### Efficient Distributed Tag-Based Encryption and its Application to Group

### Signatures with Efficient Distributed Traceability

Essam Ghadafi

Computer Science Department, University of Bristol, UK

Abstract. In this work, we first formalize the notion of dynamic group signatures with distributed traceability, where the capability to trace signatures is distributed amongnmanagers without requiring any interaction. This ensures that only the participation of all tracing managers permits tracing a signature, which reduces the trust placed in a single tracing manager. The threshold variant follows easily from our definitions and constructions. Our model offers strong security requirements. Our second contribution is a generic construction for the notion which has a concurrent join protocol, meets strong security requirements, and offers efficient traceability, i.e. without requiring tracing managers to produce expensive zero-knowledge proofs for tracing correctness. To dispense with the expensive zero-knowledge proofs required in the tracing, we deploy a distributed tag-based encryption with public verifiability. Finally, we provide some concrete instantiations, which, to the best of our knowledge, are the first efficient provably secure realizations in the standard model simultaneously offering all the aforementioned properties. To realize our constructions efficiently, we construct an efficient distributed (and threshold) tag-based encryption scheme that works in the efficient Type-III asymmetric bilinear groups. Our distributed tag-based encryption scheme yields short ciphertexts (only 1280 bits at 128-bit security), and is secure under an existing variant of the standard decisional linear assumption. Our tag-based encryption scheme is of independent interest and is useful for many applications beyond the scope of this paper. As a special case of our distributed tag-based encryption scheme, we get an efficient tag-based encryption scheme in Type-III asymmetric bilinear groups that is secure in the standard model.

Keywords. Group signatures, distributed traceability, distributed public-key encryption, standard model.

1 Introduction

Group signatures, introduced by Chaum and van Heyst [25], are a fundamental cryptographic primitive allowing a member of a group (administered by a designated manager) to anonymously sign messages on behalf of the group. In the case of a dispute, a designated tracing manager can revoke anonymity by revealing the signer. The downside of granting a single entity the capability to trace signatures is the high trust placed in such an entity. As a result, anonymity in group signatures relying on a single tracing authority only holds if the tracing authority is fully honest. More precisely, a misbehaving tracing au-thority could abuse the power granted to it and open signatures need not be opened. Therefore, reducing the trust placed in the tracing manager by distributing the tracing capability among different parties is desirable. While some of the existing schemes can be translated into the distributed traceability setting by utilizing standard secret-sharing techniques, e.g. [10, 50], unfortunately, most of those secure in the strong Bellare et al. model [13], would become impractical due to the expensive zero-knowledge proofs required in the tracing.

Related Work. After their introduction, a long line of research on group signatures has emerged. Bellare, Micciancio and Warinschi [11] formalized the security definitions for group signatures supporting static groups. In such a notion, the group population is fixed at the setup phase. Moreover, the group manager (which also provides the traceability feature) needs to be fully trusted. Later, Bellare, Shi and Zhang [13] provided formal security definitions for the more practical dynamic case where members can enroll at any time. Also, [13] separated the tracing role from the group management.

group, they cannot frame an honest member. More recently, Sakai et al. [49] strengthened the security definitions of group signatures by adding the opening soundnessrequirement. The stronger variant of opening soundness ensures that even if all entities are corrupt, it is infeasible to produce a signature that traces to two different members.

Constructions of group signatures in the random oracle model [12] include [24, 23, 8, 18, 22, 21, 46, 29, 41, 26, 15]. Constructions not relying on random oracles include [7, 35, 19, 36, 20, 5, 43, 44]. Other measures in which the above mentioned constructions differ are: the security they offer, the size of the signatures they yield and the round complexity of the join protocol. For instance, some constructions, e.g. [18–20, 5], only offer a weaker variant of the anonymity requirement (i.e. CPA-Anonymity [18]) where the adversary is not granted access to a tracing oracle. On the other hand, other constructions, e.g. [36, 26], offer full anonymity where in the game the adversary is allowed to ask for any signature except the challenge signature to be traced.

Different approaches have been proposed to minimize the trust placed in the tracing manager. Sakai et al. [48] recently proposed the notion of group signatures with message-dependent opening. In such a notion, an admitter specifies what messages signatures upon which can be traced. This prevents the tracing manager from opening signatures on messages not admitted by the admitter. In [38], the authors informally highlighted how to extend their linkable group signature scheme (secure in the random oracle model) to provide distributed traceability. In [30], the authors presented a scheme where the roles of the managers can be distributed. Their scheme is only non-frameable against honest tracing managers, and requires both random oracles and the generic group model.

Benjumea et al. [14] introduced the notion of fair traceable multi-group signatures which combines the features of group signatures and traceable signatures [40] and in which traceability requires the co-operation of a judge with designated parties known as fairness authorities. The authors also provided a construction of their primitive in the random oracle model.

Zheng et al. [51] extended Manulis’s notion of democratic group signatures [45] to add threshold traceability where group members must collude to trace signatures. Democratic group signatures differ from group signatures in many aspects. In the former, the roles of the group and tracing managers are eliminated and the group is managed by the members themselves. In addition, signatures are only anonymous to non-members.

Our Contribution. We offer the following contributions:

1. A formal security model for group signatures with distributed traceability without requiring any interaction. Only the participation of allntracing managers makes it possible to trace a signature. The more generalk out ofnthreshold case follows easily from our definitions. Our model offers strong security including the notion of tracing soundness [49].

2. A generic framework for constructing group signatures with efficient (i.e. without requiring expen-sive zero-knowledge proofs in the tracing) distributed traceability that supports dynamic groups with a concurrent join protocol and which is provably secure w.r.t. our strong security model.

3. Instantiations of the generic framework in the standard model. To the best of our knowledge, they are the first provably secure realizations not relying on idealized assumptions offering all the afore-mentioned properties.

Paper Organization. In Section 2, we give some preliminary definitions. We present our model for group signatures with distributed traceability in Section 3. We present the building blocks we use in Section 4. In Section 5, we present our generic construction and provide a proof of its security. In Section 6, we present instantiations in the standard model.

Notation. A functionν(.) : N→ R+is negligible incif for every polynomialp(.)and all sufficiently

large values ofc, it holds thatν(c) < _{p}_{(}1_{c}_{)}. Given a probability distribution Y, we denote byx ← Y
the operation of selecting an element according to Y. IfM is a probabilistic machine, we denote by
M(x1, . . . , xn)the output distribution ofMon inputs(x1, . . . , xn). By[n]we denote the set{1, . . . , n}.

By PPT we mean running in probabilistic polynomial time in the relevant security parameter.

2 Preliminaries

In this section we provide some preliminary definitions.

Bilinear Groups. A bilinear group is a tupleP := (G,G˜,T, p, G,G, e˜ )whereG,G˜ andTare groups of

a prime orderp, andGandG˜generateGandG˜, respectively. The functioneis a non-degenerate bilinear

mape:G×G˜ −→ T. We use multiplicative notation for all the groups. We letG× := G\ {1G}and

˜

G×:= ˜G\ {1_{G}˜}. In this paper, we focus on the efficient Type-III setting [32], whereG6= ˜Gand there

is no isomorphism between the groups in either direction. We assume there is an algorithmBGrpSetup taking as input a security parameterλand outputting a description of bilinear groups.

Complexity Assumptions. We use the following existing assumptions:

Symmetric External Decisional Diffie-Hellman (SXDH). The Decisional Diffie-Hellman (DDH) assump-tion holds in both groupsGandG˜.

Decisional Linear inG(DLING) Assumption [33, 1]. GivenPand a tuple(Gh, Gv, Gu, Grh, Gsv, Gut)∈

G6for unknownh, r, s, t, u, v∈Zp, it is hard to determine whether or nott=r+s.

External Decisional Linear inG(XDLING) Assumption [1]1. GivenP and a tuple(Gh, Gv, Gu, Grh, Gsv, Gut,G˜h,G˜v,G˜u,G˜rh,G˜sv)∈G6×G˜5for unknownh, r, s, t, u, v∈Zp, it is hard to determine

whether or nott=r+s.

q-Strong Diffie-Hellman (q-SDH) Assumption inG[17]. Given the tuple(G, Gx, . . . , Gx

q

)∈_{G}q+1_{for}

x←_{Z}_{p}, it is hard to output a pair(c, Gx+c1 _{)}∈_{Z}

p×Gfor an arbitraryc∈Zp\{−x}.

q-AGHO [3]. Given a random tuple (G,G,˜ W ,˜ X,˜ Y˜) ∈ G× G˜4, and q uniformly random tuples (Ai, Bi, Ri,Di˜ )∈G3×G˜, each satisfying:

e(Ai,D˜i) =e(G,G˜)

e(G,X˜) =e(Ai,W˜)e(Bi,G˜)e(Ri,Y˜),

it is hard to output a new tuple(A∗, B∗, R∗,D˜∗_{)}_{satisfying the above equations.}

Group Signatures. Here we briefly review the model of Bellare et al. [13] for dynamic group signatures with a single tracing authority. A dynamic group signature scheme consists of the following algorithms:

• _{GKg}_{(1}λ_{)}_{outputs a group public key}_{gpk}_{, a group manager’s secret key}_{msk}_{and a tracing key}_{tsk}_{.}
• _{UKg}_{(1}λ_{)}_{outputs a secret/public key pair}_{(}_{usk}_{[}_{uid}_{]}_{,}_{upk}_{[}_{uid}_{])}_{for user}_{uid}_{.}

• h_{Join}_{(}_{gpk}_{,}_{uid}_{,}_{usk}_{[}_{uid}_{])}_{,}_{Issue}_{(}_{msk}_{,}_{uid}_{,}_{upk}_{[}_{uid}_{])}i _{is an interactive protocol between a user}_{uid}

and the group manager GMvia which the user joins the group. If successful, the final state of the Issuealgorithm is stored in the registration table at indexuid(i.e.reg[uid]), whereas that of theJoin algorithm is stored ingsk[uid]and is used as the user’s group signing key.

• _{Sign}_{(}_{gpk}_{,}_{gsk}_{[}_{uid}_{]}_{, m}_{)}_{outputs a group signature}_{Σ}_{on the message}_{m}_{by member}_{uid}_{.}

1

• _{Verify}_{(}_{gpk}_{, m, Σ}_{)}_{verifies whether or not}_{Σ}_{is a valid group signature on}_{m}_{outputting a bit.}
• _{Trace}_{(}_{gpk}_{,}_{tsk}_{, m, Σ,}_{reg}_{)}_{is the tracing algorithm in which the tracing manager uses its tracing key}

tsk to identify the group memberuidwho produced the signatureΣ plus a proofπTrace for such a

claim.

• _{TraceVerify}_{(}_{gpk}_{,}_{uid}_{, π}

Trace,upk[uid], m, Σ) verifies the tracing proof πTrace outputting a bit

ac-cordingly.

Besides correctness, the security requirements defined by [13] are:

• _{Anonymity:}_{A group signature does not reveal the identity of the member who produced it even when}

the keys of the group manager and all group members are all revealed. This requirement relies on the tracing manager being fully honest.

• _{Non-Frameability:} _{Even if the group and tracing managers collude with the rest of the group, they}

cannot frame an honest group member.

• _{Traceability:}_{Even if the tracing manager and all group members are corrupt, they cannot produce a}

signature that does not trace to a member of the group.

3 Syntax and Security of Dynamic Group Signatures with Distributed Traceability

The parties involved in a Dynamic Group Signature with Distributed Traceability (DGSDT) are: a group managerGMwho authorizes who can join the group;κtracing managersTM1, . . . ,TMκ which only the participation of all of which makes it possible to identify who produced a signature; a set of users who can join group at any time by contacting the group manager. ADGSDT scheme consists of the following polynomial-time algorithms:

• _{GKg}_{(1}λ_{, κ}_{)}_{is run by a trusted third party. On input a security parameter}_{λ}_{and the number of tracing}

managersκ, it outputs a group public keygpk, a group manager’s secret keymskand secret tracing keys{tski}κi=1.

• _{UKg}_{(1}λ_{)}_{outputs a secret/public key pair}_{(}_{usk}_{[}_{uid}_{]}_{,}_{upk}_{[}_{uid}_{])}_{for user}_{uid}_{. We assume that the }

pub-lic key tableupkis publicly available (possibly via some PKI) so that anyone can obtain authentic copies of the public keys.

• h_{Join}_{(}_{gpk}_{,}_{uid}_{,}_{usk}_{[}_{uid}_{])}_{,}_{Issue}_{(}_{msk}_{,}_{uid}_{,}_{upk}_{[}_{uid}_{])}i _{is an interactive protocol between a user}_{uid}

and the group managerGM. Upon successful completion,uidbecomes a member of the group. The final state of theIssuealgorithm is stored in the registration table at indexuid(i.e.reg[uid]), whereas that of theJoinalgorithm is stored ingsk[uid]. We assume that the communication in this interactive protocol takes place over a secure (i.e. private and authentic) channel. The protocol is initiated by a call toJoin.

• _{Sign}_{(}_{gpk}_{,}_{gsk}_{[}_{uid}_{]}_{, m}_{)}_{on input the group public key}_{gpk}_{, a user’s group signing key}_{gsk}_{[}_{uid}_{]}_{and}

a messagem, outputs a group signatureΣonmby the group memberuid.

• _{Verify}_{(}_{gpk}_{, m, Σ}_{)} _{is a deterministic algorithm which checks whether or not} _{Σ} _{is a valid group}

signature onmoutputting a bit.

• _{TraceShare}_{(}_{gpk}_{,}_{tsk}

i, m, Σ) on input the group public key gpk, a tracing key tski belonging to tracing managerTMi, a messagem and a signatureΣ, it outputs(ν, πTrace)whereν is the tracing

share ofTMiofΣandπTraceis a proof for the correctness of the tracing share. IfTMi is unable to compute her share, she outputs(⊥,⊥). If the validity of the shares are publicly verifiable, we just omitπTrace.

• _{ShareVerify}_{(}_{gpk}_{,}_{tid}_{, ν, π}

Trace, m, Σ) verifies whether the shareν is a valid tracing share ofΣ by

tracing managerTMtidoutputting a bit accordingly.

• _{TraceCombine}_{(}_{gpk}_{,}{_{(}_{ν, π}

Trace)i}κi=1, m, Σ,reg)on input the group public keygpk,κtracing shares

unable to trace the signature to a user, it returns(0, θTrace). This algorithm does not require any secret

information and hence could be run by any party.

• _{TraceVerify}_{(}_{gpk}_{,}_{uid}_{, θ}

Trace,upk[uid], m, Σ)on input the group public keygpk, a user identityuid,

a tracing proofθTrace, the user’s public keyupk[uid], a messagem, and a signatureΣ, outputs1if

θTraceis a valid proof thatuidhas producedΣor0otherwise.

3.1 Security of Dynamic Group Signatures with Distributed Traceability

Our model extends Bellare’s et al. model [13] to provide distributed traceability and additionally cap-tures tracing soundness as recently defined by [49] in the context of group signacap-tures with a single trac-ing manager, which is vital for many applications as we explain later. Moreover, our non-frameability definition is slightly stronger than that of [13].

The security requirements of a dynamic group signature with distributed traceability are:correctness,

anonymity,non-frameability,traceabilityandtracing soundness. To define those requirements, we use a set of games in which the adversary has access to a set of oracles. The following global lists are maintained:HULis a list of honest users;CULis a list of corrupt users whose personal secret keys have been chosen by the adversary;BULis a list of bad users whose personal and group signing keys have been revealed to the adversary;SLis a list of signatures obtained from theSignoracle;CLis a list of challenge signatures obtained from the challenge oracle.

The details of the following oracles are given in Fig. 1.

AddU(uid) adds an honest useruidto the group.

CrptU(uid,pk)adds a new corrupt user whose public keyupk[uid]is chosen by the adversary. This is called in preparation for calling theSndMoracle.

SndM(uid, Min) used to engage in theJoin-Issueprotocol with the honest,Issue-executing group

man-ager.

SndU(uid, Min) used to engage in theJoin-Issueprotocol with an honest, Join-executing user uid on behalf of the corrupt group manager.

RReg(uid) returns the registration informationreg[uid]of useruid. WReg(uid, val)modifies the entryreg[uid]by settingreg[uid] :=val.

RevealU(uid) returns the personal secret key usk[uid] and the group signing key gsk[uid] of group memberuid.

Sign(uid, m) returns a signature on the messagemby the group memberuid.

CHb(uid0,uid1, m) is a left-right oracle for defining anonymity. The adversary sends a couple of

identi-ties(uid0,uid1)and a messagemand receives a group signature by memberuidbforb← {0,1}. TraceShare(tid, m, Σ) returns the tracing share of signatureΣof tracing managerTMtid.

Trace(m, Σ) returns the identity of the signer of the signatureΣ, i.e. first obtains the different tracing shares and then combines them.

The following security requirements are defined by the games in Fig. 2.

Correctness. This guarantees that: signatures produced by honest users are accepted by the Verify al-gorithm, the tracing shares are accepted by theShareVerifyalgorithm, and the final tracing outcome of TraceCombineis accepted by the TraceVerifyalgorithm and points out to the user who produced the signature.

Formally, a DGSDT scheme is correctif for all λ, κ ∈ _{N}, the advantage AdvCorr_{DGSDT}_{,}_{A}_{,κ}(λ) :=
Pr[ExpCorr_{DGSDT}_{,}_{A}_{,κ}(λ) = 1]is negligible for all PPT adversariesA.

AddU(uid)

?Ifuid∈HUL∪CUL∪BULThen Return⊥.

?(usk[uid],upk[uid])←UKg(1λ).

?HUL:=HUL∪ {uid},certuid:=⊥,decuidIssue:=cont.

?stuid_{Join}:= (gpk,uid,usk[uid]).

?stuid_{Issue}:= (msk,uid,upk[uid]).

?(stuid_{Join}, MIssue,decuidJoin)←Join(st
uid
Join,⊥).

?While(decuid_{Issue}=contanddecuid_{Join}=cont)Do

◦(stuid_{Issue}, MJoin,decuidIssue)←Issue(st
uid

Issue, MIssue).
◦(stuid_{Join}, MIssue,decuidJoin)←Join(st

uid

Join, MJoin).

?IfdecuidIssue=acceptThenreg[uid] :=stuidIssue.

?Ifdecuid_{Join}=acceptThengsk[uid] :=stuid_{Join}.

?Returnupk[uid].

SndU(uid, Min)

?Ifuid∈CUL∪BULThen Return⊥.

?Ifuid∈/HULThen

◦HUL:=HUL∪ {uid}.

◦(usk[uid],upk[uid])←UKg(1λ).

◦gsk[uid] :=⊥,Min:=⊥.

?Ifdecuid_{Join}6=contThen Return⊥.

?IfstuidJoinis undefined

◦stuid_{Join}:= (gpk,uid,usk[uid]).

?(stuid_{Join}, Mout,decJoinuid )←Join(stuidJoin, Min)

?Ifdecuid_{Join}=acceptThengsk[uid] :=stuid_{Join}.

?Return(Mout,decuidJoin).

Trace(m, Σ)

?Return(⊥,⊥)ifVerify(gpk, m, Σ) = 0or(m, Σ)∈CL.

?Fortid= 1ToκDo

◦(ν, πTrace)tid←TraceShare(gpk,tsktid, m, Σ).

?ReturnTraceCombine(gpk,{(ν, πTrace)i}κi=1, m, Σ,reg).

TraceShare(tid, m, Σ)

?Return(⊥,⊥)ifVerify(gpk, m, Σ) = 0or(m, Σ)∈CL.

?ReturnTraceShare(gpk,tsktid, m, Σ).

RevealU(uid)

?Return⊥ifuid∈/HUL\(CUL∪BUL).

?BUL:=BUL∪ {uid}.

?Return(usk[uid],gsk[uid]).

CrptU(uid,pk)

?Return⊥ifuid∈HUL∪CUL.

?CUL:=CUL∪ {uid}.

?upk[uid] :=pk,decuid_{Issue}:=cont.

?stuid_{Issue}:= (msk,uid,upk[uid]).

?Returnaccept.

RReg(uid)

?Returnreg[uid].

WReg(uid, val)

?reg[uid] :=val.

SndM(uid, Min)

?Return⊥ifuid6∈CUL∪BUL.

?Return⊥ifdecuid_{Issue}6=cont.

?Ifstuid_{Issue}is undefined

◦stuid_{Issue}:= (msk,uid,upk[uid]).

?(stuid_{Issue}, Mout,decuidIssue)←Issue(stuidIssue, Min).

?Ifdecuid_{Issue}=acceptThenreg[uid] :=stuid_{Issue}.

?Return(Mout,decuidIssue).

Sign(uid, m)

?Return⊥ifuid∈/HULorgsk[uid] =⊥.

? Σ←Sign(gpk,gsk[uid], m).

?SL:=SL∪ {(uid, m, Σ)}.

?ReturnΣ.

CHb(uid0,uid1, m)

?Return⊥ifuid0∈/HULoruid1∈/HUL.

?Return⊥if∃b∈ {0,1}s.t.gsk[uidb] =⊥.

? Σ←Sign(gpk,gsk[uidb], m).

?CL:=CL∪ {(m, Σ)}.

[image:6.595.84.516.60.458.2]?ReturnΣ.

Fig. 1.Details of the oracles used in the security games

Since the adversary can learn the personal secret and group signing keys of any user, including the challenge users, our definition captures full key exposure attacks. Also, since the adversary can corrupt up toκ−1tracing managers, it can obtain up toκ−1tracing shares of the challenge signature.

In the game, the adversary chooses a message and two group members and gets a signature by either member and wins if it correctly guesses the member. WLOG we allow the adversary a single call to the challenge oracle. A hybrid argument (similar to that used in [13]) can be used to prove that this is sufficient.

Formally, aDGSDT scheme is(fully) anonymousif for allλ, κ∈_{N}, the advantageAdvAnon_{DGSDT}_{,}_{A}_{,κ}(λ)

is negligible for all PPT adversariesA, where

AdvAnonDGSDT,A,κ(λ) :=

Pr[ExpAnon-0_{DGSDT}_{,}_{A}_{,κ}(λ) = 1]−Pr[ExpAnon-1_{DGSDT}_{,}_{A}_{,κ}(λ) = 1]
.

Experiment:ExpCorr_{DGSDT}_{,}_{A}_{,κ}(λ)

•(gpk,msk,{tski}κi=1)←GKg(1λ, κ);HUL:=∅.

•(uid, m)← A(gpk:AddU(·),RReg(·)).

•Ifuid∈/HULorgsk[uid] =⊥Then Return0.

•Σ←Sign(gpk,gsk[uid], m).

•IfVerify(gpk, m, Σ) = 0Then Return 1.

•Fortid= 1ToκDo

◦(ν, πTrace)tid←TraceShare(gpk,tsktid, m, Σ). ◦Ifνtid=⊥orπTracetid=⊥Then Return 1.

◦IfShareVerify(gpk,tid, νtid, πTracetid, m, Σ) = 0Then Return 1.

•(uid∗, θTrace)←TraceCombine(gpk,{(ν, πTrace)tid}κtid=1, m, Σ,reg).

•Ifuid6=uid∗Then Return 1.

•IfTraceVerify(gpk,uid, θTrace,upk[uid], m, Σ)6= 1Then Return 1 Else Return 0.

Experiment:ExpAnon-b_{DGSDT}_{,}_{A}_{,κ}(λ)
•(stinit,BTL⊂[κ])← Ainit(λ, κ).
•(gpk,msk,{tski}κi=1)←GKg(1λ, κ).

•HUL,CUL,BUL,SL,CL:=∅.

•b∗← Aguess`stinit,gpk,msk,{tski}i∈BTL:AddU(·),CrptU(·,·),SndU(·,·),WReg(·,·,),RevealU(·),

TraceShare(·,·,·),Trace(·,·),CHb(·,·,·)

´ .

•Returnb∗.

Experiment:ExpNon-Frame_{DGSDT}_{,}_{A}_{,κ}(λ)
•(gpk,msk,{tski}κi=1)←GKg(1λ, κ).

•HUL,CUL,BUL,SL:=∅.

•(m∗, Σ∗,uid∗, θ∗_{Trace})← A`

gpk,msk,{tski}κi=1:CrptU(·,·),SndU(·,·),WReg(·,·),RevealU(·),

Sign(·,·)´ .

•IfVerify(gpk, m∗, Σ∗) = 0Then Return 0.

•IfTraceVerify(gpk,uid∗, θ∗_{Trace},upk[uid∗], m∗, Σ∗)6= 1Then Return 0.

•Ifuid∗∈/HUL\BULor(uid∗, m∗, Σ∗)∈SLThen Return0Else Return1.
Experiment:ExpTrace_{DGSDT}_{,}_{A}_{,κ}(λ)

•(gpk,msk,{tski}κi=1)←GKg(1 λ

, κ).

•HUL,CUL,BUL,SL:=∅.

•(m∗, Σ∗)← A`

gpk,{tski}κi=1:AddU(·),CrptU(·,·),SndM(·,·),RevealU(·),Sign(·,·),RReg(·)

´ .

•IfVerify(gpk, m∗, Σ∗) = 0Then Return 0.

•Fortid= 1ToκDo

◦(ν, πTrace)tid←TraceShare(gpk,tsktid, m∗, Σ∗). ◦Ifνtid=⊥orπTracetid=⊥Then Return 1.

◦IfShareVerify(gpk,tid, νtid, πTracetid, m

∗_{, Σ}∗_{) = 0}_{Then Return 1.}

•(uid∗, θ∗_{Trace})←TraceCombine(gpk,{(ν, πTrace)i}κi=1, m∗, Σ∗,reg).

•Ifuid∗= 0orTraceVerify(gpk,uid∗, θ_{Trace}∗ ,upk[uid∗], m∗, Σ∗) = 0Then Return 1 Else Return 0.
Experiment:ExpTrace-Sound_{DGSDT}_{,}_{A}_{,κ}(λ)

•(gpk,msk,{tski}κi=1)←GKg(1λ, κ).

•HUL,CUL,BUL,SL:=∅.

•(m∗, Σ∗,uid∗1, θ∗Trace1,uid ∗

2, θ∗Trace2)← A

`

gpk,msk,{tski}κi=1:CrptU(·,·),WReg(·,·)

´ .

•IfVerify(gpk, m∗, Σ∗) = 0oruid∗1=uid∗2oruid∗1=⊥oruid∗2=⊥Then Return 0.

•If∃i∈ {1,2}s.t.TraceVerify(gpk,uid∗i, θTrace∗ i,upk[uid

∗

[image:7.595.86.498.68.590.2]i], m∗, Σ∗) = 0Then Return 0 Else Return 1.

Fig. 2.Security games for dynamic group signatures with distributed traceability

Formally, aDGSDT scheme isnon-frameableif for allλ, κ∈_{N}, the advantageAdvNon-Frame_{DGSDT}_{,}_{A}_{,κ}(λ) :=
Pr[ExpNon-Frame_{DGSDT}_{,}_{A}_{,κ}(λ) = 1]is negligible for all PPT adversariesA.

Traceability. This ensures that the adversary cannot produce a signature that cannot be traced to a member in the group. In the game, the adversary can corrupt any user and learn the tracing keys of all tracing managers. The only restriction is that the adversary is not given the group manager’s secret key as this would allow it to create dummy users which are thus untraceable.

Tracing Soundness. Tracing soundness, as recently defined by [49] in the context of group signatures with a single tracing manager, requires that even if the group and all tracing managers as well as all members of the group collude, they cannot produce a valid signature that traces to two different mem-bers. As shown (in the single tracing authority setting) in [49], such a property is important for many applications. For example, applications where signers might get rewarded or where abusers might be prosecuted. In such applications, it is important that signatures can only trace to one user. Refer to [49] for more details.

Formally, a DGSDT scheme has tracing soundness if for all λ, κ ∈ _{N}, AdvTrace-Sound_{DGSDT}_{,}_{A}_{,κ}(λ) :=
Pr[ExpTrace-Sound_{DGSDT}_{,}_{A}_{,κ}(λ) = 1]is negligible for all PPT adversariesA.

4 Building Blocks

In this section we present the building blocks that we use in our constructions.

4.1 Distributed Tag-Based Encryption with Public Verification

A Distributed Tag-Based Encryption scheme DTBE is a special case of threshold tag-based encryption [6] wherenout ofndecryption servers must compute their decryption shares honestly for the decryp-tion to succeed. Public verificationrequires that checking the well-formedness of the ciphertext only require public information. We say the scheme isnon-interactiveif decrypting a ciphertext requires no interaction among the decryption servers. Also, the scheme isrobustif invalid decryption shares can be identified by the combiner.

Formally, a DTBE scheme for a message space MDT BE and a tag space TDT BE is a tuple of

polynomial-time algorithms(Setup,Enc,IsValid,ShareDec,ShareVerify,Combine),whereSetup(1λ, n)

outputs a public key pk and vectors svk = (svk1, . . . ,svkn) and sk = (sk1, . . . ,skn) of verifica-tion/secret keys for the decryption servers;Enc(pk, t, m)outputs a ciphertextCdtbe on the messagem

under the tagt;IsValid(pk, t, Cdtbe) outputs 1if the ciphertext is valid under the tag tw.r.t. the pubic

keypkor0otherwise;ShareDec(pk,ski, t, Cdtbe)takes as input the public keypk, the i-th server secret

keyski, a tagt, and the ciphertextCdtbe, and outputs the i-th server decryption shareνiofCdtbe or the

reject symbol⊥;ShareVerify(pk,svki, t, Cdtbe, νi)takes as input the public keypk, the i-th server

veri-fication keysvki, a tagt, the ciphertextCdtbe, and the i-th server decryption shareνiand outputs 1 if the decryption shareνi is valid or 0 otherwise.Combine(pk,{svki}in=1,{νi}ni=1, Cdtbe, t)outputs either the

messagemor the reject symbol⊥.

We say the scheme iscorrectif for every messagem ∈ MDT BE, every tagt ∈ TDT BE and every

(pk,{svk}n

i=1,{sk}ni=1)output bySetup, ifCdtbe←Enc(pk, t, m)then we have that:

1. ∀i∈[n], ifνi ←ShareDec(pk,ski, t, Cdtbe)thenShareVerify(pk,svki, t, Cdtbe, νi) = 1. 2. m←Combine(pk,{svki}ni=1,{νi}ni=1, Cdtbe, t).

Besides correctness, we require two security properties: Selective-Tag weak Indistinguishability against Adaptive Chosen Ciphertext Attacks (ST-wIND-CCA)[42] andDecryption Consistency (DEC-CON). Informally, the former requires that an adversary who gets a decryption oracle for any ciphertext under a tag different from the target tag (which is chosen beforehand), cannot distinguish which chal-lenge message was encrypted. The latter requires that an adversary cannot output two different sets of decryption shares of a ciphertext which open differently. The formal definitions of those can be found in Appendix A.

DT BE.Setup(1λ, n).

◦ P ←BGrpSetup(1λ).

◦h, w, z,{ui}ni=1,{vi}ni=1←Zp.

u:=Pn

i=1ui,v:=Pni=1vi,(H,H˜) := (Gh,G˜h),
(U,U˜) := (Hu,H˜u),(V,V˜) := (U1v_{,}_{U}˜

1

v_{)}_{,}
(W,W˜) := (Hw,H˜w),(Z,Z˜) := (Vz,V˜z).

◦ski:= (ui, vi),svki:= ( ˜Ui:= ˜Hui,V˜i:= ˜Vvi). ◦pk:= (P, H,H, U,˜ U , V,˜ V , W,˜ W , Z,˜ Z˜).

DT BE.Enc(pk, t, M)

◦r1, r2←Zp;C1:=Hr1,C2:=Vr2,

C3:=M Ur1+r2,C4:= (UtW)r1,C5:= (UtZ)r2.

◦Cdtbe:=

“

C1, C2, C3, C4, C5

” .

DT BE.Combine(pk,{svki}ni=1,{νi}ni=1, Cdtbe, t) ◦IfDT BE.IsValid(pk, t, Cdtbe) = 0Then Return⊥. ◦ParseCdtbeas(C1, C2, C3, C4, C5).

◦Parseνias(Ci,1, Ci,2)andsvkias( ˜Ui,V˜i).

◦Return⊥if∃is.t.DT BE.ShareVerify(pk,svki, t, Cdtbe, νi) = 0. ◦ReturnM := C3

Qn

i=1Ci,1Ci,2.

DT BE.ShareDec(pk,ski, t, Cdtbe)

◦Return⊥ifDT BE.IsValid(pk, t, Cdtbe) = 0. ◦ParseCdtbeas(Ci)5i=1andskias(ui, vi). ◦Returnνi:= (Ci,1:=C1ui, Ci,2:=C2vi).

DT BE.ShareVerify(pk,svki, t, Cdtbe, νi) ◦Parsesvkias( ˜Ui,V˜i)andνias(Ci,1, Ci,2).

◦ParseCdtbeas(C1, C2, C3, C4, C5).

◦Return0IfDT BE.IsValid(pk, t, Cdtbe) = 0. ◦Ife(Ci,1,H˜)6=e(C1,U˜i)Or

e(Ci,2,V˜)6=e(C2,V˜i)Then Return 0. ◦Else Return 1.

DT BE.IsValid(pk, t, Ctbe)

◦ParseCdtbeas(C1, C2, C3, C4, C5).

◦Ife(C1,U˜tW˜)6=e(C4,H˜)Or

e(C2,U˜tZ˜)6=e(C5,V˜)Then Return 0.

[image:9.595.84.517.73.287.2]◦Else Return 1.

Fig. 3.Our distributed tag-based encryption scheme

its Type-I threshold variant in [6]. Our scheme is efficient and yields ciphertexts of sizeG5. Note that

in Type-III bilinear groups, elements of Gare much smaller than their Type-I counterparts, especially

now that small-characteristic symmetric bilinear groups are rendered insecure [9, 34]. To give a sense of comparison, we outline that at 128-bit security, the size of elements ofGis256bits whereas that of their

large-characteristic symmetric groups counterparts is1536bits. Therefore, our construction yields much
shorter ciphertexts than the variants of Kiltz’s scheme in symmetric bilinear groups. Our scheme is of
independent interest and has other applications beyond the scope of this paper. For instance, combining
it with a strongly unforgeable one-time signature scheme (e.g. the full Boneh-Boyen scheme) as per
the transformation in [42], we get an efficient distributed (or threshold) IND-CCA secure encryption
scheme [27, 28] in Type-III groups which is secure in the standard model under the XDLIN_{G} and
q-SDH assumptions. In addition, whenn = 1, we obtain a tag-based encryption scheme in the efficient
Type-III setting with29%shorter ciphertexts than the Type-III variant of Kiltz’s scheme in [39] (which
yields ciphertexts of sizeG3×G˜2). Unlike the scheme in [39], which only works for a polynomial (in

the security parameter) message space, our scheme has no restriction on the message space.

For simplicity we consider then-out-of-ncase. However, our scheme can, in a straightforward man-ner, be adapted to thek-out-of-ncase by deploying anyk-out-of-nsecret sharing scheme to compute the servers’ secret keys.

We prove the following Theorem in Appendix B

Theorem 1. The construction in Fig. 3 is a secure distributed tag-based encryption scheme if the
XDLIN_{G}assumption holds.

4.2 Digital Signatures

Adigital signaturefor a message spaceMDSis a tuple of polynomial-time algorithmsDS:= (KeyGen, Sign,Verify)whereKeyGenoutputs a pair of secret/public keys(sk,pk);Sign(sk, m)outputs a signature σon the messagem;Verify(pk, m, σ)outputs 1 ifσis a valid signature onm.

DS.KeyGen(P)

◦Choosex, y←Zpand set(X, Y) := (Gx, Gy). ◦Returnsk:= (x, y)andpk:= (X, Y).

DS.Sign(sk, m)

◦Chooser←Zps.t.x+ry+m6= 0,

returnσ˜:= ˜Gx+ry1+m_{.}
DS.Verify(pk, m, σ)

◦Return1iffe(XYrGm,σ˜) =e(G,G˜)

or0otherwise.

DS.KeyGen(P)

◦Choosex←Zpand setX :=Gx. ◦Returnsk:=xandpk:=X.

DS.Sign(sk, m)

◦Ifx+m6= 0, returnσ˜:= ˜Gx+1m_{.}
DS.Verify(pk, m, σ)

◦Return1iffe(XGm,σ˜) =e(G,G˜)

[image:10.595.122.475.71.175.2]or0otherwise.

Fig. 4.The Full Boneh-Boyen (Left) and the Weak Boneh-Boyen (Right) signatures

SPDSS.Setup(1λ) ◦ P ←BGrpSetup(1λ).

◦F ←G. Returnparam:= (P, F).

SPDSS.KeyGen(param)

◦Choosex←Zpand setX˜ := ˜Gx. ◦Setsk:=xandpk:= ˜X. Return(sk,pk).

SPDSS.Sign(sk, M)

◦r←Zp,Ω˜1:= ˜Gr,Ω2:=M

x
r_{F}1r_{,}

Ω3:=Ω

x r

2G 1

r_{, the token is}_{Ω}_{4}_{:=}_{G}1r_{.}
◦Returnσ:=“Ω˜1, Ω2, Ω3

” .

SPDSS.Randomize(M, σ, Ω4)

◦r0←Zp,Ω˜10 :=Ω 1

r0

1 ,Ω20 :=Ωr

0

2,

Ω_{3}0 :=Ω_{3}r02Ωr

0

(1−r0)

4 .

SPDSS.Verify(pk, M, σ)

◦Return 1 ife(Ω2,Ω˜1) =e(M,X˜)e(F,G˜)

ande(Ω3,Ω˜1) =e(Ω2,X˜)e(G,G˜).

SPDSS.Setup(1λ) ◦ P ←BGrpSetup(1λ).

◦Returnparam:=P.

SPDSS.KeyGen(param)

◦w, x, y1, y2←Zp,W˜ := ˜Gw,X˜ := ˜Gx, ˜

Y1:= ˜Gy1,Y˜2:= ˜Gy2.

◦sk:= (w, x, y1, y2),pk:= ( ˜W ,X,˜ Y˜1,Y˜2).

◦Return`

sk,pk´ .

SPDSS.Sign(sk, M)

◦Ω1←G,a←Zp,Ω2:=Ga,Ω˜3:= ˜G 1

a_{,}

Ω4:=Gx−awΩ_{1}−y1M−y2.

◦Returnσ:=“Ω1, Ω2,Ω˜3, Ω4

” .

SPDSS.Verify(pk, M, σ)

◦Return 1 ife(Ω2,Ω˜3) =e(G,G˜)and

e(G,X˜) =e(Ω2,W˜)e(Ω4,G˜)e(Ω1,Y˜1)e(M,Y˜2).

Fig. 5.The structure-preserving signature of [4] (Left) and that of [3] (Right)

In this paper, we use two digital signatures by Boneh and Boyen [17] which we refer to as the Full Boneh-Boyen signature (Fig. 4 (Left)) and the Weak Boneh-Boyen signature (Fig. 4 (Right)), respec-tively. Both schemes are secure under the q-SDH assumption. The weaker scheme is secure under a weak chosen-message attack.

Structure-Preserving Signatures. Structure-preserving signatures [2] are signature schemes where the message, the public key and the signature are all group elements, and signatures are verified by evaluat-ing pairevaluat-ing product equations.

In this paper, we use two structure-preserving signatures from the literature. The first scheme is by Abe et al. [4] which offers controlled re-randomizability where a signature can only be re-randomized if the user has a special randomization token. The scheme in the asymmetric setting is illustrated in Fig. 5 (Left). The unforgeability of the scheme relies on an interactive assumption. Refer to [4] for details. The second scheme we use is that of Abe et al. [3]. The scheme in the asymmetric setting is given in Fig. 5 (Right). The strong unforgeability of the scheme relies on the non-interactiveq-AGHO assumption.

4.3 Strongly Unforgeable One-Time Signatures

[image:10.595.101.490.204.418.2]• _{Pairing Product Equation (PPE):}

n

Q

i=1

e(Ai,Y˜i) m

Q

i=1

e(X_{i},B˜i)
m
Q
i=1
n
Q
j=1

e(Xi,Y˜j)ki,j =tT·

• _{Multi-Scalar Multiplication Equation (MSME) in}_{G:}

n0

Q

i=1

Ay_{i}i

m

Q

i=1

Xibi m Q i=1 n0 Q j=1

Xiki,jyj =T·

• _{Multi-Scalar Multiplication Equation (MSME) in}_{G}˜_{:}

m0

Q

i=1

˜

Bx_{i}i

n

Q

i=1

˜

Yi ai m

0 Q i=1 n Q j=1 ˜ Yi ki,jxj

= ˜T·

• _{Quadratic Equation (QE) in}_{Z}_{p}_{:}

n0

P

i=1

aiyi+ m0

P

i=1

xibi+ m0 P i=1 n0 P j=1

[image:11.595.112.490.71.174.2]xiyj=t·

Fig. 6.Types of equations one can use Groth-Sahai proofs for

4.4 Non-Interactive Zero-Knowledge Proofs

LetRbe an efficiently computable relation. For pairs(x, w) ∈ R, we callxthe statement and wthe witness. We define the language L as all the statements x inR. A Non-Interactive Zero-Knowledge (NIZK) proof system [16] forRis defined by a tuple of algorithmsN IZK := (Setup,Prove,Verify, Extract,SimSetup,SimProve).

Setup(1λ)outputs a common reference stringcrsand an extraction keyxkwhich allows for witness extraction.Prove(crs, x, w)outputs a proofπthat(x, w)∈ R.Verify(crs, x, π)outputs1if the proof is valid, or0otherwise.Extract(crs,xk, x, π)outputs a witness.SimSetup(1λ)outputs a simulated refer-ence stringcrsSimand a trapdoor keytrthat allows for proof simulation.SimProve(crsSim,tr, x)outputs

a simulated proofπSimwithout a witness.

We require: completeness, soundness and zero-knowledge. Completeness requires that honestly gen-erated proofs are accepted; Soundness requires that it is infeasible (but for a small probability) to produce a valid proof for a false statement; Zero-knowledge requires that a proof reveals no information about the witness used. For formal definitions refer to [16].

GROTH-SAHAIPROOFS. Groth-Sahai (GS) proofs [37] are efficient non-interactive proofs in the Com-mon Reference String (CRS) model. The language for the system has the form

L:={statement| ∃witness:Ei(statement,witness)n_{i}_{=1}hold},

where Ei(statement,·) is one of the types of equation summarized in Fig. 6, where X1, . . . , Xm ∈
G,Y˜1, . . . ,Yn˜ ∈ G˜, x1, . . . , xm0, y_{1}, . . . , y_{n}0 ∈ _{Z}_{p} are secret variables (hence underlined), whereas

Ai, T ∈G,B˜i,T˜∈G˜,ai, bi, ki,j, t∈Zp,tT ∈GT are public constants.

The proof system has perfect completeness, (perfect) soundness, composable witness-indistinguishabil-ity/zero-knowledge. We use the SXDH-based instantiation of the proofs. Refer to [37] for details.

5 Our Generic Construction

In this section, we present our generic construction for dynamic group signatures with distributed trace-ability.

Overview of the construction. The idea behind our generic construction has some in common with Groth’s scheme [36] in that we combine a standard NIZK proof system with a weakly secure tag-based encryption scheme and a strong one-time signature scheme to eliminate the need for the more expen-sive simulation-sound NIZK systems [47] and IND-CCA public-key encryption schemes which were required by the construction of Bellare et al. [13]. However, unlike [36], our framework provides dis-tributed traceability, has a concurrent join protocol and achieves tracing soundness.

Join(gpk,uid,usk[uid]) Issue(msk,uid,upk[uid]) (pkuid,skuid)← WDS.KeyGen(1λ)

siguid← DS2.Sign(usk[uid],pkuid) siguid,pkuid −−−−−−−→

Abort ifDS2.Verify(upk[uid],pkuid,siguid) = 0

certuid

←−−−− certuid← DS1.Sign(msk,pkuid)

Abort ifDS1.Verify(pkGM,pkuid,certuid) = 0

[image:12.595.88.508.73.156.2]gsk[uid] := (skuid,pkuid,certuid) reg[uid] := (pkuid,siguid)

Fig. 7.The Join/Issue protocol for our construction

unforgeable one-time signature scheme OT S that is secure against an adaptive chosen-message at-tack. Additionally, we require a NIZK proof of knowledge systemN IZKand a ST-wIND-CCA dis-tributed tag-based encryption schemeDT BE. In order to have efficient tracing, we ask thatDT BE is non-interactive and robust. As was noted by [31], such a propety simplifies tracing even in traditional group signatures with a single tracing manager. Finally, we require a collision-resistant hash function H :{0,1}∗ → TDT BE. For simplicity and WLOG we assume thatTDT BE = MWDS. Otherwise, one

could use a second hash function. Note that one can use the same signature scheme for bothDS1 and

DS_{2}but using different key pairs.

The GKg algorithm runs N IZK.Setup to generate a common reference string crs for N IZK.
It also runs DT BE.Setup to generate (pkDT BE,{svki}κi=1,{ski}κi=1), and DS1.KeyGen to generate
(pk_{GM},skGM). The group public key isgpk:= (1λ,crs,pkGM,pkDT BE,{svki}κ_{i}_{=1},H). The group
man-agers’ secret key ismsk:=skGM, whereas the tracing key of tracing managerTMiistski :=ski.

A new user creates her personal key pair by runningDS_{2}.KeyGento generate(upk[uid],usk[uid]).
When the user wishes to join the group, she generates a key pair(pk_{uid},skuid)for the signature scheme
WDS and then signspk_{uid}usingDS_{2}and her personal secret keyusk[uid]to obtain a signaturesig_{uid}.
We usesig_{uid}as a proof when proving that the user has produced a group signature.

To join the group, the user sendspk_{uid}andsig_{uid} to the group manager. Ifsig_{uid}is valid, the group
manager issues a membership certificatecertuid (which is aDS1 signature on pkuid that verifies w.r.t.

pk_{GM}).

To sign a messagem, the member chooses a fresh key pair(otsvk,otssk)for the one-time signature
OT Sand encrypts her public keypk_{uid}withDT BEusingH(otsvk)as tag (and possibly some
random-nessτ) to obtain a ciphertextCdtbe. She then signsH(otsvk)using the digital signature schemeWDS

and her secret keyskuidto obtain a signatureσ. She then usesN IZKto produce a proofπproving that:

she did the encryption correctly, she has a signatureσonH(otsvk)that verifies w.r.t. her public keypk_{uid}
and she has a certificatecertuidonpkuidfrom the group manager. Finally, she signs(m, Cdtbe,otsvk, π)

using the one-time signature OT S to obtainσots. The group signature isΣ := (σots, π, Cdtbe,otsvk).

To verify the signature, one verifies the proof π and the one-time signature σots, and ensures that the

ciphertextCdtbeis well-formed.

We remark here if DS1 and/orWDS schemes are re-randomizable, one can reveal the signature

components which are independent of their respective messages after re-randomization. This simplifies the proofπand subsequently improves the efficiency. The revealed parts of those signatures can then be included as the part of the message to be signed byOT Sto ensure that one achieves the stronger notion of non-frameability.

To trace a signature, the decryption sharesνiof the ciphertextCdtbeare obtained from the respective

tracing managers and then combined together in order to recover the plaintext pk_{uid}. Then one just
needs to search in the registration tableregto see if any entryreg[j].pkmatchespk_{uid}. If this is the
case,(j,({ν}κ

i=1,pkuid,reg[j].sig))is returned. Otherwise,(0,({ν}κi=1,pkuid,⊥))is returned. Note that

GKg(1λ, κ)

◦(pk_{GM},skGM)← DS1.KeyGen(1λ);(pkDT BE,{svki}κi=1,{ski}iκ=1)← DT BE.Setup(1λ, κ).

◦(crs,xk)← N IZK.Setup(1λ); Choose a collision-resistant hash functionH:{0,1}∗→ TDT BE.

◦Lettski:=ski,gpk:= (1λ,crs,pkGM,pkDT BE,{svki}κi=1,H)andmsk:=skGM. ◦Return(gpk,{tski}κi=1,msk).

UKg(1λ)

◦(upk[i],usk[i])← DS2.KeyGen(1λ). Return(upk[i],usk[i]).

Sign(gpk,gsk[uid], m)

◦(otsvk,otssk)← OT S.KeyGen(1λ);Cdtbe← DT BE.Enc(pkDT BE,H(otsvk),pkuid;τ). ◦σ← WDS.Sign(skuid,H(otsvk)).

◦π← N IZK.Prove(crs,{pk_{uid}, τ, σ,certuid}: (Cdtbe,H(otsvk),pkGM,pkDT BE)∈ L).

◦σots← OT S.Sign(otssk,(m, Cdtbe,otsvk, π)). ◦ReturnΣ:= (σots, π, Cdtbe,otsvk).

Verify(gpk, m, Σ)

◦ParseΣas(σots, π, Cdtbe,otsvk)andgpkas(1λ,crs,pkGM,pkDT BE,{svki}κi=1,H).

◦Return 1 if all the following verify; otherwise, return 0:

?OT S.Verify(otsvk,(m, Cdtbe,otsvk, π), σots)= 1∧ N IZK.Verify(crs, π)= 1.

?DT BE.IsValid(pkDT BE,H(otsvk), Cdtbe)= 1.

TraceShare(gpk,tski, m, Σ)

◦ParseΣas(σots, π, Cdtbe,otsvk)andgpkas(1λ,crs,pkGM,pkDT BE,{svki}κi=1,H).

◦Return⊥ifVerify(gpk, m, Σ) = 0Else ReturnDT BE.ShareDec(pk_{DT BE},tski,H(otsvk), Cdtbe).

ShareVerify(gpk,tid, ν, m, Σ)

◦ParseΣas(σots, π, Cdtbe,otsvk)andgpkas(1λ,crs,pkGM,pkDT BE,{svki}κi=1,H).

◦ReturnDT BE.ShareVerify(pk_{DT BE},svktid,H(otsvk), Cdtbe, ν).

TraceCombine(gpk,{νi}κi=1, m, Σ,reg)

◦ParseΣas(σots, π, Cdtbe,otsvk)andgpkas(1λ,crs,pkGM,pkDT BE,{svki}κi=1,H).

◦Return(0,({ν}κi=1,⊥,⊥))if for anyi∈[κ]DT BE.ShareVerify(pkDT BE,svki,H(otsvk), Cdtbe, νi) = 0. ◦pkuid← DT BE.Combine(pkDT BE,{svki}κi=1,{νi}κi=1, Cdtbe,H(otsvk)).

◦Return(0,({ν}κi=1,⊥,⊥))ifpkuid=⊥.

◦If∃js.t.reg[j].pk=pk_{uid}Then Return(j,({ν}κi=1,pkuid,reg[j].sig)).
◦Return(0,({ν}κi=1,pkuid,⊥)).

TraceVerify(gpk,uid, θTrace,upk[uid], m, Σ)

◦ParseθTraceas({ν}κi=1,pkuid,siguid)andΣas(σots, π, Cdtbe,otsvk). ◦Parsegpkas(1λ,crs,pkGM,pkDT BE,{svki}κi=1,H).

◦pk0_{uid}← DT BE.Combine(pk_{DT BE},{svki}iκ=1,{νi}iκ=1, Cdtbe,H(otsvk)).
◦Ifuid= 0Then Return (pk0_{uid}=⊥ ∨ Verify(gpk, m, Σ) = 0).

◦Ifpk0_{uid}6=pkuidThen Return0Else ReturnDS2.Verify(upk[uid],pkuid,siguid).

Fig. 8.Our generic construction

all decryption shares verify correctly and in the case thatj > 0, one needs to verify that the signature sigverifies w.r.t.upk[j].

The construction is detailed in Fig. 8, whereas the Join/Issue protocol is given in Fig. 7. The language associated with the NIZK proof is as follows, where for clarity we underline the elements of the witness:

L:

n

(Cdtbe,H(otsvk),pkGM,pkDT BE),(pkuid, τ, σ,certuid)

:

DS1.Verify(pkGM,pkuid,certuid) = 1 ∧ WDS.Verify(pkuid,H(otsvk), σ) = 1

∧ DT BE.Enc(pkDT BE,H(otsvk),pkuid;τ) =Cdtbe

o ·

Theorem 2. The construction in Fig. 7 and Fig. 8 is a secure dynamic group signature with distributed traceability providing that the building blocks are secure w.r.t. their security requirements.

The full proof of this Theorem can be found in Appendix D.

6 Instantiations in the Standard Model

Here we provide two example instantiations of the generic framework in the standard model.

6.1 Instantiation I

Here we instantiate the signature schemesDS_{1}andDS_{2}using the recent structure-preserving signature
scheme by Abe et al. [4] (shown in Fig. 5 (Left)), and instantiateWDSandOT S with the weak and full
Boneh-Boyen signature schemes, respectively. We also instantiateN IZKusing the Groth-Sahai proof
system. For the distributed tag-based encryption scheme, we use our new scheme from Fig 3. The size
of the signature of this instantiation isG24×G˜21×Z5p. The details are in Appendix C. The proof for the
following Theorem follows from that of Theorem 2.

Theorem 3. Instantiation I is secure if the Abe et al. signature scheme [4] is unforgeable and the SXDH,
XDLIN_{G}andq-SDH assumptions hold.

6.2 Instantiation II

To eliminate the need for interactive intractability assumptions, we instead use the strongly unforgeable signature scheme by Abe et al. [3] (Fig. 5 (Right)) to instantiateDS1 andDS2signature schemes. The

rest of the tools remain the same as in Instantiation I. The size of the group signature of this instantiation isG28×G˜24×Z3p. The details are in Appendix C. The proof for the following Theorem follows from that of Theorem 2.

Theorem 4. Instantiation II is secure if the SXDH,q-AGHO, XDLIN_{G}andq-SDH assumptions hold.

6.3 Efficiency Comparison

Since there are no existing constructions which simultaneously offer all the properties as our construc-tions, we compare the size of the signature of our instantiations with that of Groth’s scheme [35] for the single tracing manager setting which is considered the-state-of-the-art. Groth’s scheme yields signatures of sizeG46×Zpin symmetric groups. Besides the extra distributed traceability feature, our instantiations involve fewer rounds in the join protocol than [35] and, in addition, satisfy tracing soundness.

Acknowledgments.The author was supported by ERC Advanced Grant ERC-2010-AdG-267188-CRIPTO and EPSRC via grant EP/H043454/1.

References

1. M.Abe, M. Chase, B. David, M. Kohlweiss, R. Nishimaki and M. Ohkubo. Constant-Size Structure-Preserving Signatures: Generic Constructions and Simple Assumptions. InASIACRYPT 2012, Springer LNCS 7658, 4–24, 2012.

2. M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev and M. Ohkubo. Structure-preserving signatures and commitments to group elements. InCRYPTO 2010, Springer LNCS 6223, 209–236, 2010.

3. M. Abe, J. Groth, K. Haralambiev and M. Ohkubo. Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups. InCRYPTO 2011, Springer LNCS 6841, 649–666, 2011.

4. M. Abe, J. Groth, M. Ohkubo and M. Tibouchi. Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures. In TCC 2014, Springer LNCS 8349, 688–712, 2014.

5. M. Abe, K. Haralambiev and M. Ohkubo. Signing on Elements in Bilinear Groups for Modular Protocol Design. Cryp-tology ePrint Archive, Report 2010/133. http://eprint.iacr.org/2010/133.

6. S. Arita and K. Tsurudome. Construction of Threshold Public-Key Encryptions through Tag-Based Encryptions. InACNS 2009, Springer LNCS 5536, 186–200, 2009.

7. G. Ateniese, J. Camenisch, S. Hohenberger and B. de Medeiros. Practical group signatures without random oracles.

Cryptology ePrint Archive. Report 2005/385, available athttp://eprint.iacr.org/2005/385.

9. R. Barbulescu, P. Gaudry, A. Joux and E. Thom. A Heuristic Quasi-Polynomial Algorithm for Discrete Logarithm in Finite Fields of Small Characteristic. InEUROCRYPT 2014, Springer LNCS 8441, 1–16, 2014.

10. G. R. Blakley. Safeguarding Cryptographic Keys. In AFIPS National Computer Conference, AFIPS Press 48, 313–317, 1979.

11. M. Bellare, D. Micciancio and B. Warinschi. Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. InEUROCRYPT 2003, Springer LNCS 2656, 614–629, 2003. 12. M. Bellare and P. Rogaway. Random oracles are practical: A Paradigm for Designing Efficient Protocols. InACM-CCS

1993, ACM, pp. 62–73, 1993.

13. M. Bellare, H. Shi and C. Zhang. Foundations of group signatures: The case of dynamic groups. InCT-RSA 2005, Springer LNCS 3376, 136–153, 2005.

14. V. Benjumea, S. Choi, J. Lopez and M. Yung. Fair Traceable Multi-Group Signatures. InFC 2008, Springer LNCS 5143, 231–246, 2008.

15. J. Bichsel, J. Camenisch, G. Neven, N.P. Smart and B. Warinschi. Get Shorty via Group Signatures without Encryption. InSCN 2010, Springer LNCS 6280, 381–398, 2010.

16. M. Blum, P. Feldman and S. Micali. Non-interactive zero-knowledge and its applications. InSTOC 1988, 103–112, 1988. 17. D. Boneh and X. Boyen. Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. In

Journal of Cryptology, volume 21(2), 149–177, 2008.

18. D. Boneh, X. Boyen and H. Shacham. Short Group Signatures. InCRYPTO 2004, Springer LNCS 3152, 227–242, 2004. 19. X. Boyen and B.Waters. Compact Group Signatures Without Random Oracles. InEUROCRYPT 2006, Springer LNCS

4004, 427–444, 2006.

20. X. Boyen and B.Waters. Full-domain subgroup hiding and constant-size group signatures. InPKC 2007, Springer LNCS 4450, 1–15, 2007.

21. J. Camenisch and J. Groth. Group Signatures: Better Efficiency and New Theoretical Aspects. InSCN 2004, Springer LNCS 2045, 120–133, 2004.

22. J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. InCRYPTO 2004, Springer LNCS 3152, 56–72, 2004.

23. J. Camenisch and M. Michels. A group signature scheme with improved efficiency. InASIACRYPT 1998, Springer LNCS 1514, 160–174, 1998.

24. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. InCRYPTO 1997, Springer LNCS 1294, 410–424, 1997.

25. D. Chaum and E. van Heyst. Group signatures. InEUROCRYPT 1991, Springer LNCS 547, 257–265, 1991.

26. C. Delerabl´ee and D. Pointcheval. Dynamic Fully Anonymous Short Group Signatures. InVIETCRYPT 2006, Springer LNCS 4341, 193–210, 2006.

27. Y. Desmedt and Y. Frankel. Threshold Cryptosystems. InCRYPTO 1989, Springer LNCS 435, 307–315, 1990.

28. Yair Frankel. A Practical Protocol for Large Group Oriented Networks. InEUROCRYPT 1989, Springer LNCS 434, 56–61, 1989.

29. J. Furukawa and H. Imai. An Efficient Group Signature Scheme from Bilinear Maps. InACISP 2005, Springer LNCS 3574, 455–467, 2005.

30. J. Furukawa and S. Yonezawa. Group Signatures with Separate and Distributed Authorities. InSCN 2004, Springer LNCS 3352, 77–90, 2004.

31. D. Galindo, B. Libert, M. Fischlin, G. Fuchsbauer, A. Lehmann, M. Manulis and D. Schr¨oder. Public-Key Encryption with Non-interactive Opening: New Constructions and Stronger Definitions. InAFRICACRYPT 2010, Springer LNCS 6055, 333–350, 2010.

32. S. Galbraith, K. Paterson and N.P. Smart. Pairings for cryptographers. Discrete Applied Mathematics,156, 3113–3121, 2008.

33. E. Ghadafi, N.P. Smart and B. Warinschi. Groth-Sahai proofs revisited. InPKC 2010, Springer LNCS 6056, 177–192, 2010.

34. R. Granger, T. Kleinjung and J. Zumbr¨agel. Breaking ‘128-bit Secure’ Supersingular Binary Curves (or how to solve
discrete logarithms inF24·1223and_{F}_{2}12·367). InCryptology ePrint Archive, Report 2014/119,http://eprint.iacr.
org/2014/119.pdf.

35. J. Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. InASIACRYPT 2006, Springer LNCS 4284, 444–459, 2006.

36. J. Groth. Fully anonymous group signatures without random oracles. InASIACRYPT 2007, Springer LNCS 4833, 164– 180, 2007.

37. J. Groth and A. Sahai. Efficient non-interactive proof systems for bilinear groups. In SIAM Journal on Computing, volume 41(5), 1193–1232, 2012.

38. C. Hlauschek, J. Black, G. Vigna and C. Kruegel. Limited-linkable Group Signatures with Distributed-Trust Traceabil-ity. InTechnical Report, Vienna University of Technology, 2012.http://www.iseclab.org/people/haku/ tr-llgroupsig12.pdf.

40. A. Kiayias, Y. Tsiounis and M. Yung. Traceable Signatures. InEUROCRYPT 2004, Springer LNCS 3027, 571–589, 2004. 41. A. Kiayias and M. Yung. Group Signatures with Efficient Concurrent Join. InEUROCRYPT 2005, Springer LNCS 3494,

198–214, 2005.

42. E. Kiltz. Chosen-Ciphertext Security from Tag-Based Encryption. InTCC 2006, Springer LNCS 3876, 581–600, 2006. 43. B. Libert, T. Peters and M. Yung. Scalable Group Signatures with Revocation. InEUROCRYPT 2012, Springer LNCS

7237, 609–627, 2012.

44. B. Libert, T. Peters and M. Yung. Group Signatures with Almost-for-Free Revocation. InCRYPTO 2012, Springer LNCS 7417, 571–589, 2012.

45. M. Manulis. Democratic group signatures: on an example of joint ventures. InASIACCS 2006, ACM, 365–365, 2006. 46. L. Nguyen and R. Safavi-Naini. Efficient and Provably Secure Trapdoor-Free Group Signature Schemes from Bilinear

Pairings. InASIACRYPT 2004, Springer LNCS 3329, 372–386, 2004.

47. A. Sahai. Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security. InFOCS 1999, 543–553, 1999.

48. Y. Sakai, K. Emura, G. Hanaoka, Y. Kawai, T. Matsuda and K. Omote. Group Signatures with Message-Dependent Opening. InPAIRING 2012, Springer LNCS 7708, 270–294, 2013.

49. Y. Sakai, J. C. N. Schuldt, K. Emura, G. Hanaoka and K. Ohta. On the Security of Dynamic Group Signatures: Preventing Signature Hijacking. InPKC 2012, Springer LNCS 7293, 715–732, 2012.

50. A. Shamir. How to share a secret. InCommunications of the ACM, 22:11, 612–613, 1979.

51. D. Zheng, X. Li, C. Ma, K. Chen and J. Li. Democratic Group Signatures with Threshold Traceability. InCryptology ePrint Archive, Report 2008/112,http://eprint.iacr.org/2008/112.pdf.

A Security of Distributed Tag-Based Encryption

Here we define the security requirements of a distributed tag-based encryption.

• _{Selective-Tag Indistinguishability against Adaptive Chosen Ciphertext Attacks (ST-IND-CCA): This}

requires that for allλ, n∈_{N}, for all polynomial-time adversariesAthe advantage

AdvST-IND-CCA_{DT BE}_{,}_{A}_{,n} (λ) :=Pr[ExpST-IND-CCA-1_{DT BE}_{,}_{A}_{,n} (λ) = 1]−Pr[ExpST-IND-CCA-0_{DT BE}_{,}_{A}_{,n} (λ) = 1]

is negligible inλ, where the game is shown in Fig. 9. In the game,ShareDect∗returns⊥if queried on

(t∗, C_{dtbe}∗ ). A weaker variant of the ST-IND-CCA definition, which we use here, is called
Selective-Tag weak Indistinguishability against Adaptive Chosen Ciphertext Attacks (ST-wIND-CCA) [6],
which is analogous to that defined by Kiltz [42] for traditional tag-based encryption, is when in
the above game ShareDect∗ rejects any query on(t∗,·). Note that by eliminating the requirement
that the adversary outputs the target tag beforehand, one obtains stronger variants of the above two
notions.

• _{Decryption Consistency (DEC-CON): This requirement is similar to that defined in [31] for }

tra-ditional public key encryption and is stronger than the selective-tag variant defined in [6]. This requires that for all λ, n ∈ N, for all PPT adversaries A, the advantage AdvDEC-CONDT BE,A,n(λ) :=

Pr[ExpDEC-CONDT BE,A,n(λ) = 1]is negligible inλ, where the game is defined in Fig. 10.

Experiment:ExpST-IND-CCA-b_{DT BE}_{,}_{A}_{,n} (λ):

•(S⊂[n], t∗,stinit)← Ainit

“

1λ, n”, where|S| ≤n−1.

•(pk,{svki}ni=1,{ski}ni=1)←Setup(1λ, n).

•(m0, m1,stfind)← Afind

“

stinit,pk,{svki}ni=1,{ski}i∈S :ShareDect

∗

(pk,ski,·,·)

”

, where|m0|=|m1|.

•C_{dtbe}∗ ←Enc(pk, t∗, mb).
•b∗← Aguess

“

stfind, Cdtbe∗ :ShareDec t∗

(pk,ski,·,·)

” .

[image:16.595.88.507.602.700.2]•Returnb∗.

Experiment:ExpDEC-CON_{DT BE}_{,}_{A}_{,n}(λ):

•(pk,{svki}ni=1,{ski}ni=1)←Setup(1λ, n).

•(t, Cdtbe,{νi}in=1,{νi0}ni=1)← A(pk,{svki}ni=1,{ski}ni=1).

•IfIsValid(pk, t, Cdtbe) = 0Then Return0.

[image:17.595.89.511.72.153.2]•If∃i∈[n]s.t.ShareVerify(pk,svki, t, Cdtbe, νi) = 0orShareVerify(pk,svki, t, Cdtbe, νi0) = 0Then Return0. •IfCombine(pk,{svki}ni=1,{νi}ni=1, Cdtbe, t)6=Combine(pk,{svki}ni=1,{νi0}ni=1, Cdtbe, t)Then Return 1. •Return0.

Fig. 10.The decryption consistency game for distributed tag-based encryption

B Proof of Theorem 1

Proof. Lemma 1. The construction is selective-tag weakly indistinguishable against adaptive chosen ciphertext attacks.

Proof. We show if there exists an adversaryAwinning the ST-wIND-CCA game, we can construct an adversaryBthat breaks the XDLINGassumption such that

AdvST-wIND-CCADT BE,A,n (λ)≤AdvXDLINB G(λ)

AdversaryBgetsP and the tuple(H, U, V, Hr, Vs, Ut,H,˜ U ,˜ V ,˜ H˜r,V˜s)∈_{G}6_{×}_{˜}

G5from its game

and its aim is to decide whether or nott=r+s. It startsAto get the setSand the target tagt∗. Adversary Bthen selects an indexjfrom the set[n]\S. For all serversi∈[n]\ {j},Bchoosesαi, βi ←Zpthat will be used as the secret key for server i. The corresponding server verification key is computed as

( ˜Ui,V˜i) := ( ˜Hαi,V˜βi). For the remaining server j, B computes its verification key as( ˜Uj,V˜j) :=

(Qn U˜ i=1,i6=jU˜i,

˜

U

Qn

i=1,i6=jV˜i). It also choosesd1, d2

∈_{Z}_{p}and computes(W,W˜) := U−t∗Hd1_{,}_{U}˜−t∗_{H}˜d1_{,}

(Z,Z˜) := U−t∗Vd2_{,}_{U}˜−t∗_{V}˜d2_{. It then sets}_{pk} _{:= (}_{P, H,}_{H, U,}˜ _{U , V,}˜ _{V , W,}˜ _{W , Z,}˜ _{Z}˜_{)} _{and sends}_{pk}_{,}
{svk}n

i=1and{ski}i∈StoA.

When answering ShareDect∗ queries by server i 6= j on any tag t 6= t∗, B first checks that the ciphertext is valid and if so, it returns(Ci,1 := C1αi, Ci,2 := C2βi). For the j-th server, after verifying

that the ciphertext is valid, it returns

Cj,1 := (C4C

−d1 1 )

1 t−t∗

Qn

i=1,i6=jCαi1

, Cj,2 := (C5C

−d2 2 )

1 t−t∗

Qn

i=1,i6=jC2βi

. This is a valid

decryption share satisfyinge(Cj,1,H˜) =e(C1,U˜j)ande(Cj,2,V˜) =e(C2,V˜j).

In the challenge phase, B receives two messages M0 and M1. It randomly chooses b ← {0,1}

and responds with a challenge ciphertext(C1, C2, C3, C4, C5) := (Hr, Vs, Hr d1, Vsd2, MbUt). Note this is a valid ciphertext satisfyinge(C1,U˜tW˜) =e(C4,H˜)ande(C2,U˜tZ˜) =e(C5,V˜). Any further

decryption queries made byAare answered byBas above.

Eventually, whenAoutputs its guessb∗,Bproceeds as follows: ifb∗=b,Bguesses thatt=r+s; otherwise,Bguesses thattis random.

Lemma 2. The construction satisfies decryption consistency.

Proof. Suppose that an adversaryA outputs two valid sets {(Ci,1, Ci,2)}ni=1 and {(Ci,01, Ci,02)}ni=1 of

decryption shares of a ciphertext Cdtbe. For it to win, both sets must contain valid shares, i.e. all 2n

shares must be accepted by theShareVerifyalgorithm. Thus, we must havee(Ci,1,H˜) =e(C1,U˜i)and
e(Ci,2,V˜) =e(C2,Vi˜)fori= 1, . . . , n. This means we must haveQn_{i}_{=1}Ci,1 = C1u and

Qn

i=1Ci,2 =

C_{2}v. Similarly, we must havee(C_{i,}0_{1},H˜) =e(C1,U˜i)ande(Ci,02,V˜) =e(C2,V˜i)fori= 1, . . . , n. This
means that we must haveQn_{i}_{=1}C_{i,}0_{1} =Cu

1 and

Qn

i=1Ci,02 =C2v. Thus, we must haveCi,1 =Ci,01 and

C Instantiations Details

C.1 Instantiation I

Here we havecertuid = ( ˜Ω1, Ω2, Ω3)∈ G˜ ×G2and the user has the re-randomization tokenΩ4 ∈G,

Cdtbe = (C1, C2, C3, C4, C5) ∈ G5,pkGM = ˜X,pkuid ∈G, andpkDT BE = (P, H,H, U,˜ U , V,˜ V , W,˜

˜

W , Z,Z˜).

• _{To prove}DS

1.Verify(pkGM,pkuid,certuid) = 1, the user re-randomizescertuid using the tokenΩ4

to obtain a new membership certificatecert0_{uid} = ( ˜Ω_{1}0, Ω_{2}0, Ω_{3}0)and then proves the following linear
equations

e(Ω_{2}0,Ω˜_{1}0) =e(pk_{uid},X˜)e(F ,G˜) e(Ω_{3}0,Ω˜_{1}0) =e(Ω_{2}0,X˜)e(G,G˜) G−G= 0 F −F = 0

• _{To prove}WDS_{.}_{Verify}_{(}_{pk}

uid,H(otsvk),σ˜) = 1wherepkuid ∈G,σ˜ ∈G˜. The signer proves

e(pk_{uid},σ˜)e(GH(otsvk),˜σ)e(G,G˜) = 1

• _{To prove that}DT BE_{.}_{Enc}_{(}_{pk}

DT BE,H(otsvk),pkuid; (r1, r2)) =Cdtbe, the signer provesC1,C2and

C3were computed correctly and the rest can be verified by checking thate(C4,H˜) =e(C1,U˜H(otsvk)W˜)

ande(C5,V˜) =e(C2,U˜H(otsvk)Z˜). Thus, this requires proving

C1 =Hr1 C2 =Vr2 C3=pkuidUr1Ur2

Note that all the proven equations are simulatable and hence the corresponding proofs are zero-knowledge. The total size of the signature isG24+ ˜G21+Z5p.

C.2 Instantiation II

The only difference from Instantiation I is the manner in whichcertuidis verified. We havepkuid ∈G,

certuid= (Ω1, Ω2,Ω˜3, Ω4)andpkGM= ( ˜W ,X,˜ Y˜1,Y˜2).

To proveDS_{1}.Verify(pk_{GM},pk_{uid},certuid) = 1, the user proves the following equations

e(Ω2,Ω˜3) =e(G,G˜) e(G,X˜) =e(Ω2,W˜)e(Ω4,G˜)e(Ω1,Y˜1)e(pkuid,Y˜2) G−G= 0

The rest of the proofs are the same as in Instantiation I. Again, all the proven equations are simulatable and hence the corresponding proofs are zero-knowledge. The size of the signature isG28×G˜24×Z3p.

D Proof of Theorem 2

Proof. Correctness of the construction follows from that of the underlying building blocks.

Lemma 3. IfN IZKis zero-knowledge, the tag-based encryption schemeDT BEis selective-tag weakly IND-CCA secure, the one-time signatureOT S is strongly existentially unforgeable, and the hash func-tionHis collision-resistant then the construction satisfies strong full anonymity against full-key expo-sure.

Proof. We show that if there exists an adversary B which breaks the anonymity of the construction, we can build adversaries A1 against the collision-resistance of the hash function H, A2 against the

The collision-resistance ofHensures thatBhas a negligible probability in findingotsvk0s.t.H(otsvk0)

collides with the tagH(otsvk∗)we use for the challenge signature. If this is not the case, we can useB to build an adversaryA1that breaks the collision-resistance ofH.

The strong existential unforgeability ofOT S ensures thatBhas a negligible probability in forging a one-time signature underotsvk∗we use in the challenge signature. If this is not the case, we can build an adversaryA2that wins the strong unforgeability game ofOT S.

We startN IZKin the simulation setting which means that the proofπis now zero-knowledge and hence does not reveal any information about the witness.

We now proceed to show how to use Bto build an adversaryA4 against the selective-tag weakly

IND-CCA security of DT BE. Adversary A_{4} startsB to get the list BTL of the tracing managers it
would like to corrupt. Adversary A_{4} runs theGKg algorithm where it starts by randomly choosing a
key pair(otsvk∗,otssk∗)forOT S that it will use in answeringB’s challenge signature. This needed to
be chosen beforehand because the tag-based encryption scheme is only selective-tag secure.A4 sends

(H(otsvk∗),BTL) to its own game and gets backpk_{DT BE},{svki}i∈[κ]and{ski}i∈BTL. In its game,A4

has access to a share decryption oracleShareDecH(otsvk∗)which it can query on any ciphertext under any
tag different from the target tagH(otsvk∗).A_{4}now chooses a simulated stringcrsforN IZKand runs
the rest of the setup normally. It sendsgpk:= (1λ,crs,pk_{GM},pk_{DT BE},{svki}κi=1,H),msk:=skGMand

{ski}i∈BTLtoB.

AllB’s queries are answered normally as in Fig. 1 except the following oracles.

• _{CH}

b: To answer the challenge queryCHb(uid0,uid1, m),A4 sends(pkuid0,pkuid1)as its challenge
in its ST-wIND-CCA game and gets a ciphertext under the tag H(otsvk∗) of either the plaintext
pk_{uid}_{0} orpk_{uid}_{1} which it needs to distinguish.A_{4}then constructs the rest of the challenge signature
by simulating the proofπand signing the whole thing withotssk∗ to obtainσots.

• _{TraceShare}_{:}_{A}

4just uses itsShareDecH(otsvk

∗_{)}

oracle to get the decryption share ofCdtbecontained

within the signature. Note that since we have chosen otsvk∗ uniformly at random and since we already eliminated any case where any signature sent to TraceShareuses the same tag as that we used in the challenge signature, such a query will be accepted by A4’s ShareDecH(otsvk

∗_{)}

oracle because the tag is different from the target tag used in the challenge signature.

• _{Trace}_{: To answer this,} A

4 just uses its ShareDecH(otsvk

∗_{)}

oracle to get all the decryption shares
{ν_{i}}κ

i=1ofCdtbecontained within the signature.

Finally, whenBoutputs its guess,A4’s output is that ofB

Lemma 4. The construction is non-frameable if N IZK is sound, the hash function H is collision-resistant, and the digital signaturesDS2andWDSas well as the one-time signatureOT Sare existen-tially unforgeable.

Proof. We show that if there exists an adversaryB that wins the non-frameability game then we can build adversaries A1 against the unforgeability of signature scheme DS2, adversary A2 against the

unforgeability of the weak digital signature WDS, adversary A_{3} against the strong unforgeability of
the one-time signature schemeOT S,A4against the collision-resistance of the hash functionHandA5

against the soundness ofN IZKrespectively, such that

AdvNon-FrameDGSDT,B,κ(λ)≤γ(λ)· AdvUnforDS2,A1(λ) +Adv Unfor WDS,A2(λ)

+δ(λ)·AdvUnforOT S,A3(λ)

+AdvColl_{H}_{,}_{A}_{4}(λ) +AdvSound_{N IZK}_{,}_{A}_{5}(λ),

whereγ(λ)andδ(λ)are polynomials inλrepresenting an upper bound on the number of honest users and signing queries, respectively,Bis allowed to make in the game.