Keywords

1 Introduction

As introduced by Chaum and van Heyst [27] in 1991, group signatures allow members of a group administered by some authority to anonymously sign messages on behalf of the group. In order to prevent abuses, an opening authority has the power to uncover a signer’s identity if the need arises.

The usual approach for building a group signature consists in having the signer encrypt his group membership credential under the public key of the opening authority while appending a non-interactive zero-knowledge (NIZK) proof, which is associated with the message, claiming that things were done correctly. Until 2006, efficient instantiations of this primitive were only available under the random oracle idealization [14], which is limited to only provide heuristic arguments in terms of security [24]. This state of affairs changed in the last decade, with the emergence of solutions [20, 21, 35, 36] enabled by breakthrough results in the design of relatively efficient non-interactive witness indistinguishable (NIWI) proofs [37]. While drastically more efficient than solutions based on general NIZK proofs [12, 15], the constructions of [20, 21, 35, 36] still incur a substantial overhead when compared with their random-oracle-based counterparts [10, 18, 30]. Moreover, their most efficient variants [21, 36] tend to rely on parametrized assumptions – often referred to as “q-type” assumptions – where the number of input elements is determined by a parameter q which, in turn, depends on the number of users in the system or the number of adversarial queries (or both). Since the assumption becomes stronger as q increases, a different assumption is needed for every adversary (based on its number of queries) and every maximal number of users in the group. Not only does it limit the scalability of realizations, it also restricts the level of confidence in their security.

In this paper, we consider the problem of devising as short as possible group signatures based on simple assumptions. By “simple assumption”, we mean a well-established assumption, like the Decision Diffie-Hellman assumption, which is simultaneously non-interactive and described using a constant number of elements, regardless of the number of users in the system or the number of adversarial queries. We remark that even in the random oracle model, this problem turns out to be highly non-trivial as non-simple assumptions (like the Strong RSA [10, 42] or Strong Diffie-Hellman [18, 30]) are frequently relied on. In the standard model, our main contribution is designing the first group signatures based on simple assumptions and whose size is less than 2 kB for the currently recommended 128-bit security level. In static groups, our most efficient scheme features signatures slightly longer than 1 kB. So far, the best standard-model group signature based on simple assumptions was obtained from the structure-preserving signatures (SPS) of Abe et al. [1, 2] and required 2.875 kB per signature. Along the way and as a result of independent interest, we also build a new structure-preserving signature (SPS) with the shortest length among those based on simple assumptions. Concretely, the best previous SPS based on similar assumptions [1, 2] is shortened by \(25\,\%\).

Related Work. Group signatures have a long history. Still, efficient and provably coalition-resistant constructions (in the random oracle model) remained elusive until the work of Ateniese, Camenisch, Joye and Tsudik [10] in 2000. At that time, however, there was no proper formalization of the security properties that can be naturally expected from group signatures. This gap was filled in 2003 by Bellare, Micciancio and Warinschi [12] (BMW) who captured all the requirements of group signatures in three properties. In (a variant of) this model, Boneh, Boyen and Shacham [18] obtained very short signatures using the random oracle methodology [14].

The BMW model assumes static groups where the set of members is frozen after the setup phase beyond which no new member can be added. The setting of dynamic groups was explored later on by Bellare-Shi-Zhang [15] and, independently, by Kiayias and Yung [42]. In these models [15, 42], short signature lengths were obtained in [30]. A construction based on interactive assumptions in the standard model was also put forth by Ateniese et al. [9]. Using standard assumptions, Boyen and Waters gave a different solution [20] based on the Groth-Ostrovsky-Sahai NIZK proof system [34]. They subsequently managed to obtain O(1)-size signatures at the expense of appealing to a q-type assumption [21]. Their constructions [20, 21] were both analyzed in (a relaxation of) the BMW model [12] where the adversary is not granted access to a signature opening oracle. In dynamic groups [15], Groth [35] obtained constant-size signatures in the standard model but, due to huge hidden constants, his result was mostly a proof of concept. By making the most of Groth-Sahai NIWI proofs [37], he subsequently reduced signatures to 48 group elements [36] with the caveat of resting on relatively ad hoc q-type assumptions. For the time being, the best group signatures based on standard assumptions are enabled by the structure-preserving signatures of Abe, Chase, David, Kohlweiss, Nishimaki, and Ohkubo [1]. In asymmetric pairings \(e: \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\) (where \(\mathbb {G}\ne \hat{\mathbb {G}}\)), anonymously signing messages requires at least 40 elements of \(\mathbb {G}\) and 26 elements of \(\hat{\mathbb {G}}\).

In 2010, Abe et al. [3, 8] advocated the use of structure-preserving cryptography as a general tool for building privacy-preserving protocols in a modular fashion. In short, structure-preserving signatures (SPS) are signature schemes that smoothly interact with Groth-Sahai proofs [37] as messages, signatures public keys all live in the source groups \((\mathbb {G},\hat{\mathbb {G}})\) of a bilinear map \(e: \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\). SPS schemes were initially introduced by Groth [35] and further studied in [25, 31]. In the last three years, a large body of work was devoted to the feasibility and efficiency of structure-preserving signatures [14, 8, 23, 25, 26, 31, 35, 38]. In Type III pairings (i.e., where \(\mathbb {G}\ne \hat{\mathbb {G}}\) and no isomorphism is computable from \(\hat{\mathbb {G}}\) to \(\mathbb {G}\) or backwards), Abe et al. [4] showed that any SPS scheme must contain at least 3 group elements per signature. For a natural class of reductions, the security of optimally short signatures was also shown [5] unprovable under any non-interactive assumption. These impossibility results were recently found [7] not to carry over to Type II pairings (i.e., where \(\mathbb {G}\ne \hat{\mathbb {G}}\) and an efficiently computable isomorphism \(\psi : \hat{\mathbb {G}} \rightarrow \mathbb {G}\) is available).

To the best of our knowledge, the minimal length of structure-preserving signatures based on simple assumptions remains an unsettled open question. We believe it to be of primary importance considering the versatility of structure-preserving cryptography in the design of privacy-related protocols, including group signatures [8], group encryption [25] or adaptive oblivious transfer [33].

Our Results. The first contribution of this paper is to describe a new structure-preserving signature based on the standard Symmetric eXternal Diffie-Hellman (SXDH) assumption and an asymmetric variant of the Decision Linear assumption with only 10 group elements (more precisely, 9 elements of \(\mathbb {G}\) and one element of \(\hat{\mathbb {G}}\)) per signature. So far, the best instantiation of [1, 2] required 7 elements of \(\mathbb {G}\) and 4 elements of \(\hat{\mathbb {G}}\). Since the representation of \(\hat{\mathbb {G}}\) elements is at least twice as long as that of \(\mathbb {G}\) elements, our scheme thus saves \(26\,\%\) in terms of signature length. Armed with our new SPS and other tools, we then construct dynamic group signatures using only 32 elements of \(\mathbb {G}\) and 14 elements of \(\hat{\mathbb {G}}\) in each signature, where Abe et al. [1, 2] need at least 40 elements of \(\mathbb {G}\) and 26 elements of \(\hat{\mathbb {G}}\). For typical parameters, our signatures are thus \(37\,\%\) shorter with a total length of only 1.8 kB at the 128-bit security level. In an independent work, Kiltz, Pan and Wee [45] managed to obtain even shorter structure-preserving signatures than ours under the SXDH assumption. If their construction is used in our dynamic group signature, it allows eliminating at least 4 more elements of \(\mathbb {G}\) from signatures. In the static model of Bellare, Micciancio and Warinschi [12], we describe an even more efficient realization where the signature length decreases to almost 1 kB.

Our Techniques. Our structure-preserving signature can be seen as a non-trivial optimization of a modular design, suggested by Abe et al. [1], which combines a weakly secure SPS scheme and a tagged one-time signature (TOTS). In a TOTS scheme, each signature contains a fresh tag and, without knowing the private key, it should be computationally infeasible to generate a signature on a new message for a previously used tag. The construction of [1] obtains a full-fledged SPS by combining a TOTS scheme with an SPS system that is only secure against extended random message attacks (XRMA). As defined in [1], XRMA security basically captures security against an adversary that only obtains signatures on random group elements even knowing some auxiliary information used to sample these elements (typically their discrete logarithms). While Abe et al. [1] make use of the discrete logs of signed messages in their proofs of XRMA security, their modular construction does not. Here, by explicitly using the discrete logarithms in the construction, we obtain significant efficiency improvements. Using Waters’ dual system techniques [51], we construct an SXDH-based F-unforgeable signature scheme which, according to the terminology of Belenkiy et al. [11], is a signature scheme that remains verifiable and unforgeable even if the adversary only outputs an injective function of the forgery message. Our new SPS is the result of combining our F-unforgeable signature and the TOTS system of [2]. We stress that our scheme can no longer be seen as an instantiation of a generic construction. Still, at the natural expense of sacrificing modularity, it does provide shorter signatures.

In turn, our F-unforgeable signatures are obtained by taking advantage of the quasi-adaptive NIZK (QA-NIZK) arguments of linear subspace membership suggested by Jutla and Roy [40] and further studied in [41, 47], where the CRS may depend on the language for which proofs have to be generated. In a nutshell, our starting point is a signature scheme suggested by Jutla and Roy (inspired by ideas due to Camenisch et al. [22]) where each signature is a CCA2-secure encryption of the private key (made verifiable via QA-NIZK proofs) and the message is included in the label [50]. We rely on the observation that QA-NIZK proofs for linear subspaces [40] (or their optimized variants [41, 47]) make it possible to verify signatures even if the message is only available in the exponent.

In order to save the equivalent of 15 elements of the group \(\mathbb {G}\) and make the group signature as short as possible, we also design a new CCA2-secure tag-based encryption (TBE) scheme [44, 48] which incorporates a Groth-Sahai commitment. In fully anonymous group signatures, CCA2-anonymity is usually acquired by verifiably encrypting the signer’s credential using a CCA2-secure cryptosystem while providing evidence that the plaintext coincides with a committed group element. Inspired by a lossy encryption scheme [13] suggested by Hemenway et al. [39], we depart from this approach and rather use a CCA2-secure encryption scheme which simultaneously plays the role of a Groth-Sahai commitment. That is, even when the Groth-Sahai CRS is a perfectly hiding CRS, we are able to extract committed group elements for any tag but a specific one, where the encryption scheme behaves like a perfectly hiding commitment and induces perfectly NIWI proofs. In order to make the validity of TBE ciphertexts publicly verifiable, we rely on the QA-NIZK proofs of Libert et al. [47] which are well-suited to the specific subspaces encounteredFootnote 1 in this context. We believe this encryption scheme to be of interest in its own right since it allows shortening other group signatures based on Groth-Sahai proofs (e.g., [36]) in a similar way.

Our group signature in the static BMW model [12] does not build on structure-preserving signatures but rather follows the same design principle as the constructions of Boyen and Waters [20, 21]. It is obtained by extending our F-unforgeable signature into a 2-level hierarchical signature [43] (or, equivalently, an identity-based signature [49]) where first-level messages are implicit in the exponent. In spirit and from an efficiency standpoint, our static group signature is thus similar to the second construction [21] of Boyen and Waters, with the benefit of providing full anonymity while relying on the sole SXDH assumption.

2 Background

2.1 Hardness Assumptions

We use bilinear maps \(e:\mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\) over groups of prime order p where \(e(g,\hat{h})\ne 1_{\mathbb {G}_T}\) if and only if \(g \ne 1_{\mathbb {G}}\) and \(\hat{h} \ne 1_{\hat{\mathbb {G}}}\). We rely on hardness assumptions that are non-interactive and described using a constant number of elements.

Definition 1

The Decision Diffie-Hellman (DDH) problem in \(\mathbb {G}\), is to distinguish the distributions \((g^{a},g^b,g^{ab} )\) and \((g^{a},g^b,g^{ c} )\), with \(a,b,c \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\). The DDH assumption is the intractability of the problem for any PPT distinguisher.

In the following, we will rely on the Symmetric external Diffie-Hellman (SXDH) assumption which posits the hardness of DDH in \(\mathbb {G}\) and \(\hat{\mathbb {G}}\) in asymmetric pairing configurations. We also assume the hardness of the following problem, which generalizes the Decision Linear problem [18] to asymmetric pairings.

Definition 2

([1]). In bilinear groups \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\) of prime order p , the eXternal Decision Linear Problem 2 (XDLIN\(_2\)) is to distinguish the distribution

$$\begin{aligned} D_1= & {} \{ (g,g^{a},g^b,g^{ac},g^{bd}, \hat{g},\hat{g}^a, \hat{g}^b,\hat{g}^{ac},\hat{g}^{bd},\hat{g}^{c+d}) \in \mathbb {G}^5 \times \hat{\mathbb {G}}^6 ~|~a,b,c,d \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p \} \\ D_2= & {} \{ (g,g^{a},g^b,g^{ac},g^{bd}, \hat{g},\hat{g}^a, \hat{g}^b,\hat{g}^{ac},\hat{g}^{bd},\hat{g}^{z}) \in \mathbb {G}^5 \times \hat{\mathbb {G}}^6 ~|~a,b,c,d,z \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p \}. \end{aligned}$$

The XDLIN\(_1\) assumption is defined analogously and posits the infeasibility of distinguishing \(g^{c+d}\) and \(g^z\) given \((g,g^{a},g^b,g^{ac},g^{bd}, \hat{g},\hat{g}^a, \hat{g}^b,\hat{g}^{ac},\hat{g}^{bd})\).

2.2 Linearly Homomorphic Structure-Preserving Signatures

Structure-preserving signatures [3, 8] are signature schemes where messages and public keys all consist of elements of a group over which a bilinear map \(e: \mathbb {G}\times \hat{\mathbb {G}} \rightarrow \mathbb {G}_T\) is efficiently computable.

Libert et al. [46] considered structure-preserving signatures with linear homomorphic properties. This section recalls the one-time linearly homomorphic structure-preserving signature (LHSPS) of [46]. In the description below, we assume that all algorithms take as input the description of common public parameters \(\mathsf {cp}\) consisting of asymmetric bilinear groups \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) of prime order \(p>2^\lambda \), where \(\lambda \) is the security parameter.

In [46], Libert et al. suggested the following construction which can be proved secure under the SXDH assumption.

  • : Given common public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) and the dimension \(n \in \mathbb {N}\) of the subspace to be signed. Then, choose \(\hat{g_z},\hat{g_r} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\). For \(i=1\) to n, pick \(\chi _i,\gamma _i \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute \(\hat{g}_i=\hat{g_z}^{\chi _i} \hat{g_r}^{\gamma _i}\). The private key is \(\mathsf {sk}= \{ (\chi _i, \gamma _i ) \}_{i=1}^n \) while the public key is \( \mathsf {pk}=\big (\hat{g_z},~\hat{g_r} ,~\{ \hat{g}_i \}_{i=1}^n \big ) \in \hat{\mathbb {G}}^{n+2}\).

  • : In order to sign a vector \((M_1,\cdots ,M_n) \in \mathbb {G}^n\) using \(\mathsf {sk}= \{ (\chi _i, \gamma _i) \}_{i=1}^n \), output \(\sigma =(z,r ) = \big (\prod _{i=1}^n M_i^{-\chi _i} , \prod _{i=1}^n, M_i^{-\gamma _i} \big ) \).

  • : given \(\mathsf {pk}\) as well as \(\ell \) tuples \((\omega _i,\sigma ^{(i)}) \), parse \(\sigma ^{(i)}\) as \(\sigma ^{(i)}=\big ( z_i,r_i \big ) \) for \(i=1\) to \(\ell \). Return \(\sigma =(z,r ) =\big ( \prod _{i=1}^\ell z_{i}^{\omega _i}, \prod _{i=1}^{\ell } r_i^{\omega _i} \big )\).

  • : Given a signature \(\sigma =(z,r ) \in \mathbb {G}^2\) and a vector \((M_1,\cdots ,M_n)\), return 1 if and only if \((M_1,\cdots ,M_n)\ne (1_{\mathbb {G}},\cdots ,1_{\mathbb {G}})\) and (zr ) satisfy \( 1_{\mathbb {G}_T} = e(z,\hat{g_z}) \cdot e(r,\hat{g_r}) \cdot \prod _{i=1}^n e(M_i,\hat{g}_i) . \)

In [47], (a variant of) this scheme was used to construct constant-size QA-NIZK arguments [40] showing that a vector \({{\varvec{v}}} \in \mathbb {G}^n\) belongs to a linear subspace of rank t spanned by a matrix \({\varvec{\rho }} \in \mathbb {G}^{t \times n}\). Under the SXDH assumption, each argument is comprised of two elements of \(\mathbb {G}\), independently of t or n.

3 An F-Unforgeable Signature

As a technical tool, our constructions rely on a signature scheme which we prove F-unforgeable under the SXDH assumption. As defined by Belenkiy et al. [11], F-unforgeability refers to the inability of the adversary to output a valid signature for a non-trivial message M without outputting the message itself. Instead, the adversary is only required to output F(M), for an injective but not necessarily efficiently invertible function F.

The scheme extends ideas used in signature schemes suggested in [22, 40], where each signature is a CCA2-secure encryption —using the message to be signed as a label—of the private key accompanied with a QA-NIZK proof that the encrypted value is the private key. In their most efficient variant, Jutla and Roy observed [40, Sect. 5] that it suffices to encrypt private keys \(g^\omega \) with a projective hash value \((v^M \cdot w)^r\) [29] so as to obtain signatures of the form \((\sigma _1,\sigma _3,\sigma _3)=(g^\omega \cdot (v^M \cdot w)^r,g^r,h^r )\), which is reminiscent of selectively secure Boneh-Boyen signatures [16].

As in [32, 51], the security proof proceeds with a sequence of games to gradually reach a game where the signing oracle never uses the private key, in which case it becomes easier to prove security. In the final game, signatures always encrypt a random value while QA-NIZK proofs are simulated. When transitioning from one hybrid game to the next one, the crucial step is to argue that, even if the signing oracle produces fewer and fewer signatures using the private key, the adversary’s forgery will still encrypt the private key. This is achieved via an information theoretic argument borrowed from hash proof systems [28, 29].

In order to obtain an F-unforgeable signature which is verifiable given only F(M), our key observation is that QA-NIZK proofs make it possible to verify signatures even if M appears only implicitly in a tuple \((g^{s \cdot M},g^s,h^{s \cdot M},h^s) \in \mathbb {G}^4\).

  • Keygen \((\mathsf {cp})\) : Given common public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) consisting of asymmetric bilinear groups of prime order \(p>2^\lambda \), do the following.

    1. 1.

      Choose \(\omega ,a \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\), \(g ,v,w \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\), \(\hat{g} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\) and set \(h=g^a\), \(\varOmega =h^{\omega }\).

    2. 2.

      Define a matrix \(\mathbf {{M}}=(M_{j,i})_{j,i} \) given by

      (1)
    3. 3.

      Generate a key pair \((\mathsf {sk}_{hsps},\mathsf {pk}_{hsps})\) for the one-time linearly homomorphic signature of Sect. 2.2 in order to sign vectors of dimension \(n=6\). Let \(\mathsf {sk}_{hsps}=\{(\chi _i,\gamma _i)\}_{i=1}^{6}\) be the private key, of which the corresponding public key is \( \mathsf {pk}_{hsps} = \big ( \hat{g_z}, ~ \hat{g_r},~\{ \hat{g}_i \}_{i=1}^{6} \big )\).

    4. 4.

      Using \(\mathsf {sk}_{hsps}=\{ \chi _i, \gamma _i \}_{i=1}^{6} \), generate one-time homomorphic signatures \(\{({z}_j,{r}_j)\}_{j=1}^{3}\) on the rows \({{\varvec{M}}}_{j}=({M}_{j,1},\cdots ,{M}_{j,6})\in {\mathbb {G}}^{6}\) of \(\mathbf {{M}}\). These are obtained as \( ({z}_{j},{r}_{j}) = \left( \prod _{i=1}^{6} {M}_{j,i}^{-\chi _i},~\prod _{i=1}^{6} {M}_{j,i}^{-\gamma _i} \right) ,\) for each \( j \in \{1,2,3\} \) and, as part of the common reference string for the QA-NIZK proof system of [47], they will be included in the public key.

    The private key is \( \mathsf {sk}:=\omega \) and the public key is defined as

    $$ \mathsf {pk}=\Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~p,~g,~h,~\hat{g}, ~(v,w),~\varOmega =h^\omega ,~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{3} \Bigr ).$$

  • Sign \((\mathsf {sk},M)\) : given \(\mathsf {sk}=\omega \) and a message \(M \in \mathbb {Z}_p\), choose \(s \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) to compute

    $$\begin{aligned} \sigma _1= & {} g^\omega \cdot (v^M \cdot w)^{s} , \qquad \qquad \quad ~~~ \sigma _2=g^{s \cdot M}, \qquad \qquad ~~~ \sigma _3 = g^{s } \\ \sigma _4= & {} h^{s \cdot M} \qquad \qquad \qquad \qquad \qquad ~ \!\!\!\!\sigma _5=h^{s} \end{aligned}$$

    Then, generate a QA-NIZK proof that the vector \((\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5,\varOmega ) \in \mathbb {G}^{6} \) is in the row space of \(\mathbf {M}\). This QA-NIZK proof \((z,r) \in \mathbb {G}^2\) is obtained as

    $$\begin{aligned} z= & {} z_1^\omega \cdot (z_2^M \cdot z_3)^{s} , \qquad \qquad r = r_1^\omega \cdot (r_2^M \cdot r_3)^{s} . \end{aligned}$$
    (2)

    Return the signature \(\sigma =\big (\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5, z,r \big ).\)

  • Verify \((\mathsf {pk},\sigma ,{M})\) : parse \(\sigma \) as above and return 1 if and only if it holds that

    $$\begin{aligned} e({z},\hat{g_z})\cdot e({r},\hat{g_r})= & {} e(\sigma _1,\hat{g_1})^{-1}\cdot e(\sigma _3,\hat{g_3}\cdot \hat{g_2}^M)^{-1}\cdot e(\sigma _5,\hat{g_5}\cdot \hat{g_4}^M)^{-1} \\&\qquad \qquad \quad \!\!\!\!\! \cdot e(\varOmega ,\hat{g_{6}})^{-1} \end{aligned}$$

    and \((\sigma _2,\sigma _4)=(\sigma _3^M,\sigma _5^M)\).

Note that a signature can be verified given only \(F(M)=\hat{g}^M\) by testing the equalities \(e(\sigma _2,\hat{g}) = e(\sigma _3,F(M))\), \(e(\sigma _4,\hat{g}) = e(\sigma _5,F(M)) \) and

$$\begin{aligned}&e({z},\hat{g_z}) \cdot e({r},\hat{g_r}) \\&= e(\sigma _1,\hat{g_1})^{-1} \cdot e(\sigma _2,\hat{g_2})^{-1} \cdot e(\sigma _3,\hat{g_3} )^{-1} \cdot e(\sigma _4, \hat{g_4})^{-1} \cdot e(\sigma _5,\hat{g_5} )^{-1} \cdot e(\varOmega ,\hat{g_{6}})^{-1} . \end{aligned}$$

In order to keep the description as simple as possible, the above description uses the QA-NIZK argument system of [47], which is based on linearly homomorphic signatures. However, the security proof goes through if we use the more efficient SXDH-based QA-NIZK argument of Jutla and Roy [41], as explained in the full version of the paper. The pair (zr) can thus be replaced by a single \(\mathbb {G}\)-element.

Under the SXDH assumption, the scheme can be proved to be F-unforgeable for the injective function \(F(M)=\hat{g}^M\). The proof of this result is implied by the security result of Sect. 4 where we describe a generalization of the scheme that will be used to build a group signature in the BMW model.

4 A Two-Level SXDH-based Hierarchical Signature

This section extends our F-unforgeable signature into a 2-level hierarchical signature with partially hidden messages. In a 2-level hierarchical signature [43] (a.k.a. identity-based signature), a signature on a message \(\mathsf {ID}\) (called “identity”) can be used as a delegated key for signing messages of the form \((\mathsf {ID},M)\) for any M. In order to construct group signatures, Boyen and Waters [21] used hierarchical signatures that can be verified even when identities (i.e., first-level messages) are not explicitly given to the verifier, but only appear implicitly in the exponent. The syntax and security definition are given in [20, 21].

In their most efficient construction [21], Boyen and Waters used a non-standard q-type assumption. This section gives a very efficient solution based on the standard SXDH assumption. It is obtained from our signature of Sect. 3 by having a signature \((g^\omega \cdot (v^\mathsf {ID}\cdot w)^s,g^s,h^s)\) on a given identity \(\mathsf {ID}\) serve as a private key for this identity modulo the introduction of a delegation component \(t^s\) akin to those of the Boneh-Boyen-Goh hierarchical IBE [17]. For the security proof to go through, we need to make sure that pairs \((g^{s \cdot M},g^{s})\), \((h^{s \cdot M},h^{s})\) hide the same message M, which is not immediately verifiable in the SXDH setting. To enforce this condition, we thus include \(\hat{g}^M\) in each signature.

  • Setup \((\mathsf {cp})\) : Given public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\), do the following.

    1. 1.

      Choose \(\omega ,a \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\), \(g,t,v,w \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\), \(\hat{g} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\) and set \(h=g^a\), \(\varOmega =h^{\omega }\).

    2. 2.

      Define a matrix \(\mathbf {{M}}=(M_{j,i})_{j,i} \) given by

      (3)
    3. 3.

      Generate a key pair \((\mathsf {sk}_{hsps},\mathsf {pk}_{hsps})\) for the one-time linearly homomorphic signature of Sect. 2.2 in order to sign vectors of dimension \(n=8\). Let \(\mathsf {sk}_{hsps}=\{(\chi _i,\gamma _i)\}_{i=1}^{8}\) be the private key, of which the corresponding public key is \( \mathsf {pk}_{hsps} = \big ( \hat{g_z}, ~ \hat{g_r},~\{ \hat{g}_i \}_{i=1}^{8} \big )\).

    4. 4.

      Using \(\mathsf {sk}_{hsps}=\{ \chi _i, \gamma _i \}_{i=1}^{8} \), generate one-time homomorphic signatures \(\{({z}_j,{r}_j)\}_{j=1}^{4}\) on the rows \({{\varvec{M}}}_{j}=({M}_{j,1},\cdots ,{M}_{j,8})\in {\mathbb {G}}^{8}\) of \(\mathbf {{M}}\). These are obtained as \( ({z}_{j},{r}_{j}) = \left( \prod _{i=1}^{8} {M}_{j,i}^{-\chi _i},~\prod _{i=1}^{8} {M}_{j,i}^{-\gamma _i} \right) \) each for \(j \in \{1,\cdots ,4\}\) and, as part of the common reference string for the QA-NIZK proof system of [47], they will be included in the public key.

    The master secret key is \(\mathsf {msk}:=\omega \) and the master public key is defined as

    $$ \mathsf {mpk}=\Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~p,~g,~h,~\hat{g}, ~(t,v,w),~\varOmega =h^\omega ,~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{4} \Bigr ).$$

  • Extract \((\mathsf {msk},\mathsf {ID})\) : given \(\mathsf {msk}=\omega \) and \(\mathsf {ID} \in \mathbb {Z}_p\), choose \(s \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) to compute

    $$\begin{aligned} K_1= & {} g^\omega \cdot (v^\mathsf {ID}\cdot w)^{s} , \qquad \qquad \quad ~~~ K_2=g^{s \cdot \mathsf {ID}}, \qquad \qquad K_3 = g^{s } \\ K_4= & {} h^{s \cdot \mathsf {ID}} \qquad \qquad \qquad \qquad \qquad ~\!\!\!\! K_5=h^{s} \qquad \qquad \quad ~ \!\!K_6 = t^{s} \end{aligned}$$

    as well as \(\hat{K_7} =\hat{g}^{\mathsf {ID}}.\) Looking ahead, \(K_6\) will serve as a delegation component in the generation of level 2 signatures. Then, generate a QA-NIZK proof that the vector \( (K_1,K_2,K_3,K_4,K_5,1,1,\varOmega ) \in \mathbb {G}^{8} \) is in the row space of the first 3 rows of \(\mathbf {M}\). This QA-NIZK proof \((z,r) \in \mathbb {G}^2\) is obtained as

    $$\begin{aligned} z= & {} z_1^\omega \cdot (z_2^\mathsf {ID}\cdot z_3)^{s} , \qquad \qquad r = r_1^\omega \cdot (r_2^\mathsf {ID}\cdot r_3)^{s} . \end{aligned}$$
    (4)

    Then, generate a QA-NIZK proof \((z_{d},r_{d} )\) that the delegation component \(K_6\) is well-formed. This proof consists of \((z_{d},r_{d})=(z_4^{s} ,r_4^{s} ).\) The private key is

    $$\begin{aligned} K_{\mathsf {ID}}=\big (K_1,K_2,K_3,K_4,K_5,K_6, \hat{K_7}, z,r , z_{d},r_{d} \big ). \quad \end{aligned}$$
    (5)

  • Sign \((\mathsf {mpk},K_{\mathsf {ID}},M)\) : to sign \(M \in \mathbb {Z}_p\), parse \(K_{\mathsf {ID}}\) as in (5) and do the following.

    1. 1.

      Choose \(s' \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute

      $$\begin{aligned} \sigma _1= & {} K_1 \cdot K_6^M \cdot (v^\mathsf {ID}\cdot t^M \cdot w)^{s'} = g^\omega \cdot (v^\mathsf {ID}\cdot t^M \cdot w)^{\tilde{s}} , \end{aligned}$$

      where \(\tilde{s}=s +s'\), as well as

      $$\begin{aligned} \sigma _2= & {} K_2 \cdot g^{s' \cdot \mathsf {ID}} = g^{\tilde{s} \cdot \mathsf {ID}}, \qquad \quad \sigma _3 = K_3 \cdot g^{s' } = g^{\tilde{s} }, \qquad \quad \hat{\sigma _6} = \hat{K_7} = \hat{g}^{\mathsf {ID}} \\ \sigma _4= & {} K_4 \cdot h^{s' \cdot \mathsf {ID}} = h^{\tilde{s} \cdot \mathsf {ID}}, \qquad \quad \sigma _5 = K_5 \cdot h^{s'} = h^{\tilde{s}} . \end{aligned}$$
    2. 2.

      Using (zr) and \((z_{d},r_{d})\), generate a QA-NIZK proof \((\tilde{z},\tilde{r}) \in \mathbb {G}^2\) that the vector \((\sigma _1,\sigma _2,\sigma _3, \sigma _4,\sigma _5,\sigma _3^M,\sigma _5^M,\varOmega ) \in \mathbb {G}^{8}\) is in the row space of \(\mathbf {M}\). Namely, compute \(\tilde{z} = z \cdot z_{d}^M \cdot (z_2^\mathsf {ID}\cdot z_4^M \cdot z_3)^{s '}\) and \(\tilde{r} = r \cdot r_{d}^M \cdot (r_2^\mathsf {ID}\cdot r_4^M \cdot r_3)^{s '}\).

    Return the signature \(\sigma =\bigl ( \sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5 , \tilde{z},\tilde{r}, \hat{\sigma _6} \bigr ) \in \mathbb {G}^{7} \times \hat{\mathbb {G}} .\)

  • Verify \((\mathsf {mpk},\sigma ,M)\) : parse \(\sigma \) as above and return 1 if and only if it holds that

    $$\begin{aligned} e(\tilde{z},\hat{g_z}) \cdot e(\tilde{r},\hat{g_r})= & {} e(\sigma _1,\hat{g_1})^{-1} \cdot e(\sigma _2,\hat{g_2})^{-1} \cdot e(\sigma _3,\hat{g_3} \cdot \hat{g_6}^M)^{-1} \\&\qquad \qquad \!\!\!\! \cdot e(\sigma _4, \hat{g_4})^{-1} \cdot e(\sigma _5,\hat{g_5} \cdot \hat{g_7}^M)^{-1} \cdot e(\varOmega ,\hat{g_{8}})^{-1} \end{aligned}$$

    as well as \(e(\sigma _2,\hat{g}) = e(\sigma _3,\hat{\sigma _6})\) and \(e(\sigma _4,\hat{g}) = e(\sigma _5,\hat{\sigma _6})\).

As in Sect. 3, the technique of [41] can be used to shorten the signature by one element of \(\mathbb {G}\) as it allows replacing \((\tilde{z},\tilde{r})\) by one element of \(\mathbb {G}\).

We prove that, under the sole SXDH assumption, the scheme is secure in the sense of the natural security definition used by Boyen and Waters [20, 21]. In short, this definition requires that the adversary be unable to forge a valid signature for a pair \((\mathsf {ID}^\star ,M^\star )\) such that no private key query was made for \(\mathsf {ID}^\star \) and no signing query was made for the pair \((\mathsf {ID}^\star ,M^\star )\).

Theorem 1

The above hierarchical signature is secure under chosen-message attacks if the SXDH assumption holds in \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\). (The proof is available the full version of the paper).

A simple reduction shows that the signature scheme of Sect. 3 is F-unforgeable so long as the above scheme is a secure 2-level hierarchical signature.

Theorem 2

The signature scheme of Sect. 3 is F-unforgeable under chosen-message attacks for the function \(F(M)=\hat{g}^M\) if the SXDH assumption holds in \((\mathbb {G},\hat{\mathbb {G}},{\mathbb {G}}_T)\). (The proof is available in the full version of the paper).

5 A Structure-Preserving Signature from the SXDH and XDLIN\(_2\) Assumptions

Our F-unforgeable signature of Sect. 3 can be combined with the tagged one-time signature of Abe et al. [2] (or, more precisely, an adaption of [2] to asymmetric pairings) so as to obtain a new structure-preserving signature based on the SXDH and XDLIN\(_2\) assumptions. Like [1], we obtain an SPS scheme based on simple assumptions with only 11 group elements per signature. However, only one of them has to be in \(\hat{\mathbb {G}}\), instead of 4 in [1]. Considering that \(\hat{\mathbb {G}}\) elements are at least twice as long to represent as those of \(\mathbb {G}\), we thus shorten signatures by the equivalent of 3 elements of \(\mathbb {G}\) (or \(20\,\%\)).

Our construction can be seen as an optimized instantiation of a general construction [1] that combines a tagged one-time signature and an SPS scheme which is only secure against extended random-message (XRMA) attacks. A tagged one-time signature (TOTS) is a signature scheme where each signature contains a single-use tag: namely, only one signature is generated w.r.t. each tag. The generic construction of [1] proceeds by certifying the tag of the TOTS scheme using an XRMA-secure SPS scheme. Specifically, our F-unforgeable signature assumes the role of the XRMA-secure signature and its shorter message space allows us to make the most of the optimal tag size of [2]. In [1], the proofs of XMRA security rely on the property that, when the reduction signs random groups elements of its choice, it is allowed to know their discrete logarithms. However, this property is only used in the security proof and not in the scheme itself. Here, we also use the discrete logarithm of the tag in the SPS construction itself, which allows our F-unforgeable signature to supersede the XRMA-secure signature. By exploiting the smaller message space of our F-unforgeable signature, we can leverage the optimal tag size of [2]. Unlike the SPS of [2], we do not need to expand the tag from one to three group elements before certifying it.

  • Keygen \((\mathsf {cp},n)\) : given the length n of messages to be signed and common parameters \(\mathsf {cp}\) specifying the description of bilinear groups \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\) of prime order \(p>2^{\lambda }\), do the following.

    1. a.

      Generate a key pair \((\mathsf {sk}_{fsig},\mathsf {pk}_{fsig}) \leftarrow \mathsf {Setup}(\mathsf {cp})\) for the F-unforgeable signature of Sect. 3. Namely,

      1. 1.

        Choose \(\omega ,a \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\), \(g \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\), \(\hat{g} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\) and set \(h=g^a\), \(\varOmega =h^{\omega }\). Then, choose \( v ,w \mathop {\leftarrow }\limits ^{ _R } \mathbb {G}\).

      2. 2.

        Define a matrix \(\mathbf {{M}}=(M_{j,i})_{j,i} \) given by

        (6)
      3. 3.

        Generate a key pair \((\mathsf {sk}_{hsps},\mathsf {pk}_{hsps})\) for the linearly homomorphic signature of Sect. 2.2 in order to sign vectors of dimension \(n=6\). Let \(\mathsf {sk}_{hsps}=\{(\chi _{0,i},\gamma _{0,i})\}_{i=1}^{6}\) be the private key, of which the corresponding public key is \( \mathsf {pk}_{hsps} = \big ( \hat{g_z}, ~ \hat{g_r},~\{ \hat{g}_i \}_{i=1}^{6} \big )\).

      4. 4.

        Using \(\mathsf {sk}_{hsps}=\{ \chi _{0,i}, \gamma _{0,i} \}_{i=1}^{6} \), generate one-time homomorphic signatures \(\{({z}_j,{r}_j)\}_{j=1}^{3}\) on the rows \({{\varvec{M}}}_{j}=({M}_{j,1},\cdots ,{M}_{j,6})\in {\mathbb {G}}^{6}\) of \(\mathbf {{M}}\). These are obtained as \( ({z}_{j},{r}_{j}) = \left( \prod _{i=1}^{6} {M}_{j,i}^{-\chi _{0,i}},~\prod _{i=1}^{6} {M}_{j,i}^{-\gamma _{0,i}} \right) ,\) for \(j \in \{1,2,3\}\) and, as part of the common reference string for the QA-NIZK proofs of [47], they will be included in the public key.

    2. b.

      Generate a key pair \((\mathsf {pk}_{pots},\mathsf {sk}_{pots})\) for the partial one-time SPS of Abe et al. [1]. Namely, choose \(w_z,w_r,\mu _z,\mu _u ,w_t \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and set

      $$\begin{aligned} \hat{G_z}= & {} \hat{g}^{w_z}, \qquad \hat{G_r}=\hat{g}^{w_r}, \qquad \hat{G_t}=\hat{g}^{w_t}, \qquad \hat{H_z}=\hat{g}^{\mu _z}, \qquad \hat{H_u}=\hat{g}^{\mu _u} \\ {G_z}= & {} {g}^{w_z}, \qquad {G_r}= {g}^{w_r}, \qquad {G_t}={g}^{w_t}, \qquad {H_z}= {g}^{\mu _z}, \qquad {H_u}= {g}^{\mu _u} \end{aligned}$$

      Then, for \(i=1\) to n, choose \(\chi _i,\gamma _i,\delta _i \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute \(\hat{G_i}=\hat{G_z}^{\chi _i} \cdot \hat{G_r}^{\gamma _i}\) and \(\hat{H_i}=\hat{G_z}^{\chi _i} \cdot \hat{G_r}^{\delta _i}\). Define \(\mathsf {sk}_{pots}:=\{(\chi _i,\gamma _i,\delta _i)\}_{i=1}^n\) and

      $$\mathsf {pk}_{pots}:=\big (G_z,G_r,G_t,H_z,H_u,\hat{G_z},\hat{G_r},\hat{G_t},\hat{H_z},\hat{H_u},\{\hat{G_i},\hat{H_i}\}_{i=1}^n \big ).$$

    The private key is \( SK=(\omega ,w_r,\mu _u,\mathsf {sk}_{pots}) \) and the public key consists of

    $$ PK=\Bigl ( ~g,~h,~\hat{g}, ~(v,w),~\varOmega =h^\omega ,~\mathsf {pk}_{pots},~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{3} \Bigr ).$$

  • Sign \((SK,{{\varvec{M}}})\) : given \( SK=(\omega ,w_r,\mu _u,\mathsf {sk}_{pots}) \) and \({{\varvec{M}}}=(M_1,\ldots ,M_n)\in \mathbb {G}^n \),

    1. 1.

      Choose \(s,\tau \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) to compute

      $$\begin{aligned} \sigma _1= & {} g^\omega \cdot (v^\tau \cdot w)^{s} , \quad \qquad \quad ~~~ \sigma _2=g^{s \cdot \tau }, \qquad \qquad ~~~~ \sigma _3 = g^{s }, \\ \sigma _4= & {} h^{s \cdot \tau } \quad \qquad \qquad \qquad \qquad ~ \!\!\!\!\sigma _5=h^{s} ,\qquad \qquad \quad ~~\!\!\! \tilde{\sigma _6}=\hat{g}^\tau . \end{aligned}$$

      Then, generate a QA-NIZK proof that the vector \((\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5,\varOmega ) \) is in the row space of \(\mathbf {M}\). This proof \((z,r) \in \mathbb {G}^2\) is computed as

      $$\begin{aligned} z= & {} z_1^\omega \cdot (z_2^\tau \cdot z_3)^{s} , \qquad \qquad r = r_1^\omega \cdot (r_2^\tau \cdot r_3)^{s}. \end{aligned}$$
      (7)
    2. 2.

      Choose \(\zeta \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute \(Z = g^\zeta \cdot \prod _{i=1}^n M_i^{-\chi _i}\) as well as

      $$\begin{aligned} R= (G_t^{ \tau } \cdot {G_z}^{-\zeta } )^{1/w_r} \cdot \prod _{i=1}^n M_i^{-\gamma _i} , \qquad \qquad U= (H_z^{-\zeta })^{1/\mu _u} \cdot \prod _{i=1}^n M_i^{-\delta _i} \end{aligned}$$

    Return \(\sigma =\big (\sigma _1,\sigma _2,\sigma _3,\sigma _4,\sigma _5,\hat{\sigma _6} ,z,r,Z,R ,U \big ) \in \mathbb {G}^5 \times \hat{\mathbb {G}} \times \mathbb {G}^5.\)

  • Verify \((PK,\sigma ,{{\varvec{M}}})\) : given \({{\varvec{M}}}=(M_1,\ldots ,M_n) \in \mathbb {G}^n\), parse \(\sigma \) as above. Return 1 if and only if \(e(\sigma _2,\hat{g}) = e(\sigma _3,\hat{\sigma _6} )\) and \( e(\sigma _4,\hat{g}) = e(\sigma _5,\hat{\sigma _6} )\) as well as

    $$\begin{aligned} \nonumber e({z},\hat{g_z}) \cdot e({r},\hat{g_r})= & {} \prod _{i=1}^5 e(\sigma _i,\hat{g_i})^{-1} \cdot e(\varOmega ,\hat{g_{6}})^{-1} \\ e(G_t,\hat{\sigma _6})= & {} e(Z,\hat{G_z}) \cdot e(R,\hat{G_r}) \cdot \prod _{i=1}^n e(M_i,\hat{G_i}) \\ \nonumber 1_{\mathbb {G}_T}= & {} e(Z,\hat{H_z}) \cdot e(U,\hat{H_u}) \cdot \prod _{i=1}^n e(M_i,\hat{H_i}). \end{aligned}$$
    (8)

Each signature requires 10 elements of \(\mathbb {G}\) and one element of \(\hat{\mathbb {G}}\). Using the optimized F-unforgeable signature based on the Jutla-Roy QA-NIZK proof [41], we can also save one more element of \(\mathbb {G}\) and obtain signatures in \(\mathbb {G}^9 \times \hat{\mathbb {G}}\), which shortens the signatures of Abe et al. [1] by \(26\,\%\). In the full version of the paper, we give more detailed comparisons among all SPS based on non-interactive assumptions.

In the application to group signatures, it is desirable to minimize the number of signature components that need to appear in committed form. To this end, signatures must be randomizable in such a way that \((\sigma _3,\sigma _5)\) can appear in the clear modulo a re-randomization of \(s\in \mathbb {Z}_p\). To enable this randomization, it is necessary to augment signatures (similarly to [6]) with a randomization token \((g^\tau ,h^\tau ,v^\tau ,z_2^\tau ,r_2^\tau )\). We will prove that the scheme remains unforgeable even when the signing oracle also outputs these randomization tokens at each invocation.Footnote 2 We call this notion extended existential unforgeability (or EUF-CMA\(^*\) for short).

When the re-randomization tokens are used, proving the knowledge of a signature on a committed message \({{\varvec{M}}} \in \mathbb {G}^n\) requires \(2n+24\) elements of \(\mathbb {G}\) and 12 elements of \(\hat{\mathbb {G}}\). In comparison, the best previous solution of Abe et al. costs \(2n+26\) elements of \(\mathbb {G}\) and 18 elements of \(\hat{\mathbb {G}}\).

Theorem 3

The scheme provides EUF-CMA\(^*\) security if the SXDH and XDLIN\(_2\) assumptions hold in \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\). (The proof is given in the full version of the paper).

In short, the proof of Theorem 3 considers two kinds of forgeries. In Type I forgeries, the adversary’s forgery contains an element \(\hat{\sigma _6}^\star \) that did not appear in any signature obtained by the forger during the game. In contrast, Type II forgeries are those for which \(\hat{\sigma _6}^\star \) is recycled from a response of the signing oracle. It is easy to see that a Type I forger allows breaking the security of the F-unforgeable signature. As for Type II forgeries, they are shown to contradict the XDLIN\(_2\) assumption via a careful adaptation of the proof given by Abe et al. for their TOTS scheme [2]. While the latter was originally presented in symmetric pairings, it goes through in Type 3 pairings modulo natural changes that consist in making sure that most handled elements of \(\hat{\mathbb {G}}\) have a counterpart in \(\mathbb {G}\). One difficulty is that, at each query, the reduction must properly simulate the randomization tokens \((v^\tau ,g^\tau ,h^\tau ,z_2^\tau ,r_2^\tau )\) as well as an instance of the F-unforgeable signature without knowing the discrete logarithm \(\log _{\hat{g}}(\hat{\sigma _6})=\hat{g}^\tau \) or that of its shadow \(\log _{{g}}({\sigma _6})={g}^\tau \) in \(\mathbb {G}\). Fortunately, this issue can be addressed by letting the reduction know \(\log _g(v)\) and \(\log _g(w)\).

In an independent work [45], Kiltz, Pan and Wee obtained even shorter signatures, which live in \(\mathbb {G}^6 \times \hat{\mathbb {G}}\) under the SXDH assumption. On the other hand, their security reduction is looser than ours as the gap between the adversary’s advantage and the reduction’s probability to break the underlying assumption is quadratic (instead of linear in our case) in the number of signing queries.

6 A Publicly Verifiable Tag-Based Encryption Scheme

As a tool for constructing a CCA2-anonymous group signature, we describe a new tag-based encryption scheme [44, 48] which is inspired by the lossy encryption scheme [13] of [39]. In our group signature, we will exploit the fact that the DDH-based lossy encryption scheme of Bellare et al. [13] can also be seen as a Groth-Sahai commitment.

  • Keygen \((\mathsf {cp} )\) : Given public parameters \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) specifying asymmetric bilinear groups of prime order \(p>2^\lambda \), conduct the following steps.

    1. 1.

      Choose \({g},{h} \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}\). Choose \(x,\alpha ,\beta \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and set \({X}_1={g}^{x}\), \({X}_2={h}^{x}\), \({S}={g}^\alpha \), \({T}={g}^\beta \), \({W}={h}^\alpha \) and \({V}={h}^\beta \).

    2. 2.

      Generate a key pair \((\mathsf {pk}_{hsig}',\mathsf {sk}_{hsig}')\) for the homomorphic signature of Sect. 2.2 in order to sign vectors in \({\mathbb {G}}^{3}\). Let \(\mathsf {pk}_{hsig}' = \bigl ( \hat{G_z},\hat{G_r}, \{ \hat{G_i} \}_{i=1}^{3} \bigr )\) be the public key and let \(\mathsf {sk}_{hsig}'= \{ ( \varphi _i, \vartheta _i) \}_{i=1}^{3} \) be the private key.

    3. 3.

      Use \(\mathsf {sk}_{hsig}'\) to generate linearly homomorphic signatures \(\{({Z}_i,{R}_i)\}_{i=1}^4\) on the rows of the matrix

      which form a subspace of rank 2. The key pair consists of \(\mathsf {sk}= (x,\alpha ,\beta ) \) and \(\mathsf {pk} := \Big ( {g},{h}, {X}_1,{X}_2, {S},{W} , {T},{V},\mathsf {pk}_{hsig}',\{({Z}_i,{R}_i)\}_{i=1}^4 \Big )\).

  • Encrypt \((\mathsf {pk},{M} ,\tau )\) : To encrypt \({M} \in {\mathbb {G}}\) under the tag \(\tau \), choose \(\theta _{1},\theta _{2} \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute the ciphertext \({{\varvec{C}}} = ({C}_0,{C}_1,{C}_2 ,{Z},{R}) \) as

    $$\begin{aligned} {{\varvec{C}}} = \big ( {M} \cdot {X}_1^{\theta _{1}} \cdot {X}_2^{\theta _{2}}, ~&{g}^{\theta _{1}} \cdot {h}^{\theta _{2}}, ~({S}^\tau \cdot {T})^{\theta _{1}} \cdot ({W}^\tau \cdot {V})^{\theta _{2}}, \\ ~&({Z}_{3}^\tau \cdot {Z}_1)^{\theta _{1}} \cdot ({Z}_4^\tau \cdot {Z}_2)^{\theta _{2}} , ({R}_{3}^\tau \cdot {R}_1)^{\theta _{1}} \cdot ({R}_4^\tau \cdot {R}_2)^{\theta _{2}} \big ). \end{aligned}$$

    Here, (ZR) serves as a proof that the vector \(({C}_1,{C}_1^\tau ,{C}_2)\) is in the row space of \(\mathbf {{L}}\) and satisfies

    $$\begin{aligned} e(Z,\hat{G_z}) \cdot e(R,\hat{G_r})= & {} e(C_1,\hat{G_1}^\tau \cdot \hat{G_2})^{-1} \cdot e(C_2,\hat{G_2})^{-1} \end{aligned}$$
    (9)

  • Decrypt \((\mathsf {sk},{{\varvec{C}}},\tau )\) : Parse \({{\varvec{C}}}\) as above. Return \(\perp \) if (ZR) does not satisfy (9). Otherwise, return \({M} = {C}_0 /{C}_1^x\).

We observe that \(({C}_0,{C}_1)\) form a Groth-Sahai commitment based on the DDH assumption in \({\mathbb {G}}\). If \(\log _{{g}}({X}_1)=\log _{{h}}({X}_2)\), the commitment is extractable. Otherwise, it is perfectly hiding. We will use this CCA2-secure scheme as a commitment that is extractable on all tags, except one \(\tau ^\star \) where it behaves as a perfectly hiding commitment. The above system achieves this while only expanding the original Groth-Sahai commitment \((C_0,C_1)\) by 3 elements of \(\mathbb {G}\).

This scheme will save our group signatures from having to contain (beyond \(({C}_0,{C}_1)\)) an additional CCA2-secure encryption and a NIZK proof that the plaintext coincides with the content of a Groth-Sahai commitment. The above technique allows saving the equivalent of 16 elements of \(\mathbb {G}\). We thus believe this cryptosystem to be of interest in its own right since it can be used in a similar way to shorten other group signatures (e.g., [36]) based on Groth-Sahai proofs.

In the full paper, the scheme is proved secure in the sense of [44].

Theorem 4

The above scheme is selective-tag weakly IND-CCA2-secure if the SXDH assumption holds. (The proof is given in the full paper).

7 Short Group Signatures in the BMW Model

The TBE scheme of Sect. 6 allows us to achieve anonymity in the CCA2 sense by encrypting an encoding of the group member’s identifier. In order to minimize the signature length, we let the TBE ciphertext live in \(\mathbb {G}\) instead of \(\hat{\mathbb {G}}\). To open signatures in constant time, however, the opening algorithm uses the extraction trapdoor of a Groth-Sahai commitment in \(\hat{\mathbb {G}}^2\) rather than the private key \(\mathsf {sk}_{tbe}\) of the TBE system. The latter key is only used in the proof of anonymity where the reduction uses a somewhat inefficient opening algorithm of complexity O(N).

  • Keygen \((\lambda ,N)\) : given a security parameter \(\lambda \in \mathbb {N}\) and the number of users N , choose asymmetric bilinear groups \(\mathsf {cp}=(\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T,p)\) of order \(p>2^\lambda \).

    1. 1.

      Generate a key pair \( (\mathsf {msk},\mathsf {mpk})\) for the two-level hierarchical signature of Sect. 4. Let

      $$ \mathsf {mpk} :=\Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~p, ~g,~h,~ \hat{g}, ~ (t,v,w) ,~\varOmega =h^{\omega },~\mathsf {pk}_{hsps},~\{({z}_j,{r}_j)\}_{j=1}^{4} \Bigr )$$

      be the master public key and \(\mathsf {msk} :=\omega \in \mathbb {Z}_p\) be the master secret key.

    2. 2.

      Generate a key pair \((\mathsf {sk}_{tbe},\mathsf {pk}_{tbe})\) for the tag-based encryption scheme of Sect. 6. Let \(\mathsf {pk}_{tbe} = \Big ( {g},{h}, {X}_1,{X}_2, {S},{W} , {T},{V},\mathsf {pk}_{hsig}',\{({Z}_i,{R}_i)\}_{i=1}^4 \Big ) \) be the public key and \(\mathsf {sk}_{tbe}=(x,\alpha ,\beta )\) be the underlying private key. For simplicity, the element g can be recycled from \(\mathsf {mpk}\).

    3. 3.

      Choose a vector \({\hat{{\varvec{u}}_\mathbf{1}}}=(\hat{u}_{11},\hat{u}_{12}) \mathop {\leftarrow }\limits ^{ _R } \hat{\mathbb {G}}^2\) and set \({\hat{{\varvec{u}}_\mathbf{2}}}={\hat{{\varvec{u}}_\mathbf{1}}}^{\xi }\), where \(\xi \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\). Also, define the vectors \({{{\varvec{u}}}_\mathbf{1}}=({g},{X}_1)\) and \({{\varvec{u}}_\mathbf{2}}=(h,{X}_2)\). These vectors will form Groth-Sahai CRSes \(({{{\varvec{u}}}_1},{{\varvec{u}}_\mathbf{2}})\) and \(({\hat{{\varvec{u}}_\mathbf{1}}},{\hat{{\varvec{u}}_\mathbf{2}}})\) in the perfectly binding setting. Although \(\mathsf {sk}_{tbe}\) serves as an extraction trapdoor for commitments generated on the CRS \(({{\varvec{u}}_\mathbf{1}},{{\varvec{u}}_\mathbf{2}})\), the group manager will more efficiently use \(\zeta =\log _{\hat{u}_{11}}(\hat{u}_{12})\) to open signatures.

    4. 4.

      Choose a chameleon hash function \(\mathsf {CMH} =(\mathsf {CMKg},\mathsf {CMhash},\mathsf {CMswitch})\) with a key pair (hktk) and randomness space \(\mathcal {R}_{hash}\).

    5. 5.

      For each group member i, choose an identifier \(\mathsf {ID}_i \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and use \(\mathsf {msk}\) to compute \(K_{\mathsf {ID}_i}=(K_1,K_2,K_3,K_4,K_5,K_6,\hat{K_7},z,r,z_d,r_d)\), where

      and \((z_{d},r_d) = (z_4^s,r_4^{s})\). For each \(i \in \{1,\ldots ,N\}\), the i-th group member’s private key is \(\mathsf {gsk}[i]=(\mathsf {ID}_i,K_{\mathsf {ID}_i }).\)

    The group manager’s secret key is \(\mathsf {gsk}:=\big (\mathsf {msk}, \zeta =\log _{\hat{u}_{11}}(\hat{u}_{12}) \big )\) while the group public key consists of

    $$\begin{aligned} \mathsf {gpk} := \Bigl ( (\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T),~\mathsf {mpk},~ \mathsf {pk}_{tbe},~({{\varvec{u}}_\mathbf{1}},{{\varvec{u}}_\mathbf{2}}),~({\hat{{\varvec{u}}_\mathbf{1}}},{\hat{{\varvec{u}}_\mathbf{2}}}) ,~\mathsf {CMH}, ~hk \Bigr ) . \end{aligned}$$

  • Sign \((\mathsf {gpk},\mathsf {gsk}{[i]},M )\) : In order to sign a message \(M \in \mathbb {Z}_p\) using the i-th group member’s private key \( \mathsf {gsk}[i]= (\mathsf {ID}_i,K_{\mathsf {ID}_i}) \), conduct the following steps.

    1. 1.

      Using \(K_{\mathsf {ID}_i}=(K_1,K_2,K_3,K_4,K_5,K_6,\hat{K_7},z,r,z_d,r_d)\), derive a second-level hierarchical signature. Namely, choose \(s' \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute

      $$\begin{aligned} \sigma _1= & {} K_1 \cdot K_6^M \cdot (v^{\mathsf {ID}_i} \cdot t^M \cdot w)^{s'} \qquad \qquad \sigma _2=K_2 \cdot g^{s' \cdot \mathsf {ID}_i} = g^{\tilde{s} \cdot \mathsf {ID}_i} \qquad \qquad ~~~ \\= & {} g^\omega \cdot (v^{\mathsf {ID}_i} \cdot t^M \cdot w)^{\tilde{s}} \qquad \qquad \qquad \! ~~~ \sigma _3=K_3 \cdot g^{s'} = g^{\tilde{s}} \qquad \qquad \\ \sigma _4= & {} K_4 \cdot h^{s' \cdot \mathsf {ID}_i} = h^{\tilde{s} \cdot \mathsf {ID}_i} \qquad \qquad \qquad ~~~ \sigma _5 = K_5 \cdot h^{s'} = h^{\tilde{s}} , \qquad \qquad \qquad ~~~~~ \end{aligned}$$

      and \(\hat{\sigma _6}=\hat{K_7} \), where \(\tilde{s}=s+s'\), as well as

      $$\begin{aligned} \tilde{z}= & {} z \cdot z_d^M \cdot (z_2^{\mathsf {ID}_i} \cdot z_4^M \cdot z_3 )^{s'} \qquad \qquad \qquad \tilde{r}= r \cdot r_d^M \cdot (r_2^{\mathsf {ID}_i} \cdot r_4^M \cdot r_3 )^{s'} \\= & {} z_1^\omega \cdot (z_2^{\mathsf {ID}_i} \cdot z_4^M \cdot z_3 )^{\tilde{s}} \qquad \qquad \qquad \qquad ~ \! = r_1^\omega \cdot (r_2^{\mathsf {ID}_i} \cdot r_4^M \cdot r_3 )^{\tilde{s}}. \end{aligned}$$
    2. 2.

      Choose \(\theta _1,\ldots ,\theta _{12} \mathop {\leftarrow }\limits ^{ _R } \mathbb {Z}_p\) and compute Groth-Sahai commitments

      $$\begin{aligned} {{\varvec{C}}}_{\sigma _1}= & {} (1,\sigma _1) \cdot {{{\varvec{u}}}_\mathbf{1}}^{\theta _{ 1}} \cdot {{\varvec{u}}_\mathbf{2}}^{\theta _2}, \qquad \quad {{\varvec{C}}}_{\sigma _2}=(1,\sigma _2) \cdot {{\varvec{u}}_\mathbf{1}}^{\theta _{ 3}} \cdot {{\varvec{u}}_\mathbf{2}}^{\theta _4}, \qquad \quad \\ {{\varvec{C}}}_{\sigma _4}= & {} (1,\sigma _4) \cdot {{\varvec{u}}_\mathbf{1}}^{\theta _{5}} \cdot {{\varvec{u}}_\mathbf{2}}^{\theta _{6}}, \qquad \quad {{\varvec{C}}}_{\hat{\sigma _6}}=(1,\hat{\sigma _6}) \cdot {\hat{{{\varvec{u}}}_\mathbf{1}}}^{\theta _{7}} \cdot {\hat{{\varvec{u}}_\mathbf{2}}}^{\theta _{8}}.\\ {{\varvec{C}}}_{\tilde{z}}= & {} (1,\tilde{z}) \cdot {{\varvec{u}}_1}^{\theta _{ 9}} \cdot {{\varvec{u}}_2}^{\theta _{10}}, \qquad \quad ~~ {{\varvec{C}}}_{\tilde{r}} = (1,\tilde{r}) \cdot {{\varvec{u}}_1}^{\theta _{11}} \cdot {{\varvec{u}}_2}^{\theta _{12}} \end{aligned}$$

      Note that \({{\varvec{C}}}_{{\sigma _2}}\) can be written as \((C_1,C_0)=({g}^{\theta _3} \cdot {h}^{\theta _4}, \sigma _2 \cdot {X}_1^{\theta _3} \cdot {X}_2^{\theta _4})\).

    3. 3.

      Generate Groth-Sahai NIWI proofs \({\varvec{\pi }}_1 \in \hat{\mathbb {G}}^2\), \({\varvec{\pi }}_2 \in \mathbb {G}^2 \times \hat{\mathbb {G}}^2\) and \({\varvec{\pi }}_3 \in \mathbb {G}^2 \times \hat{\mathbb {G}}^2\) that committed variables \((\tilde{z},\tilde{r},\sigma _1,\sigma _2,\sigma _4,\hat{\sigma _6})\) satisfy

      $$\begin{aligned} e(\boxed {\tilde{z}},\hat{g_z}) \cdot e(\boxed {\tilde{r}},\hat{g_r})= & {} e(\boxed {\sigma _1},\hat{g_1})^{-1} \cdot e(\boxed {\sigma _2},\hat{g_2})^{-1} \cdot e(\sigma _3,\hat{g_3} \cdot \hat{g_6}^M)^{-1} \quad \\ \nonumber&\qquad \qquad \cdot e(\boxed {\sigma _4}, \hat{g_4})^{-1} \cdot e(\sigma _5,\hat{g_5} \cdot \hat{g_7}^M)^{-1} \cdot e(\varOmega ,\hat{g_{8}})^{-1} \end{aligned}$$
      (10)

      and

      $$\begin{aligned} e(\boxed {\sigma _2},\hat{g})= & {} e(\sigma _3,\boxed {\hat{\sigma _6}}), \qquad \qquad e(\boxed {\sigma _4},\hat{g}) = e(\sigma _5,\boxed {\hat{\sigma _6}}). \end{aligned}$$
      (11)
    4. 4.

      Choose \(r_{hash} \mathop {\leftarrow }\limits ^{ _R } \mathcal {R}_{hash}\) and compute a chameleon hash value

      $$\tau =\mathsf {CMhash}(hk, ({{\varvec{C}}}_{\sigma _1}, {{\varvec{C}}}_{\sigma _2}, \sigma _3, {{\varvec{C}}}_{\sigma _4},\sigma _5,{{\varvec{C}}}_{\hat{\sigma _6}} ,{{\varvec{C}}}_{\tilde{z}}, {{\varvec{C}}}_{\tilde{r}},{\varvec{\pi }}_1,{\varvec{\pi }}_2,{\varvec{\pi }}_3 ) ,r_{hash}).$$

      Then, using \(\tau \) and \((\theta _3,\theta _4) \in \mathbb {Z}_p^2\), compute \({C}_2=({S}^\tau \cdot {T})^{\theta _3} \cdot ({W}^\tau \cdot {V})^{\theta _4}\). Using \(\mathsf {pk}_{hsig}'\), compute \(({Z},{R})=\big ( ({Z}_3^\tau \cdot {Z}_1)^{\theta _3} \cdot ({Z}_4^\tau \cdot {Z}_2)^{\theta _4}, ({R}_3^\tau \cdot {R}_1)^{\theta _3} \cdot ({R}_4^\tau \cdot {R}_2)^{\theta _4} \big )\) as a QA-NIZK argument that \(({C}_1,{C}_1^\tau ,{C}_2) \) is in the row space of \(\mathbf {{L}}\). This allows turning \({{\varvec{C}}}_{{\sigma _2}}=(C_1,C_0)\) into a TBE ciphertext \({\tilde{{\varvec{C}}}}_{{\sigma _2}} = ({C}_0,{C}_1,{C}_2,{Z},{R})\) as

      $$\begin{aligned} {\tilde{{\varvec{C}}}}_{{\sigma _2}} = \big ( ~\sigma _2&\cdot {X}_1^{\theta _3} \cdot {X}_2^{\theta _4},~{g}^{\theta _3} \cdot {h}^{\theta _4}, ~({S}^\tau \cdot {T})^{\theta _3} \cdot ({W}^\tau \cdot {V})^{\theta _4} ,\\ ~&({Z}_3^\tau \cdot {Z}_1)^{\theta _3} \cdot ({Z}_4^\tau \cdot {Z}_2)^{\theta _4} , ~ ({R}_3^\tau \cdot {R}_1)^{\theta _3} \cdot ({R}_4^\tau \cdot {R}_2)^{\theta _4} \big ) \in {\mathbb {G}}^5 \end{aligned}$$

      for the tag \(\tau \). Note that \({\tilde{{\varvec{C}}}}_{{\sigma _2}} \) contains the original commitment \({{\varvec{C}}}_{{\sigma _2}}\).

    Return \(\sigma = \bigl ( {{\varvec{C}}}_{\sigma _1} ,{\tilde{{\varvec{C}}}}_{\sigma _2},\sigma _3,{{\varvec{C}}}_{\sigma _4}, \sigma _5,{{\varvec{C}}}_{\hat{\sigma _6}}, {{\varvec{C}}}_{\tilde{z}},{{\varvec{C}}}_{\tilde{r}}, {\varvec{\pi }}_1,{\varvec{\pi }}_2,{\varvec{\pi }}_3,r_{hash} \bigr )\).

  • Verify \((\mathsf {gpk},M,\sigma )\) : Parse \(\sigma \) as above. Return 1 if and only if: (i) The proofs \({\varvec{\pi }}_1, {\varvec{\pi }}_2,{\varvec{\pi }}_3 \) verify; (ii) \({\tilde{{\varvec{C}}}}_{{\sigma _2}}\) is a valid TBE ciphertext (i.e., (9) holds) for the tag \(\tau =\mathsf {CMhash}(hk, ({{\varvec{C}}}_{\sigma _1}, {{\varvec{C}}}_{\sigma _2}, \sigma _3, {{\varvec{C}}}_{\sigma _4},\sigma _5,{{\varvec{C}}}_{\hat{\sigma _6}} ,{{\varvec{C}}}_{\tilde{z}}, {{\varvec{C}}}_{\tilde{r}}, {\varvec{\pi }}_1, {\varvec{\pi }}_2,{\varvec{\pi }}_3 ) ,r_{hash}).\)

  • Open \((\mathsf {gpk},\mathsf {gmsk},M,\sigma )\) : To open \(\sigma \) using \(\mathsf {gmsk} =\big (\mathsf {msk},\zeta \big )\), parse \(\sigma \) as above and return \(\perp \) if it is not a valid signature w.r.t. \(\mathsf {gpk}\) and M. Otherwise, use \(\zeta =\log _{\hat{u}_{11}}(\hat{u}_{12})\) to decrypt the Elgamal ciphertext \({{\varvec{C}}}_{\hat{\sigma _6}} \in \hat{\mathbb {G}}^2\). Then, check if the resulting plaintext is \(\hat{g}^{\mathsf {ID}}\) for some group member’s identifier \(\mathsf {ID}\). If so, output \(\mathsf {ID}\). Otherwise, return \(\perp \).

The signature consists of 19 elements of \(\mathbb {G}\), 8 elements of \(\hat{\mathbb {G}}\) and one element of \(\mathbb {Z}_p\). If each element of \(\mathbb {G}\) (resp. \(\hat{\mathbb {G}}\)) has a 256-bit (resp. 512-bit) representation, the entire signature fits within 9216 bits (or 1.125 kB). By using the technique of Jutla and Roy [41] to shorten the hierarchical signature, it is possible to shorten the latter by one group element (as explained in Sect. 4), which saves two elements of \(\mathbb {G}\) in the group signature without modifying the underlying assumption. In this case, the signature length reduces to 8704 bits (or 1.062 kB). Using the technique of Boyen, Mei and Waters [19], it is also possible to eliminate the randomness \(r_{hash}\) and replace the chameleon hash function by an ordinary collision-resistant hash function, as explained in the full version of the paper. By doing so, at the expense of a group public key made of \(\varTheta (\lambda )\) elements of \(\hat{\mathbb {G}}\), we can further compress signatures down to 8448 bits (or 1.031 kB).

To give a concrete comparison with earlier constructions, an implementation of the Boyen-Waters group signature [21] in asymmetric prime order groups requires 8 elements of \(\mathbb {G}\) and 8 elements of \(\hat{\mathbb {G}}\) for a total of 6400 bits per signature. However, besides the SXDH assumption, the resulting scheme relies on the non-standard q-Hidden Strong Diffie-Hellman assumption [21] and only provides anonymity in the CPA sense.

Theorem 5

The scheme provides full traceability under the SXDH assumption.

The proof of Theorem 5 relies on the unforgeability of the two-level hierarchical signature of Sect. 4. By preparing extractable Groth-Sahai CRSes \(({{\varvec{u}}}_\mathbf{1},{{\varvec{u}}}_\mathbf{2})\) and \(({\hat{{\varvec{u}}}_\mathbf{1}},{\hat{{\varvec{u}}}_\mathbf{2}})\), the reduction can always turn a full traceability adversary (see [12] for a definition) into a forger for the hierarchical signature. The proof is straightforward and the details are omitted.

Theorem 6

The scheme provides full anonymity assuming that: (i) The SXDH assumption holds in \((\mathbb {G},\hat{\mathbb {G}},\mathbb {G}_T)\); (ii) \(\mathsf {CMhash}\) is a collision-resistant chameleon hash function. (The proof is given in the full version of the paper).

In the full version of the paper, we extend the above system to obtain dynamic group signatures based on the SXDH and XDLIN\(_2\) assumption. The signature length is only 1.8 kB, which gives us the shortest dynamic group signatures based on constant-size assumptions to date. The construction builds on our structure-preserving signature and the encryption scheme of Sect. 6 in a modular manner. Detailed efficiency comparisons are given in the full paper.