
Dynamic group size accreditation and group discounts preserving anonymity

  • Regular Contribution
  • International Journal of Information Security

Abstract

Group discounts are used by vendors and authorities to encourage certain behaviors. For example, group discounts can be applied to highway tolls to encourage ride sharing, or by museum managers to ensure a minimum number of visitors and plan guided tours more efficiently. We show how group discounts can be offered without forcing customers to surrender their anonymity, as long as customers are equipped with some form of autonomous computing device (e.g. smartphone, tablet or computer). Specifically, we present a protocol suite for privacy-aware group discounts that allows a group of customers to prove how many they are without disclosing their identities. The group does not need to be a stable one, but can have been formed on the fly. Coupled with an anonymous payment system, this makes group discounts compatible with buyer privacy (in this case, buyer anonymity). We present a detailed complexity analysis, we give simulation results, and we report on a pilot implementation.


Notes

  1. Even if there are ring signatures of constant size [18], we are not aware of constant-size identity-based threshold ring signatures.

  2. When discussing asymmetric bilinear pairings, the term group is used in its algebraic acceptation. Otherwise, in this paper we use group in its ordinary acceptation of a number of persons or entities.

References

  1. Abdalla, M., Benhamouda, F., Pointcheval, D.: Disjunctions for hash proof systems: new constructions and applications. In: Advances in Cryptology—Eurocrypt’15, Part II. LNCS, vol. 9057, pp. 69–100 (2015)

  2. Attrapadung, N., Libert, B., de Panafieu, E.: Expressive key-policy attribute-based encryption with constant-size ciphertexts. In: Public key cryptography—PKC’11. LNCS, vol. 6571, pp. 90–108 (2011)

  3. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: CT-RSA ’05. LNCS, vol. 3376, pp. 136–153. Springer, Berlin (2005)

  4. Ben Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE, New York (2014)

  5. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, pp. 313–317. AFIPS Press, New York (1979)

  6. Bluetooth SIG: Specification of the Bluetooth System (2013). https://www.bluetooth.org/en-us/specification/adopted-specifications

  7. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Advances in cryptology—Eurocrypt’04. LNCS, vol. 3027, pp. 223–238. Springer, Berlin (2004)

  8. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity-based encryption with constant size ciphertext. In: Advances in Cryptology—Eurocrypt’05. LNCS, vol. 3494, pp. 440–456. Springer, Berlin (2005)

  9. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Advances in Cryptology—Crypto’01. LNCS, vol. 2139, pp. 213–229. Springer, Berlin (2001)

  10. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Advances in Cryptology—Crypto’05. LNCS, vol. 3621, pp. 258–275, Springer, Berlin (2005)

  11. Boneh, D., Hamburg, M.: Generalized identity-based and broadcast encryption schemes. In: Advances in Cryptology—Asiacrypt’08. LNCS, vol. 5350, pp. 455–470. Springer, Berlin (2008)

  12. CBC News Canada: Man charged for driving with 2 mannequins in HOV lane. http://www.cbc.ca/news/canada/toronto/man-charged-for-driving-with-2-mannequins-in-hov-lane-1.3143701

  13. Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Advances in Cryptology—Crypto’88. LNCS, vol. 403, pp. 319–327. Springer, Berlin (1990)

  14. Chen, L., Morrissey, P., Smart, N.P.: Pairings in trusted computing. In: Pairing-Based Cryptography—Pairing 2008. LNCS, vol. 5209, pp. 1–17. Springer, Berlin (2008)

  15. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Advances in Cryptology—Crypto’94. LNCS, vol. 839, pp. 174–187. Springer, Berlin (1994)

  16. Davis, J.P., McNamara, J.M.A., Rector, J.D.: Devices, systems and methods for identifying and/or billing an individual in a vehicle. US Patent US8280791 B2. Date filed: Dec. 8, 2009

  17. De Caro, A., Iovino, V.: jPBC: Java pairing based cryptography. In: 2011 Symposium on Computers and Communication (ISCC), pp. 850–855. IEEE, New York (2011). http://gas.dia.unisa.it/projects/jpbc/

  18. Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad-hoc Groups. In: Advances in Cryptology—Eurocrypt’04. LNCS, vol. 3029, pp. 609–627. Springer, Berlin (2004)

  19. Domingo-Ferrer, J., Blanco-Justicia, A.: Group discounts compatible with buyer privacy. In: 9th International Workshop on Data Privacy Management—DPM 2014. LNCS, vol. 8872, pp. 47–57. Springer, Berlin (2015)

  20. Domingo-Ferrer, J., Ràfols, C., Aragonès-Vilella, J.: Method and system for customized contactless toll collection in carpool lanes (in Spanish “Método y sistema de cobro sin contacto, por el uso de una vía, para vehículos de alta ocupación”). Spanish patent P201200215. Date filed: February 28, 2012

  21. González, A., Hevia, A., Ràfols, C.: QA-NIZK arguments in asymmetric groups: new tools and new constructions. In: ASIACRYPT 2015, Part I. LNCS, vol. 9452, pp. 605–629. Springer, Berlin (2015)

  22. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM CCS’06, pp. 89–98. ACM Press, New York (2006)

  23. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Advances in Cryptology—Eurocrypt’08. LNCS, vol. 4965, pp. 415–432. Springer, Berlin (2008)

  24. Herranz, J., Laguillaumie, F., Libert, B., Ràfols, C.: Short attribute-based signatures for threshold predicates. In: Topics in Cryptology—CT-RSA 2012. LNCS, vol. 7178, pp. 51–67. Springer, Berlin (2012)

  25. Joux, A.: A new index calculus algorithm with complexity L(1/4+o(1)) in small characteristic. In: Selected Areas in Cryptography—SAC 2013. LNCS, vol. 8282, pp. 355–379. Springer, Berlin (2014)

  26. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: ASIACRYPT 2013. LNCS, vol. 8269, pp. 1–20. Springer, Berlin (2013)

  27. Jutla, C.S., Roy, A.: Switching lemma for bilinear tests and constant-size NIZK proofs for linear subspaces. In: Advances in Cryptology—Crypto’14. LNCS, vol. 8617, pp. 295–312. Springer, Berlin (2014)

  28. Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. IACR Cryptology ePrint Archive (2016)

  29. Libert, B., Peters, T., Joye, M., Yung, M.: Non-malleability from malleability: simulation-sound quasi-adaptive NIZK proofs and CCA2-secure encryption from homomorphic signatures. In: Advances in Cryptology—Eurocrypt’14. LNCS, vol. 8441, pp. 514–532. Springer, Berlin (2014)

  30. Lynn, B.: On the Implementation of Pairing-Based Cryptosystems. Doctoral dissertation, Stanford University (2007)

  31. Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: anonymous distributed e-cash from bitcoin. In: 2013 Symposium on Security and Privacy, pp. 397–411. IEEE, New York (2013)

  32. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Consulted, vol. 1 (2008). http://www.bitcoin.org/bitcoin

  33. Paysafecard: http://paysafecard.com. Checked Dec. 1, 2014

  34. Ràfols, C.: Stretching Groth–Sahai proofs: NIZK proofs of partial satisfiability. In: TCC’15, LNCS, vol. 9015, pp. 247–276. Springer, Berlin (2015)

  35. Reid, F., Harrigan, M.: An analysis of anonymity in the bitcoin system. In: Altshuler, Y., et al. (eds.) Security and Privacy in Social Networks, pp. 197–223. Springer, Berlin (2013)

  36. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)

  37. Shamir, A.: Identity based cryptosystems and signature schemes. In: Advances in Cryptology—CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Berlin (1985)

  38. Waters, B.: Efficient identity-based encryption without random oracles. In: Eurocrypt’05. LNCS, vol. 3494, pp. 114–127. Springer, Berlin (2005)


Acknowledgements

The following funding sources are acknowledged: Google (Faculty Research Award to the first author), Government of Catalonia (ICREA Acadèmia Prize to the first author and Grant 2014 SGR 537), Spanish Government (Projects TIN2014-57364-C2-1-R “SmartGlacis” and TIN2015-70054-REDC), and European Commission (projects H2020-644024 “CLARUS” and H2020-700540 “CANVAS”). The authors are with the UNESCO Chair in Data Privacy. The views in this paper are the authors’ own and do not necessarily reflect the views of UNESCO or any of the funders.

Correspondence to Josep Domingo-Ferrer.

Appendices

Appendix 1: Proof of Theorem 1

We show that a forger \(\mathcal {F}\) implies either a collision-finder for H or an algorithm \(\mathcal {B}\) that computes \(g_1^{\gamma ^{N+1}}\) from \((g_1,g_2,g_1^{\gamma },\ldots ,g_1^{\gamma ^N}, g_1^{\gamma ^{N+2}},\ldots ,g_1^{\gamma ^{2N}},g_2^{\gamma },\ldots ,g_2^{\gamma ^N})\), where \(N=n+1\). In the following, we denote by \(\mathbf {\gamma }\) the vector \(\mathbf {\gamma }:=(\gamma ,\gamma ^2,\ldots ,\gamma ^N)\) and by \(z_i\) the value \(z_i:=g_1^{\gamma ^i}\), for each \(i \in \{1,\ldots ,2N\}\). Also, we assimilate a user’s identity-based public key with her identity and denote it as \(\mathbf{id}\).

At the outset of the attack game, \(\mathcal {F}\) declares the challenge set \(\varGamma ^\star =(s^\star ,S^\star )\). Then, \(\mathcal {B}\) prepares the public parameters \(\textsf {pms}\) and the master public key \(\textsf {mpk}\) as follows: it selects a set \(\mathcal {D}\) of n dummy signers and computes the vector \(\mathbf {Y}\) associated with the polynomial \(P_{S^\star }(Z)\) according to Expression (2) using the set \(\mathcal {D}_{n-s^\star }\) of the first \(n-s^\star \) dummy signers. More precisely, \(\mathcal {B}\) picks \(\theta _0,\delta _0 \leftarrow \mathbb {Z}_p\) and a random vector \(\mathbf {\theta } \leftarrow \mathbb {Z}_p^N\) and computes \(\mathbf {H}=(h_1,\ldots ,h_N)^\top =g_1^{\mathbf {\gamma }} \cdot g_1^{\mathbf {\theta }}\), \(\mathbf {F}=(f_1,\ldots ,f_N)^\top =g_2^{\mathbf {\gamma }} \cdot g_2^{\mathbf {\theta }}\) (which implicitly sets \(\mathbf {\alpha }=\mathbf {\gamma }+\mathbf {\theta }\)), \(h_0=g_1^{\theta _0} \cdot g_1^{-\langle \mathbf {\gamma }, \mathbf {Y} \rangle }\), \(f_0=g_2^{\theta _0} \cdot g_2^{-\langle \mathbf {\gamma }, \mathbf {Y} \rangle }\) and \(e(g_1,g_2)^{\alpha } = e(z_N,g_2^{\gamma })^{\delta _0}\); the master secret key (implicitly) is set to \(g_1^\alpha = z_{N+1}^{\delta _0}\). In addition, \(\mathcal {B}\) selects a collision-resistant hash function H which will be treated as a random oracle. It chooses some value \(M^{\dagger } \leftarrow \mathbb {Z}_p\) and stores it to answer random oracle queries. It also defines \(u_0:=z_1^{t_0}\), \(v_0:=(g_2^{\gamma })^{t_0}\), \(u_1:=z_1^{-M^{\dagger } t_0} g_1^{t_1}\), \(v_1:=(g_2^{\gamma })^{-M^{\dagger } t_0} g_2^{t_1}\) for \(t_0,t_1 \leftarrow \mathbb {Z}_p\). The master public key \(\textsf {mpk}=\big (e(g_1,g_2)^{\alpha },h_0,f_0,\mathbf {H},\mathbf {F},\mathbf {U},\mathbf {V},\mathcal {D},H\big )\) is given to \(\mathcal {F}\).

In the following, for any \(\omega \in \mathbb {Z}_p\), we define the vector \(\mathbf {X}_\omega ^n=(1,\omega ,\ldots ,\omega ^{n-1})^\top \). We note that, given any set \(S\subset \mathbb {Z}_p\) of cardinality less than n, the vectors \(\{\mathbf {X}_\omega ^n\}_{\omega \in S}\) are linearly independent.

Random oracle queries: We assume that the number of random oracle queries of an adversary is bounded by some natural number \(q_H\). Algorithm \(\mathcal {B}\) chooses a random index \(i^{\star } \in [q_H]\) and answers the \(i^{\star }\)-th query with the value \(M^{\dagger } \in \mathbb {Z}_p\), and the other queries with randomly chosen elements in \(\mathbb {Z}_p\).

Secret key queries: \(\mathcal {F}\) can obtain secret keys for any identity-based public key, provided that the set of queried identities \(\varOmega \) is such that \(|\varOmega \cap S^\star | < s^\star \). Since \(|\varOmega \cap S^\star | <s^\star \), and \(S^\star \) and \(\mathcal {D}\) are disjoint sets of identity-based public keys (just like \(\varOmega \) and \(\mathcal {D}\)), the cardinality of \((S^\star \cap \varOmega ) \cup \mathcal {D}_{n-s^\star }\) is strictly less than n. Consequently, the vector \(\mathbf {X}^n_{0}=(1,0,\ldots ,0)^\top \) cannot be in the span of the vectors \(\{\mathbf {X}_\omega ^n\}_{\omega \in (S^\star \cap \varOmega ) \cup \mathcal {D}_{n-s^\star }}\). Pick \(\mu \leftarrow \mathbb {Z}_p^*\). We conclude that there exists an efficiently computable vector \(\mathbf {\tau }\) which is uniform conditioned on \(\langle \mathbf {X}_\omega ^n , \mathbf {\tau } \rangle = 0\) for any \(\omega \in (S^\star \cap \varOmega ) \cup \mathcal {D}_{n-s^\star }\) and \(\langle \mathbf {X}^n_{0} , \mathbf {\tau } \rangle = \mu \ne 0\) (according to Proposition 1 in [22]).

To construct a secret key, \(\mathcal {B}\) has to define a random vector \(\mathbf {u}\) which satisfies the constraint \(\langle \mathbf {X}^n_{0} , \mathbf {u} \rangle =\alpha \), i.e. \(\mathbf {u}=(\alpha ,\beta _1,\ldots ,\beta _{n-1})^\top \). This vector defines the coefficients of Q[X]. To this end, \(\mathcal {B}\) proceeds as in the proof of Theorem 3 in [22], by implicitly setting \(\mathbf {u}\) as \(\mathbf {u}=\mathbf {v} + \psi \cdot \mathbf {\tau }\), where \(\mathbf {v}=(v_1,\ldots ,v_n)^\top \in \mathbb {Z}_p^n\) is a randomly chosen vector and \(\psi = (\alpha - v_{1}) /\mu ,\) so that \(\langle \mathbf {X}^n_{0} , \mathbf {u} \rangle =\alpha \). The task of \(\mathcal {B}\) is thus to compute (without knowing the vector \(\mathbf {u}\)) a secret key component

$$\begin{aligned}&\big (D_{\mathbf{id},1},D_{\mathbf{id},2},\{K_{\mathbf{id},i}\}_{i=1}^{N-1} \big )\\&\quad =\big (g_1^{Q(\mathbf{id})} \cdot h_0^{r_\mathbf{id}},g_1^{r_\mathbf{id}},\{ h_1^{-\mathbf{id}^i} h_{i+1} \}_{i=1}^{N-1}\big ), \end{aligned}$$

and

$$\begin{aligned}&\{D_{\mathbf{id},j,1},D_{\mathbf{id},j,2}, \{K_{\mathbf{id},j,i}\}_{i=1}^{N-1} \}_{j=1\ldots n-1} \\&\quad =\{g_1^{Q(d_j)} \cdot h_0^{r_{\mathbf{id},j}},g_1^{r_{\mathbf{id},j}}, \{h_1^{-d_j^i} h_{i+1} \}_{i=1}^{N-1} \}_{j=1\ldots n-1}, \end{aligned}$$

where \(Q(\omega )= \langle \mathbf {X}_{\omega }^n, \mathbf {u} \rangle \), for any \(\omega \in \varOmega \cup \mathcal {D}\).
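As an added illustration (not code from the paper), the following Python toy carries out the exponent-level part of this simulation over \(\mathbb {Z}_p\): it builds \(\mathbf {\tau }\) from the constraint set \(W=(S^\star \cap \varOmega ) \cup \mathcal {D}_{n-s^\star }\), sets \(\mathbf {u}=\mathbf {v}+\psi \cdot \mathbf {\tau }\), and checks that \(Q(0)=\alpha \) while \(Q(\omega )\) on W depends only on \(\mathbf {v}\). The prime p, the value of n, the identities in W and the secrets are constructed values; the toy also shows that no such \(\mathbf {\tau }\) exists once \(|W|\) reaches n, which is why the condition \(|\varOmega \cap S^\star | < s^\star \) is needed.

```python
"""Toy of the key-simulation step from the 'Secret key queries' part of the
proof: everything is done on the exponents in Z_p (the real scheme performs the
same computation in the exponent of group elements).  p, n, the constraint set
W and the secrets below are constructed values for this example, not values
from the paper."""
import random

p = 2**31 - 1  # prime modulus of the toy (constructed choice)


def poly_mul(a, b):
    """Product of two polynomials given as coefficient lists, lowest degree first, mod p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def x_vec(omega, n):
    """The vector X_omega^n = (1, omega, ..., omega^(n-1)) of the proof."""
    return [pow(omega, i, p) for i in range(n)]


def inner(a, b):
    """Inner product <a, b> in Z_p."""
    return sum(ai * bi for ai, bi in zip(a, b)) % p


def make_tau(W, n, mu, rng=random):
    """Return tau in Z_p^n with <X_omega^n, tau> = 0 for every omega in W and
    <X_0^n, tau> = tau[0] = mu, or None when no such vector exists.

    <X_omega^n, tau> is the evaluation at omega of tau(Z) = sum_j tau[j] Z^j,
    so tau is admissible exactly when it equals prod_{omega in W}(Z - omega)
    times some rho(Z) of degree <= n-1-|W|.  Fixing rho(0) so that tau(0) = mu
    and drawing the other coefficients of rho uniformly makes tau uniform under
    the two constraints, which is what the proof requires."""
    W = set(W)
    if len(W) >= n or 0 in W:
        # X_0^n lies in the span of the X_omega^n: the simulation is impossible.
        return None
    vanish = [1]
    for omega in W:
        vanish = poly_mul(vanish, [(-omega) % p, 1])  # multiply by (Z - omega)
    rho = [rng.randrange(p) for _ in range(n - len(W))]
    rho[0] = mu * pow(vanish[0], p - 2, p) % p  # vanish[0] = prod(-omega) != 0
    return poly_mul(vanish, rho)


def simulate_u(v, tau, mu, alpha):
    """u = v + psi * tau with psi = (alpha - v_1) / mu, so that <X_0^n, u> = alpha.

    On W the term psi * <X_omega^n, tau> vanishes, hence Q(omega) = <X_omega^n, v>
    there and the simulator evaluates Q without ever knowing alpha."""
    psi = (alpha - v[0]) * pow(mu, p - 2, p) % p
    return [(vi + psi * ti) % p for vi, ti in zip(v, tau)]


def demo(n, W, alpha, probe, seed=1):
    """Run the simulation for constraint set W and report the checks of the proof.

    Returns None when |W| >= n (threshold condition violated), else a dict of booleans.
    'probe' is an identity outside W used to show that Q there still depends on alpha."""
    rng = random.Random(seed)
    mu = rng.randrange(1, p)
    tau = make_tau(W, n, mu, rng)
    if tau is None:
        return None
    v = [rng.randrange(p) for _ in range(n)]
    u = simulate_u(v, tau, mu, alpha)

    def Q(omega):  # Q(omega) = <X_omega^n, u>
        return inner(x_vec(omega, n), u)

    return {
        "Q0_is_alpha": Q(0) == alpha % p,
        "tau_orthogonal_on_W": all(inner(x_vec(w, n), tau) == 0 for w in W),
        "Q_on_W_needs_only_v": all(Q(w) == inner(x_vec(w, n), v) for w in W),
        # outside W the alpha-dependent term psi * tau(omega) does not vanish
        "Q_off_W_depends_on_alpha": Q(probe) != inner(x_vec(probe, n), v),
    }


if __name__ == "__main__":
    # n = 5, s* = 3: the adversary holds two identities of S* (11, 12) and the
    # simulator adds n - s* = 2 dummy signers (101, 102), so |W| = 4 < n.
    print(demo(5, [11, 12, 101, 102], alpha=12345, probe=13))
    # A third identity of S* makes |W| = n and the reduction cannot proceed.
    print(demo(5, [11, 12, 13, 101, 102], alpha=12345, probe=14))
```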

We first explain how to compute the first row of each secret key, i.e. \(\big (D_{\mathbf{id},1}, D_{\mathbf{id},2}, \{K_{\mathbf{id},i}\}_{i=1}^{N-1} \big )\).

  1. For each \(\mathbf{id}\in S^*\), we have \(Q(\mathbf{id})=\langle \mathbf {X}_{\mathbf{id}}^n,\mathbf {u} \rangle = \langle \mathbf {X}_{\mathbf{id}}^n, \mathbf {v} \rangle \) which is efficiently computable by \(\mathcal {B}\). Hence, \(\mathcal {B}\) can simply pick \(r_\mathbf{id}\leftarrow \mathbb {Z}_p^*\) and define

    $$\begin{aligned}&D_\mathbf{id}= \big (D_{\mathbf{id},1},D_{\mathbf{id},2}, \{ K_{\mathbf{id},i} \}_{i=1}^{N-1} \big ) = \\&\quad =\Big ( g_1^{Q(\mathbf{id})} \cdot h_0^{r_\mathbf{id}},~g_1^{r_\mathbf{id}},~\{ (h_1^{-\mathbf{id}^i} h_{i+1} )^{r_\mathbf{id}} \}_{i=1}^{N-1} \Big ). \end{aligned}$$
  2. For each \(\mathbf{id}\in \varOmega \backslash \{S^*\}\), \(\mathcal {B}\) can construct a valid key tuple \(\big (D_{\mathbf{id},1},D_{\mathbf{id},2},\{K_{\mathbf{id},i}\}_{i=1}^{N-1} \big )\) in two steps. The first step consists in building a tuple of the form

    $$\begin{aligned}&\big (D_{\mathbf{id},1}^*,D_{\mathbf{id},2}^*, \{ K_{\mathbf{id},i}^*\}_{i=1}^{N-1} \big ) = \\&\quad = \Big ( g_1^{\alpha } \cdot h_0^{\tilde{r}_\mathbf{id}},~g_1^{\tilde{r}_\mathbf{id}},~\{ (h_1^{-\mathbf{id}^i} h_{i+1} )^{\tilde{r}_\mathbf{id}} \}_{i=1}^{N-1} \Big ) \end{aligned}$$

    using the fact that \(\mathbf{id}\) is not in \( S^\star \cup \mathcal {D}_{n-s^\star } \). To this end, \(\mathcal {B}\) proceeds as in [11]. Let \(M_{\mathbf{id}} \in \mathbb {Z}_p^{N \times (N-1)}\) be the matrix \(M_{\mathbf{id}}=\Big ( {\begin{matrix} -{\mathbf{id}} \quad -{\mathbf{id}^2} \quad \cdots \quad - {\mathbf{id}^{N-1}} \\ I_{N-1} \end{matrix}} \Big ) .\) Pick \(\xi _1 \leftarrow \mathbb {Z}_p^*\) and define \(\mathbf { \xi }= \xi _1 \cdot (1,\mathbf{id}, \ldots ,\mathbf{id}^{N-1})^\top \), which satisfies \(\mathbf {\xi }^{~\top } M_{\mathbf{id}} = \mathbf {0}\) while \(\langle \mathbf {Y},\mathbf {\xi } \rangle = \xi _1 \cdot P_{S^\star }(\mathbf{id}) \ne 0\). The simulator \(\mathcal {B}\) computes

    $$\begin{aligned}&\big (D_{\mathbf{id},1}^*,D_{\mathbf{id},2}^*\big ) = \Bigl (g_1^{\alpha } \cdot h_0^{\tilde{r}_\mathbf{id}},~g_1^{\tilde{r}_\mathbf{id}}\Bigr ) \nonumber \\&\quad \text { and } \quad \big (K_{\mathbf{id},1}^*,\ldots , K_{\mathbf{id},N-1}^*\big )^\top = g_1^{\tilde{r}_\mathbf{id}M_{\mathbf{id}}^\top \mathbf {\alpha } }, \end{aligned}$$
    (5)

    with \(\mathbf {\alpha }=(\alpha _1,\ldots ,\alpha _N)^\top \) and where the exponent \(\tilde{r}_\mathbf{id}\) is defined as \(\tilde{r}_\mathbf{id}=r + \delta _0 \langle (\gamma ^{N},\gamma ^{N-1}, \ldots ,\gamma )^\top , \mathbf {\xi } \rangle /\langle \mathbf {Y} , \mathbf {\xi } \rangle \) for some \(r \leftarrow \mathbb {Z}_p\) chosen by \(\mathcal {B}\). Since \(g_1^{M_\mathbf{id}^\top \mathbf {\alpha }}=(h_1^{-\mathbf{id}} h_{2}, \ldots , h_1^{-\mathbf{id}^{N-1}} h_{N})^\top \), if we can argue that both expressions in (5) are computable by \(\mathcal {B}\), we will have concluded the first step. For any \(\mathbf {x} \in \mathbb {Z}_p^N\), the coefficient of \(\gamma ^{N+1}\) in the product \(\tilde{r}_\mathbf{id}\langle \mathbf {x},\mathbf {\gamma } \rangle \) is \(\delta _0 \langle \mathbf {x} , \mathbf { \xi } \rangle / \langle \mathbf {Y}, \mathbf { \xi } \rangle \). The reason why \(\mathcal {B}\) can compute \(D_{\mathbf{id},1}^*\) in (5) is that the overall coefficient of \(\gamma ^{N+1}\) in its exponent is 0, so \(z_{N+1}\) is not needed. Indeed, \(D_{\mathbf{id},1}^*=g_1^{\alpha } \cdot h_0^{\tilde{r}_\mathbf{id}} = z_{N+1}^{\delta _0} \cdot \big ( g_1^{\theta _0} \cdot g_1^{ - \langle \mathbf {\gamma }, \mathbf {Y} \rangle } \big )^{\tilde{r}_\mathbf{id}} \), and the coefficient of \(\gamma ^{N+1}\) in the product \(- \tilde{r}_\mathbf{id}\langle \mathbf {\gamma }, \mathbf {Y} \rangle \) is \(-\delta _0\), as we can see by applying the observation above in the case \(\mathbf {x}=\mathbf {Y}\); it cancels the \(\delta _0\) contributed by \(z_{N+1}^{\delta _0}\). Since \( M_\mathbf{id}^{~\top } \mathbf {\xi } = \mathbf {0}\), by applying the above observation to the case where \(\mathbf {x}^\top \) is successively set as the rows of \(M_\mathbf{id}^\top \), we find that \(z_{N+1}=g_1^{\gamma ^{N+1}}\) does not appear in \(g_1^{\tilde{r}_\mathbf{id} \cdot M_{\mathbf{id}}^\top \mathbf { \alpha }}\), which is therefore computable. This concludes the first step of the key generation process.

    In the second step, we just have to turn \( \big (D_{\mathbf{id},1}^*,D_{\mathbf{id},2}^*, \{ K_{\mathbf{id},i}^*\}_{i=1}^{N-1} \big ) \) into a suitable key component. Note that

    $$\begin{aligned} \langle \mathbf {X}^n_\mathbf{id}, \mathbf {u} \rangle&= \langle \mathbf {X}^n_\mathbf{id}, \mathbf {v} \rangle + \psi \cdot \langle \mathbf {X}^n_\mathbf{id}, \mathbf {\tau } \rangle \\&= \sum _{j=1}^n \mathbf{id}^{j-1} \Big ( v_{j} + \frac{(\alpha - v_{1} ) }{\mu } \cdot \tau _{j} \Big ) = \kappa _1 \cdot \alpha + \kappa _2, \end{aligned}$$

    where \(\kappa _1= ( \sum _{j=1}^n \mathbf{id}^{j-1} \tau _{j}) \cdot \mu ^{-1}\) and \(\kappa _2= \mu ^{-1} \cdot \sum _{j=1}^n \mathbf{id}^{j-1} \big ( \mu v_{j} - v_{1} \tau _{j} \big )\) are computable, so that \(\mathcal {B}\) can obtain a well-formed tuple \((D_{\mathbf{id},1},D_{\mathbf{id},2},\{K_{\mathbf{id},i}\}_{i=1}^{N-1})\) by picking \(r_j' \leftarrow \mathbb {Z}_p\) and setting

    $$\begin{aligned} SK_\mathbf{id}=&(D_{\mathbf{id},1},D_{\mathbf{id},2}, \{K_{\mathbf{id},i} \}_{i=1}^{N-1})= \\ =&\Bigl ({D_{\mathbf{id},1}^*}^{\kappa _1} \cdot g_1^{\kappa _2} \cdot h_0^{r_\mathbf{id}'}, {D_{\mathbf{id},2}^*}^{\kappa _1} \cdot g_1^{r_\mathbf{id}'}, \\&\{ {K_{\mathbf{id},i}^*}^{\kappa _1} \cdot (h_1^{-\mathbf{id}^i} \cdot h_{i+1} )^{ r_\mathbf{id}'} \}_{i=1}^{N-1} \Bigr ). \end{aligned}$$

Finally, we just have to argue how to compute, for each \(\mathbf{id}\in \varOmega \) and for each \(d_j\), \(j=1,\ldots , n-1\), the rest of the components of the secret key, namely: \(\{D_{\mathbf{id},j,1}, D_{\mathbf{id},j,2},\{ K_{\mathbf{id},j,i} \}_{i=1}^{N-1}\}_{j=1,\ldots ,n-1}\). The analysis is the same as before, namely, for each \(j=1,\dots ,n-s^*\), the tuple is computed as in the first item (i.e. as in the case where \(\mathbf{id}\in S^*\)) and for each \(j=n-s^*+1,\dots ,n-1\) as in the second item (using independent randomness for each id).

Signing queries: At any time, \(\mathcal {F}\) is also allowed to obtain signatures on arbitrary messages. At each signing query, \(\mathcal {F}\) supplies a message \(\textsf {Msg}\) and a threshold access policy \(\varGamma =(s,S)\), where S is a set of identities of size \(s \le n\). To answer such a query, \(\mathcal {B}\) computes \(M=H(\textsf {Msg},\varGamma ) \in \mathbb {Z}_p\) by checking the list of its random oracle queries and aborts if \(M=M^{\dagger }\). Else, \(\mathcal {B}\) constructs the vector \(\mathbf {Y}=(y_1,\ldots ,y_N)^\top \) whose coordinates are the coefficients of the polynomial \(P_S(Z)\) which is obtained following Expression (2), by augmenting S with \(n-s\) dummy signers. Recall that \(\mathcal {B}\) has to generate a signature of the form

$$\begin{aligned} \sigma _1=g_1^{\alpha } \cdot \left( h_0 \cdot \prod _{i=1}^N h_i^{y_i} \right) ^r \cdot (u_0^M \cdot u_1)^{\tilde{z}}, \quad \sigma _2=g_1^r, \quad \sigma _3=g_1^{\tilde{z}},\nonumber \\ \end{aligned}$$
(6)

for some \(r,\tilde{z} \leftarrow \mathbb {Z}_p\). To this end, \(\mathcal {B}\) uses the usual technique (which dates back to [7]) consisting in implicitly defining \(\tilde{z}=z+\dfrac{\gamma ^N \cdot \delta _0}{t_0 \cdot (M-M^{\dagger })}\), for a randomly chosen \(z \leftarrow \mathbb {Z}_p\), and computing

$$\begin{aligned} \sigma _1&=\left( u_0^M \cdot u_1 \right) ^z \cdot z_{N}^{\frac{t_1 \delta _0}{t_0 (M-M^{\dagger })}} \cdot \left( h_0 \cdot \prod _{i=1}^N h_i^{y_i}\right) ^r,\\ \sigma _2&=g_1^r, \quad \sigma _3=g_1^z \cdot z_N^{\frac{\delta _0}{t_0 \cdot (M-M^{\dagger })}}, \end{aligned}$$

for a random \(r \leftarrow \mathbb {Z}_p\). Since \(\alpha \) is implicitly defined as \(\alpha =\gamma ^{N+1}\cdot \delta _0\), the above triple is easily seen to have the required distribution (6).

Forgery: The adversary eventually outputs a forgery \(\sigma ^\star =(\sigma _1^\star ,\sigma _2^\star ,\sigma _3^\star )\) for some message \(\textsf {Msg}^\star \) and the target access policy \(\varGamma ^\star =(s^\star ,S^\star )\). At this step, \(\mathcal {B}\) computes \(M^\star =H(\textsf {Msg}^\star ,\varGamma ^\star )\) by checking its list of oracle queries. It aborts if it holds that either:

  1. The hash value \(M^\star =H(\textsf {Msg}^\star ,\varGamma ^\star )\) is not equal to \(M^{\dagger }\);

  2. \(\mathcal {F}\) made a signing query \((\textsf {Msg},\varGamma )\) such that \((\textsf {Msg},\varGamma )\ne (\textsf {Msg}^\star , {\varGamma }^\star )\) and \(H(\textsf {Msg},\varGamma )=H(\textsf {Msg}^\star , \varGamma ^\star )\).

Case 2 cannot occur under the assumption that H is collision-resistant. Conditioned on Case 2 not occurring, the complementary event of Case 1 occurs with probability \(1/q_H\).

Assuming the simulator \(\mathcal {B}\) does not abort, it can compute \(z_{N+1}=g_1^{\gamma ^{N+1}}\) as follows. Since the vector \(\mathbf {Y}=(y_1,\ldots ,y_N)^\top \) derived from \(\varGamma ^\star \) is such that \(f_0 \cdot \prod _{i=1}^N f_i^{y_i} =g_2^{\theta _0 + \langle \mathbf {\theta },\mathbf {Y} \rangle } \), \(v_0^{M} \cdot v_1 =v_0^{M^{\dagger }} \cdot v_1= g_2^{t_1}\), and \(\sigma ^\star \) satisfies Eq. (4), we must have

$$\begin{aligned} e(g_1,g_2)^{(\gamma ^{N+1}) \cdot \delta _0}= \frac{ e(\sigma _1^\star ,g_2) }{ e\left( \sigma _2^\star , g_2^{\theta _0 + \langle \mathbf {\theta },\mathbf {Y} \rangle }\right) \cdot e(\sigma _3^\star , g_2^{t_1})}. \end{aligned}$$

This implies that \(z_{N+1}= \Big ( \frac{\sigma _1^\star }{(\sigma _2^\star )^{ \theta _0+ \langle \mathbf {\theta },\mathbf {Y} \rangle } \cdot (\sigma _3^\star )^{t_1} }\Big )^{1/\delta _0},\) which is computable by \(\mathcal {B}\). \(\square \)

Appendix 2: IBDT with special key management

As mentioned in Sect. 4.4, our key management requires slightly modifying the IBDT scheme to use it for \(\ell >1\) (for \(\ell =1\) the scheme would be the same). Indeed, according to our key management structure, a user \(\mathbf{id}_i\) receives all the secret keys associated with a vector of identity-based public keys \(\{\textsf {ik}_1^{\mathbf{id}_i},\ldots ,\textsf {ik}_\ell ^{\mathbf{id}_i}\}\) and we want to make sure that a valid signature is constructed from the secret keys corresponding to s different users \(\mathbf{id}_1,\ldots ,\mathbf{id}_s\) (and not, for example, by combining s different secret keys of a single user).

It is straightforward to modify the IBDT scheme for this special key management. Given a user \(\mathbf{id}\) who requests the secret keys for a set of identity-based public keys \(\mathbf {IK}_{\mathbf{id}}=\{\textsf {ik}_1^{\mathbf{id}},\ldots ,\textsf {ik}_\ell ^{\mathbf{id}}\}\), the secret keys that he receives are essentially just \(\ell \) secret keys of the original IBDT scheme described in Sect. 4, except that the keys are randomized to make sure that the secret key for identity-based public key \(\textsf {ik}_j^{\mathbf{id}}\), for any \(j=1,\ldots ,\ell \), can only be used together with secret keys for the j-th identity-based public keys of other users. A straightforward application of this idea would mean that each user receives a secret key which is \(\ell \) times the size of a single IBDT key. To increase efficiency, some parts of the keys are reused. More specifically, below we give a detailed account of how to adapt the IBDT scheme to our key management design when \(\ell >1\).

Note that we implicitly assume that, for all \(j \ne j'\), the values of the j-th and the \(j'\)-th component of vector \(\mathbf {IK}_{\mathbf{id}}\) are taken from two disjoint and easily recognizable sets. This is the case for instance if the j-th component of \(\mathbf {IK}_{\mathbf{id}}\) is of the form \(j||d_{j}\), as we suggested.

  • \(\blacktriangleright \textsf {Setup}(1^\lambda , \mathcal {ID}, n, \ell )\): The only change here is that now identities are \(\ell \)-dimensional vectors of elements in \([p-1/2]\), denoted by \(\mathbf {ID}_\mathbf{id}\), and that the master secret key is \(\textsf {msk}=(g_1^{\alpha }, Q_1,\ldots ,Q_{\ell })\), where the \(Q_i[X]\) are polynomials in \(\mathbb {Z}_p[X]\) of degree \(n-1\) chosen independently and uniformly at random subject to \(Q_i(0)=\alpha \). Note that \(\textsf {mpk}\) is unchanged.

  • \(\blacktriangleright \textsf {Keygen}(\textsf {pms},\textsf {mpk},\textsf {msk}, \mathbf {IK}_\mathbf{id})\): This algorithm generates a secret key vector \(\mathbf {SK}_{\mathbf{id}}:=(\{D_{\mathbf{id},1,k}\}_{k=1}^{\ell }, D_{\mathbf{id},2}, K_{\mathbf{id},1}, \dots , K_{\mathbf{id},N-1}, \{ \{D_{\mathbf{id},j,1,k}\}_{k=1}^{\ell }, D_{\mathbf{id},j,2},K_{\mathbf{id},j,1}, \dots , K_{\mathbf{id},j,N-1}\}_{j=1\ldots n-1})\) by picking fresh random elements \(r_{\mathbf{id}},r_{\mathbf{id},1},\ldots ,r_{\mathbf{id},n-1} \leftarrow \mathbb {Z}_p\) and setting:

    $$\begin{aligned}&\{D_{\mathbf{id},1,k} = g_1^{Q_{k}(\mathbf{id})} \cdot h_0^{r_{\mathbf{id}}}\}_{k=1}^{\ell }, \nonumber \\&D_{\mathbf{id},2} =g_1^{r_{\mathbf{id}}}, \nonumber \\&\Big \{ K_{\mathbf{id},i} =\big (h_1^{- \mathbf{id}^i} \cdot h_{i+1} \big )^{r_{\mathbf{id}}} \Big \}_{i=1,\dots ,N-1}, \nonumber \\&\Big \{ \{D_{\mathbf{id},j,1,k} = g_1^{Q_{k}(d_j)} \cdot h_0^{r_{\mathbf{id},j}}\}_{k=1}^{\ell }, D_{\mathbf{id},j,2} =g_1^{r_{\mathbf{id},j}}, \nonumber \\&\big \{K_{\mathbf{id},j,i}=\big (h_1^{-d_j^i} \cdot h_{i+1} \big )^{r_{\mathbf{id},j}} \big \}_{i=1,\dots ,N-1} \Big \}_{j=1,\dots ,n-1}. \end{aligned}$$
    (7)

Algorithm \(\textsf {Sign}\) is the same as specified in Sect. 4 except that messages are signed not for the whole vector of identity-based public keys \(\mathbf {IK}_{\mathbf{id}}=\{\textsf {ik}_1^{\mathbf{id}},\ldots ,\textsf {ik}_\ell ^{\mathbf{id}}\}\) but for one single component \(\textsf {ik}_j^{\mathbf{id}}\). Similarly, algorithm \(\textsf {Comb}\) is the same as in the original IBDT, except that it takes as input a set of signatures for some identities \(\textsf {ik}_{j_1}^{\mathbf{id}_1},\ldots , \textsf {ik}_{j_s}^{\mathbf{id}_s}\) and combines them in a single signature in case \(j_1=\ldots =j_s\) and outputs \(\perp \) otherwise.

Note that in terms of efficiency, with respect to the original IBDT scheme, users have to store \(2(\ell -1)\) additional group elements as part of their secret key. The size of the public parameters and the cost of the signing and combining algorithms are unchanged.

The security proof of the original IBDT scheme can be trivially modified to prove the security of this scheme. Indeed, it suffices to define in the new proof \(Q_1[X]:=Q[X]\) and the rest of the polynomials \(Q_j[X]\) as \(Q_j:=Q_1+R_j\), for some polynomial \(R_j\) chosen uniformly at random subject to \(R_j(0)=0\). Since the simulator \(\mathcal {B}\) can choose the polynomials \(R_j\) on its own, it is obvious that \(\mathcal {B}\) can simulate the secret keys for any vector of identity-based public keys \(\mathbf {IK}_{\mathbf{id}}=\{\textsf {ik}_1^{\mathbf{id}},\ldots ,\textsf {ik}_\ell ^{\mathbf{id}}\}\) for all \(\mathbf {IK}_{\mathbf{id}}\) not in the challenge set \(S^*\) in the same way \(\mathcal {B}\) simulated the secret keys for all identities not in \(S^*\) in the original IBDT proof.


Domingo-Ferrer, J., Blanco-Justicia, A. & Ràfols, C. Dynamic group size accreditation and group discounts preserving anonymity. Int. J. Inf. Secur. 17, 243–260 (2018). https://doi.org/10.1007/s10207-017-0368-y
