Constant-Size Structure-Preserving Signatures Generic Constructions and Simple Assumptions

Transcription

1 Constant-Sze Structure-Preservng Sgnatures Generc Constructons and Smple Assumptons Masayuk Abe Melssa Chase Bernardo Davd Markulf Kohlwess Ryo Nshmak Myako Ohkubo NTT Secure Platform Laboratores, NTT Corporaton, Japan Mcrosoft Research, Redmond, USA Unversty of Brasla, Brazl Mcrosoft Research, Cambrdge, UK Securty Archtecture Laboratory, NSRI, NICT, Japan Abstract Ths paper presents effcent structure-preservng sgnature schemes based on assumptons as smple as Decson-Lnear. We frst gve two general frameworks for constructng fully secure sgnature schemes from weaker buldng blocks such as varatons of one-tme sgnatures and random-message secure sgnatures. They can be seen as refnements of the Even- Goldrech-Mcal framework, and preserve many desrable propertes of the underlyng schemes such as constant sgnature sze and structure preservaton. We then nstantate them based on smple (.e., not q-type) assumptons over symmetrc and asymmetrc blnear groups. The resultng schemes are structure-preservng and yeld constant-sze sgnatures consstng of 11 to 17 group elements, whch compares favorably to exstng schemes relyng on q-type assumptons for ther securty. Keywords: Structure-preservng sgnatures, One-tme sgnatures, Groth-Saha proof system, Random message attacks

2 Contents 1 Introducton Our contrbuton Related Works Prelmnares Notaton Blnear groups Assumptons Defntons Common setup Sgnature schemes Partal one-tme and tagged one-tme sgnatures Structure-preservng sgnatures Generc Constructons SIG1: Combnng tagged one-tme and RMA-secure sgnatures SIG2: Combnng partal one-tme and XRMA-secure sgnatures Instantatng SIG Setup for Type-I groups Tagged one-tme sgnature scheme RMA-secure sgnature scheme Securty and effcency of resultng SIG Instantatng SIG Setup for Type-III groups Partal one-tme sgnatures for unlteral messages Partal one-tme sgnatures for blateral messages XRMA-secure sgnature scheme Securty and effcency of resultng SIG Applcatons and Open Questons 24 A Tagged one-tme sgnature scheme (Obsolete) 27

3 1 Introducton A structure-preservng sgnature (SPS) scheme [1] s a dgtal sgnature scheme wth two structural propertes () the verfcaton keys, messages, and sgnatures are all elements of a blnear group; and () the verfcaton algorthm checks a conjuncton of parng product equatons over the key, the message and the sgnature. Ths makes them compatble wth the effcent non-nteractve proof system for parng-product equatons by Groth and Saha (GS) [28]. Structure-preservng cryptographc prmtves promse to combne the advantages of optmzed number theoretc non-blackbox constructons wth the modularty and nsght of protocols that use only generc cryptographc buldng blocks. Indeed the nstantaton of known generc constructons wth a SPS scheme and the GS proof system has led to many new and more effcent schemes: Groth [27] showed how to construct an effcent smulaton-sound zero-knowledge proof systems (ss-nizk) buldng on generc constructons of [15, 37, 32]. Abe et al. [4] show how to obtan effcent round-optmal blnd sgnatures by nstantatng a framework by Fschln [18]. SPS are also mportant buldng blocks for a wde range of cryptographc functonaltes such as anonymous proxy sgnatures [20], delegatable anonymous credentals [6], transferable e-cash [21] and compact verfable shuffles [14]. Most recently, [29] show how to construct a structure preservng treebased sgnature scheme wth a tght securty reducton followng the approach of [24, 16]. Ths sgnature scheme s then used to buld a ss-nizk whch n turn s used wth the Naor-Yung-Saha [33, 36] paradgm to buld the frst CCA secure publc-key encrypton scheme wth a tght securty reducton. Examples for other schemes that beneft from effcent SPS are [7, 11, 8, 30, 25, 5, 35, 22, 19, 26]. Because propertes () and () are the only dependences on the SPS scheme made by these constructons, any structurepreservng sgnature scheme can be used as a drop-n replacement. Unfortunately, all known effcent nstantatons of SPS [4, 1, 2] are based on so-called q-type or nteractve assumptons that are prmarly justfed based on the Generc Group model. An open queston snce Groth s semnal work [27] (only partally answered by [13]) s to construct a SPS scheme that s both effcent n partcular constant-sze n the number of sgned group elements and that s based on assumptons that are as weak as those requred by the GS proof system tself. 1.1 Our contrbuton Our frst contrbuton conssts of two generc constructons for chosen message attack (CMA) secure sgnatures that combne varatons of one-tme sgnatures and sgnatures secure aganst random message attacks (RMA). Both constructons nhert the structure-preservng and constant-sze propertes from the underlyng components. The second contrbuton conssts n the concrete nstantatons of these components whch result n constant-sze structure-preservng sgnature schemes that produce sgnatures consstng of only 11 to 17 group elements and that rely only on basc assumptons such as Decsonal-Lnear (DLIN) for symmetrc blnear groups and analogues of DDH and DLIN for asymmetrc blnear groups. To our knowledge, these are the frst constant-sze structure-preservng sgnature schemes that elmnate the use of q-type assumptons whle achevng reasonable effcency. We nstantate the frst generc constructon for symmetrc (Type-I) and the second for asymmetrc (Type-III) parng groups. See Table 1 and 2 n Secton 5.4 and 6.5, respectvely, for the summary of effcency of the resultng schemes. We gve more detals on our generc constructons and ther nstantatons: The frst generc constructon (SIG1) combnes a new varaton of one-tme sgnatures whch we call tagged one-tme sgnatures and sgnatures secure aganst random message attacks (RMA). A tagged one-tme sgnature scheme, denoted by TOS, s a sgnature scheme that attaches a fresh tag to a sgnature. It s unforgeable wth respect to tags that are used only once. In our constructon, a message s sgned wth our TOS scheme usng a fresh random tag, and then the tag s sgned wth the second sgnature scheme, denoted by rsig. Snce the rsig scheme only sgns random tags, RMA-securty s suffcent. The second generc constructon (SIG2) combnes partal one-tme sgnatures and sgnatures secure aganst extended random message attacks (XRMA). The latter s a novel noton that we explan below. Partal one-tme sgnatures, denoted by POS, are one-tme sgnatures for whch only a part of the one-tme key s renewed for every sgnng operaton. They were frst ntroduced by Bellare and Shoup [9] under the name of two-ter sgnatures. In our constructon, a message s sgned wth the POS scheme and then the random one-tme publc-key s certfed by the second sgnature scheme, denoted by xsig. The dfference between a TOS scheme and a POS scheme s that a one-tme publc-key s assocated wth a one-tme secret-key. Snce the secret-key s needed for sgnng, t must be known to the reducton n the securty proof. XRMA-securty guarantees that xsig s unforgeable even f the adversary s gven auxlary nformaton assocated wth the randomly chosen messages. The auxlary nformaton facltates access to the one-tme secret-key by the reducton. To nstantate SIG1, we construct structure-preservng TOS and rsig sgnature schemes based on DLIN over Type-I blnear groups. Our TOS scheme yelds constant-sze sgnatures and tags. The resultng SIG1 scheme s structurepreservng, produces sgnatures consstng of 17 group elements, and reles solely on the DLIN assumpton. 1

4 To nstantate SIG2, we construct structure-preservng POS and xsig sgnature schemes based on assumptons that are analogues of DDH and DLIN n Type-III blnear groups. The resultng SIG2 scheme s structure-preservng, produces sgnatures consstng of 11 group elements for unlteral messages n a base group or 14 group elements for blteral messages from both base groups. The role of partal one-tme sgnatures s to compress a message nto a constant number of random group elements. Ths observaton s nterestng n lght of [3] that mples the mpossblty of constructng collson resstant and shrnkng structure-preservng hash functons, whch could mmedately yeld constant-sze sgnatures. Our (extended) RMA-secure sgnature schemes are structure-preservng varants of Waters dual-sgnature scheme [39]. In general, the dffculty of constructng CMA-secure SPS arses from the fact that the exponents of the group elements chosen by the adversary as a message are not known to the reducton n the securty proof. On the other hand, for RMA securty, t s the challenger that chooses the message and therefore the exponents can be known n reductons. Ths s the crucal advantage for constructng (extended) RMA-secure structure-preservng sgnature schemes based on Waters sgnature scheme. Fnally, we menton a few new applcatons. Among these s the achevement of a drastc performance mprovement when usng our partal one-tme sgnatures n the work by Hofhenz and Jager [29] to construct CCA-secure publc-key encrypton schemes wth a proof of securty that tghtly reduces to DLIN or SXDH. 1.2 Related Works Even, Goldrech and Mcal [17] proposed a generc framework (the EGM framework) that combnes a one-tme sgnature scheme and a sgnature scheme that s secure aganst non-adaptve chosen message attacks (NACMA) to construct a sgnature scheme that s secure aganst adaptve chosen message attacks (CMA). In fact, our generc constructons can be seen as refnements of the EGM framework. There are two reasons why the orgnal framework falls short for our purpose. The frst s that relaxng to NACMA does not seem a bg help n constructng effcent structure-preservng sgnatures snce the messages are stll under the control of the adversary and the exponents of the messages are not known to the reducton algorthm n the securty proof. As mentoned above, resortng to (extended) RMA s a great help n ths regard. In [17], they also showed that CMA-secure sgnatures exst ff RMA-secure sgnatures exst. The proof, however, does not follow ther framework and ther mpractcal constructon s manly a feasblty result. In fact, we argue that RMA-securty alone s not suffcent for the orgnal EGM framework. As mentoned above, the necessty of XRMA securty arses n the reducton that uses RMA-securty to argue securty of the ordnary sgnature scheme, as the reducton not only needs to know the random one-tme publc-keys, but also ther correspondng one-tme secret keys n order to generate the one-tme sgnature components of the sgnatures. The auxlary nformaton n the XRMA defnton facltates access to these secret keys. Smlarly, tagged one-tme sgnatures avod ths problem as tags do not have assocated secret values. The second reason that the EGM approach s not qute suted to our task s that the EGM framework produces sgnatures that are lnear n the publc-key sze of the one-tme sgnature scheme. Here, tagged or partal one-tme sgnature schemes come n handy as they allow the sgnature sze to be only lnear n the sze of the part of the publc key that s updated. Thus, to obtan constant-sze sgnatures, we requre the one-tme part to be constant-sze. Hofhenz and Jager [29] constructed a SPS scheme by followng the EGM framework. The resultng scheme allows tght securty reducton to DLIN but the sze of sgnatures depends logarthmcally to the number of sgnng operaton as ther NACMA-secure scheme s tree-based lke the Goldwasser-Mcal-Rvest sgnature scheme [24]. Kohlwess and Chase [13] construct a SPS scheme wth securty based on DLIN that mprove the performance of Groth s scheme [27] by several orders of magntude. The sze of the resultng sgnatures, however, are stll lnear n the number of sgned group elements, and an order of magntude larger than n our constructons. 2 Prelmnares 2.1 Notaton Appendng element y to a sequence X = (x 1,..., x n ) s denoted by (X, y),.e., (X, y) = (x 1,..., x n, y). When algorthm A s defned for nput x and output y, notaton y A( x) for x := {x 1,..., x n } means that y A(x ) s executed for = 1,..., n and y s set as y := (y 1,..., y n ). For set X, notaton a X denote a unform samplng from X. Independent multple samplng from the same set X s denoted by a, b, c,.. X. 2.2 Blnear groups Let G be a blnear group generator that takes securty parameter 1 λ and outputs a descrpton of blnear groups Λ := (p, G 1, G 2, G T, e), where G 1, G 2 and G T are groups of prme order p, and e s an effcent and non-degeneratng blnear map G 1 G 2 G T. Followng the termnology n [23] ths s a Type-III parng. In the Type-III settng G 1 G 2 and there 2

5 are no effcent mappng between the groups n ether drecton. In the Type-III settng, we often use twn group elements, (G a, Ĝa ) G 1 G 2 for some bases G and Ĝ. For X n G 1, notaton ˆX denotes for an element n G 2 that log X = log ˆX where logarthms are wth respect to default bases that are unformly chosen once for all and mplctly assocated to Λ. Should ther relaton be explctly stated, we wrte X ˆX. We count the number of group elements to measure the sze of cryptographc objects such as keys, messages, and sgnatures. For Type-III groups, we denote the sze by (x, y) when t conssts of x and y elements from G 1 and G 2, respectvely. We refer to the Type-I settng when G 1 = G 2 (.e., there are effcent mappngs n both drectons). Ths s also called the symmetrc settng. In ths case, we defne Λ := (p, G, G T, e). When we need to be specfc, the group descrpton yelded by G wll be wrtten as Λ asym and Λ sym. 2.3 Assumptons We frst defne computatonal and decsonal Dffe-Hellman assumptons (co-cdh, DDH 1 ) and decson lnear assumpton (DLIN 1 ) for Type-III blnear groups. Correspondng more standard assumptons, CDH, DDH, and DLIN, n Type-I groups are obtaned by settng G 1 = G 2 and G = Ĝ n the respectve defntons. Defnton 1 (Computaton co-dffe-hellman Assumpton: co-cdh). The co-cdh assumpton holds f, for any polynomal-tme algorthm A, probablty Adv co-cdh G,A (λ) := Pr[ Z = G xy Λ G(1 λ ) ; x, y Z p ; Z A(Λ, G, G x, G y, Ĝ, Ĝx, Ĝy ) ] s neglgble n λ. Defnton 2 (Decsonal Dffe-Hellman Assumpton n G 1 : DDH 1 ). Let G ddh1 (1 λ ) be an algorthm that, on nput securty parameter 1 λ, runs group generator Λ := (p, G 1, G 2, G T, e) G(1 λ ), chooses G G 1 and x, y, z Z p, and outputs I ddh1 := (Λ, G, G x, G y ) and (x, y, z). The DDH 1 assumpton holds f for polynomal-tme adversary A, advantage Adv ddh1 G,A (λ) := Pr[ 1 A(I ddh1, G xy ) (I ddh1, x, y, z) G ddh1 (1 λ ) ] Pr[ 1 A(I ddh1, G z ) (I ddh1, x, y, z) G ddh1 (1 λ ) ] s neglgble n λ. Defnton 3 (Decson Lnear Assumpton n G 1 : DLIN 1 ). Let G dln1 (1 λ ) be an algorthm that on nput securty parameter λ, runs group generator Λ := (p, G 1, G 2, G T, e) G(1 λ ), selects x, y, z Z p and G 1, G 2, G 3 G 1, and outputs I dln1 := (Λ, G 1, G 2, G 3, G x 1, G y 2 ) and (x, y, z). The DLIN 1 assumpton holds f, for all polynomal-tme adversary A, advantage Adv dln1 G,A (λ) := Pr[ 1 A(I dln1, G x+y 3 ) (I dln1, x, y, z) G dln1 (1 λ ) ] Pr[ 1 A(I dln1, G z 3 ) (I dln1, x, y, z) G dln1 (1 λ ) ] s neglgble n λ. For DDH 1 and DLIN 1, we defne an analogous assumpton n G 2 (DDH 2 ) by swappng G 1 and G 2 n the respectve defntons. In Type-III blnear groups, t s assumed that both DDH 1 and DDH 2 hold smultaneously. The assumpton s called the symmetrc external Dffe-Hellman assumpton (SXDH), and we defne advantage Adv sxdh G,C by Adv sxdh G,C (λ) def = Adv ddh1 G,A (λ) + Adv ddh2 G,B (λ). We extend DLIN n a smlar manner as DDH, and SXDH. Defnton 4 (External Decson Lnear Assumpton n G 1 : XDLIN 1 ). Let G xdln (1 λ ) be an algorthm that on nput securty parameter λ, runs group generator Λ := (p, G 1, G 2, G T, e) G(1 λ ), selects x, y, z Z p and G 1, G 2, G 3 G 1, Ĝ 1, Ĝ2, Ĝ3 G 2 such that (G 1, G 2, G 3 ) (Ĝ1, Ĝ2, Ĝ3), and outputs I xdln := (Λ, G 1, G 2, G 3, Ĝ1, Ĝ2, Ĝ3, G x 1, G y 2, Ĝx 1, Ĝy 2 ) and (x, y, z). The XDLIN 1 assumpton holds f, for all polynomaltme adversary A, advantage Adv xdln1 G,A (λ) := Pr[ 1 A(I xdln, G x+y 3 ) (I xdln, x, y, z) G xdln (1 λ ) ] Pr[ 1 A(I xdln, G z 3 ) (I xdln, x, y, z) G xdln (1 λ ) ] s neglgble n λ. The XDLIN 1 assumpton s equvalent to the DLIN 1 assumpton n the generc blnear group model [38, 10] where one can smulate the extra elements, Ĝ 1, Ĝ2, Ĝ3, Ĝx 1, Ĝy 2, n XDLIN 1 from G 1, G 2, G 3, G x 1, G y 2 n DLIN 1. We defne the XDLIN 2 assumpton analogously by gvng Ĝx+y 3, respectvely Ĝz 3, to A nstead. Then we defne the smultaneous external decson Dffe-Hellman assumpton, SXDLIN, that assumes that both XDLIN 1 and XDLIN 2 hold at the same tme. By Adv xdln2 G,A (Adv sxdln G,A, resp.), we denote the advantage functon for XDLIN 2 (and SXDLIN, resp.). Fnally we recall two computatonal assumptons (tghtly) reduced from one of the above basc assumptons. Defnton 5 (Double Parng Assumpton n G 1 [4]:DBP 1 ). The DBP 1 assumpton holds f, for any polynomal-tme A, probablty Adv dbp1 def G,A (λ) = Pr[ 1 = e(g z, Z) e(g r, R) Z G 2 Λ G(1 λ ) ; (G z, G r ) G 1 G 1 ; (Z, R) A(Λ, G z, G r ) ] s neglgble n λ. The double parng assumpton n G 2 (DBP 2 ) s defned n the same manner by swappng G 1 and G 2. It s known that DBP 1 (DBP 2, resp.) s mpled by DDH 1 (DDH 2, resp.) and the reducton s tght [4]. Thus the followng holds. 3

6 Lemma 1. SXDH DBP 1 DBP 2. In partcular, Adv dbp1 G,A (λ) + Advdbp2 G,B (λ) Advsxdh G,C (λ) holds. Note that the double parng assumpton does not hold n Type-I groups snce Z = G r, R = G z s a trval soluton. The followng analogous assumpton wll be useful n Type-I groups. Defnton 6 (Smultaneous Double Parng Assumpton [12]: SDP). The SDP assumpton holds f, for any polynomal-tme A, advantage Adv sdp def G,A (λ) = Pr[ 1 = e(g z, Z) e(g r, R) 1 = e(h z, Z) e(h s, S) Z G Λ G(1 λ ) ; (G z, G r, H z, H s ) G 4 ; (Z, R, S) A(Λ, G z, G r, H z, H s ) ] s neglgble n λ. As shown n [12] for the Type-I settng, the smultaneous double parng assumpton holds for G f the decson lnear assumpton holds for G. Lemma 2. DLIN SDP. In partcular, Adv sdp G,A (λ) Advdln G,B(λ) holds. 3 Defntons 3.1 Common setup All buldng blocks make use of a common setup algorthm Setup that takes the securty parameter 1 λ and outputs a global parameters gk that s gven to all other algorthms. Usually gk conssts of a descrpton Λ of a blnear group setup and a default generator for each group. In ths paper, we nclude several addtonal generators n gk for techncal reasons. Note that when the resultng sgnature scheme s used n mult-user applcatons dfferent addtonal generators need to be assgned to ndvdual users or one needs to fall back on the common reference strng model, whereas Λ and the default generators can be shared. Thus we count the sze of gk when we assess the effcency of concrete nstantatons. For ease of notaton, we make gk mplct except w.r.t. key generaton algorthms. 3.2 Sgnature schemes We use the followng syntax for sgnature schemes sutable for the mult-user and mult-algorthm settng. The key generaton functon takes global parameter gk generated by Setup (usually t takes securty parameter 1 λ ), and the message space M s determned solely from gk (usually t s determned from a publc-key). Defnton 7 (Sgnature Scheme). A sgnature scheme SIG s a tuple of three polynomal-tme algorthms (Key, Sgn, Vrf) that; SIG.Key(gk) s a probablstc algorthm that generates a long-term publc-key vk and a secret-key sk. SIG.Sgn(sk, msg) s an algorthm that takes sk and message msg, and outputs sgnature σ. SIG.Vrf(vk, msg, σ) outputs 1 for acceptance or 0 for rejecton. Correctness requres that 1 = SIG.Vrf(vk, msg, σ) holds for any gk generated by Setup, any keys generated as (vk, sk) SIG.Key(gk), any message msg M, and any sgnature σ SIG.Sgn(sk, msg). Defnton 8 (Attack Game(ATK)). Let Osg be an oracle and A be an oracle algorthm. We defne a meta attack game as a sequence of executon of algorthms as follows. gk Setup(1 λ ), ATK(A, λ) = pre A(gk), (vk, sk) SIG.Key(gk), (1) (σ, msg ) A Osg (vk) Adversary A commts to pre, whch s typcally a set of messages, n the frst run. Ths formulaton s to capture non-adaptve attacks. It s mplct that a state nformaton s passed to the second run of A. Let Q m be lst of messages and sgnatures observed by A before outputtng the resultng forgery. The output of ATK s (vk, σ, msg, Q m ). Defnton 9 (Adaptve Chosen-Message Attack (CMA)). Adaptve chosen message attack securty s defned by the attack game ATK where pre s empty and oracle Osg s the sgnng oracle that, on recevng a message msg, performs σ SIG.Sgn(sk, msg), and returns σ. 4

7 Defnton 10 (Non-Adaptve Chosen-Message Attack (NACMA)). Non-adaptve chosen message attack s s attacks game ATK where pre s a lst of messages and oracle Osg returns sgnatures for the messages n pre. Defnton 11 (Random Message Attack (RMA)[17]). Random message attack securty s defned by the attack game ATK where pre s empty and oracle Osg s the followng: on recevng a request, t chooses msg unformly from M defned by gk, computes σ SIG.Sgn(sk, msg), and returns (σ, msg). Let MSGGen be a unform message generator. It s a probablstc algorthm that takes gk and outputs msg M that dstrbutes unformly over M. Furthermore, MSGGen outputs auxlary nformaton aux that may gve a hnt about the random cons used for selectng msg. Defnton 12 (Extended Random Message Attack (XRMA)). Extended random message attack s attack game ATK where pre s empty and oracle Osg s the followng. On recevng a request, t runs (msg, aux) MSGGen(gk), computes σ SIG.Sgn(sk, msg), and returns (σ, msg, aux). For an attack ATK {CMA, NACMA, RMA, XRMA}, we defne unforgeablty as follows. Defnton 13 (Unforgeablty aganst ATK). Sgnature scheme SIG s unforgeable aganst attack ATK (UF-ATK), f for all polynomal-tme oracle algorthm A the advantage functon Adv uf-atk SIG,A s neglgble n λ, where Adv uf-atk SIG,A (λ) = Pr [ msg Q m 1 = SIG.Vrf(vk, σ, msg ) ] (vk, σ, msg, Q m ) ATK(A, λ). (2) Fact 1. UF-CMA UF-NACMA UF-XRMA UF-RMA,.e., Adv uf-cma SIG,A (λ) Advuf-nacma SIG,A (λ) Advuf-xrma Adv uf-rma SIG,A (λ). 3.3 Partal one-tme and tagged one-tme sgnatures SIG,A (λ) Partal one-tme sgnatures, also known as two-ter sgnatures [9], are a varaton of one-tme sgnatures where only part of the publc-key must be updated for every sgnng, whle the remanng part can be persstent. Defnton 14 (Partal One-Tme Sgnature Scheme [9]). A partal one-tme sgnatures scheme POS s a set of polynomaltme algorthms POS.{Key, Update, Sgn, Vrf}. POS.Key(gk) generates a long-term publc-key pk and a secret-key sk. The message space M o s assocated wth pk. (Recall however, that we requre that M o be completely defned by gk.) POS.Update() takes gk as mplct nput, and outputs a par of one-tme keys (opk, osk). We denote the space for opk by K opk. POS.Sgn(sk, msg, osk) outputs a sgnature σ on message msg based on secret-keys sk and osk. POS.Vrf(pk, opk, msg, σ) outputs 1 for acceptance, or 0 for rejecton. For correctness, t s requred that 1 = POS.Vrf(pk, opk, msg, σ) holds except for neglgble probablty for any gk, pk, opk, σ, and msg M o, such that gk Setup(1 λ ), (pk, sk) POS.Key(gk), (opk, osk) POS.Update(), σ POS.Sgn(sk, msg, osk). A tagged one-tme sgnature scheme s a sgnature scheme whose sgnng functon n addton to the long-term secret key takes a tag as nput. A tag s one-tme,.e., t must be dfferent for every sgnng. Defnton 15 (Tagged One-Tme Sgnature Scheme). A tagged one-tme sgnature scheme TOS s a set of polynomaltme algorthms TOS.{Key, Tag, Sgn, Vrf}. TOS.Key(gk) generates a long-term publc-key pk and a secret-key sk. The message space M t s assocated wth pk. TOS.Tag() takes gk as mplct nput and outputs tag. By T, we denote the space for tag. TOS.Sgn(sk, msg, tag) outputs sgnature σ for message msg based on secret-key sk and tag tag. TOS.Vrf(pk, tag, msg, σ) outputs 1 for acceptance, or 0 for rejecton. 5

8 Correctness requres that 1 = TOS.Vrf(pk, tag, msg, σ) holds except for neglgble probablty for any gk, pk, tag, σ, and msg M t, such that gk Setup(1 λ ), (pk, sk) TOS.Key(gk), tag TOS.Tag(), σ TOS.Sgn(sk, msg, tag). A TOS scheme s POS scheme for whch tag = osk = opk. We can thus gve a securty noton for POS schemes that also apples to TOS schemes by readng Update = Tag and tag = osk = opk. Defnton 16 (Unforgeablty aganst One-Tme Adapatve Chosen-Message Attacks). A partal one-tme sgnature scheme s unforgeable aganst one-tme adaptve chosen message attacks (OT-CMA) f for all polynomal-tme oracle algorthm A the advantage functon Adv ot-cma POS,A s neglgble n λ, where (opk, msg, σ) Q m s.t. Adv ot-cma POS,A (λ) = Pr opk gk Setup(1 λ ), = opk msg msg (pk, sk) POS.Key(gk),. (3) 1 = POS.Vrf(pk, opk, σ, msg ) (opk, σ, msg ) A Ot,Osg (pk) Q m s ntally an empty lst. Ot s the one-tme key generaton oracle that on recevng a request nvokes a fresh sesson j, performs (opk j, osk j ) POS.Update(), and returns opk j. Osg s the sgnng oracle that, on recevng a message msg j for sesson j, performs σ j POS.Sgn(sk, msg j, osk j ), returns σ j to A, and records (opk j, msg j, σ j ) to the lst Q m. Osg works only once for every sesson. Strong unforgeablty s defned as well by replacng condton msg msg wth (msg, σ ) (msg, σ). We defne a non-adaptve varant (OT-NACMA) of the above noton by ntegratng Ot nto Osg so that opk j and σ j are returned to A at the same tme. Namely, A must submt msg j before seeng opk j. It s obvous that f a scheme s secure n the sense of OT-CMA, the scheme s also secure n the sense of OT-NACMA. If a scheme s strongly unforgeable, t s unforgeable as well. By Adv ot-nacma (λ) we denote the advantage of A n ths non-adaptve case. For TOS, we use the same POS,A notatons, OT-CMA and OT-NACMA, and defne advantage functons Adv ot-cma TOS,A unforgeablty, we use label sot-cma and sot-nacma. and Advot-nacma TOS,A accordngly. For strong We defne a condton that s relevant for couplng random message secure sgnature schemes wth partal one-tme and tagged one-tme sgnature schemes n later sectons. Defnton 17 (Tag/One-tme Publc-Key Unformty). TOS s called unform-tag f TOS.Tag outputs tag that unformly dstrbutes over tag space T. Smlarly, POS s called unform-key f POS.Update outputs opk that unformly dstrbutes over key space K opk. 3.4 Structure-preservng sgnatures A sgnature scheme s structure-preservng over a blnear group Λ, f publc-keys, sgnatures, and messages are all base group elements of Λ, and the verfcaton only evaluates parng product equatons. Smlarly, partal one-tme sgnature schemes are structure-preservng f ther publc-keys, sgnatures, messages, and tags or one-tme publc-keys consst of base group elements and the verfcaton only evaluates parng product equatons. 4 Generc Constructons 4.1 SIG1: Combnng tagged one-tme and RMA-secure sgnatures Let rsig be a sgnature scheme wth message space M r, and TOS be a tagged one-tme sgnature scheme wth tag space T such that M r = T. We construct a sgnature scheme SIG1 from rsig and TOS. Let gk be a global parameter generated by Setup(1 λ ). SIG1.Key(gk): Run (pk t, sk t ) TOS.Key(gk), (vk r, sk r ) rsig.key(gk). Output vk := (pk t, vk r ) and sk := (sk t, sk r ). SIG1.Sgn(sk, msg): Parse sk nto (sk t, sk r ). Run tag TOS.Tag(), σ t TOS.Sgn(sk t, msg, tag), σ r rsig.sgn(sk r, tag). Output σ := (tag, σ t, σ r ). SIG1.Vrf(vk, σ, msg): Parse vk and σ accordngly. Output 1, f 1 = TOS.Vrf(pk t, tag, σ t, msg) and 1 = rsig.vrf(vk r, σ r, tag). Output 0, otherwse. We prove the securty of the above constructon by showng a reducton to the securty of each component. As our reductons are effcent n ther runnng tme, we only relate success probabltes. 6

9 Theorem 1. SIG1 s unforgeable aganst adaptve chosen message attacks (UF-CMA) f TOS s unform-tag and unforgeable aganst one-tme non-adaptve chosen message attacks (OT-NACMA), and rsig s unforgeable aganst random message attacks (UF-RMA). In partcular, Adv uf-cma SIG1,A (λ) Advot-nacma TOS,B (λ) + Advuf-rma rsig,c (λ). Proof. Any sgnature that s accepted by the verfcaton algorthm must ether reuse an exstng tag, or sgn a new tag. The success probablty Adv uf-cma SIG1,A (λ) of an attacker on SIG1 s bounded by the sum of the success probabltes Advot-nacma TOS,B (λ) of an attacker on TOS and the success probablty Adv uf-rma rsig,c (λ) of an attacker on rsig. Game 0: The actual Unforgeablty game. Pr[Game 0] = Adv uf-cma SIG1,A (λ). Game 1: The real securty game except that the wnnng condton s changed to no longer accept repetton of tags. Lemma 3. Pr[Game 0] Pr[Game 1] Adv ot-nacma TOS,B (λ) Proof. Attacker A wns n Game 0, but loses n Game 1, ff t produces a forgery that reuses a tag from a sgnng query. We descrbe a reducton B that use such an attacker to break the OT-NACMA-securty of TOS The reducton B receves gk and pk t from the challenger of TOS, sets up vk r and sk r honestly by runnng rsig.key(gk), and provdes gk and vk = (vk r, pk t ) to A. To answer a sgnng query, B uses the sgnng oracle of TOS to get tag and σ t, sgns tag usng sk r to produce σ r, and returns (tag, σ t, σ r ). When A produces a forgery (tag, σ t, σ r) on message msg, B outputs (msg, tag, σ t ) as a forgery for TOS. Game 2: The fully dealzed game. The wnnng condton s changed to reject all sgnatures. Lemma 4. Pr[Game 1] P r[game 2] Adv uf-rma rsig,c (λ) Proof. Attacker A wns n Game 1, ff t produces a forgery wth a fresh tag. We descrbe a reducton C that use A to break the UF-RMA securty of rsig. Algorthm C receves gk and vk r, runs (pk t, sk t ) TOS.Key(gk), and provdes gk and vk = (vk r, pk t ) to A. To answer sgnng query on message msg, C consults Osg and receves random message msg r and sgnature σ r. C then uses msg r as a tag,.e., tag = msg r, and create sgnature σ t on msg by runnng TOS.Sgn(sk t, msg, tag). It then returns (tag, σ t, σ r ). Note that for a unform-tag TOS scheme these tags dstrbute unformly over the tag space. Thus the reducton smulaton s perfect. When A produces a forgery (tag, σ t, σ r) on msg, reducton C outputs (tag, σ r) as a forgery. Thus Adv uf-cma SIG1,A (λ) = Pr[Game 0] Advot-nacma TOS,B (λ) + Advuf-rma rsig,c (λ) as clamed. Theorem 2. If TOS.Tag produces constant-sze tags and sgnatures n the sze of nput messages, the resultng SIG1 produces constant-sze sgnatures as well. Furthermore, f TOS and rsig are structure-preservng, so s SIG1. We omt the proof of Theorem 2 as t s done smply by examnng the constructon. 4.2 SIG2: Combnng partal one-tme and XRMA-secure sgnatures Let xsig be a sgnature scheme wth message space M x, and POS be a partal one-tme sgnature scheme wth one-tme publc-key space K opk such that M x = K opk. We construct a sgnature scheme SIG2 from xsig and POS. Let gk be a global parameter generated by Setup(1 λ ). SIG2.Key(gk): Run (pk t, sk t ) POS.Key(gk), (vk x, sk x ) xsig.key(gk). Output vk := (pk t, vk x ) and sk := (sk t, sk x ). SIG2.Sgn(sk, msg): Parse sk nto (sk t, sk x ). Run (opk, osk) POS.Update(), σ t POS.Sgn(sk t, msg, osk), σ x xsig.sgn(sk x, opk). Output σ := (opk, σ t, σ x ). SIG2.Vrf(vk, σ, msg): Parse vk and σ accordngly. Output 1 f 1 = POS.Vrf(pk t, opk, σ t, msg), and 1 = xsig.vrf(vk x, σ x, opk). Output 0, otherwse. 7

10 Theorem 3. SIG2 s unforgeable aganst adaptve chosen message attacks (UF-CMA) f POS s unform-key and unforgeable aganst one-tme non-adaptve chosen message attacks (OT-NACMA), and xsig s unforgeable aganst extended random message attacks (UF-XRMA) wth respect to POS.Update as the message generator. In partcular, Adv uf-cma SIG2,A (λ) (λ) + Advuf-xrma Adv ot-nacma POS,B xsig,c (λ). Proof. The proof s almost the same as that for Theorem 1. The only dfference appears n constructng C n the second step. Snce POS.Update s used as the extended random message generator, the par (msg, aux) s n fact (opk, osk). Gven (opk, osk), adversary C can run POS.Sgn(sk, msg, osk) to yeld legtmate sgnatures. As for our frst generc constructon, the followng theorem holds mmedately from the constructon. Theorem 4. If POS produces constant-sze one-tme publc-keys and sgnatures n the sze of nput messages, resultng SIG2 produces constant-sze sgnatures as well. Furthermore, f POS and xsig are structure-preservng, so s SIG2. 5 Instantatng SIG1 We nstantate the buldng blocks TOS and rsig of our frst generc constructon to obtan our frst SPS scheme. We do so n Type-I blnear group settng. The resultng SIG1 scheme s an effcent structure-preservng sgnature scheme based only on the DLIN assumpton. 5.1 Setup for Type-I groups The followng setup procedure s common for all nstantatons n ths secton. The global parameter gk s gven to all functons mplctly. Setup(1 λ ): Run Λ = (p, G, G T, e) G(1 λ ) and choose random generators (G, C, F, U 1, U 2 ) G 5. Output gk := (Λ, G, C, F, U 1, U 2 ). The parameters gk also fx the message space M r := {(C m1, C m2, F m1, F m2, U m1 1, U m2 2 ) G 6 (m 1, m 2 ) Z 2 p} for the RMA-secure sgnature scheme defned below. For our generc framework to work, the tagged one-tme sgnature schemes should have the same tag space. 5.2 Tagged one-tme sgnature scheme Bascally, a tag n our scheme conssts of a par of elements n G. However, due to a constrant from rsig we show n the next secton, the tags wll have to be n an extended form. We therefore parameterze the one-tme key generaton functon Update wth a flag mode {normal, extended} so that t outputs a key n the orgnal or extended form. Although mode s gven to Update as nput, t should be consdered as a fxed system-wde parameter that s common for every nvocaton of Update and the key space s fxed throughout the use of the scheme. Accordngly, ths extenson does not affect the securty model at all. [Scheme TOS] TOS.Key(gk): Parse gk = (Λ, G, C, F, U 1, U 2 ). Choose w z, w r, µ z, µ s, τ 1, τ 2 randomly from Z p and compute G z := C wz, G r := C wr, H z := C µz, H s := C µs, G t := C τ1 and H t := C τ2. For = 1,..., k, unformly choose χ, γ, δ from Z p and compute G := G χ z G γ r, and H := Hz χ H δ s. (4) Output pk := (G z, G r, H z, H s, G t, H t, G 1,..., G k, H 1,..., H k ) G 2k+6 and sk := (χ 1, γ 1, δ 1,..., χ k, γ k, δ k, w z, w r, µ z, µ s, τ 1, τ 2 ). TOS.Tag(mode): Take (G, C, F, U 1, U 2 ) from gk. Choose (t 1, t 2 ) Z p and output tag := (T 1, T 2 ) = (C t1, C t2 ) G 2 f mode = normal or tag := (T 1, T 2, T 3, T 4, T 5, T 6 ) = (C t1, C t2, F t1, F t2, U t1 1, U t2 2 ) G6 f mode = extended. TOS.Sgn(sk, msg, tag): Parse msg nto (M 1,..., M k ) G k, tag nto (T 1, T 2, T 3, T 4, T 5, T 6 ), and sk accordngly. Choose ζ randomly from Z p and compute Then compute Z := C ζ k M χ and R := (T τ1 1 G ζ z ) 1 wr Output σ := (Z, R, S) G 3 as a sgnature. M γ and S := (T τ2 2 H ζ z ) 1 µs M δ. (5) 8

11 TOS.Vrf(pk, σ, msg, tag): Parse σ as (Z, R, S) G 3, msg as (M 1,..., M k ) G k, and tag as (T 1, T 2, T 3, T 4, T 5, T 6 ) or (T 1, T 2 ) dependng on mode. Return 1 f e(t 1, G t ) = e(g z, Z) e(g r, R) e(g, M ) (6) e(t 2, H t ) = e(h z, Z) e(h s, S) e(h, M ) (7) holds. Return 0, otherwse. The scheme s correct as the followng relaton holds for the verfcaton equaton and the computed sgnatures. e(g z, Z) e(g r, R) e(g, M ) = e(g z, C ζ k M χ ) e(g r, (T τ1 1 G ζ z ) 1 wr = e(g z, C ζ ) e(c, T τ1 1 )e(c, G ζ z ) = e(c, T τ1 1 ) = e(t 1, G t ) M γ ) e(g χ z G γ r, M ) and e(h z, Z) e(h s, S) e(h, M ) = e(h z, C ζ k M χ ) e(h s, (T τ2 2 H ζ z ) 1 µs = e(h z, C ζ ) e(c, T τ2 2 )e(c, H ζ z ) = e(c, T τ2 2 ) = e(t 2, H t ) M γ ) e(hz χ Hs δ, M ) Theorem 5. Above TOS s strongly unforgeable aganst one-tme adaptve chosen message attacks (OT-CMA) f the SDP assumpton holds. In partcular, Adv sot-cma TOS,A Advsdp G,B + 1/p. Proof. Gven successful forger A aganst TOS as a black-box, we construct B that s successful n breakng SDP. We consder the case mode = extended n the followng. The other case, mode = normal can be automatcally obtaned by droppng (T 3, T 4, T 5, T 6 ). Gven nstance I sdp = (Λ, G z, G r, H z, H s ) of SDP, algorthm B smulates the attack game aganst TOS as follows. It frst buld gk. Choose G and C randomly from G, and choose f, u 1, u 2 from Z p. Compute F := C f, U 1 := C u1, U 2 := C u2 and set gk := (Λ, G, C, F, U 1, U 2 ). Ths yelds a gk from the same dstrbuton as produced by Setup. Next B smulates TOS.Key by followng the orgnal prescrpton except that Λ and (G z, G r, H z, H s ) are taken from I sdp. Note that w z, w r, µ z, µ s,.e., the dscrete-logs of G z, G r, H z, H s wth respect to base C, are not known to the smulator, but they are not needed n smulatng G and H as n (4). On recevng one-tme key query, algorthm B smulates TOS.Tag by randomly selectng ζ, ρ, ϕ from Z p and computng T 1 := (G ζ zg ρ r) 1 τ 1, T 2 := (H ζ z H ϕ s ) 1 τ 2, (8) and T 3 := T f 1, T 4 := T f 2, T 5 := T u1 1, T 6 := T u2 2 by usng f, u 1 and u 2 generated n Setup. On recevng sgnng query msg from A, algorthm B smulates Osg by smulatng TOS.Sgn wthout havng w r and µ s. It s done by usng ζ, ρ, and ϕ used n TOS.Tag as follows. Z := C ζ k M χ and R := C ρ 9 M γ and S := C ϕ M δ. (9)

12 The above smulated sgnature (Z, R, S) can satsfy verfcaton equatons. e(g z, Z) e(g r, R) e(g, M ) = e(g z, C ζ k M χ = e(g z, C ζ ) e(g r, C ρ ) ) e(g r, C ρ M γ ) e(g χ z G γ r, M ) = e(g ζ zg ρ r, C) = e((g ζ zg ρ r) 1 τ 1, C τ1 ) = e(t 1, G t ) and e(h z, Z) e(h s, S) e(h, M ) = e(h z, C ζ k M χ = e(h z, C ζ ) e(h s, C ϕ ) ) e(h s, C ϕ M δ ) e(hz χ Hs δ, M ) = e(h ζ z H ϕ s, C) = e((h ζ z H ϕ s ) 1 τ 2, C τ2 ) = e(t 2, H t ) For each sgnng, transcrpt (tag, σ, msg) s recorded. When A outputs a forgery (tag, σ, msg ), algorthm B searches the records for (tag, σ, msg) such that tag = tag and (msg, σ ) (msg, σ). If no such entry exsts, B aborts. Otherwse, B computes Z := Z Z ( ) M χ, and R := R M R ( ) M γ, and S := S M S ( ) M δ, M where (Z, R, S, M 1,..., M k ) and ts dagger counterpart are taken from (σ, msg) and (σ, msg ), respectvely. B fnally outputs (Z, R, S ). Ths completes the descrpton of B. We frst clam that the smulaton by B s perfect. The parameters and keys generated n Setup and TOS.Key due to the unform choce of I sdp = (Λ, G z, G r, H z, H s ). The dstrbuton of every tag and sgnature s perfect as T 1 and T 2 dstrbute unformly due to the randomness of ρ and ϕ, and so does Z due to the randomness of ζ. (T 3,, T 6, R and S are then unquely determned from the relevant relatons.) Accordngly, A outputs successful forgery wth notceable probablty and B fnds a correspondng record (tag, σ, msg). We next clam that each χ s ndependent of the vew of A. We show that, f cons χ 1,..., χ k dstrbute unformly over Z k p, other cons,.e., (γ 1,..., γ k, δ 1,..., δ k ) and (ζ (1), ρ (1), ϕ (1),..., ζ (qs), ρ (qs), ϕ (qs) ) for q s queres, dstrbute unformly as well retanng consstency wth the vew of A. (By ζ (j), we denote ζ wth respect to the j-th query. We follow the conventon hereafter. For smplcty, we assume that A makes q s one-tme key queres and the same number of sgnng queres.) Observe that the vew of A makng q s sgnng queres conssts of ndependent group elements (C, F, U 1, U 2, G z, G r, H z, H s, G t, H t, G 1, H 1,..., G k, H k ) and (T (j) 1, T (j) 2, Z(j), M (j) 1,..., M (j) k ) for j = 1,..., q s. (We omt G from the vew as t s ndependent and not used at all.) We represent the vew by the dscrete-logarthms of these group elements wth respect to base C. Namely, the vew s (1, f, u 1, u 2, w z, w r, µ z, µ s, τ 1, τ 2, w 1,..., w k, µ 1,..., µ k ) and (t (j) 1, t(j) 2, z(j), m (j) 1,..., m(j) ) for j = 1,..., q s. The vew and the cons follow relatons k w = w z χ + w r γ, µ = µ z χ + µ s δ for = 1,..., k, (10) τ 1 t (j) 1 = w z ζ (j) + w r ρ (j), τ 2 t (j) 2 = µ z ζ (j) + µ s ϕ (j), and (11) z (j) = ζ (j) k m (j) χ for j = 1,..., q s. (12) Equatons n (10), (11), and (12) correspond to those n (4), (8), and the frst one n (9), respectvely. Consder χ l for fxed l n {1,..., k}. For every value of χ l, the lnear equatons n (10) determne γ 1,..., γ k and δ 1,..., δ k. Smlarly, f m l 0, equatons n (11), and (12) determne ζ (j), ρ (j), and ϕ (j) for j = 1,..., q s. If m l = 0, then 10

13 χ l s ndependent of ζ (j), ρ (j), and ϕ (j) for j = 1,..., q s. The above holds for every l n {1,..., k}. Thus, f χ 1,..., χ k dstrbutes unformly over Z k p, then other cons dstrbute unformly as well retanng the consstency wth the vew of A. Fnally, we clam that (Z, R, S ) s a vald soluton to the gven nstance of SDP. Snce both forged and recorded sgnatures fulfl equaton (6) (7), dvdng the equatons results n 1 = e = e ) (G z, Z e Z ( G z, Z Z ) k ( ) (G r, R e G χ z G γ r, M R M ) χ ) ( ( M M = e (G z, Z ) e (G r, R ), e G r, R R ( ) M γ ) M and 1 = e = e ) ) (H z, Z e (H s, S k e Z S ( H z, Z Z ( M M ) χ ) e ( Hz χ Hs δ, M M H s, S S ) ( ) M δ M = e (H z, Z ) e (H s, S ). What remans s to prove that Z 1. We have ether msg msg (j) or σ σ. In the former ( case, there exsts l {1,..., k} such that M l M ) χl l M l 1. As already proven, χ l s ndependent of the vew of A. Thus M l dstrbutes unformly over G and Z = 1 holds only f Z = Z (M /M ) χ, whch happens only wth probablty 1/p over the choce of χ l. In the latter case, (Z, R, S ) (Z, R, S) and msg = msg (j). Suppose that, wthout loss of generalty, Z = Z. Then R = R holds snce they are unquely determned from the frst verfcaton equaton. S = S holds as well from the second verfcaton equaton. Thus such a case can never happen. We thus have Adv sot-cma TOS,A +1/p as stated. Advsdp G,B 5.3 RMA-secure sgnature scheme For our random message sgnature scheme we wll use a constructon based on the dual system sgnature proposed n [39]. Whle the orgnal scheme s CMA-secure under the DLIN assumpton, the securty proof makes use of a trapdoor commtment to elements n Z p and consequently messages are elements n Z p rather than G. Our constructon below resorts to RMA-securty and removes ths commtment to allows messages to be a sequence of random group elements satsfyng a partcular relaton. As mentoned above, the message space M x := {(C m1, C m2, F m1, F m2, U m1 1, U m2 2 ) G 6 (m 1, m 2 ) Z 2 p} s defned by generators (C, F, U 1, U 2 ) n gk. [Scheme rsig] rsig.key(gk): Gven gk := (Λ, G, C, F, U 1, U 2 ) as nput, unformly select V, V 1, V 2, H from G and a 1, a 2, b, α, and ρ from Z p. Then compute and output vk := (B, A 1, A 2, B 1, B 2, R 1, R 2, W 1, W 2, V, V 1, V 2, H, X 1, X 2 ) and sk := (vk, K 1, K 2 ) where B := G b, A 1 := G a1, A 2 := G a2, B 1 := G b a1, B 2 := G b a2 R 1 := V V a1 1, R 2 := V V a2 2, W 1 := R b 1, W 2 := R b 2, X 1 := G ρ, X 2 := G α a1 b/ρ, K 1 := G α, K 2 := G α a1. rsig.sgn(sk, msg): Parse msg nto (M 1, M 2, M 3, M 4, M 5, M 6 ). Pck random r 1, r 2, z 1, z 2 Z p. Let r = r 1 + r 2. Compute and output sgnature σ := (S 0, S 1,... S 7 ) where S 0 := (M 5 M 6 H) r1, S 1 := K 2 V r, S 2 := K 1 1 V r 1 G z1, S 3 := B z1, S 4 := V r 2 G z2, S 5 := B z2, S 6 := B r2, S 7 := G r1. 11

14 rsig.vrf(vk, σ, msg): Parse msg nto (M 1, M 2, M 3, M 4, M 5, M 6 ) and σ nto (S 0, S 1,..., S 7 ). Also parse vk accordngly. Verfy the followng parng product equatons: e(s 7, M 5 M 6 H) = e(g, S 0 ) e(s 1, B) e(s 2, B 1 ) e(s 3, A 1 ) = e(s 6, R 1 ) e(s 7, W 1 ) e(s 1, B) e(s 4, B 2 ) e(s 5, A 2 ) = e(s 6, R 2 ) e(s 7, W 2 ) e(x 1, X 2 ) e(f, M 1 ) = e(c, M 3 ) e(f, M 2 ) = e(c, M 4 ) e(u 1, M 1 ) = e(c, M 5 ) e(u 2, M 2 ) = e(c, M 6 ) The scheme s structure-preservng by constructon and the correctness s verfed by nspectng the followng relaton. e(s 1, G b ) e(s 2, G b a1 ) e(s 3, G a1 ) = e(k 2 V r, G b ) e(k 1 1 V r 1 G z1, G b a1 ) e(b z1, G a1 ) = e(g α a1 V r, G b ) e(g α V r 1 G z1, G b a1 ) e(g b z1, G a1 ) = e(g α a1 V r, G b ) e(g α V r 1, G b a1 ) = e(g α a1 V r, G b ) e(g α a1 V r a1 1, G b ) = e(v r, G b ) e(v r a1 1, G b ) = e(g, V V a1 1 )b r e(s 6, V V a1 1 ) e(s 7, R b 1) = e(b r2, V V a1 1 ) e(gr1, V b V b a1 1 ) = e(g b r2, V V a1 1 ) e(gr1, V b V b a1 1 ) = e(g, V V a1 1 )b r Thus, the second equaton holds snce r = r 1 + r 2. The thrd equaton can be verfed analogously, and the remanng equatons are easly verfed. Theorem 6. The above rsig scheme s secure aganst random message attacks under the DLIN assumpton. In partcular, for any polynomal-tme adversary A aganst rsig that makes at most q s sgnng queres, there exsts polynomal-tme algorthm B for DLIN such that Adv uf-rma rsig,a (λ) (q s + 2) Adv dln G,B(λ). Proof. We refer to the sgnatures output by the sgnng algorthm as a normal sgnature. In the proof we wll consder an addtonal type of sgnatures to whch we refer to as smulaton-type sgnatures that are computatonally ndstngushable but easer to smulate. For γ Z p, smulaton-type sgnatures are of the form σ = (S 0, S 1 = S 1 G a1a2γ, S 2 = S 2 G a2γ, S 3, S 4 = S 4 G a1γ, S 5,..., S 7 ) We frst gve the outlne of the proof usng some lemmas. Proofs for the lemmas are gven after the outlne. Lemma 5. Any sgnature that s accepted by the verfcaton algorthm must be formed ether as a normal sgnature, or a smulaton-type sgnature. Based on the noton of smulaton-type sgnatures, we consder a sequence of games. Let p be the probablty that the adversary succeeds n Game, and p norm (λ) and p sm (λ) that he succeeds wth a normal-type respectvely smulaton-type forgery. Then by Lemma 5, p (λ) = p norm (λ) + p sm (λ) for all. Game 0: The actual Unforgeablty under Random Message Attacks game. Lemma 6. In Game 0, the adversary produces a vald forgery whch s a smulaton-type sgnature only wth neglgble probablty p sm 0 (λ) under the DLIN assumpton. More concretely, there exsts an adversary B 1 such that p sm 0 (λ) = Adv dln G,B 1 (λ). Game : The real securty game except that the frst sgnng queres are answered wth smulaton-type sgnatures. 12

15 Lemma 7. The probablty that A outputs a normal-type forgery s the same (up to a neglgble amount) n Game 1 as n Game : p norm 1 (λ) pnorm (λ) + (λ) for some neglgble (λ) under the DLIN assumpton. More concretely, there exsts an adversary B 2 such that p norm 1 (λ) pnorm (λ) = Adv dln G,B 2 (λ). Game q: All prvate key queres are answered wth smulaton-type sgnatures. Lemma 8. In Game q, A outputs a normal-type forgery wth at most neglgble probablty p norm q (λ) under the CDH assumpton. More concretely, there exsts an adversary B 3 such that p norm q (λ) = Adv cdh G,B 3 (λ). We have shown that n Game q, A can output a normal-type forgery wth at most neglgble probablty. Thus, by Lemma 7 we can conclude that the same s true n Game 0. Snce we have already shown that n Game 0 the adversary can output smulaton-type forgeres only wth neglgble probablty, and that any sgnature that s accepted by the verfcaton algorthm s ether normal or smulaton-type, we conclude that the adversary can produce vald forgeres wth only neglgble probablty Adv uf-rma rsig,a (λ) = p 0(λ) = p sm 0 (λ) + p norm 0 (λ) = p sm 0 (λ) + q p norm 1 (λ) p norm (λ) + p norm q (λ) Adv dln G,B 1 (λ) + qadv dln G,B 2 (λ) + Adv cdh G,B 3 (λ) (q + 2) Adv dln G,B(λ). Proof. (of Lemma 5) We have to show that only normal and smulaton-type sgnatures can fulfl these equatons. We gnore the frst row of verfcaton equatons that establsh that M s well-formed. A sgnature has 4 random exponents, r 1, r 2, z 1, z 2. A smulatontype sgnatures has addtonal exponent γ. We nterpret S 7 as G r1, and t follows from the frst verfcaton equaton that S 0 s (M 5 M 6 H) r1. We nterpret S 3 as G bz1, S 5 as G bz2, and S 6 as G r2b. Now we have fxed all exponents of a normal sgnature. The remanng two verfcaton equatons tell us that e(g b, S 1 ) e(g ba1, S 2 ) = e(v V a1 1, Gr2b ) e((v V a1 1 )b, G r1 ) e(g a1, G bz1 ), e(g b, S 1 ) e(g ba2, S 4 ) = e(v V a2 2, Gr2b ) e((v V a2 2 )b, G r1 ) e(g a2, G bz2 ) e(g, G) αa1b. We nterpret S 1 as G α a1 V r G a1a2γ. Now we have two equatons and two unknowns that fx S 2 to G α V r 1 G z1 G a2γ and S 4 to V r 2 G z2 G a1γ respectvely. For γ = 0 we have a normal sgnature otherwse a smulaton-type sgnature. Proof. (of Lemma 6). Suppose for contradcton that there s an adversary A, whch, when playng Game Real (and thus recevng only normal sgnatures), produces forgeres whch are formed lke smulaton-type sgnatures. Then we can create an adversary B for DLIN as follows: Let I dln = (Λ, G 1, G 2, G 3, X, Y, Z) be an nstance of DLIN where there exst random x, y, z Z p such that X = G x 1, Y = G y 2 and Z = Gz 3 or G x+y 3. Gven I dln, adversary B works as follows. It frst sets G := G 3, and A 1 := G 1 and A 2 := G 2. Then t chooses random b, α, ρ Z p and computes B 1 := G b 1 and B 2 := G b 2, K 1 := G α 3, K 2 := G α 1 and X 1 := G ρ 3, X 2 := G αb/ρ 1. It also chooses random v, v 1, v 2 and sets V = G v 3, V 1 = G v1 3, and V 2 = G v2 3. (Ths way we know the dscrete log of these values w.r.t. G 3.) B further computes R 1 = V V a1 1 = G v 3G v1 1 and R 2 := V V a2 2 = G v 3G v2 2. It then chooses U, H at random from G. Our fnal publc-key s and our fnal secret key s vk = (G b 3, G 1, G 2, G b 1, G b 2, G v 3G v1 1, Gv 3G v2 2, Gvb 3 G v1b 1, Gvb 3 G v2b 2, Gv 3, G v1 3, Gv2 3, U, H, X 1, X 2 ) sk = (vk, G α 3, G α 1 ). Note that both the dstrbuton of the publc and secret keys s statstcally close to that n the real DLIN game. Moreover, to sgn random messages, B can follow the real sgnng algorthm by usng sk. Suppose that A produces a vald forgery σ and msg. Then B proceeds as follows: It parses σ as (S 0,..., S 7 ). Recall that n Lemma 5, t s shown that f the verfcaton equatons hold, then we must have S 1 = G αa1 V r G a1a2γ, S 2 = G α V1 r G z1 G a2γ, and S 4 = V2 r G z2 G a1γ. If ths s a smulaton-type sgnature, we wll have γ 0. Rewrtten accordng to our choce of publc-key, ths means that S 1 = G α 1 V r G fγ 2, S 2 = G α 3 V 1 r V z1 G γ 2, and S 4 = V2 r G z2 3 Gγ 1, where 13