Strongly Unforgeable Signatures Resilient to Polynomially Hard-to-Invert Leakage under Standard Assumptions

Transcription

1 Strongly nforgeable Sgnatures Reslent to Polynomally Hard-to-Invert Leakage under Standard Assumptons Masahto Ishzaka and Kanta Matsuura Insttute of Industral Scence, The nversty of Tokyo, Tokyo, Japan. {shmasa, Abstract. A sgnature scheme s sad to be weakly unforgeable, f t s hard to forge a sgnature on a message not sgned before. A sgnature scheme s sad to be strongly unforgeable, f t s hard to forge a sgnature on any message. In some applcatons, the weak unforgeablty s not enough and the strong unforgeablty s requred, e.g., the Canett, Halev and Katz transformaton. Leakage-reslence s a property whch guarantees that even f secret nformaton such as the secret-key s partally leaked, the securty s mantaned. Some securty models wth leakage-reslence have been proposed. The hard-to-nvert leakage model, a.k.a. auxlary (nput) leakage model, proposed by Dods et al. at STOC 09 s especally meanngful one, snce the leakage caused by a functon whch nformaton-theoretcally reveals the secret-key, e.g., one-way permutaton, s consdered. In ths work, we propose a generc constructon of dgtal sgnature strongly unforgeable and reslent to polynomally hard-to-nvert leakage whch can be nstantated under standard assumptons such as the decsonal lnear assumpton. We emphasze that our nstantated sgnature s not only the frst one reslent to polynomally hard-to-nvert leakage under standard assumptons, but also the frst one whch s strongly unforgeable and has hard-to-nvert leakage-reslence. Keywords: Dgtal sgnature, Strong exstental unforgeablty, Leakage-reslence, Hardto-nvert leakage, Auxlary(-nput) leakage. 1 Introducton Strongly nforgeable Sgnature. We say that a sgnature scheme s weakly (exstentally) unforgeable f t s hard to forge a sgnature on a message not sgned before. We say that a sgnature scheme s strongly (exstentally) unforgeable f t s hard to forge a sgnature on any message whch can be a message sgned before. Snce most of the sgnature schemes generate a sgnature randomly, there s a gap between the weak unforgeablty and strong unforgeablty. Moreover, n some applcatons, strongly unforgeable sgnature scheme s requred, e.g., Canett-Halev-Katz transformaton [13]. Ths s the full verson of a short paper appeared n the proceedngs for the 21st Informaton Securty Conference (ISC2018).

2 Leakage-Reslent Cryptography. Leakage-reslence s a property whch guarantees that even f secret nformaton such as the secret key s partally leaked, the securty s mantaned. Any scheme whose securty has been proven only n a securty model wthout leakage-reslence s not guaranteed to be secure when some nformaton about the secret nformaton such as the secret-key are leaked. There exst some sde-channel attacks whch are real threats to us, e.g., cold-boot attack [21], so leakage-reslent cryptographc schemes are practcally desrable. In the securty model consderng leakage-reslence, a sde-channel attack caused by an adversary s modeled as a polynomal tme computable functon f : {0, 1} S ecret {0, 1} 1. The adversary s allowed to choose an arbtrary leakage functon f, query t to the leakage oracle, then learn f (S ecret). If we allow the adversary to choose the dentty map as f, the adversary acqures the secret key entrely and s able to break the securty model wth no falures. Hence, we have to mpose a restrcton on f. Several securty models n whch dfferent restrctons are mposed on f have been proposed. In bounded leakage (BL) model [1], the output bt-length of f s restrcted. More S ecret concretely, only f satsfyng f : {0, 1} {0, 1} l(k) such that l(k) < k can be chosen 2. To make the output bt-length of f unbounded, nosy leakage (NL) model [28] was nvented. In NL model, only f : {0, 1} S ecret {0, 1} such that, when we observe f (S ecret), the mnmum entropy of the secret key sk drops by at most l(k) < k can be chosen. Any functon whch nformaton-theoretcally reveals the secret key sk s excluded n each one of the two models. Thus, for nstance, one-way permutaton cannot be chosen n each one of the models. To remove such a restrcton, hard-tonvert leakage (HL) model, a.k.a. auxlary (nput) leakage (AL) model, was nvented [16]. In HL model, the functon f must be a hard-to-nvert functon. More concretely, only f such that, gven f (S ecret), no PPT algorthm can compute sk wth a probablty larger than µ(k) can be chosen, where µ( ) s a neglgble functon such that µ(k) > 2 k. The larger µ(k) s, the larger the functon class of f s. HL model s a generalzaton of BL and NL model, thus has a larger functon class. Moreover, HL model s useful n the context of the composton. There may be the case when we want to use the same par of publc key and secret key of a hard-to-nvert leakage-reslent cryptographc scheme for multple schemes. Ther composton remans secure as long as each one of the other schemes has been proven to be secure n the standard (non-leakage-reslent) securty model [32, 14]. Large number of cryptographc schemes wth leakage-reslence have been proposed. For nstance, publc-key encrypton [1, 15, 5, 14], dentty-based encrypton [12, 26, 24, 32], attrbute-based encrypton [26, 35, 34, 36], dentfcaton [2, 15], and authentcated key agreement [2, 15], have been proposed. Related Works. Katz and Vakuntanathan [25] defned that fully leakage-reslent (FLR) sgnature s a sgnature reslent to not only the drect leakage from the secret-key, but also the leakage from the randomness used to generate the secret-key and sgna- 1 S ecret denotes the secret nformaton. S ecret denotes the bt-length of S ecret. 2 k denotes the mnmum entropy of the secret key sk. If the secret-key s generated unformly at random, k s equvalent to the bt-length of the secret-key sk. 2

3 tures generated by the sgnng oracle. FLR or non-flr sgnature schemes secure n the bounded-leakage model have been proposed n [2, 25, 27, 10]. The concept of the hard-to-nvert leakage-reslence was presented by Dods et al. [16]. They proposed symmetrc-key encrypton schemes whch s IND-CPA or IND- CCA secure and reslent to exponentally hard-to-nvert leakage. In a subsequent work, Dods et al. [14] started a research on publc-key encrypton wth hard-to-nvert leakagereslence. They defned two leakage-functon classes. The class H ow (ξ(λ)) (resp. H pkow (ξ(λ))) conssts of every polynomal-tme computable functon f : {0, 1} pk + sk {0, 1} such that any PPT algorthm A whch s gven f (pk, sk) (resp. (pk, f (pk, sk))) as nput s able to guess sk correctly only wth a probablty smaller than ξ(λ), where ξ(λ) > 2 k s a neglgble functon and (pk, sk) s a randomly generated key-par. They proved that the BHHO encrypton scheme [7] and a slghtly modfed verson of the GPV encrypton scheme [18] are IND-CPA secure n HL model w.r.t. the functon class H ow (1/µ 1 (λ)), where µ 1 (λ) s a sub-exponental functon. They also mentoned n Subsect. 1.2 of [14] that a PKE scheme whch s IND-CPA secure n HL model w.r.t. H pkow (1/µ 2 (λ)), where µ 2 (λ) s a polynomal functon, s gven n ts full paper. Faust et al. presented the frst research result on dgtal sgnature wth hard-to-nvert leakage-reslence [17]. To construct a sgnature scheme secure n HL model, there s an obstacle whom we have to overcome. It s how to prevent from an adversary choosng an algorthm generatng a vald sgnature on a message as a leakage-functon, then output the par of sgnature and message. Faust et al. proposed a sgnature scheme whch s wef-cma (weakly exstentally unforgeablty under adaptvely chosen messages attack) secure n HL model w.r.t. the functon class H pkow (1/µ 3 (λ)), where µ 3 (λ) s an exponental functon. Ther soluton to overcome the obstacle explaned earler s to nclude a cphertext of the secret-key sk n a sgnature. Specfcally, ther sgnature scheme adopts the labeled publc-key encrypton (LPKE) as a buldng block, and ncludes a cphertext of the secret-key n a sgnature. Moreover, for ther sgnature scheme, the hardness parameter 1/µ 3 (λ) n the leakage functon class s set as 1/µ 3 (λ) << 2 l dk, where l dk N denotes the bt-length of the decrypton-key dk of the LPKE scheme. Ths soluton effectvely works. The reason s as follows. Snce any PPT algorthm s able to guess the decrypton-key dk correctly wth probablty 2 l dk, any PPT nverter n the defnton of the functon class H pkow (1/µ 3 (λ)) whch s gven a sgnature ncludng a cphertext C of the secret-key sk s able to guess sk correctly wth probablty 2 l dk >> 1/µ 3 (λ) by guessng the decrypton-key dk, then decryptng the cphertext C wth the guessed dk. Hence, the sgnng algorthm s excluded from the class H pkow (1/µ 3 (λ)). By the way, they showed that ther sgnature scheme can be nstantated under standard assumptons such as the DLIN assumpton [4]. Independently of Faust et al. [17], Yuen et al. [33] also presented a research result on sgnature secure n HL model. To overcome the obstacle to construct a sgnature wth hard-to-nvert leakage reslence, Yuen et al. proposed an orgnal securty model, whch s named selectve auxlary nput model. In the securty model, the adversary s allowed to choose as the leakage-functons only functons whch are ndependent of the publckey. They proposed a sgnature scheme secure n the securty model. Ther sgnature scheme s FLR and reslent to polynomally hard-to-nvert leakage. Here, ther defnton of leakage functon f beng reslent to polynomally hard-to-nvert leakage s as 3

4 follows: any PPT algorthm whch s gven (pk, S, f (state)) s able to guess sk correctly only wth a neglgble probablty, where (pk, sk) s a randomly generated key-par, S s a set of randomly generated sgnatures on the messages quered to the sgnng oracle, and state s a set of randomnesses used to generate sk and the sgnatures S. Ther defnton of leakage-functon s undesrable snce t depends on the sgnatures generated on the sgnng oracle. Subsequently, Wang et al. [30] proposed a sgnature scheme secure n the selectve auxlary nput model. Ther sgnature scheme s FLR and reslent to polynomally hard-to-nvert leakage. Ther defnton for a functon to be reslent to polynomally hard-to-nvert leakage s not the same as the one by Yuen et al. [33]. It s mproved as follows: any PPT algorthm whch s gven f (sk) s able to dentfy sk only wth a neglgble probablty. However, ther scheme needs dfferng nput obfuscator (do), ndstngushable obfuscator (O), and pont-functon obfuscator wth auxlary nput (AIPO), each one of whch has been constructed only under strong assumptons. Note that each one of the sgnature schemes wth auxlary leakage reslence by Faust et al., Yuen et al., and Wang et al., s not strongly exstentally unforgeable, but weakly exstentally unforgeable. Boneh et al. [9] proposed a method to transform a weakly unforgeable sgnature scheme nto a strongly unforgeable one. However, ther transformaton can be appled to parttoned sgnatures only. In a subsequent work, Stenfeld et al. [29] proposed a method to transform any weakly unforgeable sgnature nto a strongly unforgeable one. Note that each transformaton by Boneh et al. and Stenfeld et al. has a common property such that each one of the publc-key, secret-key and sgnature of the strongly unforgeable sgnature scheme becomes each one of the publc-key, secret-key and sgnature of the weakly unforgeable sgnature whom some new elements are added to. Huang et al. [22] proposed a transformaton whch no new elements are added to the publc-key, secret-key and sgnature. Wang et al. [31] modfed the transformaton by Stenfeld et al. [29] to get a transformaton from a sgnature weakly exstentally unforgeable and FLR n the bounded leakage model to a strongly unforgeable one. The transformaton by Stenfeld et al. utlzes two chameleon hash functons (wth no leakage-reslence). In the transformaton by Wang et al., one of the chameleon hash functons s assumed to satsfy a property such that any PPT algorthm cannot fnd a strong collson even f the algorthm s gven a length-bounded nformaton about the secret-key. The transformaton by Wang et al. needs to add some new elements to both the key-par and sgnature. Huang et al. [20] modfes the transformaton by Huang et al. [22] to get a method to transform a sgnature weakly exstentally unforgeable and FLR n the BL model nto a strongly unforgeable one whch no elements are added to the sgnature 3. Our Results. We propose a generc constructon of sgnature scheme strongly whch s unforgeable and reslent to polynomally hard-to-nvert leakage and can be nstantated under standard assumptons. Specfcally, we gve an example of ts nstantaton under 3 By the transformaton n [20], some new elements are added to the publc-key and secretkey. 4

5 the decsonal lnear (DLIN) assumpton [4]. Our securty model s not the selectve auxlary leakage model [33], so the leakage-functon can be dependent on the publckey. Our result s a desrable one because of the followng two ndependent ponts. Frstly, our sgnature nstantaton s the frst one whch s reslent to polynomally hardto-nvert leakage under standard assumptons. Secondly, our sgnature nstantaton s the frst one whch s strongly unforgeable and has hard-to-nvert leakage-reslence. Our Approach. Our result s obtaned by modfyng the one by Faust et al. [17]. Before explanng how the modfcaton s done, we explan the result by Faust et al. n detal. Faust et al. proposed a generc constructon of a sgnature scheme secure n the wef-cma securty model w.r.t. the functon class H pkow (ξ(λ)). It conssts of three buldng blocks. They are second pre-mage resstant hash functon (SPRHF), labeled PKE (LPKE) whose decrypton-key dk has bt-sze l dk N, and non-nteractve zeroknowledge proof (NIZK) whose trapdoor td has bt-sze l td N. The hardness parameter of the leakage functon class s set as ξ(λ) = 2 (λ+l dk+l td ). A sgnature σ on a message m conssts of an LPKE cphertext c and an NIZK proof π. Concretely, the cphertext c s an LPKE cphertext encryptng the secret-key sk under the label m, and the proof π s an NIZK proof whch proves that there exsts a secret-key sk such that the cphertext c s a cphertext of sk on the label m and the hashed value of sk s equvalent to the hashed value of the real secret-key sk whch s ncluded n the publc-key pk. Intutvely speakng, the securty proof for the sgnature by Faust et al. s done as follows. By modfyng the ntal securty game several tmes, we get the fnal game Game f nal. In Game f nal, for a sgnature σ = (c, π) on the sgnng oracle, the cphertext c s generated by encryptng 0 sk nstead of sk, and the proof π s generated by usng the trapdoor td nstead of sk. In addton, the adversary s consdered to wn the game, f he successfully outputs a sgnature σ = (c, π ) and a message m such that c s a vald cphertext of sk on label m, and π s a vald proof. We prove that every PPT A wns the game only wth a neglgble probablty by a reducton to the hard-to-nvert property of the leakage-functon f H pkow (2 (λ+l dk+l td ) ). In the reducton, a smulator S needs both td and dk to smulate Game f nal and decrypt the cphertext c. However, by the defnton of the leakage functon class H pkow ( ), S s gven nether td nor dk, so S has to guess them, and the guess succeeds wth probablty 2 (l dk+l td ). By the above reason, the hardness parameter for Faust et al. s sgnature scheme becomes 2 (λ+l dk+l td ). The above s the result by Faust et al. We modfy the result wth three steps. In the frst step, we generalze the second pre-mage resstance (SPR) property of the SPRHF, whch s one of the buldng blocks. Intutvely, the SPR property s a property such that no PPTA gven a key-par (pk, sk) s able to fnd a secret-key sk whch s not sk, but has a hashed value equvalent to the hashed value of sk wth a non-neglgble probablty. We generalze t to a property such that no PPTA gven (pk, sk) s able to fnd a secret-key sk such that a relaton holds between sk and sk and another relaton also holds between sk and pk wth a non-neglgble probablty. The second step s to modfy the defnton of the leakage-functon class H pkow ( ). In the modfed defnton of the functon class, the PPT algorthm (or nverter) A s gven not only the publc-key of the key-par (pk, sk), but also some varables whch are generated durng generaton of the key-par and are not drectly ncluded n ether pk or 5

6 sk. Specfcally, for our sgnature scheme, the varables are the decrypton-key dk and the trapdoor td. If the defnton of the leakage-functon class s modfed to such one, the smulator n the proof for Game f nal s not forced to guess dk and td wth probablty 2 (l dk+l td ), so the polynomally hard-to-nvert leakage-reslence securty s acheved. Instantatng the generc constructon of the sgnature scheme, we can concretely generate the frst sgnature scheme (weakly unforgeable and) reslent to polynomally hard-tonvert leakage under standard assumptons such as the DLIN assumpton. In the thrd step, we apply a methodology whch s nvented by modfyng the one by Wang et al. [31] to the weakly unforgeable sgnature scheme n the second step, then get a strongly unforgeable one. Note that unlke Wang et al., we do not propose a generc transformaton from a weakly unforgeable and reslent to hard-to-nvert leakage to a strongly unforgeable one. In the transformaton by Wang et al., a chameleon hash functon wth strong collson-resstance n the bounded leakage model (BLR- CHF) was used. We use a CHF wth strong collson-resstance n HL model (HLR- CHF). Moreover, the secret-key of the strongly unforgeable sgnature scheme obtaned by the transformaton by Wang et al. ncludes not only the orgnal secret-key,.e., the secret-key of the weakly unforgeable sgnature, but also the secret-key of the BLR- CHF. However, the secret-key of our strongly unforgeable sgnature ncludes only the secret-key of the HLR-CHF. By nstantatng the sgnature scheme, we obtan the frst concrete constructon of dgtal sgnature strongly unforgeable and reslent to polynomally hard-to-nvert leakage under standard assumptons such as the DLIN assumpton. Paper Organzaton. Ths paper s organzed as follows. In Sect. 2, we gve basc notatons and the syntax and the defnton of securty or property of labeled publc-key encrypton, non-nteractve zero-knowledge proof and chameleon hash functon. In Sect. 3, we gve the syntax and the defnton of strong unforgeablty n HL model of dgtal sgnature. In Sect. 4, our generc constructon of sgnature and ts securty proof are gven. In Sect. 5, we show that the generc constructon of sgnature n Sect. 4 can be nstantated under the DLIN assumpton. 2 Prelmnares Notaton. For a, b N, [a, b] denotes {x N a x b}. For λ N, 1 λ denotes a securty parameter. We say that a functon h : N R s neglgble f for every c N, there exsts x 0 N such that h(x) x c for every x x 0. G s a functon whch takes 1 λ as nput, and randomly outputs (p, G, g), where p s a prme number whose bt-sze s λ, G s a multplcatve cyclc group whose order s p, and g s a generator of G. PPTA means probablstc polynomal tme algorthm. 2.1 Hardness Assumptons Dscrete Logarthm (DL) Assumpton. For λ N, let (p, G, g) G(1 λ ). DL assumpton holds, f for every PPTA A, the probablty Pr[x A(p, G, g, g x ) x Z p ] s neglgble n λ. 6

7 Decsonal Lnear (DLIN) Assumpton [4]. For λ N, let (p, G, g) G(1 λ ). DLIN assumpton holds, f for every PPTA A, Pr[1 A(p, G, g 1, g 2, g 3, g r 1 1, gr 2 2, gr 1+r 2 3 ) g 1, g 2, g 3 G, r1, r 2 Zp ] Pr[1 A(p, G, g 1, g 2, g 3, g r 1 1, gr 2 2, gu 3 ) g 1, g 2, g 3 G, r1, r 2, u Z p ] s neglgble n λ. 2.2 Labeled Publc Key Encrypton Syntax. Labeled publc key encrypton (LPKE) conssts of three polynomal tme algorthms {Gen, Enc, Dec}. Gen and Enc are probablstc. Dec s determnstc. Gen(1 λ ) (ek, dk). The key generaton algorthm takes 1 λ as nput, and outputs an encrypton key ek, and a decrypton key dk. Plantext space M, cphetext space C, and label space L are unquely determned by ek. Enc(ek, m, L) C. The encrypton algorthm takes the encrypton key ek, a plantext M M, and a label L L as nputs, and outpus a cphertext C. Dec(dk, C, L) M /. The decrypton algorthm 4 takes the decrypton key dk, a cphetext C C, and a label L L as nputs, and outputs a plantext M or. A LPKE scheme must be correct. LPKE scheme Σ LPKE = {Gen, Enc, Dec} s correct, f for every λ N, every (ek, dk) Gen(1 λ ), every M M, every L L, and every C Enc(ek, M, L), t holds that M Dec(dk, C, L) Cphertext Indstngushablty To defne weak cphertext ndstngushablty aganst adaptvely chosen label and cphertexts attacks (IND-wLCCA) for a LPKE scheme Σ LPKE = {Gen, Enc, Dec}, we use the followng game whch s played between an adversary A and challenger CH. Key-Generaton. CH runs (ek, dk) Gen(1 λ ), and sends ek to A. Query. A s allowed to use the decrypton oracle Dec adaptvely. Dec(C, L): A queres a cphertext C C and a label L L. CH returns M / Dec(dk, C, L). Challenge(M 0, M 1, L ). A sends two plantexts M 0, M 1 M, and a label L L. CH sets b {0, 1}, then returns C Enc(ek, M b, L ). Query 2. A s allowed to use the decrypton oracle Dec adaptvely. Dec(C, L): A queres a cphertext C C and a label L L such that L L. CH returns M / Dec(dk, C, L). Guess(b ). A sends b {0, 1} to CH. Defnton 1. LPKE scheme Σ LPKE s IND-wLCCA secure f for any PPT adversary A, (λ) = 2 Pr[b = b] 1 s neglgble. Adv IND-wLCCA A,Σ LPKE 4 Although Dec needs the encrypton-key ek as an nput snce ek ncludes nformaton such as the prme p, the group G, and etc., we often omt ek as the nput. 7

8 2.3 Non-Interactve Zero-Knowledge Proof Syntax. Non-nteractve zero-knowledge proof (NIZK) Π NIZK for a language L conssts of three polynomal tme algorthms {Gen, Pro, Ver}. Each one of Gen and Pro s probablstc. Ver s determnstc. R L denotes the wtness relaton. Gen(1 λ ) crs. The key-generaton algorthm takes 1 λ as an nput, and outputs a common reference strng (CRS) crs. Pro(crs, x, w) π. The proof-generaton algorthm takes the CRS crs, a statement x, and a wtness w as nputs, and outputs a proof π. Ver(crs, x, π) 1 / 0. The proof-verfcaton algorthm takes the CRS crs, a statement x, and a proof π as nputs, and outputs 1 or 0. A NIZK scheme must be correct. A NIZK scheme Σ NIZK = {Gen, Pro, Ver} s correct f for every λ N, every crs Gen(1 λ ), every (x, w) such that (x, w) R L, and every π Pro(crs, x, w), t holds that 1 Ver(crs, x, π). We gve the defntons of soundness and zero-knowledge for a NIZK scheme. Defnton 2. A NIZK scheme Σ NIZK = {Gen, Pro, Ver} s sound f for every λ N, every crs Gen(1 λ ), and every PPT A, s neglgble. Pr [A(crs) (x, π) s.t. [Ver(crs, x, π) 1] [x L]] Defnton 3. A NIZK scheme Σ NIZK = {Gen, Pro, Ver} s zero-knowledge f for every λ N and every PPT A, there exsts a PPT S = (S 1, S 2 ) such that Pr [ A Ocrs 0 (x,w) (crs) 1 Gen(1 λ ) crs ] [ ] Pr A Ocrs,td 1 (x,w) (crs) 1 S 1 (1 λ ) (crs, td) s neglgble, where O crs 0 (x, w) returns Pro(crs, x, w) (resp. ), f (x, w) R L (resp. (x, w) R L ), and O crs,td 1 (x, w) returns S 2 (crs, x, td) (resp. ), f (x, w) R L (resp. (x, w) R L ). 2.4 Chameleon Hash Functon Syntax. A chameleon hash functon (CHF) scheme conssts of the polynomal tme algorthms {Gen, Eval, TC, SKVer, SKVer2}. Gen and TC are probablstc, and Eval, SKVer and SKVer2 are determnstc. Gen(1 λ ) (pk, sk). The key-generaton algorthm takes a securty parameter 1 λ, where λ N, as an nput, and outputs a publc-key pk and a secret-key (or trapdoor) sk. The message space M, randomness space R and hashed value space H are unquely determned by pk. Eval(pk, m; r) h. The evaluaton algorthm takes the publc-key pk and a message m M as nputs, and outputs the hashed value h H whch was calculated under a randomness r R. 8

9 TC(pk, sk, (m 1, r 1 ), m 2 ) r 2. The trapdoor collson fnder algorthm takes the publckey pk, the secret-key sk, a par of a message and randomness (m 1, r 1 ) M R, and a message m 2 M as nputs, and outputs a randomness r 2 R. SKVer(pk, sk ) 1 / 0. The frst secret-key-verfcaton algorthm takes the publckey pk and a secret-key sk as nputs, and outputs 1 or 0. SKVer2(pk, sk, sk ) 1 / 0. The second secret-key-verfcaton algorthm takes the publc-key pk, a secret-key sk, and a secret-key sk as nputs, and outputs 1 or 0. Even f the two secret-keys are nputted n the reversed order, the output s requred to be equvalent. Thus, for any λ N, any (pk, sk) Gen(1 λ ), and any two vald secret-keys sk and sk, t holds that SKVer2(pk, sk, sk ) = SKVer2(pk, sk, sk ). A CHF scheme must be correct. A CHF scheme Σ CHF = {Gen, Eval, TC, SKVer, SKVer2} s correct, f for every λ N, every (pk, sk) Gen(1 λ ), every m M, every m M, every r R, and every r TC(pk, sk, (m, r), m ), t holds that [Eval(pk, m; r) = Eval(pk, m ; r )] [1 SKVer(pk, sk)] [1 SKVer2(pk, sk, sk)]. We gve the defntons of two standard propertes for the CHF scheme. They are strong collson-resstance and random trapdoor collson. Defnton 4. A CHF scheme Σ CHF = {Gen, Eval, TC, SKVer, SKVer2} s strongly collsonresstant, f for every λ N and every PPT A, t holds that Pr[A(pk) ((m 1, r 1 ), (m 2, r 2 )) s.t. [(m 1, r 1 ) (m 2, r 2 )] s neglgble, where (pk, sk) R Gen(1 λ ). [Eval(pk, m 1 ; r 1 ) = Eval(pk, m 2 ; r 2 )]] Defnton 5. A CHF scheme Σ CHF = {Gen, Eval, TC, SKVer, SKVer2} s sad to have the property of random trapdoor collson, f for any λ N, any (pk, sk) Gen(1 λ ) and any two messages m 1, m 2 M, a randomness r 1 chosen unformly at random from R dstrbutes dentcally wth r 2 TC(pk, (m 1, r 1 ), m 2 ). We gve the defnton of an orgnal property for a CHF scheme. The property s hardto-compute-secret-key (HtC-SK). Defnton 6. Σ CHF = {Gen, Eval, TC, SKVer, SKVer2} s sad to have the property of HtC-SK, f for every λ N, and every PPT A, t holds that Pr [ A (pk, sk) sk s.t. [ 1 SKVer(pk, sk ) ] [ 0 SKVer2(pk, sk, sk) ]] s neglgble, where (pk, sk) R Gen(1 λ ). Remark. The property s related to the second pre-mage resstance (SPR) [15, 17]. The algorthm SKVer gven pk and sk as nputs s an algorthm whch verfes whether or not a relaton holds between pk and sk. The algorthm SKVer2 gven two secret-keys sk and sk can be defned as the algorthm outputtng 1 ff the two keys are equvalent. Thus, the HtC-SK property can be the SPR property. We can say that the HtC-SK property s a generalzaton of the SPR property. 9

10 3 Dgtal Sgnature Syntax. Dgtal sgnature conssts of the polynomal tme algorthms {Gen, Sg, Ver}. Gen and Sg are probablstc, and Ver s determnstc. Gen(1 λ ) (pk, sk). The key-generaton algorthm takes 1 λ, where λ N, as an nput, and outputs a publc-key pk and a secret-key sk. The message space M s unquely determned by pk. Sg(pk, m, sk) σ. The sgnng algorthm takes the publc-key pk, a message m M, and the secret-key sk as nputs, and outputs a sgnature σ. Ver(pk, m, σ) 1 / 0. The sgnature-verfcaton algorthm takes the publc-key pk, a message m M, and a sgnature σ as nputs, and outputs 1 or 0. A sgnature scheme must be correct. A sgnature scheme Σ SIG = {Gen, Sg, Ver, SKVer, SKVer2} s correct f for every (pk, sk) Gen(1 λ ), every m M, and every σ Sg(pk, m, sk), t holds that [1 Ver(pk, m, σ)]. 3.1 Strong Exstental nforgeablty n HL Model We defne the strong exstental unfrogeablty n HL model for a sgnature scheme. Specfcally, we defne the strong exstental unforgeablty aganst adaptvely chosen messages attacks n hard-to-nvert leakage model (HL-sEF-CMA) for a sgnature scheme Σ SIG = {Gen, Sg, Ver}. At frst, we defne a game whch s played between an adversary A and challenger CH as follows. Note that a leakage functon f : {0, 1} pk + sk {0, 1} whose randomness space s denoted by R s ncluded n a class F ΣSIG (λ),.e., f F ΣSIG (λ) 5. Key-Generaton. CH runs (pk, sk) SIG.Gen(1 λ ). CH chooses r R R, then computes f (pk, sk; r). CH sends (pk, f (pk, sk; r)) to A. CH ntalzes the lst L S as an empty set. Query. A s allowed to use the sgnng oracle Sgn, adaptvely. Sgn(m M): CH generates σ SIG.Sg(pk, m, sk), then sends σ to A. After that, CH sets L S L S {(m, σ)}. Forgery(m, σ ). CH receves (m, σ ) sent by A. In the above game, A s sad to wn the game f [1 SIG.Ver(pk, m, σ )] [(m, σ ) L S ]. The advantage Adv F (λ) HL sef CMA Σ SIG,A (λ) s defned as the probablty Pr[A wns.]. Defnton 7. Σ SIG s HL-sEF-CMA-secure wth respect to the leakage-functon class F ΣSIG (λ), f for every PPT A and every functon f F ΣSIG (λ), Adv F (λ) HL sef CMA Σ SIG,A (λ) s neglgble. Remark. Weak exstental unforgeablty s defned n the same manner as the strong exstental unforgeablty except for the wnnng condton by the adversary A n the securty game. The adversary s sad to wn the game f the sgnature σ s a vald sgnature on the message m,.e., [1 SIG.Ver(pk, m, σ )], and the message m has not been quered to the sgnng oracle Sgn. 5 In ths paper, the functon class F ΣSIG (λ) can be smply wrtten as F (λ), f t s obvous that the functon class s for the sgnature scheme Σ SIG. 10

11 4 Sgnature Strongly Exstentally nforgeable and Reslent to Polynomally Hard-to-Invert Leakage In Subsect. 4.1, the generc constructon of our sgnature scheme s gven. In Subsect. 4.2, the sgnature scheme s proven to be strongly exstentally unforgeable and reslent to polynomally hard-to-nvert leakage. In the next secton,.e., Secton 5, we show that the sgnature scheme can be nstantated under the DLIN assumpton. 4.1 Constructon Our generc constructon of sgnature scheme Σ SIG = {SIG.Gen, SIG.Sg, SIG.Ver} has the followng 4 buldng blocks: An LPKE scheme Σ LPKE = {LPKE.Gen, LPKE.Enc, LPKE.Dec}, an NIZK scheme Σ NIZK = {NIZK.Gen, NIZK.Pro, NIZK.Ver}, a CHF scheme Σ CHF = {CHF.Gen, CHF.Eval, CHF.TC, CHF.SKVer, CHF.SKVer2} and a CHF scheme Σ CHF2 = {CHF2.Gen, CHF2.Eval, CHF2.TC}. The sgnature scheme Σ SIG s genercally constructed as follows. SIG.Gen(1 λ ): Run (ek, dk) LPKE.Gen(1 λ ), (pk 1, sk 1 ) CHF.Gen(1 λ ) and (pk 2, sk 2 ) CHF2.Gen(1 λ ). Run (crs, td) S 1 (1 λ ), where S 1 s the frst smulator n the defnton of zero-knowledge for Σ NIZK. R E and R E2 denote the randomness space of CHF.Eval and CHF2.Eval, respectvely. M, M, C, P and K 1 denote the message space of Σ CHF, the label space of Σ LPKE (or the hashed value space of Σ CHF2 ), the cphertext space of Σ LPKE, the proof space of Σ NIZK, and the secret-key space of Σ CHF, respectvely. M s a space satsfyng M = M C P. Verfcaton-key and sgnng-key are set as pk (pk 1, pk 2, ek, crs) and sk sk 1, respectvely. Return (pk, sk). We defne language L as L { (c, m) C M sk 1 K 1 s.t. [c LPKE.Enc(ek, sk 1, m)] [ 1 CHF.SKVer(pk 1, sk 1 ) ]}. (1) SIG.Sg(pk, m M, sk): pk s parsed as (pk 1, pk 2, ek, crs). sk s wrtten as sk 1. Do as follows n order. r E R E, r E2 RE2, m M, c C, π P, σ (c, π ). h CHF.Eval(pk 1, m σ ; r E ), m CHF2.Eval(pk 2, h; r E2 ). c LPKE.Enc(ek, sk 1, m), x (c, m), w sk 1, π NIZK.Pro(crs, x, w). σ (c, π), r E CHF.TC(pk 1, sk 1, (m σ, r E ), m σ). Return σ (σ, r E, r E2 ) = (c, π, r E, r E2 ). SIG.Ver(pk, m M, σ ): pk s parsed as (pk 1, pk 2, ek, crs). σ s parsed as (c, π, r E, r E2 ). h CHF.Eval(pk 1, m σ; r E ). m CHF2.Eval(pk 2, h; r E2 ). x (c, m). Return NIZK.Ver(crs, x, π). 4.2 Proof of Strong nforgeablty n Polynomally Hard-to-Invert Leakage Model Before gvng the theorem for the strong unforgeablty n the hard-to-nvert leakage model of the sgnature scheme Σ SIG, we gve the defntons of the leakage-functon 11

12 class FΣ HtI SIG (λ) for the sgnature scheme and the strong collson-resstance n HL model w.r.t. the functon class FΣ HtI SIG (λ) for the chameleon hash functon Σ CHF. Defnton 8. Functon class F HtI Σ SIG (λ) conssts of every polynomal-tme computable probablstc (or determnstc) functon f : {0, 1} pk 1 + pk 2 + ek + crs + sk 1 {0, 1} whch has a randomness space R and satsfes the followng condton: for every PPT B, Pr [ B (pk 1, pk 2, ek, crs, sk 2, dk, td, f (pk 1, pk 2, ek, crs, sk 1 ; r)) sk1 s.t. [ 1 CHF.SKVer ( pk 1, sk1)] [ ( 1 CHF.SKVer2 pk1, sk1, sk )]] 1 (2) s neglgble, where (pk 1, sk 1 ) R CHF.Gen(1 λ ), (pk 2, sk 2 ) R CHF2.Gen(1 λ ), (ek, dk) R LPKE.Gen(1 λ ), (crs, td) R S 1 (1 λ ) and r R R. Remark. If the chameleon hash functon Σ CHF s a CHF wth the second pre-mage resstance [15, 17], the algorthm CHF.SKVer2 s defned as the equalty-checkng algorthm, and the secret-key sk1 whch satsfes [1 CHF.SKVer(pk 1, sk1 )] [1 CHF.SKVer2(pk 1, sk1, sk 1)] s the orgnal secret-key sk 1 only. So, the probablty (2) s smply wrtten as Pr[B(pk 1, pk 2, ek, crs, sk 2, dk, td, f (pk 1, pk 2, ek, crs, sk 1 ; r)) sk 1 ]. Defnton 9. CHF scheme Σ CHF = {CHF.Gen, CHF.Eval, CHF.TC, CHF.SKVer, CHF.SKVer2} s sad to be strongly collson-resstant n HL model wth respect to the functon class FΣ HtI SIG (λ), f for every PPT A and every functon f : {0, 1} pk 1 + pk 2 + ek + crs + sk 1 {0, 1} whch s ncluded n the functon class FΣ HtI SIG (λ) and has a randomness space R, Pr [ A (pk 1, pk 2, ek, crs, sk 2, dk, td, f (pk 1, pk 2, ek, crs, sk 1 ; r)) ((m 1, r 1 ), (m 2, r 2 )) s.t. [(m 1, r 1 ) (m 2, r 2 )] [ CHF.Eval(pk 1, m 1 ; r 1 ) = CHF.Eval(pk 1, m 2 ; r 2 ) ]] s neglgble, where (pk 1, sk 1 ) R CHF.Gen(1 λ ), (pk 2, sk 2 ) R CHF2.Gen(1 λ ), (ek, dk) R LPKE.Gen(1 λ ), (crs, td) R S 1 (1 λ ) and r R R. The strong unforgeablty n HL model of the sgnature scheme Σ SIG s guaranteed by the followng theorem. Theorem 1. Σ SIG s HL-sEF-CMA w.r.t. the functon class F HtI Σ SIG (λ), f Σ LPKE s IND-wLCCA, Σ NIZK s sound and zero-knowledge, Σ CHF s strongly collson-resstant n HL model w.r.t. the functon class FΣ HtI SIG (λ), random trapdoor collson, and HtC-SK, and Σ CHF2 s strongly collson-resstant and random trapdoor collson. Proof of Theorem 1. Hereafter, q s N denotes the number of tmes that PPT adversary A uses the sgnng oracle Sgn. To prove Theorem 1, we use multple games Game, where {0, 1, 2, 3, 4, 5, 6, 7, 7 1,, 7 q s }. The frst game Game 0 s the normal AL-sEF-CMA game w.r.t. the sgnature scheme Σ SIG and the functon class F HtI Σ SIG (λ). Specfcally, Game 0 s the followng game. 12

13 Key-Generaton. CH runs (pk 1, sk 1 ) CHF.Gen(1 λ ), (pk 2, sk 2 ) CHF2.Gen(1 λ ), (ek, dk) LPKE.Gen(1 λ ), and (crs, td) S 1 (1 λ ). pk and sk are set as pk (pk 1, pk 2, ek, crs) and sk sk 1, respectvely. For a functon f F HtI Σ SIG (λ), CH chooses r R R, then computes f (pk, sk; r). CH sends (pk, f (pk, sk; r)) to A. L S s set to. Query. When A ssues a message m M as a query to the sgnng oracle Sgn, CH generates a sgnature (c, π, r E, r E2 ) on the message as follows. r E R E, r E2 RE2, m M, c C, π P, σ (c, π ). h CHF.Eval(pk 1, m σ ; r E ), m CHF2.Eval(pk 2, h; r E2 ). c LPKE.Enc(ek, sk 1, m), x (c, m), w sk 1, π NIZK.Pro(crs, x, w). σ (c, π), r E CHF.TC(pk 1, sk 1, (m σ, r E ), m σ). CH returns a sgnature (c, π, r E, r E2 ) to A. CH sets L S L S {(m, c, π, r E, r E2 )}. Forgery(m, (c, π, re, r E2 )). CH s gven a message m M and a sgnature (c, π, re, r E2 ). A wns the game, f [1 NIZK.Ver(crs, x, π )] [(m, c, π, r E, r E2 ) L S ], where h CHF.Eval(pk 1, m (c, π ); r E ), m CHF2.Eval(pk 2, h ; r E2 ) and x (c, m ). We defne the games Game, where {1, 2, 3, 4, 5, 6, 7, 7 1,, 7 q s }, as follows. Game 1. Game 1 s the same as Game 0 except that CH generates a common reference strng crs by runnng crs NIZK.Gen(1 λ ) n Key-Generaton. Game 2. Game 2 s the same as Game 1 except that A s wnnng condton s changed to the followng one, where sk1 LPKE.Dec(dk, c, m ): [1 NIZK.Ver(crs, x, π )] [(m, c, π, re, r E2 ) L S ] [1 CHF.SKVer(pk 1, sk1 )]. Game 3. Game 3 s the same as Game 2 except that A s wnnng condton s changed to the followng one: [1 NIZK.Ver(crs, x, π )] [(m, c, π, re, r E2 ) L S ] [1 CHF.SKVer(pk 1, sk1 )] [1 CHF.SKVer2(pk 1, sk1, sk 1)]. Game 4 : Game 4 s the same as Game 3 except that A s wnnng condton s changed to the followng one: [1 NIZK.Ver(crs, x, π )] [(m, c, π, re, r E2 ) L S ] [1 CHF.SKVer(pk 1, sk1 )] [1 CHF.SKVer2(pk 1, sk1, sk 1)] [[ m { m 1,, m qs }] [ [1, q s ] s.t. [ m = m ] [(h, re2 ) = (h, r E2, )] [(m, c, π, re ) (m, c, π, r E, )]]], where, for [1, q s ], each one of m, h, r E2,, c, π and r E, s the element whch was generated when computng the reply to the -th sgnng oracle query. Game 5 Game 5 s the same as Game 4 except that when A ssues a message m M as a query to the sgnng oracle Sgn, CH generates a sgnature (c, π, r E, r E2 ) on the message as follows. r E, r E R E, r E2 R E2, m M, c C, π P, σ (c, π ). h CHF.Eval(pk 1, m σ ; r E ), m CHF2.Eval(pk 2, h ; r E2 ). c LPKE.Enc(ek, sk 1, m), x (c, m), w sk 1, π NIZK.Pro(crs, x, w). σ (c, π), h CHF.Eval(pk 1, m σ; r E ). r E2 CHF2.TC(pk 2, sk 2, (h, r E2 ), h). Game 6. Game 6 s the same as Game 5 except that the followng two ponts. Frstly, CH generates a common reference strng crs by runnng (crs, td) S 1 (1 λ ) n Key-Generaton. Secondly, when replyng to a query to Sgn n Query, CH generates a proof π by usng S 2, nstead of NIZK.Pro, where S 2 denotes the second smulator n the defnton of zero-knowledge for Σ NIZK. 13

14 Game 7 (= Game 7 0 ). Game 7 s the same as Game 6 except that A s wnnng condton s changed to the followng one: [1 NIZK.Ver(crs, x, π )] [(m, c, π, re, r E2 ) L S ] [1 CHF.SKVer(pk 1, sk1 )] [1 CHF.SKVer2(pk 1, sk1, sk 1)] [ m { m 1,, m qs }]. Game 7 1,, Game 7 qs. Game 7, where [1, q s ], s the same as Game 7 0 except that when replyng to the j-th sgnng oracle query, where j, CH generates the cphertext c j by runnng c j LPKE.Enc(ek, 0 sk1, m j ), where 0 sk 1 denotes the btstrng of sk 1 number of 0. Hereafter, W, where {0, 1, 2, 3, 4, 5, 6, 7, 7 1,, 7 q s }, denotes the event that A wns the game Game. It holds obvously that Adv F HtI Σ SIG (λ) HL sef CMA Σ SIG,A (λ) = Pr [W 0 ] 7 q s Pr [W 1 ] Pr [W ] + Pr [ ] [ ] W 7 1 Pr W7 [ ] + Pr W7 qs. Theorem 1 s proven by the above nequalty and the followng all lemmas. Lemma 1. Pr[W 0 ] Pr[W 1 ] s neglgble f Σ NIZK s zero-knowledge. Lemma 2. Pr[W 1 ] Pr[W 2 ] s neglgble f Σ NIZK s sound. Lemma 3. Pr[W 2 ] Pr[W 3 ] s neglgble f Σ CHF s HtC-SK. Lemma 4. Pr[W 3 ] Pr[W 4 ] s neglgble f Σ CHF2 s strongly collson-resstant. Lemma 5. Pr[W 4 ] Pr[W 5 ] s neglgble f each one of Σ CHF and Σ CHF2 s random trapdoor collson. Lemma 6. Pr[W 5 ] Pr[W 6 ] s neglgble f Σ NIZK s zero-knowledge. Lemma 7. Pr[W 6 ] Pr[W 7 0 ] s neglgble f Σ CHF s strongly collson-resstant n HL model w.r.t. the functon class F HtI Σ SIG (λ). Lemma 8. For any [1, q s ], Pr[W 7 1 ] Pr[W 7 ] s neglgble f Σ LPKE s INDwLCCA. Lemma 9. Pr[W 7 qs ] s neglgble. Proof of each lemma s gven n Sect. A. 5 Instantaton under the DLIN assumpton As a concrete constructon for the chameleon hash functon Σ CHF, we adopt the chameleon hash functon Π CHF,n gven n Fg. 1. For Π CHF,n, we obtan Theorem 2, Theorem 3, and Theorem 4, whose proofs are gven n A.10, A.11 and A.12, respectvely. Theorem 2. For any n N, Π CHF,n s HtC-SK under the DL assumpton. 14

15 CHF.Gen(1 λ, 1 n ) : (p, G, g) G(1 λ ). x 1,, x n, a 1,, a n Zp. g 1 g a 1,, g n g an.y n g x. Return pk (p, G, g 1,, g n, y) and sk (x 1,, x n ). CHF.Eval(pk, m; r) : ) J(m). r Z n p, where r s parsed as (r 1,, r n ). Return ( y Π n gr CHF.TC(pk, sk, (m, r), m ) : sk Z n p s parsed as (x 1,, x n ). r Z n p s parsed as (r 1,, r n ). For [1, n], r J(m)(x r )/J(m ) x. Return r (r 1,, r n). CHF.SKVer(pk, sk ) : [ sk Z n p s parsed as (x 1,, x n). Return 1, f y = ] n g x. Return 0, otherwse; CHF.SKVer2(pk, sk, sk ) : sk Z n p s parsed as (x 1,, x n). sk Z n p s parsed as (x 1,, x n). Return 1, f [ n [ ]] x = x. Return 0, otherwse; Fg. 1. Constructon of CHF Scheme Π CHF,n, where J : {0, 1} Z p \ {0} s a collson-resstant hash functon. Theorem 3. For any n N, Π CHF,n s random trapdoor collson. Theorem 4. For any chameleon hash functon Π CHF2, any LPKE scheme Π LPKE, any NIZK scheme Π NIZK, and any nteger n N, Π CHF,n s strongly collson-resstant n HL model w.r.t. the functon class FΠ HtI SIG (λ) under the collson-resstance of the hash functon J : {0, 1} Z p \ {0} and the DL assumpton, where Π SIG denotes the nstantaton of the sgnature scheme Σ SIG by Π CHF, Π CHF2, Π LPKE and Π NIZK. As a concrete constructon for the chameleon hash functon Σ CHF2, we adopt the chameleon hash functon Π CHF,1 whch s Π CHF,n n Fg. 1 wth n = 1. The followng corollary s obtaned by Theorem 4, obvously. Corollary 1. For any n N, Π CHF,n s strongly collson-resstant under the collsonresstance of the hash functon J : {0, 1} Z p \ {0} and the DL assumpton. Thus, the random trapdoor collson and strong collson-resstance of the CHF scheme Π CHF,1 are guaranteed by Theorem 3 and Corollary 1, respectvely. As a concrete constructon for the LPKE scheme Σ LPKE, we adopt Π LPKE,l gven n Fg. 2. The LPKE scheme s a modfcaton of the LPKE scheme by Camensch et al. [11] whch s IND-LCCA secure 6 under the DLIN assumpton and the collsonresstance of hash functon. Faust et al. [17] modfes the scheme by Camensch et al. to get the LPKE scheme Π LPKE,l whch acheves a weaker securty,.e., IND-wLCCA, but encrypts a plantext of arbtrary length. Thus, Theorem 5. For any l N, Π LPKE,l s IND-wLCCA under the collson-resstance of the hash functon H CL : {0, 1} Z p and the DLIN assumpton. 6 IND-LCCA s stronger securty noton than IND-wLCCA. For the detals, refer to [17]. 15

16 LPKE.Gen(1 λ, 1 l ) : (p, G, g) G(1 λ ). a 1,, a l, b 1, b 2 Zp. ĝ 0 g, ĝ 1 g b 1, ĝ 2 g b 2, g 1 g a 1,, g l g a l. u 1, u 2, u 3, v 1, v 2, v 3, w 1, w 2, w 3 Zp. d 1 ĝ u 1 0 ĝu 2 1, d 2 ĝ u 1 0 ĝu 3 2, e 1 ĝ v 1 0 ĝv 2 1, e 2 ĝ v 1 0 ĝv 3 2, h 1 ĝ w 1 0 ĝ w 2 1, h 2 ĝ w 1 0 ĝ w 3 2. ek (p, G, ĝ 0, ĝ 1, ĝ 2, g 1,, g l, d 1, d 2, e 1, e 2, h 1, h 2 ). dk (u 1, u 2, u 3, v 1, v 2, v 3, w 1, w 2, w 3 ). Return(ek, dk). LPKE.Enc(ek, x {0, 1} l, L {0, 1} ) : For [1, l], the -th bt of x {0, 1} l s denoted by x {0, 1}. For every [1, l], do: Zp. y (y,1, y,2, y,3 ) (ĝ r +s 0, ĝ r 1, ĝs 2 ). z h r 1 hs 2 gx. 2 )s, where t H CL (y, z, L). c (y, z, c ). r, s c (d 1 e t 1 )r (d 2 e t Return C {c } [1,l]. LPKE.Dec(ek, dk, C, L) : For every [1, l], do: c y u 1+t v 1,1 y u 2+t v 2,2 y u 3+t v 3,3, where t H CL (y, z, L). If c c, then return. Else f z /(y w 1,1 yw 2,2 yw 3,3 ) = g, then x 1. Else, then x 0. The -th bt of x s set as x. Return x {0, 1} l. Fg. 2. Constructon of LPKE Scheme Π LPKE,l, where H CL : {0, 1} Z p s a collson-resstant hash functon. As a concrete constructon for the non-nteractve zero-knowledge proof Σ NIZK, we adopt the Groth-Saha proof Π NIZK n [19] whose soundness and zero-knowledge are guaranteed under the DLIN assumpton. By the schemes Π CHF,n, Π CHF2, Π NIZK and Π LPKE,nλ, where λ denotes the nteger n the securty parameter 1 λ of Π CHF,n, our concrete sgnature scheme Π SIG s constructed. Hereafter, for [1, n] and j [1, λ], the j-th bt of x Z p n Π CHF,n s denoted by x j {0, 1}, and the prme and group n Π LPKE,nλ are wrtten as ˆp and Ĝ, respectvely. By the sgnng algorthm of Π SIG, a cphertext C and a proof π are generated as follows. The cphertext C s generated by runnng C LPKE.Enc(ek, (x 1,, x n ), m), where LPKE.Enc s the encrypton algorthm of Π LPKE,nλ. C s parsed as {c j } [1,n], j [1,λ]. c j s parsed as (y j, z j Ĝ, c j Ĝ). y j s parsed as (y j,1, y j,2, y j,3 ) Ĝ 3. By usng the proof-generaton algorthm of the NIZK scheme Π NIZK, we generate the proof π. Actually, the proof π s a proof whch proves that {r j Z ˆp, s j Z ˆp, x j {0, 1}} [1,n], j [1,λ] such that n λ g 2 j 1 x [[ĝr j = y j +s j ] [ĝr 0 = y j,1 j 1 = y ] [ĝs j,2 j 2 = y ] j,3 j=1 [1,n], j [1,λ] [ h r j 1 hs j 2 ] [ gx j j = z j (d1 e t j 1 )r j (d 2 e t ] [ j 2 )s j = c j x j (1 x j ) = 0 ]], where y = n g x G. 16

17 Acknowledgements Ths work was supported by JSPS KAKENHI (Grant Number JP17KT0081). Ths work was also supported by JSPS and DST under the Japan-Inda Scence Cooperatve Program. References 1. Akava, A., Goldwasser, S., Vakuntanathan, V. :Smultaneous hardcore bts and cryptography aganst memory attacks. In: TCC 2009, LNCS 5444, pp , Alwen, J., Dods, Y., Wchs, D. :Leakage-reslent publc-key cryptography n the boundedretreval model. In: CRYPTO 2009, LNCS 5677, pp , Brands, S.A. :An effcent off-lne electronc cash system based on the representaton problem. Techncal report, Boneh, D., Boyen, X., Shacham, H. :Short group sgnatures. In: CRYPTO 2004, LNCS 3152, pp.41-55, Brakersk, Z., Goldwasser, S. :Crcular and leakage reslent publc-key encrypton under subgroup ndstngushablty (or: quadratc resduosty strkes back). In: CRYPTO 2010, LNCS 6223, pp. 1-10, Bellare, M., Goldrech, O., Goldwasser, S. :Incremental cryptography: the case of hashng and sgnng. In:CRYPTO 1994, LNCS 839, pp , Boneh, D., Halev, S., Hamburg, M., Ostrovsky, R. :Crcular-secure encrypton from decson dffe-hellman. In: CRYPTO 2008, LNCS 5157, pp , Brakersk, Z., Kala, Y.T., Katz, J., Vakuntanathan, V. :Overcomng the hole n the bucket: Publc-key cryptography reslent to contnual memory leakage. In: FOCS 2010, pp , Boneh, D., Shen, E., Waters, B. :Strongly unforgeable sgnatures based on computatonal dffe-hellman. In: PKC 2006, LNCS 3958, pp , Boyle, E., Segev, G., Wchs, D. :Fully leakage-reslent sgnatures. In: EROCRYPT 2011, LNCS 6632, pp , Camensch, J., Chandran, N., Shoup, V. :A publc key encrypton scheme secure aganst key dependent chosen plantext and adaptve chosen cphertext attacks. In: EROCRYPT 2009, LNCS 5479, pp , Chow, S.S.M, Dods, Y., Rouselaks, Y., Waters, B. :Practcal leakage-reslent dentty-based encrypton from smple assumptons. In: ACMCCS 2010, pp , Canett, R., Halev, S., Katz, J. :Chosen-cphertext securty from dentty-based encrypton. In: EROCRYPT 2004, LNCS 3027, pp , Dods, Y., Goldwasser, S., Kala, Y.T., Pekert, C., Vakuntanathan, V. :Publc-key encrypton wth auxlary nputs. In: TCC 2010, LNCS 5978, pp , Dods, Y., Haralambev, K., López-Alt, A., Wchs, D. :Effcent publc-key cryptography n the presence of key leakage. In: ASIACRYPT 2010, LNCS 6477, pp , Dods, Y., Kala, Y.T., Lovett, S. :On Cryptography wth auxlary nput. In: STOC 2009, pp , Faust, S., Haway, C., Nelsen, J.B., Nordholt, P.S., Zottarel, A. :Sgnature schemes secure aganst hard-to-nvert leakage. In: ASIACRYPT 2012, LNCS 7658, pp , Gentry, C., Pekert, C., Vakuntanathan, V. :Trapdoors for hard lattces and new cryptographc constructons. In: STOC 2008, pp , Groth, J., Saha, A. :Effcent non-nteractve proof systems for blnear groups. In: ERO- CRYPT 2008, LNCS 4965, pp ,

18 20. Huang, J., Huang, Q., Pan, C. :A black-box constructon of strongly unforgeable sgnature schemes n the bounded leakage model. In: ProvSec 2016, LNCS 10005, pp , Halderman, J.A., Schoen, S.D., Hennger, N., Clarkson, W., Paul, W., Calandrno, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W. :Lest we remember: cold boot attacks on encrypton keys. In: SENIX Securty Symposum, pp , Huang, Q., Wong, D.S., Zhao, Y. :Generc transformaton to strongly unforgeable sgnatures. In: ACNS 2007, LNCS 4521, pp. 1-17, Ishzaka, M., Matsuura, K. :Strongly unforgeable sgnature reslent to polynomally hardto-nvert leakage under standard assumptons. In: ISC 2018, LNCS????, pp.???-???, Kurosawa, K., Phong, L.T. :Leakage reslent IBE and IPE under the DLIN assumpton. In: ACNS 2013, LNCS 7954, pp , Katz, J., Vakuntanathan, V. :Sgnature schemes wth bounded leakage reslence. In: ASI- ACRYPT 2009, LNCS 5912, pp , Lewko, A., Rouselaks, Y., Waters, B. :Achevng leakage reslence through dual system encrypton. In: TCC 2011, LNCS 6597, pp , Malkn, T., Teransh, I., Vahls, Y., Yung, M. :Sgnatures reslent to contnual leakage on memory and computaton. In: TCC 2011, LNCS 6597, pp , Naor, M., Segev, G. :Publc-key cryptosystems reslent to key leakage. In: CRYPTO 2009, LNCS 5677, pp , Stenfeld, R., Peprzyk, J., Wang, H. :How to strengthen any weakly unforgeable sgnature nto a strongly unforgeable sgnature. In: CT-RSA 2007, LNCS 4377, pp , Wang, Y., Matsuda, T., Hanaoka, G., Tanaka, K. :Sgnatures reslent to unnvertble leakage. In: SCN 2016, LNCS 9841, pp , Wang, Y., Tanaka, K. :Generc transformaton to strongly exstentally unforgeable sgnature schemes wth leakage reslency. In: ProvSec 2014, LNCS 8782, pp , Yuen, T.H., Chow, S.S.M, Zhang, Y., Yu, S.M. :Identty-based encrypton reslent to contnual auxlary leakage. In: EROCRYPT 2012, LNCS 7232, pp , Yuen, T.H., Yu, S.M., Hu, L.C.K. :Fully leakage-reslent sgnatures wth auxlary nputs. In: ACISP 2012, LNCS 7372, pp , Zhang, M. :New model and constructon of ABE: achevng key reslent-leakage and attrbute drect-revocaton. In: ACISP 2014, LNCS 8544, pp , Zhang, M., Sh, W., Wang, C., Chen, Z., Mu, Y. :Leakage-reslent attrbute-based encrypton wth fast decrypton: models, analyss and constructons. In: ISPEC 2013, LNCS 7863, pp , Zhang, M., Wang, C., Takag, T., Mu, Y.: Functonal encrypton reslent to hard-to-nvert leakage. In: The Computer Journal, do: /comjnl/bxt105, A Proofs of Some Theorems and Lemmas A.1 Proof of Lemma 1 We prove that f we assume that there s a PPT adversary A whch makes Pr[W 0 ] Pr[W 1 ] non-neglgble, then we are able to construct a PPT algorthm whch breaks the zero-knowledge property for Σ NIZK. We consder a PPT smulator S. On one hand, the smulator S s a PPT algorthm attemptng to break the zero-knowledge for Σ NIZK. On the other hand, S s the challenger n Game 0 or Game 1. S s gven a common reference strng crs. If crs was generated by (crs, td) S 1 (1 λ ) (resp. crs NIZK.Gen(1 λ )), then S smulates Game 0 (resp. Game 1 ) aganst the PPT adversary A properly. The concrete behavour by S s the followng. 18

19 Key-Generaton. S runs (pk 1, sk 1 ) CHF.Gen(1 λ ), (pk 2, sk 2 ) CHF2.Gen(1 λ ) and (ek, dk) LPKE.Gen(1 λ ). S s gven a common reference strng crs of Σ NIZK. S sets pk and sk to pk (pk 1, pk 2, ek, crs) and sk sk 1, respectvely. S computes f (pk, sk; r) where r R R. S sends (pk, f (pk, sk; r)) to A. S sets L S to. Query. When A ssues a message m M as a query to the sgnng oracle Sgn, S generates a sgnature (c, π, r E, r E2 ) on the message n the normal manner. S sets L S to L S {(m, c, π, r E, r E2 )}. Forgery(m, c, π, r E, r E2 ). S outputs 1, f [1 NIZK.Ver(crs, x, π )] [(m, c, π, r E, r E2 ) L S ], where h CHF.Eval(pk 1, m (c, π ); r E ), m CHF2.Eval(pk 2, h ; r E2 ) and x (c, m ). S outputs 0, otherwse. It s obvous that f the common reference strng s generated by (crs, td) S 1 (1 λ ) (resp. crs NIZK.Gen(1 λ )), then S smulates the game Game 0 (resp. Game 1 ) aganst A perfectly, and f and only f the event W 0 (resp. W 1 ) occurs, S outputs 1. Hence, we obtan Pr[W 0 ] = Pr[1 S(crs) (crs, td) S 1 (1 λ )] and Pr[W 1 ] = Pr[1 S(crs) crs NIZK.Gen(1 λ )]. Hence, Pr[W 0 ] Pr[W 1 ] = Pr[1 S(crs) crs NIZK.Gen(1 λ )] Pr[1 S(crs) (crs, td) S 1 (1 λ )]. A.2 Proof of Lemma 2 We prove that f we assume that there s a PPT adversary A whch makes Pr[W 1 ] Pr[W 2 ] non-neglgble, then we are able to construct a PPT algorthm whch breaks the soundness property for Σ NIZK. We consder a PPT smulator S attemptng to break the soundness of the NIZK scheme Σ NIZK. Specfcally, S behaves as follows. Key-Generaton. S runs (pk 1, sk 1 ) CHF.Gen(1 λ ), (pk 2, sk 2 ) CHF2.Gen(1 λ ) and (ek, dk) LPKE.Gen(1 λ ). S s gven a common reference strng crs of Σ NIZK. S sets pk and sk to pk (pk 1, pk 2, ek, crs) and sk sk 1, respectvely. S computes f (pk, sk; r) where r R R, then sends (pk, f (pk, sk; r)) to A. S sets L S to. Query. When A ssues a message m M as a query to the sgnng oracle Sgn, S generates a sgnature (c, π, r E, r E2 ) on the message n the normal manner. S sets L S to L S {(m, c, π, r E, r E2 )}. Forgery(m, c, π, re, r E2 ). S checks whether the followng condton s satsfed or not: [1 NIZK.Ver(crs, x, π )] [(m, c, π, re, r E2 ) L S ] [0 CHF.SKVer(pk 1, sk1 )], where h CHF.Eval(pk 1, m (c, π ); re ), m CHF2.Eval(pk 2, h ; re2 ), x (c, m ) and sk1 LPKE.Dec(dk, c, m ). If the condton s satsfed, then S outputs (x, π ) = (c, m, π ). It s obvous that S smulates Game 1 or Game 2, perfectly. By the way, the defntons of W 1 and W 2 gves us the followng equatons. Pr [W 1 ] = Pr [[ 1 NIZK.Ver(crs, x, π ) ] [ (m, c, π, re, r E2 ) L ]] S (3) Pr [W 2 ] = Pr [[ 1 NIZK.Ver(crs, x, π ) ] [ (m, c, π, re, r E2 ) L ] S [ 1 CHF.SKVer(pk 1, sk1 )]] (4) 19