Download PDF
Research Article  |  Open Access  |  19 Sep 2024

Decentralized multi-authority anonymous credential system with bundled languages on identifiers in bilinear groups

Views: 72 |  Downloads: 10 |  Cited:  0
J Surveill Secur Saf 2024;5:160-83.
10.20517/jsss.2024.08 |  © The Author(s) 2024.
Author Information
Article Notes
Cite This Article

Abstract

We propose a multi-show decentralized multi-authority attribute-based anonymous credential system (dACS). Referring to previous work, we give a new syntax and three security notions: unforgeability, anonymity and unlinkability. Especially, corruption of authorities is considered to reflect a real scenario. Then we give a generic construction of dACS. In our dACS, an attribute authority who issues a private secret key to an entity only has to sign the entity’s identifier. Then, according to the principle of "commit-to-identifier", the entity generates a proof of knowing credentials. There are two building blocks: the structure-preserving signature scheme and the Groth-Sahai non-interactive proof system, both of which are in asymmetric bilinear groups. The principle is realized with a bundled language that is simultaneous pairing-product equations on the identifier. There, the bundled language works for preventing collusion attacks. Finally, we instantiate our generic dACS under the Symmetric External Diffie-Hellman (SXDH) assumption, compare the instantiated scheme with previous work, and evaluate the performance.

Keywords

Anonymous credential system, decentralized multi-authority, Groth-Sahai proofs, structure-preserving signatures

INTRODUCTION

A global identifier is a string of a digital identity that is linked to an entity in our cyberspace. An e-mail address issued by a reliable organization and a universally unique identifier (UUID) stipulated by ISO/IEC 11578:1996[1] can be a global identifier. Global identifiers are registered by authorities and used by entities to execute some rights in the space. An anonymous credential system (ACS) that was first proposed by Chaum is a system in which an entity with an identifier is given a credential of a right issued by an authority[2]. Then the entity can prove possession of the credential to a verifier, which is typically a service provider, without leaking its identity information. Thus, a primary aim of ACS is privacy protection in transactions in which a right of an entity is checked.

Towards real applications, ACS has been studied for efficiency in the mathematical structures of Rivest-Shamir-Adleman (RSA), discrete logarithm, bilinear groups, lattices, etc.[3-6]. As for functions of ACS, whether anonymous credentials are single-show or multi-show[3] is critical. A single-show ACS was introduced firstly by Brands[7], in which a credential can be proven only once; if it is proven more than once, then those proofs are possibly linked to avoid double spending. On the other hand, a multi-show ACS was introduced firstly by Camenisch-and-Lysyanskaya[3], in which a credential can be proven more than once keeping unlinkability. Another function of importance is to treat attribute credentials. Tan-and-Groß[8] introduced an attribute-based ACS (abACS), in which an entity can prove possession of a number of credentials simultaneously. For instance, it can prove possession of its attributes such as age = 30 AND gender} = female AND nationality USA. Further, Chan and Yuen developed an attributed-based ACS which supports both single-show and multi-show selectively[9]. In the design of such abACS, a primary target is efficiency from the viewpoints of computational amount and data length of a proof that an entity is in possession of claimed attribute credentials. Since a naive construction with linear complexity is easy because a simultaneous showing of their proofs suffices the need, asymptotic behavior smaller than linear complexity was pursued[8,9]. In contrast, a decentralized multi-authority ACS (dACS) that was introduced by Garman et al. is a different direction of study[10]. In a dACS, there are a number of authorities of issuing attribute credentials, and there is no central authority among them. Each authority is responsible for each attribute, and once a global identifier is linked to an entity, the authority is able to issue its attribute credential to the identifier.

A challenging task in the design of dACS is to attain collusion resistance. That is, in the case of dACS, the verifier should resist collusion attacks by adversaries who bring together their attribute credentials issued to different global identifiers. Note that the collusion resistance has been studied in attribute-based cryptographic primitives such as attribute-based encryption[11] and signatures[12], but in the case of dACS, it has not been studied yet. Another challenging task is to design dACS so that it is capable of treating any given formula for fine-grained access control, such as a monotone formula over attributes. Actually, the notion of "attributed-based" was initially introduced in the case of encryption and decryption by Sahai and Waters[13], and was developed by the subsequent work by, for example, Goyal et al.[14], Chase-and-Chow[15], etc. The anonymity, collusion resistance and fine-grained access control are three properties that need appropriate (and subtle) design techniques.

Our contribution

In this paper, we propose a multi-show dACS, which is able to treat any given all-AND formula. We first give syntax of our dACS. Then we give three security notions. One is existential unforgeability (EUF) against collusion attacks. There, we introduce corruption of authorities reflecting a real scenario that an adversary can corrupt some of the authorities and get their master secret keys. The second and third are anonymity and unlinkability of proofs. In our definitions, anonymity means that any probabilistic polynomial-time (PPT) adversary including the issuer can get only a negligible amount of information on identifiers from given proofs. On the other hand, unlinkability means that any PPT adversary cannot distinguish two cases; the first case is that two given proofs are generated by a single entity and the second case is that the two proofs are generated by two entities with different identifiers. Thus, the unlinkability of proofs is a stronger notion than the anonymity in our definitions, and we will prove the implication.

We then give a generic construction of dACS. In our dACS, a feature is that an attribute authority who issues a private secret key to an entity only has to sign the entity's identifier. At that time, the authority uses a set of common public parameters in a standard like NIST FIPS 186-4[16]. Then, according to the principle of "commit-to-identifier", the entity generates a proof of knowing credentials. There are two building blocks in the construction. One is the structure-preserving signature scheme[17] and the other is the Groth-Sahai non-interactive proof system[18,19], where both blocks are based on Type 3 asymmetric bilinear groups[20]. In the construction, the principle is realized with a bundled language that is simultaneous pairing-product equations on the entity's identifier and a structure-preserving signature on the identifier. Thus, the bundled language works for preventing collusion attacks. The bundled language is a special case of simultaneous equation systems. It would be natural to consider a generalization into the case of more than one common variable. The study of this direction is of independent interest.

In the succeeding section, we instantiate our generic dACS under the Symmetric External Diffie-Hellman (SXDH) assumption[17-19] on the Type 3 pairings. Then we compare features of our instantiated $$ \mathrm{dACS_{sxdh}} $$ with previous work and evaluate efficiency. As a result, it turns out that "decentralized multi-authority, security in the standard model and unforgeability under the (simple) SXDH assumption" is a positive aspect, as well as security considering partial corruption of authorities. Efficiency evaluation of our $$ \mathrm{dACS_{sxdh}} $$ shows that, when the number of attribute credentials involved in a proof is two, the data length of a proof is 68k bytes, and generation and verification times are 2.8 and 1.8 s, respectively. Since the proof size is linear in the number of attribute credentials involved in a proof, a construction with smaller asymptotic behavior should be our future work.

Related recent work

From the viewpoint of issuing authorities, the work by Garman et al. is the first ACS with decentralized multi-authority in the attribute-based setting (dACS, for short), which is capable of treating all-AND formulas[10]. Our dACS, in addition, is proven secure even when some of the authorities are corrupted (i.e., the master secret keys of them are leaked to adversaries).

Collusion attacks are also considered in the work by Garman et al., but the security claim is in the random oracle model[10]. As for collusion resistance in the standard model, Camenisch et al. proposed a dACS that has the property[21]. Moreover, the ACS[21] has the security of the universal composability[22,23]. Our $$ \mathrm{dACS_{sxdh}} $$ instantiated under the SXDH assumption is also universally composable due to the universal composability of the Groth-Sahai proof system[18,19]. We note that, though the dACS[21] and our $$ \mathrm{dACS_{sxdh}} $$ attain similar properties, the ACS by Camenisch et al. needs more assumptions than our $$ \mathrm{dACS_{sxdh}} $$ in the security proof of unforgeability[21].

As for fine-grained access control, the abACS by Sadiah et al. is capable of treating monotone formulas, though the proof size is exponential to the number of attributes appearing in the formula[24]. The abACS by Okishima-and-Nakanishi[25] is capable of treating Conjunctive Normal Form (CNF) formulas. The abACS by Fuchsbauer et al. is capable of treating all-and formulas with an advantage of prover anonymity at issuing phase[26]. We note that these three abACSs have not been studied in a security experiment of collusion resistance. Though the two abACSs by Tan and Groß[8] and Chan and Yuen[9] mentioned above are capable of treating monotone formulas and have collusion resistance, they are not in the setting of decentralized multi-authority. Concerning the attributes issued under each authority, our dACS can treat any access policy of an all-AND formula that covers plural attributes for each authority (and the number of authorities is more than one). From the viewpoint, designing a decentralized multi-authority abACS with more fine-grained access policies, for instance, any monotone formulas, is a challenging problem.

Replay attack is one of the most typical threats to authentication systems. In a replay attack, an attacker intercepts valid data that are transmitted from a prover to a verifier. Then it maliciously re-sends them, after some time intervals, to make the verifier accept the prover. Thus, the aim of a replay attack is to cause mis-authentication that leads to potential stronger security breaches. It is also possibly applicable to ACSs, especially because of anonymity. One of the typical countermeasures against replay attack is introducing interactive proofs. That is, the verifier generates a random challenge message at every session of authentication to reject a re-sent response message. As for non-interactive proofs, in recent privacy-preserving systems[27,28] in which proofs are non-interactive, permissioned blockchains are employed, which is in contrast with the permissionless blockchain employed in Bitcoin[29]. A permissioned blockchain fits our dACS because transactions including anonymous credentials are permitted by the authorities. In the systems, the replay attack can be detected by the authorities.

Finally, we note here recent studies that developed more functions than our dACS. Au et al. proposed a dynamic $$ k $$-times anonymous authentication ($$ k $$-TAA) scheme, which allows members of a group to be authenticated anonymously by application providers for a bounded number of times, where application providers can independently and dynamically grant or revoke access rights to members in their own group[30]. Concerning a revocation mechanism that is needed for real usage, Ma and Chow[31] proposed updatable anonymous credentials with revocation and reputation management. Extending these concepts to multi-authority systems (as discussed in its appendix) would provide a broader context for our dACS. As for threshold signatures, Doerner et al. proposed an ACS with threshold issuance by constructing a secure multiparty signing protocol for the BBS+ signature scheme[32]. Wong et al. proposed a secure multiparty computation of threshold signatures, which presented an efficient threshold Elliptic Curve Digital Signature Algorithm (ECDSA) protocol[33].

Our work in this paper is a significantly extended version of the proceeding paper presented at SecITC 2020[34]. Especially the sections of "Introduction", "Instantiation" and "Feature Comparison and Efficiency Evaluation" are totally expanded.

Organization of the paper

In Section "PRELIMINARIES", we fix notations and summarize the needed notions for later sections. In Section "BUNDLED LANGUAGE", we explain our ideas, which is for the Groth-Sahai proofs. In Section "DECENTRALIZED MULTI-AUTHORITY ANONYMOUS CREDENTIAL SYSTEM", we propose the syntax and security definitions of our dACS. In Section "GENERIC CONSTRUCTION", we give a construction of our dACS employing the Groth-Sahai proof system and a structure-preserving signature scheme. In Section "INSTANTIATION", we concretely describe our dACS under the SXDH assumption. In Section "FEATURE COMPARISON AND EFFICIENCY EVALUATION", we compare the features of our instantiated $$ \mathrm{dACS_{sxdh}} $$ with those of the previous abACSs. Then we evaluate efficiency of our $$ \mathrm{dACS_{sxdh}} $$ by partial implementation and estimation. In Section "CONCLUSION", we summarize our work and state future directions.

PRELIMINARIES

$$ \mathbb{N} $$ denotes the set of natural numbers. $$ [n] $$ represents the subset $$ \{1, \dots, n\} \subset \mathbb{N} $$. $$ \mathbb{Z}_p $$ indicates the residue class ring of integers modulo a prime number $$ p $$. $$ \lambda $$ stands for the security parameter, where $$ \lambda \in \mathbb{N} $$. A function $$ P( \lambda) $$ is said to be negligible in $$ \lambda $$ if for any given positive polynomial $$ \text{poly}( \lambda) $$$$ P( \lambda) < 1/ \text{poly}( \lambda) $$ for sufficiently large $$ \lambda $$. Two functions $$ P( \lambda) $$ and $$ Q( \lambda) $$ are said to be computationally indistinguishable in $$ \lambda $$ if $$ | P( \lambda) - Q( \lambda) | $$ is negligible in $$ \lambda $$, which we denote $$ P( \lambda) \approx_{ \text{c}} Q( \lambda) $$. $$ a \in_R S $$ denotes a uniform random sampling of an element $$ a $$ from a set $$ S $$. $$ a =_{?} b $$ points to a boolean decision, which returns $$ 1 $$ if $$ a = b $$ and $$ 0 $$ otherwise. $$ z \gets A(a; r) $$ denotes that $$ z $$ is returned by a probabilistic algorithm $$ A $$ with an input $$ a $$ and a randomness $$ r $$ on a random tape. $$ S t $$ corresponds to the inner state of an algorithm. $$ (c_{i})_{i} $$ abbreviates a vector $$ c = (c_{i})_{i \in I} $$. Similarly, $$ (c^{a})^{a} $$ abbreviates a vector $$ c = (c^{a})^{a \in A} $$, and $$ (c^{a}_{i})^{a}_{i} $$ abbreviates a vector $$ c = (c^{a}_{i})^{a \in A}_{i \in I} $$.

Bilinear groups

Let $$ \mathcal{BG} $$ be a generation algorithm of bilinear groups[20]: $$ \mathcal{BG}(1^{ \lambda}) \to (p, {\hat{\mathbb G}}, \check{{\mathbb G}}, \mathbb{T}, e, \hat{G}, \check{G}) $$. Here $$ p $$ is a prime number of bit-length $$ \lambda $$, $$ {\hat{\mathbb G}}, \check{{\mathbb G}} $$ and $$ \mathbb{T} $$ are cyclic groups of order $$ p $$, and $$ \hat{G} $$ and $$ \check{G} $$ are generators of $$ {\hat{\mathbb G}} $$ and $$ \check{{\mathbb G}} $$, respectively. We denote operations in $$ {\hat{\mathbb G}} $$, $$ \check{{\mathbb G}} $$ and $$ \mathbb{T} $$ multiplicatively. $$ e $$ is the bilinear map $$ {\hat{\mathbb G}} \times \check{{\mathbb G}} \to \mathbb{T} $$. $$ e $$ should have the following two properties: Non-degeneracy: $$ e( \hat{G}, \check{G}) \neq 1_{ \mathbb{T}} $$, and Bilinearity: $$ \forall a \in \mathbb{Z}_p, \forall b \in \mathbb{Z}_p, \forall \hat{X} \in {\hat{\mathbb G}}, \forall \check{Y} \in \check{{\mathbb G}}, e( \hat{X}^{a}, \check{Y}^b) = e( \hat{X}, \check{Y})^{ab} $$. Hereafter we denote an element in $$ {\hat{\mathbb G}} $$ and $$ \check{{\mathbb G}} $$ with hat "$$ \hat{\ } $$" and check "$$ \check{\ } $$", respectively. Then, according to the previous work by Escala and Groth[19], we introduce the following linear algebra-friendly additive notations.

$$ \forall \hat{x}_1, \forall \hat{x}_2 \in {\hat{\mathbb G}} \ \ \hat{x}_1 + \hat{x}_2 \stackrel{ \text{def}}{=} \hat{x}_1 \hat{x}_2, \ \ \forall \check{y}_1, \forall \check{y}_2 \in \check{{\mathbb G}}\ \ \check{y}_1 + \check{y}_2 \stackrel{ \text{def}}{=} \check{y}_1 \check{y}_2, $$

$$ \forall \hat{x} \in {\hat{\mathbb G}}\, \forall a \in \mathbb{Z}_p \ \hat{x} a \stackrel{ \text{def}}{=} \hat{x}^a, \ \ \forall \check{y}\in \check{{\mathbb G}}, \forall b \in \mathbb{Z}_p\ \ b \check{y} \stackrel{ \text{def}}{=} \check{y}^b, $$

$$ \forall \hat{x} \in {\hat{\mathbb G}}, \forall \check{y} \in \check{{\mathbb G}}\ \ \hat{x} \cdot \check{y} \stackrel{ \text{def}}{=} e( \hat{x}, \check{y}), $$

$$ \forall z_1, \forall z_2 \in \mathbb{T} \ \ z_1 + z_2 \stackrel{ \text{def}}{=} z_1 z_2. $$

Then, for further simplicity, we introduce the following notation.

$$ \forall \hat{x} \in {\hat{\mathbb G}}, \forall a \in \mathbb{Z}_p, \forall \check{y}\in \check{{\mathbb G}}\ \ \hat{x} a \check{y} \stackrel{ \text{def}}{=} \hat{x} a \cdot \check{y} = \hat{x} \cdot a \check{y}. $$

Then it is easy to see that the following equality holds.

$$ \begin{align} &\forall \hat{x}_1, \forall \hat{x}_2 \in {\hat{\mathbb G}}, \forall a, \forall b, \forall c, \forall d \in \mathbb{Z}_p, \forall \check{y}_1, \forall \check{y}_2 \in \check{{\mathbb G}} \\ & ( \hat{x}_1, \hat{x}_2) \begin{pmatrix} ac & ad \\ bc & bd \end{pmatrix} ( \check{y}_1, \check{y}_2)^{\top} = e( \hat{x}_1^a \hat{x}_2^b, \check{y}_1^c \check{y}_2^d) \ \in \mathbb{T}. \end{align} $$

Finally, we extend the notation [Equation (3)] to a vector and a matrix form in the following way.

$$ \begin{align} &\forall \hat{x}_1, \forall \hat{x}_2 \in {\hat{\mathbb G}}, \forall \check{y}_1, \forall \check{y}_2 \in \check{{\mathbb G}} \\ &\begin{pmatrix} \hat{x}_1\\ \hat{x}_2 \end{pmatrix} \cdot ( \check{y}_1, \check{y}_2) = \begin{pmatrix} e( \hat{x}_1, \check{y}_1) & e( \hat{x}_1, \check{y}_2)\\ e( \hat{x}_2, \check{y}_1) & e( \hat{x}_2, \check{y}_2) \end{pmatrix} \ \in \mathbb{T}^{2 \times 2}, \end{align} $$

and

$$ \begin{align} &\forall \hat{x}_1, \forall \hat{x}_2, \forall \hat{x}_3, \forall \hat{x}_4 \in {\hat{\mathbb G}}, \forall \check{y}_1, \forall \check{y}_2, \check{y}_3, \forall \check{y}_4 \in \check{{\mathbb G}} \\ &\begin{pmatrix} \hat{x}_{1, 1} & \hat{x}_{1, 2}\\ \hat{x}_{2, 1} & \hat{x}_{2, 2} \end{pmatrix} \cdot \begin{pmatrix} \check{y}_{1, 1} & \check{y}_{1, 2}\\ \check{y}_{2, 1} & \check{y}_{2, 2} \end{pmatrix} = \begin{pmatrix} e( \hat{x}_{1, 1}, \check{y}_{1, 1}) e( \hat{x}_{1, 2}, \check{y}_{2, 1}) & e( \hat{x}_{1, 1}, \check{y}_{1, 2}) e( \hat{x}_{1, 2}, \check{y}_{2, 2})\\ e( \hat{x}_{2, 1}, \check{y}_{1, 1}) e( \hat{x}_{2, 2}, \check{y}_{2, 1}) & e( \hat{x}_{2, 1}, \check{y}_{1, 2}) e( \hat{x}_{2, 2}, \check{y}_{2, 2}) \end{pmatrix} \ \in \mathbb{T}^{2 \times 2}. \end{align} $$

Structure-preserving signature scheme

The structure-preserving signature scheme[17,35]$$ \textsf{Sig} $$ consists of four PPT algorithms: $$ \textsf{Sig} = $$$$ ( \textsf{Sig.Setup}, $$$$ \textsf{Sig.KG}, $$$$ \textsf{Sig.Sign}, $$$$ \textsf{Sig.Vrf}) $$.

$$ \textsf{Sig.Setup}(1^{ \lambda}) \to pp $$. On input the security parameter $$ 1^{ \lambda} $$, this PPT algorithm executes the generation algorithm of bilinear groups, and it sets the output as a set of public parameters: $$ \mathcal{BG}(1^{ \lambda}) \to (p, {\hat{\mathbb G}}, \check{{\mathbb G}}, \mathbb{T}, e, \hat{G}, \check{G}) =: pp $$. It returns $$ pp $$.

$$ \textsf{Sig.KG}() \to ( \text{PK}, \text{SK}) $$. Based on the set of public parameters $$ pp $$, this PPT algorithm generates a signing key $$ \text{SK} $$ and the corresponding public key $$ \text{PK} $$. It returns $$ ( \text{PK}, \text{SK}) $$.

$$ \textsf{Sig.Sign}( \text{PK}, \text{SK}, m) \to \sigma $$. On input the public key $$ \text{PK} $$, the secret key $$ \text{SK} $$ and a message $$ m \in {\hat{\mathbb G}} $$ or $$ \check{{\mathbb G}} $$, this PPT algorithm generates a signature $$ \sigma $$. In the case of the structure-preserving signatures, $$ \sigma $$ consists of elements $$ (V_{i})_{i} $$ where $$ V_i $$ is in either $$ {\hat{\mathbb G}} $$ or $$ \check{{\mathbb G}} $$. It returns $$ \sigma := (V_{i})_{i} $$.

$$ \textsf{Sig.Vrf}( \text{PK}, m, \sigma) \to d $$. On input the public key $$ \text{PK} $$, a message $$ m \in {\hat{\mathbb G}} $$ or $$ \check{{\mathbb G}} $$ and a signature $$ \sigma = (V_{i})_{i} $$, this deterministic algorithm returns a boolean decision $$ d $$.

The correctness should hold for the scheme $$ \textsf{Sig} $$: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets \textsf{Sig.Setup}(1^{ \lambda}) $$ and any message $$ m $$, $$ \Pr[ d = 1 \mid ( \text{PK}, \text{SK}) \gets \textsf{Sig.KG}(), \sigma \gets \textsf{Sig.Sign}( \text{PK}, \text{SK}, m), d \gets \textsf{Sig.Vrf}( \text{PK}, m, \sigma) ] = 1 $$.

Adaptive chosen-message attack of an existential forgery on the scheme $$ \textsf{Sig} $$ by a forger algorithm $$ \mathbf{F} $$ is defined by the following algorithm of an experiment.

$$ \begin{align} & \textsf{Exp}^{ \text{euf-cma}}_{\textsf{Sig}, \mathbf{F}}(1^\lambda): \\ & \quad pp \gets \textsf{Sig.Setup}(1^{ \lambda}), ( \text{PK}, \text{SK}) \gets \textsf{Sig.KG}() \\ & \quad (m^*, \sigma^*) \gets \mathbf{F}^{ \mathbf{SignO}( \text{PK}, \text{SK}, \cdot)}( pp, \text{PK}) \\ & \quad \text{If } m^* \notin \{ m_j \}_{1 \leq j \leq q_{ \text{s}}} \text{ and } \textsf{Sig.Vrf}( \text{PK}, m^*, \sigma^*)= 1, \\ & \quad \text{then Return } \text{Win} \text{ else Return } \text{Lose} \end{align} $$

In the above experiment, $$ \mathbf{F} $$ issues a query $$ m_j $$ to its signing oracle $$ \mathbf{SignO}( \text{PK}, \text{SK}, \cdot) $$. Then $$ \mathbf{F} $$ receives a valid signature $$ \sigma_j $$ as a reply. The queries are at most $$ q_{ \text{s}} $$ times ($$ 1 \leq j \leq q_{ \text{s}} $$), and are bounded by a polynomial in $$ \lambda $$. After receiving the replies, $$ \mathbf{F} $$ returns a message-signature pair $$ (m^*, \sigma^*) $$. A restriction is imposed on $$ \mathbf{F} $$ that the message $$ m^* $$ of the forgery should not be contained in the set of queries $$ \{ m_j \}_{1 \leq j \leq q_{ \text{s}}} $$. The advantage of $$ \mathbf{F} $$ over $$ \textsf{Sig} $$ is defined as $$ \mathbf{Adv}^{ \text{euf-cma}}_{\textsf{Sig}, \mathbf{F}}(\lambda) := \Pr[ \textsf{Exp}^{ \text{euf-cma}}_{\textsf{Sig}, \mathbf{F}}(1^\lambda) \text{ returns } \text{Win}] $$.

Definition 1 (EUF-CMA[36]) The scheme $$ {Sig} $$ is said to be existentially unforgeable against adaptive chosen-message attacks (EUF-CMA) if, for any PPT algorithm $$ \mathbf{F} $$, the advantage $$ \mathbf{Adv}^{ {euf-cma}}_{{Sig}, \mathbf{F}}(\lambda) $$ is negligible in $$ \lambda $$.

Non-interactive commit-and-prove scheme for structure-preserving signatures

According to the "fine-tuning Groth-Sahai proofs" system[19], we survey here the non-interactive commit-and-prove scheme on pairing-product equations, though we treat them in their additive forms. A commit-and-prove scheme $$ \textsf{CmtPrv} $$ consists of six PPT algorithms: $$ \textsf{CmtPrv} = [ \textsf{CmtPrv}\textsf{.Setup}, \textsf{Cmt} = ( \textsf{Cmt.KG}, \textsf{Cmt.Com}, \textsf{Cmt.Vrf}), \Pi = ( \textsf{Prv.P}, \textsf{Prv.V})] $$. Intuitively, there are three parts in $$ \textsf{CmtPrv} $$ and they function as follows. The first part $$ \textsf{CmtPrv}\textsf{.Setup} $$ generates a set of public parameters $$ pp $$. The second, commit-part, provides a set of tools that realize a "cryptographic envelope" from a sender to a receiver, which is along the technique of "dual-mode" commitment[18]. The third, prove-part, is for a prover to generate a proof to a verifier, which is to prove that the prover knows the data committed by the commit-algorithm of the commit-part, in a witness-indistinguishable way.

Language

We first describe the language for which our scheme will work. The language is dependent on the type of verification equations of the Groth-Sahai proofs (group-dependent languages[18]). For this purpose, we first fix the set of public parameters.

$$ \bullet \ \textsf{CmtPrv}\textsf{.Setup} (1^{ \lambda}) \to pp $$. On input the security parameter $$ 1^{ \lambda} $$, this PPT algorithm executes a generation algorithm of bilinear groups $$ \mathcal{BG} $$, and it sets the output as the public parameters $$ pp $$: $$ \mathcal{BG}(1^{ \lambda}) \to (p, {\hat{\mathbb G}}, \check{{\mathbb G}}, \mathbb{T}, e, \hat{G}, \check{G}) =: pp $$. It returns $$ pp $$.

Let $$ n \in \mathbb{N} $$ be a constant. Suppose that we are given an equation system with $$ n $$ equations and with variables $$ ( \hat{X}_{i})_{i} $$ and $$ ( \check{Y}_{j})_{j} $$:

$$ \begin{align} \begin{cases} &\sum_{i} \hat{X}_{i} \cdot \check{B}_{1i} +\sum_{j} \hat{A}_{1j} \cdot \check{Y}_{j} +\sum_{i}\sum_{j} \hat{X}_{i} \gamma_{1ij} \check{Y}_{j} = t_{ \mathbb{T} 1}, \\ &\vdots\\ &\sum_{i} \hat{X}_{i} \cdot \check{B}_{ni} +\sum_{j} \hat{A}_{nj} \cdot \check{Y}_{j} +\sum_{i}\sum_{j} \hat{X}_{i} \gamma_{nij} \check{Y}_{j} = t_{ \mathbb{T} n}. \end{cases} \end{align} $$

Let $$ L $$ denote the set of coefficients of the equation system [Equation (9)] and $$ W(x) $$ denote the set of solutions for $$ x \in L $$:

$$ L := \{ x \in (\prod\limits_{i} {\hat{\mathbb G}} \times \prod\limits_{j} \check{{\mathbb G}} \times \prod\limits_{i}\prod\limits_{j} \mathbb{Z}_p)^{n} \mid x = (( \check{B}_{ki})_{i}, ( \hat{A}_{kj})_{j}, ( \gamma_{kij})_{i, j})_{k=1}^{n} \}, $$

$$ W(x) := \{ w \in \prod\limits_{i} {\hat{\mathbb G}} \times \prod\limits_{j} \check{{\mathbb G}} \mid w = (( \hat{W}_i)_{i}, ( \check{W}_{j})_{j}) \text{ satisfies }(9) \text{ for } x \}, $$

$$ \begin{align} &R := \{ (x, w) \in (\prod\limits_{i} {\hat{\mathbb G}} \times \prod\limits_{j} \check{{\mathbb G}} \times \prod\limits_{i}\prod\limits_{j} \mathbb{Z}_p)^{n} \times \prod\limits_{i} {\hat{\mathbb G}} \times \prod\limits_{j} \check{{\mathbb G}} \\ & \quad \mid (x, w) = ( (( \check{B}_{ki})_{i}, ( \hat{A}_{kj})_{j}, ( \gamma_{kij})_{i, j})_{k=1}^{n}, (( \hat{W}_i)_{i}, ( \check{W}_{j})_{j}) ) \text{ satisfies }(9) \}. \end{align} $$

For a fixed parameter set $$ pp $$, we call $$ L $$, $$ W(x) $$ and $$ R $$ the group-dependent language with $$ pp $$, the witness space of $$ x $$ with $$ pp $$ and the relation with $$ pp $$, respectively.

Commit-part

The commit-part[18,19]$$ \textsf{Cmt} = ( \textsf{Cmt.KG}, \textsf{Cmt.Com}, \textsf{Cmt.Vrf}) $$ is described as follows.

$$ \bullet \ \textsf{Cmt.KG}( \texttt{mode}) \to key $$. On input a string $$ \texttt{mode} $$, this PPT algorithm generates a $$ key $$. If $$ \texttt{mode} = \texttt{nor} $$, then $$ key = ck $$ which is a commitment key. If $$ \texttt{mode} = \texttt{ext} $$, then $$ key = ( ck, xk) $$ which is a pair of $$ ck $$ and an extraction key $$ xk $$. If $$ \texttt{mode} = \texttt{sim} $$, then $$ key = ( ck, tk) $$ which is a pair of $$ ck $$ and a trapdoor key $$ tk $$. It returns $$ key $$.

We put $$ pp := ( pp, ck) $$. Note here that the commitment key $$ ck $$, which is a common reference string (CRS) in the term of non-interactive proof systems[18,19], is treated as one of the public parameters.

$$ \bullet \ \textsf{Cmt.Com}(w; r) \to (c, r) $$. On input a message $$ w $$ (which will be a witness in the proof-part), this PPT algorithm generates a commitment $$ c $$ with a randomness $$ r $$. $$ r $$ will also be a verification key. It returns $$ (c, r) $$. When $$ w $$ is a vector $$ w = (w_{i})_{i} $$, $$ c $$ and $$ r $$ are also vectors of the same number of components: $$ c = (c_{i})_{i} $$ and $$ r = (r_{i})_{i} $$. Note that computation is executed in the componentwise way; $$ \textsf{Cmt.Com}(w_i; r_i) \to (c_i, r_i) $$.

$$ \bullet \ \textsf{Cmt.Vrf}(c, w, r) \to d $$. On input a commitment $$ c $$, a message $$ w $$ and a verification key $$ r $$, this deterministic algorithm generates a boolean decision $$ d $$. It returns $$ d $$.

The commit-part $$ \textsf{Cmt} $$ of the Groth-Sahai proof system has the four properties[19]: (1) perfect correctness, (2) dual mode, (3) perfectly binding and (4) perfectly hiding. We remark here that the properties (3) and (4) cannot stand simultaneously in principle (see "Commitment Scheme"[37], etc.). The trick is that, when the $$ \texttt{mode} $$ is $$ \texttt{ext} $$, the $$ key $$ is $$ ( ck, xk) $$ and the property (3) "perfectly binding" holds. When the $$ \texttt{mode} $$ is $$ \texttt{sim} $$, the $$ key $$ is $$ ( ck, tk) $$ and the property (4) "perfectly hiding" holds. Importantly for security proofs, the two modes of commitment keys ($$ ck $$s) are assumed to be computationally indistinguishable under an appropriate assumption. The detailed definitions are given in Definition 3.

Prove-part

The prove-part[18,19]$$ \Pi = ( \textsf{Prv.P}, \textsf{Prv.V}) $$ is described as follows.

$$ \bullet \ \textsf{Prv.P}(x, c, w, r) \to \pi $$. On input a statement $$ x $$, a commitment $$ c $$, a witness $$ w $$ and a randomness $$ r $$ which was used to generate a commitment $$ c $$, this PPT algorithm executes the proof-generation algorithm of the Groth-Sahai proof system to obtain a proof $$ \pi $$ (see ref[19] for the details and ref[17,38] for instantiations). It returns $$ \pi $$.

$$ \bullet \ \textsf{Prv.V}(x, c, \pi) \to d $$. On input a statement $$ x $$, a commitment $$ c $$ and a proof $$ \pi $$, this deterministic algorithm executes the verification algorithm of the Groth-Sahai proof system to obtain a boolean decision $$ d $$ (see ref[19] for the details). It returns $$ d $$.

The proof-part $$ ( \textsf{CmtPrv}\textsf{.Setup}, \Pi) $$ of the Groth-Sahai proof system has the four properties[19]: (1) perfect correctness, (2) perfect soundness, (3) perfect $$ F $$-knowledge and (4) composable witness-indistinguishability [especially (4) means perfect witness-indistinguishability]. The detailed definitions are given later.

Four properties of commit-part

Definition 2 (Correctness[18,19]) A commitment scheme $$ {Cmt} $$ is said to be correct if it satisfies the following condition: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$, any commitment key $$ ck \gets {Cmt.KG}( {mode}) $$ where $$ {mode} = {nor} $$ or $$ {ext} $$ or $$ {sim} $$, and any message $$ w $$,

$$ \Pr[ d = 1 \mid (c, r) \gets {Cmt.Com}(w), d \gets {Cmt.Vrf}(c, w, r) ] = 1. $$

Definition 3 (Dual Mode[18]) A commitment scheme $$ {Cmt} $$ is said to be dual mode if it satisfies the following condition: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$ and any PPT algorithm $$ \mathbf{A} $$,

$$ \Pr[ \mathbf{A}( pp, ck) = 1 \mid ck \gets {Cmt.KG}( {nor}) ] = \Pr[ \mathbf{A}( pp, ck) = 1 \mid ( ck, xk) \gets {Cmt.KG}( {ext}) ], $$

$$ \Pr[ \mathbf{A}( pp, ck) = 1 \mid ck \gets {Cmt.KG}( {nor}) ] \approx_{ {c}} \Pr[ \mathbf{A}( pp, ck) = 1 \mid ( ck, tk) \gets {Cmt.KG}( {sim}) ]. $$

From Equation (13), the computational indistinguishability [(Equation (14)] is equivalent to the following: For any security parameter $$ 1^{ \lambda} $$, for any set of public parameters $$ pp \gets \textsf{CmtPrv}\textsf{.Setup}(1^{ \lambda}) $$ and any PPT algorithm $$ \mathbf{A} $$, the advantage $$ \mathbf{Adv}^{ \text{ind-dual}}_{\textsf{Cmt}, \mathbf{A}}(\lambda) $$ of $$ \mathbf{A} $$ over $$ \textsf{Cmt} $$ defined by the difference below is negligible in $$ \lambda $$:

$$ \begin{align} \mathbf{Adv}^{ \text{ind-dual}}_{\textsf{Cmt}, \mathbf{A}}(\lambda) \stackrel{ \text{def}}{=} |\Pr&[ \mathbf{A}( pp, ck) = 1 \mid ( ck, xk) \gets \textsf{Cmt.KG}( \texttt{ext}) ] \\ - \Pr&[ \mathbf{A}( pp, ck) = 1 \mid ( ck, tk) \gets \textsf{Cmt.KG}( \texttt{sim}) ]|. \end{align} $$

The indistinguishability [Equation (15)] holds, for example, for an instance of the Groth-Sahai proof system under the SXDH assumption[18,19].

Definition 4 (Perfectly Binding[18]) A commitment scheme $$ {Cmt} $$ is said to be perfectly binding if it satisfies the following condition for some unbounded algorithm $$ {Cmt.Open} $$: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$, any commitment key $$ ck \gets {Cmt.KG}( {nor}) $$ and any message $$ w $$,

$$ \Pr[ w = w' \mid (c, r) \gets {Cmt.Com}(w; r), w' \gets {Cmt.Open}(c) ] =1. $$

Definition 5 (Perfectly Hiding[18]) A commitment scheme $$ {Cmt} $$ is said to be perfectly hiding if it satisfies the following condition: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$, any commitment key $$ ck $$ s.t. $$ ( ck, tk) \gets {Cmt.KG}( {sim}) $$ and any PPT algorithm $$ \mathbf{A} $$,

$$ \begin{align} \Pr[& \mathbf{A}( S t, c) = 1 \mid (w, w', S t) \gets \mathbf{A}( pp, ck, tk), (c, r) \gets {Cmt.Com}(w) ] \\ = \Pr[& \mathbf{A}( S t, c') = 1 \mid (w, w', S t) \gets \mathbf{A}( pp, ck, tk), (c', r') \gets {Cmt.Com}(w') ]. \end{align} $$

Four properties of prove-part

Definition 6 (Perfect Correctness[18]) A commit-and-prove scheme $$ {CmtPrv} $$ is said to be perfectly correct if it satisfies the following condition: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$, any commitment key $$ ck \gets {Cmt.KG}( {mode}) $$ where $$ {mode} = {nor} $$ or $$ {ext} $$ or $$ {sim} $$ with $$ pp := ( pp, ck) $$, and any PPT algorithm $$ \mathbf{A} $$,

$$ \begin{align} \Pr[ & {Prv.V}(x, c, \pi) = 1 \; if \; ( ck, x, w) \in R \mid \\ &(x, w) \gets \mathbf{A}( pp), (c, r) \gets {Cmt.Com}(w), \\ &\pi \gets {Prv.P}(x, c, w, r) ] = 1. \end{align} $$

Definition 7 (Perfect Soundness[18]) A commit-and-prove scheme $$ {CmtPrv} $$ is said to be perfectly sound if it satisfies the following condition for some unbounded algorithm $$ {Cmt.Open} $$: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$, any commitment key $$ ck \gets {Cmt.KG}( {nor}) $$ and any PPT algorithm $$ \mathbf{A} $$,

$$ \begin{align} \Pr&[ {Prv.V}(x, c, \pi) =0 \; or \; ( ck, x, w) \in R \mid \\ &(x, c, \pi) \gets \mathbf{A}( pp), w \gets {Cmt.Open}(c) ] = 1. \end{align} $$

Let $$ \mathcal{C}_{ ck} $$ be the set of commitments under $$ ck $$ to some message $$ w $$.

Definition 8 (Perfect Knowledge Extraction[18]) A commit-and-prove scheme $$ {CmtPrv} $$ is said to be perfectly knowledge extractable if it satisfies the following condition for some PPT algorithm $$ {Cmt.Ext} $$: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$, any commitment key $$ ( ck, xk) \gets {Cmt.KG}( {ext}) $$ and any PPT algorithm $$ \mathbf{A} $$,

$$ \Pr[ c \notin \mathcal{C}_{ ck} \; or \; {Cmt.Ext}( xk, c) = {Cmt.Open}(c) \mid c \gets \mathbf{A}( pp, ck, xk) ] = 1. $$

Definition 9 (Composable Witness-Indistinguishability[18]) A commit-and-prove scheme $$ {CmtPrv} $$ is said to be composably witness-indistinguishable if it satisfies the following condition: For any security parameter $$ 1^{ \lambda} $$, any set of public parameters $$ pp \gets {CmtPrv}{.Setup}(1^{ \lambda}) $$ and any PPT algorithm $$ \mathbf{A} $$, the following holds.

$$ \begin{align} \Pr&[( ck, x, w), ( ck, x, w') \in R \; and \; \mathbf{A}( S t, \pi) = 1 \mid ( ck, tk) \gets {Cmt.KG}( {sim}), pp := ( pp, ck), \\ &(x, w, w', S t) \gets \mathbf{A}^{ {Cmt.Com}(\cdot)}( pp, ck, tk), (c, r) \gets {Cmt.Com}(w), \pi \gets {Prv.P}(x, c, w, r) ] \\ =\Pr&[( ck, x, w), ( ck, x, w') \in R \; and \; \mathbf{A}( S t, \pi') = 1 \mid ( ck, tk) \gets {Cmt.KG}( {sim}), pp := ( pp, ck), \\ &(x, w, w', S t) \gets \mathbf{A}^{ {Cmt.Com}(\cdot)}( pp, ck, tk), (c', r') \gets {Cmt.Com}(w'), \pi' \gets {Prv.P}(x, c', w', r') ]. \end{align} $$

Especially, perfect witness-indistinguishability holds from Equation (17).

BUNDLED LANGUAGE

In this section, we define a notion of a bundled language in the case of a group-dependent language that is pairing-product equations. Intuitively, the notion is a simultaneous equation system whose coefficients form a language.

For a polynomially bounded integer $$ q $$, we first prepare for $$ q $$ independent copies of an equation system with variables $$ ( \hat{X}_{i}^{a})_{i} $$ and $$ ( \check{Y}_{j}^{a})_{j} $$, as follows. (We remark that$$ {\ }^{a} $$ is an index.)

$$ \begin{align} & \text{For } a \in [q], \\ &\begin{cases} &\sum_{i} \hat{X}_{i}^{a} \cdot \check{B}_{1i}^{a} +\sum_{j} \hat{A}_{1j}^{a} \cdot \check{Y}_{j}^{a} +\sum_{i}\sum_{j} \hat{X}_{i}^{a} \gamma_{1ij}^{a} \check{Y}_{j}^{a} = t_{ \mathbb{T} 1}^{a}, \\ &\vdots\\ &\sum_{i} \hat{X}_{i}^{a} \cdot \check{B}_{ni}^{a} +\sum_{j} \hat{A}_{nj}^{a} \cdot \check{Y}_{j}^{a} +\sum_{i}\sum_{j} \hat{X}_{i}^{a} \cdot \check{Y}_{j}^{a} = t_{ \mathbb{T} n}^{a}. \end{cases} \end{align} $$

Now we impose a constraint that the above $$ q $$ equation systems have a common variable. For simplicity, we enforce that

$$ \hat{X}_{1}^{1} = \cdots = \hat{X}_{1}^{q} = \hat{X}_{1}. $$

Definition 10 (Bundled language) Let $$ L $$ be the language [Equation (10)]. For a polynomially bounded integer $$ q $$, put $$ A := [q] $$. The $$ q $$-bundled language $$ \prod_{a \in A}^{ {bnd}} L $$ of the languages $$ L $$ is the subset of the $$ q $$-Cartesian product of $$ L $$ with the constraint [Equation (19)]:

$$ \prod\limits_{a \in A}^{ {bnd}}L \stackrel{ {def}}{=} \{ (x^{a})^{a \in A} \in \prod\limits_{a \in A} L \mid \ \hat{X}_{1}^{1} = \cdots = \hat{X}_{1}^{q} = \hat{X}_{1} \}. $$

DECENTRALIZED MULTI-AUTHORITY ANONYMOUS CREDENTIAL SYSTEM

In this section, we provide syntax and security definitions of dACS. We introduce three security definitions. The first is EUF against collusion attacks that cause mis-authentication, the other two are anonymity and unlinkability of proofs.

Syntax

Our dACS consists of five PPT algorithms, $$ ( \textsf{Setup} $$, $$ \textsf{AuthKG} $$, $$ \textsf{PrivKG} $$, $$ \textsf{Prover} $$, $$ \textsf{Verifier}) $$. Intuitively, $$ \textsf{Setup} $$ generates a set of common public parameters $$ pp $$. In a real use, it is executed only once by an entity that maintains a standard like NIST FIPS 186-4[16]. Then a key-issuing authority of an attribute executes $$ \textsf{AuthKG} $$ to generate its master secret key and public key. Then, the authority, being asked by an entity possessing an attribute, generates and issues a private secret key of the attribute for the entity. By using the private secret key(s), the entity executes $$ \textsf{Prover} $$ to generate a proof of knowing the key(s) of attribute(s). Receiving the proof, any verifier executes $$ \textsf{Verifier} $$ and decides whether the proof is valid to confirm the knowledge of attribute(s) or not.

$$ \bullet \ \textsf{Setup}(1^{ \lambda}) \to pp $$. This PPT algorithm is needed to generate a set of public parameters $$ pp $$. On input the security parameter $$ 1^{ \lambda} $$, it generates the set $$ pp $$. It returns $$ pp $$.

$$ \bullet \ \textsf{AuthKG}(a) \to ( \text{PK}^{a}, \text{MSK}^{a}) $$. This PPT algorithm is executed by a key-issuing authority indexed by $$ a $$. On input the authority index $$ a $$, it generates the $$ a $$-th public key $$ \text{PK}^{a} $$ of the authority and the corresponding $$ a $$-th master secret key $$ \text{MSK}^{a} $$. It returns $$ ( \text{PK}^{a}, \text{MSK}^{a}) $$.

$$ \bullet \ \textsf{PrivKG}( \text{PK}^{a}, \text{MSK}^{a}, \texttt{i}) \to \text{sk}^{a}_{ \texttt{i}} $$. This PPT algorithm is executed by the $$ a $$-th key-issuing authority. On input the $$ a $$-th public and master secret keys $$ ( \text{PK}^{a}, \text{MSK}^{a}) $$ and an element $$ \texttt{i} \in {\hat{\mathbb G}} $$ (that is an identifier of a prover), it generates a private secret key $$ \text{sk}^{a}_{ \texttt{i}} $$ of a prover. It returns $$ \text{sk}^{a}_{ \texttt{i}} $$.

$$ \bullet \ \textsf{Prover}(( \text{PK}^{a})^{a \in A'}, \texttt{i}, ( \text{sk}^{a}_{ \texttt{i}})^{a \in A'}) \to \pi $$. This PPT algorithm is executed by a prover who is to be authenticated, where $$ A' $$ denotes a subset of the set $$ A $$. On input the public keys $$ ( \text{PK}^{a})^{a \in A'} $$, an identity element $$ \texttt{i} $$ and the corresponding private secret keys $$ ( \text{sk}^{a}_{ \texttt{i}})^{a \in A'} $$, it returns a proof $$ \pi $$.

$$ \bullet \ \textsf{Verifier}(( \text{PK}^{a})^{a \in A'}, \pi) \to d $$. This deterministic polynomial-time algorithm is executed by a verifier who confirms that the prover certainly knows the secret keys for indices $$ a \in A' $$. On input the public keys $$ ( \text{PK}^{a})^{a \in A'} $$ and the proof $$ \pi $$, it returns $$ d: = 1 $$ ("accept") or $$ d := 0 $$ ("reject").

Security definitions

We define three security notions for our ACS dACS; EUF against collusion attacks, anonymity and unlinkability of proofs. Hereafter, the notation "(algorithm name)+O" means the oracle that functions as the algorithm.

EUF against collusion attack

Formally, we define the following experiment on dACS and an adversary algorithm $$ \mathbf{A} $$.

$$ \begin{align} & \textsf{Exp}^{ \text{euf-coll}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)}: \\ & \quad pp \gets \textsf{Setup}(1^{ \lambda}), A := [\mu], \text{For } a \in A : ( \text{PK}^{a}, \text{MSK}^{a}) \gets \textsf{AuthKG}(a) \\ & \quad (\tilde{A}, S t) \gets \mathbf{A}( pp, ( \text{PK}^{a})^{a \in A}), \bar{\tilde{A}} := A \backslash \tilde{A}\\ & \quad (\pi^*, A^*) \gets \mathbf{A}^{ \mathbf{PrivKO}( \text{PK}^{\cdot}, \text{MSK}^{\cdot}, {\cdot})}( S t, ( \text{MSK}^{a})^{a \in \tilde{A}})\\ & \quad \textsf{Verifier}(( \text{PK}^{a})^{a \in A^*}, \pi^*) \to d \\ & \quad \text{If } d = 1 \text{ then return } \text{Win} \text{ else return } \text{Lose} \end{align} $$

Intuitively, the above experiment describes the attack as follows. On input the public keys $$ ( \text{PK}^{a})^{a \in A} $$, $$ \mathbf{A} $$ outputs a set $$ \tilde{A} $$ of indices of corrupted authorities. Then $$ \mathbf{A} $$ issues a query of the form $$ (a, \texttt{i}_j) $$, where $$ a \in \bar{\tilde{A}}:= A \backslash \tilde{A} $$ and $$ \texttt{i}_j \in {\hat{\mathbb G}} $$ for $$ j \in [q_{ \text{sk}}] $$ to the private secret key oracle $$ \mathbf{PrivKO}( \text{PK}^{\cdot}, \text{MSK}^{\cdot}, {\cdot}) $$. We denote by $$ A_j $$ the set of authority indices for which the private secret key queries were issued with $$ \texttt{i}_j $$. That is, $$ A_j := \{ a \in A \ |\ \mathbf{A} \text{ is given } \text{sk}^{a}_{ \texttt{i}_j} \} \subset \bar{\tilde{A}} $$. We note that the maximum number of private secret key queries is $$ \mu \cdot q_{ \text{sk}} $$. We require that the numbers $$ \mu $$ and $$ q_{ \text{sk}} $$ are bounded by a polynomial in $$ \lambda $$. At the end $$ \mathbf{A} $$ returns a forgery proof $$ \pi^* $$ together with the target set of authority indices $$ A^* $$ that is a subset of $$ \bar{\tilde{A}} $$: $$ A^* \subset \bar{\tilde{A}} $$. If the decision $$ d $$ on $$ \pi^* $$ by $$ \textsf{Verifier} $$ is $$ 1 $$ under $$ ( \text{PK}^{a})^{a \in A^*} $$, then the experiment returns $$ \text{Win} $$; otherwise, it returns $$ \text{Lose} $$.

A restriction is imposed on the adversary $$ \mathbf{A} $$: the queried $$ \texttt{i}_j $$s are pairwise different, and any $$ A_j $$ is a proper subset of the target set $$ A^* $$:

$$ \texttt{i}_{j_1}\neq \texttt{i}_{j_2} \text{ for } j_1, j_2 \in [q_{ \text{sk}}], j_1 \neq j_2, $$

$$ A_j \subsetneq A^*, \ j \in [q_{ \text{sk}}]. $$

These restrictions are because, otherwise, the adversary $$ \mathbf{A} $$ can trivially succeed in causing forgery.

The advantage of an adversary $$ \mathbf{A} $$ over an ACS dACS in the experiment is defined as: $$ \mathbf{Adv}^{ \text{euf-coll}}_{\textsf{dACS}, \mathbf{A}}{(\lambda, \mu)} \stackrel{ \text{def}}{=} \Pr[ \textsf{Exp}^{ \text{euf-coll}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)}= \text{Win}] $$.

Definition 11A scheme dACS is said to be existentially unforgeable against collusion attacks if, for any PPT algorithm $$ \mathbf{A} $$, the advantage $$ \mathbf{Adv}^{ {euf-coll}}_{{dACS}, \mathbf{A}}{(\lambda, \mu)} $$ is negligible in $$ \lambda $$.

Anonymity of proofs

Formally, we define the following experiment on dACS and an adversary algorithm $$ \mathbf{A} $$.

$$ \begin{align} & \textsf{Exp}^{ \text{ano-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)}: \\ & \quad pp \gets \textsf{Setup}(1^{ \lambda}), A := [\mu], \text{For } a \in A : ( \text{PK}^{a}, \text{MSK}^{a}) \gets \textsf{AuthKG}(a)\\ & \quad ( \texttt{i}_0, \texttt{i}_1, S t) \gets \mathbf{A}( pp, ( \text{PK}^{a})^{a \in A} ) \\ & \quad \text{For } a \in A: \text{For } i = 0, 1: \text{sk}^{a}_{ \texttt{i}_i} \gets \textsf{PrivKG}( \text{PK}^{a}, \text{MSK}^{a}, \texttt{i}_i) \\ & \quad b \in_R \{0, 1\}, b' \gets \mathbf{A}^{ \textsf{Prover}(( \text{PK}^{a})^{a \in A}, \texttt{i}_b, ( \text{sk}^{a}_{ \texttt{i}_b})^{a \in A}) }( S t, ( \text{MSK}^{a}, \text{sk}^{a}_{ \texttt{i}_0}, \text{sk}^{a}_{ \texttt{i}_1})^{a \in A}) \\ & \quad \text{If } b = b' \text{ then return } \text{Win}, \text{ else return } \text{Lose} \end{align} $$

Intuitively, the above experiment describes the attack as follows. On input the set of public parameters $$ pp $$ and the issued public keys $$ ( \text{PK}^{a})^{a \in A} $$, $$ \mathbf{A} $$ designates two identity elements $$ \texttt{i}_0 $$ and $$ \texttt{i}_1 $$, and $$ \mathbf{A} $$ is given two kinds of private secret keys $$ ( \text{sk}^{a}_{ \texttt{i}_0}, \text{sk}^{a}_{ \texttt{i}_1}) $$ for all $$ a \in A $$. Next, for randomly chosen $$ b \in \{0, 1\} $$, which is hidden from $$ \mathbf{A} $$, $$ \mathbf{A} $$ does oracle-access to a prover $$ \textsf{Prover} $$ that is on input the identity $$ \texttt{i}_b $$ and the private secret keys $$ ( \text{sk}^{a}_{ \texttt{i}_b})^{a \in A} $$. If the decision $$ b' $$ of $$ \mathbf{A} $$ is equal to $$ b $$, then the experiment returns $$ \text{Win} $$; otherwise, it returns $$ \text{Lose} $$.

The advantage of an adversary $$ \mathbf{A} $$ over an ACS dACS in the experiment is defined as: $$ \mathbf{Adv}^{ \text{ano-prf}}_{\textsf{dACS}, \mathbf{A}}{(\lambda, \mu)} \stackrel{ \text{def}}{=} \bigl| \Pr[ \textsf{Exp}^{ \text{ano-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} = \text{Win}] - (1/2) \bigr| $$.

Definition 12An ACS dACS is said to have anonymity of proofs if, for any PPT algorithm $$ \mathbf{A} $$, the advantage $$ \mathbf{Adv}^{ {ano-prf}}_{{dACS}, \mathbf{A}}{(\lambda, \mu)} $$ is negligible in $$ \lambda $$.

Unlinkability of proofs

Formally we define the following experiment on dACS and an adversary algorithm $$ \mathbf{A} $$.

$$ \begin{align} & \textsf{Exp}^{ \text{unlink-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)}: \\ & \quad pp \gets \textsf{Setup}(1^{ \lambda}), A := [\mu], \text{For } a \in A : ( \text{PK}^{a}, \text{MSK}^{a}) \gets \textsf{AuthKG}(a)\\ & \quad ( \texttt{i}_0, \texttt{i}_1, S t) \gets \mathbf{A}( pp, ( \text{PK}^{a})^{a \in A} ) \\ & \quad \text{For } a \in A: \text{For } i = 0, 1: \text{sk}^{a}_{ \texttt{i}_i} \gets \textsf{PrivKG}( \text{PK}^{a}, \text{MSK}^{a}, \texttt{i}_i) \\ & \quad b \in_R \{0, 1\} \\ & \quad \text{If }b=0 \text{ then } S t \gets \mathbf{A}^{ \textsf{Prover}(( \text{PK}^{a})^{a \in A}, \texttt{i}_0, ( \text{sk}^{a}_{ \texttt{i}_0})^{a \in A}) }( S t, ( \text{MSK}^{a}, \text{sk}^{a}_{ \texttt{i}_0}, \text{sk}^{a}_{ \texttt{i}_1})^{a \in A}) \\ & \quad d \gets \mathbf{A}^{ \textsf{Prover}(( \text{PK}^{a})^{a \in A}, \texttt{i}_1, ( \text{sk}^{a}_{ \texttt{i}_1})^{a \in A}) }( S t) \\ & \quad \text{else } \quad S t \gets \mathbf{A}^{ \textsf{Prover}(( \text{PK}^{a})^{a \in A}, \texttt{i}_0, ( \text{sk}^{a}_{ \texttt{i}_0})^{a \in A}) }( S t, ( \text{MSK}^{a}, \text{sk}^{a}_{ \texttt{i}_0}, \text{sk}^{a}_{ \texttt{i}_1})^{a \in A}) \\ & \quad d \gets \mathbf{A}^{ \textsf{Prover}(( \text{PK}^{a})^{a \in A}, \texttt{i}_0, ( \text{sk}^{a}_{ \texttt{i}_0})^{a \in A}) }( S t) \\ & \quad \text{If } b = d \text{ then return } \text{Win}, \text{ else return } \text{Lose} \end{align} $$

Intuitively, the above experiment resembles the experiment of anonymity $$ \textsf{Exp}^{ \text{ano-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$. The difference is that, in the above experiment, the adversary $$ \mathbf{A} $$ has to distinguish whether the proofs $$ (\pi) $$ are of the same entity or of the other entity.

The advantage of an adversary $$ \mathbf{A} $$ over an ACS dACS in the experiment is defined as: $$ \mathbf{Adv}^{ \text{unlink-prf}}_{\textsf{dACS}, \mathbf{A}}{(\lambda, \mu)} \stackrel{ \text{def}}{=} \bigl| \Pr[ \textsf{Exp}^{ \text{unlink-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} = \text{Win}] - (1/2) \bigr| $$.

Definition 13An ACS dACS is said to have unlinkability of proofs if, for any PPT algorithm $$ \mathbf{A} $$, the advantage $$ \mathbf{Adv}^{ {unlink-prf}}_{{dACS}, \mathbf{A}}{(\lambda, \mu)} $$ is negligible in $$ \lambda $$.

Proposition 1 (Unlinkability Implies Anonymity). For any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ {Exp}^{ {ano-prf}}_{{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$, there exists a PPT algorithm $$ \mathbf{B} $$ that is in accordance with the experiment $$ {Exp}^{ {unlink-prf}}_{{dACS}, \mathbf{B}}{(1^\lambda, 1^\mu)} $$ and the following inequality holds.

$$ \mathbf{Adv}^{ {ano-prf}}_{{dACS}, \mathbf{A}}{(\lambda, \mu)} \leq \mathbf{Adv}^{ {unlink-prf}}_{{dACS}, \mathbf{B}}{(\lambda, \mu)}. $$

Proof. Suppose that any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ \textsf{Exp}^{ \text{ano-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$ is given. Then we construct a PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ \textsf{Exp}^{ \text{unlink-prf}}_{\textsf{dACS}, \mathbf{B}}{(1^\lambda, 1^\mu)} $$ as follows. $$ \mathbf{B} $$ employs $$ A $$ as a subroutine. $$ \mathbf{B} $$ is able to generate $$ \mathbf{A} $$'s input by using $$ \mathbf{B} $$'s input and $$ \mathbf{A} $$'s output. Also, $$ \mathbf{B} $$ is able to answer to $$ \mathbf{A} $$'s queries by issuing queries to $$ \mathbf{B} $$'s oracle and using the answers. Finally, when $$ \mathbf{A} $$ outputs $$ b' $$, $$ \mathbf{B} $$ sets $$ d:=b' $$.

GENERIC CONSTRUCTION

In this section, we provide a generic construction of the scheme dACS. Here we employ two building blocks. One is the structure-preserving signature scheme[17,35]. The other is the commit-and-prove scheme of the "fine-tuning Groth-Sahai proofs" system[18,19] on pairing-product equations of our "bundled language".

Construction

According to our syntax, the scheme dACS consists of five PPT algorithms: $$ \textsf{dACS} = $$$$ ( \textsf{Setup}, $$$$ \textsf{AuthKG}, $$$$ \textsf{PrivKG}, $$$$ \textsf{Prover}, $$$$ \textsf{Verifier}) $$.

$$ \bullet \ \textsf{Setup}(1^{ \lambda}) \to pp $$. On input the security parameter $$ 1^{ \lambda} $$, it runs the generation algorithm of bilinear groups, and it sets the output as a set of public parameters: $$ \mathcal{BG}(1^{ \lambda}) \to (p, {\hat{\mathbb G}}, \check{{\mathbb G}}, \mathbb{T}, e, \hat{G}, \check{G}) =: pp $$. Note that $$ pp $$ is common for both the structure-preserving signature scheme $$ \textsf{Sig} $$ and the commit-and-prove scheme $$ \textsf{CmtPrv} $$. Besides, it runs the generation algorithm of commitment key: $$ \textsf{Cmt.KG}( \texttt{nor}) \to ck $$. It returns $$ pp := ( pp, ck) $$.

$$ \bullet \ \textsf{AuthKG}(a) \to ( \text{PK}^{a}, \text{MSK}^{a}) $$. On input an authority index $$ a $$, it executes the key-generation algorithm $$ \textsf{Sig.KG}() $$ to obtain $$ ( \text{PK}, \text{SK}) $$. It sets $$ \text{PK}^{a} := \text{PK} $$ and $$ \text{MSK}^{a} := \text{SK} $$. It returns $$ ( \text{PK}^{a}, \text{MSK}^{a}) $$.

$$ \bullet \ \textsf{PrivKG}( \text{PK}^{a}, \text{MSK}^{a}, \texttt{i}) \to \text{sk}^{a}_{ \texttt{i}} $$. On input $$ \text{PK}^{a} $$, $$ \text{MSK}^{a} $$ and an element $$ \texttt{i} \in {\hat{\mathbb G}} $$, it sets $$ \text{PK} := \text{PK}^{a} $$ and $$ \text{SK} := \text{MSK}^{a} $$ and $$ m := \hat{M} := \texttt{i} $$. It executes the signing algorithm $$ \textsf{Sig.Sign}( \text{PK}, \text{SK}, m) $$ to obtain a signature $$ \sigma $$. It sets $$ \text{sk}^{a}_{ \texttt{i}} := \sigma $$. It returns $$ \text{sk}^{a}_{ \texttt{i}} $$.

$$ \bullet \ \textsf{Prover}(( \text{PK}^{a})^{a \in A'}, \texttt{i}, ( \text{sk}^{a}_{ \texttt{i}})^{a \in A'}) \to \pi $$. On input $$ ( \text{PK}^{a})^{a \in A'} $$, $$ \texttt{i} $$ and $$ ( \text{sk}^{a}_{ \texttt{i}})^{a \in A'} $$, it first commits to $$ \texttt{i} $$:

$$ c_0 \gets \textsf{Cmt.Com}( \texttt{i}; r_0). $$

Second, for each $$ a \in A' $$, it commits to the components $$ ( \sigma^{a}_{k})_{k} $$ of the signature $$ \sigma^{a} $$ in the componentwise way.

$$ (c^{a}_{k})_{k} \gets \textsf{Cmt.Com}(( \sigma^{a}_{k})_{k}; (r^{a}_{k})_{k} ). $$

Then, for each authority index $$ a $$ it sets $$ x^{a} := \text{PK}^{a} $$. It also sets $$ c^{a} := (c_0, (c^{a}_{k})_{k}) $$, $$ w^{a} := (w_0, (w^{a}_{k})_{k}) := ( \texttt{i}, ( \sigma^{a}_{k})_{k}) $$ and $$ r^{a} := (r_0, (r^{a}_{k})_{k}) $$. It executes the prove-algorithm to obtain a proof:

$$ \pi^{a} \gets \textsf{Prv.P}(x^{a}, c^{a}, w^{a}, r^{a}), a \in A'. $$

It sets $$ \bar{\pi}^{a} := ( (c^{a}_{k})_{k}, \pi^{a} ) $$ for each $$ a \in A' $$, and it merges all the $$ \bar{\pi}^{a} $$s and the commitment $$ c_0 $$ as $$ \pi := (c_0, (\bar{\pi}^{a})^{a \in A'} ) $$. It returns $$ \pi $$.

$$ \bullet \ \textsf{Verifier}(( \text{PK}^{a})^{a \in A'}, \pi) \to d $$. On input $$ ( ( \text{PK}^{a})^{a \in A'}, \pi) $$, it sets $$ x^{a} := \text{PK}^{a} $$ and it sets $$ c^{a} := (c_0, (c^{a}_{k})) $$ for each $$ a \in A' $$. Then it executes the verify-algorithm for each $$ a \in A' $$ to obtain the decisions:

$$ d^{a} \gets \textsf{Prv.V}(x^{a}, c^{a}, \pi^{a}), a \in A'. $$

If all the decisions $$ d^{a} $$s are $$ 1 $$, then it returns $$ d := 1 $$; otherwise, it returns $$ d := 0 $$.

Security proofs

Theorem 1 (EUF against Collusion Attacks). For any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ {Exp}^{ {euf-coll}}_{{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$, there exists a PPT algorithm $$ \mathbf{F} $$ that is in accordance with the experiment $$ {Exp}^{ {euf-cma}}_{{Sig}, \mathbf{F}}(1^\lambda) $$ and the following inequality holds.

$$ \mathbf{Adv}^{ {euf-coll}}_{{dACS}, \mathbf{A}}{(\lambda, \mu)} = \mu \cdot \mathbf{Adv}^{ {euf-cma}}_{{Sig}, \mathbf{F}}(\lambda). $$

Theorem 1 means that, if the structure-preserving signature scheme $$ \textsf{Sig} $$ is existentially unforgeable against adaptive chosen-message attacks, then our $$ \textsf{dACS} $$ is EUF against collusion attacks.

Proof. Given any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ \textsf{Exp}^{ \text{euf-coll}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$, we construct a PPT algorithm $$ \mathbf{F} $$ that generates an existential forgery of $$ \textsf{Sig} $$ according to the experiment $$ \textsf{Exp}^{ \text{euf-cma}}_{\textsf{Sig}, \mathbf{F}}(1^\lambda) $$. $$ \mathbf{F} $$ is given as input the set of public parameters $$ pp $$ and a public key $$ \text{PK}_{ \textsf{Sig}} $$. $$ \mathbf{F} $$ is also given an auxiliary input $$ \mu $$. $$ \mathbf{F} $$ executes $$ \textsf{Cmt.KG}( \texttt{ext}) $$ to obtain a pair $$ ( ck, xk) $$. $$ \mathbf{F} $$ sets $$ pp := ( pp, ck) $$. $$ \mathbf{F} $$ invokes the algorithm $$ \mathbf{A} $$ with $$ 1^{ \lambda} $$ to obtain the number $$ \mu $$ and $$ S t $$. $$ \mathbf{F} $$ chooses a target index$$ a^{\dagger} $$ from the set $$ A := [\mu] $$uniformly at random. $$ \mathbf{F} $$ executes the generation algorithm of an authority key honestly for $$ a \in A $$except the target index $$ a^{\dagger} $$. As for $$ a^{\dagger} $$, $$ \mathbf{F} $$ uses the input public key:

$$ \begin{align} & \text{For } a \in A, a \neq a^{\dagger}: ( \text{PK}^{a}, \text{MSK}^{a}) \gets \textsf{AuthKG}(a), \\ & \text{For } a = a^{\dagger}: \text{PK}^{a^{\dagger}} := \text{PK}_{ \textsf{Sig}}. \end{align} $$

$$ \mathbf{F} $$ inputs $$ S t $$ and the public keys $$ ( \text{PK}^{a})^{a \in A} $$ into $$ \mathbf{A} $$. Then $$ \mathbf{F} $$ obtains a set of corrupted authority indices $$ \tilde{A} $$ from $$ \mathbf{A} $$. $$ \mathbf{F} $$ sets $$ \bar{\tilde{A}} := A \backslash \tilde{A} $$. If $$ a^{\dagger} \in \bar{\tilde{A}} $$ (the case $$ \text{TgtIdx}_1 $$), then $$ a^{\dagger} $$ is not in $$ \tilde{A} $$ and $$ \mathbf{F} $$ is able to input $$ [ S t, ( \text{MSK}^{a})^{a \in \tilde{A}}] $$ into $$ \mathbf{A} $$. Otherwise, $$ \mathbf{F} $$ aborts.

Simulation of private secret key oracle. When $$ \mathbf{A} $$ issues a private secret key query with $$ a \in A_j \subsetneq \bar{\tilde{A}} $$ and $$ \texttt{i}_j \in \mathbb{Z}_p (j=1, \dots, q_{ \text{sk}}) $$, $$ \mathbf{F} $$ executes the generation algorithm of private secret key with $$ \texttt{i}_j $$ honestly for $$ a \in \bar{\tilde{A}} $$ such that $$ a \neq a^{\dagger} $$. As for $$ a = a^{\dagger} $$, $$ \mathbf{F} $$ issues a signing query to its oracle with $$ \texttt{i}_j $$:

$$ \begin{align} & \text{For } a \in \bar{\tilde{A}} \text{ s.t. } a \neq a^{\dagger}: \text{sk}^{a}_{ \texttt{i}_j} \gets \textsf{PrivKG}( \text{PK}^{a}, \text{MSK}^{a}, \texttt{i}_j), \\ & \text{For } a = a^{\dagger}, \text{sk}^{a^{\dagger}}_{ \texttt{i}_j} \gets \mathbf{SignO}( \text{PK}, \text{SK}, \texttt{i}_j). \end{align} $$

$$ \mathbf{F} $$ replies to $$ \mathbf{A} $$ with the secret key $$ \text{sk}^{a}_{ \texttt{i}_j} $$. This is a perfect simulation.

At the end $$ \mathbf{A} $$ returns a forgery proof and the target set of authority indices $$ (\pi^*, A^*) $$. Note here that $$ A^* \subset \bar{\tilde{A}} $$ as in the definition.

Generating Existential Forgery. Next, $$ \mathbf{F} $$ runs a $$ \textsf{Verifier} $$ with an input $$ [( \text{PK}^{a})^{a \in A^*}, \pi^*] $$. If the decision $$ d $$ of $$ \textsf{Verifier} $$ is $$ 1 $$, then $$ \mathbf{F} $$ executes for each $$ a \in A^* $$ the extraction algorithm $$ \textsf{Cmt.Ext}( xk, c^{a}) $$ to obtain a committed message $$ (w^{a})^* = ((w^{a}_0)^*, ((w^{a}_{k})^*)_{k} ) $$ (see Definition 8). Note here that, for all $$ a \in A^* $$, $$ (w^{a}_0)^* $$ is equal to a single element $$ (w_0)^* $$ in $$ {\hat{\mathbb G}} $$. This is because of the perfectly binding property of $$ \textsf{Cmt} $$. Then $$ \mathbf{F} $$ sets $$ \texttt{i}^* := (w_0)^* $$. Here the restriction [Equations (21)and (22)] assures that, if $$ q_{ \text{sk}} > 0 $$, then there exists at least one $$ \hat{a} \in (A^* \backslash A_j) $$ for some $$ j \in [q_{ \text{sk}}] $$. If $$ q_{ \text{sk}} = 0 $$, then there exists at least one $$ \hat{a} \in A^* $$. $$ \mathbf{F} $$ chooses one such $$ \hat{a} $$ and sets $$ \sigma^* := ( \sigma^{\hat{a}})^* :=[(w^{\hat{a}}_{k})^*]_{k} $$. $$ \mathbf{F} $$ returns a forgery pair of a message and a signature $$ ( \texttt{i}^*, \sigma^*) $$. This completes the description of $$ \mathbf{F} $$.

Probability evaluation. The probability that the returned value $$ ( \texttt{i}^*, \sigma^*) $$ is actually an existential forgery is evaluated as follows. We name the events in the above $$ \mathbf{F} $$ as:

$$ \begin{align} \text{Acc} &: d = 1, \\ \text{Ext} &: \textsf{Cmt.Ext} \text{ returns a witness } (w^{a})^* \\ \text{TgtIdx} &: \hat{a} = a^{\dagger}, \\ \text{Forge} &: ( \texttt{i}^*, \sigma^*) \text{ is an existential forgery on } \textsf{Sig}. \end{align} $$

We have the following equalities.

$$ \mathbf{Adv}^{ \text{euf-coll}}_{\textsf{dACS}, \mathbf{A}}{(\lambda, \mu)} = \Pr[ \text{Acc} ], $$

$$ \Pr[ \text{Acc}, \text{Ext}, \text{TgtIdx} ] = \Pr[ \text{Forge} ], $$

$$ \Pr[ \text{Forge} ] = \mathbf{Adv}^{ \text{euf-cma}}_{\textsf{Sig}, \mathbf{F}}(\lambda) . $$

The left-hand side of the equality [Equation (24)] is expanded as follows.

$$ \begin{align} \Pr[ \text{Acc}, \text{Ext}, \text{TgtIdx} ] &= \Pr[ \text{TgtIdx} ] \cdot \Pr[ \text{Acc}, \text{Ext} ] \\ &= \Pr[ \text{TgtIdx} ] \cdot \Pr[ \text{Acc} ] \cdot \Pr[ \text{Ext} \mid \text{Acc} ]. \end{align} $$

Claim 1

$$ \Pr[ \text{TgtIdx} ] = 1/|A| = 1/\mu. $$

Proof. $$ \hat{a} $$ coincides with $$ a^{\dagger} $$ with probability $$ 1/|A| $$ because $$ a^{\dagger} $$ is chosen uniformly at random from $$ A $$ by $$ \mathbf{F} $$ and no information of $$ a^{\dagger} $$ is leaked to $$ \mathbf{A} $$.

Claim 2If $$ \text{TgtIdx} $$ occurs, then $$ \texttt{i}^* $$ is not queried by $$ \mathbf{F} $$ to its oracle $$ \mathbf{SignO} $$.

Proof. This is because of the restriction [Equations (21) and (22)].

Claim 3

$$ \Pr[ \text{Ext} \mid \text{Acc} ] = 1. $$

Proof. This is because of the perfect knowledge extraction of $$ \Pi $$ (see Definition 8).

Combining Equations (23)-(28) we have:

$$ \mathbf{Adv}^{ \text{euf-coll}}_{\textsf{dACS}, \mathbf{A}}{(\lambda, \mu)} = \mu \cdot \mathbf{Adv}^{ \text{euf-cma}}_{\textsf{Sig}, \mathbf{F}}(\lambda), $$

as is claimed in Theorem 1.

Theorem 2 (Unlinkability of Proofs). For any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ {Exp}^{ {unlink-prf}}_{{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$, there exists a PPT algorithm $$ \mathbf{D} $$ and the following inequality holds.

$$ \mathbf{Adv}^{ {unlink-prf}}_{{dACS}, \mathbf{A}}{(\lambda, \mu)} \leq \mathbf{Adv}^{ {ind-dual}}_{{Cmt}, \mathbf{D}}(\lambda). $$

[For the definition of $$ \mathbf{Adv}^{ {ind-dual}}_{{Cmt}, \mathbf{D}}(\lambda) $$, see Definition 3.]

Theorem 2 means that, if the dual-mode commitment keys are indistinguishable, then our dACS has unlinkability.

Proof. Suppose that any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ \textsf{Exp}^{ \text{unlink-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$ is given. We set a sequence of games, $$ \textsf{Game}_0 $$ and $$ \textsf{Game}_1 $$, as follows. $$ \textsf{Game}_0 $$ is exactly the same as $$ \textsf{Exp}^{ \text{unlink-prf}}_{\textsf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$. Note that when a set of public parameters $$ pp = ( pp', ck) $$ is given to $$ \mathbf{A} $$ where $$ pp' $$ is for bilinear groups, the commitment key $$ ck $$ is chosen as a commitment key $$ ck $$ of the mode $$ \texttt{nor} $$. We denote the probability that $$ \textsf{Game}_0 $$ returns $$ \text{Win} $$ as $$ \Pr[ \text{Win}_0] $$.

$$ \textsf{Game}_1 $$ is the same as $$ \textsf{Game}_0 $$ except that, when a set of public parameters $$ pp = ( pp', ck) $$ is given to $$ \mathbf{A} $$, the commitment key $$ ck $$ is chosen as a commitment key $$ ck $$ of the mode $$ \texttt{sim} $$. We denote the probability that $$ \textsf{Game}_1 $$ returns $$ \text{Win} $$ as $$ \Pr[ \text{Win}_1] $$. The values in $$ \textsf{Game}_1 $$ are distributed identically for both $$ \texttt{i}_0 $$ and $$ \texttt{i}_1 $$ due to the perfectly hiding property [Equation (16)] and the perfect witness-indistinguishability [Equation (17)]. Therefore, $$ \Pr[ \text{Win}_1] = 1/2 $$.

Employing $$ \mathbf{A} $$ as a subroutine, we construct a PPT distinguisher algorithm $$ \mathbf{D} $$ as follows. Given an input $$ pp, ck $$, $$ \mathbf{D} $$ reads out the security parameter. $$ \mathbf{D} $$ simulates the environment of $$ \mathbf{A} $$ in $$ \textsf{Game}_0 $$ or $$ \textsf{Game}_1 $$ honestly except that $$ \mathbf{D} $$ sets $$ pp := ( pp, ck) $$ instead of executing $$ \textsf{Setup}(1^{ \lambda}) $$. If $$ b = b' $$, then $$ \mathbf{D} $$ returns $$ 1 $$, and otherwise, $$ 0 $$. By Equations (13) and (14) (see Definition 3), $$ \Pr[ \mathbf{D}( pp, ck) = 1 \mid ck \gets \textsf{Cmt.KG}( \texttt{nor}) ] = \Pr[ \text{Win}_0] $$ and $$ \Pr[ \mathbf{D}( pp, ck) = 1 \mid ( ck, tk) \gets \textsf{Cmt.KG}( \texttt{sim}) ] = \Pr[ \text{Win}_1] $$, and

$$ \mathbf{Adv}^{ \text{ind-dual}}_{\textsf{Cmt}, \mathbf{D}}(\lambda) = | \Pr[ \text{Win}_0] - \Pr[ \text{Win}_1] |. $$

Therefore,

$$ \begin{align} \mathbf{Adv}^{ \text{unlink-prf}}_{\textsf{dACS}, \mathbf{A}}{(\lambda, \mu)} &= | \Pr[ \text{Win}_0] - (1/2) | \\ &\leq | \Pr[ \text{Win}_0] - \Pr[ \text{Win}_1] | + | \Pr[ \text{Win}_1] - (1/2) | \\ &= \mathbf{Adv}^{ \text{ind-dual}}_{\textsf{Cmt}, \mathbf{D}}(\lambda) + 0 = \mathbf{Adv}^{ \text{ind-dual}}_{\textsf{Cmt}, \mathbf{D}}(\lambda), \end{align} $$

as is claimed in Theorem 2.

INSTANTIATION

In this section, we instantiate our dACS in bilinear groups of Type 3 pairing[20]. The security properties are guaranteed under the SXDH assumption[35,38]. In accordance with the generic construction in the previous section, we employ two building blocks. One is the structure-preserving signature scheme by Abe et al.[17], and the other is the commit-and-prove scheme of the "fine-tuning Groth-Sahai proofs" system by Escala-and-Groth[19] on the pairing-product equations of our bundled language, which is a simultaneous verification equation system of the structure-preserving signatures on an identity element $$ \texttt{i} $$.

Construction

According to our syntax, our instantiated scheme $$ \mathrm{dACS_{sxdh}} $$ consists of five PPT algorithms: $$ \textsf{dACS}_{ \text{sxdh}} = $$$$ ( \textsf{Setup}, $$$$ \textsf{AuthKG}, $$$$ \textsf{PrivKG}, $$$$ \textsf{Prover}, $$$$ \textsf{Verifier}) $$.

$$ \bullet \ \textsf{Setup}(1^{ \lambda}) \to pp $$. On input the security parameter $$ 1^{ \lambda} $$, it runs the generation algorithm of bilinear groups, and it sets the output as a set of public parameters: $$ \mathcal{BG}(1^{ \lambda}) \to (p, {\hat{\mathbb G}}, \check{{\mathbb G}}, \mathbb{T}, e, \hat{G}, \check{G}) =: pp $$. Note that $$ pp $$ is common for both the commit-and-prove scheme $$ \textsf{CmtPrv} $$ and the structure-preserving signature scheme $$ \textsf{Sig} $$. Besides, it runs the generation algorithm of a commitment key: $$ \textsf{Cmt.KG}( \texttt{nor}) \to ck $$. That is, it generates a CRS of mode $$ \texttt{nor} $$ for the Groth-Sahai NIZK proof system[19] as Diffie-Hellman tuples, as follows. It first samples $$ \chi, \xi, \chi', \xi' \in_R \mathbb{Z}_p $$, and it computes $$ \hat{Q} :=\chi \hat{G}, \hat{U} :=\xi \hat{G}, \hat{V} :=\chi\xi \hat{G} $$, $$ \check{Q} :=\chi' \check{G}, \check{U} :=\xi' \check{G}, \check{V} :=\chi'\xi' \check{G} $$. Then it sets

$$ \hat{\mathbf{crs}}_{ \Pi} := \begin{bmatrix} \hat{G} & \hat{Q} \\ \hat{U} & \hat{V} \\ \end{bmatrix}, \check{\mathbf{crs}}_{ \Pi} := \begin{bmatrix} \check{G} & \check{Q} \\ \check{U} & \check{V}, \\ \end{bmatrix}, $$

and it sets

$$ ck:=( \hat{\mathbf{crs}}_{ \Pi}, \check{\mathbf{crs}}_{ \Pi}). $$

It returns $$ pp := ( pp, ck) $$.

$$ \bullet \ \textsf{AuthKG}(a) \to ( \text{PK}^{a}, \text{MSK}^{a}) $$. On input an authority index $$ a $$, it executes the key-generation algorithm of the structure-preserving signature scheme[17], $$ \textsf{Sig.KG}(1^{ \lambda}) $$, to obtain $$ ( \text{PK}, \text{SK}) $$. Precisely, it generates a CRS of mode $$ \texttt{nor} $$ for the Groth-Sahai proof systems[19]$$ \Pi_{ \textsf{Sig}, 0} $$ and $$ \Pi_{ \textsf{Sig}, 1} $$ as Diffie-Hellman tuples, as follows. (Note that the authority index $$ a $$ is omitted for simplicity). That is, for $$ i=0, 1 $$, it first samples $$ \chi_i, \xi_i, \chi'_i, \xi'_i \in_R \mathbb{Z}_p $$, and it computes $$ \hat{Q}_i :=\chi_i \hat{G}, \hat{U}_i :=\xi_i \hat{G}, \hat{V}_i :=\chi_i\xi_i \hat{G} $$, $$ \check{Q}_i :=\chi'_i \check{G}, \check{U}_i :=\xi'_i \check{G}, \check{V}_i :=\chi'_i\xi'_i \check{G} $$. Then it sets

$$ \hat{\mathbf{crs}}_0 := \begin{bmatrix} \hat{G} & \hat{Q}_0 \\ \hat{U}_0 & \hat{V}_0 \\ \end{bmatrix}, \hat{\mathbf{crs}}_1 := \begin{bmatrix} \hat{G} & \hat{Q}_1 \\ \hat{U}_1 & \hat{V}_1 \\ \end{bmatrix}, \check{\mathbf{crs}}_1 := \begin{bmatrix} \check{G} & \check{Q}_1 \\ \check{U}_1 & \check{V}_1 \\ \end{bmatrix}. $$

Then it generates exponent values as

$$ x_0 \in_R \mathbb{Z}_p, \ x_1 := x_2 := 0. $$

Then it generates the secret keys of the ElGamal encryption as

$$ y_0, y_1, y_2 \in_R \mathbb{Z}_p, \ \check{Y}_0 :=y_0 \check{G}, \check{Y}_1 :=y_1 \check{G}, \check{Y}_2 :=y_2 \check{G}. $$

Then it generates commitments as

$$ \begin{align} &\hat{[x_0]}_0 := \textsf{Com}( \hat{\mathbf{crs}}_0, x_0; r_{x_{00}}), \ \hat{[x_1]}_0 := \textsf{Com}( \hat{\mathbf{crs}}_0, x_1; r_{x_{10}}), \\ & \check{[x_2]}_1 := \textsf{Com}( \check{\mathbf{crs}}_1, x_2; r_{x_{21}}), \hat{[y_0]}_0 := \textsf{Com}( \hat{\mathbf{crs}}_0, y_0; r_{y_{00}}), \\ &\hat{[y_0]}_1 := \textsf{Com}( \hat{\mathbf{crs}}_1, y_0; r_{y_{01}}), \hat{[y_1]}_1 := \textsf{Com}( \hat{\mathbf{crs}}_1, y_1; r_{y_{11}}), \\ & \check{[y_2]}_1 := \textsf{Com}( \check{\mathbf{crs}}_1, y_2; r_{y_{21}}), \end{align} $$

where $$ [\hat{ \textsf{x}}]_i $$ and $$ [ \check{ \textsf{y}}]_j $$ ($$ i=0, 1, \ j=0, 1 $$) are computed as follows.

$$ \begin{align} &\hat{[ \textsf{x}]}_i := \textsf{Com}( \hat{\mathbf{crs}}_i, \textsf{x}; r_{ \textsf{x}_i}) := ( \textsf{x} \hat{U}_i + r_{ \textsf{x}_i} \hat{G}, \textsf{x}( \hat{V}_i + \hat{G}) + r_{ \textsf{x}_i} \hat{Q}_i), \\ & \check{[ \textsf{y}]}_j := \textsf{Com}( \check{\mathbf{crs}}_j, \textsf{y}; r_{ \textsf{y}_i}) := ( \textsf{y} \check{U}_j + r_{ \textsf{y}_i} \check{G}, \textsf{y}( \check{V}_j + \check{G}) + r_{ \textsf{y}_i} \check{Q}_j). \end{align} $$

Then it generates a basis of messages as

$$ \omega \in_R \mathbb{Z}_p, \ \check{G}_r := \omega \check{G}, \ \gamma_1 \in_R \mathbb{Z}_p, \ \check{G}_1 := \gamma_1 \check{G}_r. $$

Finally, it sets

$$ \text{PK}:=( \hat{\mathbf{crs}}_0, \hat{\mathbf{crs}}_1, \check{\mathbf{crs}}_1, \check{Y}_0, \check{Y}_1, \check{Y}_2, \hat{[x_0]}_0, \hat{[x_1]}_0, \check{[x_2]}_1, \hat{[y_0]}_0, \hat{[y_0]}_1, \hat{[y_1]}_1, \check{[y_2]}_1, \check{G}_r, \check{G}_1), $$

$$ \text{SK}:=(x_0, y_0, y_1, y_2, r_{x_{00}}, r_{x_{10}}, r_{x_{21}}, r_{y_{00}}, r_{y_{01}}, r_{y_{11}}, r_{y_{21}}, \omega, \gamma_1). $$

It sets $$ \text{PK}^{a} := \text{PK} $$ and $$ \text{MSK}^{a} := \text{SK} $$. It returns $$ ( \text{PK}^{a}, \text{MSK}^{a}) $$.

$$ \bullet \ \textsf{PrivKG}( \text{PK}^{a}, \text{MSK}^{a}, \texttt{i}) \to \text{sk}^{a}_{ \texttt{i}} $$. On input $$ \text{PK}^{a} $$, $$ \text{MSK}^{a} $$ and an element $$ \texttt{i} \in {\hat{\mathbb G}} $$, it sets $$ \text{PK} := \text{PK}^{a} $$ and $$ \text{SK} := \text{MSK}^{a} $$ and $$ m := \hat{M} := \texttt{i} $$. It executes the signing algorithm $$ \textsf{Sig.Sign}( \text{PK}, \text{SK}, m) $$ to obtain a signature $$ \sigma $$ on $$ \texttt{i} $$. Precisely, it generates a one-time key pair $$ \alpha \in_R \mathbb{Z}_p^* $$ and $$ \check{A}:= \alpha \hat{G} $$, and it generates a one-time signature $$ ( \hat{Z}, \hat{R}) $$ as

$$ \rho \in_R \mathbb{Z}_p, \ \hat{Z}:= ( \alpha - \rho \omega) \hat{G}, \ \hat{R}:= \rho \hat{G} - \gamma_1 \hat{M}. $$

Then it encrypts $$ z_0=z_1:=x_0 $$ and $$ z_2:=0 $$ as

$$ s \in_R \mathbb{Z}_p, \ ( \check{E}_{z_0}, \check{E}_{z_1}, \check{E}_{s}) := (z_0 \check{G} + s \check{Y}_0, z_1 \check{G} + s \check{Y}_1, s \check{G}), $$

$$ t \in_R \mathbb{Z}_p, \ ( \hat{E}_{z_2}, \hat{E}_{t}) := (z_2 \hat{G} + t \hat{Y}_2, t \hat{G}). $$

Then it generates commitments as

$$ \begin{align} & \check{[z_0]}_0 := \textsf{Com}( \check{\mathbf{crs}}_0, z_0; r_{z_{00}}), \\ & \check{[z_0]}_1 := \textsf{Com}( \check{\mathbf{crs}}_1, z_0; r_{z_{01}}), \\ & \check{[z_1]}_1 := \textsf{Com}( \check{\mathbf{crs}}_1, z_1; r_{z_{11}}), \end{align} $$

$$ \hat{[z_2]}_1 := \textsf{Com}( \hat{\mathbf{crs}}_1, z_2; r_{z_{21}}). $$

where $$ \hat{[z_2]}_1 $$, $$ \check{[z_0]}_0 $$, $$ \check{[z_0]}_1 $$ and $$ \check{[z_1]}_1 $$ are computed as follows.

$$ \begin{align} & \check{[z_0]}_0 := \textsf{Com}( \check{\mathbf{crs}}_0, z_0; r_{z_{00}}) = (z_0 \check{U}_0 + r_{z_{00}} \check{G}, z_0( \check{V}_0 + \check{G}) + r_{z_{00}} \check{Q}_0), \\ & \check{[z_0]}_1 := \textsf{Com}( \check{\mathbf{crs}}_1, z_0; r_{z_{01}}) = (z_0 \check{U}_1 + r_{z_{01}} \check{G}, z_0( \check{V}_1 + \check{G}) + r_{z_{01}} \check{Q}_1), \\ & \check{[z_1]}_1 := \textsf{Com}( \check{\mathbf{crs}}_1, z_1; r_{z_{11}}) = (z_1 \check{U}_1 + r_{z_{11}} \check{G}, z_1( \check{V}_1 + \check{G}) + r_{z_{11}} \check{Q}_1), \\ &\hat{[z_2]}_1 := \textsf{Com}( \hat{\mathbf{crs}}_1, z_2; r_{z_{21}}) = (z_2 \hat{U}_1 + r_{z_{21}} \hat{G}, z_2( \hat{V}_1 + \hat{G}) + r_{z_{21}} \hat{Q}_1). \end{align} $$

Then it generates commitments as

$$ \begin{align} \hat{[1]}_0 := \textsf{Com}( \hat{\mathbf{crs}}_0, 1; 0) = ( \hat{U}_0, \hat{V}_0 + \hat{G}), \\ \hat{[1]}_1 := \textsf{Com}( \hat{\mathbf{crs}}_1, 1; 0) = ( \hat{U}_1, \hat{V}_1 + \hat{G}), \\ \check{[1]}_1 := \textsf{Com}( \check{\mathbf{crs}}_1, 1; 0) = ( \check{U}_1, \check{V}_1 + \check{G}). \end{align} $$

Then it generates Groth-Sahai proofs as

$$ \begin{align} &\rho_{0, 0}:=\pi_{0, 0}, \\ &\rho_{0, 1}:=\pi_{0, 1}, \\ &\rho_{1, 0}:=( \theta_{1, 0, 1}, \theta_{1, 0, 2}, \pi_{1, 0, 1}, \pi_{1, 0, 2}), \\ &\rho_{1, 1}:=\pi_{1, 1}, \\ &\rho_{1, 2}:=\pi_{1, 2}, \\ &\rho_{1, 3}:=\pi_{1, 3}, \end{align} $$

where $$ \pi_{0, 0} $$, $$ \pi_{0, 1} $$, $$ \theta_{1, 0, 1} $$, $$ \theta_{1, 0, 2} $$, $$ \pi_{1, 0, 1} $$, $$ \pi_{1, 0, 2} $$, $$ \pi_{1, 1} $$, $$ \pi_{1, 2} $$ and $$ \pi_{1, 3} $$ are computed as follows.

$$ \begin{align} &\pi_{0, 0}:= r_{z_{00}} \check{G} - r_{x_{00}} \check{G} - r_{x_{10}} \check{A}, \\ &\pi_{0, 1}:= 0 \check{E}_{z_0} - r_{z_{00}} \check{G} - r_{y_{00}} \check{E}_{s}, \\ & \theta_{1, 0, 1}:= (z_0(r_{x_{21}}-r_{z_{21}})-z_1(r_{x_{21}}-r_{z_{21}})) \hat{U}_1 + ((x_2-z_2)(z_0-z_1)-\psi) \hat{G}, \\ & \theta_{1, 0, 2}:=(z_0(r_{x_{21}}-r_{z_{21}})-z_1(r_{x_{21}}-r_{z_{21}}))( \hat{V}_1 + \hat{G}) + ((x_2-z_2)(z_0-z_1)-\psi) \hat{Q}_1, \\ &\pi_{1, 0, 1}:= (x_2(r_{z_{01}}-r_{z_{11}})-z_2(r_{z_{01}}-r_{z_{11}})) \check{U}_1 + \psi \check{G}, \\ &\pi_{1, 0, 2}:=(x_2(r_{z_{01}}-r_{z_{11}})-z_2(r_{z_{01}}-r_{z_{11}}))( \check{V}_1 + \check{G}) + \psi \check{Q}_1, \\ &\pi_{1, 1}:= 0 \check{E}_{z_0} - r_{z_{01}} \check{G} - r_{y_{01}} \check{E}_{s}, \\ &\pi_{1, 2}:= 0 \check{E}_{z_1} - r_{z_{11}} \check{G} - r_{y_{11}} \check{E}_{s}, \\ &\pi_{1, 3}:= 0 \hat{E}_{z_2} - r_{z_{21}} \hat{G} - r_{y_{21}} \hat{E}_{t}. \end{align} $$

Then it sets

$$ \sigma:= ( \check{A}, \hat{Z}, \hat{R}, \check{E}_{z_0}, \check{E}_{z_1}, \check{E}_{s}, \hat{E}_{z_2}, \hat{E}_{t}, \check{[z_0]}_0, \check{[z_0]}_1, \check{[z_1]}_1, \hat{[z_2]}_1, \rho_{0, 0}, \rho_{0, 1}, \rho_{1, 0}, \rho_{1, 1}, \rho_{1, 2}, \rho_{1, 3}). $$

It sets $$ \text{sk}^{a}_{ \texttt{i}} := \sigma $$. It returns $$ \text{sk}^{a}_{ \texttt{i}} $$.

$$ \bullet \ \textsf{Prover}(( \text{PK}^{a})^{a \in A'}, \texttt{i}, ( \text{sk}^{a}_{ \texttt{i}})^{a \in A'}) \to \pi $$. According to the previous work on the structure-preserving signatures[17], verification equations are given as an equation system below. In the equation system, we denote $$ ( \hat{C}_{ \textsf{x}, 1}, \hat{C}_{ \textsf{x}, 2})_i = [\hat{ \textsf{x}}]_i $$ and $$ ( \check{D}_{ \textsf{y}, 1}, \check{D}_{ \textsf{y}, 2})_j = [ \check{ \textsf{y}}]_j $$ for a variable $$ \textsf{x}, \textsf{y} $$ and the indices $$ i, j $$. Also note that we put an index $$ {\ }^a $$ to distinguish each equation for $$ a \in A' $$, while the identity element $$ \hat{M} (= m = \texttt{i}) $$ is simultaneous for those equations.

$$ \begin{align} & \text{For }\forall a \in A' \ \ ( \text{where } a \text{ is not an exponent but an index})\\ & \text{// To check the one-time key, message and one-time signature } ( \check{A}^a, \hat{M}, ( \hat{Z}^a, \hat{R}^a)): \\ & \quad \hat{G} \cdot \check{A}^a = \hat{Z}^a \cdot \check{G} + \hat{R}^a \cdot \check{G}_r + \hat{M} \cdot \check{G}_1, \end{align} $$

$$ \begin{align} & \text{// To check the proof } \rho_{0, 0}^a = \pi_{0, 0}^a: \\ & \quad ( \hat{C}_{z_0, 1}^a - \hat{C}_{x_0, 1}^a) \cdot \check{G} - \hat{C}_{x_1, 1}^a \cdot \check{A}^a = \hat{G} \cdot \pi_{0, 0}^a, \\ & \quad ( \hat{C}_{z_0, 2}^a - \hat{C}_{x_0, 2}^a) \cdot \check{G} - \hat{C}_{x_1, 2}^a \cdot \check{A}^a = \hat{Q}_0^a \cdot \pi_{0, 0}^a, \end{align} $$

$$ \begin{align} & \text{// To check the proof } \rho_{0, 1}^a = \pi_{0, 1}^a: \\ & \quad \hat{C}_{z_0, 1}^a \cdot \check{E}_{z_0}^a - \hat{C}_{x_0, 1}^a \cdot \check{G} - \hat{C}_{x_1, 1}^a \cdot \check{E}_{s}^a = \hat{G} \cdot \pi_{0, 1}^a, \\ & \quad \hat{C}_{z_0, 2}^a \cdot \check{E}_{z_0}^a - \hat{C}_{x_0, 2}^a \cdot \check{G} - \hat{C}_{x_1, 2}^a \cdot \check{E}_{s}^a = \hat{Q}_0^a \cdot \pi_{0, 1}^a, \end{align} $$

$$ \begin{align} & \text{// To check the proof } \rho_{1, 0}^a = (\pi_{1, 0, 1}^a, \pi_{1, 0, 2}^a, \theta_{1, 0, 1}^a, \theta_{1, 0, 2}^a): \\ & \quad ( \hat{C}_{z_0, 1}^a - \hat{C}_{z_1, 1}^a) \cdot ( \check{D}_{x_2, 1}^a + \check{D}_{z_2, 1}^a) = \hat{G} \cdot \pi_{1, 0, 1}^a + \theta_{1, 0, 1}^a \cdot \check{G}, \\ & \quad ( \hat{C}_{z_0, 2}^a - \hat{C}_{z_1, 2}^a) \cdot ( \check{D}_{x_2, 1}^a + \check{D}_{z_2, 1}^a) = \hat{Q}_1^a \cdot \pi_{1, 0, 1}^a + \theta_{1, 0, 2}^a \cdot \check{G}, \\ & \quad ( \hat{C}_{z_0, 1}^a - \hat{C}_{z_1, 1}^a) \cdot ( \check{D}_{x_2, 2}^a + \check{D}_{z_2, 2}^a) = \hat{G} \cdot \pi_{1, 0, 2}^a + \theta_{1, 0, 1}^a \cdot \check{Q}_1^a, \\ & \quad ( \hat{C}_{z_0, 2}^a - \hat{C}_{z_1, 2}^a) \cdot ( \check{D}_{x_2, 2}^a + \check{D}_{z_2, 2}^a) = \hat{Q}_1^a \cdot \pi_{1, 0, 2}^a + \theta_{1, 0, 2}^a \cdot \check{Q}_1^a, \end{align} $$

$$ \begin{align} & \text{// To check the proof } \rho_{1, 1}^a = \pi_{1, 1}^a: \\ & \quad \hat{C}_{z_0, 1}^a \cdot \check{E}_{z_0}^a - \hat{C}_{x_0, 1}^a \cdot \check{G} - \hat{C}_{x_1, 1}^a \cdot \check{E}_{s}^a = \hat{G} \cdot \pi_{1, 1}^a, \\ & \quad \hat{C}_{z_0, 2}^a \cdot \check{E}_{z_0}^a - \hat{C}_{x_0, 2}^a \cdot \check{G} - \hat{C}_{x_1, 2}^a \cdot \check{E}_{s}^a = \hat{Q}_0^a \cdot \pi_{1, 1}^a, \end{align} $$

$$ \begin{align} & \text{// To check the proof } \rho_{1, 2}^a = \pi_{1, 2}^a: \\ & \quad \hat{C}_{z_0, 1}^a \cdot \check{E}_{z_1}^a - \hat{C}_{x_0, 1}^a \cdot \check{G} - \hat{C}_{x_1, 1}^a \cdot \check{E}_{s}^a = \hat{G} \cdot \pi_{1, 2}^a, \\ & \quad \hat{C}_{z_0, 2}^a \cdot \check{E}_{z_1}^a - \hat{C}_{x_0, 2}^a \cdot \check{G} - \hat{C}_{x_1, 2}^a \cdot \check{E}_{s}^a = \hat{Q}_0^a \cdot \pi_{1, 2}^a, \end{align} $$

$$ \begin{align} & \text{// To check the proof } \rho_{1, 3}^a = \pi_{1, 3}^a: \\ & \quad \hat{E}_{z_2}^a \cdot \check{D}_{z_0, 1}^a - \hat{G} \cdot \check{D}_{x_0, 1}^a - \hat{E}_{t}^a \cdot \check{D}_{x_1, 1}^a = \pi_{1, 3}^a \cdot \check{G}, \\ & \quad \hat{E}_{z_2}^a \cdot \check{D}_{z_0, 2}^a - \hat{G} \cdot \check{D}_{x_0, 2}^a - \hat{E}_{t}^a \cdot \check{D}_{x_1, 2}^a = \pi_{1, 3}^a \cdot \check{Q}_1^a . \end{align} $$

We note that each of the Equations (50)-(56) can be transformed into the following canonical form.

$$ \hat{\mathit{\boldsymbol{x}}} = ( \hat{x}_1, \dots, \hat{x}_m), \ \check{\mathit{\boldsymbol{y}}} = ( \check{y}_1, \dots, \check{y}_n)^{\top}, \ \varGamma \in \mathbb{Z}_p^{m \times n}, $$

$$ \hat{\mathit{\boldsymbol{x}}} \varGamma \check{\mathit{\boldsymbol{y}}} = 0_{ \mathbb{T}}. $$

Then the $$ \textsf{Prover} $$ algorithm applies the Groth-Sahai NIZK proof system to Equation (58), as follows. First, by using $$ \hat{\mathbf{crs}}_{ \Pi} $$ and $$ \check{\mathbf{crs}}_{ \Pi} $$, set

$$ \hat{\mathit{\boldsymbol{v}}} := ( \hat{Q}, \hat{G})^{\top}, \ \hat{\mathit{\boldsymbol{w}}} := ( \hat{V}, \hat{U})^{\top}, \ \ \check{\mathit{\boldsymbol{v}}} := ( \check{Q}, \check{G}), \ \check{\mathit{\boldsymbol{w}}} := ( \check{V}, \check{U}). $$

Also, set scalar vectors as

$$ \mathit{\boldsymbol{e}} := (0, 1) \in \mathbb{Z}_p^2, \ \ \mathit{\boldsymbol{r}}_x, \mathit{\boldsymbol{s}}_x \in_R \mathbb{Z}_p^m, \ \ \mathit{\boldsymbol{r}}_y, \mathit{\boldsymbol{s}}_y \in_R \mathbb{Z}_p^n. $$

Then, generate commitments as follows.

$$ \hat{\mathit{\boldsymbol{c}}} \gets \mathit{\boldsymbol{e}}^{\top} \hat{\mathit{\boldsymbol{x}}} + \hat{\mathit{\boldsymbol{v}}} \mathit{\boldsymbol{r}}_x + \hat{\mathit{\boldsymbol{w}}} \mathit{\boldsymbol{s}}_x \in {\hat{\mathbb G}}^{2 \times m}, $$

$$ \check{\mathit{\boldsymbol{d}}} \gets \check{\mathit{\boldsymbol{y}}} \mathit{\boldsymbol{e}} + \mathit{\boldsymbol{r}}_y^{\top} \check{\mathit{\boldsymbol{v}}} + \mathit{\boldsymbol{s}}_y^{\top} \check{\mathit{\boldsymbol{w}}} \in \check{{\mathbb G}}^{n \times 2}. $$

We stress that, in the computation of the commitment $$ \hat{\mathit{\boldsymbol{c}}} $$ for the equation Equation (50), the randomness to compute the commitment $$ \hat{\mathit{\boldsymbol{c}}}_0 (\in {\hat{\mathbb G}}^{2 \times 1}) $$ to $$ \hat{M} (= \texttt{i}) $$ is common over all $$ a \in A' $$, and hence the randomness is sampled only once. This is why a single identity $$ \texttt{i}^* $$ is extracted in the security proof of unforgeability against collusion attacks.

Then, from Equations (58), (61) and (62), generate

$$ \check{\mathit{\boldsymbol{\pi}}}'_{ \hat{v}} := \mathit{\boldsymbol{r}}_x \varGamma \check{\mathit{\boldsymbol{d}}} \in \check{{\mathbb G}}^{1 \times 2}, \quad \check{\mathit{\boldsymbol{\pi}}}'_{ \hat{w}} := \mathit{\boldsymbol{s}}_x \varGamma \check{\mathit{\boldsymbol{d}}} \in \check{{\mathbb G}}^{1 \times 2}, $$

$$ \hat{\mathit{\boldsymbol{\pi}}}'_{ \check{v}} := ( \hat{\mathit{\boldsymbol{c}}} - \hat{\mathit{\boldsymbol{v}}} \mathit{\boldsymbol{r}}_x - \hat{\mathit{\boldsymbol{w}}} \mathit{\boldsymbol{s}}_x) \varGamma \mathit{\boldsymbol{r}}_y \in {\hat{\mathbb G}}^{2 \times 1}, \ \ \hat{\mathit{\boldsymbol{\pi}}}'_{ \check{w}} := ( \hat{\mathit{\boldsymbol{c}}} - \hat{\mathit{\boldsymbol{v}}} \mathit{\boldsymbol{r}}_x - \hat{\mathit{\boldsymbol{w}}} \mathit{\boldsymbol{s}}_x) \varGamma \mathit{\boldsymbol{s}}_y \in {\hat{\mathbb G}}^{2 \times 1}. $$

Finally, obtain a Groth-Sahai proof $$ ( \check{\mathit{\boldsymbol{\pi}}}_{ \hat{v}}, \check{\mathit{\boldsymbol{\pi}}}_{ \hat{w}}, \hat{\mathit{\boldsymbol{\pi}}}_{ \check{v}}, \hat{\mathit{\boldsymbol{\pi}}}_{ \check{w}}) $$ by randomizing Equations (64) and (65), as follows.

$$ \alpha, \beta, \gamma, \delta \in_R \mathbb{Z}_p, \\ \check{\mathit{\boldsymbol{\pi}}}_{ \hat{v}} := \check{\mathit{\boldsymbol{\pi}}}'_{ \hat{v}} + \alpha \check{\mathit{\boldsymbol{v}}} + \beta \check{\mathit{\boldsymbol{w}}} \in \check{{\mathbb G}}^{1 \times 2}, \ \ \check{\mathit{\boldsymbol{\pi}}}_{ \hat{w}} := \check{\mathit{\boldsymbol{\pi}}}'_{ \hat{w}} + \gamma \check{\mathit{\boldsymbol{v}}} + \delta \check{\mathit{\boldsymbol{w}}} \in \check{{\mathbb G}}^{1 \times 2}, $$

$$ \hat{\mathit{\boldsymbol{\pi}}}_{ \check{v}} := \hat{\mathit{\boldsymbol{\pi}}}'_{ \check{v}} - \hat{\mathit{\boldsymbol{v}}} \alpha - \hat{\mathit{\boldsymbol{w}}} \beta \in {\hat{\mathbb G}}^{2 \times 1}, \ \ \hat{\mathit{\boldsymbol{\pi}}}_{ \check{w}} := \hat{\mathit{\boldsymbol{\pi}}}'_{ \check{w}} - \hat{\mathit{\boldsymbol{v}}} \gamma - \hat{\mathit{\boldsymbol{w}}} \delta \in {\hat{\mathbb G}}^{2 \times 1} . $$

To summarize, the $$ \textsf{Prover} $$ algorithm obtains Groth-Sahai proofs by computing $$ ( \hat{\mathit{\boldsymbol{c}}}, \check{\mathit{\boldsymbol{d}}}, \check{\mathit{\boldsymbol{\pi}}}_{ \hat{v}}, \check{\mathit{\boldsymbol{\pi}}}_{ \hat{w}}, \hat{\mathit{\boldsymbol{\pi}}}_{ \check{v}}, \hat{\mathit{\boldsymbol{\pi}}}_{ \check{w}}) $$ for each of the fifteen equations in Equations (50)-(56). We distinguish them by double index $$ (a, k) $$, where $$ a \in A' $$ and $$ k \in [15] $$. Then the algorithm returns all the commitments and proofs as $$ \mathit{\boldsymbol{\pi}} $$, but the commitment $$ \hat{\mathit{\boldsymbol{c}}}_0 $$ to $$ \texttt{i} (= \hat{M}) $$ is especially placed at the first entry. That is,

$$ \mathit{\boldsymbol{\pi}} := ( \hat{\mathit{\boldsymbol{c}}}_0, ( \hat{\mathit{\boldsymbol{c}}}^{a, k}, \check{\mathit{\boldsymbol{d}}}^{a, k}, \check{\mathit{\boldsymbol{\pi}}}_{ \hat{v}}^{a, k}, \check{\mathit{\boldsymbol{\pi}}}_{ \hat{w}}^{a, k}, \hat{\mathit{\boldsymbol{\pi}}}_{ \check{v}}^{a, k}, \hat{\mathit{\boldsymbol{\pi}}}_{ \check{w}}^{a, k})^{a \in A', k \in [15]} ). $$

$$ \bullet \ \textsf{Verifier}(( \text{PK}^{a})^{a \in A'}, \pi) \to d $$. On input $$ ( ( \text{PK}^{a})^{a \in A'}, \mathit{\boldsymbol{\pi}}) $$, this verification algorithm does the checks the following evaluation.

$$ \begin{align} & \text{For } a \in A': \\ & \quad \text{For } k \in [15]: \\ & \quad d^{a, k} := ( \hat{\mathit{\boldsymbol{c}}}^{a, k} \varGamma \check{\mathit{\boldsymbol{d}}}^{a, k} =_{?} \hat{\mathit{\boldsymbol{v}}} \cdot \check{\mathit{\boldsymbol{\pi}}}_{ \hat{v}}^{a, k} + \hat{\mathit{\boldsymbol{w}}} \cdot \check{\mathit{\boldsymbol{\pi}}}_{ \hat{w}}^{a, k} + \hat{\mathit{\boldsymbol{\pi}}}_{ \check{v}}^{a, k} \cdot \check{\mathit{\boldsymbol{v}}} + \hat{\mathit{\boldsymbol{\pi}}}_{ \check{w}}^{a, k} \cdot \check{\mathit{\boldsymbol{w}}}) \ ( \text{as four equations in } \mathbb{T}^{2 \times 2}) \\ & \quad d^a := \land_{k \in [15]} d^{a, k} \\ & \text{Return } d := \land_{a \in A'} d^a. \end{align} $$

Theorem 3 (EUF against Collusion Attacks) For any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ sf{Exp}^{ {euf-coll}}_{sf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$, our instantiated $$ {dACS_{sxdh}} $$ is EUF against collusion attacks under the SXDH assumption.

Theorem 4 (Unlinkability of Proofs) For any PPT algorithm $$ \mathbf{A} $$ that is in accordance with the experiment $$ sf{Exp}^{ {unlink-prf}}_{sf{dACS}, \mathbf{A}}{(1^\lambda, 1^\mu)} $$, our instantiated $$ {dACS_{sxdh}} $$ is unlinkable under the SXDH assumption.

FEATURE COMPARISON AND EFFICIENCY EVALUATION

In this section, we compare the features of our instantiated $$ \mathrm{dACS_{sxdh}} $$ with those of the previous abACS. Then we evaluate efficiency of our $$ \mathrm{dACS_{sxdh}} $$ by partial implementation and estimation.

In Table 1, "Multi-Authority" means whether the issuing function is decentralized multi-authority or not. "Collusion Resistance" means whether the system has collusion resistance or not. "Formula of Proof" means the type of boolean formulas associated with the proofs. "R.O.", "Std." and "Gen.Grp." mean that the security proof is in the random oracle model, the standard model and the generic group model, respectively. "all-AND", "CNF", and "monotone" mean all-AND, CNF and monotone formulas, respectively. "Unlinkability" means whether unlinkability of proofs is assured or not. "Unforgeability" means the assumptions under which unforgeability is assured. "Size of a Proof" means asymptotic behavior of data length of a proof of credentials. $$ \mathrm{dACS_{sxdh}} $$ means our instantiated dACS under the SXDH assumption. For each "Unforgeability Assumption", see the cited references.

Table 1

Feature comparison of our $$ \textsf{dACS}_{\text{sxdh}} $$ with previous work

ACS/FeatureMulti-authorityformulas for proofsSecurity modelUnlinkabilityUnforgeabilityCollusion resistanceSize of a proof
GGM14[10]$$\checkmark$$All-ANDR.O.$$\checkmark$$SRSA & DL$$\checkmark$$$$ {O}(1) $$
CDHK15[21]$$\checkmark$$All-ANDStd.$$\checkmark$$SXDH, $$ J $$-RootDH, etc.$$\checkmark$$$$ {O}(|A'|) $$
SNBF17[24]-MonotoneStd.$$\checkmark$$$$ t $$-co-DL,-$$ {O}(2^{|A'|}) $$
ON19[25]-CNFStd.$$\checkmark$$DLIN, $$ q $$-SFP, $$ n $$-DHE-$$ {O}(1) $$
FHS19[26]-All-ANDGen.Grp.$$\checkmark$$$$ t $$-co-DL,-$$ {O}(1) $$
TG20[8]-MonotoneStd.$$\checkmark$$(co-)SDH$$\checkmark$$$$ {O}(|A'|) $$
CY22[9]-MonotoneStd.$$\checkmark$$(co-)SDH$$\checkmark$$$$ {O}(|A'|) $$
Our $$ \textsf{dACS}_{\text{sxdh}} $$$$\checkmark$$All-ANDStd.$$\checkmark$$SXDH$$\checkmark$$$$ {O}(|A'|) $$

Along with Table 1, feature comparison is explained at "Related Recent Work" in Introduction. We add a few remarks about the three decentralized multi-authority abACS (dACSs) in Table 1. The dACS by Garman et al. has good features, and especially it shows asymptotic behavior of a constant size of a proof[10]. However, its security model is in the random oracle model. The security model of the dACS by Camenisch et al. and our $$ \mathrm{dACS_{sxdh}} $$ is the standard model[21]. Both of them have similar features, and especially they show the same asymptotic behavior of linear complexity in the number of proven attribute credentials, $$ |A'| $$. The difference lies in their unforgeability assumptions. Actually, in addition to the SXDH assumption, the dACS by Camenisch et al. needs more assumptions of $$ J $$-RootDH, $$ n $$-BSDH, $$ q $$-SDH, XDLIN, co-CDH, and DBP[21].

Then, we show a concrete evaluation about computational amount of our $$ \mathrm{dACS_{sxdh}} $$. The number of group elements in a proof $$ \mathit{\boldsymbol{\pi}} $$ is estimated as follows. $$ \mathit{\boldsymbol{\pi}} $$ consists of components Equation (67), where the indices $$ a $$ and $$ k $$ run in $$ |A'| $$ and $$ [15] $$, respectively. In Equation (67), the commitments $$ \hat{\mathit{\boldsymbol{c}}}^{a, k} $$ and $$ \check{\mathit{\boldsymbol{d}}}^{a, k} $$ consist of group elements in $$ {\hat{\mathbb G}} $$ and $$ \check{{\mathbb G}} $$, and the number of the elements is decided by $$ m $$ and $$ n $$, respectively. Table 2 shows the number of the elements. As for the Groth-Sahai proofs $$ \check{\mathit{\boldsymbol{\pi}}}_{ \hat{v}}^{a, k} $$, $$ \check{\mathit{\boldsymbol{\pi}}}_{ \hat{w}}^{a, k} $$, $$ \hat{\mathit{\boldsymbol{\pi}}}_{ \check{v}}^{a, k} $$ and $$ \hat{\mathit{\boldsymbol{\pi}}}_{ \check{w}}^{a, k} $$, each of them consists of two group elements in $$ {\hat{\mathbb G}} $$ and $$ \check{{\mathbb G}} $$ [Table 3]. Therefore, as summarized in Table 4, the number of group elements in our proof $$ \mathit{\boldsymbol{\pi}} $$ is $$ (180, 176) \in ( {\hat{\mathbb G}}, \check{{\mathbb G}}) $$ for $$ |A'| = 1 $$. As an example, when $$ |A'|=2 $$, it is $$ (358, 352) $$, where we subtract two group elements $$ \in {\hat{\mathbb G}} $$ because the commitment $$ \hat{\mathit{\boldsymbol{c}}}_0 $$ to $$ \hat{M} (= \texttt{i}) $$ is reused. When we use the TEPLA pairing library[39] that is in the C language, an element in $$ {\hat{\mathbb G}} $$ is $$ 65 $$ bytes and an element in $$ \check{{\mathbb G}} $$ is $$ 129 $$ bytes. Therefore, the data length of $$ \mathit{\boldsymbol{\pi}} $$ is $$ 34 $$k bytes for $$ |A'| = 1 $$ and $$ 68 $$k byte for $$ |A'| = 2 $$.

Table 2

Number of elements in $$ ( \hat{\boldsymbol{c}}^{a, k}, \check{\boldsymbol{d}}^{a, k}) $$

$$ k $$1234$$ \cdots $$1
$$ (m, n) $$(4, 4)(4, 3)(4, 3)(4, 4)$$ \cdots $$(4, 4)
#elem.$$ \in {\hat{\mathbb G}}\times \check{{\mathbb G}} $$(8, 8)(8, 6)(8, 6)(8, 8)$$ \cdots $$(8, 8)
Table 3

Number of elements in $$ ( \check{\boldsymbol{\pi}}_{ \hat{v}}^{a, k}, \check{\boldsymbol{\pi}}_{ \hat{w}}^{a, k}, \hat{\boldsymbol{\pi}}_{ \check{v}}^{a, k}, \hat{\boldsymbol{\pi}}_{ \check{w}}^{a, k}) $$

$$ k $$1$$ \dots $$15
#elem.$$ \in \check{{\mathbb G}}\times \check{{\mathbb G}}\times {\hat{\mathbb G}}\times {\hat{\mathbb G}} $$(2, 2, 2, 2)$$ \cdots $$(2, 2, 2, 2)
Table 4

Total number of elements in $$ \boldsymbol{\pi} = ( \hat{\boldsymbol{c}}^{a, k}, \check{\boldsymbol{d}}^{a, k}, \check{\boldsymbol{\pi}}_{ \hat{v}}^{a, k}, \check{\boldsymbol{\pi}}_{ \hat{w}}^{a, k}, \hat{\boldsymbol{\pi}}_{ \check{v}}^{a, k}, \hat{\boldsymbol{\pi}}_{ \check{w}}^{a, k}) $$

$$ k $$1234$$ \cdots $$Further total over all $$ k $$
#elem.$$ \in {\hat{\mathbb G}}\times \check{{\mathbb G}} $$(12, 12)(12, 10)(12, 10)(12, 12)$$ \cdots $$(12, 12)(180, 176)

Further, we estimate the execution time of the $$ \textsf{Prover} $$ and $$ \textsf{Verifier} $$ algorithms. Using TEPLA[39] in C, we implement the scalar-multiplications in $$ {\hat{\mathbb G}} $$ and $$ \check{{\mathbb G}} $$ and the bilinear map $$ e: {\hat{\mathbb G}} \times \check{{\mathbb G}} \to \mathbb{T} $$ because the execution time of $$ \textsf{Prover} $$ is mostly occupied by them. The elliptic curve used is CBN254a known as the BN curve with 128 bit intended security ($$ \lambda = 128 $$), which is one of the pairing-friendly curves. As for our hardware, CPU of 2.80 GHz and DRAM of 4 GB are used. Table 5 shows the result. One execution of elliptic scalar-multiplication in $$ {\hat{\mathbb G}} $$, that is, $$ \hat{G} \alpha $$ for $$ \alpha \in_R \mathbb{Z}_p $$, needs about 0.30 ms on average. one execution in $$ \check{{\mathbb G}} $$, that is, $$ \beta \check{G} $$ for $$ \beta \in_R \mathbb{Z}_p $$, needs about $$ 1.60 $$ ms on average. On the other hand, one execution of the pairing $$ e $$, that is, $$ \hat{X} \cdot \check{Y} (= e( \hat{X}, \check{Y})) $$ for random $$ \hat{X} $$ and $$ \check{Y} $$, needs about 2.74 ms on average. Then we count the number of computations of the scalar-multiplications and the bilinear map to generate a proof $$ \mathit{\boldsymbol{\pi}} $$ in a similar way to count the number of group elements. By a naive counting, it turns out that $$ \textsf{Prover} $$ needs $$ (324, 934) $$ scalar-multiplications in $$ ( {\hat{\mathbb G}}, \check{{\mathbb G}}) $$, and $$ \textsf{Verifier} $$ needs $$ 120 $$ scalar-multiplication in $$ {\hat{\mathbb G}} $$ and $$ 292 $$ computations of the bilinear map $$ e $$. As an example, $$ ( \textsf{Prover}, \textsf{Verifier}) $$ need about $$ (1.4, 1.2) $$ s for $$ |A'| = 1 $$ and $$ (2.8, 2.4) $$ s for $$ |A'| = 2 $$ [Table 6].

Table 5

Time of scalar-multiplication and pairing

CurveComputationAverage (ms)(*2)
ECBN254a$$ \hat{G} \alpha $$$$ 0.30 $$
$$ \beta \check{G} $$1.60
$$ \hat{X} \cdot \check{Y} $$(*1)2.74
Table 6

Estimated time of Prvr and Vrfr: $$ |A'|=2 $$

CurveAlgorithmEstimation (s)
ECBN254aProver2.8
Verifier2.4

CONCLUSION

We propose a multi-show decentralized multi-authority abACS, dACS. One of the features in the security definitions is that corruption of authorities is introduced. As for the construction of our dACS, an attribute authority who issues a private secret key to an entity only has to sign the entity's identifier. Then the entity generates a proof of knowing credentials according to the "commit-to-identifier" principle. The generic construction actually employs the structure-preserving signature scheme and the Groth-Sahai non-interactive proof system in asymmetric bilinear groups. There the principle turns into a bundled language, which is simultaneous equations on the identifier, for verification of the structure-preserving signatures. Actually the bundled language works for preventing collusion attacks.

A negative aspect of our dACS is that the proof size is linear in the number of attribute credentials involved in a proof. Therefore, a construction with smaller asymptotic behavior, hopefully of constant size, should be our future work.

DECLARATIONS

Acknowledgments

The author would like to express his sincere thanks to the three anonymous reviewers as well as the associated editor for their helpful comments from their technical and editorial viewpoints. Part of this work was presented at Innovative Security Solutions for Information Technology and Communications - 13th International Conference, SecITC 2020 (Bucharest, Romania, November 19-20, 2020, pp.71-90)[34], and the sole author agrees to submit and publish it in this new article.

Authors' contributions

The author contributed solely to the article.

Availability of data and materials

Not applicable.

Financial support and sponsorship

This work was supported by JSPS KAKENHI Grant Number JP23K11106.

Conflicts of interest

The author declared that there are no conflicts of interest.

Ethical approval and consent to participate

Not applicable.

Consent for publication

Not applicable.

Copyright

© The Author (s) 2024.

REFERENCES

1. ISO/IEC 11578: 1996(en). Available from: https://www.iso.org/obp/ui/#iso:std:iso-iec:11578:ed-1:v1:en. [Last accessed on 6 Sep 2024].

2. Chaum D. Security without identification: transaction systems to make big brother obsolete. Commun ACM 1985;28:1030-44.

3. Camenisch J, Lysyanskaya A. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann B, editor. Advances in Cryptology - EUROCRYPT 2001. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2001. pp. 93-118.

4. Camenisch J, Lysyanskaya A. Signature schemes and anonymous credentials from bilinear maps. In: Advances in Cryptology - CRYPTO 2004. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2004. pp. 56-72.

5. Camenisch J, GroßT. Efficient attributes for anonymous credentials. In: CCS'08: Proceedings of the 15th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM; 2008. pp. 345-56.

6. Sudarsono A, Nakanishi T, Funabiki N. Efficient proofs of attributes in pairing-based anonymous credential system. In: Fischer-Hübner S, Hopper N, editors. Privacy enhancing technologies. PETS 2011. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2011. pp. 246-63.

7. Brands SA. Rethinking public key infrastructures and digital certificates: building in privacy. 1st ed. Cambridge-London: MIT Press; 2000. Available from: http://www.credentica.com/the_mit_pressbook.html. [Last accessed on 6 Sep 2024].

8. Tan S, Groß T. MoniPoly - an expressive q-SDH-based anonymous attribute-based credential system. In: Moriai S, Wang H, editors. Advances in Cryptology - ASIACRYPT 2020. Lecture notes in computer science. Cham: Springer; 2020. pp. 498-526.

9. Chan KY, Yuen TH. Attribute-based anonymous credential: optimization for single-use and multi-use. In: Beresford AR, Patra A, Bellini E, editors. Cryptology and network security. CANS 2022. Lecture notes in computer science. Cham: Springer; 2022. pp. 89-121.

10. Garman C, Green M, Miers I. Decentralized anonymous credentials. Available from: https://www.ndss-symposium.org/ndss2014/decentralized-anonymous-credentials. [Last accessed on 6 Sep 2024].

11. Lewko A, Waters B. Decentralizing attribute-Based encryption. In: Paterson KG, editor. Advances in Cryptology - EUROCRYPT 2011. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2011. pp. 568-88.

12. Okamoto T, Takashima K. Decentralized attribute-based signatures. In: Kurosawa K, Hanaoka G, editors. Public-Key Cryptography - PKC 2013. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2013. pp. 125-42.

13. Sahai A, Waters B. Fuzzy identity-based encryption. In: Cramer R, editor. Advances in Cryptology - EUROCRYPT 2005. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2005. pp. 457-73.

14. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: CCS'06: Proceedings of the 13th ACM Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery; 2006. pp. 89-98.

15. Chase M, Chow SSM. Improving privacy and security in multi-authority attribute-based encryption. In: CCS'09: Proceedings of the 2009 ACM Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery; 2009. pp. 121-30.

16. NIST. Digital signature standard (DSS). 2013. Available from: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf. [Last accessed on 6 Sep 2024].

17. Abe M, Hofheinz D, Nishimaki R, Ohkubo M, Pan J. Compact structure - preserving signatures with almost tight security. In: Katz J, Shacham H, editors. Advances in Cryptology - CRYPTO 2017. Lecture notes in computer science. Cham: Springer; 2017. pp. 548-80.

18. Groth J, Sahai A. Efficient non-interactive proof systems for bilinear groups. In: EUROCRYPT'08: Proceedings of the Theory and Applications of Cryptographic Techniques 27th Annual International Conference on Advances in Cryptology. Berlin, Heidelberg: Springer-Verlag; 2008. pp. 415-32. Available from: http://dl.acm.org/citation.cfm?id=1788414.1788438. [Last accessed on 6 Sep 2024].

19. Escala A, Groth J. Fine-tuning groth-Sahai Proofs. In: Krawczyk H, editor. Public-Key Cryptography - PKC 2014. Lecture notes in computer science. Berlin: Springer; 2014. pp. 630-49.

20. Galbraith SD, Paterson KG, Smart NP. Pairings for cryptographers. Discret Appl Math 2008;156:3113-21.

21. Camenisch J, Dubovitskaya M, Haralambiev K, Kohlweiss M. Composable and modular anonymous credentials: definitions and practical constructions. In: Iwata T, Cheon J, editors. Advances in Cryptology - ASIACRYPT 2015. Lecture notes in computer science. Berlin: Springer; 2015. pp. 262-88.

22. Canetti R. Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science; 2001 Oct 8-11; Newport Beach, CA, USA. IEEE; 2001. pp. 136-45.

23. Canetti R. Universally composable security. J ACM 2020;67:1-94.

24. Sadiah S, Nakanishi T, Begum N, Funabiki N. Accumulator for monotone formulas and its application to anonymous credential system. J Inf Process 2017;25:949-61.

25. Okishima R, Nakanishi T. An anonymous credential system with constant-size attribute proofs for CNF formulas with negations. In: Attrapadung N, Yagi T, editors. Advances in information and computer security. IWSEC 2019. Lecture notes in computer science. Cham: Springer; 2019. pp. 89-106.

26. Fuchsbauer G, Hanser C, Slamanig D. Structure-preserving signatures on equivalence classes and constant-size anonymous credentials. J Cryptology 2019;32:498-546.

27. Resisting replay attacks efficiently in a permissioned and privacy-preserving blockchain network. US 20170149819 A1, United States Patent and Trademark Office. Available from: https://patents.google.com/patent/US20170149819A1/en. [Last accessed on 10 Sep 2024].

28. Limited AGH. System and method for detecting replay attack. US 20200128043 A1, United States Patent and Trademark Office. Available from: https://patents.google.com/patent/US20200128043A1/en. [Last accessed on 10 Sep 2024].

29. Nakamoto S. Bitcoin: a peer-to-peer electronic cash system. 2009. Available from: http://www.bitcoin.org/bitcoin.pdf. [Last accessed on 6 Sep 2024].

30. Au MH, Susilo W, Mu Y, Chow SSM. Constant-size dynamic K-times anonymous authentication. IEEE Syst J 2013;7:249-61.

31. Ma JPK, Chow SSM. SMART credentials in the multi-queue of slackness (or secure management of anonymous reputation traits without global halting). In: 2023 IEEE 8th European Symposium on Security and Privacy EuroS & P; 2023 Jul 3-7; Delft, Netherlands. IEEE; 2023. pp. 896-912.

32. Doerner J, Kondi Y, Lee E, Shelat A, Tyner L. Threshold BBS+ signatures for distributed anonymous credential issuance. In: 2023 IEEE Symposium on Security and Privacy SP; 2023 May 21-25; San Francisco, CA, USA. IEEE; 2023. pp. 773-89.

33. Wong HWH, Ma JPK, Chow SSM. Secure multiparty computation of threshold signatures made more efficient. Available from: https://www.ndss-symposium.org/wp-content/uploads/2024-601-paper.pdf. [Last accessed on 6 Sep 2024].

34. Anada H. Decentralized multi-authority anonymous credential system with bundled languages on identifiers. In: Maimut D, Oprina AG, Sauveron D, editors. Innovative security solutions for information technology and communications. SecITC 2020. Lecture notes in computer science. Cham: Springer; 2020. pp. 71-90.

35. Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure-preserving signatures and commitments to group elements. In: Rabin T, editor. Advances in Cryptology - CRYPTO 2010. Lecture notes in computer science. Berlin, Heidelberg: Springer; 2010. pp. 209-36.

36. Goldwasser S, Micali S, Rivest RL. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J Comput 1988;17:281-308.

37. Wikipedia. Commitment scheme. Available from: https://en.wikipedia.org/wiki/Commitment_scheme. [Last accessed on 6 Sep 2024].

38. Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M. Structure-preserving signatures and commitments to group elements. J Cryptol 2016;29:363-421.

39. TEPLA(University of Tsukuba Elliptic Curve and Pairing Library). (in Japanese) Available from: http://www.cipher.risk.tsukuba.ac.jp/tepla/doc/tepladoc2_0_0.pdf. [Last accessed on 6 Sep 2024].

Cite This Article

Research Article
Open Access
Decentralized multi-authority anonymous credential system with bundled languages on identifiers in bilinear groups
Hiroaki AnadaHiroaki Anada

How to Cite

Anada, H. Decentralized multi-authority anonymous credential system with bundled languages on identifiers in bilinear groups. J. Surveill. Secur. Saf. 2024, 5, 160-83. http://dx.doi.org/10.20517/jsss.2024.08

Download Citation

If you have the appropriate software installed, you can download article citation data to the citation manager of your choice. Simply select your manager software from the list below and click on download.

Export Citation File:

Type of Import

Tips on Downloading Citation

This feature enables you to download the bibliographic information (also called citation data, header data, or metadata) for the articles on our site.

Citation Manager File Format

Use the radio buttons to choose how to format the bibliographic data you're harvesting. Several citation manager formats are available, including EndNote and BibTex.

Type of Import

If you have citation management software installed on your computer your Web browser should be able to import metadata directly into your reference database.

Direct Import: When the Direct Import option is selected (the default state), a dialogue box will give you the option to Save or Open the downloaded citation data. Choosing Open will either launch your citation manager or give you a choice of applications with which to use the metadata. The Save option saves the file locally for later use.

Indirect Import: When the Indirect Import option is selected, the metadata is displayed and may be copied and pasted as needed.

About This Article

Special Issue

This article belongs to the Special Issue Key Management and Key Recovery
© The Author(s) 2024. Open Access This article is licensed under a Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, sharing, adaptation, distribution and reproduction in any medium or format, for any purpose, even commercially, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Data & Comments

Data

Views
72
Downloads
10
Citations
0
Comments
0
0

Comments

Comments must be written in English. Spam, offensive content, impersonation, and private information will not be permitted. If any comment is reported and identified as inappropriate content by OAE staff, the comment will be removed without notice. If you have any queries or need any help, please contact us at support@oaepublish.com.

0
Download PDF
Share This Article
Scan the QR code for reading!
See Updates
Contents
Figures
Related
Journal of Surveillance, Security and Safety
ISSN 2694-1015 (Online)
Follow Us

Portico

All published articles are preserved here permanently:

https://www.portico.org/publishers/oae/

Portico

All published articles are preserved here permanently:

https://www.portico.org/publishers/oae/