A non-delegatable identity-based strong designated verifier signature scheme

A non-delegatable identity-based strong designated

verifier signature scheme

Bin Wang

Information Engineering College of Yangzhou University Yangzhou City, Jiangsu Province, 225009, P.R.China

E-mail:[email protected]

Abstract: In a strong designated verifier signature scheme, no third party can verify the validity of a signature. On the other hand, non-delegatability, proposed by Lipmaa, Wang and Bao, is another stronger notion for designated verifier signature schemes. In this paper, we formalize a security model for non-delegatable identity based strong designated verifier signature (IDSDVS) schemes. Then a novel non-delegatable IDSDVS scheme based on pairing is presented. The presented scheme is proved to be non-delegatable, non-transferable and unforgeable under the Gap Bilinear Diffie-Hellman assumption.

Keywords: Strong designated verifier signature, Non-delegatability, Bilinear pairing, Gap Bilinear Diffie-Hellman assumption, Random oracle model;

1. Introduction

Jacobsson et al. [2] also introduced a stronger notion of designated verifier signature, called strong designated verifier signature (SDVS). In a SDVS scheme, no third party can verify the validity of a signature without the knowledge of the designated verifier’s secret key. In 2003, Saeednia formalized the notion of strong designated verifier signature(SDVS) [7] and proposed an efficient scheme in their paper. Later, Susilo et al. [8] proposed an identity based SDVS scheme which is only an identity based variant of the scheme of [7].

On the other hand, Lipmaa et al. [5] described another stronger notion of designated verifier signature, called non-delegatability. That is, there exists an efficient knowledge extractor that can extract either the signer’s secret key or the designated verifier’s secret key, when given oracle access to an adversary who can create valid signatures with a high probability. Recently, Zhang and Mao [9] proposed an identity based strong designated verifier signature (IDSDVS) scheme which is claimed to offer non-delegatability. However, Kang et al. [3] showed that Zhang-Mao scheme can not satisfy the strongness property. That is, Zhang-Mao scheme allows anyone who intercepts one signature to verify subsequent signatures. In addition, Kang et al. [4] also proposed an IDSDVS scheme and claimed that the security of their scheme is related to the bilinear Diffie-Hellman problem.

Nevertheless, we show that Kang et al.’s scheme presented in [4] is also vulnerable to the attack described in [3]. The essence of this attack is that the schemes in [4, 9] are delegatable. An effective solution to this problem is to design a non-delegatable IDSDVS scheme. Although Kang et al. [3] presented an efficient IDSDVS scheme, which uses hash operations to destroy algebraic structure of the produced signature in order to avoid the attack described in [3], it is not difficult to show that their scheme is also delegatable. Furthermore, no formal security proof is presented for their scheme in [3].

enjoys a tight reduction without using the Forking Lemma. Finally, we compare the efficiency with other related IDSDVS schemes.

2. Preliminaries

2.1 Bilinear pairing

Let

<

G

₁

,

+ >

be a cyclic additive group generated by

P

, whose order is a large prime

q

,

<

G

₂

,

i

>

be a cyclic multiplicative group of the same order, and let

e G

:

₁

×

G

₁

→

G

₂ be a bilinear pairing with the following properties:

1. Bilinear: For any

Q

,

R

,

T

∈

G

₁ ,

e Q

(

+

R T

, )

=

e Q T e R T

( , ) ( , )

i

and

( ,

)

( , ) ( , )

e Q R T

+

=

e Q R e Q T

i

2. Non-degenerate: There exists

R

,

T

∈

G

₁, such that

e R T

( , )

≠

1

3. Computable: There exists an efficient algorithm to compute

e R T

( , )

for any

R

,

T

∈

G

₁.

2.2 Notation

If

A

is a randomized algorithm, then 1( ), 2( ),

1 2

( ,

,

)

O O

y

←

A

⋅ ⋅

x x

means that

A

has input

x x

₁

,

₂

,

, access to oracles

O O

₁

,

₂

,

, and the output of

A

is assigned to

y

. We use the notation

x

∈

R

S

to mean “the element x is chosen with uniform probability from

the set S”.

2.3 Complexity assumptions

Definition 1: Bilinear Diffie-Hellman(BDH) Problem in

(

G G

₁

,

₂

)

: Given

1

,

,

,

P a P b P c P

⋅

⋅

⋅ ∈

G

for some unknown

a b c

, ,

∈

Z

_q, compute

( , )

2

abc

d

=

e P P

∈

G

.

Definition 2: Decisional Bilinear Diffie-Hellman(DBDH) Problem in

(

G G

₁

,

₂

)

:

( , )

abc

z

=

e P P

holds.

Definition 3: Gap Bilinear Diffie-Hellman(GBDH) Problem in

(

G G

₁

,

₂

)

: Given

1

,

,

,

P a P b P c P

⋅

⋅

⋅ ∈

G

for some unknown

a b c

, ,

∈

Z

_q , compute

d

=

e P P

( , )

abc

∈

G

₂

with the help of a DBDH oracle

O

_DBDH.

Remark: A DBDH oracle

O

DBDH outputs 1 if

( , )

abc

z

=

e P P

and 0 otherwise. The success probability of an algorithm

A

in solving the GBDH problem in

(

G G

1

,

2

)

is

1, 2 ( ) Pr[ ( , , , ) ( , ) : , , ]

DBDH

O

GBDH abc

G G q

Succ A = A P a P b P c P⋅ ⋅ ⋅ =e P P a b c∈Z .

A

( , )

t

ε

-GBDH solver

A

is a probabilistic polynomial-time algorithm running in time at most

t

such that the success probability

1, 2 ( )

GBDH G G

Succ A

≥

ε

. We say that

(

G G

₁

,

₂

)

satisfies the GBDH assumption if there is no polynomial time

( , )

t

ε

-GBDH solver

A

with advantage

ε

non-negligible.

3. Weakness of Kang et al’s scheme [4]

3.1 Review ofKang et al’s scheme [4]

1. Setup: Let

<

G

₁

,

+ >

be a gap Diffie-Hellman group generated by

P

, whose order is a large prime

q

,

<

G

₂

,

i

>

be a cyclic multiplicative group of the same order, and let

1 1 2

:

e G

×

G

→

G

be a bilinear map. Then PKG (private key generation centre) picks a random number s *

q

Z

∈ as the master secret key and sets the master public key to

pub

P

=s P⋅ .

H H

₁

,

₂ are two cryptographic hash functions

* 1

:{0,1}

1

,

H

→

G

H₂:{0,1}* →Z_q*.

The public system parameters are

<

G G P P

₁

,

₂

, ,

_pub

,

H H e q

₁

,

₂

, ,

>

.

secure channel.

3.Sign: To sign a message m intended for a verifier Bob with identity

ID

_B, a signer Alice with identity

ID

_A picks a random number k *

q

Z

∈ and computes

t

=

e P Q

( ,

_B

)

k,

T

= ⋅ +

k P

H m t S

₂

( , )

_A,

σ

=

e T Q

( ,

_B

)

. The signature on m is

( , )

σ

t

.

4.Verify: Given the system parameters,

Q

_A

=

H ID

₁

(

_A

)

, and the signature

( , )

σ

t

on the signed message m, the correctness of

( , )

σ

t

can be verified by Bob as follows:

₍

_,

₎

H2( , )m t

A B

t e Q S

σ

= ⋅

5.Signature Simulation: Bob can produce the simulated signature

σ

intended for him as follows:

(1) Picks a random number

k

∈Z_q*.

(2) Computes

t

=

e P Q

( ,

_B

)

k,

₍

_,

₎

H2( , )m t

A B

t e Q S

σ

= ⋅

.

3.2 Attack onKang et al’s scheme [4]

An adversary who intercepts the signature

( , )

σ

t

can compute

e Q S

(

_A

,

_B

)

as follows:

(

_A

,

_B

)

e Q S

=₍

σ

_t)(H2( , ))m t 1

− .

Thus it is easy to see that the adversary can verify the correctness of subsequent signatures and simulate valid signatures intended for Bob via

e Q S

(

_A

,

_B

)

. The essence of this attack is that Kang et al’s scheme [4] is delegatable. That is, anyone who has the knowledge of the trapdoor

e Q S

(

A

,

B

)

can verify the correctness of signatures and simulate valid signatures. An effective solution to this problem is to design a non-delegatable IDSDVS scheme. The notion of delegatability is discussed in subsection 4.2.3.

presented for their scheme in [3]. In the following, we focus on establishing a security model for non-delegatable IDSDVS schemes and present a scheme secure under this model.

4. Formal model of IDSDVS schemes

4.1 Definition of IDSDVS schemes

An IDSDVS scheme consists of the following polynomial-time algorithms:

1. MasterKeyGen(Master Key Generation): On input a security parameter k∈ Ν, it generates a list of system parameters params, and a master public/secret key pair

(

mpk msk

,

)

. This algorithm is assumed to be run by a Key Generation Center (KGC).

2. KeyGen(User Key Generation): On input msk, an identity

ID

∈

{0,1}

*, it generates a secret key

sk

_ID ←KeyGen

(

ID msk

,

)

. This algorithm is run by the KGC for each user and the generated secret key is assumed to be distributed securely to the corresponding user.

3. SDV_Sign(Signature Generation): On input a signer’s secret key S

ID

sk

, a verifier’s

identity

ID

_D and a message m , it generates a signature by executing

DV

σ

←SDV_Sign

(

,

, )

S

ID D

sk

ID m

. We require that the signer’s identity

ID

_S

≠

ID

_D since it is meaningless to generate a signature to be verified only by the signer.

4. SDV_Verf(Signature Verification): On input the signer’s identity

ID

_S, the verifier’s secret key

D

ID

sk

, the signed message m and the signature

σ

_DV, SDV_Verf returns 1 if

DV

σ

is accepted, and 0 otherwise.

5. SDV_Sim(Signature Simulation): On input the signer’s identity

ID

_S, the verifier’s secret key

D

ID

sk

, and a message m , it generates a simulated signature

DV

σ

←SDV_Sim

(

,

, )

D

ID S

sk

ID m

.

Consistency:

∀

m

∈

{0,1}

*,

ID

∈

{0,1}

*, k∈ Ν ,

(

mpk msk

,

)

←

MasterKeyGen

(1 )

k ,

ID

sk

←

KeyGen

(

ID msk

,

)

, the following hold: (1)

∀

σ

_DV ←SDV_Sign

(

,

, )

S

ID D

sk

ID m

,

Pr[SDV_Verf (

,

, ,

)=1]=1

D

ID S DV

(2)

∀

σ

_DV ←SDV_Sim

(

,

, )

D

ID S

sk

ID m

,

Pr[SDV_Verf (

,

, ,

)=1]=1

D

ID S DV

sk

ID m

σ

.

4.2 Security model

4.2.1 Unforgeability

Let IDSDVS be an identity-based strong designated verifier signature scheme and

k∈ Ν be a security parameter. In this section, we define the existential unforgeability of IDSDVS schemes against an adaptive chosen message and chosen identity adversary

A

as follows. Define a game Exp_{EUF IDSDVS}CMA CID_,, ( , )A k in which the adversary

A

interacts with a game challenger S.

Phase 1: At first, S runs MasterKeyGen

(1 )

k

to get

(

mpk msk

,

)

and a list of system parameters params. In the following, S picks n identities

X

=

{

ID

₁

,

,

ID

_n

}

. Then Corr is initialized to an empty set ∅ which is used to keep track of those corrupted users’ identities. S gives

mpk

, params and

X

to the adversary

A

.

Phase 2:

A

issues the following queries:

1. UserKey queries: On input an identity

ID

∈

X

chosen by

A

, S runs KeyGen

(

ID msk

,

)

to get the secret key

sk

ID and returns

sk

ID to

A

. Then

{

}

Corr

←

Corr

∪

ID

.

2. Sign queries: On input a signer’s identity

ID

_i , a verifier’s identity

ID

_j and a message m adaptively chosen by

A

, S returns a signature by executing

DV

σ

←SDV_Sign

(

,

, )

i

ID j

sk

ID m

.

3. Verf queries: On input the signer’s identity

ID

_i , the verifier’s identity

ID

_j, and a

message/signature pair

( ,

m

σ

_DV

)

provided by

A

, S returns the result of running

SDV_Verf ( , , , )

j

ID i DV

sk ID m

σ

.

4. Sim queries: On input the signer’s identity

ID

i , the verifier’s identity

ID

j and a

DV

σ

←SDV_Sim( , , )

j

ID i

sk ID m .

Phase 3:

A

wins the game if

A

outputs

ID

_S (the signer’s identity),

ID

_D(the

verifier’s identity) and a message/signature pair

(

m

*

,

σ

*_DV

)

such that:

(1)

ID

_S

≠

ID

_D, SDV_Verf ( , , *, * )=1

D

ID S DV

sk ID m

σ

.

(2)

A

never made a Sign query or a Sim query on

(

ID ID m

S

,

D

,

*

)

and

{

S

,

D

}

Corr

∩

ID ID

= ∅

.

We define the success probability of the adversary as

,

, ( , )

CMA CID EUF IDSDVS

Succ A k =Pr[ExpEUF IDSDVSCMA CID_,, ( , )A k =1].

An IDSDVS scheme is existential unforgeable against chosen message and chosen identity attack if the success probability CMA CID_,, ( , )

EUF IDSDVS

Succ A k is negligible for any probabilistic polynomial time (PPT) adversary

A

.

Remark: Zhang-Mao scheme [9] only provided an informal definition of unforgeability. An adversary in the security model of [4] is not allowed to issue Sim queries when attacking unforgeability. In contrast, our model provides a stronger security notion in which an adversary is allowed to issue Sim queries when attacking unforgeability.

4.2.2 Non-transferability

Non-transferability means that a third party is not able to determine whether a message is signed by the signer, or is simulated by the designated verifier. Formally, let IDSDVS be an identity-based strong designated verifier signature scheme, and k∈ Ν be a security parameter. The non-transferability of IDSDVS schemes against adaptive chosen message and chosen identity distinguisher

D

can be defined as follows. Define a game

,

, ( , )

CMA CID Non Tran IDSDVS

Exp ₋ D k in which the distinguisher

D

interacts with a game challenger S.

users’ identities. S gives

mpk

, params and

X

to

D

.

Phase 2: UserKey queries, Sign queries, Verf queries and Sim queries issued by

D

are the same as those defined in section 4.2.1.

Challenge: Once

D

decides that Phase 2 is over,

D

picks a tuple

(

ID ID m

_S*

,

_D*

,

*

)

such that

(

ID ID m

_S*

,

*_D

,

*

)

has not been submitted as one of the Sign queries, Sim queries. Moreover, it is required that

Corr

∩

{

ID ID

_S*

,

*_D

}

= ∅

. Then the challenger S picks a random bit b

∈

{0,1}

. If b = 0 , S returns a real signature

DV

σ

←SDV_Sign *

* *

(

,

,

)

S D

ID

sk

ID m

to the distinguisher

D

. Otherwise, S returns a

simulated signature

σ

_DV ←SDV_Sim *

* *

(

,

,

)

D S

ID

sk

ID m

to the distinguisher

D

.

Phase 3: Upon receiving the challenging response from S,

D

still makes UserKey queries, Sign queries, Sim queries and Verf queries except that he cannot submit

* * *

(

ID ID m

_S

,

_D

,

)

as one of the Sign queries, Sim queries.

Guess: Finally,

D

outputs a bit

b

/.

D

wins the game if

b

/

=

b

. The advantage of

D

in this game is

Adv D k

( , )

=

|Pr[

/

]

1

|

2

b

= −

b

. An IDSDVS scheme is non-transferable against adaptive chosen message and chosen identity distinguisher

D

if for any probabilistic polynomial time (PPT)

D

, the advantage

Adv D k

( , )

is negligible.

4.2.3 Non-delegatability

The definition of non-delegatability is presented in [5]. We provide a straightforward adaptation of [5] to IDSVDS schemes. A delegatable IDSVDS scheme means that the signer identified by

ID

_S , without disclosing his secret key

sk

_S , may disclose some side information

y

_{S D,}

=

f sk ID

(

_S

,

_D

)

to an adversary such that the adversary can produce valid

information

y

_{D S,}

=

f sk

(

_D

,

ID

_S

)

to the adversary such that the adversary can produce valid simulated signatures.

In the original definition of designated verifier proofs [2], a proof of the truth of some statement

Φ

is a designated verifier proof if it is a proof that either

Φ

is true or the prover knows the secret key of the verifier. Clearly, this requirement is not satisfied by delegatable IDSVDS schemes since a signer only proves that either

Φ

is true or he knows some side information

y

_{S D,} or

y

_{D S,} . We formalize the definition of non-delegatable IDSVDS schemes via an alternative formulation from [1] as follows:

Let k

∈

[0,1]

be the knowledge error and

(

sk ID

_S

,

_S

)

(resp.,

(

sk

_D

,

ID

_D

)

) be the secret/public key pair of the signer(resp., verifier). Assume that there is an algorithm

F

that can produce a valid signature

σ

on input a message m such that

SDV_Verf (

,

, , )=1

D

ID S

sk

ID m

σ

with probability

ε

>k. We say that an IDSVDS scheme is

( , )

τ

k

non-delegatable if there is a knowledge extractor

K

that runs in expected polynomial time (without counting the time to make the oracle queries) with access to the oracle

F

( )

i

such that:

( )

Pr[ { , }: ( )] ( )

S D

F ID ID

x∈ sk sk x←K i i ≥

ε

−k

τ

.

5. Our scheme

In this section, we propose a non-delegatable IDSDVS scheme as follows:

1. MasterKeyGen(Master Key Generation): On input a security parameter k∈ Ν, let

1

,

G

<

+ >

be a cyclic additive group generated by

P

, whose order is a large prime

q

,

2

log

q

≈

k

, and

<

G

₂

,

i

>

be a cyclic multiplicative group of the same order.

1 1 2

:

e G

×

G

→

G

represents a bilinear map. Then KGC performs the following operations:

(1) Picks a random number s ∈Z_q* and sets the master public/secret key pair

,

mpk msk

(2) Chooses two collision-resistant hash functions G:{0,1}* →Z Hq, :{0,1}*→G1.

(3) Sets the system parameters params to

<

(

G

₁

, ), (

+

G

₂

, ), , , , ,

i

e q P G H

>

.

KeyGen(User Key Generation): On input an identity

ID

_i , KGC computes

(

)

i i

Q

=

H ID

,

sk

_i=

msk Q

⋅

_i. Then KGC distributes

sk

_i to the corresponding user as his secret key over a secure channel. The user can verify the correctness by checking

(

_i

, )

(

_i

,

)

e sk P

=

e Q mpk

.

SDV_Sign(Signature Generation): Given the signer’s key pair

(

,

)

S

ID S

sk

ID

, the

verifier’s identity

ID

D and a message m, the signer should perform the following steps:

(1) Picks random numbers

r w t

_S

,

_S

,

_S

∈

Z

_q and computes

S

R

=

(

,

)

D

ID s

e Q

r P

⋅

,

T

_S

= ⋅

t

_S

mpk

.

(2) Computes

V

_S=

(

,

)

D

S S ID

e mpk t

⋅ +

P

w Q

⋅

,

h

_S

=

G ID ID

(

_S

,

_D

,

R V m

_S

,

_S

, )

.

(3) Computes

Z

_S=

(

)

S

S S S ID

r P

⋅ +

h

+

w

⋅

sk

(4) The signature is

σ

DV=

<

R w T Z

S

,

S

,

S

,

S

>

.

SDV_Verf(Signature Verification): Given the signer’s identity

ID

_S, the verifier’s key pair

(

,

)

D

ID D

sk

ID

, the signed message m and the corresponding signature

σ

_DV , the

correctness of

σ

_DV=

<

R w T Z

_S

,

_S

,

_S

,

_S

>

can be verified as follows: (1) Computes

V

_S=

( ,

)

D

S S ID

e P T

+

w

⋅

sk

,

h

_S

=

G ID ID

(

_S

,

_D

,

R V m

_S

,

_S

, )

(2) Returns 1 if and only if

(

,

)

D

ID S

e Q

Z

=

R

_S

i

(

, (

)

)

D S

ID S S ID

e sk

h

+

w

⋅

Q

. It is easy to check the correctness of the above verification process as follows:

( ,

)

D

S S ID

e P T

+

w

⋅

sk

=

( ,

(

))

D

S S ID

e P s t

⋅

⋅ +

P

w Q

⋅

=

(

,

)

D

S S ID

e mpk t

⋅ +

P

w Q

⋅

=

V

_S

(

,

)

D

ID S

e Q

Z

=

(

,

(

)

)

D S

ID S S S ID

e Q

r P

⋅ +

h

+

w

⋅

sk

=

(

,

)

D

ID S

e Q

r P

⋅

(

, (

)

)

D S

ID S S ID

=

R

_S

i

(

, (

)

)

D S

ID S S ID

e sk

h

+

w

⋅

Q

SDV_Sim(Signature Simulation): Given the signer’s identity

ID

_S, the verifier’s key

pair

(

,

)

D

ID D

sk

ID

, a message m, a simulated signature

σ

_DV can be generated as follows: (1) Picks random

α

_D

,

λ

_D

∈

Z

_q,

Z

_D

∈

G

₁ and computes

( ,

)

D D

V

=

e P

α

⋅

P

.

(2) Computes

R

_D=

(

,

) (

,

)

D D S

ID D ID D ID

e Q

Z

i

e sk

− ⋅

λ

Q

,

h

_D

=

G ID ID

(

_S

,

_D

,

R V m

_D

,

_D

, )

.

(3) Computes

w

_D

=

(

λ

_D

−

h

_D

) mod

q

. (4) Computes

T

_D=

(

)

D

D

P

w

D

sk

ID

α

⋅ −

⋅

.

(5) The simulated signature is

σ

_DV =

<

R

_D

,

w T Z

_D

,

_D

,

_D

>

The correctness of

σ

_DV can be checked as follows:

( ,

)

D

D D ID

e P T

+

w

⋅

sk

=

e P

( ,

α

_D

⋅

P

)

=

V

_D

(

,

)

(

,

)

D D S

ID D D ID D ID

e Q

Z

=

R e sk

i

λ

⋅

Q

=

(

, (

)

)

D S

D ID D D ID

R e sk

i

h

+

w

⋅

Q

6.Security Analysis

Lemma 1: Given the key pairs

(

,

)

S

ID S

sk

ID

,

(

,

)

D

ID D

sk

ID

, the following distributions are indistinguishable for a polynomial-time adversary in the random oracle model.

2 1

,

(

,

,

,

)

,

(

)

S

S R S R q S S S S S R S R q

S S S S ID

R

G w

Z

R w T Z

T

G h

Z

Z

r P

h

w

sk

δ

⎧

_∈

_∈

⎫

⎪

⎪

⎪

⎪

=

_⎨

∈

∈

_⎬

⎪

_{= ⋅ +}

₊

_⋅

⎪

⎪

⎪

⎩

⎭

1 2 /

,

,

(

,

,

,

)

,

(

)

D

D R D R q D R D D D D D R q D R q

D D D ID

Z

G

Z R

G

R

w T Z

h

Z w

Z

T

P

w

sk

α

δ

α

⎧

_∈

_∈

_∈

⎫

⎪

⎪

⎪

⎪

=

_⎨

∈

∈

_⎬

⎪

₌

_{⋅ −}

_⋅

⎪

⎪

⎪

⎩

⎭

Proof: At first, we choose a valid tuple

σ

/

=

( , , , )

R w T Z

such that for some message m /

SDV_Verf ( , , , )=1

D

ID S

V =

( ,

)

D

ID

e P T

+ ⋅

w sk

,

h

=

G ID ID

(

_S

,

_D

, , , )

R V m

(

, )

D

ID

e Q

Z

=

R

i

(

, (

)

)

D S

ID ID

e sk

h

+

w Q

⋅

.

We then compute the probability of appearance of this tuple following each distribution of probabilities. For the sake of simplicity, we will omit the notation

mod

q

in the rest of the proof.

Claim 1:

Pr[(

R w T Z

_S

,

_S

,

_S

,

_S

)

( , , , )]

R w T Z

δ

=

= 2 1

,

,

Pr[

]

,

,

S S R S S R q S S R

S

R

R R

G

w

w w

Z

T

T T

G

Z

Z

δ

=

∈

⎧

⎫

⎪

₌

_∈

⎪

⎪

⎪

⎨

₌

_∈

⎬

⎪

⎪

⎪

₌

⎪

⎩

⎭

=

1

q

3

Proof: At first,

R w T

_S

,

_S

,

_S are chosen from

G Z G

₂

,

_q

,

₁ respectively. As

R

_S

=

R

,

w

_S

=

w

,

S

T

=

T

, we have

V

_S

=

V h

,

_S

=

h

by the verification equations defined in section 5. In the following, we know that:

(

, )

D

ID

e Q

Z

=

R

i

(

, (

)

)

D S

ID ID

e sk

h

+

w Q

⋅

.

=

R

_S

i

(

, (

)

)

D S

ID S S ID

e sk

h

+

w

⋅

Q

=

(

,

)

D

ID S

e Q

Z

Hence this result implies that

Z

S

=

Z

.

Claim 2:

/

Pr[(

R

_D

,

w T Z

_D

,

_D

,

_D

)

( , , , )]

R w T Z

δ

=

= / 1 2

,

,

Pr[

]

,

D D R D D R D D R q D

Z

Z Z

G

R

R R

G

w

w w

Z

T

T

δ

=

∈

⎧

⎫

⎪

₌

_∈

⎪

⎪

⎪

⎨

₌

_∈

⎬

⎪

⎪

⎪

₌

⎪

⎩

⎭

=

(1

q

3

)(1 1 )

−

q

Proof: At first,

Z

D

,

R

D

,

w

D are chosen from

G G Z

1

,

2

,

q respectively.

As

R

_D

=

R

,

w

_D

=

w Z

,

_D

=

Z

, we have the following equations:

(

, )

D

ID

e Q

Z

=

(

,

)

D

ID D

e Q

Z

(

, )

D

ID

e Q

Z

=

R

i

(

, (

)

)

D S

ID ID

e sk

h

+

w Q

⋅

=

R

_D

i

(

, (

)

)

D S

ID D ID

e sk

h

+

w

⋅

Q

(

,

)

D

ID D

e Q

Z

=

(

, (

)

)

D S

D ID D D ID

Hence this result implies that

h

=

h

D . Then we know that

Pr[

V

_D

=

V h

|

=

h

_D

] 1 1

= −

q

due to the fact that

h

=

G ID ID

(

_S

,

_D

, , , )

R V m

and the hash

function G is assumed to be a random function. So we can assume that

V

_D

=

V

. Finally, we have the following equations:

V =

( ,

)

D

ID

e P T

+ ⋅

w sk

D

V

=

( ,

)

D

D D ID

e P T

+

w

⋅

sk

=

( ,

)

D

D ID

e P T

+ ⋅

w sk

It is easy to see that

T

_D

=

T

on condition that

V

_D

=

V

.

The statistical distance between

δ

and

δ

/ is

1

q

≈

1 2

k. Hence, both distributions of probabilities are indistinguishable for a polynomial time(in k) adversary according to Claim 1 and Claim 2.

Remark: As the distributions are statistically close(i.e., indistinguishable for a polynomial-time adversary), access to simulated signatures will not help the adversary. Hence we will not provide the adversary with simulated signatures when analyzing the unforgeability of our scheme.

The Splitting Lemma [6]: Let

A

⊂ ×

X Y

such that

Pr[( , )

x y

∈

A

]

≥

γ

. For any

α γ

<

, define

/

/

{( , )

| Pr [( ,

)

]

}

y Y

B

x y

X Y

x y

A

γ α

∈

=

∈ ×

∈

≥ −

, then Pr[ | ]B A ≥

α γ

holds.

Theorem 1: Let the knowledge error k=0. Assume that there is an algorithm

F

that can make queries to a random oracle G and produce a real signature

σ

on input a message

m with probability at least

ε

. Let

q

_G be a bound on the number of queries

(

R V m

_j

,

_j

,

_j

)

made by

F

to the random oracle G. Then there is a

(4

q

_G

ε

, 0)

knowledge extractor

K

such that Pr[ : ( )( )] 2 4

S

F

ID G

x=sk x←K i m ≥

ε

q .

σ

=

( , , , )

R w T Z

on input a message m with probability at least

ε

. Since G is a

random oracle, the probability that

( , , )

R V m

, where V =

( ,

)

D

ID

e P T

+ ⋅

w sk

, is not asked to

G is at most 1 q . Hence we can define

Ind

( , )

ω

G

to be the index

j

such that

( , , )

R V m

=

(

R V m

_j

,

_j

,

_j

)

. We then define the following sets:

{( , ) |

G

( )

S

=

ω

G

F

ω

succeeds and

(1

≤

Ind

( , )

ω

G

≤

q

G

)}

{( , ) |

G

( )

i

S

=

ω

G

F

ω

succeeds and

(

Ind

( , )

ω

G

=

i

,1

≤ ≤

i

q

_G

)}

We now apply the Splitting Lemma for each

i

,1

≤ ≤

i

q

_G. We denote by

G

_i the restriction of G to queries of index strictly less than

i

. Let

α

=

ε

2

q

_G,

γ

=

ε

q

_G. Since

Pr[ ]

S

_i

=

ε

q

_G, it is easy to see that there exists a subset

Ω

_i of executions by the Splitting Lemma such that:

For any

（

ω

,

G

）

∈Ω

i , and any

/

G

, if

Pr[( ,

ω

G

/

)

∈

S G

i

|

i/

=

G

i

]

≥

ε

2

q

G , then

Pr[

Ω

_i

|

S

_i

] 1 2

≥

, where

G

/ is another random oracle.

Since all the subsets

S

i are disjoint and

Pr[

S S

i

| ]

is

1

q

G , we have

,

Pr[ (1 G), ( , ) i i| ]

G i q G S S

ω ∃ ≤ ≤

ω

∈Ω ∩

=

1

Pr[ | ]

G

i i i q

S S ≤ ≤

Ω

∑

∩ =

1

Pr[ | ]Pr[ | ]

G

i i i i q

S S S

≤ ≤

Ω

∑

≥

1 2.

We let

β

denote the index

Ind

( , )

ω

G

corresponding to the successful pair. With probability at least 1 2, we have

1

≤ ≤

β

q

_G and

( , )

ω

G

∈Ω

_β

∩

S

_β by the above

argument. Hence with probability at least

ε

2 ,

F

can produce a real signature

(

R w T Z

_β

,

_β

,

_β

, )

σ

=

with such an index

β

.

In the following, if we replay

F

with the fixed random tape

ω

but a randomly chosen oracle

G

/ such that G_β/ =G_β , we know

/

/ /

Pr[( , ) | ] 2 _G

G

G S_β G_β G_β q

ω

∈ = ≥

ε

since

( , )

ω

G

∈Ω

_β

∩

S

_β. Then

/

/

Pr[( , )

G

ω

G ∈Sβ and

/ /

| ]

≥

/

/ /

Pr[( , ) | ]

G

G S_β G_β G_β

ω

∈ = _/ /

Pr[ ]

G

h_β h_β

− =

≥

(

ε

2

q

_G

−

1 )

q

≈

ε

2

q

_G ,

where h_β/ =G ID ID/( _S, _D,R V m_β, _β, _β),h_β =G ID ID( _S, _D,R V m_β, _β, _β).

Then with probability

ε

2

q

_G we get another success

σ

/ =(R w T Z_β, _β, _β, /), where

( ,

)

R

_β

=

e P r

_β

⋅

P

,

T

_β

= ⋅

t

_β

P

,

V

_β =

(

,

)

D

ID

e mpk t

_β

⋅ +

P

w

_β

⋅

Q

and

r w t

_β

,

_β

,

_β are the fixed random coins used by

F

.

Finally, we have the following equations with probability at least

ε

2

4

q

G:

Z

=

(

)

S

ID

r

_β

⋅ +

P

h

_β

+

w

_β

⋅

sk

/

Z

= ( / )

S

ID

rβ⋅ +P hβ +wβ ⋅sk

Hence S

ID

sk

=(h_β/ −h_β)−1⋅(Z/−Z).

Theorem 2: Let the knowledge error k=0. Assume that there is an algorithm

F

that can make queries to a random oracle G and produce a valid simulated signature

σ

on input a message m with probability at least

ε

. Let

q

_G be a bound on the number of queries

(

R V m

_j

,

_j

,

_j

)

made by

F

to the random oracle G . Then there is a

(4

q

_G

ε

, 0)

knowledge extractor

K

such that Pr[ : ( )( )] 2 4

D

F

ID G

x=sk x←K i m ≥

ε

q .

Proof: Assume that

F

is a PPT Turing machine with a random tape

ω

and makes queries to a random oracle G. For a random choice of

( , )

ω

G

,

F

can produce a valid simulated signature

σ

=

( , , , )

R w T Z

on input a message m with probability at least

ε

. Since G

is a random oracle, the probability that

( , , )

R V m

, where V =

( ,

)

D

ID

e P T

+ ⋅

w sk

, is not

asked to G is at most 1 q. Hence we can define

Ind

( , )

ω

G

to be the index

j

such that

( , , )

R V m

=

(

R V m

_j

,

_j

,

_j

)

. We then define the sets:

{( , ) |

G

( )

S

=

ω

G

F

ω

succeeds and

(1

≤

Ind

( , )

ω

G

≤

q

_G

)}

{( , ) |

G

( )

i

We now apply the Splitting Lemma for each

i

,1

≤ ≤

i

q

G. We denote by

G

i the

restriction of G to queries of index strictly less than

i

. Let

α

=

ε

2

q

_G ,

γ

=

ε

q

_G . Since

Pr[ ]

S

_i

=

ε

q

_G , it is easy to see that there exists a subset

Ω

_i of executions by the Splitting Lemma such that:

For any

（

ω

,

G

）

∈Ω

_i , and any

G

/ ,

Pr[( ,

ω

G

/

)

∈

S G

_i

|

_i/

=

G

_i

]

≥

ε

2

q

_G , then

Pr[

Ω

_i

|

S

_i

] 1 2

≥

, where

G

/ is another random oracle.

Since all the subsets

S

_i are disjoint and

Pr[

S S

_i

| ]

is

1

q

_G , we have

,

Pr[ (1 _G), ( , ) _{i i}| ]

G i q G S S

ω ∃ ≤ ≤

ω

∈Ω ∩

=

1

Pr[ | ]

G

i i i q

S S ≤ ≤

Ω

∑

∩ =

1

Pr[ | ]Pr[ | ]

G

i i i i q

S S S

≤ ≤

Ω

∑

≥

1 2.

We let

β

denote the index

Ind

( , )

ω

G

corresponding to the successful pair. With probability at least 1 2, we have

1

≤ ≤

β

q

_G and

( , )

ω

G

∈Ω

_β

∩

S

_β . Hence with probability at least

ε

2,

F

can produce a valid simulated signature

σ

=

(

R w T Z

_β

,

_β

,

_β

,

_β

)

with such an index

β

.

In the following, if we replay

F

with the fixed random tape

ω

but randomly chosen oracle

G

/ such that G_β/ =G_β , we know

/

/ /

Pr[( , ) | ] 2 _G

G

G S_β G_β G_β q

ω

∈ = ≥

ε

since

( , )

ω

G

∈Ω

_β

∩

S

_β. Then

/

/

Pr[( , )

G

ω

G ∈Sβ and

/ /

| ]

h_β ≠h_β G_β =G_β

≥

/

/ /

Pr[( , ) | ]

G

ω

G ∈Sβ Gβ =Gβ / /

Pr[ ]

G hβ hβ

− =

≥

(

ε

2

q

_G

−

1 )

q

≈

ε

2

q

_G ,

where hβ/ =G ID ID/( S, D,R V mβ, β, β),hβ =G ID ID( S, D,R V mβ, β, β).

Then with probability

ε

2

q

_G we get another success

σ

/ =(R w T Z_β, _β/, _β/, _β), where

R

_β=

(

,

) (

,

)

D D S

ID ID ID

e Q

Z

_β

i

e sk

− ⋅

λ

_β

Q

and the fixed random coins used by

F

in this case

are

α λ

_β

,

_β

,

Z

_β since

σ

/ is a valid simulated signature. Note that

w

_β

=

(

λ

_β

−

h

_β

) mod

q

,

/ /

( ) mod

Finally, we have the following equations with probability at least

ε

2

4

q

_G:

T

_β=

(

)

D

ID

P

w

sk

β β

α

⋅ −

⋅

/

T_β=( / )

D

ID

P w sk

β β

α

⋅ − ⋅

Hence D

ID

sk

=(w_β −w_β/)−1⋅(T_β/ −T_β).

Theorem 3: Assume

(

G G

₁

,

₂

)

satisfies the GBDH assumption. Suppose there is a polynomial-time adversary

A

who makes at most

q

_k UserKey queries,

q

_s Sign queries and

q

v Verf queries can existentially forge a signature in our scheme with

non-negligible success probability

ε

in time at most

t

.Then there is an algorithm

B

that solves the GBDH problem in

(

G G

₁

,

₂

)

with probability:

2 /

(1 2 (

a

2)) (2 (

a

a

2) ))

ε

> −

+

+

ε

, where a=

q

_k

+ +

q

_s

q

_v.

Proof: Algorithm

B

is given as input a tuple

( ,

P a P b P c P

⋅

,

⋅

,

⋅

)

, where

P

is the generator of the group

G

₁ with prime order

q

,

a b c

, ,

∈

Z

_q . Then

B

works by interacting with the adversary

A

as follows.

The system parameters are params=

<

(

G

₁

, ), (

+

G

₂

, ), , , , ,

i

e q P G H

>

, where

G H

,

are the random oracles controlled by

B

.

At first,

B

initializes

mpk

with c P⋅ and picks n identities

X

=

{

ID

1

,

,

ID

n

}

.

Then

B

randomly picks two identities

ID ID

_S

,

_D

∈

X

. During the simulation,

B

can answer

A

’s queries as follows:

H

Queries:

B

maintains a list

H

list=

{

<

ID l H ID

, ,

(

) }

>

. On input an identity

ID

∈

X

chosen by

A

, if the queried identity

ID

appears in

H

₁list,

B

returns the previously assigned value. Otherwise,

B

performs as follows:

(1)

ID

∉

{

ID ID

_S

,

_D

}

,

B

picks a random l

∈

Z

_q and responds to

A

with

(

)

(2)

ID

=

ID

S,

B

responds to

A

with

H ID

(

)

=a P⋅ .

(3)

ID

=

ID

_D,

B

responds to

A

with

H ID

(

)

=b P⋅ .

G Queries:

B

maintains a list

G

list=

{ (

<

ID ID R V m g

_i

,

_j

, , , ),

_

hash

}

. On input

(

ID ID R V m

_i

,

_j

, , , )

chosen by

A

, if the queried tuple appears in

G

list,

B

returns the previously assigned value. Otherwise,

B

picks a random k

∈

Z

_q and responds to

A

with

g

_

hash

=k.

UserKey queries:

B

maintains a list

L

=

{

<

ID sk

,

_ID

>

}

. On input an identity

ID

∈

X

chosen by

A

, if the queried identity

ID

appears in

L

,

B

returns the previously assigned value. Otherwise,

B

performs as follows:

(1)

ID

∉

{

ID ID

_S

,

_D

}

,

B

looks up

H

list to extract a tuple

<

ID l H ID

, ,

(

)

>

and responds to

A

with

sk

_ID=

l mpk

⋅

. Then

Corr

←

Corr

∪

{

ID

}

.

(2)

ID

∈

{

ID ID

_S

,

_D

}

,

B

returns

⊥

and aborts.

Sign queries: On input a signer’s identity

ID

_i , a verifier’s identity

ID

_j and a message m adaptively chosen by

A

, if

ID

_i

≠

ID

_j,

B

performs as follows:

(1)

| {

ID ID

_i

,

_j

} {

∩

ID ID

_S

,

_D

} | 1

≤

: If

ID

i

∉

{

ID ID

S

,

D

}

,

B

looks up

L

to extract

i

ID

sk

and returns

σ

_DV ←SDV_Sign

(

,

, )

i

ID j

sk

ID m

. Otherwise,

B

looks up

L

to extract

j

ID

sk and returns

σ

_DV ←SDV_Sim( , , )

j

ID i

sk ID m .

(2)

{

ID ID

_i

,

_j

} {

=

ID ID

_S

,

_D

}

:

B

returns

⊥

and aborts.

Verf queries: Given a signer’s identity

ID

_i , a verifier’s identity

ID

_j, and a message/signature pair

( ,

m

σ

=

( , , , ))

R w T Z

provided by

A

,

ID

_i

≠

ID

_j , if

{

,

}

j S D

ID

∉

ID ID

,

B

returns the result of running SDV_Verf ( , , , )

j

ID i

sk ID m

σ

.

Otherwise,

B

returns

⊥

and aborts.

i

ID

, a verifier’s identity

ID

_j ,

ID

_i

≠

ID

_j , and a message/signature pair

* * * * * *

(

m

,

σ

=

(

R w T Z

,

,

,

))

. If

{

ID ID

_i

,

_j

} {

≠

ID ID

_S

,

_D

}

,

B

returns

⊥

and aborts. Otherwise, if the forgery output by the adversary

A

is successful, the probability that

A

does not issue a G query is at most 1 q. Hence we know that (ID ID R V m_i, _j, *, *, *) is

already in

G

list with probability at least 1 1− q in this case. For the sake of simplicity, we only consider the case

ID

_i

=

ID ID

_S

,

_j

=

ID

_D. The other case

ID

_i

=

ID

_D

,

ID

_j

=

ID

_S can be analyzed similarly.

So we have

h

*

=

G ID ID

(

_S

,

_D

,

R V m

*

,

*

,

*

)

,

(

)

i S

ID ID S

Q

=

Q

=

H ID

= ⋅

a P

,

( )

j D

ID ID D

Q =Q =H ID = b P⋅ ,

D

ID

sk

=

(

cb P

)

⋅

. Let ξ =

e b P Z

(

⋅

,

*

)

. If

* * 1

* ( )

(

,

,

, (

)

h w

)

DBDH

O

a P b P c P

⋅

⋅

⋅

ξ

R

+ − =1, then

B

returns (

ξ

R* ()h*+w*)−1. The reason is that the following equations hold:

*

( , )

D

ID

e Q Z =

R

*

i

* *

( , ( ) )

D S

ID ID

e sk h +w ⋅Q ,

( , )

abc

e P P

=(

ξ

R* ()h*+w*)−1.

Now it remains to analyze the probability of

B

not aborting.

B

aborts if the following events happens:

1

E

:

B

aborts when answering UserKey queries.

2

E

:

B

aborts when answering Sign queries.

3

E

:

B

aborts when answering Verf queries.

4

E

:

A

outputs

ID

_i and

ID

_j such that

{

ID ID

_i

,

_j

} {

≠

ID ID

_S

,

_D

}

.

It is easy to see that

Pr[

E

₁

]

= 2 n ,

Pr[

E

₂

]

= 2 n n( −1) ,

Pr[

E

₃

]

=

2

n

,

4

Pr[

E

]

=1 (2− n n( −1)). Hence the success probability

ε

/ of

B

can be estimated as follows:

/

ε

=

(1 2

−

_n

)

qk+qv

(1 2

−

_{n n}

(

−

1)) (2

qs

_{n n}

(

−

1))

ε

>

2