ther scheme can be vewed as a generalzaton of Waters sgnatures [38], ther analyss =1 2

4 Scheme parameters verfcaton key sgnature reducton loss assumpton BMS03 [12] 0 k + 3 k + 1 O(k) CDH HJ12 [28] k + 22 O(1) DLIN CW13 [15] 2d 2 (2n + 1) d 4d O(k) d-lin BKP14 [6] d d 2 (2n + 1) 2d + 1 O(k) D d -MDDH LJYP14 [32] 0 O(d 2 n) 2d + 1 O(k) d-lin Ths work O(k) DDH Table 1: Comparson of dfferent (at least almost) tghtly EUF-CMA secure sgnature schemes from smple 4 assumptons n parng-frendly groups. The parameters, verfcaton key, and sgnature columns denote space complexty, measured n group elements. The reducton loss column denotes the (multplcatve) loss of the securty reducton to the respectve assumpton. For the schemes from [15, 6], we assume the sgnature scheme nduced by the presented IBE scheme. Furthermore, n = Θ(k) denotes the btlength of the sgned message (f the sgned message s a btstrng and not a group element or an exponent). We note that [32] menton that ther scheme can be generalzed to the d-lin assumpton (ncludng 1-LIN=DDH). However, snce they only gve explct complextes for the arsng sgnatures (dentcal to the ones from [6]), we restrct to ther DLIN-based scheme. Fnally, we remark that all of these schemes (except for [12]) mply tghtly secure PKE schemes (cf. Table 2). Scheme parameters publc key cphertext reducton loss assumpton HJ12 [28] O(1) O(1) O(k) O(1) DLIN AKDNO13 [2] O(1) O(1) O(k) O(1) DLIN CW13 [15] O(d 2 k) O(d) O(d) O(k) d-lin BKP14 [6] O(d) O(d 2 k) O(d) O(k) D d -MDDH LJYP14 [32] O(1) O(d 2 k) O(d) O(k) d-lin LJYP14 [32] 3 24k O(k) DLIN Ths work O(k) DDH Table 2: Comparson of dfferent (at least almost) tghtly IND-CCA secure PKE schemes from smple 4 assumptons. As n Table 1, the parameters, publc key, and cphertext columns denote space complexty, measured n group elements, and the reducton loss column denotes the (multplcatve) loss of the securty reducton to the respectve assumpton. For the schemes from [15, 6], we assume the PKE scheme nduced by the respectve sgnature scheme when gong through the constructon of [28]. 
We note that [32] only descrbe a symmetrc-parng verson of ther scheme, so ther DDH-based scheme s not explct. However, we expect that ther DDH-based scheme has slghtly more compact cphertexts than ours. Durng ther proof of exstental unforgeablty (EUF-CMA securty), Chen and Wee gradually modfy sgnatures generated by the securty experment for an adversary A. Ths s done va a small hybrd argument over the bt ndces of messages, and thus yelds a securty proof that loses a factor of O(n). Concretely, n the -th hybrd, generated sgnatures are of the form σ = (h 0, sgk M1,...,M n j=1 h j,m j ), where sgk M1,...,M = R(M 1,..., M ) for a truly random functon R. Smlarly, a forged message-sgnature par (M, σ ) from A s only consdered vald f t s consstent wth sgk M 1,...,M (nstead of sgk). In other words, n the -th hybrd, the secret key used n sgnatures depends on the frst bts of the sgned message. Thus, the dfference between the ( 1)-th and the -th hybrd s an addtonal dependency of used secret keys on the -th message bt M. To progress from hybrd 1 to hybrd, Chen and Wee frst partton the message space n two halves (accordng to M ). Then, usng an elaborate argument, they consstently modfy the secret keys used for messages from one half, and thus essentally decouple those keys from the keys used for messages from the other half. Ths creates an addtonal dependency on M. After n = M such steps, each sgnature uses a dfferent secret key (up to multple sgnatures of the same message). In partcular, A gets no nformaton about the secret key sgk M 1,...,M used to verfy ts own forgery, and exstental n unforgeablty follows. We would lke to hghlght the parttonng character of ther analyss: n ther proof, Chen s entrely dfferent. Also, we omt here certan subtletes regardng the used dstrbutons of group elements. 3

5 and Wee ntroduce more and more dependences of sgnatures on the correspondng messages, and each such dependency s based upon a dfferent parttonng of the message space. 6 Now observe that already regular sgnatures (as n (1)) feature dstnctons based on all bts of M. These dstnctons provde the techncal tool to ntroduce dependences n the securty proof. However, as a consequence, rather complex jont dstrbutons need to be sampled durng sgnature generaton, whch results n publc parameters of O(n) group elements. Algebrac parttonng. In a nutshell, our man techncal tool s a new way to partton the message space of a sgnature scheme. We call ths tool algebrac parttonng. Concretely, a sgnature for a message M Z p n our scheme conssts essentally of an encrypton of the secret key X, along wth a consstency proof: σ = ( C = Enc(pk, X), π ). (2) The correspondng encrypton key pk s part of the verfcaton key vk, and the consstency proof π proves the followng statement: Ether C encrypts the secret key X, or f(m) Z p s a quadratc resdue (or both). Here, p s the order of the underlyng group, and f : Z p Z p s an affne functon fxed (but hdden) n the verfcaton key. Implctly, ths provdes a sngle parttonng of messages nto those for whch f(m) s a quadratc resdue, and those for whch f(m) s not. However, snce f s hdden, many parttonngs can be nduced (one after the other) by varyng f durng a proof. In fact, durng the securty proof, ths parttonng wll fulfll the same role as the bt-based parttonng n the analyss of Chen and Wee. In partcular, t wll help to ntroduce addtonal dependences of the sgnature on the message. More specfcally, n the -th hybrd of the securty proof, C wll not encrypt X, but a value X M that depends on the Legendre symbols ( fj (M) p ) for randomly chosen (but fxed) affne functons f1,..., f. 
Each new such dependency s ntroduced by frst refreshng the affne functon f hdden n vk, and then modfyng all values encrypted n sgnatures whenever possble (.e., whenever f(m) s a quadratc resdue). 7 Observe that the sngle explct parttonng n regular sgnatures s used several tmes (for dfferent f j ) to ntroduce many dependences of sgnatures on messages n the proof. The remanng strategy can then be mplemented as n [15]. Our dfferent strategy to partton the message space results n a very compact scheme. Namely, snce only one explct parttonng step s performed n the scheme, parameters, keys, and sgnatures comprse only a constant number of group elements. Specfcally, parameters, keys, and sgnatures contan 14, 6, and 25 group elements, respectvely. Besdes, our scheme s compatble wth Groth-Saha proofs [26]. Hence, when used n the constructon of [28], we mmedately get the frst compact (n the above sense) PKE scheme that s tghtly IND-CCA secure under a smple assumpton. 8 Dfferent perspectve: our scheme as a MAC. So far our hgh-level dscusson can be equally used to justfy a smlar message authentcaton code (MAC), n whch verfcaton s nonpublc. Such a MAC can then be converted nto a sgnature scheme, e.g., usng the technque of Bellare and Goldwasser [4]. 9 One could hope that ths yelds a more modular constructon, 6 We note that a smlar technque has also been used n the context of pseudorandom functons [25, 33]. 7 Ths neglects a number of detals. For nstance, n the somewhat smplfed scheme above, π always tes the cphertexts n sgnatures for quadratc non-resdues f(m) to a sngle value X. In our actual proof, we wll thus smulate a part of π, such that the encrypted values can be decoupled from the orgnal secret key X. 8 Actually, pluggng our scheme drectly nto the constructon of [28] yelds an asymptotcally compact, but not very effcent scheme. 
Thus, we provde a more drect and effcent explct PKE constructon wth parameters, publc keys, and cphertexts comprsed of 15, 2, and 60 group elements, respectvely. 9 In a sgnature scheme derved usng the converson of Bellare and Goldwasser, the verfcaton key contans an encrypton of the MAC secret key. A sgnature for a message M then conssts of a MAC tag τ for M, along wth a non-nteractve zero-knowledge proof that τ s vald relatve to the encrypted MAC key. 4

6 possbly wth a MAC as a smpler basc buldng block. (In partcular, ths approach was suggested by a revewer.) In ths work, we stll present our dea drectly n terms of a sgnature scheme. One reason s that a MAC followng the strategy descrbed above would actually not be sgnfcantly less complex than a full sgnature scheme. In partcular, already a MAC would requre Groth- Saha proofs. Moreover, a modular approach n the sprt of [4] would requre algebracally compatble buldng blocks (to allow for an effcent and tghtly secure overall scheme), and would seem to lead to a more complex presentaton. Open problems. Besdes of course obtanng more effcent (and compact) schemes, t would be nterestng to apply smlar deas n the dentty-based settng. Specfcally, currently there s no fully compact dentty-based encrypton (IBE) scheme whose securty can be tghtly based on a standard assumpton. 10 However, t s not obvous how to use algebrac parttonng n the dentty-based settng. Specfcally, t s not clear how to derve functonalty from vald sgnature proofs, n the followng sense. Namely, frst note that IBE schemes can be nterpreted as sgnature schemes, n a sense noted by Naor (cf. [11]): IBE user secret keys for an dentty M correspond to sgnatures for message M, and verfcaton smply checks whether the alleged sgnature works as a decrypton key for dentty M. It s natural to use the same nterpretaton to try to upgrade a sgnature scheme to an IBE scheme. For ths strategy, however, one must fnd a way to make a sgnature σ act as a decrypton trapdoor, and thus to derve functonalty from σ (as opposed to just check σ for valdty). In common dscrete-log-based IBE schemes, ths functonalty property s acheved by the fact that a parng operaton s used to par IBE user secret keys wth cphertext elements. The result of ths parng operaton s then a common secret that s shared between encryptor and decryptor. 
Our strategy, however, crucally uses quadratc Z p -equatons n sgnatures (to mplement the algebrac parttonng of messages). In partcular, our sgnature scheme uses a parng operaton already to mplement these quadratc equatons (even though sgnatures n our scheme consst solely of group elements n the source group of the parng). As a consequence, the parng operaton cannot be used anymore to derve a common secret shared wth the encryptor. Hence, at least a straghtforward way to turn our sgnature scheme nto an IBE scheme fals. 11 Roadmap. After recallng some basc defntons, we present our sgnature scheme n Secton 3. In Secton 4, we gve a drect constructon of a PKE scheme derved from our sgnature scheme. In Appendx A, we gve more detals on the exact Groth-Saha equatons arsng from the consstency proofs of sgnatures and cphertexts. In Appendx B, we provde addtonal llustratons for the proof of our sgnature scheme. Acknowledgements. The author would lke to thank Eke Kltz, Jula Hesse, Wll Geselmann, and the anonymous revewers for helpful feedback. 2 Prelmnares Notaton. Throughout the paper, k N denotes the securty parameter. For n N, let [n] := {1,..., n}. For a fnte set S, we denote wth s S the process of samplng s unformly from S. For a probablstc algorthm A, we denote wth y A(x; R) the process of runnng A on nput x and wth randomness R, and assgnng y the result. We wrte y A(x) for 10 The schemes of [22, 23] are tghtly secure and fully compact, but rely on a nonstandard (q-type) assumpton. On the other hand, IBE schemes obtaned through the dual systems technque (e.g., [37, 31]) are compact and secure under standard assumptons, but not known to be tghtly secure. 11 We realze that ths explanaton s somewhat techncal and may not seem very compellng. We wsh we had a better one. 5

7 y A(x; R) wth unformly chosen R, and we wrte A(x) = y for the event that A(x; R) (for unform R) outputs y. If A s runnng tme s polynomal n k, then A s called probablstc polynomal-tme (PPT). A functon f : N R s neglgble f t vanshes faster than the nverse of any polynomal (.e., f c k 0 k k 0 : f(x) 1/k c ). Collson-resstant hashng. A hash functon generator s a PPT algorthm H that, on nput 1 k, outputs (the descrpton of) an effcently computable functon H : {0, 1} {0, 1} k. Defnton 2.1 (Collson-resstance). We say that a hash functon generator H outputs collsonresstant functons H (or, when the reference to H s clear, that such an H s collson-resstant), f [ ] Adv cr H,A(k) = Pr x x H(x) = H(x ) H H(1 k ), (x, x ) A(1 k, H) s neglgble for every PPT adversary A. Sgnature schemes. A sgnature scheme SIG conssts of four PPT algorthms SPars, SGen, Sg, Ver. Parameter generaton SPars(1 k ) outputs publc parameters spp that are shared among all users. Key generaton SGen(spp) takes publc parameters spp, and outputs a verfcaton key vk and a sgnng key sgk. The sgnature algorthm Sg(spp, sgk, M) takes publc parameters spp, a sgnng key sgk, and a message M, and outputs a sgnature σ. Verfcaton Ver(spp, vk, M, σ) takes publc parameters spp, a verfcaton key vk, a message M, and a potental sgnature σ, and outputs a verdct b {0, 1}. For correctness, we requre that 1 Ver(spp, vk, M, σ) = 1 always and for all M, all (vk, sgk) SGen(1 k ), and all σ Sg(spp, sgk, M). For the sake of readablty, we wll omt the publc parameters spp from nvocatons of Sg and Ver when the reference s clear. Defnton 2.2 (Mult-user (one-tme) exstental unforgeablty). Let SIG be a sgnature scheme as above, and consder the followng experment for an adversary A: 1. A specfes (n unary) the number n U N of desred scheme nstances. 2. The experment then samples parameters spp SPars(1 k ) as well as n U keypars (vk (l), sgk (l) ) SGen(spp). 3. 
A s nvoked on nput (1 k, spp, (vk (l) ) n U l=1 ), and gets access to sgnng oracles Sg(sgk (l), ) for all l [n U ]. Fnally, A outputs an ndex l [n U ] and a potental forgery (M, σ ). 4. A wns ff Ver(vk (l ), M, σ ) = 1 and M has not been quered to Sg(sgk (l ), ). Let Adv euf-mcma SIG,A (k) denote the probablty that A wns n the above experment. We say that SIG s exstentally unforgeable under chosen-message attacks n the mult-user settng (EUF-mCMA secure) ff Adv euf-mcma SIG,A (k) s neglgble for every PPT A. Let Adv ot-euf-mcma SIG,A (k) be the probablty that A wns n the slghtly modfed experment n whch only one Sg-query to each scheme nstance l s allowed. We say that SIG s exstentally unforgeable under one-tme chosen-message attacks n the mult-user settng (OT-EUF-mCMA secure) ff Adv ot-euf-mcma SIG,A (k) s neglgble for every PPT A. Publc-key encrypton schemes. A publc-key encrypton (PKE) scheme PKE conssts of four PPT algorthms (EPars, EGen, Enc, Dec). The parameter generaton algorthm EPars(1 k ) outputs publc parameters epp. Key generaton EGen(epp) outputs a publc key pk and a secret key sk. Encrypton Enc(epp, pk, M) takes parameters epp, a publc key pk, and a message M, and outputs a cphertext C. Decrypton Dec(epp, sk, C) takes publc parameters epp, a secret key sk, and a cphertext C, and outputs a message M. For correctness, we requre Dec(epp, sk, C) = M always and for all M, all epp EPars(1 k ), all (pk, sk) EGen(epp), and all C Enc(epp, pk, M). As wth sgnatures, we usually omt the publc parameters epp from nvocatons of Enc and Dec. Defnton 2.3 (Mult-user, mult-challenge ndstngushablty of cphertexts). For a publc-key encrypton scheme PKE and an adversary A, consder the followng securty experment Exp nd-mcca PKE,A (k): 6

8 1. A specfes (n unary) the number n U N of desred scheme nstances. 2. The experment samples parameters epp EPars(1 k ), and n U keypars through (pk (l), sk (l) ) EGen(epp), and unformly chooses a bt b {0, 1}. 3. A s nvoked on nput (1 k, epp, (pk (l) ) n U l=1 ), and gets access to challenge oracles O (l) and decrypton oracles Dec(sk (l), ) for all l [n U ]. Here, challenge oracle O (l), on nput two messages M 0, M 1, outputs an encrypton C Enc(pk (l), M b ) of M b. 4. Fnally, A outputs a bt b, and the experment outputs 1 ff b = b. A PPT adversary A s vald f every par (M 0, M 1 ) of messages submtted to an O (l) by A satsfes M 0 = M 1, and f A never submts any challenge cphertext (prevously receved from an O (l) ) to the correspondng decrypton oracle Dec(sk (l), ). Let [ ] Adv nd-mcca PKE,A (k) = Pr Exp nd-mcca PKE,A (k) = 1 1/2. We say that PKE has ndstngushable cphertexts under chosen-cphertext attacks n the mult-user, mult-challenge settng (short: s IND-mCCA secure) ff Adv nd-mcca PKE,A (k) s neglgble for all vald A. Let Adv nd-mcpa PKE,A be defned smlarly, except that A has no access to any Dec oracles. PKE has ndstngushable cphertexts under chosen-plantext attacks n the mult-user, mult-challenge settng (short: s IND-mCPA secure) ff Adv nd-mcpa PKE,A (k) s neglgble for all vald A. Quadratc resdues and Legendre symbols. Let p be a prme. Then, QR p Z p s the set of quadratc resdues modulo p,.e., the set of all x Z p for whch an r Z p wth r 2 = x mod p exsts. Gven p and an x QR p, such an r can be computed effcently. For x Z p, we let ( ) p 1 x p = x 2 mod p denote the Legendre of x modulo p. We have ( x p) { 1, 0, 1}, and n partcular ( x p ) = 1 x QRp, as well as ( x p) = 0 x = 0, and ( x p) = 1 x Z p \ QR p. Group and parng generators. A group generator G s a PPT algorthm that, on nput 1 k, outputs the descrpton of a group G, along wth ts (prme) order p, and a generator g of G. 
A parng generator P s a PPT algorthm that, on nput 1 k, outputs descrptons of: three groups G, ^G, G T of the same prme order p, along wth p, and generators g, ^g of G, ^G, a blnear map e : G ^G G T that s non-degenerate n the sense of e(g, ^g) 1 G T. Occasonally, t wll also be useful to consder a parng generator P as a group generator (that only outputs (G, p, g) or ( ^G, p, ^g)). Assumpton 2.4 (Decsonal Dffe-Hellman). For a group generator G and an adversary A, let Adv ddh G,A(k) be the followng dfference: ] Pr [ A(1 k, G, p, g, g x, g y, g xy ) = 1 [ ] Pr A(1 k, G, p, g, g x, g y, g z ) = 1. Here, the probablty s over (G, p, g) G(1 k ) and unformly chosen x, y, z Z p. We say that the Decsonal Dffe-Hellman (DDH) assumpton holds wth respect to G ff Adv ddh G,A s neglgble for every PPT A. When the reference to G s clear, we also say that the DDH assumpton holds n G (and wrte Adv ddh G,A). On occason, we mght also say that the DDH assumpton holds n groups G or ^G sampled by a parng generator, wth the obvous meanng. ElGamal encrypton. The ElGamal encrypton scheme PKE eg s defned as follows, where we assume a sutable group generator G. EPars eg (1 k ) runs (G, p, g) G(1 k ) and outputs epp = (G, p, g). EGen eg (epp) pcks a unform sk Z p, sets pk = g sk, and outputs (pk, sk). Enc(pk, M), for M G, pcks an R Z p, and outputs C = (g R, pk R M). Dec(sk, C), for C = (C 1, C 2 ) G 2, outputs M = C 2 /C sk 1. 7

9 The ElGamal scheme s tghtly IND-mCPA secure under the DDH assumpton n G. Concretely, for every vald IND-mCPA adversary A, there s a DDH adversary B (of roughly the same complexty as the IND-mCPA experment wth A) wth Adv ddh G,B(k) = Adv nd-mcpa PKE (k). eg,a Groth-Saha proofs. In a settng wth a parng generator, Groth-Saha proofs [26] provde a very versatle and effcent way to prove the satsfablty of very general classes of equatons over G and ^G. We wll not need them n full generalty, and the next defnton only captures a number of abstract propertes of Groth-Saha proofs we wll use. In partcular, we wll not formalze the exact classes of languages amenable to Groth-Saha proofs. (For the exact languages used n our applcaton, however, we gve more detals n Appendx A.1.) Lke [19, 18], we formalze Groth-Saha proofs as commt-and-prove systems: Defnton 2.5 (GS proofs [26]). The Groth-Saha proof system for a gven parng generator P conssts of the followng PPT algorthms, where gpp denotes group parameters sampled by P. Common reference strngs. HGen(gpp) and BGen(gpp) sample hdng, resp. bndng common reference strngs (CRSs) CRS. Commtments. For a (hdng or bndng) CRS CRS and a G-, ^G-, or Z p -element v, the commtment algorthm Com(gpp, CRS, v; R) outputs a commtment C, where R denotes the used random cons. Proofs. Let CRS be a CRS, and let X be a system of equatons. Each equaton may be over G, ^G, or Z p, and nvolve varables and constants. Let (v ) be a varable assgnment that satsfes X, and let (R ) be a vector of random cons for Com. Then Prove(gpp, CRS, X, (v, R ) ) outputs a proof π. Verfcaton. For a CRS CRS, a system X of equatons, a commtment vector (C ) to an assgnment of the varables n X, and a proof π, Verfy(gpp, CRS, X, (C ), π) outputs a verdct b {0, 1}. Smulaton. For a hdng CRS generated as CRS HGen(gpp; R CRS ), a system X of equatons, and a vector (R ) of commtment random cons, we have that Sm(gpp, R CRS, X, (R ) ) outputs a smulated proof π. 
As wth sgnatures and encrypton, we usually omt the group parameters gpp on nvocatons of Com, Prove, Verfy, Sm when the reference s clear. Theorem 2.6 (Propertes of GS proofs [26]). The algorthms from Defnton 2.5 satsfy the followng for all choces group parameters gpp P(1 k ) (unless noted otherwse): Homomorphc commtments. For any (hdng or bndng) CRS CRS, any two gven commtments Com(CRS, v; R) and Com(CRS, v ; R ) to G-elements v, v allow to effcently compute a commtment Com(CRS, v v ; R R ) to v v. (Note that the correspondng random cons R R can be effcently computed from R and R.) The same holds for two commtments to ^G-elements, and two commtments to Z p -elements (where the homomorphc operaton on Z p -elements s addton). Dual-mode commtments. Consder a commtment C Com(CRS, v; R). If CRS s bndng, then C unquely determnes v, and f CRS s hdng, then the dstrbuton of C does not depend on v. CRS ndstngushablty. For every PPT adversary A, there are PPT adversares A 1 and A 2 wth [ ] [ Pr A(1 k, HGen(gpp)) = 1 Pr A(1 k, BGen(gpp)) = 1] Adv ddh G,A 1 (k) + Adv ddh ^G,A 2 (k) where the probablty s over gpp P(1 k ), and the random cons of HGen, BGen, and A. Perfect completeness. For every (hdng or bndng) CRS CRS, every system X of equatons, every satsfyng assgnment (v ) of X, and every possble vector (C ) of commtments generated through C Com(CRS, v ; R ), we always have Verfy(CRS, X, (C ), Prove(CRS, X, (v, R ) )) = 1. Perfect soundness. For every bndng CRS CRS, every system X of equatons that s not satsfable, and every (C ) and π, Verfy(CRS, X, (C ), π) = 0 always., 8

Perfect simulation. For every hiding CRS $CRS \leftarrow \mathrm{HGen}(gpp; R_{CRS})$, and every system $X$ of equations that is satisfied by a variable assignment $(v_i)_i$, the following two distributions are identical:
- $\bigl((C_i)_i, \mathrm{Prove}(CRS, X, (v_i, R_i)_i)\bigr)$ for $C_i \leftarrow \mathrm{Com}(CRS, v_i; R_i)$ and fresh $R_i$,
- $\bigl((C_i)_i, \mathrm{Sim}(R_{CRS}, X, (R_i)_i)\bigr)$ for $C_i \leftarrow \mathrm{Com}(CRS, 1; R_i)$ and fresh $R_i$.
(The probability space consists of the $R_i$ and the coins of $\mathrm{Prove}$ and $\mathrm{Sim}$.) Since simulation is perfect (in the sense above), it also holds for reused commitments (i.e., when multiple adaptively chosen statements $X$ that involve the same variables and commitments are proven, see also [18]). Besides, perfect simulation directly implies perfect witness-indistinguishability (under a hiding CRS): for any two vectors $(v_i)_i$ and $(v'_i)_i$ of satisfying assignments of a given system $X$ of equations, the corresponding commitments and proofs $((C_i)_i, \pi)$ and $((C'_i)_i, \pi')$ are identically distributed. Again, this holds even if the same commitments are used in several proofs for adaptively generated statements $X$.

3 The signature scheme

3.1 Scheme description

Setting and ingredients. We assume the following ingredients:
- A pairing generator $P$ that outputs groups $G = \langle g \rangle$ and $\hat{G} = \langle \hat{g} \rangle$ of prime order $p > 2^k$ and an asymmetric pairing $e : G \times \hat{G} \to G_T$. We make the DDH assumption in both $G$ and $\hat{G}$.
- The ElGamal encryption scheme (given by algorithms $\mathrm{EGen}_{\mathrm{eg}}$, $\mathrm{Enc}_{\mathrm{eg}}$, $\mathrm{Dec}_{\mathrm{eg}}$) over $G$. (That is, we will use $P$ in place of $\mathrm{EPars}_{\mathrm{eg}}$ to generate the group $G$ for ElGamal.)
- A Groth-Sahai proof system for $P$ (see Definition 2.5), given by algorithms $\mathrm{HGen}$, $\mathrm{BGen}$, $\mathrm{Com}$, $\mathrm{Prove}$, $\mathrm{Verify}$, $\mathrm{Sim}$.

Public parameters. $\mathrm{SPars}(1^k)$ samples group parameters $gpp = (G, \hat{G}, G_T, p, g, \hat{g}, e) \leftarrow P(1^k)$ and sets $epp_{\mathrm{eg}} = (G, p, g)$. Then, $\mathrm{SPars}$ generates two binding Groth-Sahai CRSs and two ElGamal keypairs:
$$CRS_1 \leftarrow \mathrm{BGen}(gpp), \qquad (pk_0, sk_0) \leftarrow \mathrm{EGen}_{\mathrm{eg}}(epp_{\mathrm{eg}}),$$
$$CRS_2 \leftarrow \mathrm{BGen}(gpp), \qquad (pk_1, sk_1) \leftarrow \mathrm{EGen}_{\mathrm{eg}}(epp_{\mathrm{eg}}).$$
The public parameters are then defined as $spp = (gpp, CRS_1, CRS_2, pk_0, pk_1)$.

Key generation. $\mathrm{SGen}(spp)$ first sets up the exponents $Z = X \leftarrow \mathbb{Z}_p$ and $\alpha = \beta = 0$, and commits to them using fresh random coins $R_Z, R_\alpha, R_\beta$:
$$C_\alpha \leftarrow \mathrm{Com}(CRS_1, \alpha; R_\alpha), \qquad C_\beta \leftarrow \mathrm{Com}(CRS_1, \beta; R_\beta), \qquad C_Z \leftarrow \mathrm{Com}(CRS_2, Z; R_Z).$$
We will use that $\alpha, \beta$ define an affine function $f : \mathbb{Z}_p \to \mathbb{Z}_p$ through $f(x) = \alpha \cdot x + \beta \bmod p$.

Verification and signing key are given by
$$vk = (C_Z, C_\alpha, C_\beta), \qquad sgk = (X, R_Z, R_\alpha, R_\beta).$$

Signature generation. $\mathrm{Sig}(sgk, M)$, for $M \in \mathbb{Z}_p$, picks fresh random coins $R$ and encrypts
$$C_0 = \mathrm{Enc}_{\mathrm{eg}}(pk_0, g^{Z_0}; R), \qquad C_1 = \mathrm{Enc}_{\mathrm{eg}}(pk_1, g^{Z_1}; R)$$
for $Z_0 = Z_1 = X \in \mathbb{Z}_p$, using the same coins $R$ in both encryptions for efficiency. Then, $\mathrm{Sig}$ generates proofs $\pi_1$ and $\pi_2$ for the respective statements
$$\Bigl(\underbrace{Z_0 = Z_1}_{S1} \;\vee\; \underbrace{f(M) \in QR_p \cup \{0\}}_{S2}\Bigr) \quad \text{and} \quad \underbrace{Z_0 = Z}_{S3}. \tag{3}$$
Here, $Z_0, Z_1, Z, f$ refer to the values encrypted (resp. committed to) in $C_0, C_1, C_Z, (C_\alpha, C_\beta)$. Concretely, $\mathrm{Sig}$ generates a proof $\pi_1$ for $S1 \vee S2$ under $CRS_1$, using as witness $Z_0 = Z_1 = X$ and the encryption coins $R$. Also, $\mathrm{Sig}$ computes a proof $\pi_2$ for $S3$ under $CRS_2$, using as witness $X$ and $R_Z, R$. We stress that $\pi_1$ and $\pi_2$ are independently generated, with different (fresh) Groth-Sahai commitments to the respective witnesses. We describe the exact Groth-Sahai equations for these proofs in Appendix A.1, and give some intuition on the meaning of the statements S1-S3 in Section 3.2 below. The signature is then defined as $\sigma = (C_0, C_1, \pi_1, \pi_2)$.

Verification. $\mathrm{Ver}(spp, vk, M, \sigma)$ outputs 1 if and only if both proofs $\pi_1$ and $\pi_2$ in $\sigma$ are valid with respect to $M, C_0, C_1, C_Z, C_\alpha, C_\beta$.

Correctness. The completeness of Groth-Sahai proofs implies the correctness of SIG.

Efficiency. SIG has the following efficiency characteristics (cf. Appendix A.1):
- The public parameters consist of 8 $G$- and 6 $\hat{G}$-elements, plus the group parameters $gpp$.
- Each verification key contains 2 $G$- and 4 $\hat{G}$-elements.
- Each signing key contains 7 $\mathbb{Z}_p$-exponents.
- Each signature contains 11 $G$- and 14 $\hat{G}$-elements.

3.2 Security analysis

More details on the role of $\pi_1$ and $\pi_2$ in signatures. Before we proceed to the proof, we give some intuition on the proofs $\pi_1$ and $\pi_2$ published in signatures (and the statements S1-S3): $\pi_1$ proves that either $C_0$ and $C_1$ encrypt the same value or that the signed message satisfies a special property S2 (or both). In the scheme, all messages are special in this sense (because $f(M) = 0$ for all $M$). However, in the proof, we can adjust $f$ and, e.g., partition the set of messages into special and non-special ones in a random and roughly balanced way. Intuitively, this provides a means to make the double encryption $(C_0, C_1)$ inconsistent (and subsequently change the encrypted values) in signatures for special messages. At the same time, any valid adversarial forgery on a non-special message (that does not satisfy S2) must carry a consistent double encryption $(C_0, C_1)$.

In the scheme, $\pi_2$ ties the plaintext encrypted in $C_0$ to the master secret $Z$. In the simulation, we will remove that connection by simulating $\pi_2$. Specifically, recall that $\pi_1$ and $\pi_2$ are independently generated, using independently generated Groth-Sahai commitments to the respective witnesses. Thus, in the proof, we can simulate $\pi_2$ without witness (by choosing a hiding $CRS_2$ and using $\mathrm{Sim}$), while preserving the soundness of $\pi_1$ (assuming $CRS_1$ is binding). This simulation of $\pi_2$ will be instrumental in changing the message encrypted in $C_0$ (when the signed message is special in the above sense).

Theorem 3.1 (Security of SIG). Under the DDH assumptions in $G$ and $\hat{G}$, the signature scheme SIG from Section 3.1 is EUF-mCMA secure. Concretely, for every EUF-mCMA adversary $A$ on SIG, there exist DDH adversaries $B$ and $B'$ (of roughly the same complexity as the EUF-mCMA experiment with $A$ and SIG) with
$$\mathrm{Adv}^{\mathrm{euf\text{-}mcma}}_{\mathrm{SIG},A}(k) \le (8n + 1) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B}(k) + (4n + 1) \cdot \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'}(k) + O(n/2^k) \tag{4}$$
for $n = 2 \log_2(p) + k$, where $p$ denotes the order of $G$ and $\hat{G}$, and $k$ is the security parameter.

Proof outline. The proof starts with a number of preparations for the core argument. Our main goal during this phase will be to implement an additional and explicit check of $A$'s forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ for $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{X^*}$. (Note that in the default key setup, this explicit check is redundant, since valid signatures must fulfill statement S3 from (3).)

In the core argument (from Game 4 to Game 5, detailed in Lemma 3.2), we replace the value $X$ used in generated signatures and the additional forgery check with a value $H(M)$ that depends on the signed message. We start with a constant function $H(M) = X$ (which corresponds to Game 4), and then introduce more and more dependencies of $H(M)$ on the Legendre symbols $\left(\frac{f_j(M)}{p}\right)$ for independently and randomly selected (invertible) affine functions $f_j$. Each such dependency is introduced as follows. We start by committing to (the coefficients of) a new random function $f'$ in $C_\alpha, C_\beta$. This change allows us to modify the messages $Z_0, Z_1$ encrypted in generated signatures for all $M$ with $f'(M) \in QR_p \cup \{0\}$ (and only for those $M$), by proving S2 (and not S1) in signatures. We will also abort if $A$'s forgery satisfies $f'(M^*) \in QR_p \cup \{0\}$, and we will keep enforcing our forgery check on $C_0^*$. Hence, from $A$'s point of view, an additional dependency on $\left(\frac{f'(M)}{p}\right)$ is consistently introduced on all signatures. More importantly, this dependency is also enforced during the additional forgery check.

After sufficiently many such dependencies are introduced (for several different $f'$), all signatures are consistently generated with (or checked for) $Z_0 = Z_1 = R(M)$ for a truly random function $R$. At this point, $A$ has to predict a truly random function $R$ on a fresh input $M^*$ in order to produce a valid forgery. Hence, $A$'s forgery success must be negligible. Figs. 1 and 2 (on page 22 and page 23) give a more technical summary of the game transitions of the proof (also taking into account the notation for the multi-user case). The remainder of this section is devoted to a detailed proof.

Proof of Theorem 3.1. We proceed in games. Let $\mathrm{out}_i$ denote the output of Game $i$. Game 1 is the original EUF-mCMA game with $A$ and SIG. Of course,
$$\Pr[\mathrm{out}_1 = 1] = \mathrm{Adv}^{\mathrm{euf\text{-}mcma}}_{\mathrm{SIG},A}(k). \tag{5}$$
In the following, we apply a superscript to variables to denote to which SIG instance they belong. For instance, we denote with $X^{(l)}$ and $sk_0^{(l)}, sk_1^{(l)}$ the respective values from the $l$-th used SIG instance. Furthermore, we write $X^*$ for $X^{(l^*)}$ for the challenge instance $l^*$ selected by $A$ for his forgery, and similarly for $sk_0^*$ and $sk_1^*$.

Now, in Game 2, we implement an additional forgery check. Concretely, we only consider a forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ from $A$ as valid if $\pi_1^*$ and $\pi_2^*$ are valid and if $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{X^*}$. (Otherwise, the game outputs 0.) This change is purely conceptual: indeed, since $CRS_2$ is binding, we can use the soundness of Groth-Sahai proofs. Thus, any valid proof $\pi_2^*$ guarantees that S3 (from (3)) holds, and so $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = g^{X^*}$. We obtain
$$\Pr[\mathrm{out}_2 = 1] = \Pr[\mathrm{out}_1 = 1]. \tag{6}$$

In Game 3, we generate both $CRS_1$ and $CRS_2$ as hiding CRSs, using $\mathrm{HGen}$. The CRS indistinguishability of Groth-Sahai proofs yields
$$\bigl|\Pr[\mathrm{out}_3 = 1] - \Pr[\mathrm{out}_2 = 1]\bigr| = \mathrm{Adv}^{\mathrm{ddh}}_{G,B_3}(k) + \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_3}(k) \tag{7}$$
for suitable DDH adversaries $B_3$ and $B'_3$. (Here, we use the re-randomizability of DDH tuples. This enables a reduction that loses only a factor of 1 instead of 2.)

In Game 4, we simulate all proofs $\pi_2$ in signatures generated for $A$, using the Groth-Sahai simulator $\mathrm{Sim}$ (on input the random coins $R_{CRS}$ used to prepare $CRS_2$). We also generate the corresponding commitments $C_Z$ in all verification keys as $C_Z \leftarrow \mathrm{Com}(CRS_2, 1)$. We stress that all $X^{(l)}$ are still chosen randomly, and all signatures are generated with encryptions $C_0, C_1$ of $X^{(l)}$. By the simulation property of Groth-Sahai proofs (see Theorem 2.6 and the following comment concerning the reuse of commitments), these changes do not affect $A$'s view:
$$\Pr[\mathrm{out}_4 = 1] = \Pr[\mathrm{out}_3 = 1]. \tag{8}$$

In Game 5, we change the generation of signatures and the forgery check from Game 2 as follows. To describe these changes, let $R^{(l)} : \mathbb{Z}_p \to \mathbb{Z}_p$ (for all scheme instances $l \in [n_U]$) be truly random functions. Our changes in Game 5 are then as follows:
- All signatures generated for $A$ contain encryptions $C_0, C_1$ of exponents $Z_0 = Z_1 = R^{(l)}(M)$ (encoded as $g^{Z_0}, g^{Z_1}$) instead of $Z_0 = Z_1 = X^{(l)}$, where $M$ is the signed message. As in Game 4, the corresponding proof $\pi$ is generated using witnesses for S1 and S3 from (3).
- Any forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ for a (fresh) message $M^*$ from $A$ is considered valid only if $\pi_1^*$ and $\pi_2^*$ are valid and $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = R^*(M^*)$ holds. Otherwise, the game outputs 0. (Again, we use the shorthand notation $R^* = R^{(l^*)}$ for the challenge instance $l^*$.)

In particular, the second change implies that
$$\Pr[\mathrm{out}_5 = 1] \le 1/(p - 1) \le 1/2^k, \tag{9}$$
since $R^*(M^*)$ is information-theoretically hidden from $A$. Hence, it remains to relate Game 4 and Game 5:

Lemma 3.2. For $n = 2 \log_2(p) + k$ and suitable DDH adversaries $B_5$ and $B'_5$, we have
$$\bigl|\Pr[\mathrm{out}_5 = 1] - \Pr[\mathrm{out}_4 = 1]\bigr| \le 8n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B_5}(k) + 4n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_5}(k) + O(n/2^k). \tag{10}$$

Before we prove Lemma 3.2, we remark that putting together (5-10), we obtain (27), which is sufficient to show Theorem 3.1.

Proof of Lemma 3.2. We will consider a series of hybrid games between Game 4 and Game 5. Concretely, Game 4.$i$ (for $i \ge 0$) is defined like Game 4, except for the following changes:
- We initially uniformly and independently choose invertible affine functions $f_j : \mathbb{Z}_p \to \mathbb{Z}_p$ (for $j \in [i]$). The $f_j$ define a partial fingerprint function $L_i : \mathbb{Z}_p \to \{-1, 0, 1\}^i$ through
$$L_i(M) = \left(\left(\frac{f_1(M)}{p}\right), \ldots, \left(\frac{f_i(M)}{p}\right)\right). \tag{11}$$
- For every scheme instance $l \in [n_U]$, let $H_i^{(l)} : \mathbb{Z}_p \to \mathbb{Z}_p$ be the composition of $L_i$ with a truly random function $R_i^{(l)} : \{-1, 0, 1\}^i \to \mathbb{Z}_p$ (so that $H_i^{(l)}(M) = R_i^{(l)}(L_i(M))$).
- Signatures for $A$ contain encryptions $C_0, C_1$ of exponents $Z_0 = Z_1 = H_i^{(l)}(M)$.
- Any forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$ for a (fresh) message $M^*$ from $A$ is considered valid only if $\pi_1^*$ and $\pi_2^*$ are valid and $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = H_i^{(l^*)}(M^*)$.

Note that every $H_0^{(l)}$ is a constant function that maps every input $M$ to the same random value. Hence, Game 4.0 is identical to Game 4:
$$\Pr[\mathrm{out}_{4.0} = 1] = \Pr[\mathrm{out}_4 = 1]. \tag{12}$$
Conversely, for large enough $i$ and with high probability, the fingerprint function $L_i$ becomes injective, so that all $H_i^{(l)}$ become independent truly random functions from $\mathbb{Z}_p$ to $\mathbb{Z}_p$:

Lemma 3.3. For $n = 2 \log_2(p) + k$, the function $L_n$ from (11) is injective, except with probability $1/2^k$ (over the choice of the invertible affine functions $f_j : \mathbb{Z}_p \to \mathbb{Z}_p$).

We postpone a proof of Lemma 3.3 for now. Hence, the functions $H_n^{(l)} = R_n^{(l)} \circ L_n$ used in Game 4.$n$ (for $n = 2 \log_2(p) + k$) are statistically close to truly random functions $R^{(l)}$ (as used in Game 5):
$$\bigl|\Pr[\mathrm{out}_{4.n} = 1] - \Pr[\mathrm{out}_5 = 1]\bigr| \le 1/2^k. \tag{13}$$

The algebraic partitioning. Thus, we only need to show that there is no detectable difference between Game 4.$i$ and Game 4.$(i+1)$ for any $i$. We do so using a hybrid argument (i.e., a sequence of games) that interpolates between Game 4.$i$ and Game 4.$(i+1)$. (See Fig. 2 for an overview.) In short, we first refresh the affine function $f$ from $C_\alpha, C_\beta$ to a fresh random (but invertible) affine function $f'$. Next, we use $f'$ to implement a different treatment of signatures, depending on $\left(\frac{f'(M)}{p}\right)$. We detail these steps in the following.

Concretely, Game 4.$i$.0 is identical to Game 4.$i$. Thus,
$$\Pr[\mathrm{out}_{4.i.0} = 1] = \Pr[\mathrm{out}_{4.i} = 1]. \tag{14}$$

Step 1: refresh $f$. In Game 4.$i$.1, we initially choose an invertible affine function $f' : \mathbb{Z}_p \to \mathbb{Z}_p$ uniformly, and we abort (with output 0) if the message $M^*$ for which $A$ finally prepares a forgery satisfies $f'(M^*) \in QR_p \cup \{0\}$. We stress that $f'$ is not (yet) committed to in any $C_\alpha, C_\beta$, and thus completely hidden from $A$. Hence, an abort occurs with probability $\frac{p+1}{2p} = \frac{1}{2} + \frac{1}{2p}$, independently of $A$'s view, so
$$\Pr[\mathrm{out}_{4.i.1} = 1] = \left(\frac{1}{2} - \frac{1}{2p}\right) \Pr[\mathrm{out}_{4.i.0} = 1] \ge \frac{1}{2} \Pr[\mathrm{out}_{4.i.0} = 1] - \frac{1}{2p}. \tag{15}$$

In Game 4.$i$.2, we commit to the coefficients $f'_0, f'_1$ of the function $f'$ from Game 4.$i$.1 in $C_\alpha, C_\beta$ for all verification keys (instead of the coefficients $\alpha = \beta = 0$).
Accordingly, we generate all signatures for $A$ by proving statement S2 (and not S1) from (3) whenever possible (i.e., upon all signature queries with $f'(M) \in QR_p \cup \{0\}$). Since $CRS_1$ is hiding, we can use the witness-indistinguishability of Groth-Sahai proofs to obtain
$$\Pr[\mathrm{out}_{4.i.2} = 1] = \Pr[\mathrm{out}_{4.i.1} = 1]. \tag{16}$$

Step 2: use $f'$ to decouple signatures. To describe our change in Game 4.$i$.3, recall that in Game 4.$i$.2, the functions $H_i^{(l)}$ are used to determine both the values $Z_0 = Z_1 = H_i^{(l)}(M)$ encrypted in $C_0, C_1$ upon signature queries, and to implement the forgery check. In Game 4.$i$.3, we use three such functions $H_i^{(l)}, Z_i^{(l)}, Q_i^{(l)} : \mathbb{Z}_p \to \mathbb{Z}_p$. Each of these functions is defined like $H_i^{(l)}$, for the same fingerprint function $L_i$, but with different (i.e., independently chosen) random functions $R_i^{(l)}$. (In other words, we can write $H_i^{(l)} = F \circ L_i$, $Z_i^{(l)} = F' \circ L_i$, and $Q_i^{(l)} = F'' \circ L_i$ for independently random functions $F, F', F'' : \{-1, 0, 1\}^i \to \mathbb{Z}_p$. Intuitively, thus, $Z_i^{(l)}$ and $Q_i^{(l)}$ are decoupled copies of $H_i^{(l)}$.)
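The partitioning step above rests on three elementary facts about the Legendre symbol of a random invertible affine function: exactly $(p+1)/2$ messages are special under S2 (the abort probability of Game 4.$i$.1), the fingerprint $L_n$ of (11) is injective with overwhelming probability once $n = 2\log_2(p) + k$ (Lemma 3.3), and multiplying $f'$ by a non-square swaps squares and non-squares without changing the partition. The following Python is example code added for this page (not code from the paper); it checks these facts exhaustively over a constructed toy prime $p = 23$ with $k = 4$, and rounds $\log_2(p)$ up so that $n$ is an integer.

```python
"""Algebraic partitioning via Legendre symbols of random affine functions.

Example code written for this page (not code from the paper), over a small
prime p so that the claims can be checked exhaustively.  It mirrors:
  * an invertible affine f'(M) = alpha*M + beta mod p makes exactly (p+1)/2
    messages "special" (f'(M) in QR_p or f'(M) = 0, statement S2), which is
    the abort probability (p+1)/(2p) of Game 4.i.1;
  * the fingerprint L_n(M) from (11) is injective with overwhelming
    probability once n = 2*log2(p) + k (Lemma 3.3);
  * multiplying f' by an invertible non-square flips every non-zero
    Legendre symbol, so the partition itself hides which side the squares are.
"""
import math
import random
from typing import List, Sequence, Tuple

Affine = Tuple[int, int]  # (alpha, beta) with alpha != 0, so f is a bijection of Z_p

def legendre(a: int, p: int) -> int:
    """Legendre symbol (a/p) for an odd prime p via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def random_invertible_affine(p: int, rng: random.Random) -> Affine:
    """Uniform invertible affine function: non-zero alpha, arbitrary beta."""
    return rng.randrange(1, p), rng.randrange(p)

def evaluate(f: Affine, m: int, p: int) -> int:
    alpha, beta = f
    return (alpha * m + beta) % p

def is_special(f: Affine, m: int, p: int) -> bool:
    """Statement S2 of (3): f(M) lies in QR_p or equals 0."""
    return legendre(evaluate(f, m, p), p) >= 0

def partition(f: Affine, p: int) -> Tuple[List[int], List[int]]:
    """Split Z_p into the special and the non-special messages under f."""
    special = [m for m in range(p) if is_special(f, m, p)]
    non_special = [m for m in range(p) if not is_special(f, m, p)]
    return special, non_special

def fingerprint(fs: Sequence[Affine], m: int, p: int) -> Tuple[int, ...]:
    """L_i(M) from (11): the Legendre symbols of f_1(M), ..., f_i(M)."""
    return tuple(legendre(evaluate(f, m, p), p) for f in fs)

def fingerprint_is_injective(fs: Sequence[Affine], p: int) -> bool:
    """Exhaustive check that distinct messages receive distinct fingerprints."""
    seen = set()
    for m in range(p):
        fp = fingerprint(fs, m, p)
        if fp in seen:
            return False
        seen.add(fp)
    return True

def lemma_3_3_parameter(p: int, k: int) -> int:
    """n = 2*log2(p) + k; rounding log2(p) up is our choice to get an integer."""
    return 2 * math.ceil(math.log2(p)) + k

def injectivity_rate(p: int, k: int, trials: int, seed: int) -> float:
    """Fraction of random choices of f_1..f_n for which L_n is injective.
    Lemma 3.3 predicts at least 1 - 2^-k."""
    rng = random.Random(seed)
    n = lemma_3_3_parameter(p, k)
    hits = 0
    for _ in range(trials):
        fs = [random_invertible_affine(p, rng) for _ in range(n)]
        hits += fingerprint_is_injective(fs, p)
    return hits / trials

def flip_by_non_square(f: Affine, p: int) -> Affine:
    """Return c*f for the smallest invertible non-square c modulo p."""
    c = next(x for x in range(2, p) if legendre(x, p) == -1)
    alpha, beta = f
    return (c * alpha) % p, (c * beta) % p

def flip_swaps_squares(f: Affine, p: int) -> bool:
    """The special set of c*f is the non-special set of f plus the root of f:
    the partition is unchanged, only the labels square/non-square swap."""
    _, non_special_f = partition(f, p)
    root = {m for m in range(p) if evaluate(f, m, p) == 0}
    special_cf = set(partition(flip_by_non_square(f, p), p)[0])
    return special_cf == set(non_special_f) | root

if __name__ == "__main__":
    p, k = 23, 4  # constructed toy parameters (the paper needs p > 2^k)
    special, non_special = partition((3, 5), p)
    print(f"f'=(3,5) mod {p}: {len(special)} special, {len(non_special)} non-special")
    print(f"n={lemma_3_3_parameter(p, k)}: L_n injective in "
          f"{injectivity_rate(p, k, 200, 1):.3f} of trials")
    print("non-square flip keeps the partition:", flip_swaps_squares((3, 5), p))
```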

Our goal will be to use the functions $H_i^{(l)}, Z_i^{(l)}, Q_i^{(l)}$ for messages $M$ satisfying $f'(M) \notin QR_p$, $f'(M) = 0$, and $f'(M) \in QR_p$, respectively. (Hence the symbols $Z$ and $Q$.) This will be conceptually identical to using a single function $H_{i+1}^{(l)}$ for all messages of a given scheme instance $l$. At this point, however, we can only partially implement this strategy, since we can only replace the messages encrypted in $C_1$, but not those from $C_0$. (Indeed, $sk_0$ is still required to implement the additional forgery check in Game 4.$i$.3.) Thus, in Game 4.$i$.3, for every scheme instance $l \in [n_U]$, we use the respective function $H_i^{(l)}$ to generate all ciphertexts $C_0, C_1$ in signatures (as in Game 4.$i$.2), with the following exceptions:
- For signature queries with $f'(M) = 0$, we encrypt $Z_1 = Z_i^{(l)}(M)$ (instead of $Z_1 = H_i^{(l)}(M)$) in the ciphertext $C_1$ of the generated signature.
- For signature queries with $f'(M) \in QR_p$, we encrypt $Z_1 = Q_i^{(l)}(M)$ in $C_1$.
Note that for signatures with $f'(M) \in QR_p \cup \{0\}$, the random coins used to generate $C_1$ (or $C_0$) are not used as a witness in the process of constructing $\pi_1$. Furthermore, no secret key $sk_1^{(l)}$ has to be known to the game. A reduction to the (tight) IND-mCPA security of ElGamal yields
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.3} = 1] - \Pr[\mathrm{out}_{4.i.2} = 1]\bigr| = n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.3}}(k) \tag{17}$$
for a suitable DDH adversary $B_{4.i.3}$. (We note that even though the random coins $R$ of $C_1$ are not known explicitly to $B_{4.i.3}$, a $C_0$ with reused $R$ can be constructed from $sk_0^{(l)}$ and a given $g^R$.)

Our next step will be to replace the values encrypted in $C_0$ in a similar way. To do so, however, we need some preparations, since Game 4.$i$.3 still knows the secret keys $sk_0^{(l)}$ (to finally implement the forgery check). Fortunately, however, we can alternatively use the $sk_1^{(l)}$ to implement this check. (To see why this yields the same functionality, recall that by our abort rule from Game 4.$i$.1, we may restrict to forgeries with $f'(M^*) \notin QR_p \cup \{0\}$. However, by (3), a valid forgery for such a message must contain $C_0^*$ and $C_1^*$ that encrypt the same message.)

As a first step, in Game 4.$i$.4, we initially generate a binding CRS $CRS_1$ (using $CRS_1 \leftarrow \mathrm{BGen}(gpp)$). The CRS indistinguishability of Groth-Sahai proofs ensures that
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.4} = 1] - \Pr[\mathrm{out}_{4.i.3} = 1]\bigr| = n \cdot \Bigl(\mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.4}}(k) + \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_{4.i.4}}(k)\Bigr) \tag{18}$$
for suitable DDH adversaries $B_{4.i.4}$ and $B'_{4.i.4}$.

Next, in Game 4.$i$.5, we implement the forgery check rule from Game 2 using $sk_1^*$ (and not $sk_0^*$). That is, when $A$ submits a forgery $\sigma^* = (C_0^*, C_1^*, \pi_1^*, \pi_2^*)$, we check if $\mathrm{Dec}_{\mathrm{eg}}(sk_1^*, C_1^*) = H_i^*(M^*)$ holds (and reject the forgery if not). We may assume that $f'(M^*) \notin QR_p \cup \{0\}$ (since otherwise, we trivially abort anyway). But for such $M^*$, a valid forgery must fulfill S1 from (3), since at this point, $CRS_1$ is binding. In other words, we have $\mathrm{Dec}_{\mathrm{eg}}(sk_1^*, C_1^*) = H_i^*(M^*)$ if and only if $\mathrm{Dec}_{\mathrm{eg}}(sk_0^*, C_0^*) = H_i^*(M^*)$. Hence, the change in Game 4.$i$.5 is purely conceptual, and we get:
$$\Pr[\mathrm{out}_{4.i.5} = 1] = \Pr[\mathrm{out}_{4.i.4} = 1]. \tag{19}$$

Since we no longer use $sk_0^*$ (or the random coins from any $C_1$ generated upon a signature query), we can continue with our strategy. Specifically, in Game 4.$i$.6, we generate all ciphertexts $C_0, C_1$ in signatures as follows:
- For queries with $f'(M) \notin QR_p$, we encrypt $Z_0 = Z_1 = H_i^{(l)}(M)$ in $C_0$ and $C_1$.
- For queries with $f'(M) = 0$, we encrypt $Z_0 = Z_1 = Z_i^{(l)}(M)$ in $C_0$ and $C_1$.
- For queries with $f'(M) \in QR_p$, we encrypt $Z_0 = Z_1 = Q_i^{(l)}(M)$ in $C_0$ and $C_1$.

Observe that the only difference to Game 4.$i$.5 is that the messages $Z_0$ encrypted in ciphertexts $C_0$ in signatures with $f'(M) \in QR_p \cup \{0\}$ are changed. For such encryptions, neither secret key nor random coins are used by the game. Hence, a reduction to the (tight) IND-mCPA security of ElGamal yields
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.6} = 1] - \Pr[\mathrm{out}_{4.i.5} = 1]\bigr| = n \cdot \mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.6}}(k) \tag{20}$$
for a suitable DDH adversary $B_{4.i.6}$. (Again, a reuse of random coins between $C_0$ and $C_1$ is possible since the secret key $sk_1$ is known to $B_{4.i.6}$ during the reduction.)

Step 3: clean up. Now in Game 4.$i$.6, we handle both signature queries and $A$'s forgery with either $H_i^{(l)}$, $Z_i^{(l)}$, or $Q_i^{(l)}$, depending on the Legendre symbol $\left(\frac{f'(M)}{p}\right)$ of $f'(M)$. This is equivalent to handling all messages with a single function $H_{i+1}^{(l)}$ by the definition of $H_i^{(l)}$ (see also (11)). Hence, we already almost implement the rules of Game 4.$(i+1)$, and we only need to clean up things a little.

Namely, in Game 4.$i$.7, we again implement the forgery check from Game 2 using $sk_0^*$ (and not $sk_1^*$). With the same reasoning as in Game 4.$i$.5, we get:
$$\Pr[\mathrm{out}_{4.i.7} = 1] = \Pr[\mathrm{out}_{4.i.6} = 1]. \tag{21}$$

Next, in Game 4.$i$.8, we again set up $CRS_1$ as a hiding CRS (using $\mathrm{HGen}$). Again, CRS indistinguishability guarantees
$$\sum_{i=0}^{n-1} \bigl|\Pr[\mathrm{out}_{4.i.8} = 1] - \Pr[\mathrm{out}_{4.i.7} = 1]\bigr| = n \cdot \Bigl(\mathrm{Adv}^{\mathrm{ddh}}_{G,B_{4.i.8}}(k) + \mathrm{Adv}^{\mathrm{ddh}}_{\hat{G},B'_{4.i.8}}(k)\Bigr) \tag{22}$$
for suitable DDH adversaries $B_{4.i.8}$ and $B'_{4.i.8}$.

In Game 4.$i$.9, we again set up the commitments $C_\alpha, C_\beta$ in all verification keys as commitments to $\alpha = \beta = 0$. Accordingly, we generate all signatures for $A$ by proving statement S1 from (3). (Note that this is possible again since all generated pairs $(C_0, C_1)$ do encrypt the same message.) By the witness-indistinguishability of Groth-Sahai proofs,
$$\Pr[\mathrm{out}_{4.i.9} = 1] = \Pr[\mathrm{out}_{4.i.8} = 1]. \tag{23}$$

Finally, in Game 4.$i$.10, we do not abort anymore. (That is, we take back the abort rule from Game 4.$i$.1.) To see how this change affects the game's output, we make a few observations.

First, note that in both Game 4.$i$.9 and Game 4.$i$.10, $A$'s view only depends on the way $f'$ partitions the set of messages depending on $\left(\frac{f'(M)}{p}\right)$, but not on which messages $M$ are mapped by $f'$ to squares, and which to non-squares. (Indeed, any partitioning of the $M$ is invariant under multiplying $f'$ with an invertible non-square modulo $p$. However, multiplication with an invertible non-square inverts the Legendre symbol of $f'(M)$.) Thus, the probability for $A$ to successfully forge a signature with $\left(\frac{f'(M^*)}{p}\right) = 1$ is exactly the same as that to forge a signature with $\left(\frac{f'(M^*)}{p}\right) = -1$. Hence, if we cease to abort upon $f'(M^*) \in QR_p \cup \{0\}$, we at least double $A$'s success probability:
$$\Pr[\mathrm{out}_{4.i.10} = 1] \ge 2 \cdot \Pr[\mathrm{out}_{4.i.9} = 1]. \tag{24}$$
At the same time, Game 4.$i$.10 is identical to Game 4.$(i+1)$. (As argued, the use of three functions $H_i^{(l)}, Z_i^{(l)}, Q_i^{(l)}$ for each scheme instance $l$ is equivalent to the use of a single function


More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information

Polynomials. 1 More properties of polynomials

Polynomials. 1 More properties of polynomials Polynomals 1 More propertes of polynomals Recall that, for R a commutatve rng wth unty (as wth all rngs n ths course unless otherwse noted), we defne R[x] to be the set of expressons n =0 a x, where a

More information

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

The Second Anti-Mathima on Game Theory

The Second Anti-Mathima on Game Theory The Second Ant-Mathma on Game Theory Ath. Kehagas December 1 2006 1 Introducton In ths note we wll examne the noton of game equlbrum for three types of games 1. 2-player 2-acton zero-sum games 2. 2-player

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Maximizing the number of nonnegative subsets

Maximizing the number of nonnegative subsets Maxmzng the number of nonnegatve subsets Noga Alon Hao Huang December 1, 213 Abstract Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what s the maxmum

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract)

Lai-Massey Scheme and Quasi-Feistel Networks (Extended Abstract) La-Massey Scheme and Quas-Festel Networks (Extended Abstract Aaram Yun, Je Hong Park 2, and Jooyoung Lee 2 Unversty of Mnnesota - Twn Ctes aaramyun@gmalcom 2 ETRI Network & Communcaton Securty Dvson, Korea

More information

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography

CSci 6974 and ECSE 6966 Math. Tech. for Vision, Graphics and Robotics Lecture 21, April 17, 2006 Estimating A Plane Homography CSc 6974 and ECSE 6966 Math. Tech. for Vson, Graphcs and Robotcs Lecture 21, Aprl 17, 2006 Estmatng A Plane Homography Overvew We contnue wth a dscusson of the major ssues, usng estmaton of plane projectve

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product

12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA. 4. Tensor product 12 MATH 101A: ALGEBRA I, PART C: MULTILINEAR ALGEBRA Here s an outlne of what I dd: (1) categorcal defnton (2) constructon (3) lst of basc propertes (4) dstrbutve property (5) rght exactness (6) localzaton

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

Appendix B: Resampling Algorithms

Appendix B: Resampling Algorithms 407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles

More information

Formulas for the Determinant

Formulas for the Determinant page 224 224 CHAPTER 3 Determnants e t te t e 2t 38 A = e t 2te t e 2t e t te t 2e 2t 39 If 123 A = 345, 456 compute the matrx product A adj(a) What can you conclude about det(a)? For Problems 40 43, use

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials

MA 323 Geometric Modelling Course Notes: Day 13 Bezier Curves & Bernstein Polynomials MA 323 Geometrc Modellng Course Notes: Day 13 Bezer Curves & Bernsten Polynomals Davd L. Fnn Over the past few days, we have looked at de Casteljau s algorthm for generatng a polynomal curve, and we have

More information

Hidden Markov Models & The Multivariate Gaussian (10/26/04)

Hidden Markov Models & The Multivariate Gaussian (10/26/04) CS281A/Stat241A: Statstcal Learnng Theory Hdden Markov Models & The Multvarate Gaussan (10/26/04) Lecturer: Mchael I. Jordan Scrbes: Jonathan W. Hu 1 Hdden Markov Models As a bref revew, hdden Markov models

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016

CS : Algorithms and Uncertainty Lecture 17 Date: October 26, 2016 CS 29-128: Algorthms and Uncertanty Lecture 17 Date: October 26, 2016 Instructor: Nkhl Bansal Scrbe: Mchael Denns 1 Introducton In ths lecture we wll be lookng nto the secretary problem, and an nterestng

More information

Short Pairing-based Non-interactive Zero-Knowledge Arguments

Short Pairing-based Non-interactive Zero-Knowledge Arguments Short Parng-based Non-nteractve Zero-Knowledge Arguments Jens Groth Unversty College London j.groth@ucl.ac.uk October 26, 2010 Abstract. We construct non-nteractve zero-knowledge arguments for crcut satsfablty

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

Complete subgraphs in multipartite graphs

Complete subgraphs in multipartite graphs Complete subgraphs n multpartte graphs FLORIAN PFENDER Unverstät Rostock, Insttut für Mathematk D-18057 Rostock, Germany Floran.Pfender@un-rostock.de Abstract Turán s Theorem states that every graph G

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM

Some Consequences. Example of Extended Euclidean Algorithm. The Fundamental Theorem of Arithmetic, II. Characterizing the GCD and LCM Example of Extended Eucldean Algorthm Recall that gcd(84, 33) = gcd(33, 18) = gcd(18, 15) = gcd(15, 3) = gcd(3, 0) = 3 We work backwards to wrte 3 as a lnear combnaton of 84 and 33: 3 = 18 15 [Now 3 s

More information

Structure and Drive Paul A. Jensen Copyright July 20, 2003

Structure and Drive Paul A. Jensen Copyright July 20, 2003 Structure and Drve Paul A. Jensen Copyrght July 20, 2003 A system s made up of several operatons wth flow passng between them. The structure of the system descrbes the flow paths from nputs to outputs.

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

Random Walks on Digraphs

Random Walks on Digraphs Random Walks on Dgraphs J. J. P. Veerman October 23, 27 Introducton Let V = {, n} be a vertex set and S a non-negatve row-stochastc matrx (.e. rows sum to ). V and S defne a dgraph G = G(V, S) and a drected

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS

BOUNDEDNESS OF THE RIESZ TRANSFORM WITH MATRIX A 2 WEIGHTS BOUNDEDNESS OF THE IESZ TANSFOM WITH MATIX A WEIGHTS Introducton Let L = L ( n, be the functon space wth norm (ˆ f L = f(x C dx d < For a d d matrx valued functon W : wth W (x postve sem-defnte for all

More information

Grover s Algorithm + Quantum Zeno Effect + Vaidman

Grover s Algorithm + Quantum Zeno Effect + Vaidman Grover s Algorthm + Quantum Zeno Effect + Vadman CS 294-2 Bomb 10/12/04 Fall 2004 Lecture 11 Grover s algorthm Recall that Grover s algorthm for searchng over a space of sze wors as follows: consder the

More information

Composite Hypotheses testing

Composite Hypotheses testing Composte ypotheses testng In many hypothess testng problems there are many possble dstrbutons that can occur under each of the hypotheses. The output of the source s a set of parameters (ponts n a parameter

More information

Notes prepared by Prof Mrs) M.J. Gholba Class M.Sc Part(I) Information Technology

Notes prepared by Prof Mrs) M.J. Gholba Class M.Sc Part(I) Information Technology Inverse transformatons Generaton of random observatons from gven dstrbutons Assume that random numbers,,, are readly avalable, where each tself s a random varable whch s unformly dstrbuted over the range(,).

More information

Supplement to Clustering with Statistical Error Control

Supplement to Clustering with Statistical Error Control Supplement to Clusterng wth Statstcal Error Control Mchael Vogt Unversty of Bonn Matthas Schmd Unversty of Bonn In ths supplement, we provde the proofs that are omtted n the paper. In partcular, we derve

More information

12. The Hamilton-Jacobi Equation Michael Fowler

12. The Hamilton-Jacobi Equation Michael Fowler 1. The Hamlton-Jacob Equaton Mchael Fowler Back to Confguraton Space We ve establshed that the acton, regarded as a functon of ts coordnate endponts and tme, satsfes ( ) ( ) S q, t / t+ H qpt,, = 0, and

More information

NP-Completeness : Proofs

NP-Completeness : Proofs NP-Completeness : Proofs Proof Methods A method to show a decson problem Π NP-complete s as follows. (1) Show Π NP. (2) Choose an NP-complete problem Π. (3) Show Π Π. A method to show an optmzaton problem

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

Vapnik-Chervonenkis theory

Vapnik-Chervonenkis theory Vapnk-Chervonenks theory Rs Kondor June 13, 2008 For the purposes of ths lecture, we restrct ourselves to the bnary supervsed batch learnng settng. We assume that we have an nput space X, and an unknown

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Approximate Smallest Enclosing Balls

Approximate Smallest Enclosing Balls Chapter 5 Approxmate Smallest Enclosng Balls 5. Boundng Volumes A boundng volume for a set S R d s a superset of S wth a smple shape, for example a box, a ball, or an ellpsod. Fgure 5.: Boundng boxes Q(P

More information

Generic Hardness of the Multiple Discrete Logarithm Problem

Generic Hardness of the Multiple Discrete Logarithm Problem Generc Hardness of the Multple Dscrete Logarthm Problem Aaram Yun Ulsan Natonal Insttute of Scence and Technology (UNIST) Republc of Korea aaramyun@unst.ac.kr Abstract. We study generc hardness of the

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

Recover plaintext attack to block ciphers

Recover plaintext attack to block ciphers Recover plantext attac to bloc cphers L An-Png Bejng 100085, P.R.Chna apl0001@sna.com Abstract In ths paper, we wll present an estmaton for the upper-bound of the amount of 16-bytes plantexts for Englsh

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

Efficient Ring Signatures Without Random Oracles

Efficient Ring Signatures Without Random Oracles Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,

More information

1 GSW Iterative Techniques for y = Ax

1 GSW Iterative Techniques for y = Ax 1 for y = A I m gong to cheat here. here are a lot of teratve technques that can be used to solve the general case of a set of smultaneous equatons (wrtten n the matr form as y = A), but ths chapter sn

More information

9 Characteristic classes

9 Characteristic classes THEODORE VORONOV DIFFERENTIAL GEOMETRY. Sprng 2009 [under constructon] 9 Characterstc classes 9.1 The frst Chern class of a lne bundle Consder a complex vector bundle E B of rank p. We shall construct

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

DISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization

DISCRIMINANTS AND RAMIFIED PRIMES. 1. Introduction A prime number p is said to be ramified in a number field K if the prime ideal factorization DISCRIMINANTS AND RAMIFIED PRIMES KEITH CONRAD 1. Introducton A prme number p s sad to be ramfed n a number feld K f the prme deal factorzaton (1.1) (p) = po K = p e 1 1 peg g has some e greater than 1.

More information