Efficient Ring Signatures Without Random Oracles

Transcription

1 Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham Brent Waters Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles, based on standard assumptons. Our rng sgnatures are based n blnear groups. For l members of a rng our sgnatures consst of 2l + 2 group elements and requre 2l + 3 parngs to verfy. We prove our scheme secure n the strongest securty model proposed by Bender, Katz, and Morsell: namely, we show our scheme to be anonymous aganst full key exposure and unforgeable wth respect to nsder corrupton. A shortcomng of our approach s that all the users keys must be defned n the same group. 1 Introducton Rng sgnatures were ntroduced by Rvest, Shamr, and Tauman [18, 19]. Each user n the system generates and publshes a publc key. (Ths key can be, for example, the descrpton of an RSA permutaton. In generatng a rng sgnature, a user can choose, arbtrarly, some other users to mplcate n the sgnature. The publc keys of these mplcated users, along wth the sgner s publc key, are sad to form the rng for that sgnature. A verfer s convnced that someone n the rng s responsble for the sgnature, but cannot tell who. In ths paper we present the frst effcent rng sgnature scheme secure, wthout random oracles, based on standard assumptons. Our scheme gves O(l sgnatures, wth no a pror bound on rng sze. Our rng sgnatures are based n blnear groups. In partcular, for l members of a rng our sgnatures consst of 2l + 2 group elements and requre 2l + 3 parngs to verfy. We now outlne our approach. In our rng sgnature scheme each user generates her own publc-prvate keypar from the Waters [20] sgnature scheme defned over a group G of a composte order n, where the group s set up by a trusted authorty. When a user wants to sgn a message M on a rng R she frst creates a cphertext C, whch s a BGN [9] encrypton of her publc sgnng key. Next, she proves that C s an encrypton of exactly one of the publc keys n the the rng R. We use proofs smlar to that of Groth, Ostrovsky, and Saha [16] to do ths effcently. Fnally, she gves an encrypted sgnature of the message M usng her prvate sgnng key and proves that the sgnature verfes under the encrypted key. A shortcomng of our approach s that all the users keys must be defned n the group G. Ths s unlke the generc constructon of Bender, Katz, and Morsell [4], whch does not place restrctons Supported by a Koshland Scholars Program fellowshp. Supported by NSF CNS and the US Army Research Offce under the CyberTA Grant No. W911NF

2 on the user keys, and also unlke some of the random-oracle based schemes (dscussed below that allow for ndependently generated RSA user keys. In compensaton, however, we obtan an effcent scheme provably secure, wthout random oracles, n the strongest securty model proposed by Bender, Katz, and Morsell [4]: namely, we show our scheme to be anonymous aganst full key exposure and unforgeable wth respect to nsder corrupton. Related Work. The constructon of Rvest, Shamr, and Tauman, requres that the users publc keys be for trapdoor-permutaton based schemes,.e., nclude descrptons of a trapdoor permutaton. Subsequently, rng sgnature constructons were presented where the underlyng keys are dscrete-log based [17], dscrete-log based n the blnear map settng [8], factorng-based [15], or a mx of trapdoor-permutaton type and dscrete-log type [1]. Rng sgnatures are also related to group sgnatures, whch were ntroduced by Chaum and Van Heyst [13] and are themselves the subject of much subsequent research. The two concepts dffer n two man ways. Frst, the rng s determned by the sgner and can be dfferent for each sgnatures; n a group sgnature, group membershp s controlled by a group manager and, at any gven tme, s fxed. 1 Second, no one can determne whch member of a rng generated a sgnature; n a group sgnature, a tracng party possesses a specal trapdoor that allows t to determne whch group member s responsble for a sgnature. Applcatons. The canoncal applcaton for rng sgnatures s secret leakng: A sgnature by the rng of all cabnet mnsters on a leaked memo s credble, but doesn t ncrmnate any partcular mnster for the leak. Other applcatons have been proposed [4, 19]. Rng Sgnatures n the Standard Model. The securty of the rng sgnatures proposed by Rvest, Shamr, and Tauman and n most subsequent papers holds n the random oracle model [2]. 2 Some recent papers have consdered how to construct rng sgnatures that are provably secure n the standard model. Xu, Zhang, and Feng [21] descrbe a rng sgnature secure n the standard model, but the proof presented s not rgorous and s apparently flawed [4, n. 1]. Chow et al. [14] gve a rng sgnature scheme wth proof n the standard model, but based on a strong new assumpton. Bender, Katz, and Morsell present a rng sgnature secure n the standard model assumng trapdoor permutatons exst, but the scheme uses generc ZAPs for NP as a buldng block, and s thus mpractcal. In addton, they gve two rng sgnature schemes secure n the standard model but whch allow only two-sgner rngs: one based on the Waters sgnature [20], a second based on the Camensch- Lysyanskaya sgnature [12]. Our rng sgnature scheme s related to a recent group sgnature secure wthout random oracles due to Boyen and Waters [10]. One mportant dfference s that n ther group sgnature paper the master publc key, whch belongs to the group manager, s n the clear and the frst level message, whch corresponds to the user s dentty, s encrypted and then proved to be well formed. In our scheme, on the other hand, the message to be sgned s publc, but the verfcaton key whch belongs to the user who generated the sgnature s encrypted and then a proof s gven that t s well formed. (In our case, well-formed means n the rng. The Boyen-Waters group sgnature 1 Dods et al. [15, Sect. 6.3] descrbe ad-hoc group sgnatures, a prmtve for whch ths dfference s less pronounced. 2 More precsely, Rvest, Shamr, and Tauman analyzed ther constructon n the deal-cpher model; Bresson, Stern, and Szydlo [11] later showed that random oracles suffce for provng ts securty. 2

3 s tself based on two lnes of research: the dentty-based encrypton scheme n the standard model due to Waters [20], whch follows up on earler schemes by Boneh and Boyen [5, 6]; and the perfect non-nteractve zero knowledge proofs of Groth, Ostrovsky, and Saha [16], whch are based on the homomorphc encrypton scheme proposed by Boneh, Goh, and Nssm [9]. 2 Mathematcal Settng Lke Boyen and Waters, we make use of blnear groups of composte order. These were ntroduced by Boneh, Goh, and Nssm [9]. Let n be a composte wth factorzaton n = pq. We have: G s a multplcatve cyclc group of order n; G p s ts cyclc order-p subgroup, and G q s ts cyclc order-q subgroup; g s a generator of G, whle h s a generator of G q ; G T s a multplcatve group of order n; e : G G G T s an effcently computable map wth the followng propertes: Blnear: for all u, v G and a, b Z, e(u a, v b = e(u, v ab ; Non-degenerate: e(g, g = G T whenever g = G; G T,p and G T,q are the G T -subgroups of order p and q, respectvely; the group operatons on G and G T can be performed effcently; and btstrngs correspondng to elements of G (and of G T can be recognzed effcently. In our rng sgnature scheme, the descrpton of such a group G, ncludng the generators g and h, s gven n the common reference strng generated by the setup authorty. 2.1 Complexty Assumptons For our rng sgnature, we assume that two problems are dffcult to solve n the settng descrbed above: computatonal Dffe-Hellman n G p and the Subgroup Decson Problem. Computatonal Dffe-Hellman n G p. Gven the tuple (η, η a, η b, wth η R G p and a, b R Z p, compute and output η ab. In the composte settng one s addtonally gven the descrpton of the larger group G, ncludng the factorzaton (p, q of ts order n. Subgroup Decson. Gven w selected at random ether from G (wth probablty 1/2 or from G q (wth probablty 1/2, decde whether w s n G q. For ths problem one s gven the descrpton of G, but not gven the factorzaton of n. The assumptons are formalzed by measurng an adversary s success probablty for computatonal Dffe-Hellman and an adversary s guessng advantage for the subgroup decson problem. Note that f CDH n G p as we have formulated t s hard then so s CDH n G. The assumpton that the subgroup decson problem s hard s called the Subgroup Hdng (SGH assumpton, and was ntroduced by Boneh, Goh, and Nssm [9]. 3

4 3 Underlyng Sgnature The underlyng sgnature scheme s the Waters sgnature [20]. Ths sgnature was adapted for composte order groups by Boyen and Waters [10]. The varant we descrbe dffers from thers n retanng the orgnal Waters formulaton for the publc key: g 1, g 2 G rather than e(g 1, g 2 G T. Suppose that messages to be sgned are encoded as elements of {0, 1} k for some k. (For example, as the output of a k-bt collson-resstant hash functon. In addton to the system parameters of Sect. 2 above, the Waters scheme makes use of random generators u, u 1, u 2,..., u k n G. The scheme s as follows. WC.Kg. Pck random α, β R Z n and set g 1 g α and g 2 g β. The publc key pk s (g 1, g 2 G 2. The prvate key sk s (α, β. WC.Sg(sk, M. Parse the user s prvate key sk as (α, β Z n and the message M as a btstrng (m 1,..., m k {0, 1} k. Pck a random r R Z n and compute S 1 g αβ (u The sgnature s σ = (S 1, S 2 G 2. k =1 u m r and S 2 g r. WC.Vf(pk, M, σ. Parse the user s publc key pk as (g 1, g 2 G 2, the message M as a btstrng (m 1,..., m k {0, 1} k, and the sgnature σ as (S 1, S 2 G 2. Verfy that ( e(s 1, g e S2 1, u k =1 holds; f so, output vald; f not, output nvald. u m?= e(g1, g 2 (1 Ths sgnature s exstentally unforgeable f computatonal Dffe-Hellman holds on G. The Waters Sgnature n G p. One can also restrct the Waters sgnature to the subgroup G p, obtanng a sgnature scheme to whch we refer as WP. In ths case, the generator g s replaced by a generator η of G p, and exponents are drawn from Z p rather than Z n. In partcular, the verfcaton equaton s (Ŝ 1 e(ŝ1, η e 2, û k =1 û m?= e(η1, η 2. (2 Ths varant s secure assumng CDH s hard n G p, and s used n our reductons. 4 Rng Sgnature Defntons Informally, a rng sgnature scheme should satsfy two securty propertes. Frst, t should be anonymous: an adversary should not be able to determne whch member of a rng generated a sgnature. Second, t should be unforgeable: an adversary should be able to construct a vald sgnature on a rng of publc keys only f he knows the secret key correspondng to one of them. Formalzng ths ntuton s trcky. Rvest, Shamr, and Tauman [18] gave a formalzaton whch 4

5 has been used n much subsequent work. Recently, Bender, Katz, and Morsell [4] descrbed several possble stronger formulatons of each noton. Below, we show our scheme to be anonymous aganst full key exposure and unforgeable wth respect to nsder corrupton. For both anonymty and unforgeablty these are the strongest formulatons consdered by Bender, Katz, and Morsell. We now recall these formulatons; see [4] for addtonal detals and motvaton. RS.Kg. Ths randomzed algorthm outputs a publc verfcaton key pk and a prvate sgnng key sk. RS.Sg(pk, sk, R, M. Ths algorthm takes as nput a keypar (pk, sk and a set of publc keys R that consttutes the rng, along wth a message M n some message space to be sgned. It s requred that pk R hold. The algorthm returns a sgnature σ on M for the rng R. RS.Vf(R, M, σ. The verfcaton algorthm takes as nput a set of publc keys R that consttutes the rng and a purported sgnature σ on a message M. It returns ether vald or nvald. Anonymty. Anonymty aganst full key exposure for a rng sgnature scheme RS s defned usng the followng game between a challenger and an adversary A: Setup. The challenger runs Kg, the key generaton algorthm, l tmes to obtan publc-prvate keypars (pk 1, sk 1,..., (pk l, sk l. In addton, the challenger records the random cons {ω } used n generatng each keypar. Here l s a game parameter. The adversary A s gven the publc keys {pk }. Sgnng Queres. Algorthm A s allowed to make rng sgnng queres of the form (s, R, M. Here M s the message to be sgned, R s a set of publc keys, and s s an ndex such that pk s R holds. (The other keys n R need not be keys n the set {pk }. The challenger responds wth σ = Sg(pk s, sk s, R, M. Challenge. Algorthm A requests a challenge by sendng to the challenger the values ( 0, 1, R, M. Here M s to be sgned wth respect to the rng R, and 0 and 1 are ndces such that pk 0, pk 1 R. (The other keys n R need not be keys n the set {pk }. The challenger chooses a bt b R {0, 1}, computes the challenge sgnature σ Sg(pk b, sk b, R, M, and provdes A wth σ. In addton, the challenger provdes A wth the cons {ω } used to generate the keys; from these, A can recompute {sk }. Output. Algorthm A fnally outputs ts guess b for b, and wns f b = b. We defne Adv rsg-anon-ke RS, A to be the advantage over 1/2 of A n the above game. Unforgeablty. Unforgeablty wth respect to nsder corrupton for a rng sgnature scheme RS s defned usng the followng game between a challenger and an adversary A: Setup. The challenger runs Kg, the key generaton algorthm, l tmes to obtan publc-prvate keypars (pk 1, sk 1,..., (pk l, sk l. Here l s a game parameter. The adversary A s gven the publc keys {pk }. The challenger also ntalzes the set C of corrupted users as C. 5

6 Queres. Algorthm A s allowed to make rng sgnng queres and corrupton queres. A rng sgnng query s of the form (s, R, M. Here M s the message to be sgned, R s a set of publc keys, and s s an ndex such that pk s R holds. (The other keys n R need not be keys n the set {pk }. The challenger responds wth σ = Sg(pk s, sk s, R, M. A corrupton query s of the form s, where s s agan an ndex. The challenger provdes sk s to A and adds pk s to C. Output. Eventually, A outputs a tuple (R, M, σ and wns the game f (1 t never made a rng sgnng query (s, R, M for any s; (2 R {pk } \ C; and (3 Vf(R, M, σ = vald. We defne Adv rsg-uf-c RS, A to be the probablty that A wns n the above game. Trusted Setup. In our model we allow for a trusted global setup by an authorty. Ths s a stronger setup assumpton than what was used n prevous results. However, ths setup allows us to realze the benefts of an effcent scheme provably secure n the standard model. In practce the authorty role can be splt amongst several partes. For example, usng technques lke those of Boneh and Frankln [7] several partes could generate a shared modulus n and group descrpton effcently for our scheme. 5 On Bender, Katz, and Morsell s Two-User Rng Sgnatures Bender, Katz, and Morsell propose a rng sgnature secure wthout random oracles based on the Waters sgnature. Ths rng sgnature allows only two-sgner rngs, but ths suffces for some applcatons of rng sgnatures, n partcular desgnated-verfer sgnatures. Unlke the scheme we present, the BKM rng sgnature s proven unforgeable only aganst chosen-subrng attacks. In ths secton, we recall the BKM rng sgnature and show that t s, n fact, nsecure wth respect to nsder corrupton. We stress that Bender, Katz, and Morsell do not clam that ther scheme s secure wth respect to nsder corrupton. They prove securty aganst chosen-subrng attacks, a weaker noton, and ths proof s correct. Our contrbuton n ths secton s to demonstrate a practcal attack aganst the scheme n the more general model. Consder a group G of prme order p, together wth a blnear map e : G G G T, where G T s also of sze p. (Ths s unlke the composte-order setup of our paper. Each user has a prvate key α Z p and a publc key that ncludes g 1 = g α and her own Waters hash generators u, u 1,..., u k G. Now, f Alce wshes to sgn a message M = (m 1,..., m k n a rng that comprses her and Bob, whose publc key s (ḡ 1, ū, ū 1,..., ū k, she pcks r R Z p and computes S 1 (ḡ 1 α (u k =1 um r (ū k =1 ūm r and S 2 g r. For any two users, the values (g 1, ḡ 1 act lke the Waters publc key (g 1, g 2 ; the value g αᾱ acts as a shared sgnng key. Snce ether user s capable of computng ths value, anonymty s uncondtonal. Unforgeablty aganst chosen-subrng attacks follows from the securty of the underlyng Waters sgnature. Ths scheme has the advantage that t requres no shared setup beyond the group descrpton. Ths justfes makng each sgner generate and publsh her own Waters hash generators, snce a 6

7 thrd party trusted wth generatng them for all users could use ts knowledge of ther dscrete logs to recover the shared sgnng key g αᾱ from any sgnature. The unforgeablty condton under whch Bender, Katz, and Morsell prove ther scheme secure does not allow for adversarally generated keys. We show that the scheme s n fact nsecure aganst such attacks, whch, for a two-user rng sgnature, have the followng form: Alce and Bob publsh ther publc keys. Then Veronca publshes her key and trcks Alce nto sgnng a message for the Alce-Veronca rng; what she learns from ths sgnature allows her to forge an Alce-Bob rng sgnature. Suppose Alce s publc key s (g 1, u, u 1,..., u k and Bob s publc key s (ḡ 1, ū, ū 1,..., ū k. In our attack, Veronca pcks s, t R, t 1,..., t k Zp and sets ĝ 1 ḡ 1 g s and û g t /u and û g t /u 1 k. Now when Alce generates an Alce-Veronca rng sgnature on a message M = (m 1,..., m k we wll have S 1 = (ĝ 1 α (u û k =1 (u û m r = (ḡ1 α (g s α (g t r where t = t + k =1 m t, and Veronca recovers the shared Alce-Bob sgnng key g αᾱ as S 1 /(g1 sst 2. Note that Veronca need not know the dscrete logarthms of all her Waters generators. It suffces for her to pck û specally whle lettng the rest be globally specfed. In ths varant, Veronca pcks ahead of tme a message M = (m 1,..., m k that she thnks she can trck Alce nto sgnng. She then chooses s, t R Zp, and computes ĝ 1 ḡ 1 g s and û / ( g t u k (u û m. =1 Now, when Alce generates an Alce-Veronca rng sgnature on M, we have S 1 = (ḡ 1 α (g s α (g t r, from whch Veronca can recover g αᾱ. The attack descrbed above s prevented f all users share the same Waters generators (u, u 1,..., u k ; but even n ths case Veronca can stll obtan from Alce an Alce-Bob rng sgnature when Alce thnks she s generatng an Alce-Veronca rng sgnature. To acheve ths, Veronca chooses s R Z p and sets ĝ 1 (ḡ 1 s. Now an Alce-Veronca rng sgnature on M = (m 1,..., m k wll have the form S 2 = g r and S 1 = (ĝ 1 α (u k =1 um r = (ḡ α 1 s (u k =1 um and therefore (S 1/s 1, S 1/s 2 s an Alce-Bob rng sgnature on M wth randomness r/s. Attack on the Camensch-Lysyanskaya Based Scheme. In the full verson of ther paper [3], Bender, Katz, and Morsell also gve a two-user rng sgnature based on Camensch-Lysyanskaya sgnatures [12]. As wth ther Waters-based scheme, they clam and prove securty aganst chosensubrng attacks. Here, we show an attack on ths rng sgnature smlar to the attack above, agan wth respect to nsder corrupton. We stress once more that Bender, Katz, and Morsell do not clam securty n ths stronger model. Suppose that Alce and Bob have respectve secret keys x and y, and publc keys X = g x and Y = g y. Ther rng sgnature on a message m Z p s (a, a y, a x+mxy, where a s random n G. r, 7

8 If a = g r wth r Z p then Alce computes the rng sgnature as (a, Y r, a x Y mxr and Bob as (a, a y, X r+mry. If Veronca plays the part of Alce, she publshes as her key ˆX = X s for s R Z p. Bob then generates the Veronca-Bob sgnature (S 1, S 2, S 3 = (a, a y, a sx+msxy, from whch Veronca can produce an Alce-Bob rng sgnature on m as (S 1, S 2, S 1/s 3. If Veronca plays the part of Bob, she publshes as her key Ŷ = Y s for s R Z p. Alce then generates the Alce-Veronca sgnature (S 1, S 2, S 3 = (a, a sy, a x+mxsy, from whch Veronca can produce an Alce-Bob rng sgnature on m = ms as (S 1, S 1/s 2, S 3. Implcatons for Desgnated-Verfer Sgnatures. The attack descrbed above demonstrates a trade-off between our Waters-based rng sgnature and the BKM one. Our scheme requres a trusted setup, but acheves securty even n the presence of adversarally generated keys. Ths s mportant for desgnated-verfer sgnatures, the man proposed applcaton for two-user rng sgnatures, snce there s no reason that Alce wll only wsh to desgnate as verfers users whose keys she trusts to have been properly generated. 6 Our Rng Sgnature Constructon In ths secton, we descrbe our rng sgnature scheme. As noted n the ntroducton, n our rng sgnature all the users keys must be defned n a group G of composte order. That group must be set up by a trusted authorty, snce the factorzaton of ts order n must be kept secret. In addton to settng up the group G, the setup authorty must also set up some addtonal parameters, usng a global setup algorthm we now descrbe. Global Setup. The trusted rng sgnng setup algorthm frst constructs a group G of composte order n = pq as descrbed n Sect. 2 above. It then chooses exponents a, b 0 R Zn and sets A g a and B 0 g b 0 and  h a. Let H : {0, 1} {0, 1} k be a collson-resstant hash functon. The setup algorthm pcks Waters hash generators u, u 1, u 2,..., u k R G. The publshed common reference strng ncludes a descrpton of the group G and of the collsonresstant hash H, along wth (A, B 0,  and (u, u 1,..., u k. The factorzaton of n s not revealed. Note that anyone can use the parng to verfy that the par (A,  s properly formed. The Scheme. Indvdual users now use the publc parameters publshed by the setup algorthm n generatng ther keys, sgnng, and verfyng. The algorthms they use are as follows. LRS.Kg. Choose a random exponent b R Z n ; set pk g b G and sk A b G. Recall that n the varant of the Waters sgnature scheme that we use a publc key s a par of group elements n G. Here, one of the two group elements for a user s key s always the global setup value A. In effect the user s publc key s lke the Waters publc key A, g b. However, all users share the element A. 8

9 LRS.Sg(pk, sk, R, M. The sgnng algorthm takes as nput a message M {0, 1}, a rng R of publc keys, and a keypar (pk, sk G 2. No key may appear twce n R, and R must nclude pk. Compute (m 1,..., m k H(M, R. Let l = R ; parse the elements of R as v G, 1 l. Let be the ndex such that v = pk. Defne {f } l =1 as { 1 f =, f = 0 otherwse. Now for each, 1 l, choose a random exponent t R Zn and set C (v /B 0 f h t and π ( (v /B 0 2f 1 h t t. As n the papers of Groth, Ostrovsky, and Saha [16] and Boyen and Waters [10], the value π acts as a proof that C s well-formed here, specfcally, that f {0, 1}. Let C l =1 C and t l =1 t. Observe that, when there s exactly one non-zero value amongst {f }, vz., f, we have B 0 C = (v (h t, so C serves as an encrypton of the user s publc key. (The role of B 0 s dscussed below. Fnally, choose r R Z n and compute S 1 sk (u k j=1 um j j r  t and S 2 g r The sgnature s output as σ = ( (S 1, S 2, {(C, π } l =1 G 2l+2. LRS.Vf(R, M, σ. Compute (m 1,..., m k H(M, R. Let l = R ; parse the elements of R as v G, 1 l. Verfy that no element s repeated n R and reject otherwse. Parse the sgnature σ as ( (S 1, S 2, {(C, π } l =1 G 2l+2. (If ths parse fals, reject. Check frst that the proofs {π } are vald: for each, 1 l, that e ( C, C /(v /B 0? = e(h, π (3 holds. If any of the proofs s nvald, reject. Otherwse, set C l =1 C. Accept f the followng equaton s satsfed: e(a, B 0 C =? e(s 1, g e ( S2 1, k u j=1 um j j. (4 Dscusson. As outlned n the ntroducton, n our rng sgnature scheme we wsh to prove that the value C whch s computed by multplyng all C values together contans an encrypton of exactly one key from the rng. Ths can be done by both usng GOS proofs to show that each C s ether an encrypton of the proper publc key or the dentty element and that exactly one of these s not the dentty element. (If every C were an encrypton of the dentty element everywhere, the publc key encrypted n C would be the dentty element and trval for the adversary to forge under. Instead of drectly provng ths, whch would requre larger though stll O(l-szed 3 proofs, we have the user prove that each C s an encrypton of the dentty element or the -th publc 3 A possble crcut s as follows. Let {f } be the ndcator varables. Let c 1 0 = c 2 0 = 0, and for 1 compute c 1 and c 2 as c 1 c 1 1 f and c 2 c 2 1 (f c 1 1. Fnally, prove that c 1 l = 1 and c 2 l = 0. 9

10 key n the rng tmes some group element B 0 gven by the setup algorthm. Thus, C wll be an encrypton of a publc key tmes B 0. Now a sgner wll nstead prove that the sgnature verfes under the encrypted key dvded by B 0, whch s the sgner s orgnal publc key. In ths way f a forger attempts to forge by lettng all C be encryptons of the dentty element, he wll need to forge under the publc key B 0. 7 Securty We now prove that our rng sgnature scheme s anonymous aganst full key exposure and unforgeable wth respect to nsder corrupton. 7.1 Anonymty The anonymty proof closely follows that gven by Boyen and Waters for ther group sgnature [10]. Theorem 7.1. Our rng sgnature scheme s anonymous aganst full key exposure f SGH s hard. Proof. The proof proceeds n games. We defne Games 0 and 1 as follows. In Game 0, h s chosen unformly from G q ; n Game 1, h s chosen unformly from G. Games 0 and 1. Algorthm B s gven: the group order n (but not ts factorzaton; the descrpton of the group G, together wth generators g of G and h; n Game 0, h s chosen from G q ; n Game 1, h s chosen from all of G. Algorthm B chooses a collson resstant hash functon H : {0, 1} {0, 1} k. It follows the setup algorthm above to obtan system parameters (A, B 0, Â and (u, u 1,..., u k. Algorthm B then runs Kg l tmes to obtan publc-prvate keypars {(pk, sk } l =1, recordng n addton the randomnesses {b } used n each run. Algorthm B runs A, provdng to t the followng: the descrpton of the group G, ncludng ts order n and the generators g and h; the common parameters (A, B 0, Â and (u, u 1,..., u k, along wth the descrpton of the hash functon H; and the challenge publc keys {pk } l =1. When A makes a sgnng query of the form (s, R, M, A responds wth σ = Sg(pk s, sk s, R, M. Fnally, A requests a challenge wth the values ( 0, 1, R, M. Algorthm B chooses a bt b R {0, 1}, computes the challenge sgnature σ Sg(pk b, sk b, R, M, and provdes A wth σ. In addton, the challenger provdes A wth the random cons {b } used to generate the prvate keys. Algorthm A fnally outputs ts guess b for b; B outputs 1 f b = b, 0 otherwse. Dscusson. Denote by Adv game-0 B the advantage B has over 1/2 n Game 0, and by Adv game-1 B the advantage over 1/2 t has n Game 1. Clearly, we have Adv game-0 B = Adv rsg-anon-ke LRS, A, (5 snce n Game 0 A s envronment s exactly as specfed n the anonymty game. Moreover, suppose that Bś output were dfferent n the two games. Then we could use B, wth A as a subroutne, to solve SGH: gven generators (g, h to test, we provde them to B and output 1 f B does. Ths gves 10

11 a new algorthm C for whch we have Adv sgh C = Pr [ B = 1 h R ] [ R ] G p Pr B = 1 h G ( 2 Pr [ B = 1 h R ] ( [ R ] G p 1 2 Pr B = 1 h G 1 = 1 2 = 1 2 Adv game-0 B Adv game-1 B. (6 But now, we argue that Adv game-1 B = 0, even f A s computatonally unbounded. Consder the dstngushng challenge ( (S 1, S 2, {(C, π } l =1 G 2l +2. For each, we have C = (v /B 0 f h t wth f {0, 1} and t Z n. But when h s a generator of G there exst τ 0, τ 1 Z n such that C = (v /B 0 h τ 1 = h τ 0 and, moreover, denotng by (π f = b the value whch π s assgned f f s set to b {0, 1}, we have (π f = 1 = ((v /B 0 1 h τ 1 τ 1 = (h τ 0 τ 1 = (h τ 1 τ 0 = ((v /B 0 1 h τ 0 τ 0 = (π f = 0, so for each the par (C, π s consstent wth ether f = 0 or f = 1, and A can gan no nformaton from ths part of the sgnature. The value S 2 = g r s unrelated to the choce of sgner. Thus f A can gan nformaton, t s only from S 1. But, havng fxed S 2 and {(C, π }, S 1 s the unque value satsfyng (4. Specfcally, lettng A = g a, S 2 = g r, and C/B 0 = g c (all of whch a computatonally unbounded adversary can calculate, we have S 1 = g ac (u k j=1 um j r. j Thus ths value gves no nformaton about whether sk 0 or sk 1 was used to generate the challenge sgnature, and A can do no better than guess b. Ths establshes Puttng equatons (5, (6, and (7 together, we see that Adv game-1 B = 0 (7 Adv rsg-anon-ke LRS, A 2Adv sgh C. To nterpret ths result concretely, we note that the algorthm B used n the reducton took O(1 operatons to set up and obtan the result, and O(1 tme to answer each of A s queres. To nterpret t asymptotcally, we ntroduce the securty parameter that we have suppressed, note that the reducton s polynomal-tme n that parameter, and observe that f Adv rsg-anon-ke LRS, A s non-neglgble, then so s Adv sgh C. Ether nterpretaton mples the result stated nformally n the theorem. 7.2 Unforgeablty We show that our rng sgnature scheme s unforgeable. We present a proof sketch here, wth the proof relegated to Appendx A. Theorem 7.2. Our rng sgnature scheme s unforgeable wth respect to nsder corrupton f H s collson resstant and CDH s hard n G p. 11

12 sketch. The algorthm that makes the reducton s gven the factorzaton of n. Usng ths and standard Chnese Remanderng technques, t can decompose an element of G nto ts G p and G q consttuents. Ths allows t to undo BGN blndng wth h t terms, and to recover from a sgnature the values f used n generatng t. Each of these must be n the set {0, 1} by the perfect soundness of GOS proofs. Frst, we ensure that any forgery (M, R s such that H(M, R s not equal to H(M, R for any prevous sgnng query (M, R made by the adversary. Ths s easy: an adversary for whch ths s not true would break the collson resstance of H. Havng dsposed of ths possblty, we dstngush between two types of adversares. Consder the values {f } that we recover from the forgery. For the frst type of adversary, the number of s such that f = 0 s ether 0 or more than 1. For the second type, exactly one f equals 1. For the frst type of adversary, we note that each C such that f = 1 contrbutes a (v /B 0 term to the encrypted Waters key C = C. Thus the Waters key under whch the encrypted sgnature (S 1, S 2 s verfed, B 0 C, wll nclude a B 1 f 0 term, where f = f 1 for ths type of adversary. Thus f we embed a CDH challenge n A and B 0, but construct the Waters hash generators (u, u 1,..., u k and user keys {v } so that we know ther dscrete logarthms, we wll obtan from the forgery values (S 1, S 2 such that e(a, B 1 f 0 η r = e(s 1, η e ( S2 1, ηx, where r and x are numbers we compute. From ths we easly obtan the CDH soluton. (Because we must project nto G p to recover the f s, we obtan a CDH soluton n G p rather than G, whch s why the generator η of G p has replaced g n the verfcaton equaton above. For the second type of adversary, we obtan a Waters sgnature forgery. Gven the challenge Waters publc key (η 1, η 2, whch agan s n G p, and the Waters hash generators (û, û 1,..., û k, we place η 1 n A, addng a random G q component so that A spans G, and pck B 0 arbtrarly. We smlarly extend the challenge waters hash generators to G. We pck all the user keys arbtrarly except one, whch we nstantate usng η 2, properly extended to G. Now we can handle corrupton queres for every user except the specal one. Sgnng queres we can answer drectly for the normal users, and can answer for the specal user usng our Waters sgnng oracle. Ths oracle returns a sgnature (Ŝ1, Ŝ2 G 2 p; extendng ths to a properly-blnded sgnature n G takes a bt of work, but sn t terrbly dffcult. The ndex of the specal user s kept hdden from the adversary, so wth probablty 1/l he doesn t make a corrupton query for that user but then does make hs forgery for that user. (Recall that ths type of adversary always has exactly one user for whch f = 1. We convert the adversary s forgery to a Waters sgnature forgery n G p. Because H(M, R s dfferent for ths forgery than for prevous sgnng queres, the forgery s nontrval. Thus we obtan from a rng sgnature forgng adversary a break of ether the collson resstance of H or the CDH hardness of G p or (wth a 1/l loss of advantage to the unforgeablty of the Waters sgnature n G p. However, the Waters sgnature n G p s unforgeable f CDH s hard n G p, and the theorem statement follows. 8 Conclusons and Open Problems We presented the frst effcent rng sgnatures that are provably secure wthout random oracles under standard assumptons. Sgnatures n our scheme are of sze 2l + 2 group elements for l members n a rng. We showed our sgnatures to be secure for the strongest defntons of securty. Two nterestng open problems reman: to obtan a rng sgnature secure wthout random oracles where (1 user keys need not be generated n a partcular shared group; or (2 sgnature length s 12

13 ndependent of the number of sgners mplcated n the rng. References [1] M. Abe, M. Ohkubo, and K. Suzuk. 1-out-of-n sgnatures from a varety of keys. In Y. Zheng, edtor, Proceedngs of Asacrypt 2002, volume 2501 of LNCS, pages Sprnger-Verlag, Dec [2] M. Bellare and P. Rogaway. Random oracles are practcal: A paradgm for desgnng effcent protocols. In D. Dennng, R. Pyle, R. Ganesan, R. Sandhu, and V. Ashby, edtors, Proceedngs of CCS 1993, pages ACM Press, Nov [3] A. Bender, J. Katz, and R. Morsell. Rng sgnatures: Stronger defntons, and constructons wthout random oracles. Cryptology eprnt Archve, Report 2005/304, acr.org/. [4] A. Bender, J. Katz, and R. Morsell. Rng sgnatures: Stronger defntons, and constructons wthout random oracles. In S. Halev and T. Rabn, edtors, Proceedngs of TCC 2006, volume 3876 of LNCS, pages Sprnger-Verlag, Mar [5] D. Boneh and X. Boyen. Effcent selectve-id secure dentty based encrypton wthout random oracles. In C. Cachn and J. Camensch, edtors, Proceedngs of Eurocrypt 2004, volume 3027 of LNCS, pages Sprnger-Verlag, May [6] D. Boneh and X. Boyen. Secure dentty based encrypton wthout random oracles. In M. Frankln, edtor, Proceedngs of Crypto 2004, volume 3152 of LNCS, pages Sprnger- Verlag, Aug [7] D. Boneh and M. Frankln. Effcent generaton of shared RSA keys. J. ACM, 48(4:702 22, July [8] D. Boneh, C. Gentry, B. Lynn, and H. Shacham. Aggregate and verfably encrypted sgnatures from blnear maps. In E. Bham, edtor, Proceedngs of Eurocrypt 2003, volume 2656 of LNCS, pages Sprnger-Verlag, May [9] D. Boneh, E.-J. Goh, and K. Nssm. Evaluatng 2-DNF formulas on cphertexts. In J. Klan, edtor, Proceedngs of TCC 2005, number 3378 n LNCS, pages Sprnger-Verlag, Feb [10] X. Boyen and B. Waters. Compact group sgnatures wthout random oracles. In S. Vaudenay, edtor, Proceedngs of Eurocrypt 2006, volume 4004 of LNCS, pages Sprnger-Verlag, May [11] E. Bresson, J. Stern, and M. Szydlo. Threshold rng sgnatures and applcatons to ad-hoc groups. In M. Yung, edtor, Proceedngs of Crypto 2002, volume 2442 of LNCS, pages Sprnger-Verlag, Aug [12] J. Camensch and A. Lysyanskaya. Sgnature schemes and anonymous credentals from blnear maps. In M. Frankln, edtor, Proceedngs of Crypto 2004, volume 3152 of LNCS, pages Sprnger-Verlag, Aug

14 [13] D. Chaum and E. van Heyst. Group sgnatures. In D. W. Daves, edtor, Proceedngs of Eurocrypt 1991, volume 547 of LNCS, pages Sprnger-Verlag, Apr [14] S. Chow, J. Lu, V. We, and T. H. Yuen. Rng sgnatures wthout random oracles. In S. Sheh and S. Jajoda, edtors, Proceedngs of ASIACCS 2006, pages ACM Press, Mar [15] Y. Dods, A. Kayas, A. Ncolos, and V. Shoup. Anonymous dentfcaton n ad hoc groups. In C. Cachn and J. Camensch, edtors, Proceedngs of Eurocrypt 2004, volume 3027 of LNCS, pages Sprnger-Verlag, May [16] J. Groth, R. Ostrovsky, and A. Saha. Perfect non-nteractve zero knowledge for NP. In S. Vaudenay, edtor, Proceedngs of Eurocrypt 2006, volume 4004 of LNCS, pages Sprnger-Verlag, May [17] J. Herranz and G. Sáez. Forkng lemmas for rng sgnature schemes. In T. Johansson and S. Matra, edtors, Proceedngs of Indocrypt 2003, volume 2904 of LNCS, pages Sprnger-Verlag, Dec [18] R. Rvest, A. Shamr, and Y. Tauman. How to leak a secret. In C. Boyd, edtor, Proceedngs of Asacrypt 2001, volume 2248 of LNCS, pages Sprnger-Verlag, Dec [19] R. Rvest, A. Shamr, and Y. Tauman. How to leak a secret: Theory and applcatons of rng sgnatures. In O. Goldrech, A. Rosenberg, and A. Selman, edtors, Essays n Theoretcal Computer Scence: n Memory of Shmon Even, volume 3895 of LNCS Festschrft, pages Sprnger-Verlag, [20] B. Waters. Effcent dentty-based encrypton wthout random oracles. In R. Cramer, edtor, Proceedngs of Eurocrypt 2005, volume 3494 of LNCS, pages Sprnger-Verlag, May [21] J. Xu, Z. Zhang, and D. Feng. A rng sgnature scheme usng blnear parngs. In C. H. Lm and M. Yung, edtors, Proceedngs of WISA 2004, volume 3325 of LNCS, pages Sprnger-Verlag, Aug A Proof of Theorem 7.2 Proof. We show how to construct, based on a forger algorthm A, an algorthm B that breaks one of our complexty assumptons. Algorthm B s gven the factorzaton n = pq. We begn by makng some observatons about workng wth a group of composte order; these follow trvally from the Chnese Remander Theorem. 1. Let δ p be such that δ p = 0 mod q and δ p = 1 mod p. Now for all z G we have z δp G p ; specfcally, z δp = 1 ff z G q. Now, for some rng sgnature, consder a par (C, π that satsfes (3. By the perfect soundness of Groth-Ostrovsky-Saha proofs, we know that C = (v /B 0 f h t wth f {0, 1}. But by the observaton above we have C δp = 1 ff f = 0. Thus, gven a vald rng sgnature, B can recover the values {f }. (Ths s provded that v /B 0 / G q. For a nontrval forgery, however, each v wll come from the set of challenge keys, whch B wll choose so that ths property holds. 14

15 2. Gven generators η of G p and h of G q, η r 1 h r 2 s a generator of G for all r 1 Z p, r 2 Z q. By drawng r 1, r 2 at random, we obtan a random generator of G. If η s kept ndependent of the adversary s vew, we can set r 1 = 1 and mantan the randomness of the generator; smlarly for h and r Gven some element u G and generator g as above, the representatons u = g a wth a Z n and u = η x h y wth (x, y Z p Z q are one-to-one; and u s projectons nto G p and G q are η x and h y, respectvely. 4. For all u G p and v G q, we have e(u, v = 1. Ths mples that for all u 1, u 2 G p and v 1, v 2 G q, we have e(u 1 v 1, u 2 v 2 = e(u 1, u 2 e(v 1, v 2. Wth ths n mnd, we dstngush three types of adversares: Type I. Amongst ts sgnng queres and ts forgery, A ssues two message rng pars (M, R and (M, R such that (M, R (M, R but H(M, R = H(M, R. Type II. Algorthm A never causes a hash collson as above. Further, ts forgery s not such that exactly one of the exponents {f } equals 1: ether f = 0 for all or f > 1. Type III. Algorthm A never causes a hash collson as above, and ts forgery s such that exactly one of the exponents {f } equals 1. We handle each type of adversary separately. Type-I Adversary. We convert a Type-I forger A to a break of the collson-resstance of H. Algorthm B smply follows the unforgeablty game of Sect. 4 usng the algorthms specfed above for our rng sgnature. In addton, B keeps track of the pars (M (, R ( ncluded n A s rng sgnng queres, and the par (M, R ncluded n ts forgery. Snce A s a Type-I adversary, these nclude two pars (M, R and (M, R such that H(M, R = H(M, R. Algorthm B outputs ths par as a collson. Clearly, B succeeds whenever A does, so we have establshed that for a Type-I adversary we have Adv rsg-uf-c LRS, A Advcoll H, B. (8 Type-II Adversary. We convert a Type-II forger A to a CDH breaker for the subgroup G p. Algorthm B s gven: the group order n and ts factorzaton n = pq; the descrpton of the group G, together wth generators η of G p and h of G q ; and, n addton, a par (η α, η β G 2 p. Its goal s to compute η αβ. Algorthm B chooses a collson resstant hash functon H : {0, 1} {0, 1} k as above. It pcks r 1 R Z q and sets g ηh r 1 ; ths s a random generator of G, by the observaton above. Now B pcks r 2, r 3 R Zq and sets A η α h r 2 and  h r 2/r 1 and B 0 η β h r 3 ; here  s correctly formed by the observaton that begns the proof; ndeed, we have e(a, h = e(h, h r 2 = e(h r 2/r 1, h r 1 = e(â, g, where we have twce used the fact that e(η, h = 1. Algorthm B pcks exponents x, x 1, x 2,..., x k R Zn, and sets u g x and, for 1 j k, u j g x j. Fnally, B generates the user keys by choosng for each, 1 l, random 15

16 R exponents b Zn, and settng pk g b and sk A b. Algorthm B runs A, provdng to t the followng: the descrpton of the group G, ncludng the generators g and h; the common parameters (A, B 0, Â and (u, u 1,..., u k, along wth the descrpton of H; and the challenge publc keys {pk } l =1. When A makes a corrupton query at ndex s, 1 s l, B responds wth sk s. When A makes a rng sgnng query of the form (s, R, M, A responds by computng σ Sg(pk s, sk s, R, M. If the sgnng algorthm returns an error condton, ndcatng that the request s nvald, B declnes to answer the sgnng query; otherwse t responds wth σ. Fnally, A outputs a forgery σ on a rng R for message M. Let l = R. Parse the rng R as (v 1,..., v l. Snce the forgery s nontrval, none of the publc keys s repeated, and there s a mappng t : [1, l ] [1, l] such that v = pk t( for each, 1 l. Moreover, A must not have made a corrupton query at any of the ndces {t(} l =1, though ths s not mportant n ths case. Algorthm B parses σ as ( (S 1, S 2, {(C, π } =1 l G 2l +2. Agan, snce the forgery s nontrval, ths parse must succeed. Each par (C, π must satsfy (3, and all the condtons hold for recoverng {f } =1 l from {C } as descrbed at the begnnng of the proof, and we have, for each, C δp = ( v δp f /Bδp 0 = ( (g b t( δp /B δp f 0 = ( η b t( /η β f. (9 Let b = l =1 f b t( and f = l =1 f. Then by (9 C δp = l =1 C δp = η b /(η β f. (10 Fnally, B computes (m 1,..., m k H(M, R and lets x x + k j=1 m x. Ths value s such that u k j=1 um j j = g x. Snce the forgery s vald, the verfcaton equaton (4 must hold; rasng both sdes to power δ p and usng (10 gves 4 or, rearrangng, so the answer to the CDH problem s e((η α, (η β η b /(η β f = e(s δp 1, η e( (S δp 2 1, η x e(η α, η β 1 f = e((η α b S δp 1 (Sδp 2 x, η, [ (η α b S δp 1 (Sδp 2 x] 1/(1 f ; we are allowed to take (1 f-th roots of both sdes because we are guaranteed, for a Type-II adversary, that f 1. Algorthm B performs ths calculaton and outputs the result. Clearly, B succeeds whenever A does, so we have establshed that for a Type-II adversary we have Adv rsg-uf-c LRS, A Advcdh G p, B. (11 4 Note that rasng the parngs to power δ p suffces: forcng one argument to G p makes the G q component of the other argument rrelevant, snce e(u, v = 1 for all u G p and v G q. 16

17 Type-III Adversary. We convert a Type-III forger A to a Waters sgnature forger n the subgroup G p. Algorthm B s gven: the group order n and ts factorzaton n = pq; the descrpton of the group G, together wth generators η of G p and h of G q ; and, n addton, WP publc parameters û, û 1,..., û k all n G p, and a WP publc key (η 1, η 2 G 2 p. Algorthm B chooses a collson resstant hash functon H : {0, 1} {0, 1} k R as above. It pcks r 1 Z q and sets g ηh r 1. Now B pcks r 2, r 3 R Zq and x R Z p sets A η 1 h r 2 and  h r 2/r 1 and B 0 η x h r 3. Note that n ths case B 0 s unrelated to the challenge WP key. Algorthm B pcks random exponents s R, s 1, s 2,..., s k Zq and sets u û h s and, for 1 j k, u j ûh s j. Fnally, B generates the user keys. It pcks R {1, 2,..., l}. For each, t chooses a random exponent b R Zn and sets pk g b and sk A b. For user, algorthm B pcks R r 4 Zq and sets pk = pk η 2 h r 4. Algorthm B does not know b and sk, and sets these to placeholder values. It s easy to see, usng the observatons made at the begnnng of the proof, that f the WP challenge gven to B s proper and unformly dstrbuted then the rng forgng challenge gven to A s also proper and unformly dstrbuted. Now algorthm B runs A, provdng to t the followng: the descrpton of the group G, ncludng the generators g and h; the common parameters (A, B 0,  and (u, u 1,..., u k, along wth the descrpton of H; and the challenge publc keys {pk } l =1. When A makes a corrupton query at ndex s, 1 s l, B responds wth sk s unless s equals, n whch case B declares falure and exts. When A makes a rng sgnng query of the form (s, R, M, A responds as follows. It frst checks that the query s properly formed, and declnes to answer otherwse. Now f s, B knows sk s, so t computes σ Sg(pk s, sk s, R, M, and responds to A wth ths value. If s =, B computes σ by queryng ts own WP sgnng oracle for an ordnary sgnature n G p and computng based on ths a blnd sgnature n G, as follows. It frst requests from ts sgnng oracle a WP sgnature on (m 1,..., m k = H(M, R. The sgnng oracle responds wth (Ŝ1, Ŝ2 G 2 p. Let l = R, and parse R as (v 1,..., v l. Now, for 1 l, algorthm B sets f 0 f v pk, and f 1 for the sngle such that v = pk. (We are guaranteed that {v } wll behave ths way by the well-formedness of the query. For each agan, B pcks a random exponent t R Zn and sets C (v /B 0 f h t and π ( (v /B 0 2f 1 h t t. These are formed exactly as n the descrpton of Sg. Algorthm B sets t l =1 t. Then we have Now B chooses r R Z q and computes C = l C = (pk /B 0 h t. (12 =1 S 1 Ŝ1 h r 2r 4 /r1 (h s /r 1 k j=1 hs jm j /r 1 r h r 2 t/r 1 and S 2 Ŝ2 h r. 17

18 Gven ths, we have e(s 1, g = e(ŝ1, g e(h r 2r 4 /r 1, g e(h s /r 1 k j=1 hs jm j /r 1, g r e(h r 2t/r 1, g = e(ŝ1, η e(h r 2r 4 /r 1, h r 1 e(h s /r 1 k j=1 hs jm j /r 1, h r 1 r e(h r 2t/r 1, h r 1 = e(ŝ1, η e(h r 2, h r 4 e(h s k j=1 hs jm j, h r e(h r 2t, h where we have used the decomposton g = ηh r 1 and the fact that e(η, h = 1. Now, snce (Ŝ1, Ŝ2 satsfes the WP verfcaton equaton (2, we have e(s 1, g = (Ŝ 1 = e(η 1, η 2 e 2, k û = e(a, pk e (Ŝ2, û k j=1 ûm j j j=1 ûm j j 1 e(h r 2, h r 4 e(h s k e ( h r, h s k j=1 hs jm j, h r e(h r 2t, h j=1 hs jm j e(h r 2 t, h. Next, we use the fourth observaton made at the begnnng of the proof to combne the parngs dealng wth message bts m j : e(s 1, g = = e(a, pk e (Ŝ2 h r, (û h s k (û jh s j m j e(h r2t, h j=1 = e(a, pk e ( S 2, u k e(h r 2 t, h Fnally, we substtute (12 for pk, obtanng e(s 1, g = j=1 um j j = e(a, CB 0 h t e ( S 2, u k j=1 um j j = e(a, CB 0 e(h r 2, h t e ( S 2, u k = e(a, CB 0 e ( S 2, u k j=1 um j j. e(h r 2 t, h j=1 um j j e(h r 2 t, h But ths s just the rng sgnature verfcaton equaton (4. Thus the sgnature as constructed s vald. We have already shown that the components {(C, π } are dstrbuted exactly as n Sg. We need only show that (S 1, S 2 s properly dstrbuted. Observe that Ŝ2 s properly dstrbuted wth some randomness ˆr Z p. Ths, combned wth the randomness r Z q we chose means that S 2 s properly dstrbuted n G. Gven a choce for S 2 and {(C, π }, there s only one choce of S 1 that satsfes the verfcaton equaton. Thus the sgnature s properly formatted. Algorthm B computes and responds to A wth σ = ( (S 1, S 2, {(C, π } l =1 G 2l+2. Fnally, A outputs a forgery σ on a rng R for message M. Let l = R. Parse the rng R as (v 1,..., v l. As before, snce the forgery s nontrval, none of the publc keys s repeated, and there s a mappng t : [1, l ] [1, l] such that v = pk t( for each, 1 l. Moreover, A must not have made a corrupton query at any of the ndces {t(} l =1. 18

19 Algorthm B parses σ as ( (S 1, S 2, {(C, π } =1 l G 2l +2. Agan, snce the forgery s nontrval, ths parse must succeed. As before, we recover {f } l =1 satsfyng Cδp = ( v δp f /Bδp 0. What s more, snce A s Type III, we know that there s exactly one ndex s {1, 2,..., l } such that f s = 1. If t(s, B declares falure and exts. Otherwse we have C δp = l =1 C δp = (pk δp /B δp 0. (13 Fnally, B computes (m 1,..., m k H(M, R. Snce the forgery s vald, the verfcaton equaton (4 must hold; rasng both sdes to power δ p and then substtutng for C δp wth (13, we obtan e(s δp 1, η e( (S δp 2 1, û k j=1 ûm j j = e(η1, B δp 0 Cδp = e ( η 1, (pk δp = e(η 1, η 2, So (S δp 1, Sδp 2 s a vald WP sgnature on H(M, R. Snce A s Type III, we know that H(M, R s dfferent from H(M, R for any (M, R for whch A made a rng sgnng query, and therefore dfferent from any H(M, R for whch B made a WP sgnng query. The forgery s thus nontrval, and A outputs t and halts. All that remans s to bound the probablty that B aborts n the smulaton above. But ths s a standard argument. The specal key s hdden at ndex, whch s unformly chosen from the set {1, 2,..., l}. Algorthm B can answer all sgnng queres correctly, so f t has not aborted after A s frst c corrupton queres, the value of s ndependent of A s vew, and the probablty that A chooses t s 1/(l c. Algorthm A may make at most l 1 corrupton queres, and ts forgery must come from the set of uncorrupted keys where, agan, s ndependent of ts vew f B dd not abort n the corrupton phase. A smple calculaton shows that regardless of A s behavor, B does not abort n ether phase wth probablty 1/l. Whenever algorthm B does not abort and A succeeds n forgng a rng sgnature, B n turn succeeds n creatng a WP forgery, so we have establshed that for a Type-III adversary we have Adv rsg-uf-c LRS, A l Advsg-uf-cma WP, B. (14 Summary. Puttng together equatons (8, (11, and (14, we obtan the followng reducton: Adv rsg-uf-c LRS, A Advcoll H, B 1 + Adv cdh G p, B 2 + l Adv sg-uf-cma WP, B 3. (15 To nterpret (15 concretely, we note that the reducton for each type of adversary took O(1 operatons to set up and obtan the result, and O(1 tme to answer each of A s queres. We can, moreover, guess whch type of adversary we are dealng wth, sustanng a 1/3 loss n advantage. To nterpret (15 asymptotcally, we ntroduce the securty parameter that we have suppressed, note that the reductons are all polynomal-tme n that parameter, and observe that f Adv rsg-uf-c LRS, A s non-neglgble, then one of the advantages on the rght hand sde must also be non-neglgble. Ether nterpretaton mples the result stated nformally n the theorem, snce WP s unforgeable f CDH s hard n G p. 19