Concurrent Blind Signatures without Random Oracles


Aggelos Kiayias, Hong-Sheng Zhou

Abstract. We present a blind signature scheme that is efficient and provably secure without random oracles under concurrent attacks, utilizing only four moves of short communication. The scheme is based on elliptic curve groups for which a bilinear map exists and on extractable and equivocable commitments. The unforgeability of the employed signature scheme is guaranteed by the LRSW assumption, while the blindness property of our scheme is guaranteed by the Decisional Linear Diffie-Hellman assumption. We prove our construction secure under the above assumptions as well as Paillier's DCR assumption in the concurrent attack model of Juels, Luby and Ostrovsky from Crypto '97, using a common reference string. Our construction is the first efficient construction for blind signatures in such a concurrent model without random oracles. We present two variants of our basic protocol: first, a blind signature scheme where blindness still holds even if the public-key generation is maliciously controlled; second, a blind signature scheme that incorporates a public-tagging mechanism. This latter variant of our scheme gives rise to a partially blind signature with essentially the same efficiency and security properties as our basic scheme.

1 Introduction

Blind signatures were introduced by Chaum in [Cha82] and proved to be a most useful cryptographic scheme that has been the basis of many complex cryptographic constructions, including e-cash systems and e-voting schemes. Informally, a blind signature is a signature scheme that incorporates a signing protocol that allows the signer to sign a document submitted by a user blindly, i.e., without obtaining any information about the document itself.
It was observed early on (at least as early as [Dam88], see also [PW91]) that blind signatures contain an instance of a secure function evaluation protocol in the following sense: the user possesses a private input $m$ and a public input $pk$ which is the verification key of a digital signature algorithm, and the signer possesses a private input $sk$ which is the signing key of the digital signature algorithm; with this setup the user and the signer should execute a probabilistic secure function evaluation protocol that will allow the user to compute $\sigma$, a signature on $m$ under $pk$, without revealing $m$ to the signer and without the signer revealing $sk$ to the user. Given the complexity of general secure function evaluation, though [Yao86, GMW87], in early work on blind signatures this paradigm was not very motivating. A more motivating paradigm was found in divertible zero-knowledge proofs [OO89, Oka92, CDP94], and many blind signatures were subsequently designed in this line of reasoning [PS96, PS97, Poi98, AO00, AO01, Abe01]; the first attempt to give provably secure constructions (in the random oracle model) was due to [PS96]. Regarding provably secure constructions, Pointcheval and Stern [PS96] presented secure blind signatures with three communication moves that were proven secure in the random oracle model under the discrete-logarithm assumption, assuming only logarithmically many messages were transmitted by the user. This result was later improved to polynomially many messages but five communication moves [Poi98], and the round complexity was finally decreased to three moves and polynomially many messages in [AO01, Abe01]. A two-move protocol was presented in [BNPS01] assuming the RSA inversion oracle assumption. We stress that all these results were proven secure in the random oracle model. Concurrency in the context of blind signatures was put forth by Juels, Luby and Ostrovsky [JLO97], who presented the first security model for blind signatures that takes into account that the adversary may launch many concurrent sessions of the blind signing protocol (operating as either the user or the signer). Concurrency is particularly important since in implementations of blind signatures in e-voting and e-cash schemes, see e.g. [Cha82, FOO92, Kim04], the signer is a multi-threaded server that accepts many concurrent sessions of users that are executing the signing protocol. Thus, it is of crucial importance to consider the security of blind signatures when (1) a malicious signer attempts to defeat the blindness of many concurrently joining users, and (2) a coalition of malicious users attempts to extract information about the signing key of the multi-threaded signer server. Still, the design of schemes that satisfied such stronger models proved elusive. In fact, Lindell [Lin03] showed that concurrent security for blind signatures is impossible in the bare model (i.e., without any setup assumption). On the other hand, in the CRS model, Canetti et al. [CLOS02] gave a generic construction for multi-party secure function evaluation that achieves an even stronger notion of security than concurrency (universal composition) and can be used to solve (generically) the blind signature problem using a CRS. Note that this construction is not efficient, and some trusted setup assumption such as using a CRS is necessary for a blind signature given the result of Lindell [Lin03].

Footnote: An earlier version of this paper was titled "Two-round Concurrent Blind Signatures without Random Oracles", with each round meant to include two moves; this proved to be confusing with respect to the use of the term "round" in previous works, and thus "two-round" was removed from the title. The protocols presented in all versions of the present work have always been 4-move protocols.

Footnote: University of Connecticut, Computer Science and Engineering, Storrs, CT, USA, {aggelos,hszhou}@cse.uconn.edu. Research partly supported by NSF CAREER Award CNS
More recently, Camenisch et al. [CKW04], using a weaker model than that of [JLO97] that only allowed sequential attacks, presented an eight-move blind signature scheme that is based on the Strong-RSA assumption, leaving as an open problem the possibility of achieving concurrent security in an efficient scheme.

Our Contribution. In this paper, we give the first efficient construction for blind signatures to achieve concurrent security in the sense of [JLO97] assuming a common reference string. The four-move interaction between the user and the signer in the signing protocol requires overall communication not exceeding 2 Kbytes (about 10.2 Kbits to be precise) for a full signature generation. Achieving this level of efficiency while simultaneously maintaining provability in a concurrency model required the careful composition of a number of cryptographic primitives. As our underlying digital signature scheme (i.e., the type of signature that is obtained by users) we use the elliptic curve based signature scheme of Camenisch and Lysyanskaya [CL04] (henceforth called a CL signature). We also employ a variant of Linear Encryption, an encryption scheme that was originally introduced in the context of group signatures by Boneh, Boyen and Shacham [BBS04]. Here we find a novel use of this primitive in the context of blind signatures. In addition to these primitives, our construction makes essential use of discrete-logarithm equivocal commitments based on Pedersen commitments [Ped91] and extractable commitments based on Paillier encryption [Pai99]. The central idea of our construction is to use a variant of Linear Encryption to produce a very efficient secure function evaluation protocol for CL signatures that proceeds roughly as follows: the user selects on the fly a key for the encryption scheme and encrypts her message with it. The signer, upon receiving this encryption, takes advantage of the homomorphic properties of the encryption to blindly transform the ciphertext into a randomized encryption of a CL signature and then transmits the resulting rerandomized ciphertext back to the user.
We make essential use of the homomorphic properties of the underlying encryption in the efficient generation of non-adversarial randomness between the mutually distrustful players. In order to prove security under concurrent attacks, a number of provisions have to be taken in the blind signature protocol design. Most importantly, in our signing protocol, both sides will be required to prove statements about their local computations. As a result, performing the whole protocol in four moves is one of the most delicate parts of our construction. The homomorphic encryption based interaction that is used for the secure signature computation needs to be paired with an extractable commitment. Moreover, an equivocable commitment is used for ensuring that no information leakage occurs from the user to the signer or vice versa. Finally, the signer proves to the user that he is following the protocol specifications and is applying his signing key to the user's ciphertext, whereas the user has to prove that he is consistent across his commitments. The construction is proven to satisfy the two properties of the [JLO97] model as follows: the blindness property is ensured under the Decisional Composite Residuosity assumption of [Pai99] and the Decision Linear Diffie-Hellman assumption of [BBS04]. The unforgeability property is proven under the LRSW assumption of [LRSW99]. Note that the resulting signature from the signing protocol is about half the size of an RSA based Chaum blind signature.

Stronger blindness property. We consider a stronger adversarial model for blindness where the public key is adversarially controlled; we show how it is possible to modify our basic protocol in a straightforward way to achieve this stronger blindness property.

Public-tagging and partial blindness. We finally provide an extension of our scheme that allows the public-tagging of blindly signed messages, i.e., all messages that are obtained by the users also contain a publicly known tag that is decided prior to the signing protocol execution. This extension is essentially equivalent to a partially blind signature construction, a notion that was formalized in [AF96]. In a partially blind signature every message is tagged with a public string that is produced jointly by the user and the signer. The blindness property is then restricted to hold only for blind signatures with the same tag. Partial blindness is important as it allows the signer to reuse the same public key for a variety of different blind signature functions.

2 Preliminaries

Bilinear Groups. Let $G = \langle g \rangle$ be a cyclic group of prime order $p$ such that $e : G \times G \to G_T$ is a bilinear map, i.e., for all $t, v \in G$ and $a, b \in \mathbb{Z}$ it holds that $e(t^a, v^b) = e(t, v)^{ab}$, and $e$ is non-trivial, i.e., $e(g, g) \neq 1$. Note that $|G_T| = p$.

Camenisch-Lysyanskaya Signature.
Camenisch and Lysyanskaya [CL04] proposed a digital signature scheme (which we will call a CL-signature for short) that is adaptively chosen message secure in the standard model. Our blind signature will be based on this signature scheme and we describe it below:
- The key generation algorithm $\mathsf{gen}_{CL}$: generate the bilinear group parameter $(p, G, G_T, g, e)$; then choose $x, y \leftarrow \mathbb{Z}_p$ and compute $X = g^x$ and $Y = g^y$; set the secret key as $sk = (x, y)$ and the public key as $pk = (p, G, G_T, g, e; X, Y)$.
- The signing algorithm $\mathsf{sign}_{CL}$: on input message $m$, secret key $sk = (x, y)$ and public key $pk = (p, G, G_T, g, e; X, Y)$, choose a random $a \leftarrow G$ and output the signature $\sigma = (a, a^y, a^{x+mxy})$.
- The verification algorithm $\mathsf{verify}_{CL}$: on input public key $pk = (p, G, G_T, g, e; X, Y)$, message $m$ and signature $\sigma = (a, b, c)$, check whether the verification equations $e(a, Y) = e(g, b)$ and $e(X, a)\, e(X, b)^m = e(g, c)$ hold.

The underlying assumption of CL-signatures is called the LRSW assumption, which was introduced by Lysyanskaya et al. [LRSW99]. Note that in that paper it was also shown that this assumption holds for generic groups.

Assumption 2.1 (LRSW Assumption). Given the bilinear group parameters $(p, g, G, G_T, e)$, let $X, Y \in G$ with $X = g^x$, $Y = g^y$, and define $O_{X,Y}(\cdot)$ to be an oracle that, on input a value $m \in \mathbb{Z}_p$, outputs a triple $(a, b, c)$ such that $b = a^y$ and $c = a^{x+mxy}$, where $a \leftarrow G$. Then, for all probabilistic polynomial time adversaries $A$,
$$\Pr\big[\,x, y \leftarrow \mathbb{Z}_p;\ X = g^x;\ Y = g^y;\ (m, a, b, c) \leftarrow A^{O_{X,Y}} :\ m \notin Q \wedge m \in \mathbb{Z}_p \wedge m \neq 0 \wedge a \in G \wedge b = a^y \wedge c = a^{x+mxy}\,\big] \leq \epsilon$$
where $\epsilon$ is a negligible function in the security parameter $\lambda$, and $Q$ is the set of queries that $A$ made to $O_{X,Y}(\cdot)$.

Linear Encryption. Boneh et al. [BBS04] proposed a variant of ElGamal encryption, called Linear Encryption, that is suitable for groups over which the DDH assumption fails. We call it LE for short.
- The key generation algorithm $\mathsf{gen}_{LE}$: the public key $pk$ is a triple of generators $t, v, w \in G$ and the secret key $sk$ is the pair of exponents $x, y \in \mathbb{Z}_p$ such that $t^x = v^y = w$.
- The encryption algorithm $\mathsf{enc}_{LE}$: to encrypt a message $m \in G$, choose random values $a, b \leftarrow \mathbb{Z}_p$ and output the triple $(t^a, v^b, m \cdot w^{a+b})$.
- The decryption algorithm $\mathsf{dec}_{LE}$: given an encryption $(T, V, W)$, recover the plaintext $m$ as $m = \mathsf{dec}_{LE,sk}(T, V, W) = W / (T^x V^y)$.

Linear Encryption is based on the Decision Linear Diffie-Hellman assumption, which was first introduced by Boneh et al. [BBS04]. With $g \in G$ as above, along with arbitrary generators $t, v$ and $w$ of $G$, consider the following problem:

Definition 2.2 (Decision Linear Diffie-Hellman Problem in $G$). Given $t, v, w, t^\alpha, v^\beta, w^\gamma \in G$ as input, output 1 if $\alpha + \beta = \gamma$ and 0 otherwise.

It is believed that DLDH is a hard problem even in bilinear groups where DDH is easy. We define the advantage of an algorithm $A$ in deciding the DLDH problem in $G$ as
$$\mathsf{Adv}^{DLDH}_A = \Big|\Pr\big[1 \leftarrow A(t, v, w, t^\alpha, v^\beta, w^{\alpha+\beta}) : t, v, w \leftarrow G,\ \alpha, \beta \leftarrow \mathbb{Z}_p\big] - \Pr\big[1 \leftarrow A(t, v, w, t^\alpha, v^\beta, \chi) : t, v, w, \chi \leftarrow G,\ \alpha, \beta \leftarrow \mathbb{Z}_p\big]\Big|$$

Assumption 2.3 (Decision Linear Diffie-Hellman Assumption). We say that the Decision Linear Diffie-Hellman assumption holds in $G$ if for all PPT algorithms $A$ it holds that $\mathsf{Adv}^{DLDH}_A$ is negligible in the security parameter $\lambda$.

Paillier Encryption. In our scheme we will employ the public-key encryption introduced by Paillier [Pai99]:
- The key generation algorithm $\mathsf{gen}_{Pai}$: let $p$ and $q$ be random primes for which it holds that $p \neq q$, $|p| = |q|$ and $\gcd(pq, (p-1)(q-1)) = 1$; let $n = pq$, $\pi = \mathrm{lcm}(p-1, q-1)$, $K = \pi^{-1} \bmod n$ and $g = (1 + n)$; the public key is $pk = (n, g)$ while the secret key is $sk = (p, q)$.
- The encryption algorithm $\mathsf{enc}_{Pai}$: the plaintext set is $\mathbb{Z}_n$; given a plaintext $m$, choose a random $\zeta \leftarrow \mathbb{Z}_n^*$ and let the ciphertext be $E_m = \mathsf{enc}_{Pai,pk}(m, \zeta) = g^m \zeta^n \bmod n^2$.
- The decryption algorithm $\mathsf{dec}_{Pai}$: given a ciphertext $E_m$, let $K = \pi^{-1} \bmod n$ and observe that
$$(E_m)^{\pi K} = g^{m\pi K}\, \zeta^{n\pi K} = g^{\,m\pi K \bmod n}\, \zeta^{\,n\pi K \bmod n\pi} = g^{\,m \bmod n}\, \zeta^{\,0 \bmod n\pi} = g^m = 1 + mn \bmod n^2 .$$
Thus, it is possible to recover $m = \dfrac{((E_m)^{\pi K} \bmod n^2) - 1}{n} \bmod n$.

The cryptosystem above has been proven semantically secure if and only if the Decisional Composite Residuosity (DCR) assumption [Pai99] is true. The advantage of an algorithm $A$ in deciding the DCR problem is defined as follows:
$$\mathsf{Adv}^{DCR}_A = \Big|\Pr\big[1 \leftarrow A(z) : z \leftarrow \mathbb{Z}^*_{n^2}\big] - \Pr\big[1 \leftarrow A(z) : z \leftarrow HR^n_{n^2}\big]\Big|$$
where $HR^n_{n^2}$ is the subgroup of $n$-th residues modulo $n^2$.

Assumption 2.4 (Decisional Composite Residuosity Assumption). We say that the DCR assumption holds over $\mathbb{Z}^*_{n^2}$ if for all PPT algorithms $A$ it holds that $\mathsf{Adv}^{DCR}_A$ is negligible in the security parameter $\lambda$.
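The Paillier algorithms above, together with the additive homomorphism that the signing protocol later relies on (the signer's check $\hat{E}_m = g^{s_m}(F_m)^n(E_m)^{d_1} \bmod n^2$ multiplies and exponentiates ciphertexts), are written out below as an added example; this is not code from the paper. It follows $\mathsf{gen}_{Pai}$, $\mathsf{enc}_{Pai}$ and $\mathsf{dec}_{Pai}$ exactly as defined in this section, and the two primes are constructed toy values (the paper uses a 1024-bit $n$). The decryption shows the trapdoor owner extracting $m$ from a ciphertext, which is how Paillier serves as an extractable commitment in the construction.

```python
# Added example (not the paper's code): a minimal Paillier cryptosystem following
# Section 2's gen_Pai / enc_Pai / dec_Pai, used as an extractable commitment:
# anyone can commit with the public (n, g); only the trapdoor owner (p, q) extracts m.
# The primes are constructed toy values (a real n is ~1024 bits).
import secrets
from math import gcd, lcm

def gen_pai(p=1019, q=1013):
    """gen_Pai: n = pq, g = 1 + n; public key (n, g), trapdoor / secret key (p, q)."""
    assert p != q and gcd(p * q, (p - 1) * (q - 1)) == 1
    n = p * q
    return (n, 1 + n), (p, q)

def enc_pai(pk, m, zeta=None):
    """enc_Pai: E_m = g^m * zeta^n mod n^2 with a random zeta in Z_n^*."""
    n, g = pk
    if zeta is None:
        while True:
            zeta = secrets.randbelow(n - 1) + 1
            if gcd(zeta, n) == 1:
                break
    return (pow(g, m, n * n) * pow(zeta, n, n * n)) % (n * n)

def dec_pai(pk, sk, E):
    """dec_Pai: with pi = lcm(p-1, q-1) and K = pi^{-1} mod n,
    E^{pi K} = 1 + m n (mod n^2), so m = ((E^{pi K} mod n^2) - 1) / n."""
    n, _ = pk
    p, q = sk
    pi = lcm(p - 1, q - 1)
    K = pow(pi, -1, n)
    u = pow(E, pi * K, n * n)
    assert (u - 1) % n == 0          # u is of the form 1 + m n
    return ((u - 1) // n) % n

def roundtrip(m):
    """Encrypt under the public key, extract with the trapdoor; returns the recovered m."""
    pk, sk = gen_pai()
    return dec_pai(pk, sk, enc_pai(pk, m))

def homomorphic_demo():
    """The additive homomorphism the signing protocol relies on:
    E_a * E_b encrypts a + b, and E_a^k encrypts k * a (both mod n)."""
    pk, sk = gen_pai()
    n, _ = pk
    a, b, k = 4242, 1000, 17
    E_a, E_b = enc_pai(pk, a), enc_pai(pk, b)
    summed = dec_pai(pk, sk, (E_a * E_b) % (n * n))
    scaled = dec_pai(pk, sk, pow(E_a, k, n * n))
    return summed, scaled
```

The `assert` in `dec_pai` is the sanity check a decryptor should keep: a value outside $\mathbb{Z}^*_{n^2}$, or one produced under a different modulus, does not land in the subgroup $\{1 + mn\}$ after exponentiation by $\pi K$, and silently dividing would return garbage rather than fail.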

Commitment Schemes. A commitment scheme is a protocol with two stages, the commit stage and the decommit stage, between two parties, the committer and the receiver. A commitment scheme consists of a key generation algorithm $\mathsf{gen}$ which can be used to produce a public key $pk$, a commitment algorithm $\mathsf{com}$ which is used by the committer to produce a commitment to the message $m$ and the decommitment information $\zeta$, i.e., $(c, \zeta) \leftarrow \mathsf{com}_{pk}(m)$, and a decommitment verification algorithm $\mathsf{dec}$ which can be used by the receiver to verify the decommitment information $\zeta$ and the message $m$ with respect to the commitment $c$, i.e., $\mathsf{dec}(c, m, \zeta) \in \{0, 1\}$. Frequently the decommitment information $\zeta$ is the random coins used by the commitment algorithm, and we will then write $c \leftarrow \mathsf{com}_{pk}(m, \zeta)$. A commitment scheme will satisfy two properties: hiding, the receiver cannot obtain any information about $m$ given $\mathsf{com}_{pk}(m, \zeta)$; and binding, the committer cannot change his mind about $m$ later, i.e., he cannot change the decommitment verification information $(m, \zeta)$ into some $(m', \zeta')$ where $m \neq m'$, so that $c \leftarrow \mathsf{com}_{pk}(m, \zeta)$ and $\mathsf{dec}(c, m', \zeta') = 1$. In an extractable commitment, there is trapdoor information $xk$ associated to each public key $pk$ that allows the trapdoor owner to compute $m$ from any $\mathsf{com}_{pk}(m, \zeta)$. In an equivocable commitment, on the other hand, there is trapdoor information $ek$ associated to each public key $pk$ that allows a committer who is a trapdoor owner to compute $\zeta'$, given any $m, \zeta, m'$ and $c \leftarrow \mathsf{com}_{pk}(m, \zeta)$, so that $\mathsf{dec}(c, m', \zeta') = 1$.

Common Reference String Model. In the common reference string (CRS) model, we assume that each player can access a common string that is guaranteed to come from a prescribed distribution. Furthermore, no player (including the adversaries) will know the trapdoor information related to the procedure of choosing the string. The trapdoor will be known to the simulator in the proof of security. In practice, a trusted third party can generate the CRS by running the CRS generator $K$, i.e., $(crs, \tau) \leftarrow K(1^\lambda)$, and discarding the trapdoor $\tau$. The string $crs$ is published, and all parties receive it as additional input.

3 Formal Model for Blind Signatures

In this section, we revisit in detail the formal model for blind signatures as introduced in [JLO97] and we reformulate it in the common reference string (CRS) model. We stress again that some trusted setup assumption is necessary in the light of Lindell's negative result for blind signatures [Lin03] in the bare concurrent model.

3.1 Blind Signature Scheme

Definition 3.1 (Blind Signature Scheme). A blind digital signature scheme is a four-tuple consisting of two interactive Turing machines $(S, U)$ and two algorithms $(\mathsf{gen}, \mathsf{verify})$. Here $S$ denotes the signer and $U$ the user.
- $\mathsf{gen}(1^\lambda)$ is a probabilistic polynomial time key-generation algorithm which takes as input a security parameter $1^\lambda$ and outputs a pair $(pk, sk)$ of public and secret keys.
- $S(pk, sk)$ and $U(pk, m)$ is a pair of polynomially time bounded probabilistic interactive Turing machines, where both machines have the following tapes: a read-only input tape, a write-only output tape, a read/write work tape, a read-only random tape, and two communication tapes, a read-only and a write-only one. They are both given on their input tapes as a common input a $pk$ produced by the key generation algorithm. Additionally, $S$ is given on his input tape the corresponding secret key $sk$, and $U$ is given on his input tape a message $m$, where the length of all inputs must be polynomial in the security parameter $1^\lambda$. Both $U$ and $S$ engage in an interactive protocol for some polynomial in $\lambda$ number of moves. At the end of this protocol $S$ outputs either completed or not-completed, and $U$ outputs either $\sigma$ or $\bot$.
- $\mathsf{verify}(m, \sigma, pk)$ is a deterministic polynomial time algorithm which outputs 1 or 0.
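The equivocable commitment used throughout the scheme is the Pedersen-like commitment whose trapdoor lives in $crs_1$ (Section 4.1): the committer publishes $C = g^{\omega} h^{\mu}$, and whoever knows the exponent relating $h$ to $g$ can later open $C$ to any $\omega'$. The following added example (not the paper's code) shows both sides of that coin in a toy prime-order group: the honest opening, an equivocated opening computed with the trapdoor, and the converse fact that two distinct openings of one commitment reveal the trapdoor, which is why binding reduces to DLOG. The group ($P = 1019$, order $Q = 509$, generator 4) and the names `crs_gen`, `commit`, `equivocate` and `extract_trapdoor` are this example's own choices; the paper uses an elliptic curve group of about 171-bit order.

```python
# Added example (not from the paper): Pedersen commitment over a toy prime-order group,
# with the CRS trapdoor used to equivocate an opening, and trapdoor extraction from a
# binding break.  Constructed toy parameters: P = 1019 is a safe prime, Q = 509 is prime,
# and g = 4 generates the order-Q subgroup of Z_P^*.
import secrets

P = 1019
Q = 509
g = 4

def crs_gen():
    """CRS generator K for crs_1: returns ((g, h), trapdoor) with h = g^tau."""
    tau = secrets.randbelow(Q - 1) + 1
    h = pow(g, tau, P)
    return (g, h), tau

def commit(crs, omega, mu=None):
    """C = g^omega * h^mu with fresh randomness mu in Z_Q; returns (C, mu)."""
    g_, h = crs
    if mu is None:
        mu = secrets.randbelow(Q)
    return (pow(g_, omega, P) * pow(h, mu, P)) % P, mu

def verify_opening(crs, c, omega, mu):
    """The receiver's check dec(c, omega, mu)."""
    g_, h = crs
    return c == (pow(g_, omega, P) * pow(h, mu, P)) % P

def equivocate(tau, omega, mu, omega_new):
    """With the trapdoor, open a commitment to omega (randomness mu) as omega_new:
    g^omega h^mu = g^(omega + tau*mu), so we need omega + tau*mu = omega_new + tau*mu'."""
    return (mu + (omega - omega_new) * pow(tau, -1, Q)) % Q

def extract_trapdoor(omega, mu, omega2, mu2):
    """Binding rests on DLOG: two openings of the same c with omega != omega2 give
    g^(omega - omega2) = h^(mu2 - mu), i.e. tau = (omega - omega2) / (mu2 - mu) mod Q."""
    return (omega - omega2) * pow((mu2 - mu) % Q, -1, Q) % Q

def demo(omega=123, omega_new=77):
    """Returns (honest opening ok, wrong message rejected, equivocated opening ok,
    trapdoor recovered from the two openings)."""
    crs, tau = crs_gen()
    c, mu = commit(crs, omega)
    honest = verify_opening(crs, c, omega, mu)
    wrong = verify_opening(crs, c, omega_new, mu)      # same mu, other message: must fail
    mu2 = equivocate(tau, omega, mu, omega_new)
    equivocated = verify_opening(crs, c, omega_new, mu2)
    recovered = extract_trapdoor(omega, mu, omega_new, mu2) == tau
    return honest, wrong, equivocated, recovered
```

This is exactly why the CRS trapdoor must be discarded after generation: a party holding it can open $\mathsf{commitment}_U$ or $\mathsf{commitment}_S$ to whatever first move suits it, which is what the simulator needs in the security proof and what no real participant may be able to do.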

The correctness requirement for the above is that for any message $m$, and for all random choices of the key generation algorithm, if both $S$ and $U$ follow the protocol then $S$ always outputs completed, and if the output of the user is $\sigma$ then $\mathsf{verify}(m, \sigma, pk) = 1$. Note that in the CRS model, both $S$ and $U$ receive the string $crs$ as additional input.

3.2 Blindness and Unforgeability

The security properties for blind signatures defined in [JLO97] are blindness and unforgeability. Below we revisit their modelling and give detailed definitions for these properties in the CRS model.

Definition 3.2 (Blindness). Assume $(crs, \tau) \leftarrow K(1^\lambda)$ and $(pk, sk) \leftarrow \mathsf{gen}(1^\lambda)$. We define an oracle $I_\phi$ with public input $(1^\lambda, crs, pk)$ which simulates two user instantiations $U_L$ and $U_R$, where $\phi \in \{0, 1\}$. The adversary $A$ will be communicating with this oracle, trying to predict $\phi$ given input $(1^\lambda, crs, pk, sk)$. The oracle $I_\phi$ operates as follows:
- Given $\langle \mathsf{challenge}, m_0, m_1 \rangle$, the oracle $I_\phi$ simulates two user instantiations $U_L$ and $U_R$ with input the public key $pk$ and the messages $m_\phi$ and $m_{1-\phi}$ respectively. The oracle $I_\phi$ keeps a database with the state of each user instantiation; the state includes all coin tosses of the user instantiation and the contents of all tapes, including the communication tape. The oracle uses $st_L$ (resp. $st_R$) to record the state of $U_L$ (resp. $U_R$).
- Given $\langle \mathsf{advance}, \rho, msg \rangle$, where $\rho \in \{L, R\}$, the oracle $I_\phi$ recovers the state $st_\rho$ and simulates the user instantiation $U_\rho$ with $msg$ until $U_\rho$ either terminates or returns a response to the signer. If $U_\rho$ returns a response, then $I_\phi$ returns this to $A$. The oracle will record the current state $st$, i.e., $st_\rho = st_\rho \,\|\, st$. Note that this kind of query can be executed several times, depending on the number of moves of the blind signature protocol.
- Given $\langle \mathsf{terminate}, msg_L, msg_R \rangle$, the oracle $I_\phi$ recovers the state $st_L$ (resp. $st_R$) and simulates the user instantiation $U_L$ (resp. $U_R$) with $msg_L$ (resp. $msg_R$) until $U_L$ (resp. $U_R$) terminates or fails.
If both user instantiations terminate successfully and output two signatures, then the oracle returns these signatures to $A$; otherwise it returns $(\bot, \bot)$. Given any probabilistic polynomial time $A$, we define its advantage against blindness as
$$\mathsf{Adv}^{blind}_A(\lambda) = \Big|\Pr\big[\phi \leftarrow A^{I_\phi(1^\lambda, crs, pk)}(1^\lambda, crs, pk, sk) : \phi \leftarrow \{0, 1\},\ (crs, \tau) \leftarrow K(1^\lambda),\ (pk, sk) \leftarrow \mathsf{gen}(1^\lambda)\big] - \tfrac{1}{2}\Big|$$
and say that the blind signature scheme satisfies the blindness property if $\mathsf{Adv}^{blind}_A(\lambda)$ is negligible in $\lambda$.

Definition 3.3 (Unforgeability). We define an oracle $I$ that simulates concurrently an arbitrary number of signer instantiations. The oracle accepts two types of queries, defined as follows:
- $\langle \mathsf{start}, msg \rangle$. The oracle $I$ selects a session identifier $sid$ and simulates the signer instantiation $S$ with $msg$ until $S$ either terminates or returns a response. If the signer instance returns a response to the user, $I$ returns this together with the session identifier $sid$ as the answer to the oracle query. The oracle $I$ keeps a database with the state of $S$ for the session identifier $sid$; the state includes all coin tosses of $S$ and the contents of all tapes, including the communication tape.
- $\langle \mathsf{advance}, sid, msg \rangle$. The oracle $I$ looks up the table of sessions and recovers the state of $S$ for the session with identifier $sid$ (if session $sid$ exists). Subsequently, $I$ writes $msg$ on the communication tape of $S$ and simulates it until it either terminates or returns a response to the user. If it returns a message to the user, $I$ returns this as the answer to the oracle query. If no such session identifier exists, the oracle returns fail.

The oracle $I$ maintains a counter $l$ that counts the number of times the oracle has successfully terminated a signer session. Each time $I$ successfully terminates a signer session it increases the counter $l$ by 1. A one-more forgery adversary against the blind signature is a polynomial-time probabilistic machine $A$ that is given as input $(1^\lambda, crs, pk)$, where $(crs, \tau) \leftarrow K(1^\lambda)$ and $(pk, sk) \leftarrow \mathsf{gen}(1^\lambda)$. The adversary $A$ interacts with $I(crs, pk, sk)$ and terminates by returning a sequence $(m_1, \sigma_1), \ldots, (m_{l'}, \sigma_{l'})$ where $m_i \neq m_j$ for all $i, j : 1 \leq i \neq j \leq l'$. We define the advantage of $A$ in the above attack by
$$\mathsf{Adv}^{unforge}_A(\lambda) = \Pr\Big[\textstyle\bigwedge_{i=1}^{l'} \big(1 \leftarrow \mathsf{verify}(pk, m_i, \sigma_i)\big) \wedge (l' > l)\Big]$$
and say that the blind signature scheme is unforgeable if $\mathsf{Adv}^{unforge}_A(\lambda)$ is negligible in $\lambda$.

4 The Proposed Scheme

4.1 Setup and Generation of Keys

We start the description of our construction with the setup definition as well as the way the involved parties, the user and the signer, generate their keys.

Public Parameters. The public parameter $pub$ contains general information about all protocol executions as well as a specific, appropriately selected bilinear group parameter $(p, G, G_T, g, e)$.

Common Reference String. Next we describe how the common reference string $crs$ is selected. It includes two parts, $crs_1$ and $crs_2$. First, we generate parameters for a Pedersen-like [Ped91] commitment scheme over an elliptic curve group: let $G = \langle g \rangle$ be a cyclic elliptic curve group of prime order $Q$ (a separate group from the bilinear group of $pub$); select a random exponent in $\mathbb{Z}_Q$ and compute $h$ as $g$ raised to that exponent; set $crs_1 = \langle Q, g, h, G, H \rangle$, where $H : \{0, 1\}^* \to \mathbb{Z}_Q$ is a collision resistant hash function, and set the trapdoor $\tau_1$ to be that exponent. Then we generate parameters for the Paillier encryption: let $p$ and $q$ be random primes for which it holds that $p \neq q$, $|p| = |q|$ and $\gcd(pq, (p-1)(q-1)) = 1$; let $n = pq$ and $g = (1 + n)$; set $crs_2 = \langle n, g \rangle$ and the trapdoor $\tau_2 = \langle p, q \rangle$. Now we have $crs = (crs_1, crs_2)$; the two trapdoors $\tau_1, \tau_2$, as well as any random coins used for the generation of $crs$, are discarded.

Signer Parameters. The signer $S$ uses the algorithm $\mathsf{gen}$ to generate his public and secret parameters based on $pub$. The signer selects $x, y \leftarrow \mathbb{Z}_p$ and computes $X = g^x$ and $Y = g^y$. Then it sets $PK_S = \langle X, Y \rangle$ and $SK_S = \langle x, y \rangle$; this is the key pair of $S$. We note that the parameters selected above are assumed to be long-lived, i.e., they will be used for many executions of the signing protocol. On the other hand, the user has no long-lived parameters. Still, as part of each signing protocol the user will select some public and secret key that will have the lifetime of one signing protocol execution. We stress that this is not a necessity, and each user may also keep his public-key parameters the same across signing protocol executions; in fact these parameters can be part of a PKI that all users are members of. This will make the protocol's time-complexity somewhat more efficient on the side of the user (but will have the cost of maintaining a user PKI).

User Parameters. Each user $U$ generates his key pair on the fly: he selects $w \leftarrow G \setminus \{1\}$ and $\delta, \xi \leftarrow \mathbb{Z}_p$, and sets $t, v \in G$ such that $t^\delta = v^\xi = w$. He sets $PK_U = \langle t, v, w \rangle$ as his public key and keeps $SK_U = \langle \delta, \xi \rangle$ secret as his secret key.

Choice of Parameter Lengths. The lengths of the parameters $p, n, Q$ are $\nu_p, \nu_n, \nu_Q$ respectively and should be selected so that the following are satisfied: (i) the DLDH assumption holds over the bilinear group parameter $(p, G, G_T, g, e)$; (ii) the LRSW assumption holds over the bilinear group parameter $(p, G, G_T, g, e)$; (iii) the discrete-logarithm (DLOG) assumption holds over the elliptic curve cyclic group $G$ of $crs_1$; (iv) the DCR assumption holds over $\mathbb{Z}^*_{n^2}$. Based on the present state of the art with respect to the solvability of the above problems, a possible choice of the parameters is for example $\nu_p = 171$ bits, $\nu_n = 1024$ bits, $\nu_Q = 171$ bits.

4.2 Signing Protocol

We give a high-level description of our protocol before presenting it in detail. (1) First, both the user and the signer obtain the public inputs $pub$, $crs$ and $PK_S$; the signer gets the private input $SK_S$, and the user gets the private input message $m$. (2) Then the user generates his key pair $(PK_U, SK_U)$ for Linear Encryption and keeps $SK_U$ secret; the user generates a Paillier ciphertext for the message $m$, which is used as an extractable commitment; the user generates a special Linear Encryption ciphertext for $m$, which will be signed by the signer. (3) To guarantee that the Linear Encryption ciphertext and the Paillier ciphertext are consistent, the user interleaves within the protocol execution a 3-move Σ-protocol that shows the consistency of the commitment and the encryption. This protocol employs an equivocal Pedersen commitment scheme to allow zero-knowledge in the concurrent setting (cf. [Dam00]). When the signer successfully verifies the 3-move protocol initiated by the user, he transforms the Linear Encryption ciphertext using his signing key $SK_S$ and appropriately rerandomizes it. This results in an encryption of a CL-signature, which will be recovered by the user using his secret key $SK_U$. (4) To guarantee that the signer follows the protocol specifications, the signer is required to interleave a 3-move Σ-protocol as well, in order to show that he is applying his secret key appropriately on the Linear Encryption ciphertext provided by the user. Again we employ an equivocal Pedersen commitment to allow for concurrent zero-knowledge. (5) When the user successfully verifies the final step of the signing protocol computation, he decrypts the CL-signature from the signer's ciphertext using his secret key $SK_U$ and obtains a CL-signature for the message $m$. Then he refreshes the randomness of the signature, taking advantage of the randomness homomorphic property of CL-signatures.

Σ-protocols and Round-complexity. In our signing protocol we employ two Σ-protocols, one from each side of the interaction. Both these protocols have the form $\langle \mathsf{commitment}; \mathsf{challenge}; \mathsf{response}, \mathsf{decommitment} \rangle$. A subtle difficulty in the design of our protocol is that if the two Σ-protocols are executed sequentially they result in an overall round complexity of six moves. In order to maintain the four-move protocol complexity we want to start the Σ-protocol for the signer side before the user side Σ-protocol terminates. Nevertheless, this would violate the security property of our scheme, so, in order to allow an early start of the signer side Σ-protocol, we have the signer commit to the value he will prove a statement about and open the commitment only in case the user's side Σ-protocol verifies. We outline the high-level description of our signing protocol in Figure 1. In the first step, the user $U$ prepares two different encryptions of his private input $m$, called $E_m$ and $\langle T, V, W \rangle$. Moreover, it computes the first move of a Σ-protocol that shows the consistency of the two encryptions and commits to it in $\mathsf{commitment}_U$. In the second step, the signer prepares an encryption $\psi$ that can be decrypted by the user into a CL-signature, but does not yet transmit this value to the user. Instead, it prepares the first move of a Σ-protocol that shows that he computed $\psi$ correctly and commits to $\psi$ as well as the first move in $\mathsf{commitment}_S$. In the third step, the user, given the challenge of the signer, completes the Σ-protocol that shows he computed the two encryptions $E_m$ and $\langle T, V, W \rangle$ in a consistent way and transmits to the signer the decommitment information necessary to verify the consistency of the ciphertexts. In the fourth step, the signer verifies the Σ-protocol of the user and, if it is accepted, the signer completes his Σ-protocol and transmits to the user the encryption $\psi$ as well as the decommitment information necessary to verify the claim that $\psi$ is correctly computed based on the signer's public key. Finally the user verifies the Σ-protocol and, if accepted, outputs the computed blind signature. The detailed description of the protocol is shown in Figure 2. Note that $d_1 < p$ and $d_2 < p$, i.e., $\lambda_1 < \nu_p$ and $\lambda_2 < \nu_p$. For example $\lambda_0 = \lambda_1 = \lambda_2 = 80$ bits.

Figure 1: Overview of our blind signature generation protocol.

User $U$: $(PK_U, SK_U) \leftarrow \mathsf{gen}_{LE}(1^\lambda)$; $E_m \leftarrow \mathsf{enc}_{Pai}(m)$; use $\mathsf{enc}_{LE}(\cdot)$ and $m$ to produce an appropriate ciphertext $\langle T, V, W \rangle$; compute the first move of the user side Σ-proof and commit it into $\mathsf{commitment}_U$.
Move 1 ($U \to S$): $PK_U, E_m, \langle T, V, W \rangle, \mathsf{commitment}_U$.

Signer $S$: use the homomorphic properties of Linear Encryption and of CL-signatures and transform $\langle T, V, W \rangle$ into an encryption $\psi$ of a CL-signature $\sigma$ on the message $m$; compute the first move of the signer side Σ-proof and commit it together with $\psi$ into $\mathsf{commitment}_S$.
Move 2 ($S \to U$): $\mathsf{challenge}_U, \mathsf{commitment}_S$.

Move 3 ($U \to S$): $\mathsf{response}_U, \mathsf{decommitment}_U, \mathsf{challenge}_S$.

Signer $S$: verify the 3-move Σ-protocol $\langle \mathsf{commitment}_U; \mathsf{challenge}_U; \mathsf{response}_U, \mathsf{decommitment}_U \rangle$.
Move 4 ($S \to U$): $\mathsf{response}_S, \mathsf{decommitment}_S$.

User $U$: verify the 3-move Σ-protocol $\langle \mathsf{commitment}_S; \mathsf{challenge}_S; \mathsf{response}_S, \mathsf{decommitment}_S \rangle$, then get $\psi$ from $\mathsf{decommitment}_S$ and decrypt it to obtain the signature.

4.3 Signature Verification

Given a message-signature pair $(m; \sigma)$, where $\sigma = \langle a, b, c \rangle$, the verification algorithm is based on the two verification equations below: $e(a, Y) = e(g, b)$ and $e(X, a)\, e(X, b)^m = e(g, c)$.

4.4 Correctness and Security

The correctness and security of our scheme are captured by Theorem 4.1, Theorem 4.3 and Theorem 4.5, as described here.

Correctness

Theorem 4.1 (Correctness). If the signer and the user follow the signing protocol, the resulting signature satisfies the verification with probability 1.

Proof. First, we check the correctness of the verification equations for the Σ-protocols.

Figure 2: Blind signature generation protocol.

Common inputs: $crs = \langle Q, g, h, G, H;\ n, g \rangle$; $pub = \langle p, g, G, G_T, e \rangle$; $PK_S = \langle X, Y \rangle$.
User $U$ private input: $MSG = m$, $m \in [0, 2^{\nu_p}]$. Signer $S$ private input: $SK_S = \langle x, y \rangle$.

User, step 1:
$(PK_U, SK_U) \leftarrow \mathsf{gen}_{LE}(1^\lambda)$ with $PK_U = \langle t, v, w \rangle$, $SK_U = \langle \delta, \xi \rangle$.
$\hat{m} \leftarrow \pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$; $A_m, B_m \leftarrow \mathbb{Z}_n^*$; $\alpha, k, l, \hat{k}, \hat{l} \leftarrow \mathbb{Z}_p$; $\theta \leftarrow G \setminus \{1\}$; $\mu_1 \leftarrow \mathbb{Z}_Q$.
$E_m = g^m (A_m)^n \bmod n^2$, $\hat{E}_m = g^{\hat{m}} (B_m)^n \bmod n^2$.
$T = t^k$, $V = v^l$, $W = \theta^m w^{k+l}$; $\hat{T} = t^{\hat{k}}$, $\hat{V} = v^{\hat{l}}$, $\hat{W} = \theta^{\hat{m}} w^{\hat{k}+\hat{l}}$.
$\omega_1 = H(\hat{E}_m, \hat{T}, \hat{V}, \hat{W})$, $C_1 = g^{\omega_1} h^{\mu_1}$.
Move 1 ($U \to S$): $PK_U, E_m, \theta, T, V, W, C_1$.

Signer, step 2:
$d_1 \leftarrow \{0, 1\}^{\lambda_1}$; $\alpha', k', l', \hat{x}, \hat{k}', \hat{l}' \leftarrow \mathbb{Z}_p$; $\mu_2 \leftarrow \mathbb{Z}_Q$.
$a' = \theta^{\alpha'}$, $b' = \theta^{y\alpha'}$.
$T' = T^{xy\alpha'} t^{k'\alpha'}$, $V' = V^{xy\alpha'} v^{l'\alpha'}$, $W' = W^{xy\alpha'} \theta^{x\alpha'} w^{(k'+l')\alpha'}$.
$L_T = e(t, b')^{\hat{x}} e(t, a')^{\hat{k}'}$, $L_V = e(v, b')^{\hat{x}} e(v, a')^{\hat{l}'}$, $L_W = \big(e(w, b')\, e(\theta, a')\big)^{\hat{x}} e(w, a')^{\hat{k}'+\hat{l}'}$.
$\omega_2 = H(a', b', T', V', W', L_T, L_V, L_W)$, $C_2 = g^{\omega_2} h^{\mu_2}$.
Move 2 ($S \to U$): $d_1, C_2$.

User, step 3:
$d_2 \leftarrow \{0, 1\}^{\lambda_2}$.
$s_m = \hat{m} - d_1 m$ (in $\mathbb{Z}$), $s_k = \hat{k} - d_1 k$, $s_l = \hat{l} - d_1 l$, $F_m = B_m (A_m)^{-d_1} \bmod n$.
Move 3 ($U \to S$): $d_2, s_m, s_k, s_l, F_m, \hat{E}_m, \hat{T}, \hat{V}, \hat{W}, \mu_1$.

Signer, step 4:
Check $E_m \in \mathbb{Z}^*_{n^2}$ and $s_m \in \pm[0, 2^{\lambda_0+\lambda_1+\nu_p+1}]$; compute $\omega_1 = H(\hat{E}_m, \hat{T}, \hat{V}, \hat{W})$ and check
$C_1 \stackrel{?}{=} g^{\omega_1} h^{\mu_1}$, $\hat{E}_m \stackrel{?}{=} g^{s_m} (F_m)^n (E_m)^{d_1} \bmod n^2$, $\hat{T} \stackrel{?}{=} t^{s_k} T^{d_1}$, $\hat{V} \stackrel{?}{=} v^{s_l} V^{d_1}$, $\hat{W} \stackrel{?}{=} \theta^{s_m} w^{s_k+s_l} W^{d_1}$.
$s_x = \hat{x} - d_2 x$, $s_{k'} = \hat{k}' - d_2 k'$, $s_{l'} = \hat{l}' - d_2 l'$.
Move 4 ($S \to U$): $s_x, s_{k'}, s_{l'}, a', b', T', V', W', L_T, L_V, L_W, \mu_2$.

User, step 5:
Compute $\omega_2 = H(a', b', T', V', W', L_T, L_V, L_W)$ and check
$C_2 \stackrel{?}{=} g^{\omega_2} h^{\mu_2}$, $e(a', Y) \stackrel{?}{=} e(b', g)$,
$L_T \stackrel{?}{=} e(t, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2}$, $L_V \stackrel{?}{=} e(v, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2}$, $L_W \stackrel{?}{=} \big(e(w, b')\, e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e(W', \theta)^{d_2}$.
$a = (a')^\alpha$, $b = (b')^\alpha$, $c = \big(W' / (T'^{\delta} V'^{\xi})\big)^\alpha$; $\sigma = \langle a, b, c \rangle$; output $(m; \sigma)$.
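The user-side Σ-protocol of Figure 2 is the part of the construction that Lemma 4.2 rests on: the signer accepts only if the Paillier commitment $E_m$ and the Linear Encryption $\langle T, V, W \rangle$ carry the same plaintext. The following added example, which is not the paper's code, runs that exchange end to end in plain Python, covering the Linear Encryption of Section 2 (key generation as in Section 4.1, encryption, decryption) and the user's first move, response and the signer's checks from Figure 2. The signer's pairing-based half and the Pedersen opening of $C_1$ are left out, since a bilinear group is not available offline. Everything numeric is a constructed toy parameter ($P = 1019$ with an order-509 subgroup, a Paillier modulus $1019 \cdot 1013$, and 4-bit $\lambda_0, \lambda_1$ where the paper uses 80), and the function names are this example's own. The last function also runs the dishonest case the lemma is about, a user who puts different plaintexts in the two encryptions, and shows the signer rejecting for a non-zero challenge.

```python
# Added example (not the paper's code): the user-side 3-move Sigma-protocol of
# Figure 2, which convinces the signer that the Paillier commitment E_m and the
# Linear Encryption <T, V, W> hold the same plaintext (Lemma 4.2).  The signer's
# pairing-based half is omitted: it needs a bilinear group, which plain Python lacks.
# All group parameters below are constructed toy values, not the paper's.
import secrets
from math import gcd

P, p, G_GEN = 1019, 509, 4      # order-p subgroup <4> of Z_P^*, p prime (paper: ~171-bit)
N = 1019 * 1013                 # toy Paillier modulus n (paper: ~1024-bit); g = 1 + n
N2, G_PAI = N * N, 1 + N
LAMBDA0 = LAMBDA1 = 4           # toy statistical / challenge lengths (paper: 80 bits)
NU_P = 9                        # messages m lie in [0, 2^NU_P], here below p

def rand_G():
    """Random non-identity element of the order-p subgroup."""
    return pow(G_GEN, secrets.randbelow(p - 1) + 1, P)

def rand_Zn_star():
    while True:
        z = secrets.randbelow(N - 1) + 1
        if gcd(z, N) == 1:
            return z

def gen_le():
    """gen_LE as in Section 4.1: pick w, delta, xi and set t, v with t^delta = v^xi = w."""
    w, delta, xi = rand_G(), secrets.randbelow(p - 1) + 1, secrets.randbelow(p - 1) + 1
    t = pow(w, pow(delta, -1, p), P)
    v = pow(w, pow(xi, -1, p), P)
    return (t, v, w), (delta, xi)

def dec_le(sk, T, V, W):
    """dec_LE: W / (T^delta V^xi); for Figure 2's ciphertext this recovers theta^m."""
    delta, xi = sk
    return W * pow(pow(T, delta, P) * pow(V, xi, P), -1, P) % P

def user_first_move(pk_u, theta, m_pai, m_le):
    """Message 1 and the Sigma-protocol first move (the values hashed into C_1).
    m_pai / m_le are the plaintexts put into Paillier / LE; an honest user uses one m."""
    t, v, w = pk_u
    A, B = rand_Zn_star(), rand_Zn_star()
    k, l = secrets.randbelow(p), secrets.randbelow(p)
    E_m = pow(G_PAI, m_pai, N2) * pow(A, N, N2) % N2
    T, V, W = pow(t, k, P), pow(v, l, P), pow(theta, m_le, P) * pow(w, k + l, P) % P
    bound = 1 << (LAMBDA0 + LAMBDA1 + NU_P)
    m_hat = secrets.randbelow(2 * bound + 1) - bound       # m_hat in +-[0, 2^(l0+l1+nu_p)]
    k_hat, l_hat = secrets.randbelow(p), secrets.randbelow(p)
    E_hat = pow(G_PAI, m_hat, N2) * pow(B, N, N2) % N2
    T_hat, V_hat = pow(t, k_hat, P), pow(v, l_hat, P)
    W_hat = pow(theta, m_hat, P) * pow(w, k_hat + l_hat, P) % P
    state = dict(m=m_le, A=A, B=B, k=k, l=l, m_hat=m_hat, k_hat=k_hat, l_hat=l_hat)
    return (E_m, T, V, W), (E_hat, T_hat, V_hat, W_hat), state

def user_response(state, d1):
    """Message 3 after receiving the signer's challenge d1 in {0,1}^LAMBDA1."""
    s_m = state["m_hat"] - d1 * state["m"]                # over the integers
    s_k = (state["k_hat"] - d1 * state["k"]) % p
    s_l = (state["l_hat"] - d1 * state["l"]) % p
    F_m = state["B"] * pow(state["A"], -d1, N) % N
    return s_m, s_k, s_l, F_m

def signer_verify(pk_u, theta, msg1, first_move, d1, resp):
    """The signer's checks from Figure 2 (the Pedersen opening of C_1 is left out)."""
    t, v, w = pk_u
    E_m, T, V, W = msg1
    E_hat, T_hat, V_hat, W_hat = first_move
    s_m, s_k, s_l, F_m = resp
    ok = gcd(E_m, N2) == 1 and abs(s_m) <= 1 << (LAMBDA0 + LAMBDA1 + NU_P + 1)
    ok = ok and E_hat == pow(G_PAI, s_m, N2) * pow(F_m, N, N2) * pow(E_m, d1, N2) % N2
    ok = ok and T_hat == pow(t, s_k, P) * pow(T, d1, P) % P
    ok = ok and V_hat == pow(v, s_l, P) * pow(V, d1, P) % P
    ok = ok and W_hat == pow(theta, s_m, P) * pow(w, s_k + s_l, P) * pow(W, d1, P) % P
    return ok

def run(m_pai, m_le, d1=None):
    """Full user-side exchange; returns (signer accepts?, LE decrypts to theta^m_le?)."""
    pk_u, sk_u = gen_le()
    theta = rand_G()
    if d1 is None:
        d1 = secrets.randbelow(1 << LAMBDA1)
    msg1, first_move, state = user_first_move(pk_u, theta, m_pai, m_le)
    accepted = signer_verify(pk_u, theta, msg1, first_move, d1, user_response(state, d1))
    E_m, T, V, W = msg1
    return accepted, dec_le(sk_u, T, V, W) == pow(theta, m_le, P)
```

With `run(300, 300)` the signer accepts for every challenge; with `run(300, 301, d1=5)` the Paillier equation fails because $g^{s_m + d_1 m_{pai}} = g^{\hat{m} - d_1(m_{le} - m_{pai})} \neq g^{\hat{m}}$, while the Linear Encryption still decrypts to $\theta^{301}$. Only the challenge $d_1 = 0$ lets the inconsistent user through, which is the $2^{-\lambda_1}$ of Lemma 4.2 (here $2^{-4}$ because of the toy challenge length). The range check on $s_m$ is not cosmetic: $\hat{m}$ is drawn $\lambda_0$ bits wider than $d_1 m$ so that $s_m$ statistically hides $m$, and the signer's bound on $s_m$ is what keeps a cheating user from exploiting the integer (rather than modular) response.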

$$\hat E_m = \mathsf{g}^{\hat m}(B_m)^n \bmod n^2 = \mathsf{g}^{s_m + d_1 m}\big(F_m (A_m)^{d_1}\big)^n \bmod n^2 = \big(\mathsf{g}^{s_m}(F_m)^n\big)\big(\mathsf{g}^{m}(A_m)^n\big)^{d_1} \bmod n^2 = \mathsf{g}^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2,$$
$$\hat W = \theta^{\hat m} w^{\hat k+\hat l} = \theta^{s_m + d_1 m} w^{(s_k+s_l) + d_1(k+l)} = \big(\theta^{s_m} w^{s_k+s_l}\big)\big(\theta^{m} w^{k+l}\big)^{d_1} = \theta^{s_m} w^{s_k+s_l} W^{d_1},$$
$$\hat T = t^{\hat k} = t^{s_k + d_1 k} = t^{s_k}(t^k)^{d_1} = t^{s_k} T^{d_1}, \qquad \hat V = v^{\hat l} = v^{s_l + d_1 l} = v^{s_l}(v^l)^{d_1} = v^{s_l} V^{d_1};$$
$$\begin{aligned}
L_T &= e(T, b')^{\hat x} e(t, a')^{\hat k'} = e(T, b')^{s_x + d_2 x} e(t, a')^{s_{k'} + d_2 k'} = e(T, b')^{s_x} e(t, a')^{s_{k'}} \big(e(T, b')^{x} e(t, a')^{k'}\big)^{d_2}\\
&= e(T, b')^{s_x} e(t, a')^{s_{k'}} \big(e(T, \theta^{y\alpha'})^{x} e(t, \theta^{\alpha'})^{k'}\big)^{d_2} = e(T, b')^{s_x} e(t, a')^{s_{k'}} \big(e(T^{xy\alpha'}, \theta)\, e(t^{k'\alpha'}, \theta)\big)^{d_2}\\
&= e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T^{xy\alpha'} t^{k'\alpha'}, \theta)^{d_2} = e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2},
\end{aligned}$$
$$\begin{aligned}
L_V &= e(V, b')^{\hat x} e(v, a')^{\hat l'} = e(V, b')^{s_x + d_2 x} e(v, a')^{s_{l'} + d_2 l'} = e(V, b')^{s_x} e(v, a')^{s_{l'}} \big(e(V, b')^{x} e(v, a')^{l'}\big)^{d_2}\\
&= e(V, b')^{s_x} e(v, a')^{s_{l'}} \big(e(V, \theta^{y\alpha'})^{x} e(v, \theta^{\alpha'})^{l'}\big)^{d_2} = e(V, b')^{s_x} e(v, a')^{s_{l'}} \big(e(V^{xy\alpha'}, \theta)\, e(v^{l'\alpha'}, \theta)\big)^{d_2}\\
&= e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V^{xy\alpha'} v^{l'\alpha'}, \theta)^{d_2} = e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2},
\end{aligned}$$
$$\begin{aligned}
L_W &= \big(e(W, b')\,e(\theta, a')\big)^{\hat x} e(w, a')^{\hat k'+\hat l'} = \big(e(W, b')\,e(\theta, a')\big)^{s_x + d_2 x} e(w, a')^{(s_{k'}+s_{l'}) + d_2(k'+l')}\\
&= \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} \Big(\big(e(W, b')\,e(\theta, a')\big)^{x} e(w, a')^{k'+l'}\Big)^{d_2}\\
&= \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} \Big(\big(e(W, \theta^{y\alpha'})\,e(\theta, \theta^{\alpha'})\big)^{x} e(w, \theta^{\alpha'})^{k'+l'}\Big)^{d_2}\\
&= \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e\big(W^{xy\alpha'} \theta^{x\alpha'} w^{(k'+l')\alpha'}, \theta\big)^{d_2} = \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e(W', \theta)^{d_2}.
\end{aligned}$$

Then we check the correctness of the CL-signature:
$$a = (a')^{\alpha} = \theta^{\alpha\alpha'}, \qquad b = (b')^{\alpha} = (\theta^{y})^{\alpha\alpha'} = (\theta^{\alpha\alpha'})^{y} = a^{y},$$
$$\begin{aligned}
c &= \Big(W' / \big((T')^{\delta}(V')^{\xi}\big)\Big)^{\alpha} = \Big(\big(W^{xy}\theta^{x}w^{k'+l'}\big) \big/ \big((T^{xy}t^{k'})^{\delta}(V^{xy}v^{l'})^{\xi}\big)\Big)^{\alpha\alpha'}\\
&= \Big(\big(W/(T^{\delta}V^{\xi})\big)^{xy}\,\theta^{x}\,\big(w^{k'+l'}/(t^{\delta k'}v^{\xi l'})\big)\Big)^{\alpha\alpha'} = \big((\theta^{m})^{xy}\,\theta^{x}\cdot 1\big)^{\alpha\alpha'} = (\theta^{\alpha\alpha'})^{mxy+x} = a^{mxy+x}.
\end{aligned}$$
So $e(a, Y) = e(g, b)$ and $e(X, a)\,e(X, b)^m = e(g, c)$.

4.4.2 Unforgeability

In this subsection, we prove the unforgeability of our scheme.
Before proving the unforgeability of our scheme, we first build a useful lemma which guarantees that the user will use the same plaintext in the Linear Encryption and in the Paillier encryption, based on the three-move proof in the blind signature generation protocol. Based on the lemma, we can then simulate the signer successfully and reduce the unforgeability to the unforgeability of the CL-signature.

Lemma 4.2. In the blind signature generation protocol, under the DLOG assumption, a PPT adversary can generate a valid proof with the signer such that
$$\log_\theta\big(\mathsf{dec}_{LE}(\langle T, V, W\rangle)\big) \not\equiv \mathsf{dec}_{Pai}(E_m) \pmod p$$
only with probability $2^{-\lambda_1}$.

Proof. Define $m = \mathsf{dec}_{Pai}(E_m)$. Paillier encryption is 1-1 over $\mathbb{Z}_{n^2}^*$, so it is well-defined and $m \in \mathbb{Z}_n$. Also $E_m \in \mathbb{Z}_{n^2}^*$ can be written as $E_m = \mathsf{g}^m (A_m)^n \bmod n^2$ for some $A_m \in \mathbb{Z}_n^*$. Similarly, define $m' = \log_\theta\big(\mathsf{dec}_{LE}(\langle T, V, W\rangle)\big)$. Recall that $\theta \in G \setminus \{1\}$ and the order of $G$ is the prime $p$. So $\theta$ is a generator of $G$, and we get $\theta^{m'} = \mathsf{dec}_{LE}(\langle T, V, W\rangle)$ and $m' \in \mathbb{Z}_p$. Also $t, v \in G$ are generators of $G$, and $T, V \in G$ can be written as $T = t^k$, $V = v^l$ for some $k, l \in \mathbb{Z}_p$. Note that $\mathsf{dec}_{LE}(\langle T, V, W\rangle) = W/(T^{\delta}V^{\xi})$. So $W = \theta^{m'} T^{\delta} V^{\xi} = \theta^{m'} t^{k\delta} v^{l\xi} = \theta^{m'} w^{k+l}$. Now we assume that there is a PPT adversary who can generate a valid proof with the signer such that $m \not\equiv m' \pmod p$. Up to now we have the equations:
$$m \not\equiv m' \pmod p, \quad m \in \mathbb{Z}_n,\ m' \in \mathbb{Z}_p \tag{1}$$
$$E_m = \mathsf{g}^m (A_m)^n \bmod n^2, \quad A_m \in \mathbb{Z}_n^* \tag{2}$$
$$W = \theta^{m'} w^{k+l}, \quad k, l \in \mathbb{Z}_p \tag{3}$$
$$T = t^k \tag{4}$$
$$V = v^l \tag{5}$$
We have assumed that the proof is valid. So all verification equations hold:
$$\hat E_m = \mathsf{g}^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2 \tag{6}$$
$$\hat W = \theta^{s_m} w^{s_k+s_l} W^{d_1} \tag{7}$$
$$\hat T = t^{s_k} T^{d_1} \tag{8}$$
$$\hat V = v^{s_l} V^{d_1} \tag{9}$$
From equations (2) and (6), we have
$$\hat E_m = \mathsf{g}^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2 = \mathsf{g}^{s_m}(F_m)^n \big(\mathsf{g}^m (A_m)^n\big)^{d_1} \bmod n^2 = \mathsf{g}^{s_m + d_1 m}\big(F_m (A_m)^{d_1}\big)^n \bmod n^2.$$
In the same way we get $\hat T = t^{s_k + d_1 k}$, $\hat V = v^{s_l + d_1 l}$, and $\hat W = \theta^{s_m + d_1 m'} w^{(s_k + d_1 k) + (s_l + d_1 l)}$. Now define
$$\hat m \stackrel{\text{def}}{=} s_m + d_1 m \bmod n \tag{10}$$
$$B_m \stackrel{\text{def}}{=} F_m (A_m)^{d_1} \bmod n \tag{11}$$
$$\hat k \stackrel{\text{def}}{=} s_k + d_1 k \bmod p \tag{12}$$
$$\hat l \stackrel{\text{def}}{=} s_l + d_1 l \bmod p \tag{13}$$
$$\hat m' \stackrel{\text{def}}{=} s_m + d_1 m' \bmod p \tag{14}$$
Consider that $\gcd(n, p) = 1$. From equation (10), we can write $\hat m = s_m + d_1 m + An$, where $A \in \mathbb{Z}$. So $\hat m - s_m - d_1 m = An$. Recall that $s_m \in \pm[0, 2^{\lambda_0+\lambda_1+\nu_p+1}]$, $\hat m \in \pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$, $d_1 \in \{0,1\}^{\lambda_1}$, and $m \in [0, 2^{\nu_p}]$. So $\hat m - s_m - d_1 m \in \pm[0, 2^{\lambda_0+\lambda_1+\nu_p+2}]$, and $A = 0$ because the bit length $\ell_n$ of $n$ exceeds $\nu_p + \lambda_0 + \lambda_1 + 2$. So $\hat m = s_m + d_1 m$. From equation (14), we can write $\hat m' = s_m + d_1 m' + Bp$ where $B \in \mathbb{Z}$. So $\hat m' - \hat m = d_1 (m' - m) + Bp$. Recall that $p \nmid (m - m')$. We can find such a $B$ only in the case $p \mid (\hat m' - \hat m) - d_1 (m' - m)$. Note that $m, m', \hat m, \hat m'$ are determined before receiving the challenge $d_1$ from the signer, because $\langle t, v, w\rangle, E_m, \theta, \langle T, V, W\rangle, C_1$ are sent before receiving $d_1$, and $\hat E_m, \hat T, \hat V, \hat W$ are bound by the commitment $C_1$ under the DLOG assumption. So we have only probability $2^{-\lambda_1}$ to find $B$. Therefore, under the DLOG assumption, the adversary cannot develop a valid proof with $m \not\equiv m' \pmod p$ except with the negligible probability $2^{-\lambda_1}$.

Theorem 4.3 (Unforgeability). The proposed scheme is unforgeable under the LRSW assumption.

Proof. In this part, we will show that under the LRSW assumption, no PPT adversary user $A$ can achieve a one-more forgery with non-negligible probability. Let $\langle p, g, G, G_T, e;\ X, Y\rang$ be the input instance of the LRSW problem. If a PPT user $A$ obtains $l + 1$ valid message-signature pairs after $l$ successful executions with the signer, we can construct an oracle $I$ which will output a valid pair $(m^{\circ}, \langle a^{\circ}, b^{\circ}, c^{\circ}\rangle)$, where $m^{\circ}$ is not queried to the oracle $O_{X,Y}$.

1. The oracle sets $pub = \langle p, g, G, G_T, e\rangle$ and $PK_S = \langle X, Y\rangle$. The oracle generates $crs_1 = \langle Q, \mathbf{g}, \mathbf{h}, \mathbb{G}, H\rangle$ and the trapdoor $\tau_1$ for the equivocal Pedersen commitment scheme; generates $crs_2 = \langle n, \mathsf{g}\rangle$ and $\tau_2 = \langle \mathsf{p}, \mathsf{q}\rangle$ (the factorization of $n$) for the Paillier encryption; sets $crs = (crs_1, crs_2)$. Now the oracle supplies the adversary with $pub, crs, PK_S$, and keeps $\tau_1, \tau_2$.

2. The oracle $I$ will be queried by $A$, which operates as in one of the two cases below:

Case 1: $A$ queries $I$ with $\langle \mathsf{start}, msg\rangle$, where $msg = \{PK_U, E_m, \theta, T, V, W, C_1\}$. The oracle $I$ will create a session identity $sid$ and set the corresponding state $st = \emptyset$; the oracle $I$ will simulate the signer $S$ with $msg$ till $S$ either terminates or returns a response $rsp$ to the user; the oracle $I$ records the current state in $st$. If $S$ returns $rsp$ then $I$ returns this with the session identity to $A$, i.e. $I$ returns $\{sid, d_1, C_2\}$ to $A$, where $d_1 \leftarrow \{0,1\}^{\lambda_1}$ and $C_2 = \mathbf{g}^{\gamma_2}$, $\gamma_2 \leftarrow \mathbb{Z}_Q$.

Case 2: $A$ queries $I$ with $\langle \mathsf{advance}, sid, msg\rangle$, where $msg = \{d_2, s_m, s_k, s_l, F_m, \hat E_m, \hat T, \hat V, \hat W, \mu_1\}$. The oracle $I$ will simulate the signer $S$ with $msg$ and the previous state $st$. $S$ checks whether all equations hold: $C_1 \stackrel{?}{=} \mathbf{g}^{\omega_1}\mathbf{h}^{\mu_1}$ where $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$; $\hat E_m \stackrel{?}{=} \mathsf{g}^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2$; $\hat T \stackrel{?}{=} t^{s_k} T^{d_1}$; $\hat V \stackrel{?}{=} v^{s_l} V^{d_1}$; $\hat W \stackrel{?}{=} \theta^{s_m} w^{s_k+s_l} W^{d_1}$. If not all hold, it terminates. Otherwise, the oracle $I$ generates an identically distributed response to $A$. Consider that the Pedersen commitment scheme is involved. From Lemma 4.2 above, under the DLOG assumption, except with negligible error probability $2^{-\lambda_1}$, the oracle $I$ can obtain the $m$ under $\{\theta, T, V, W\}$ by decrypting $m$ from $E_m$, and then obtain $\langle a', b', T', V', W'\rangle$ based on this $m$: the oracle $I$ simulates $S$ to decrypt $E_m$ into $m = \mathsf{dec}^{Pai}_{\tau_2}(E_m)$ by using the trapdoor information $\tau_2 = \langle \mathsf{p}, \mathsf{q}\rangle$; then the oracle $I$ simulates $O_{X,Y}$ with input $m \bmod p$, which returns $\langle a, b, c\rangle$, and computes $a' = a$, $b' = b$, $W' = c\,w^{k'+l'}$, $T' = t^{k'}$, $V' = v^{l'}$, where $k', l' \leftarrow \mathbb{Z}_p$. Note that here $\langle T', V', W'\rangle$ is in fact the ciphertext of $c$ under the public key $\langle t, v, w\rangle$.

The simulated $\{a', b', T', V', W'\}$ is indistinguishable from the protocol answer, considering that the error probability $2^{-\lambda_1}$ is negligible. In fact, without the error probability, the two distributions are identical, i.e.
$$\{a,\ b,\ c\,w^{k'+l'},\ t^{k'},\ v^{l'}\} \equiv \{\theta^{\alpha'},\ (\theta^{y})^{\alpha'},\ (W^{xy}\theta^{x}w^{k'+l'})^{\alpha'},\ (T^{xy}t^{k'})^{\alpha'},\ (V^{xy}v^{l'})^{\alpha'}\},$$
for random $k', l'$ on the left and random $\alpha', k', l'$ on the right. Note that $\langle a, b, c\rangle$ is the response from $O_{X,Y}$. So $a$ is a random element in $G$, $b = a^{y}$, $c = a^{x+mxy}$. We know $W = \theta^m w^{k+l}$, $T = t^k$, $V = v^l$, for some $k, l \in \mathbb{Z}_p$. We can compute
$$(W^{xy}\theta^{x}w^{k'+l'})^{\alpha'} = \big((\theta^{m}w^{k+l})^{xy}\theta^{x}w^{k'+l'}\big)^{\alpha'} = \big(\theta^{\alpha'}\big)^{x+mxy} w^{(kxy+k')\alpha' + (lxy+l')\alpha'},$$
$$(T^{xy}t^{k'})^{\alpha'} = \big((t^{k})^{xy}t^{k'}\big)^{\alpha'} = t^{(kxy+k')\alpha'}, \qquad (V^{xy}v^{l'})^{\alpha'} = \big((v^{l})^{xy}v^{l'}\big)^{\alpha'} = v^{(lxy+l')\alpha'}.$$
Replacing $\theta^{\alpha'}$, $(kxy+k')\alpha'$, $(lxy+l')\alpha'$ with $a$, $k'$, $l'$, we see that the two probability distributions are identical. Next, the oracle $I$ randomly selects $s_x, s_{k'}, s_{l'} \leftarrow \mathbb{Z}_p$, and lets $L_T = e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2}$, $L_V = e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2}$, $L_W = \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e(W', \theta)^{d_2}$; computes $\omega_2 = H(a', b', T', V', W', L_T, L_V, L_W)$; uses the trapdoor $\tau_1$ to compute $\mu_2$ such that $C_2 = \mathbf{g}^{\omega_2}\mathbf{h}^{\mu_2}$, i.e. $\mu_2 = (\gamma_2 - \omega_2)\,\tau_1^{-1} \bmod Q$ (with $\mathbf{h} = \mathbf{g}^{\tau_1}$). Considering that the 3-move proof is zero-knowledge [Dam00], the simulated distribution $\{a', b', T', V', W', L_T, L_V, L_W, \mu_2;\ s_x, s_{k'}, s_{l'}\}$ is indistinguishable from that in the protocol answer.

3. $A$ outputs message-signature pairs. Now assume that $A$ can break the scheme, which means $A$ can generate $l'$ message-signature pairs $(m_1; \sigma_1), (m_2; \sigma_2), \ldots, (m_{l'}; \sigma_{l'})$ with $m_i \neq m_j$ and $l' > l$. Since $l' \geq l + 1$, at least one message, say $m^{\circ}$, is not queried to the oracle $O_{X,Y}$, though $(m^{\circ}; \sigma^{\circ})$ is a valid pair. In other words, we can construct a valid pair $(m^{\circ}; \sigma^{\circ})$, where $m^{\circ}$ is not in the query history. This breaks the LRSW assumption.
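The proof of Lemma 4.2 and the simulation in the proof of Theorem 4.3 both turn on the user-side three-move proof of Figure 2: the signer checks equations (6)-(9), an honest user passes for every $d_1$, and a user whose Paillier and Linear Encryption plaintexts differ modulo $p$ can only pass for a single challenge fixed before $d_1$ is seen. The following Python program is an added example, not code from the paper, and runs that proof end to end with toy parameters: the bilinear group is replaced by the quadratic-residue subgroup of $\mathbb{Z}_{1019}^*$ (prime order $p = 509$), which is enough because neither the user-side proof nor Lemma 4.2 uses the pairing; Paillier uses two small primes; the Pedersen commitment $C_1$ on the first move and the whole signer-side proof are omitted. The `lie` parameter models the cheating user analyzed in the lemma, and `plaintexts_agree` evaluates the lemma's relation with both trapdoors, as the oracle of Theorem 4.3 does with $\tau_2$. All parameter values and function names are constructed for this example.

```python
# Added example: toy run of the user-side three-move proof of Figure 2 (same plaintext in the
# Paillier and Linear Encryption ciphertexts). Constructed parameters, not secure sizes.
import secrets
from math import gcd

# Toy group G: the quadratic residues of Z_q^*, q = 2p + 1, a cyclic group of prime order p
# (stands in for the paper's bilinear group; the user-side proof never uses the pairing).
Q_MOD, P_ORD = 1019, 509
NU_P, LAMBDA_0, LAMBDA_1 = 9, 20, 8            # m in [0, 2^nu_p); statistical and challenge lengths
PAI_P, PAI_Q = 1000003, 1000033                # toy Paillier factors (the trapdoor tau_2)
N, N2 = PAI_P * PAI_Q, (PAI_P * PAI_Q) ** 2
G_PAI = N + 1                                  # Paillier generator
HAT_BOUND = 2 ** (LAMBDA_0 + LAMBDA_1 + NU_P)  # m_hat is drawn from +-[0, HAT_BOUND]
assert N > 4 * HAT_BOUND                       # n > 2^(lambda_0+lambda_1+nu_p+2), as Lemma 4.2 needs


def rand_zp():
    return secrets.randbelow(P_ORD)


def rand_G():
    """Random element of G minus {1}: squaring a random residue lands in the order-p subgroup."""
    while True:
        x = pow(secrets.randbelow(Q_MOD - 2) + 2, 2, Q_MOD)
        if x != 1:
            return x


def rand_unit_n():
    r = secrets.randbelow(N - 1) + 1
    return r if gcd(r, N) == 1 else rand_unit_n()


def gen_LE():
    """Linear Encryption keys: PK_U = (t, v, w), SK_U = (delta, xi) with t^delta = v^xi = w."""
    w, delta, xi = rand_G(), rand_zp() or 1, rand_zp() or 1
    t = pow(w, pow(delta, -1, P_ORD), Q_MOD)
    v = pow(w, pow(xi, -1, P_ORD), Q_MOD)
    return (t, v, w), (delta, xi)


def enc_LE(pk, theta, m, k, l):
    t, v, w = pk
    return pow(t, k, Q_MOD), pow(v, l, Q_MOD), pow(theta, m, Q_MOD) * pow(w, k + l, Q_MOD) % Q_MOD


def dec_LE(sk, ct):
    delta, xi = sk                       # returns theta^m = W / (T^delta V^xi)
    T, V, W = ct
    return W * pow(pow(T, delta, Q_MOD) * pow(V, xi, Q_MOD), -1, Q_MOD) % Q_MOD


def enc_Pai(m, r):
    return pow(G_PAI, m, N2) * pow(r, N, N2) % N2


def dec_Pai(c):
    lam = (PAI_P - 1) * (PAI_Q - 1) // gcd(PAI_P - 1, PAI_Q - 1)
    return (pow(c, lam, N2) - 1) // N * pow(lam, -1, N) % N


def user_move1(pk, theta, m, lie=None):
    """First move: E_m, <T,V,W> and the hat values. lie=(m_le, d_guess) models a cheating user who
    puts m_le != m (mod p) into the LE ciphertext and rigs W_hat for the guessed challenge d_guess."""
    A, B = rand_unit_n(), rand_unit_n()
    k, l, k_hat, l_hat = rand_zp(), rand_zp(), rand_zp(), rand_zp()
    m_hat = secrets.randbelow(2 * HAT_BOUND) - HAT_BOUND
    m_le = m if lie is None else lie[0]
    m_hat_le = m_hat if lie is None else m_hat + lie[1] * (m_le - m)  # check (7) holds iff d_1 == d_guess
    state = dict(m=m, A=A, B=B, k=k, l=l, k_hat=k_hat, l_hat=l_hat, m_hat=m_hat)
    msg1 = (enc_Pai(m, A), enc_LE(pk, theta, m_le, k, l),
            enc_Pai(m_hat, B), enc_LE(pk, theta, m_hat_le, k_hat, l_hat))
    return state, msg1


def user_move3(st, d1):
    """Response: s_m = m_hat - d_1 m over Z, s_k and s_l mod p, F_m = B_m A_m^{-d_1} mod n."""
    s_m = st["m_hat"] - d1 * st["m"]
    s_k = (st["k_hat"] - d1 * st["k"]) % P_ORD
    s_l = (st["l_hat"] - d1 * st["l"]) % P_ORD
    return s_m, s_k, s_l, st["B"] * pow(st["A"], -d1, N) % N


def signer_verify(pk, theta, msg1, d1, resp):
    """The signer's checks: membership and range tests, then equations (6)-(9) of the page."""
    E, (T, V, W), E_hat, (T_hat, V_hat, W_hat) = msg1
    s_m, s_k, s_l, F = resp
    t, v, w = pk
    return (gcd(E, N) == 1 and -2 * HAT_BOUND <= s_m <= 2 * HAT_BOUND
            and E_hat == pow(G_PAI, s_m, N2) * pow(F, N, N2) * pow(E, d1, N2) % N2
            and T_hat == pow(t, s_k, Q_MOD) * pow(T, d1, Q_MOD) % Q_MOD
            and V_hat == pow(v, s_l, Q_MOD) * pow(V, d1, Q_MOD) % Q_MOD
            and W_hat == pow(theta, s_m, Q_MOD) * pow(w, s_k + s_l, Q_MOD) * pow(W, d1, Q_MOD) % Q_MOD)


def plaintexts_agree(sk, theta, E, ct):
    """Lemma 4.2's relation, evaluated with both trapdoors: theta^(dec_Pai(E_m) mod p) == dec_LE(<T,V,W>)."""
    return pow(theta, dec_Pai(E) % P_ORD, Q_MOD) == dec_LE(sk, ct)


def run_proof(m, lie=None, d1=None):
    """One execution of the three-move proof; returns (signer accepts, plaintexts agree mod p)."""
    pk, sk = gen_LE()
    theta = rand_G()
    state, msg1 = user_move1(pk, theta, m, lie)
    d1 = secrets.randbelow(2 ** LAMBDA_1) if d1 is None else d1
    accepted = signer_verify(pk, theta, msg1, d1, user_move3(state, d1))
    return accepted, plaintexts_agree(sk, theta, msg1[0], msg1[1])
```

With these parameters `run_proof(300)` returns `(True, True)`. The cheating user `run_proof(300, (301, 37), 37)` is accepted only because the challenge equals its guess (the signer sees `(True, False)`), while `run_proof(300, (301, 37), 38)` is rejected; over a random $d_1 \in \{0,1\}^{\lambda_1}$ that is the $2^{-\lambda_1}$ bound of the lemma. The `assert` on `N` is the bit-length condition the proof uses to conclude $A = 0$; with a Paillier modulus below $2^{\lambda_0+\lambda_1+\nu_p+2}$ the integer relation $\hat m = s_m + d_1 m$ would no longer be forced.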

4.4.3 Blindness

In this subsection, we show the blindness of our scheme. Before going to the proof of the blindness of our scheme, we first build a useful lemma which guarantees that the signer will use the correct ciphertext $\langle \theta, T, V, W\rangle$ and his secret key $\langle x, y\rangle$ to generate $\langle a', b', T', V', W'\rangle$, based on the three-move proof.

Lemma 4.4. In the blind signature generation protocol, under the DLOG assumption, a PPT adversary can generate a valid proof with the user such that
$$\log_g Y \not\equiv \log_{a'} b' \pmod p \quad\text{or}\quad \Big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(\langle T, V, W\rangle)\Big) \not\equiv \Big(\log_{a'} \mathsf{dec}_{LE}(\langle T', V', W'\rangle)\Big) \pmod p$$
only with probability $2^{-\lambda_2}$.

Proof. Based on the verification equation $e(a', Y) = e(b', g)$ it is very easy to prove the first part of the lemma. Next we focus on the second part. Now we have $Y = g^{y}$, $X = g^{x}$, $b' = (a')^{y}$. Define $m = \log_\theta\big(\mathsf{dec}_{LE}(\langle T, V, W\rangle)\big)$, and we have $T = t^k$, $V = v^l$, $W = \theta^m w^{k+l}$ for some $k, l \in \mathbb{Z}_p$ by the same argument as in the proof of Lemma 4.2. Note that $G_T$ is also of prime order $p$. There exist $\hat x, \hat k', \hat l', \hat\eta, k', l', \eta \in \mathbb{Z}_p$ such that
$$L_T = e(T, b')^{\hat x} e(t, a')^{\hat k'} \tag{15}$$
$$L_V = e(V, b')^{\hat x} e(v, a')^{\hat l'} \tag{16}$$
$$L_W = \big(e(W, b')\,e(\theta, a')\big)^{\hat x} e(w, a')^{\hat\eta} \tag{17}$$
$$e(T', \theta) = e(T, b')^{x} e(t, a')^{k'} \tag{18}$$
$$e(V', \theta) = e(V, b')^{x} e(v, a')^{l'} \tag{19}$$
$$e(W', \theta) = \big(e(W, b')\,e(\theta, a')\big)^{x} e(w, a')^{\eta} \tag{20}$$
Assume there is a PPT adversary that can generate a valid proof such that $\big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(\langle T, V, W\rangle)\big) \not\equiv \big(\log_{a'} \mathsf{dec}_{LE}(\langle T', V', W'\rangle)\big) \pmod p$; the verification equations are
$$L_T = e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2} \tag{21}$$
$$L_V = e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2} \tag{22}$$
$$L_W = \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e(W', \theta)^{d_2} \tag{23}$$
From equations (15), (16), (18), (19), (21) and (22), we obtain
$$s_x = \hat x - d_2 x \bmod p \tag{24}$$
$$s_{k'} = \hat k' - d_2 k' \bmod p \tag{25}$$
$$s_{l'} = \hat l' - d_2 l' \bmod p \tag{26}$$
From equations (17), (20), (23) and (24), we obtain
$$s_{k'} + s_{l'} = \hat\eta - d_2 \eta \bmod p \tag{27}$$
From equations (25)-(27), we obtain
$$\hat k' + \hat l' - \hat\eta = d_2 (k' + l' - \eta) \bmod p \tag{28}$$
Note that $\langle a', b', T', V', W';\ L_T, L_V, L_W\rangle$ is bound by the commitment $C_2$, which is sent before the challenge $d_2$; and $\hat k', \hat l', \hat\eta, k', l', \eta$ are determined before receiving $d_2$ from the user. So, except with probability $2^{-\lambda_2}$, the signer cannot get $d_2$ before receiving it from the user. Now the equation $\hat\eta = \hat k' + \hat l' \bmod p$ holds; otherwise the signer could compute $d_2 = (\hat k' + \hat l' - \hat\eta)/(k' + l' - \eta)$ before he receives the value. Putting the equation $\hat\eta = \hat k' + \hat l' \bmod p$ into equation (28), we also get $\eta = k' + l' \bmod p$. Assume $a' = \theta^{\alpha'}$ and recall that $b' = (a')^{y}$; we obtain $T' = T^{xy\alpha'} t^{k'\alpha'}$ from equation (18); similarly we obtain $V' = V^{xy\alpha'} v^{l'\alpha'}$ and $W' = W^{xy\alpha'} \theta^{x\alpha'} w^{k'\alpha'+l'\alpha'}$. Define $c' = \mathsf{dec}_{LE}(\langle T', V', W'\rangle)$. Then
$$c' = \frac{W'}{(T')^{\delta}(V')^{\xi}} = \theta^{(x+xym)\alpha'} = (a')^{x+xym}.$$
And $\log_{a'}\big(\mathsf{dec}_{LE}(\langle T', V', W'\rangle)\big) = \log_{a'} c' = x + xym = \big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(\langle T, V, W\rangle)\big) \bmod p$, which contradicts the assumption. So, based on a secure commitment scheme, except with probability $2^{-\lambda_2}$, no PPT adversary can develop a valid proof such that $\big(\log_g X + \log_g X \cdot \log_g Y \cdot \log_\theta \mathsf{dec}_{LE}(\langle T, V, W\rangle)\big) \not\equiv \big(\log_{a'} \mathsf{dec}_{LE}(\langle T', V', W'\rangle)\big) \pmod p$. This completes the proof.

Theorem 4.5 (Blindness). The proposed scheme is blind under the DLDH assumption and the DCR assumption.

We start from the blindness model, and define it as Game 0; we slightly change Game 0 by simulating the left user instantiation with Damgård's trick in Game 1; and then we slightly change Game 1 again and do the similar simulation for the right user instantiation in Game 2. The statistical distances between Game 0 and Game 1, and between Game 1 and Game 2, are negligible. Now we slightly change Game 2 into Game 3 in the case that the two user instantiations verify the verification equations successfully: instead of generating $\sigma$ based on $\langle a', b', T', V', W'\rangle$ as in Game 2, we generate $\sigma$ by using the signing key $(x, y)$ on $m$. Based on Lemma 4.4, we show that the statistical distance between Game 2 and Game 3 is negligible. Next we slightly change Game 3 by simulating the left user instantiation with a random message (not one of the messages selected by the adversary) as input to the Paillier encryption in Game 4; then we do the similar simulation for the right user instantiation in Game 5. Both distances, between Game 3 and Game 4 and between Game 4 and Game 5, are negligible under the DCR assumption. Similarly, we slightly change Game 5 into Game 6 by simulating the left user instantiation with a random message as input to the linear encryption; then we change Game 6 into Game 7 in the same way for the right user instantiation. Again the distances between Game 5 and Game 6, and between Game 6 and Game 7, are negligible under the DLDH assumption. Therefore, the probability distribution in Game 0 is indistinguishable from that in Game 7.

Consider Game 7: the two messages $(m_0, m_1)$ have never been involved in the communications between the user instantiations and the adversary signer, which means the adversary has no advantage in winning the game (it predicts $\phi$ with probability exactly $\frac{1}{2}$). So, in Game 0, the adversary has at most negligible advantage in winning the game under the assumptions.

Proof. We use the sequential games technique to prove this part, and define games $G^A_j$ between the adversary $A$ and the oracle $I^{\phi}_j$ which simulates two user instantiations, the left one $U^L$ and the right one $U^R$, where $j = 0, 1, \ldots, 7$. Also we define $E_j$ to be the event that $\phi = \phi'$ in $G^A_j$.

Game 0: Following the blindness model, we define Game 0 as below:

$G^A_0(1^\lambda)$:
1. $\phi \leftarrow \{0, 1\}$;
2. $(pub, crs, PK_S, SK_S) \leftarrow \mathsf{gen}(1^\lambda)$;
3. $\phi' \leftarrow A^{I^{\phi}_0(1^\lambda, pub, crs, PK_S)}(1^\lambda, pub, crs, PK_S, SK_S)$;
4. if $\phi = \phi'$ then return 1;

Here $I^{\phi}_0$ is defined as:
- Given $\langle \mathsf{challenge}, m_0, m_1\rangle$, the oracle $I^{\phi}_0$ simulates $U^L$ (resp. $U^R$) with $m_\phi$ (resp. $m_{1-\phi}$). The oracle $I^{\phi}_0$ keeps a database with the state of each user instantiation; the state includes all coin tosses of the user instantiation and the contents of all tapes, including the communication tape. Here the oracle uses $st^L$ (resp. $st^R$) to record the state of $U^L$ (resp. $U^R$).
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$:

If $msg = \emptyset$, then $I^{\phi}_0$ recovers the state $st^{\rho}$, and simulates the user instantiation $U^{\rho}$ till $U^{\rho}$ either terminates or returns a response to the signer. If $U^{\rho}$ returns a response $rsp$, then $I^{\phi}_0$ returns $rsp$ to $A$. The oracle will record the current state $st$, i.e. $st^{\rho} = st^{\rho} \cup st$. Let $m$ be the simulated message for $U^{\rho}$, i.e. $m = m_\phi$ for $\rho = L$ and $m = m_{1-\phi}$ for $\rho = R$; we have:
(a) $(PK^{\rho}_U, SK^{\rho}_U) \leftarrow \mathsf{gen}_{LE}(1^\lambda)$
(b) $\hat m \leftarrow \pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$, $A_m, B_m \leftarrow \mathbb{Z}_n^*$, $\alpha, k, l, \hat k, \hat l \leftarrow \mathbb{Z}_p$, $\theta \leftarrow G \setminus \{1\}$, $\mu_1 \leftarrow \mathbb{Z}_Q$.
(c) $E_m \leftarrow \mathsf{enc}^{Pai}_{crs_2}(m, A_m)$
(d) $\langle T, V, W\rangle \leftarrow \mathsf{enc}^{LE}_{pub, PK^{\rho}_U}(m, \theta, k, l)$
(e) $\hat E_m \leftarrow \mathsf{enc}^{Pai}_{crs_2}(\hat m, B_m)$
(f) $\langle \hat T, \hat V, \hat W\rangle \leftarrow \mathsf{enc}^{LE}_{pub, PK^{\rho}_U}(\hat m, \theta, \hat k, \hat l)$
(g) $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$, $C_1 = \mathbf{g}^{\omega_1}\mathbf{h}^{\mu_1}$
(h) $rsp = \{PK_U, E_m, \theta, T, V, W, C_1\}$

If $msg = \{d_1, C_2\}$, then $I^{\phi}_0$ recovers the state $st^{\rho}$, and simulates the user instantiation $U^{\rho}$ with $msg$ till $U^{\rho}$ either terminates or returns a response $rsp$ to the signer. If $U^{\rho}$ returns a response $rsp$, then $I^{\phi}_0$ returns $rsp$ to $A$. The oracle will record the current state $st$, i.e. $st^{\rho} = st^{\rho} \cup st$. Here $rsp$ is of the form $\{d_2, s_m, s_k, s_l, F_m, \hat E_m, \hat T, \hat V, \hat W, \mu_1\}$, where $\hat E_m, \hat T, \hat V, \hat W, \mu_1$ are recovered from the previous state $st^{\rho}$, and $s_m, s_k, s_l, F_m$ are generated as: $s_m = \hat m - d_1 m$ in $\mathbb{Z}$, $s_k = \hat k - d_1 k \bmod p$, $s_l = \hat l - d_1 l \bmod p$, $F_m = B_m (A_m)^{-d_1} \bmod n$, $d_2 \leftarrow \{0,1\}^{\lambda_2}$.

- Given $\langle \mathsf{terminate}, msg^L, msg^R\rangle$, the oracle $I^{\phi}_0$ recovers the state $st^L$ (resp. $st^R$), and simulates the user instantiation $U^L$ (resp. $U^R$) with $msg^L$ (resp. $msg^R$) till $U^L$ (resp. $U^R$) either terminates or returns an output, where $msg^{\rho}$ is of the form $\{s_x, s_{k'}, s_{l'};\ a', b', T', V', W', L_T, L_V, L_W, \mu_2\}$. Each $U^{\rho}$ will verify all equations: $C_2 = \mathbf{g}^{\omega_2}\mathbf{h}^{\mu_2}$ where $\omega_2 = H(a', b', T', V', W', L_T, L_V, L_W)$; $e(a', Y) = e(b', g)$; $L_T = e(T, b')^{s_x} e(t, a')^{s_{k'}} e(T', \theta)^{d_2}$; $L_V = e(V, b')^{s_x} e(v, a')^{s_{l'}} e(V', \theta)^{d_2}$; $L_W = \big(e(W, b')\,e(\theta, a')\big)^{s_x} e(w, a')^{s_{k'}+s_{l'}} e(W', \theta)^{d_2}$. If the two user instantiations verify the verification equations successfully, each of them generates $\sigma = (a, b, c)$ by $a = (a')^{\alpha}$, $b = (b')^{\alpha}$, $c = \big(W' / ((T')^{\delta}(V')^{\xi})\big)^{\alpha}$. Let the generated signatures from the two user instantiations be $\sigma_0, \sigma_1$ for the messages $m_0, m_1$ respectively. The oracle sets $rsp = (\sigma_0, \sigma_1)$. Otherwise it sets $rsp = (\bot, \bot)$. The oracle returns $rsp$ to $A$.

Game 1: We modify $G^A_0$ into $G^A_1$ by changing step 2 into:
2. $(pub, crs_2, PK_S, SK_S) \leftarrow \mathsf{gen}(1^\lambda)$; generate $crs_1 = \langle Q, \mathbf{g}, \mathbf{h}, \mathbb{G}, H\rangle$ and the trapdoor $\tau_1$ for the equivocal Pedersen commitment scheme; set $crs = (crs_1, crs_2)$;
and changing $I^{\phi}_0$ into $I^{\phi}_1$. Note that $I^{\phi}_1$ is the same as $I^{\phi}_0$ except that
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$: if $\rho = R$, $I^{\phi}_1$ operates identically to $I^{\phi}_0$; but if $\rho = L$, $I^{\phi}_1$ works as follows:

If $msg = \emptyset$, then $I^{\phi}_1$ recovers the state $st^L$, and simulates the user instantiation $U^L$ till $U^L$ either terminates or returns a response to the signer. If $U^L$ returns a response $rsp$, then $I^{\phi}_1$ returns $rsp$ to $A$. The oracle will record the current state $st$, i.e. $st^L = st^L \cup st$. Let $m = m_\phi$; we have:
(a) $(PK^L_U, SK^L_U) \leftarrow \mathsf{gen}_{LE}(1^\lambda)$
(b) $A_m \leftarrow \mathbb{Z}_n^*$, $\alpha, k, l \leftarrow \mathbb{Z}_p$, $\theta \leftarrow G \setminus \{1\}$.
(c) $E_m \leftarrow \mathsf{enc}^{Pai}_{crs_2}(m, A_m)$
(d) $\langle T, V, W\rangle \leftarrow \mathsf{enc}^{LE}_{pub, PK^L_U}(m, \theta, k, l)$
(e) $\gamma_1 \leftarrow \mathbb{Z}_Q$, $C_1 = \mathbf{g}^{\gamma_1}$
(f) $rsp = \{PK^L_U, E_m, \theta, T, V, W, C_1\}$

If $msg = \{d_1, C_2\}$, then $I^{\phi}_1$ recovers the state $st^L$, and simulates the user instantiation $U^L$ with $msg$ till $U^L$ either terminates or returns a response $rsp$ to the signer. If $U^L$ returns a response $rsp$, then $I^{\phi}_1$ returns $rsp$ to $A$. The oracle will record the current state $st$, i.e. $st^L = st^L \cup st$.
(a) $s_m \leftarrow \pm[0, 2^{\lambda_0+\lambda_1+\nu_p}]$, $F_m \leftarrow \mathbb{Z}_n^*$, $s_k, s_l \leftarrow \mathbb{Z}_p$
(b) $\hat E_m = \mathsf{g}^{s_m}(F_m)^n (E_m)^{d_1} \bmod n^2$
(c) $\hat W = \theta^{s_m} w^{s_k+s_l} W^{d_1}$, $\hat T = t^{s_k} T^{d_1}$, $\hat V = v^{s_l} V^{d_1}$
(d) use the trapdoor $\tau_1$ to compute $\mu_1$ such that $C_1 = \mathbf{g}^{\omega_1}\mathbf{h}^{\mu_1}$ where $\omega_1 = H(\hat E_m, \hat T, \hat V, \hat W)$, i.e. $\mu_1 = (\gamma_1 - \omega_1)\,\tau_1^{-1} \bmod Q$ (with $\mathbf{h} = \mathbf{g}^{\tau_1}$)
(e) $rsp = \{d_2, s_m, s_k, s_l, F_m, \hat E_m, \hat T, \hat V, \hat W, \mu_1\}$

Game 2: We modify $G^A_1$ into $G^A_2$ by changing $I^{\phi}_1$ into $I^{\phi}_2$. Note that $I^{\phi}_2$ is the same as $I^{\phi}_1$ except that:
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$: if $\rho = L$, $I^{\phi}_2$ operates identically to $I^{\phi}_1$; but if $\rho = R$, $I^{\phi}_2$ operates as in the case $\rho = L$ with $m = m_{1-\phi}$, i.e. it runs the same operations for the right user instantiation $U^R$.

Game 3: We modify $G^A_2$ into $G^A_3$ by changing $I^{\phi}_2$ into $I^{\phi}_3$. Note that $I^{\phi}_3$ is the same as $I^{\phi}_2$ except that
- Given $\langle \mathsf{terminate}, msg^L, msg^R\rangle$, the oracle $I^{\phi}_3$ recovers the state $st^L$ (resp. $st^R$), and simulates the user instantiation $U^L$ (resp. $U^R$) with $msg^L$ (resp. $msg^R$) till $U^L$ (resp. $U^R$) either terminates or returns an output. If the two user instantiations verify the verification equations successfully, the oracle now generates two signatures $\sigma_0, \sigma_1$ for $m_0, m_1$ by using the signing key: $\sigma = (a, a^{y}, a^{x+xym})$ where $a \leftarrow G$. The oracle sets $rsp = (\sigma_0, \sigma_1)$. Otherwise it sets $rsp = (\bot, \bot)$. The oracle returns $rsp$ to $A$.

Game 4: We modify $G^A_3$ into $G^A_4$ by changing $I^{\phi}_3$ into $I^{\phi}_4$. Note that $I^{\phi}_4$ is the same as $I^{\phi}_3$ except that
- Given $\langle \mathsf{challenge}, m_0, m_1\rangle$, the oracle $I^{\phi}_4$ randomly selects $m_0', m_1'$ from the message space and simulates $U^L$ (resp. $U^R$) with $m_\phi$ or $m_0'$ (resp. $m_{1-\phi}$ or $m_1'$).
- Given $\langle \mathsf{advance}, \rho, msg\rangle$, where $\rho \in \{L, R\}$: if $\rho = R$, $I^{\phi}_4$ operates identically to $I^{\phi}_3$; but if $\rho = L$, $I^{\phi}_4$ works as follows:


Classical Worm algorithms (WA) Classical Wom algoithms (WA) WA was oiginally intoduced fo quantum statistical models by Pokof ev, Svistunov and Tupitsyn (997), and late genealized to classical models by Pokof ev and Svistunov (200).

More information

Goodness-of-fit for composite hypotheses.

Goodness-of-fit for composite hypotheses. Section 11 Goodness-of-fit fo composite hypotheses. Example. Let us conside a Matlab example. Let us geneate 50 obsevations fom N(1, 2): X=nomnd(1,2,50,1); Then, unning a chi-squaed goodness-of-fit test

More information

Design and Analysis of Password-Based Key Derivation Functions

Design and Analysis of Password-Based Key Derivation Functions Design and Analysis of Passwod-Based Key Deivation Functions Fances F. Yao 1 and Yiqun Lisa Yin 2 1 Depatment of Compute Science City Univesity of Hong Kong Kowloon, Hong Kong Email: csfyao@cityu.edu.hk

More information

Chapter 3: Theory of Modular Arithmetic 38

Chapter 3: Theory of Modular Arithmetic 38 Chapte 3: Theoy of Modula Aithmetic 38 Section D Chinese Remainde Theoem By the end of this section you will be able to pove the Chinese Remainde Theoem apply this theoem to solve simultaneous linea conguences

More information

Non-Transferable Proxy Re-Encryption Scheme

Non-Transferable Proxy Re-Encryption Scheme Title Non-Tansfeable Poxy Re-Encyption Scheme Autho(s) He, Y; Chim, TW; Hui, CK; Yiu, SM Citation The 5th IFIP Intenational Confeence on New Technologies, Mobility and Secuity (NTMS 12), Istanbul, Tukey,

More information

Cryptography. Lecture 11. Arpita Patra

Cryptography. Lecture 11. Arpita Patra Cptogaph Lectue Apita Pata Geneic Results in PK Wold CPA Secuit CCA Secuit Bit Encption Man-bit Encption Bit Encption Man-Bit Encption Π CPA-secue KEM Π SKE COA-secue SKE Π Hb CPA-secue Π CCA-secue KEM

More information

Lecture 28: Convergence of Random Variables and Related Theorems

Lecture 28: Convergence of Random Variables and Related Theorems EE50: Pobability Foundations fo Electical Enginees July-Novembe 205 Lectue 28: Convegence of Random Vaiables and Related Theoems Lectue:. Kishna Jagannathan Scibe: Gopal, Sudhasan, Ajay, Swamy, Kolla An

More information

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries Moe Efficient Oblivious Tansfe Extensions with Secuity fo Malicious Advesaies Gilad Ashaov Yehuda Lindell Thomas Schneide Michael Zohne Hebew Univesity Ba-Ilan Univesity Damstadt Damstadt EUROCRYPT 2015

More information

New Finding on Factoring Prime Power RSA Modulus N = p r q

New Finding on Factoring Prime Power RSA Modulus N = p r q Jounal of Mathematical Reseach with Applications Jul., 207, Vol. 37, o. 4, pp. 404 48 DOI:0.3770/j.issn:2095-265.207.04.003 Http://jme.dlut.edu.cn ew Finding on Factoing Pime Powe RSA Modulus = p q Sadiq

More information

Unobserved Correlation in Ascending Auctions: Example And Extensions

Unobserved Correlation in Ascending Auctions: Example And Extensions Unobseved Coelation in Ascending Auctions: Example And Extensions Daniel Quint Univesity of Wisconsin Novembe 2009 Intoduction In pivate-value ascending auctions, the winning bidde s willingness to pay

More information

Encapsulation theory: the transformation equations of absolute information hiding.

Encapsulation theory: the transformation equations of absolute information hiding. 1 Encapsulation theoy: the tansfomation equations of absolute infomation hiding. Edmund Kiwan * www.edmundkiwan.com Abstact This pape descibes how the potential coupling of a set vaies as the set is tansfomed,

More information

ASTR415: Problem Set #6

ASTR415: Problem Set #6 ASTR45: Poblem Set #6 Cuan D. Muhlbege Univesity of Mayland (Dated: May 7, 27) Using existing implementations of the leapfog and Runge-Kutta methods fo solving coupled odinay diffeential equations, seveal

More information

3.1 Random variables

3.1 Random variables 3 Chapte III Random Vaiables 3 Random vaiables A sample space S may be difficult to descibe if the elements of S ae not numbes discuss how we can use a ule by which an element s of S may be associated

More information

HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS?

HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS? 6th INTERNATIONAL MULTIDISCIPLINARY CONFERENCE HOW TO TEACH THE FUNDAMENTALS OF INFORMATION SCIENCE, CODING, DECODING AND NUMBER SYSTEMS? Cecília Sitkuné Göömbei College of Nyíegyháza Hungay Abstact: The

More information

Fractional Zero Forcing via Three-color Forcing Games

Fractional Zero Forcing via Three-color Forcing Games Factional Zeo Focing via Thee-colo Focing Games Leslie Hogben Kevin F. Palmowski David E. Robeson Michael Young May 13, 2015 Abstact An -fold analogue of the positive semidefinite zeo focing pocess that

More information

Pushdown Automata (PDAs)

Pushdown Automata (PDAs) CHAPTER 2 Context-Fee Languages Contents Context-Fee Gammas definitions, examples, designing, ambiguity, Chomsky nomal fom Pushdown Automata definitions, examples, euivalence with context-fee gammas Non-Context-Fee

More information

9.1 The multiplicative group of a finite field. Theorem 9.1. The multiplicative group F of a finite field is cyclic.

9.1 The multiplicative group of a finite field. Theorem 9.1. The multiplicative group F of a finite field is cyclic. Chapte 9 Pimitive Roots 9.1 The multiplicative goup of a finite fld Theoem 9.1. The multiplicative goup F of a finite fld is cyclic. Remak: In paticula, if p is a pime then (Z/p) is cyclic. In fact, this

More information

Attribute Based Data Sharing with Attribute Revocation

Attribute Based Data Sharing with Attribute Revocation Attibute Based Data Shaing with Attibute Revocation Shucheng Yu Depatment of ECE Woceste Polytechnic Institute Woceste, MA 01609 yscheng@wpi.edu Cong Wang Depatment of ECE Illinois Institute of Technology

More information

1 Explicit Explore or Exploit (E 3 ) Algorithm

1 Explicit Explore or Exploit (E 3 ) Algorithm 2.997 Decision-Making in Lage-Scale Systems Mach 3 MIT, Sping 2004 Handout #2 Lectue Note 9 Explicit Exploe o Exploit (E 3 ) Algoithm Last lectue, we studied the Q-leaning algoithm: [ ] Q t+ (x t, a t

More information

ON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS. D.A. Mojdeh and B. Samadi

ON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS. D.A. Mojdeh and B. Samadi Opuscula Math. 37, no. 3 (017), 447 456 http://dx.doi.og/10.7494/opmath.017.37.3.447 Opuscula Mathematica ON THE INVERSE SIGNED TOTAL DOMINATION NUMBER IN GRAPHS D.A. Mojdeh and B. Samadi Communicated

More information

Lecture 7. Public Key Cryptography (Diffie-Hellman and RSA)

Lecture 7. Public Key Cryptography (Diffie-Hellman and RSA) Lectue 7 Pulic Key Cytogahy (Diffie-Hellman and RSA) 1 Pulic Key Cytogahy Asymmetic cytogahy Invented in 1974-1978 (Diffie-Hellman and Rivest-Shami- Adleman) Two keys: ivate (SK), ulic (PK) Encytion: with

More information

16 Modeling a Language by a Markov Process

16 Modeling a Language by a Markov Process K. Pommeening, Language Statistics 80 16 Modeling a Language by a Makov Pocess Fo deiving theoetical esults a common model of language is the intepetation of texts as esults of Makov pocesses. This model

More information

Multiple Criteria Secretary Problem: A New Approach

Multiple Criteria Secretary Problem: A New Approach J. Stat. Appl. Po. 3, o., 9-38 (04 9 Jounal of Statistics Applications & Pobability An Intenational Jounal http://dx.doi.og/0.785/jsap/0303 Multiple Citeia Secetay Poblem: A ew Appoach Alaka Padhye, and

More information

Analytical Solutions for Confined Aquifers with non constant Pumping using Computer Algebra

Analytical Solutions for Confined Aquifers with non constant Pumping using Computer Algebra Poceedings of the 006 IASME/SEAS Int. Conf. on ate Resouces, Hydaulics & Hydology, Chalkida, Geece, May -3, 006 (pp7-) Analytical Solutions fo Confined Aquifes with non constant Pumping using Compute Algeba

More information

Experiment I Voltage Variation and Control

Experiment I Voltage Variation and Control ELE303 Electicity Netwoks Expeiment I oltage aiation and ontol Objective To demonstate that the voltage diffeence between the sending end of a tansmission line and the load o eceiving end depends mainly

More information

Solution to HW 3, Ma 1a Fall 2016

Solution to HW 3, Ma 1a Fall 2016 Solution to HW 3, Ma a Fall 206 Section 2. Execise 2: Let C be a subset of the eal numbes consisting of those eal numbes x having the popety that evey digit in the decimal expansion of x is, 3, 5, o 7.

More information

Functions Defined on Fuzzy Real Numbers According to Zadeh s Extension

Functions Defined on Fuzzy Real Numbers According to Zadeh s Extension Intenational Mathematical Foum, 3, 2008, no. 16, 763-776 Functions Defined on Fuzzy Real Numbes Accoding to Zadeh s Extension Oma A. AbuAaqob, Nabil T. Shawagfeh and Oma A. AbuGhneim 1 Mathematics Depatment,

More information

FUSE Fusion Utility Sequence Estimator

FUSE Fusion Utility Sequence Estimator FUSE Fusion Utility Sequence Estimato Belu V. Dasaathy Dynetics, Inc. P. O. Box 5500 Huntsville, AL 3584-5500 belu.d@dynetics.com Sean D. Townsend Dynetics, Inc. P. O. Box 5500 Huntsville, AL 3584-5500

More information

Conspiracy and Information Flow in the Take-Grant Protection Model

Conspiracy and Information Flow in the Take-Grant Protection Model Conspiacy and Infomation Flow in the Take-Gant Potection Model Matt Bishop Depatment of Compute Science Univesity of Califonia at Davis Davis, CA 95616-8562 ABSTRACT The Take Gant Potection Model is a

More information

Temporal-Difference Learning

Temporal-Difference Learning .997 Decision-Making in Lage-Scale Systems Mach 17 MIT, Sping 004 Handout #17 Lectue Note 13 1 Tempoal-Diffeence Leaning We now conside the poblem of computing an appopiate paamete, so that, given an appoximation

More information

LINEAR AND NONLINEAR ANALYSES OF A WIND-TUNNEL BALANCE

LINEAR AND NONLINEAR ANALYSES OF A WIND-TUNNEL BALANCE LINEAR AND NONLINEAR ANALYSES O A WIND-TUNNEL INTRODUCTION BALANCE R. Kakehabadi and R. D. Rhew NASA LaRC, Hampton, VA The NASA Langley Reseach Cente (LaRC) has been designing stain-gauge balances fo utilization

More information

Introduction to Nuclear Forces

Introduction to Nuclear Forces Intoduction to Nuclea Foces One of the main poblems of nuclea physics is to find out the natue of nuclea foces. Nuclea foces diffe fom all othe known types of foces. They cannot be of electical oigin since

More information

SMT 2013 Team Test Solutions February 2, 2013

SMT 2013 Team Test Solutions February 2, 2013 1 Let f 1 (n) be the numbe of divisos that n has, and define f k (n) = f 1 (f k 1 (n)) Compute the smallest intege k such that f k (013 013 ) = Answe: 4 Solution: We know that 013 013 = 3 013 11 013 61

More information

When two numbers are written as the product of their prime factors, they are in factored form.

When two numbers are written as the product of their prime factors, they are in factored form. 10 1 Study Guide Pages 420 425 Factos Because 3 4 12, we say that 3 and 4 ae factos of 12. In othe wods, factos ae the numbes you multiply to get a poduct. Since 2 6 12, 2 and 6 ae also factos of 12. The

More information

7.2. Coulomb s Law. The Electric Force

7.2. Coulomb s Law. The Electric Force Coulomb s aw Recall that chaged objects attact some objects and epel othes at a distance, without making any contact with those objects Electic foce,, o the foce acting between two chaged objects, is somewhat

More information

Additive Approximation for Edge-Deletion Problems

Additive Approximation for Edge-Deletion Problems Additive Appoximation fo Edge-Deletion Poblems Noga Alon Asaf Shapia Benny Sudakov Abstact A gaph popety is monotone if it is closed unde emoval of vetices and edges. In this pape we conside the following

More information

Query Complexity Lower Bounds for Reconstruction of Codes

Query Complexity Lower Bounds for Reconstruction of Codes Quey Complexity Lowe Bounds fo Reconstuction of Codes Souav Chakaboty Elda Fische Aie Matsliah Abstact We investigate the poblem of local econstuction, as defined by Saks and Seshadhi (2008), in the context

More information

Localization of Eigenvalues in Small Specified Regions of Complex Plane by State Feedback Matrix

Localization of Eigenvalues in Small Specified Regions of Complex Plane by State Feedback Matrix Jounal of Sciences, Islamic Republic of Ian (): - () Univesity of Tehan, ISSN - http://sciencesutaci Localization of Eigenvalues in Small Specified Regions of Complex Plane by State Feedback Matix H Ahsani

More information

Syntactical content of nite approximations of partial algebras 1 Wiktor Bartol Inst. Matematyki, Uniw. Warszawski, Warszawa (Poland)

Syntactical content of nite approximations of partial algebras 1 Wiktor Bartol Inst. Matematyki, Uniw. Warszawski, Warszawa (Poland) Syntactical content of nite appoximations of patial algebas 1 Wikto Batol Inst. Matematyki, Uniw. Waszawski, 02-097 Waszawa (Poland) batol@mimuw.edu.pl Xavie Caicedo Dep. Matematicas, Univ. de los Andes,

More information

Pearson s Chi-Square Test Modifications for Comparison of Unweighted and Weighted Histograms and Two Weighted Histograms

Pearson s Chi-Square Test Modifications for Comparison of Unweighted and Weighted Histograms and Two Weighted Histograms Peason s Chi-Squae Test Modifications fo Compaison of Unweighted and Weighted Histogams and Two Weighted Histogams Univesity of Akueyi, Bogi, v/noduslód, IS-6 Akueyi, Iceland E-mail: nikolai@unak.is Two

More information

Deterministic vs Non-deterministic Graph Property Testing

Deterministic vs Non-deterministic Graph Property Testing Deteministic vs Non-deteministic Gaph Popety Testing Lio Gishboline Asaf Shapia Abstact A gaph popety P is said to be testable if one can check whethe a gaph is close o fa fom satisfying P using few andom

More information

Topic 4a Introduction to Root Finding & Bracketing Methods

Topic 4a Introduction to Root Finding & Bracketing Methods /8/18 Couse Instucto D. Raymond C. Rumpf Office: A 337 Phone: (915) 747 6958 E Mail: cumpf@utep.edu Topic 4a Intoduction to Root Finding & Backeting Methods EE 4386/531 Computational Methods in EE Outline

More information

QUANTUM ALGORITHMS IN ALGEBRAIC NUMBER THEORY

QUANTUM ALGORITHMS IN ALGEBRAIC NUMBER THEORY QUANTU ALGORITHS IN ALGEBRAIC NUBER THEORY SION RUBINSTEIN-SALZEDO Abstact. In this aticle, we discuss some quantum algoithms fo detemining the goup of units and the ideal class goup of a numbe field.

More information

V G. In this class, we will look at a possible hypothesis for way the time dependence is t

V G. In this class, we will look at a possible hypothesis for way the time dependence is t ECE65R : Reliability Physics of anoelectonic Devices Lectue : CI Time Exponents Date : Dec. 4, 6 Classnote : Saakshi Gangwal Review : Lutfe A Siddiqui. Review We have spent seveal weeks discussing discussing

More information

Journal of Inequalities in Pure and Applied Mathematics

Journal of Inequalities in Pure and Applied Mathematics Jounal of Inequalities in Pue and Applied Mathematics COEFFICIENT INEQUALITY FOR A FUNCTION WHOSE DERIVATIVE HAS A POSITIVE REAL PART S. ABRAMOVICH, M. KLARIČIĆ BAKULA AND S. BANIĆ Depatment of Mathematics

More information

Research Article On Alzer and Qiu s Conjecture for Complete Elliptic Integral and Inverse Hyperbolic Tangent Function

Research Article On Alzer and Qiu s Conjecture for Complete Elliptic Integral and Inverse Hyperbolic Tangent Function Abstact and Applied Analysis Volume 011, Aticle ID 697547, 7 pages doi:10.1155/011/697547 Reseach Aticle On Alze and Qiu s Conjectue fo Complete Elliptic Integal and Invese Hypebolic Tangent Function Yu-Ming

More information

A Multivariate Normal Law for Turing s Formulae

A Multivariate Normal Law for Turing s Formulae A Multivaiate Nomal Law fo Tuing s Fomulae Zhiyi Zhang Depatment of Mathematics and Statistics Univesity of Noth Caolina at Chalotte Chalotte, NC 28223 Abstact This pape establishes a sufficient condition

More information

Convergence Dynamics of Resource-Homogeneous Congestion Games: Technical Report

Convergence Dynamics of Resource-Homogeneous Congestion Games: Technical Report 1 Convegence Dynamics of Resouce-Homogeneous Congestion Games: Technical Repot Richad Southwell and Jianwei Huang Abstact Many esouce shaing scenaios can be modeled using congestion games A nice popety

More information

THE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX. Jaejin Lee

THE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX. Jaejin Lee Koean J. Math. 23 (2015), No. 3, pp. 427 438 http://dx.doi.og/10.11568/kjm.2015.23.3.427 THE JEU DE TAQUIN ON THE SHIFTED RIM HOOK TABLEAUX Jaejin Lee Abstact. The Schensted algoithm fist descibed by Robinson

More information

The Chromatic Villainy of Complete Multipartite Graphs

The Chromatic Villainy of Complete Multipartite Graphs Rocheste Institute of Technology RIT Schola Wos Theses Thesis/Dissetation Collections 8--08 The Chomatic Villainy of Complete Multipatite Gaphs Anna Raleigh an9@it.edu Follow this and additional wos at:

More information

Brief summary of functional analysis APPM 5440 Fall 2014 Applied Analysis

Brief summary of functional analysis APPM 5440 Fall 2014 Applied Analysis Bief summay of functional analysis APPM 5440 Fall 014 Applied Analysis Stephen Becke, stephen.becke@coloado.edu Standad theoems. When necessay, I used Royden s and Keyzsig s books as a efeence. Vesion

More information

MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE. We consider second order constant coefficient scalar linear PDEs on R n. These have the form

MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE. We consider second order constant coefficient scalar linear PDEs on R n. These have the form MATH 220: SECOND ORDER CONSTANT COEFFICIENT PDE ANDRAS VASY We conside second ode constant coefficient scala linea PDEs on R n. These have the fom Lu = f L = a ij xi xj + b i xi + c i whee a ij b i and

More information

ac p Answers to questions for The New Introduction to Geographical Economics, 2 nd edition Chapter 3 The core model of geographical economics

ac p Answers to questions for The New Introduction to Geographical Economics, 2 nd edition Chapter 3 The core model of geographical economics Answes to questions fo The New ntoduction to Geogaphical Economics, nd edition Chapte 3 The coe model of geogaphical economics Question 3. Fom intoductoy mico-economics we know that the condition fo pofit

More information

4/18/2005. Statistical Learning Theory

4/18/2005. Statistical Learning Theory Statistical Leaning Theoy Statistical Leaning Theoy A model of supevised leaning consists of: a Envionment - Supplying a vecto x with a fixed but unknown pdf F x (x b Teache. It povides a desied esponse

More information

Improved Factoring Attacks on Multi-Prime RSA with Small Prime Difference

Improved Factoring Attacks on Multi-Prime RSA with Small Prime Difference Impoved Factoing Attacks on Multi-Pime RSA with Small Pime Diffeence Mengce Zheng 1,2, Nobou Kunihio 2, and Honggang Hu 1 1 Univesity of Science and Technology of China, China mengce.zheng@gmail.com 2

More information

CSCE 478/878 Lecture 4: Experimental Design and Analysis. Stephen Scott. 3 Building a tree on the training set Introduction. Outline.

CSCE 478/878 Lecture 4: Experimental Design and Analysis. Stephen Scott. 3 Building a tree on the training set Introduction. Outline. In Homewok, you ae (supposedly) Choosing a data set 2 Extacting a test set of size > 3 3 Building a tee on the taining set 4 Testing on the test set 5 Repoting the accuacy (Adapted fom Ethem Alpaydin and

More information

CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL

CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL U.P.B. Sci. Bull. Seies A, Vol. 80, Iss.3, 018 ISSN 13-707 CALCULATING THE NUMBER OF TWIN PRIMES WITH SPECIFIED DISTANCE BETWEEN THEM BASED ON THE SIMPLEST PROBABILISTIC MODEL Sasengali ABDYMANAPOV 1,

More information

KOEBE DOMAINS FOR THE CLASSES OF FUNCTIONS WITH RANGES INCLUDED IN GIVEN SETS

KOEBE DOMAINS FOR THE CLASSES OF FUNCTIONS WITH RANGES INCLUDED IN GIVEN SETS Jounal of Applied Analysis Vol. 14, No. 1 2008), pp. 43 52 KOEBE DOMAINS FOR THE CLASSES OF FUNCTIONS WITH RANGES INCLUDED IN GIVEN SETS L. KOCZAN and P. ZAPRAWA Received Mach 12, 2007 and, in evised fom,

More information

Alternative Tests for the Poisson Distribution

Alternative Tests for the Poisson Distribution Chiang Mai J Sci 015; 4() : 774-78 http://epgsciencecmuacth/ejounal/ Contibuted Pape Altenative Tests fo the Poisson Distibution Manad Khamkong*[a] and Pachitjianut Siipanich [b] [a] Depatment of Statistics,

More information