Pairing-Based Cryptography - Pairing 2009: Third International Conference, Palo Alto, CA, USA, August 12-14, 2009, Proceedings (Lecture Notes in Computer Science: Security and Cryptology)

Lecture Notes in Computer Science 5671
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board

David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, University of Dortmund, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Hovav Shacham and Brent Waters (Eds.)

Pairing-Based Cryptography – Pairing 2009

Third International Conference, Palo Alto, CA, USA, August 12-14, 2009, Proceedings

Volume Editors

Hovav Shacham
University of California at San Diego, Department of Computer Science and Engineering
9500 Gilman Drive, MC 0404, La Jolla, CA 92093-0404, USA
E-mail: [email protected]

Brent Waters
University of Texas at Austin, Department of Computer Science
1 University Station C0500, Taylor Hall 2.124, Austin, TX 78712-1188, USA
E-mail: [email protected]

Library of Congress Control Number: 2009930958

CR Subject Classification (1998): E.3, D.4.6, F.2.2, G.2, K.6.5

LNCS Sublibrary: SL 4 – Security and Cryptology

ISSN 0302-9743
ISBN-10 3-642-03297-4 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-03297-4 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

springer.com

© Springer-Verlag Berlin Heidelberg 2009
Printed in Germany

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
SPIN: 12723874 06/3180 5 4 3 2 1 0

Preface

Pairing 2009, the Third International Conference on Pairing-Based Cryptography, was held at Stanford University in Palo Alto during August 12–14, 2009. The conference was sponsored by Voltage Security and Microsoft Corporation. Terence Spies served as General Chair of the Conference and we had the privilege of serving as Program Co-chairs.

The conference received 38 submissions. These were reviewed by a committee of 23 members. The committee had a three-week individual review phase followed by three weeks of discussion. After careful deliberation, the committee chose 16 papers for the Pairing 2009 conference. Detailed reviews were given to the authors, and the authors were given three weeks to submit the final version. These final versions were not subject to external review and the authors bear full responsibility for their contents.

We are delighted to have had three invited speakers for Pairing 2009. Victor Miller spoke on the origins of pairing-based cryptography. His talk was complemented by Tanja Lange's, who covered the evolution of the mathematics behind pairings and shared recent results. Finally, Amit Sahai spoke on his work (with Jens Groth and Rafi Ostrovsky) realizing non-interactive zero knowledge proofs from pairings. This work has been highly influential and multiple papers accepted at this conference built upon it. In addition, there was a "Hot Topics" session at this conference where we asked several researchers to give 10-minute presentations of recent results.

We would like to thank everyone who contributed to the conference. First, thanks to the members of our Program Committee for their excellent reviews, the difficult decisions they made in a short time, and their conscientious, thorough shepherding. Second, thanks to the Pairing Conference Steering Committee and the Chairs of previous Pairing conferences and workshops. We would like to extend a particular thanks to Steven Galbraith and Kenny Paterson, Program Chairs of Pairing 2008, whose experience and advice were invaluable to us in our planning of this conference. Third, we would like to thank Shai Halevi, whose wonderful Web Submission and Review Software we used and who hosted and administered the submission and review site for us on the IACR's servers. Fourth, we are grateful for Voltage Security and Microsoft for their generous support. Finally, we are especially indebted to Terence Spies for his service as General Chair. Without him the conference would not have been possible.

August 2009
Hovav Shacham
Brent Waters

Pairing 2009

The Third International Conference on Pairing-Based Cryptography

Stanford, California, August 12–14, 2009

Sponsored by Voltage Security and Microsoft

General Chair

Terence Spies Voltage Security

Program Chairs

Hovav Shacham, UC San Diego, USA
Brent Waters, UT Austin, USA

Program Committee

Michel Abdalla, Ecole Normale Superieure, France
Paulo Barreto, University of Sao Paulo, Brazil
Xavier Boyen, Stanford, USA
Melissa Chase, Microsoft Research, USA
David Mandell Freeman, CWI; Universiteit Leiden, The Netherlands
Steven Galbraith, Royal Holloway, University of London, UK
Pierrick Gaudry, CNRS, INRIA, Nancy Universite, France
Matthew Green, Johns Hopkins, USA
Jens Groth, University College London, UK
Florian Hess, TU Berlin, Germany
Tanja Lange, TU Eindhoven, The Netherlands
Kristin Lauter, Microsoft Research, USA
Gregory Neven, IBM Zurich Research Laboratory, Switzerland
Tatsuaki Okamoto, NTT, Japan
Dan Page, University of Bristol, UK
Kenny Paterson, Royal Holloway, University of London, UK
Michael Scott, Dublin City University, Ireland
Hovav Shacham, UC San Diego, USA
Elaine Shi, PARC, USA
Nigel Smart, University of Bristol, UK
Tsuyoshi Takagi, Future University Hakodate, Japan
Fre Vercauteren, KU Leuven, Belgium
Brent Waters, UT Austin, USA

External Reviewers

John Bethencourt
Sebastien Canard
Scott E. Coull
Yuto Kawahara
Benoît Libert
Mark Manulis
Atsuko Miyaji
Peter Montgomery
Yasuyuki Nogami
Pascal Paillier
Emily Shen
Masaaki Shirase
Katsuyuki Takashima
Damien Vergnaud
Ali Zandi

Table of Contents

Signature Security

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem (p. 1)
David Jao and Kayo Yoshida

Security of Verifiably Encrypted Signatures and a Construction without Random Oracles (p. 17)
Markus Rückert and Dominique Schröder

Multisignatures as Secure as the Diffie-Hellman Problem in the Plain Public-Key Model (p. 35)
Duc-Phong Le, Alexis Bonnecaze, and Alban Gabillon

Curves

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields (p. 52)
Naomi Benger, Manuel Charlemagne, and David Mandell Freeman

Generating Pairing-Friendly Curves with the CM Equation of Degree 1 (p. 66)
Hyang-Sook Lee and Cheol-Min Park

Pairing Computation

On the Final Exponentiation for Calculating Pairings on Ordinary Elliptic Curves (p. 78)
Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa

Faster Pairings on Special Weierstrass Curves (p. 89)
Craig Costello, Huseyin Hisil, Colin Boyd, Juan Gonzalez Nieto, and Kenneth Koon-Ho Wong

Fast Hashing to G2 on Pairing-Friendly Curves (p. 102)
Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa

NIZKs and Applications

Compact E-Cash and Simulatable VRFs Revisited (p. 114)
Mira Belenkiy, Melissa Chase, Markulf Kohlweiss, and Anna Lysyanskaya

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures (p. 132)
Georg Fuchsbauer and David Pointcheval

Group Signatures

Identity Based Group Signatures from Hierarchical Identity-Based Encryption (p. 150)
Nigel P. Smart and Bogdan Warinschi

Forward-Secure Group Signatures from Pairings (p. 171)
Toru Nakanishi, Yuta Hira, and Nobuo Funabiki

Efficient Traceable Signatures in the Standard Model (p. 187)
Benoît Libert and Moti Yung

Protocols

Strongly Secure Certificateless Key Agreement (p. 206)
Georg Lippold, Colin Boyd, and Juan Gonzalez Nieto

Universally Composable Adaptive Priced Oblivious Transfer (p. 231)
Alfredo Rial, Markulf Kohlweiss, and Bart Preneel

Conjunctive Broadcast and Attribute-Based Encryption (p. 248)
Nuttapong Attrapadung and Hideki Imai

Author Index (p. 267)

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

David Jao and Kayo Yoshida*

Department of Combinatorics and Optimization, University of Waterloo, Waterloo ON, N2L 3G1, Canada

{djao,k2yoshid}@ecc.math.uwaterloo.ca

Abstract. The Boneh-Boyen signature scheme is a pairing based short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman assumption. In this paper, we prove the converse of this statement, and show that forging Boneh-Boyen signatures is actually equivalent to solving the q-Strong Diffie-Hellman problem. Using this equivalence, we exhibit an algorithm which, on the vast majority of pairing-friendly curves, recovers Boneh-Boyen private keys in $O(p^{2/5+\varepsilon})$ time, using $O(p^{1/5+\varepsilon})$ signature queries. We present implementation results comparing the performance of our algorithm and traditional discrete logarithm algorithms such as Pollard's lambda algorithm and Pollard's rho algorithm. We also discuss some possible countermeasures and strategies for mitigating the impact of these findings.

1 Introduction

The q-SDH assumption was proposed by Boneh and Boyen [5,6] as a tool to assist in the security analysis of the Boneh-Boyen short signature scheme. Versions of this assumption are also used in Mitsunari et al. [19], Dodis and Yampolskiy [12], and in the Boneh-Boyen IBE scheme [4]. The survey article of Boyen [7] lists the q-SDH assumption as one of the first in a family of new assumptions that have appeared in the context of pairing-based cryptography, and the first of these to be analyzed in the generic group model.

Prior to this work, no equivalence was known between the security of the q-SDH assumption and the security of the Boneh-Boyen signature scheme. Boneh and Boyen [5,6] provide a security reduction with a running time of $\Theta(q^2)$, but it only goes in one direction: namely, if the q-SDH assumption holds, then Boneh-Boyen signatures are unforgeable. There are two reasons why one might desire to prove the converse result. One reason is practical: Cheon [10] has shown that, in groups of size $p$, the q-SDH problem can be solved in $O(\sqrt{p/d} + \sqrt{d})$ exponentiations, instead of the $O(\sqrt{p})$ operations required for discrete log, for any divisor $d \le q$ of $p - 1$ (a similar result holds for $p + 1$). Knowing that q-SDH and Boneh-Boyen are equivalent thus allows one to forge Boneh-Boyen signatures in faster than square root time; in our case this is possible via a known or chosen message attack. Although the resulting algorithm remains exponential, a lower exponent is still interesting in the context of a short signature scheme, especially for extremely short signature lengths at the lower margins of security. A further motivation for proving equivalence is given by Koblitz and Menezes [14,15]. They argue that an equivalence result is preferable from a philosophical standpoint, since researchers have more incentive to solve the underlying hard problem (that is, q-SDH) if such solutions lead immediately to cryptanalysis of a concrete scheme.

* The authors were partially supported by NSERC.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 1–16, 2009. © Springer-Verlag Berlin Heidelberg 2009

In this paper, we present an algorithm for performing existential forgeries of Boneh-Boyen signatures using a q-SDH oracle, whose running time is also $\Theta(q^2)$. This shows that the security of Boneh-Boyen cannot be proved under any weaker assumption than SDH; in other words, the security of the Boneh-Boyen scheme is equivalent to the intractability of the q-SDH problem. Our reduction holds for both the "basic" and "full" versions of the Boneh-Boyen scheme. Together with Cheon's algorithm, our result allows a total break (i.e. recovery of the private key) of the full (resp., basic) Boneh-Boyen scheme in time $O(p^{2/5+\varepsilon})$, under a chosen (resp., known) message attack, whenever $p \pm 1$ has a divisor of appropriate size (which in practice is almost always the case; see Section 6.3). This running time is slightly higher than the generic group bound of $\Omega(p^{1/3})$ given by Boneh and Boyen [5,6], because of the quadratic runtime of our reduction. Nevertheless, it represents a significant improvement over the $O(p^{1/2+\varepsilon})$ time required to calculate discrete logarithms.
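The exponents $2/5$ and $1/5$ come from balancing the two costs just described. The following derivation is added here as an illustration and is not part of the paper; it drops the $\varepsilon$ and the constant factors, counts both costs in group exponentiations, and writes $q$ for both the number of signature queries and the divisor $d \le q$ that Cheon's algorithm uses:

$$
T(q) \;\approx\; \underbrace{q^{2}}_{\text{reduction, } \Theta(q^2 T)} \;+\; \underbrace{\sqrt{p/q} + \sqrt{q}}_{\text{Cheon's algorithm with } d = q}.
$$

For $q \le \sqrt{p}$ the $\sqrt{q}$ term is dominated by $\sqrt{p/q}$, so the total is minimized where the two remaining terms balance:

$$
q^{2} = \sqrt{p/q} \;\Longleftrightarrow\; q^{5/2} = p^{1/2} \;\Longleftrightarrow\; q = p^{1/5}, \qquad T(p^{1/5}) = p^{2/5}.
$$

That is the $O(p^{2/5+\varepsilon})$ time with $q_S \ge q = p^{1/5}$, i.e. $O(p^{1/5+\varepsilon})$, signature queries stated in the abstract. The balance assumes that $p - 1$ or $p + 1$ has a divisor $d$ of size about $p^{1/5}$; whether such a divisor exists for a given curve is the condition referred to Section 6.3.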

The techniques we use are not entirely new, although we did discover them independently. A simplified version of Proposition 4.1 appears in Mitsunari et al. [19], a paper which is cited by Boneh and Boyen [5,6] and Cheon [10]. However, we are quite confident that our overall result is new. For example, Cheon [10] applies his results to the cryptanalysis of several different cryptosystems, but omits the Boneh-Boyen scheme from such consideration, indicating that no such cryptanalysis was available. In addition, the survey article of Boyen [7] asserts that the MSDH assumption (which amounts to forging Boneh-Boyen signatures) is "an actually weaker statement" than q-SDH. This sentence implies that no equivalence between Boneh-Boyen and q-SDH was known at the time of that writing.

We note here that the abovementioned generic group analysis already yields a bound of $\Omega(p^{1/3})$ on the security of the q-SDH assumption for large $q$. Thus, it would be reasonable for a conservative adopter to view the Boneh-Boyen scheme as having cube root security under large scale chosen message attacks, even in the absence of any concrete algorithm that runs faster than discrete log. However, an explicit result showing that forging signatures reduces to the q-SDH problem is still useful, precisely because such a reduction yields concrete algorithms for forging signatures, and hence helps to validate the conservative viewpoint.

1.1 Organization of the Paper

The rest of this paper is organized as follows. Section 2 contains background material such as security definitions, bilinear pairings, and the q-SDH and related problems. Section 3 presents the basic and full versions of the Boneh-Boyen short signature scheme [5,6]. In Section 4, we give a security analysis of the signature scheme, and show how to forge Boneh-Boyen signatures using a q-SDH oracle. In Section 5 we review Cheon's algorithm [10] for solving the q-SDH problem, and describe how Cheon's algorithm can be used to compute the private key in the Boneh-Boyen scheme. Section 6 contains theoretical and experimental runtime figures showing that a Boneh-Boyen private key can be computed in $O(p^{2/5+\varepsilon})$ time, given access to a signing oracle. We conclude with an analysis of the proportion of curves for which a divisor of the suitable form exists, together with a list of related open problems.

2 Preliminaries

2.1 Security Definitions

We begin by reviewing the two security definitions used in the proof of securityfor the Boneh-Boyen signature scheme [5,6].

Strong Existential Unforgeability. Strong existential unforgeability is defined via the following game between a challenger and an adversary $\mathcal{A}$.

1. The challenger generates a key pair $(PK, SK)$ and gives $PK$ to the adversary.
2. The adversary $\mathcal{A}$ can adaptively make up to $q_S$ queries for signatures of messages $m_1, \dots, m_{q_S}$ of its choice. The challenger must respond to the queries with valid signatures $\sigma_1, \dots, \sigma_{q_S}$ of the messages $m_1, \dots, m_{q_S}$.
3. Eventually, the adversary $\mathcal{A}$ outputs a pair $(m^*, \sigma^*)$, and wins the game if $(m^*, \sigma^*) \ne (m_i, \sigma_i)$ for $i = 1, \dots, q_S$ and $\mathrm{Verify}(m^*, \sigma^*, PK) = \mathrm{true}$.

The adversary $\mathcal{A}$'s advantage, denoted $\mathrm{Adv}_{\mathrm{Sig}}(\mathcal{A})$, is defined as the probability that $\mathcal{A}$ wins the above game, where the probability is taken over the coin tosses made by $\mathcal{A}$ and the challenger.

Definition 2.1. An adversary $\mathcal{A}$ is said to $(t, q_S, \varepsilon)$-break a signature scheme if $\mathcal{A}$ runs in time at most $t$, makes at most $q_S$ signature queries, and $\mathrm{Adv}_{\mathrm{Sig}}(\mathcal{A}) \ge \varepsilon$. We say that a signature scheme is $(t, q_S, \varepsilon)$-existentially unforgeable under an adaptive chosen message attack if there is no adversary that $(t, q_S, \varepsilon)$-breaks it.

Weak Existential Unforgeability. Weak existential unforgeability is defined via the following game between a challenger and an adversary $\mathcal{A}$.

1. The challenger generates a key pair $(PK, SK)$.
2. The adversary $\mathcal{A}$ chooses up to $q_S$ messages $m_1, \dots, m_{q_S}$ and sends them to the challenger.
3. The challenger gives $\mathcal{A}$ the public key $PK$ and valid signatures $\sigma_1, \dots, \sigma_{q_S}$ for the messages $m_1, \dots, m_{q_S}$.
4. Eventually, the adversary $\mathcal{A}$ outputs a pair $(m^*, \sigma^*)$, and wins the game if $m^* \ne m_i$ for $i = 1, \dots, q_S$ and $\mathrm{Verify}(m^*, \sigma^*, PK) = \mathrm{true}$.

The adversary $\mathcal{A}$'s advantage, denoted $\mathrm{Adv}^{W}_{\mathrm{Sig}}(\mathcal{A})$, is defined as the probability that $\mathcal{A}$ wins the above game, where the probability is taken over the coin tosses made by $\mathcal{A}$ and the challenger.

Definition 2.2. An adversary $\mathcal{A}$ is said to $(t, q_S, \varepsilon)$-weakly break a signature scheme if $\mathcal{A}$ runs in time at most $t$, makes at most $q_S$ signature queries, and $\mathrm{Adv}^{W}_{\mathrm{Sig}}(\mathcal{A}) \ge \varepsilon$. We say that a signature scheme is $(t, q_S, \varepsilon)$-existentially unforgeable under a weak chosen message attack if there is no adversary that $(t, q_S, \varepsilon)$-weakly breaks it.

2.2 Bilinear Pairings

The Boneh-Boyen short signature scheme makes use of bilinear pairings. Let $G_1$, $G_2$, and $G_T$ be cyclic groups of prime order $|G_1| = |G_2| = |G_T| = p$. The operations in $G_1$, $G_2$, and $G_T$ are written multiplicatively. Recall that a function $e : G_1 \times G_2 \to G_T$ is called a bilinear pairing if it satisfies the following conditions:

– Bilinearity: For any $u_1, u_2, u \in G_1$ and $v_1, v_2, v \in G_2$,
  $e(u_1 u_2, v) = e(u_1, v) \cdot e(u_2, v)$, and $e(u, v_1 v_2) = e(u, v_1) \cdot e(u, v_2)$.
– Non-degeneracy: There exist $u \in G_1$ and $v \in G_2$ such that $e(u, v) \ne 1$.

We assume that the pairing function and the group operations are efficiently computable. The pair $(G_1, G_2)$ is called a bilinear group pair.

2.3 SDH and Related Problems

The q-SDH problem and its variants provide the underlying basis for security in several pairing-based protocols [4,5,6,7,12,19]. Throughout this section, let $(G_1, G_2)$ be a bilinear group pair of prime order $p$, and let $g_1$ and $g_2$ be generators of $G_1$ and $G_2$, respectively.

q-SDH Problem. In the full version of the Boneh-Boyen paper [6], the q-Strong Diffie-Hellman (q-SDH) problem on the bilinear group pair $(G_1, G_2)$ is defined as follows:

Given a $(q+3)$-tuple $(g_1, g_1^{x}, \dots, g_1^{x^q}, g_2, g_2^{x}) \in G_1^{q+1} \times G_2^{2}$ as input, output $(c, g_1^{1/(x+c)})$ for some $c \in \mathbb{Z}_p$ such that $x + c \not\equiv 0 \pmod p$.

The advantage $\mathrm{Adv}_{q\text{-SDH}}(\mathcal{A})$ of an algorithm $\mathcal{A}$ in solving the q-SDH problem in $(G_1, G_2)$ is defined as

$$
\mathrm{Adv}_{q\text{-SDH}}(\mathcal{A}) = \Pr\left[\mathcal{A}(g_1, g_1^{x}, \dots, g_1^{x^q}, g_2, g_2^{x}) = \left(c, g_1^{1/(x+c)}\right)\right],
$$

where the probability is taken over the random choices of generators $g_1 \in G_1$ and $g_2 \in G_2$, the random choice of $x \in \mathbb{Z}_p^*$, and the coin tosses made by $\mathcal{A}$.

Definition 2.3. An algorithm $\mathcal{A}$ is said to $(t, \varepsilon)$-break the q-SDH problem in $(G_1, G_2)$ if $\mathcal{A}$ runs in time $t$ and $\mathrm{Adv}_{q\text{-SDH}}(\mathcal{A}) \ge \varepsilon$. We say that the $(q, t, \varepsilon)$-SDH assumption holds in $(G_1, G_2)$ if there is no algorithm that $(t, \varepsilon)$-breaks the q-SDH problem in $(G_1, G_2)$.

The definition of the q-SDH problem given in the original version of the Boneh-Boyen paper [5] is slightly different. The original version uses a $(q+2)$-tuple $(g_1, g_2, g_2^{x}, \dots, g_2^{x^q})$ as input rather than $(g_1, g_1^{x}, \dots, g_1^{x^q}, g_2, g_2^{x})$, and it also assumes an efficiently computable isomorphism $\psi : G_2 \to G_1$ is available. In this paper, we adopt the definition given in the full version of the Boneh-Boyen paper.

Related Problems. A notable variation of the q-SDH problem for our purposes is the MSDH problem [7,8]. The Modified q-SDH or q-MSDH problem on a group $G$ is the following computational problem: given $g, g^{x} \in G$, and a $(q-1)$-tuple $(c_1, g^{1/(x+c_1)}), \dots, (c_{q-1}, g^{1/(x+c_{q-1})})$ where each $c_i \in \mathbb{Z}_p$, output $(c, g^{1/(x+c)})$ for some $c \in \mathbb{Z}_p \setminus \{c_1, \dots, c_{q-1}\}$. Over a group equipped with a type 1 pairing [13], solving the q-MSDH problem is equivalent to existential forgery of the Boneh-Boyen basic signature scheme under a known message attack using $q$ signature queries. Boyen remarks in [7] that the MSDH assumption is weaker than SDH. Our results, however, imply that in groups with a type 1 pairing the q-MSDH problem is equivalent to the q-SDH problem via a $\Theta(q^2)$ reduction.

3 Boneh-Boyen Signature Scheme

Let $G_1$, $G_2$, and $G_T$ be cyclic groups of prime order $p$, and let $e : G_1 \times G_2 \to G_T$ be a bilinear pairing. In [5,6], Boneh and Boyen present two versions of their signature schemes, a basic scheme and a full scheme, with the former being used to prove the security of the latter. The protocols in the original version [5] of their paper are slightly different from those in the full version [6]. Here we use only the schemes from the full version of the paper [6].

The Basic Signature Scheme

– Key generation: KeyGen outputs random generators $g_1$ and $g_2$ of $G_1$ and $G_2$, respectively, and a random integer $x \in \mathbb{Z}_p^*$. Let $\zeta \leftarrow e(g_1, g_2) \in G_T$. The public key is $PK = (g_1, g_2, g_2^{x}, \zeta)$, and the private key is $SK = (g_1, x)$.
– Signing: Given a message $m \in \mathbb{Z}_p$ and a private key $SK$, $\mathrm{Sign}(m, SK)$ outputs a signature $\sigma \leftarrow g_1^{1/(x+m)}$, where the exponent is calculated modulo $p$. In the unlikely event that $x + m \equiv 0 \pmod p$, $\mathrm{Sign}(m, SK)$ outputs $\sigma \leftarrow 1$.
– Verification: $\mathrm{Verify}(m, \sigma, PK) = \mathrm{true}$ if and only if $e(\sigma, g_2^{x} \cdot g_2^{m}) = \zeta$.

The Full Signature Scheme

– Key generation: KeyGen outputs random generators $g_1$ and $g_2$ of $G_1$ and $G_2$, respectively, and random integers $x, y \in \mathbb{Z}_p^*$. Let $\zeta \leftarrow e(g_1, g_2) \in G_T$. The public key is $PK = (g_1, g_2, g_2^{x}, g_2^{y}, \zeta)$, and the private key is $SK = (g_1, x, y)$.
– Signing: Given a message $m \in \mathbb{Z}_p$ and a private key $SK$, $\mathrm{Sign}(m, SK)$ randomly picks $r \in \mathbb{Z}_p$ such that $x + m + yr \not\equiv 0 \pmod p$, and calculates $\sigma \leftarrow g_1^{1/(x+m+yr)}$. The signature is $(\sigma, r)$.
– Verification: $\mathrm{Verify}(m, (\sigma, r), PK) = \mathrm{true}$ if and only if $e(\sigma, g_2^{x} \cdot g_2^{m} \cdot (g_2^{y})^{r}) = \zeta$.

The element $g_1$ can be omitted from the public key with no loss of functionality. None of our proofs use $g_1$, except for the proof of Theorem 4.3, and even this theorem can be modified to hold without $g_1$ (see remarks at the end of the proof of Theorem 4.3).

4 Security Analysis of the Boneh-Boyen Signature Scheme

We present our equivalence results in this section. We begin with a partial fraction decomposition which refines and generalizes a formula given in [19].

Proposition 4.1. Let $F$ be a field, and $x \in F$. Let $d, k \in \mathbb{Z}$ be such that $d \ge 1$, $k \ge 0$. Let $m_i$ for $i = 1, \dots, d$ be distinct elements of $F$ such that $x + m_i \ne 0$. Then,

$$
\frac{x^k}{\prod_{i=1}^{d}(x+m_i)} =
\begin{cases}
\displaystyle \sum_{i=1}^{d} \frac{(-m_i)^k}{(x+m_i)\prod_{j \ne i}(m_j - m_i)} & \text{for } 0 \le k < d, \\[2ex]
\displaystyle 1 + \sum_{i=1}^{d} \frac{(-m_i)^d}{(x+m_i)\prod_{j \ne i}(m_j - m_i)} & \text{for } k = d, \\[2ex]
\displaystyle x + \sum_{i=1}^{d} \left[ -m_i + \frac{(-m_i)^{d+1}}{(x+m_i)\prod_{j \ne i}(m_j - m_i)} \right] & \text{for } k = d+1.
\end{cases}
$$

Proof. By the principle of permanence of identity [1, p. 456], it suffices to prove that the equations hold when $F = \mathbb{C}$, since they then form an algebraic identity. Thus, we let

$$
f(x) = \frac{x^k}{(x+m_1)\cdots(x+m_d)},
$$

and treat $f(x)$ as a complex function in $x$. We can write $f(x)$ as a partial fraction of the form

$$
f(x) = a_k x + b_k + \frac{c_1}{x+m_1} + \frac{c_2}{x+m_2} + \cdots + \frac{c_d}{x+m_d}
$$

where

$$
a_k = \begin{cases} 1 & \text{if } k = d+1, \\ 0 & \text{otherwise,} \end{cases}
\qquad
b_k = \begin{cases} -\sum_{i=1}^{d} m_i & \text{if } k = d+1, \\ 1 & \text{if } k = d, \text{ and} \\ 0 & \text{otherwise,} \end{cases}
$$

and each $c_i$ is a constant. By symmetry, we only need to prove $c_1 = \dfrac{(-m_1)^k}{\prod_{j \ne 1}(m_j - m_1)}$.

Note that $f(x) - \dfrac{c_1}{x+m_1} = a_k x + b_k + \dfrac{c_2}{x+m_2} + \cdots + \dfrac{c_d}{x+m_d}$ has an analytic Taylor series expansion about $x = -m_1$. Thus $c_1$ is the residue of $f$ at the simple pole $x = -m_1$. If we write $f(x) = \dfrac{\varphi(x)}{x+m_1}$ where $\varphi(x) = \dfrac{x^k}{(x+m_2)\cdots(x+m_d)}$, then $\varphi(x)$ is analytic and nonzero at $x = -m_1$. A standard theorem in complex analysis (see [9, p. 234] or [2, p. 115]) gives

$$
c_1 = \varphi(-m_1) = \frac{(-m_1)^k}{\prod_{j \ne 1}(m_j - m_1)}
$$

as desired.

Corollary 4.2. Let $G$ be a cyclic group of order $p$, let $g \in G$ be a generator, and let $x \in \mathbb{Z}_p$. Let $m_i$ for $i = 1, \dots, d$ be distinct elements of $\mathbb{Z}_p$ such that $x + m_i \not\equiv 0 \pmod p$. Then,

$$
g^{\,x^k / \prod_{i=1}^{d}(x+m_i)} =
\begin{cases}
\displaystyle \prod_{i=1}^{d} g^{\frac{(-m_i)^k}{(x+m_i)\prod_{j \ne i}(m_j - m_i)}} & \text{for } 0 \le k \le d-1, \\[2ex]
\displaystyle g \cdot \prod_{i=1}^{d} g^{\frac{(-m_i)^d}{(x+m_i)\prod_{j \ne i}(m_j - m_i)}} & \text{for } k = d, \\[2ex]
\displaystyle g^{x} \cdot g^{-\sum_{i=1}^{d} m_i} \cdot \prod_{i=1}^{d} g^{\frac{(-m_i)^{d+1}}{(x+m_i)\prod_{j \ne i}(m_j - m_i)}} & \text{for } k = d+1.
\end{cases}
$$

Assume that all the values $m_i$ and $g^{1/(x+m_i)}$ are known. Furthermore, assume for $k = d$ and $k = d+1$ that $g$ is known, and for $k = d+1$ that $g^{x}$ is known. Then calculating $g^{x^k / \prod_{i=1}^{d}(x+m_i)}$ for a single value of $k$ takes $\Theta(dT + d^2 T_p)$ time, where $T$ is the maximum time needed for a single exponentiation in $G$, and $T_p$ is the maximum time needed for one operation in $\mathbb{Z}_p$. Calculating all of $g^{1/\prod_{i=1}^{d}(x+m_i)}, g^{x/\prod_{i=1}^{d}(x+m_i)}, \dots, g^{x^{d+1}/\prod_{i=1}^{d}(x+m_i)}$ takes $\Theta(d^2 T)$ time (the denominators $\prod_{j \ne i}(m_j - m_i)$ do not depend on $k$ and are computed once, so the $d^2 T_p$ term is paid only once across all $d+2$ values of $k$).

Proof. The proof of this Corollary is straightforward from Proposition 4.1.

4.1 Security of the Basic Signature Scheme

In this section, we analyze the security of the basic Boneh-Boyen signature scheme. We show that existential forgery of the basic scheme under a weak chosen message attack (indeed, under a known message attack) reduces to the q-SDH problem. This result is the converse of [6, Lemma 9], and it also illustrates the main idea behind the corresponding result for the full scheme (Theorem 4.4).

Theorem 4.3. If there is an algorithm that $(t', \varepsilon')$-breaks the q-SDH problem, then we can $(t, q_S, \varepsilon)$-weakly break the Boneh-Boyen basic signature scheme provided that

$$
t \ge t' + \Theta(q^2 T), \qquad q_S \ge q, \qquad \varepsilon \le \frac{p - 1 - q}{p - 1}\,\varepsilon',
$$

where $T$ is the maximum time needed for one exponentiation in $G_1$.

Page 16: Pairing-Based Cryptography - Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

8 D. Jao and K. Yoshida

Proof. Let $A$ be an algorithm that $(t', \varepsilon')$-breaks the q-SDH problem. We show that an adversary $B$ can perform existential forgeries of the basic signature scheme under a weak chosen message attack. In fact, it turns out that a list of valid message-signature pairs suffices. Accordingly, the adversary $B$ receives a public key $(g_1, g_2, g_2^x, \zeta)$ and a list of distinct messages $m_1, \ldots, m_{q_S}$ together with their valid signatures $(\sigma_1, \ldots, \sigma_{q_S}) = (g_1^{1/(x+m_1)}, \ldots, g_1^{1/(x+m_{q_S})})$, where $q_S \ge q$.

Let $h_k \leftarrow g_1^{x^k/((x+m_1)\cdots(x+m_q))}$ for each $k = 0, \ldots, q$. The adversary $B$ calculates $(h_0, h_1, \ldots, h_q)$ using Corollary 4.2, and runs the algorithm $A$ on the input $(h_0, h_1, \ldots, h_q, g_2, g_2^x)$. With probability $\varepsilon'$, $A$ returns $(m^*, g_1^{1/((x+m_1)\cdots(x+m_q)(x+m^*))})$ for some $m^* \in \mathbb{Z}_p$.

We claim that $m^*$ is not equal to any of the $m_i$ except with negligible probability. To show this, observe that $g_1$ is not disclosed to $A$ and that $g_1 = h_k^{(x+m_1)\cdots(x+m_q)/x^k}$ for all $k = 0, \ldots, q$. Thus, from the point of view of $A$, any combination of $m_1, \ldots, m_q$ is equally likely to give rise to a fixed input $(h_0, h_1, \ldots, h_q)$. That is, $A$ has no better than random chance of choosing an $m^*$ which coincides with one of $m_1, \ldots, m_q$. Therefore, $m^* \neq m_i$ for all $i = 1, \ldots, q$ with probability at least $\frac{p-1-q}{p-1}$. If $m^* = m_i$ for some $1 \le i \le q$, then $B$ aborts. Otherwise, by Proposition 4.1,

$$
\frac{1}{(x+m_1)\cdots(x+m_q)(x+m^*)} = \frac{1}{(x+m^*)\prod_{j=1}^{q}(m_j-m^*)} + \sum_{i=1}^{q}\frac{1}{(x+m_i)\prod_{j\neq i}(m_j-m_i)}.
$$

Using this equation, $B$ can calculate $\sigma^* = g_1^{1/(x+m^*)}$ as follows:

$$
\sigma^* \leftarrow \left[\, g_1^{1/((x+m_1)\cdots(x+m_q)(x+m^*))} \Big/ \prod_{i=1}^{q}(\sigma_i)^{\prod_{j\neq i}\frac{1}{m_j-m_i}} \right]^{\prod_{j=1}^{q}(m_j-m^*)} = g_1^{1/(x+m^*)}.
$$

In this way $B$ outputs $(m^*, \sigma^*)$ which is a forgery for the basic signature scheme. The bounds for $\varepsilon$ and $q_S$ are obvious from the above construction. The running time is bounded by the calculation of $g_1^{1/((x+m_1)\cdots(x+m_q))},\ g_1^{x/((x+m_1)\cdots(x+m_q))},\ \ldots,\ g_1^{x^q/((x+m_1)\cdots(x+m_q))}$, which takes $\Theta(q^2T)$ time by Corollary 4.2, and the query of $A$, which takes time $t'$.

The above proof requires knowledge of the element $g_1$. If $g_1$ is not part of the public key, Theorem 4.3 remains valid, provided that $q$ is replaced by $q+1$ in the inequalities. In this case $B$ uses $q+1$ signature queries, and calculates $h'_k \leftarrow g_1^{x^k/((x+m_1)\cdots(x+m_{q+1}))}$ for $k = 0, \ldots, q$, in place of $h_0, \ldots, h_q$.


Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem 9

4.2 Security of the Full Signature Scheme

We now show that strong existential forgery of the full Boneh-Boyen signature scheme under chosen message attack reduces to the q-SDH problem. This result is the converse of [6, Theorem 8].

Theorem 4.4. If there is an algorithm that $(t', \varepsilon')$-breaks the q-SDH problem, then we can $(t, q_S, \varepsilon)$-break the Boneh-Boyen full signature scheme provided that

$$
t \ge t' + \Theta(q_S^2T), \qquad q_S \ge q+1, \qquad \text{and} \qquad \varepsilon \le \frac{(p-2-q)\,\bigl(p-1-(q^2+q)/2\bigr)}{(p-1)^2}\,\varepsilon',
$$

where $T$ is the maximum time needed for one exponentiation in $G_1$.

Proof. Let $A$ be an algorithm that $(t', \varepsilon')$-breaks the q-SDH problem. Using $A$, we show that an adversary $B$ can perform existential forgeries for the full signature scheme under a chosen message attack.

First, $B$ receives the public key $(g_1, g_2, g_2^x, g_2^y, \zeta)$ from the challenger. Next, $B$ randomly selects a message $m^* \in \mathbb{Z}_p$, and queries the challenger for $q_S$ different signatures of $m^*$. Each time the challenger receives $m^*$, it sends back a valid signature $(\sigma_i, r_i) = (g_1^{1/(x+m^*+yr_i)}, r_i)$ to $B$, where $r_i$ is chosen at random so that $x + m^* + yr_i \not\equiv 0 \pmod p$. In this way, $B$ obtains $q_S$ valid (and hopefully distinct) signatures $(\sigma_1, r_1), \ldots, (\sigma_{q_S}, r_{q_S})$ of the message $m^*$. If $\{r_1, \ldots, r_{q_S}\}$ does not contain $q+1$ distinct elements of $\mathbb{Z}_p$, then $B$ aborts. Otherwise, let $h \leftarrow g_1^{1/y}$ and $z \leftarrow \frac{x+m^*}{y}$. Without loss of generality (reindexing if necessary), assume $r_1, r_2, \ldots, r_{q+1}$ are distinct. Then, for each $i = 1, \ldots, q+1$, we have

$$
\sigma_i = g_1^{\frac{1}{x+m^*+yr_i}} = \left(g_1^{\frac{1}{y}}\right)^{\frac{1}{\frac{x+m^*}{y}+r_i}} = h^{\frac{1}{z+r_i}}.
$$

Hence, for each $k = 1, \ldots, q$, the adversary $B$ can calculate

$$
h^{\frac{z^k}{(z+r_1)\cdots(z+r_{q+1})}} = \prod_{i=1}^{q+1}\sigma_i^{\frac{(-r_i)^k}{\prod_{j\neq i}(r_j-r_i)}}
$$

using Corollary 4.2, since $B$ knows each $\sigma_i$ and each $r_i$. Also note that if we let $g'_2 \leftarrow g_2^y$, then $g_2^x g_2^{m^*} = {g'_2}^{z}$. When $B$ runs the algorithm $A$ on the input

$(h^{1/((z+r_1)\cdots(z+r_{q+1}))},\ h^{z/((z+r_1)\cdots(z+r_{q+1}))},\ \ldots,\ h^{z^q/((z+r_1)\cdots(z+r_{q+1}))},\ g'_2,\ {g'_2}^{z})$, the algorithm $A$ returns $(r^*, h^{1/((z+r_1)\cdots(z+r_{q+1})(z+r^*))})$ for some $r^* \in \mathbb{Z}_p$ with probability $\varepsilon'$. If $r^* = r_i$ for some $1 \le i \le q+1$, then $B$ aborts, but this event occurs with only negligible probability, by the same argument as in Theorem 4.3. Otherwise, by Proposition 4.1,

$$
\frac{1}{(z+r_1)\cdots(z+r_{q+1})(z+r^*)} = \frac{1}{(z+r^*)\prod_{j=1}^{q+1}(r_j-r^*)} + \sum_{i=1}^{q+1}\frac{1}{(z+r_i)\prod_{j\neq i}(r_j-r_i)}
$$


and thus $B$ can calculate

$$
\sigma^* \leftarrow \left[\, h^{1/((z+r_1)\cdots(z+r_{q+1})(z+r^*))} \Big/ \prod_{i=1}^{q+1}(\sigma_i)^{\prod_{j\neq i}\frac{1}{r_j-r_i}} \right]^{\prod_{j=1}^{q+1}(r_j-r^*)} = h^{\frac{1}{z+r^*}} = g_1^{\frac{1}{x+m^*+yr^*}}.
$$

In this way $B$ outputs $(m^*, (\sigma^*, r^*))$ which, as indicated below, is with high probability an existential forgery for the full signature scheme.

The bound for $q_S$ is obvious from the above construction. The running time is determined by the time needed to calculate $h^{1/((z+r_1)\cdots(z+r_{q+1}))},\ h^{z/((z+r_1)\cdots(z+r_{q+1}))},\ \ldots,\ h^{z^q/((z+r_1)\cdots(z+r_{q+1}))}$, which is $\Theta(q^2T)$ by Corollary 4.2, and the query of $A$, which takes time $t'$.

The probability that $B$ succeeds is $P_1P_2\varepsilon'$ where $P_1$ is the probability that the sequence of random elements $\{r_1, \ldots, r_{q_S}\}$ chosen by the signing oracle comprises at least $q+1$ distinct elements, and $P_2$ is the probability that the $r^*$ returned by $A$ differs from the $q+1$ values $r_i$ used by $B$. We know that $P_2 \ge \frac{p-2-q}{p-1}$ using the argument from the proof of Theorem 4.3. Moreover, $P_1 \ge 1-Q$ where $Q$ is the probability that among the original $r_1, \ldots, r_{q+1}$ there exist $1 \le i < j \le q+1$ such that $r_i = r_j$. We have

$$
Q \le \sum_{j=2}^{q+1}\Pr\bigl(\exists\, i < j \text{ such that } r_i = r_j\bigr) \le \sum_{j=2}^{q+1}\frac{j-1}{p-1} = \frac{q(q+1)}{2(p-1)},
$$

so $P_1 \ge 1-Q \ge \frac{p-1-q(q+1)/2}{p-1}$, which yields the bound for $\varepsilon$.

5 Cheon’s Algorithms

In [10], Cheon presents an algorithm which in certain cases computes the secret exponent $x$ from the input of an instance of the q-SDH problem. Specifically, Cheon proves the following:

Theorem 5.1. Let $G$ be a cyclic group of prime order $p$ and let $g$ be a generator. Let $T$ denote the maximum time needed for one exponentiation in $G$.

1. Let $d$ divide $p-1$. Given the group elements $g$, $g^x$, and $g^{x^d}$, the value of $x$ can be recovered in time $O((\sqrt{p/d}+\sqrt{d})\,T)$.

2. Let $d$ divide $p+1$. Given the group elements $g, g^x, g^{x^2}, \ldots, g^{x^{2d}}$, the value of $x$ can be recovered in time $O((\sqrt{p/d}+d)\,T)$.

Note that, if $q \ge d$ in the first case or $q \ge 2d$ in the second, then the algorithm in the theorem can solve the q-SDH problem; in fact, such an algorithm will reveal the secret exponent $x$. We show in this section that the algorithm can be applied to find the secret exponent in the Bone-Boyen signature scheme over a bilinear group pair $(G_1, G_2)$.


Theorem 5.2. (Basic scheme) Let $T$ and $T_p$ denote the maximum time needed to perform one group exponentiation in $G_1$ and one modular multiplication mod $p$, respectively.

1. Let $d$ divide $p-1$. Given $d+1$ valid message-signature pairs, the private key $x$ in the basic Boneh-Boyen signature scheme can be computed in time $O((\sqrt{p/d}+d)\,T + d^2T_p)$.

2. Let $d$ divide $p+1$. Given $2d+1$ valid message-signature pairs, the private key $x$ in the basic Boneh-Boyen signature scheme can be computed in time $O((\sqrt{p/d}+d^2)\,T)$.

If $g_1$ is included in the public key, then $d$ and $2d$ message-signature pairs are sufficient for the above two parts respectively.

Theorem 5.3. (Full scheme) Let $T$ and $T_p$ be as in Theorem 5.2.

1. Let $d$ divide $p-1$. Then the private key pair $(x, y)$ of the full Boneh-Boyen signature scheme can be computed under a chosen message attack, using $2d+2$ signature queries, in time $O((\sqrt{p/d}+d)\,T + d^2T_p)$, with probability at least $\left(\frac{p-1-d(d+1)/2}{p-1}\right)^2$.

2. Let $d$ divide $p+1$. Then the private key pair $(x, y)$ of the full Boneh-Boyen signature scheme can be computed under a chosen message attack, using $4d+2$ signature queries, in time $O((\sqrt{p/d}+d^2)\,T)$, with probability at least $\left(\frac{p-1-d(2d+1)}{p-1}\right)^2$.

Proof. The proofs of these two theorems are similar. We will give the proof for Theorem 5.3.

(1) Let $d$ be a positive divisor of $p-1$. We will construct an algorithm $A$ which recovers the private key of the signature scheme under a chosen message attack, using Cheon's algorithm. Suppose $A$ is given the public key $(g_1, g_2, g_2^x, g_2^y, \zeta)$. The algorithm $A$ randomly selects a message $m_a \in \mathbb{Z}_p$, and queries for signatures of this same message $d+1$ times. As a result, $A$ obtains $d+1$ valid (and hopefully distinct) signatures $(\sigma_1, r_1), \ldots, (\sigma_{d+1}, r_{d+1})$, where $\sigma_i = g_1^{1/(x+m_a+yr_i)}$ for each $i = 1, \ldots, d+1$. Let $h \leftarrow g_1^{1/y}$ and $z_a \leftarrow \frac{x+m_a}{y}$. Then, we have

$$
\sigma_i = \left(g_1^{\frac{1}{y}}\right)^{\frac{1}{\frac{x+m_a}{y}+r_i}} = h^{\frac{1}{z_a+r_i}}
$$

for each $i = 1, \ldots, d+1$. If the set $\{r_1, \ldots, r_{d+1}\}$ does not consist of distinct elements, then $A$ aborts. Otherwise, assume $r_1, \ldots, r_{d+1}$ are distinct. Using Corollary 4.2, the algorithm $A$ calculates

$$
h^{\frac{1}{(z_a+r_1)\cdots(z_a+r_{d+1})}}, \qquad h^{\frac{z_a}{(z_a+r_1)\cdots(z_a+r_{d+1})}}, \qquad \text{and} \qquad h^{\frac{z_a^d}{(z_a+r_1)\cdots(z_a+r_{d+1})}}.
$$

Then, it runs Cheon's algorithm in $G_1$ with these inputs, and obtains $z_a = \frac{x+m_a}{y}$ as output.


Next, $A$ repeats the above process with a different random message $m_b$, and obtains $z_b = \frac{x+m_b}{y}$. Since $A$ knows $z_a, z_b, m_a$, and $m_b$, it can solve a linear system of equations to obtain the private exponents $x$ and $y$.

Since calculating $h^{1/((z+r_1)\cdots(z+r_{d+1}))}$, $h^{z/((z+r_1)\cdots(z+r_{d+1}))}$, and $h^{z^d/((z+r_1)\cdots(z+r_{d+1}))}$ for $z = z_a$ and $z_b$ takes time $\Theta(dT + d^2T_p)$ and Cheon's algorithm has a running time of $\Theta((\sqrt{p/d}+\sqrt{d})\,T)$, the overall runtime is $\Theta((\sqrt{p/d}+d)\,T + d^2T_p)$. The attack succeeds if the set $\{r_1, \ldots, r_{d+1}\}$ for $m_a$ consists of distinct elements (and likewise for $m_b$). Using an argument analogous to the one used in Theorem 4.4, we see that a lower bound for this probability is $\left(\frac{p-1-d(d+1)/2}{p-1}\right)^2$.

(2) We now suppose $d$ is a divisor of $p+1$. The proof here is similar, except that $A$ needs to calculate

$$
h^{\frac{1}{(z+r_1)\cdots(z+r_{2d+1})}}, \qquad h^{\frac{z}{(z+r_1)\cdots(z+r_{2d+1})}}, \qquad \ldots, \qquad h^{\frac{z^{2d}}{(z+r_1)\cdots(z+r_{2d+1})}}
$$

from the signatures $h^{1/(z+r_1)}, \ldots, h^{1/(z+r_{2d+1})}$, for each of $z = z_a$ and $z_b$. This takes $\Theta(d^2T)$ time, and Cheon's algorithm takes $\Theta((\sqrt{p/d}+d)\,T)$ time, for a total runtime of $\Theta((\sqrt{p/d}+d^2)\,T)$. The attack succeeds if the set $\{r_1, \ldots, r_{2d+1}\}$ for each of $z_a$ and $z_b$ consists of distinct elements, and the probability of this is at least $\left(\frac{p-1-d(2d+1)}{p-1}\right)^2$.

6 Runtime Analysis

In this section we calculate, both theoretically and experimentally, the complexity of recovering a Boneh-Boyen private key using the algorithms of Theorems 5.2 and 5.3, for various values of $d$. We also determine, both theoretically and experimentally, the optimal values of $d$ for a given $p$. To simplify the analysis, we only consider divisors $d$ of $p-1$. In what follows, we refer to this algorithm as the "SDH algorithm" and consider only the case of the basic scheme, where $d+1$ valid signatures are required (assuming that $g_1$ is not included in the public key). The running time and signature requirements for breaking the full scheme are almost exactly twice as large as for the basic scheme.

6.1 Experimental Analysis

Using a 2.4 GHz Core 2 Duo, we implemented the SDH algorithm on a collection of 14 different Barreto-Naehrig curves [3] ranging in size from 32 bits to 60 bits, and compared its running time to that of Pollard's lambda and Pollard's rho algorithms for discrete logarithms¹. We chose Barreto-Naehrig curves because they are highly suitable for pairing-based short signature schemes. For Cheon's algorithm, we chose the Pollard's lambda variant of Cheon's algorithm instead of the baby-step-giant-step variant or variants such as Kozaki et al. [16]; the use of the lambda variant saves memory and is also necessary in order to benefit from parallelization.

¹ All comparisons took place over the base field, i.e., the group $G_1$ in the pairing $e : G_1 \times G_2 \to G_T$. Such a comparison is valid even though the public key in the Boneh-Boyen scheme lies in $G_2$, because given a single valid message-signature pair one can recover the secret key of the basic scheme using a discrete log in $G_1$.

Implementing the SDH algorithm is straightforward. We wrote a small program based on the PBC library [17] to compute the products listed in Corollary 4.2. Our program is multithreaded and makes use of multiple processor cores, with parallelization being achieved by dividing the main product into subproducts and computing each subproduct separately. For Cheon's algorithm, we used the existing sdhkangaroo program [20], which is also based on PBC. The original sdhkangaroo program maintains a list of distinguished points, defined as those for which the MD5 hash of the point ends in a sufficiently long string of zeros. To improve performance, we modified this program to change the distinguished points to those for which the x-coordinate itself ends in a long string of zeros. For comparison purposes, we also conducted trials of Pollard's lambda and Pollard's rho algorithms for discrete logarithms. Our implementation of Pollard's lambda algorithm was obtained by modifying the sdhkangaroo program, and for Pollard's rho algorithm we used the optimized implementation included in the MAGMA Computer Algebra System [18], based on Teske's work [21]. All programs, except for the MAGMA implementation of Pollard's rho algorithm, supported multithreading and made use of both processor cores.

For each curve, we performed a number of trials of the SDH algorithm (at least 50 for each curve), from which we determined empirically the optimal value of the divisor $d$ to use in Cheon's algorithm. In general, this optimal value does not correspond to an actual divisor of $p-1$, but using nearby divisors we were able to estimate the hypothetical performance of the SDH algorithm at the optimal choice of $d$. (Note that, even when the optimal value of $d$ does not divide $p-1$, near-optimal divisors almost always exist, cf. Section 6.3.) Figure 1 compares the measured performance of Pollard's lambda and Pollard's rho algorithms against the empirically determined optimal runtime of the SDH algorithm for each curve. Based on the best fit curves, we estimate that the SDH algorithm with the optimal $d$ outperforms Pollard's lambda (resp., Pollard's rho) algorithm for curve sizes greater than 32.5 bits (resp., 50.8 bits).

6.2 Theoretical Analysis

We now calculate the theoretical cost of computing Boneh-Boyen private keys using the SDH algorithm. The most optimized version of Pollard's lambda algorithm requires $\approx 3.3\sqrt{p}$ random walk steps [11]; our implementation, however, averaged $7.9\sqrt{p}$ steps. Each step represents an elliptic curve scalar multiplication, and hence requires $1.5\log p$ elliptic curve operations if naive methods are used. Over a prime field, each elliptic curve operation takes roughly 15 field multiplications [11]. Hence, our running time for Cheon's algorithm is roughly $7.9(\sqrt{d}+\sqrt{p/d})(1.5\log p)\cdot 15\,T_p$ where $T_p$ represents the cost of a field multiplication. In addition, we also need to compute a triplet of the form $g$, $g^x$, and $g^{x^d}$. This requires three applications of Corollary 4.2, at a cost of $\approx 3d^2T_p$; however, since almost all of the multiplications in each computation are identical, the true cost is only $\approx d^2T_p$. (Note also that this step parallelizes linearly, since one can compute subproducts of the outer product on different processors.) Thus the total cost $t$ of the SDH algorithm is

$$
t = \bigl(7.9(\sqrt{d}+\sqrt{p/d})(1.5\log p)\cdot 15 + d^2\bigr)\,T_p. \qquad (1)
$$

[Fig. 1: two log-log plots, x-axis "size (bits)" from 35 to 60, y-axis "time (sec)" from 10 to 10^4; left panel "Pollard's λ" vs. "SDH algorithm", right panel "Pollard's ρ" vs. "SDH algorithm".]

Fig. 1. Log-log plots comparing the optimal running time of the SDH algorithm to Pollard's lambda (left) and Pollard's rho (right) algorithms for discrete log, for Barreto-Naehrig curves of various bit sizes

curve size (bits) | optimal d (predicted) | optimal d (observed)
------------------|-----------------------|---------------------
32.95             | 1527                  | 1173
34.68             | 1985                  | 1545
37.20             | 2900                  | 2351
40.03             | 4428                  | 3773
42.05             | 5977                  | 5676
43.98             | 7956                  | 7599
46.24             | 11112                 | 10722
47.34             | 13066                 | 14508
49.81             | 18781                 | 19873
51.82             | 25202                 | 26564
54.23             | 35828                 | 43795
56.04             | 46668                 | 56469
57.95             | 61669                 | 71572
59.97             | 82715                 | 98733

Fig. 2. Table comparing the optimal values of d predicted in Section 6.2 vs. those observed in Section 6.1

This cost is minimized by taking $d = \Theta(p^{1/5}(\log p)^{2/5})$, yielding a corresponding overall running time of $\Theta(p^{2/5}(\log p)^{4/5}\,T_p)$ for the SDH algorithm. In Figure 2 we compare the optimal values of $d$ predicted by Equation (1) to those observed in Section 6.1. We remark that the asymptotic running time of $\Theta(p^{2/5}(\log p)^{4/5}\,T_p)$ for optimal $d$ is independent of the precise assumptions used in deriving Equation (1).

6.3 Existence of Suitable Divisors

Other than increasing the key length, the most obvious defense against the above attack is to use a curve of order $p$ for which $p-1$ and $p+1$ admit no divisors of suitable size. We can estimate the prevalence of such curves using Equation (1). Examining the graph of this equation reveals that the curve is fairly flat for a wide range of values surrounding the optimal value of $d$. Hence, most sufficiently large pairing-friendly curves admit a divisor $d$ of $p-1$ for which the SDH algorithm runs in nearly optimal time. As an experiment, we enumerated for each of $2^{80}, 2^{90}, \ldots, 2^{160}$ the 100 smallest Barreto-Naehrig curves having at least that many points. Out of these 900 curves, all curves except one (the curve with 1461501641662054988059088728056207736278975404329 points) admit a divisor for which the runtime predicted by Equation (1) is within a factor of 4 of the optimal time. These results indicate that pairing-friendly curves are unlikely to resist the SDH algorithm unless specifically chosen with this property in mind.
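A parameter audit in the spirit of Section 6.3, as an added example rather than the authors' program: it evaluates Equation (1) at every divisor of $p-1$ and reports how far the best divisor is from the unconstrained optimum, which is the factor-of-4 criterion used above. It assumes that $\log p$ in Equation (1) is the natural logarithm (this reproduces the predicted $d$ values of Fig. 2) and factors $p-1$ by trial division, so only moderate $p$ is practical.

```python
import math


def sdh_cost(p, d):
    """Equation (1): predicted cost, in field multiplications T_p, of the SDH algorithm
    against a group of prime order p using the divisor d of p - 1. The paper's 'log p' is
    taken as the natural logarithm here (an assumption; it reproduces the Fig. 2 predictions)."""
    return 7.9 * (math.sqrt(d) + math.sqrt(p / d)) * (1.5 * math.log(p)) * 15 + float(d) * d


def optimal_d(p):
    """Integer d minimising sdh_cost(p, d), ignoring whether it divides p - 1.
    The cost is unimodal in d, so an integer ternary search suffices."""
    lo, hi = 1, p - 1
    while hi - lo > 2:
        m1 = lo + (hi - lo) // 3
        m2 = hi - (hi - lo) // 3
        if sdh_cost(p, m1) < sdh_cost(p, m2):
            hi = m2
        else:
            lo = m1
    return min(range(lo, hi + 1), key=lambda d: sdh_cost(p, d))


def divisors(n):
    """All positive divisors of n by trial division (practical for n up to about 2**50)."""
    small, large = [], []
    i = 1
    while i * i <= n:
        if n % i == 0:
            small.append(i)
            if i * i != n:
                large.append(n // i)
        i += 1
    return small + large[::-1]


def divisor_audit(p):
    """Section 6.3 check for a candidate group order p: the divisor of p - 1 with the lowest
    predicted cost, and the ratio of that cost to the cost at the unconstrained optimum.
    A ratio under 4 is the paper's criterion for 'does not resist the SDH algorithm'."""
    d_opt = optimal_d(p)
    d_best = min(divisors(p - 1), key=lambda d: sdh_cost(p, d))
    return d_best, sdh_cost(p, d_best) / sdh_cost(p, d_opt)


if __name__ == "__main__":
    # Constructed orders: a Mersenne prime with smooth p - 1, and the safe prime 2*1019 + 1.
    for order in (2**31 - 1, 2039):
        d_best, ratio = divisor_audit(order)
        print(f"p={order}: optimal d={optimal_d(order)}, best divisor={d_best}, ratio={ratio:.2f}")
```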


7 Conclusion

In this paper, we show that the existential forgery of signatures for both the basic and full versions of the Boneh-Boyen signature scheme can be reduced to the q-SDH problem via an algorithm which is quadratic in $q$. This result establishes the equivalence of the q-SDH assumption and the security of Boneh-Boyen signatures, thus resolving an open problem posed in [7,15]. Together with Cheon's solution to q-SDH, the reduction algorithm allows us to recover Boneh-Boyen private keys in time $O(p^{2/5+\varepsilon})$ for groups of order $p$ whenever $p \pm 1$ satisfies certain divisibility properties.

It would be worthwhile to design a new short signature scheme whose security can be proved in the standard model under a weaker assumption than q-SDH. Our proofs of equivalence rely on the fact that the denominator in the exponent of $g_1^{1/(x+m+yr)}$ is linear in both $m$ and $r$. One natural starting point would be to look for signature schemes with nonlinear denominators. One example of such a signature scheme is given in [22], and another example is the scheme $\sigma \leftarrow (g_1^{1/(x+mr+yr^2)}, r)$. We emphasize that we have not checked the security proofs for any of these modified schemes, nor have we made any systematic effort to examine the security assumptions underlying them.

References

1. Artin, M.: Algebra. Prentice Hall, United States (1991)
2. Bak, J., Newman, D.J.: Complex Analysis, 2nd edn. Springer, Heidelberg (1996)
3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
4. Boneh, D., Boyen, X.: Efficient selective-ID identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
5. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
6. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. Journal of Cryptology 21(2), 149–177 (2008)
7. Boyen, X.: The uber-assumption family – a unified complexity framework for bilinear groups. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008), http://www.cs.stanford.edu/~xb/pairing08/
8. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)
9. Brown, J.W., Churchill, R.V.: Complex Variables and Applications, 7th edn. McGraw-Hill, New York (2004)
10. Cheon, J.H.: Security analysis of the Strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006)


11. Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., Vercauteren, F. (eds.): Handbook of elliptic and hyperelliptic curve cryptography. Discrete Mathematics and its Applications. Chapman & Hall/CRC, Boca Raton (2006)
12. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005)
13. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Applied Mathematics 156(16), 3113–3121 (2008)
14. Koblitz, N., Menezes, A.: Another look at generic groups. Advances in Mathematics of Communications 1(1), 13–28 (2007)
15. Koblitz, N., Menezes, A.: Another look at non-standard discrete log and Diffie-Hellman problems. Journal of Mathematical Cryptology 2(4), 311–326 (2008)
16. Kozaki, S., Kutsuma, T., Matsuo, K.: Remarks on Cheon's algorithms for pairing-related problems. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 302–316. Springer, Heidelberg (2007)
17. Lynn, B.: The Pairing-Based Cryptography Library, version 0.4.18 (2008), http://crypto.stanford.edu/pbc/
18. MAGMA Computational Algebra System, http://magma.maths.usyd.edu.au/magma/
19. Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundamentals E85-A(2), 481–484 (2002)
20. Reardon, J.: Sdhkangaroo: A kangaroo attack against the strong Diffie Hellman problem (2007), http://www.cs.uwaterloo.ca/~jreardon/programs.html
21. Teske, E.: On random walks for Pollard's rho method. Math. Comp. 70(234), 809–825 (2001)
22. Wei, V.K., Yuen, T.H.: More short signatures without random oracles. Cryptology ePrint Archive, Report 2005/463 (2005), http://eprint.iacr.org/2005/463


Security of Verifiably Encrypted Signatures and a Construction without Random Oracles

Markus Rückert* and Dominique Schröder**

TU Darmstadt, [email protected], [email protected]

Abstract. In a verifiably encrypted signature scheme, signers encrypt their signature under the public key of a trusted third party and prove that they did so correctly. The security properties, due to Boneh et al. (Eurocrypt 2003), are unforgeability and opacity.

This paper proposes two novel fundamental requirements for verifiably encrypted signatures, called extractability and abuse-freeness, and analyzes their effects on the established security model. Extractability ensures that the trusted third party is always able to extract a valid signature from a valid verifiably encrypted signature, and abuse-freeness guarantees that a malicious signer, who cooperates with the trusted party, is not able to forge a verifiably encrypted signature. We further show that both properties are not covered by the model of Boneh et al. The second main contribution of this paper is a verifiably encrypted signature scheme, provably secure without random oracles, that is more efficient and greatly improves the public key size of the only other construction in the standard model by Lu et al. (Eurocrypt 2006). Moreover, we present strengthened definitions for unforgeability and opacity in the spirit of strong unforgeability of digital signature schemes.

1 Introduction

The concept of verifiably encrypted signature (VES) schemes was proposed by Boneh, Gentry, Lynn, and Shacham [5]. There, a signer encrypts its signature under the public key of a trusted third party, called the adjudicator, and then attaches a proof about its content. The purpose of this proof is that verification will then confirm that the signer has truly signed a certain object. The necessity for such verification can be exemplified by a popular application, namely online contract signing, which is a type of optimistic fair exchange protocol [1,4,8].

Suppose Alice and Bob wish to sign the same contract. Both want to be sure that the other party will also produce a signature before revealing their own. Following the protocol, Alice and Bob exchange verifiably encrypted signatures. After they ascertained the correctness of the encrypted signature, they reveal the corresponding ordinary signature. If, for example, Alice is not willing to disclose her signature, then Bob can take her verifiably encrypted signature together with the transcript to the adjudicator, who uncovers Alice's ordinary signature. This fail-safe mechanism prevents Alice from misusing this one-sided commitment to a contract for purposes such as legal actions, blackmail, or simply negotiating a better deal elsewhere.

* This work was supported by CASED (www.cased.de).

** Dominique Schröder was supported by the Emmy Noether Program Fi 940/2-1 of the German Research Foundation (DFG).

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 17–34, 2009. © Springer-Verlag Berlin Heidelberg 2009

The security of verifiably encrypted signatures is defined via unforgeability and opacity [5]. Roughly speaking, unforgeability ensures that a malicious user cannot produce signatures on behalf of another party. Opacity guarantees that only the adjudicator and the signer can disclose an ordinary signature from a verifiably encrypted signature.

Boneh et al. illustrated their concept with a first construction (BGLS), provably secure in the random oracle model [5]. Later, Zhang et al. presented a more efficient solution (ZSNS) [16], also in the random oracle model. As the uninstantiability result of Canetti, Goldreich, and Halevi [7] disputes the soundness of the random oracle methodology, it has inspired many researchers to find secure and efficient schemes outside the random oracle model. To the best of our knowledge, Lu et al. [13] presented the first verifiably encrypted signature scheme (LOSSW), which is secure in the standard model, at Eurocrypt 2006. Their scheme is based on the Waters signature scheme [15] and its major drawback is that they need a large public key (approximately 160 group elements).

Our Contribution. Surprisingly, the original security model for verifiably encrypted signature schemes does not guarantee that the adjudicator is always able to extract a valid signature from a valid verifiably encrypted signature. Consider again a protocol based on VES for optimistic fair exchange. We show that every VES can easily be turned into a scheme which remains secure, but where a malicious signer can output a verifiably encrypted signature such that the ordinary signature is hidden irrecoverably. This implies that a VES that does not support extractability is not suitable for such protocols. Thus, as our first result, we extend the model of [5] to ensure extractability. Subsequently, we study the effect of extractability on Boneh et al.'s security model. Though no explicit proof of extractability exists for previous constructions, they already support the property due to a close similarity of the signature verification algorithm and the verification algorithm for encrypted signatures. Extractability of the BGLS and of the LOSSW scheme can be proven analogously to the proof of Theorem 6.

Furthermore, we propose a definition of abuse-freeness in the VES context. Basically, an abuse-free VES guarantees that an adversary who colludes with the adjudicator is not able to derive a verifiably encrypted signature on behalf of another signer. We show that for a "natural" class of VES schemes, abuse-freeness is already implied. Since the instantiations of [5] and [13] fall into this class, our results give more confidence about the security of their schemes.

As a round-up of the model discussion, we introduce strengthened definitions for unforgeability and opacity, namely strong unforgeability and strong opacity, which is closely related to the need for strong unforgeability in digital signature schemes. It prevents eavesdroppers from replaying the fair exchange protocol with re-randomized verifiably encrypted signatures.


Note that neither BGLS nor LOSSW satisfy these stronger notions, as onecan re-randomize the encrypted signature. We show how a slight modificationof our construction in Section 6 yields a scheme that is provably secure in thestronger model.

As our second result, we present a new verifiably encrypted signature schemebased on the Boneh-Boyen signature [3]. This scheme greatly improves the keysize and efficiency of LOSSW, while achieving the same signature size. Table 1compares our work with previous schemes. Note that the construction in Section6 involves a public key size of four group elements (in comparison to the LOSSWinstantiation, our scheme reduces the key size by a factor of 40), and only needstwo pairing computations for the verification (rather than three in LOSSW).

Another extension to the security model is to give the adversary access to theadjudication oracle for different users as proposed by Hess [12]. Here, however,we follow the model of Boneh et al. concerning only the two user setting.

Organization. We start out by introducing our notation and some basic defi-nitions in Section 2. In Section 3, we recall the model for verifiably encryptedsignatures, along with the corresponding security definitions. Subsequently, inSection 4 and Section 5, we introduce extractability and abuse-freeness therebyextending the model due to Boneh et al., and we argue why these notions arenecessary. The stronger security model, with strong unforgeability and strongopacity is described in Appendix C. Our verifiably encrypted signature schemeis presented in Section 6, along with the security proofs. We show in the fullversion of this paper that a modified version of the construction satisfies thestronger model [14].

Table 1. Comparison between the different verifiably encrypted signature schemes. The column "ROM" states whether security is proven in the random oracle model. The column "Strongly secure" states whether the scheme is secure in our stronger model. Let ham(m) be the Hamming weight of a bit string m, I an inversion, M a multiplication, and E an exponentiation. Let P be the cost of a pairing evaluation. Since pairings dominate the computational costs, other operations were omitted in the "Vf" column. We instantiate the schemes using Barreto-Naehrig curves [6] with a 160-bit point representation. (∗) This value is taken from [13]; LOSSW public keys consist of approximately 160 group elements.

  Scheme             ROM  Strongly  Key size (sk/pk)       Signature  VES creation          Vf
                          secure                           size
  BGLS               Yes  No        160 / 160 bits         320 bits   2E + 1M               3P
  LOSSW              No   No        160 bits / 10 KB (∗)   480 bits   4E + (ham(m) + 3) M   3P
  Section 6          No   No        320 / 640 bits         480 bits   1I + 3E + 1M          2P
  Full version [14]  No   Yes       640 / 960 bits         800 bits   2I + 4E + 1M          3P


20 M. Rückert and D. Schröder

2 Notation and Basic Definitions

Bilinear Maps. Let $(G_1, *)$, $(G_2, *)$, and $(G_T, *)$ denote three groups of prime order $p$ with the following properties: all group operations can be computed efficiently; $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$; $\psi$ is a group homomorphism from $G_2$ to $G_1$ with $\psi(g_2) = g_1$; $e : G_1 \times G_2 \to G_T$ is an efficiently computable map. $e$ is bilinear and non-degenerate, i.e. $\forall u \in G_1\ \forall v \in G_2\ \forall a, b \in \mathbb{Z}:\ e(u^a, v^b) = e(u, v)^{ab}$, and $z = e(g_1, g_2) \neq 1$ generates $G_T$.

We assume that $G_1, G_2, G_T, p, g_1, g_2, e$, and $z$ are fixed and public parameters. By $a_1 \| \dots \| a_\ell$ we denote the encoding of $a_1, \dots, a_\ell$ such that $a_1, \dots, a_\ell$ are uniquely recoverable. With $x \xleftarrow{\$} X$ we denote choosing $x$ uniformly at random from the finite set $X$. $\{x_i\}_1^q$ is the set of $x_1, \dots, x_q$. Furthermore, $n$ always denotes the security parameter.

Secure Signature Schemes. Security of signature schemes DSig = (Kg, Sign, Vf) is proven against existential forgery under chosen message attacks (EU-CMA) [10]. In this model, an adversary adaptively invokes a signing oracle and is successful if it outputs a valid signature on a new message. A stronger notion is strong unforgeability under chosen message attacks (SU-CMA), where it is sufficient for the adversary to output a new message-signature pair (the message itself may have been queried before).

Boneh-Boyen Signature Scheme. We recall the strongly unforgeable Boneh-Boyen (BB) signature scheme. Key Generation: $Kg(1^n)$ selects $x, y \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $u \leftarrow g_2^x$ and $v \leftarrow g_2^y$. The public key is $spk \leftarrow (u, v)$ and the private key is $ssk \leftarrow (x, y)$; Signing: $Sign(ssk, m)$ takes as input the secret key $(x, y)$ as well as a message $m \in \mathbb{Z}_p$. It picks $r \xleftarrow{\$} \mathbb{Z}_p \setminus \{-(x+m)/y\}$ and computes $\sigma \leftarrow g_1^{1/(x + m + y r)}$, where $1/(x + m + y r)$ is computed modulo $p$. The output is $(r, \sigma)$; Signature Verification: $Vf(spk, (r, \sigma), m)$ returns 1 iff $e(\sigma, u\, g_2^m v^r) = z$, and otherwise returns 0.

3 Verifiably Encrypted Signatures

According to [5], verifiably encrypted signature schemes are defined as VES = (Kg, AdjKg, Sign, Vf, Create, VesVf, Adj) with the following specification and security model:

Key Generation: Kg(1^n) outputs a private signing key sk and a public verification key pk; Signing: Sign(sk, m) outputs a signature σ under sk on a message m chosen from the message space M; Verification: Vf(pk, σ, m) outputs 1 iff σ is a valid signature on m under pk; Adjudicator Key Generation: AdjKg(1^n) outputs a key pair (ask, apk), where ask is the private key and apk the corresponding public key of the adjudicator; VES Creation: Create(sk, apk, m) receives a secret key sk, the adjudicator's public key apk, and a message m ∈ M. It returns a verifiably encrypted signature ω on m; VES Verification: VesVf(apk, pk, ω, m) gets the adjudicator's public key apk, a public key pk, a verifiably encrypted signature ω, and a message m. It returns a bit indicating the validity of ω; Adjudication: Adj(ask, apk, pk, ω, m) accepts as input the key pair (ask, apk) of the adjudicator, the public key pk of a signer, a verifiably encrypted signature ω, and a message m. If ω is valid, it extracts an ordinary signature¹ σ on m and returns σ.

A scheme VES is complete² if for all adjudication key pairs (ask, apk) ← AdjKg(1^n) and for all signature key pairs (sk, pk) ← Kg(1^n) the following holds: VesVf(apk, pk, Create(sk, apk, m), m) = 1 and Vf(pk, Adj(ask, apk, pk, Create(sk, apk, m), m), m) = 1 for all m ∈ M.

Security Model. The security of verifiably encrypted signatures is defined by unforgeability and opacity [5]. Unforgeability requires that it is hard to forge a verifiably encrypted signature, and opacity requires that it is hard to extract ordinary signatures from verifiably encrypted ones.

Both intuitions are formalized in experiments where the adversary A is given the public keys of the signer and of the adjudicator. Moreover, A has access to two oracles: a verifiably-encrypted-signature creation oracle C that, upon input of a message m, returns a corresponding verifiably encrypted signature ω; and an adjudication oracle A that extracts and returns a signature σ when queried with a message/verifiably encrypted signature pair (m, ω).

Definition 1. A scheme VES is secure if the following holds:

Unforgeability: For any efficient algorithm $A$, the probability that the following experiment evaluates to 1 is negligible (as a function of $n$).

Experiment $\mathsf{VesForge}^{VES}_{A}(n)$
  $(ask, apk) \leftarrow AdjKg(1^n)$
  $(sk, pk) \leftarrow Kg(1^n)$
  $(m^*, \omega^*) \leftarrow A^{C(sk, apk, \cdot),\, \mathsf{A}(ask, apk, pk, \cdot, \cdot)}(pk, apk)$
  Return 1 iff $VesVf(apk, pk, \omega^*, m^*) = 1$ and $A$ has never queried $C(sk, apk, \cdot)$ or $\mathsf{A}(ask, apk, pk, \cdot, \cdot)$ about $m^*$.

Opacity: For any efficient algorithm $A$, the probability that the following experiment evaluates to 1 is negligible (as a function of $n$).

Experiment $\mathsf{Opac}^{VES}_{A}(n)$
  $(ask, apk) \leftarrow AdjKg(1^n)$
  $(sk, pk) \leftarrow Kg(1^n)$
  $(m^*, \sigma^*) \leftarrow A^{C(sk, apk, \cdot),\, \mathsf{A}(ask, apk, pk, \cdot, \cdot)}(pk, apk)$
  Return 1 iff $Vf(pk, \sigma^*, m^*) = 1$ and $A$ has never queried $\mathsf{A}(ask, apk, pk, \cdot, \cdot)$ about $m^*$.

A scheme is called $(t, q_C, q_A, \varepsilon)$-unforgeable (-opaque) if no adversary, running in time at most $t$, making at most $q_C$ queries to the verifiably-encrypted-signature creation oracle $C$ and at most $q_A$ queries to the adjudication oracle $\mathsf{A}$, can succeed with probability at least $\varepsilon$ in the VesForge (respectively Opac) experiment.

¹ Not necessarily the same signature, cf. [13].
² Note that in [5] this condition is called validity.

Page 30: Pairing-Based Cryptography - Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

22 M. Ruckert and D. Schroder

Simplification. As a first modification of this security model, we state and prove that it is possible to remove a redundant restriction from the definition of unforgeability. One might think that an adversary can succeed by modifying some "ciphertext" ω such that the adjudicator extracts a fresh signature that can be encrypted once again to obtain a fresh ω∗. We prove that the constraint that the adversary is not allowed to output a forgery for a message m∗ already queried to A, without having queried m∗ to C before, is unnecessary. In other words, the adjudication oracle A does not help to forge verifiably encrypted signatures.

Let VesForge′ be the unforgeability experiment in which an adversary is allowed to query everything to A, even its final output m∗. The idea is that a forger which is able to invoke the oracle A with a fresh tuple (m, ω), i.e. without having queried m to C beforehand, can already be used to break unforgeability.

Theorem 1. VES is unforgeable w.r.t. VesForge′ if and only if it is unforgeable w.r.t. VesForge.

Proof. The first step is to prove that an adversary which breaks unforgeability in VesForge can be used to break unforgeability in VesForge′. Since this direction follows easily, we omit it. In the second part of the proof, consider an adversary A that succeeds in the unforgeability experiment VesForge′ with noticeable probability ε(n). We then construct an algorithm B against unforgeability in VesForge, which runs A as a black box. Algorithm B answers all oracle queries with its own oracles, i.e., it relays the entire communication between A and the oracles. Whenever A invokes the adjudication oracle A on a "fresh" and valid pair (m∗, ω∗) (i.e., the adversary has not queried m∗ to C before), then B stops, outputting this pair as its forgery. Otherwise, if A never performs such queries, B forwards the final output of A.

For the analysis, observe that A may query the adjudication oracle on a "fresh" and valid pair (m∗, ω∗). On the one hand, the adversary A would still succeed in experiment VesForge′, outputting a verifiably encrypted signature ω∗ on m∗, but on the other hand, A cannot succeed in VesForge, as VesForge does not allow A to query the adjudication oracle about its final output. But if A is in a position to perform a query consisting of a "fresh" and valid pair (m∗, ω∗), then B directly outputs this tuple as its successful forgery. This tuple is a valid forgery, because B never actually queried A about (m∗, ω∗). Additionally, note that B is efficient, as A runs in polynomial time and B can handle all queries efficiently.

The following two sections justify the need for two additional security requirements, namely extractability and abuse-freeness.

4 The Need for Extractability

In the following, we formalize what should be a fundamental requirement for verifiably encrypted signatures, namely extractability. This property entails that if a verifiably encrypted signature ω is valid, then the adjudicator is able to extract a valid signature σ with overwhelming probability.

Page 31: Pairing-Based Cryptography - Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

Security of Verifiably Encrypted Signatures 23

Definition 2 (Extractability). A verifiably encrypted signature scheme VES is extractable if for any efficient algorithm $A$, the probability that the following experiment evaluates to 1 is negligible (as a function of $n$).

Experiment $\mathsf{Extract}^{VES}_{A}(n)$
  $(ask, apk) \leftarrow AdjKg(1^n)$
  $(m^*, \omega^*, pk^*) \leftarrow A^{\mathsf{A}(ask, apk, \cdot, \cdot, \cdot)}(apk)$
  Let $\sigma^* \leftarrow Adj(ask, apk, pk^*, \omega^*, m^*)$
  Return 1 iff $VesVf(apk, pk^*, \omega^*, m^*) = 1$ and $Vf(pk^*, \sigma^*, m^*) = 0$.

Observe that, in this case, the adjudication oracle A is parameterized only with the adjudicator key pair (ask, apk); the adversary supplies tuples (pk∗, ω∗, m∗) consisting of a public key pk∗, a verifiably encrypted signature ω∗, and a message m∗. Thus, extractability as defined above must hold for all pairs (m∗, ω∗), even for those not properly generated (i.e. ω∗ was not created for m∗), and even in case pk∗ is not chosen honestly. Note that pk∗ serves as A's public key and that A may not know a corresponding secret key sk∗.

If we do not allow the adversary to choose its public key dishonestly, we may still consider a model similar to the one above, and we call the corresponding property weak-extractability. Note that a scheme that satisfies weak-extractability can always be turned into an extractable scheme by having the signer prove the correct form of its public key to the (universally trusted) adjudicator. This could be done, for example, by letting the signer hand its private key over to the trusted third party, by using rewinding techniques, or by using NIZKs such as in [11]. The adjudicator may then sign the public key or otherwise vouch for its validity. We motivate the need for extractability by showing that every verifiably encrypted signature scheme that is secure in the model of [5] can easily be turned into one that is still secure but not extractable.

Theorem 2. If there exists a secure scheme VES in the sense of [5], then there exists a scheme VES′ which is secure but not extractable.

The basic idea is that the verifiably encrypted signature may consist of two independent parts. The first part is used in the VesVf verification process and the second part is an encryption of the signature. As the parts are independent, a malicious signer can easily set the second part to an all-zero string while computing the first part honestly.

Proof. We assume that the bit length of a verifiably encrypted signature is out(n). VES′ is defined as follows: Key Generation, Signing, Verification: Same as in VES; VES Creation: Given a message m ∈ M, a signing key sk, and the public key of the adjudicator apk, Create′ computes ω′ ← Create(sk, apk, m) and outputs (ω1‖ω2) ← (ω′‖ω′) ∈ {0, 1}^{2out(n)}; VES Verification: Given a verifiably encrypted signature ω1‖ω2 on m, algorithm VesVf′ outputs 1 iff VesVf(apk, pk, ω1, m) evaluates to 1, and 0 otherwise; Adjudication: Adj′(ask, apk, pk, ω1‖ω2, m) outputs σ ← Adj(ask, apk, pk, ω2, m).

Obviously, if VES is complete, unforgeable, and opaque, so is VES′. However, the following adversary A contradicts extractability, and even weak-extractability.

Page 32: Pairing-Based Cryptography - Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

24 M. Ruckert and D. Schroder

Setup: A receives the adjudicator's public key apk and honestly generates (sk, pk) ← Kg(1^n).

VES Creation: To attack a message m, A calls (ω1‖ω2) ← Create′(sk, apk, m) and outputs (m∗, ω∗, pk∗) ← (m, ω1‖0^{out(n)}, pk).

Since ω1 remains unchanged, VesVf′ always returns 1. The algorithm Adj′, however, cannot extract a valid (ordinary) signature out of the second part because it is 0^{out(n)}. Thus, A breaks extractability with probability 1. Observe that the adjudicator Adj′ does not fail because 0^{out(n)} is "some" special string, but simply because 0^{out(n)} ≠ ω1, i.e., the second part is not the genuine encrypted signature.

Relation to the Security Model. In the following, we show a helpful implication that facilitates security proofs in our extended model, which entails unforgeability, opacity, and extractability. We mainly rely on the verifiably encrypted signature schemes having a common property, which we call key-independence. This property states that computing the encrypted signature can be performed, independently, by the following two algorithms: one that computes the signature σ as in DSig, and a second algorithm that computes ω, the verifiable encryption of σ. In other words, one can use an oracle Sign(ssk, ·) and transform its output into a verifiably encrypted signature independently of ssk.

Definition 3 (Key-Independence). Let a signer's private key sk consist of two independent elements sk = (kisk, ssk) and let pk = (kipk, spk) be the corresponding public key. VES is key-independent if there exists an efficient (encryption) algorithm KI-Enc such that KI-Enc(apk, kipk, kisk, Sign(ssk, m), m) ≡ Create(sk, apk, m) for all m ∈ M.

Note that the keys kisk and kipk may be the empty string, as in the case of the (key-independent) schemes of Boneh et al. [5] and of Lu et al. [13]. There, the algorithm KI-Enc is the encryption algorithm of the El Gamal public key encryption scheme.

Theorem 3. Let VES be an extractable and key-independent verifiably encrypted signature scheme. VES is unforgeable if and only if the underlying signature scheme DSig is unforgeable.

Proof. We have to show two directions. We begin with the (interesting) direction, showing that the existence of an algorithm A1 that successfully forges a verifiably encrypted signature implies the existence of an adversary B that successfully breaks DSig. B gets as input the public key spk of the underlying signature scheme DSig and has access to a signing oracle Sign(ssk, ·) that, upon input a message m, returns the corresponding signature. Subsequently, B picks a key pair for the simulation of the adjudicator (ask, apk) ← AdjKg(1^n) and a VES key pair (sk, pk) ← Kg(1^n). It then replaces the signature verification key in pk with spk, i.e., pk = (kipk, spk), and runs A1 in a black-box simulation on input (apk, pk). During the simulation, A1 may invoke its creation oracle C on a message m. Algorithm B answers this query as follows. It first generates the signature σ ← Sign(ssk, m) with the help of its external signing oracle and outputs ω ← KI-Enc(apk, kipk, kisk, σ, m). Whenever A1 invokes its adjudication oracle A on a valid tuple (m, ω), B returns σ ← Adj(ask, apk, pk, ω, m). Eventually, A1 stops, outputting a tuple (m∗, ω∗); then B computes σ∗ ← Adj(ask, apk, pk, ω∗, m∗) and outputs (m∗, σ∗) as its forged signature.

For the analysis, assume that A1 succeeds with non-negligible probability ε(n). Observe that B performs a perfect simulation from A1's point of view because VES is key-independent, i.e., B can choose the keys for KI-Enc independently of ssk.

Note that A1 succeeds if it outputs a "fresh" tuple (m∗, ω∗). Here, the freshness condition means that A1 has neither queried its creation oracle nor the adjudication oracle about m∗. But if A1 has never sent m∗ to one of the oracles, then B has never queried its signing oracle about m∗. Since the scheme VES is extractable, B outputs a valid message-signature pair (m∗, σ∗) whenever A1 provides a valid verifiably encrypted signature (except with negligible probability). This, however, contradicts the assumption that DSig is unforgeable.

The other direction shows how to break unforgeability of the verifiably encrypted signature scheme with the help of an adversary A2 that forges the underlying signature scheme. The idea of the proof is to output the key-independent encryption (using KI-Enc) of the forgery obtained from A2.

5 The Need for Abuse-Freeness

Garay, Jakobsson, and MacKenzie already consider abuse-freeness for optimistic fair exchange [9]. Their definition demands that no single signer should be able to prove to any third party that he can determine the outcome of the protocol. Since VES schemes are typically non-interactive, and since the verification equation ensures that the contained signature is valid, this definition seems inapplicable to the VES scenario.

Intuitively, abuse-freeness means that an adversary who may covertly cooperate with the adjudicator is unable to compute a verifiably encrypted signature on behalf of another party. We model this in an experiment where the malicious signer A receives the private key of the adjudicator and the public key of the honest signer, whom we model as the oracle C. The adversary A succeeds if it outputs a "fresh" tuple (m∗, ω∗), i.e., a message m∗ and an encrypted signature ω∗ such that A has never queried m∗ to C. Observe that giving A access to an adjudication oracle would be redundant, since that oracle can be simulated with ask.

Definition 4 (Abuse-freeness). VES is abuse-free if for any efficient algorithm $A$ the probability that experiment Abuse evaluates to 1 is negligible (as a function of $n$), where

Experiment $\mathsf{Abuse}^{VES}_{A}(n)$
  $(apk, ask) \leftarrow AdjKg(1^n)$
  $(sk, pk) \leftarrow Kg(1^n)$
  $(m^*, \omega^*) \leftarrow A^{C(sk, apk, \cdot)}(apk, ask, pk)$
  Return 1 iff $VesVf(apk, pk, \omega^*, m^*) = 1$ and $A$ has never queried $C(sk, apk, \cdot)$ about $m^*$.


This definition can be strengthened even further, as A could be allowed to choose the public key apk. We call schemes satisfying the stronger notion strongly abuse-free (see [14]).

Relation to the Security Model. We discuss the relation between abuse-freeness and the other security requirements. The interesting point is that for key-independent, extractable schemes, abuse-freeness is already guaranteed. In addition, we can separate abuse-free VES schemes from those satisfying the model of Boneh et al. For the separation, we need to recall the definition of public-key encryption schemes. A public-key encryption scheme $E$ is a tuple of efficient algorithms (Pk-Kg, Enc, Dec), where $(pk_E, sk_E) \leftarrow Pk\text{-}Kg(1^n)$ is a key generation algorithm that outputs a public encryption key $pk_E$ and a private decryption key $sk_E$. The encryption algorithm $C \leftarrow Enc(pk_E, m)$ takes as input a message $m$ from some underlying plaintext space $M$ and outputs a ciphertext $C$. The decryption algorithm $m \leftarrow Dec(sk_E, C)$, upon input the private key $sk_E$ and a ciphertext $C$, returns the plaintext $m$. It is assumed that $\Pr[Dec(sk_E, Enc(pk_E, m)) = m] = 1$ (except for a negligible amount).

Definition 5 (CPA Indistinguishability). A public key encryption scheme $E$ = (Pk-Kg, Enc, Dec) is indistinguishable under chosen plaintext attacks (IND-CPA) if for any efficient algorithm $A$ the probability that the experiment $\mathsf{INDCPA}^{E}_{A}$ evaluates to 1 is negligibly close to $1/2$, where

Experiment $\mathsf{INDCPA}^{E}_{A}(n)$
  $(pk_E, sk_E) \leftarrow Pk\text{-}Kg(1^n)$
  $b \xleftarrow{\$} \{0, 1\}$
  $b^* \leftarrow A^{Enc(pk_E, b, \cdot, \cdot)}(pk_E)$   // the oracle takes $m_0, m_1 \in M$ with $|m_0| = |m_1|$ as input and returns $Enc(pk_E, m_b)$
  Return 1 iff $b^* = b$.

Theorem 4. If an IND-CPA secure public-key encryption scheme E and a secure verifiably encrypted signature scheme VES exist, then there is a secure scheme VES′ which is not abuse-free.

Proof. We build the scheme VES′ out of VES such that VES′ is unforgeable and opaque, but such that a malicious adjudicator is able to recover the private signing key. VES′ is defined as:

Key Generation: Kg′ ≡ Kg. AdjKg′ calls (ask, apk) ← AdjKg(1^n) and (pk_E, sk_E) ← Pk-Kg(1^n). It outputs (ask′, apk′) ← ((ask, sk_E), (apk, pk_E)).

VES Creation: Create′(sk, apk′, m) executes ω ← Create(sk, apk, m) and a ← Enc(pk_E, sk). It returns ω′ ← (ω, a).

VES Verification: VesVf′(apk′, pk, ω′, m) outputs VesVf(apk, pk, ω, m).

Adjudication: Adj′(ask′, apk′, pk, ω′, m) outputs the result of Adj(ask, apk, pk, ω, m).

Completeness, unforgeability, and opacity of VES′ directly carry over from VES. Observe that E is an IND-CPA secure public-key encryption scheme; thus, in the unforgeability and opacity experiments, where the adversary does not hold sk_E, the component a does not reveal the signing key. With the help of a malicious adjudicator, who holds sk_E, however, recovering the key is indeed possible.


Concerning abuse-freeness, the adversary A gets the adjudication key pair (ask′, apk′) = ((ask, sk_E), (apk, pk_E)) together with a public key pk. It selects two distinct messages m1 and m2, invokes the creation oracle C on m1, obtaining (ω, a), extracts the private key sk ← Dec(sk_E, a), and uses sk to compute ω∗ ← Create′(sk, apk′, m2). A straightforward analysis shows that A is efficient and always succeeds.

In the following, we show that any key-independent, extractable verifiably encrypted signature scheme is also abuse-free. Again, this result helps reduce the effort of proving security.

Theorem 5. A key-independent, extractable, and secure scheme VES is abuse-free if the underlying signature scheme DSig is unforgeable.

Proof. Suppose that there exists an adversary A that breaks abuse-freeness with noticeable probability. We then show that A can be used to forge ordinary signatures in DSig. The reduction B against the unforgeability of DSig receives a public key spk. It generates (ask, apk) ← AdjKg(1^n) and (sk, pk) ← Kg(1^n), replaces the public signature verification key for DSig in pk with spk (the resulting key is pk′), and runs A(apk, ask, pk′) as a black box. Whenever A queries m to C, B calls its signing oracle σ ← Sign(ssk, m) and computes ω ← KI-Enc(apk, kipk, kisk, σ, m). Finally, A stops and outputs (m∗, ω∗). B extracts the corresponding signature σ∗ ← Adj(ask, apk, pk′, ω∗, m∗) and returns (m∗, σ∗). Assuming that A succeeds with noticeable probability ε(n), A has not queried m∗ to C; as a consequence, B's attack is legitimate, and it simulates A's environment perfectly because VES is key-independent. Furthermore, B is efficient, and as VES is extractable, B succeeds with the same probability ε(n) (except for a negligible part). This, however, is a contradiction.

6 An Efficient Instantiation

In this section, we present an efficient verifiably encrypted signature scheme that is based on the Boneh-Boyen (BB) signature scheme. It is secure, extractable, and abuse-free in the standard model. For simpler notation, we omit the generation of the publicly known system parameters, and recall that $z = e(g_1, g_2)$.

Construction 1. Our instantiation works as follows.

Adjudicator Key Generation: $AdjKg(1^n)$ returns $apk \leftarrow u_a = g_2^\beta$ and $ask \leftarrow \beta$, for $\beta \xleftarrow{\$} \mathbb{Z}_p^*$.

Key Generation: $Kg(1^n)$ calls $((x, y), (u, v)) \leftarrow BB.Kg(1^n)$, computes $\rho_1 \leftarrow apk^x$ and $\rho_2 \leftarrow apk^y$, and returns the key pair $((x, y), (u, v, \rho_1, \rho_2))$, where $sk = (x, y)$ and $pk = (u, v, \rho_1, \rho_2)$.

Signing, Verification: Defined as in the BB digital signature scheme.

VES Creation: $Create(sk, apk, m)$ parses $sk = (x, y)$ and $apk = u_a$. It computes $(r, \sigma) \leftarrow BB.Sign((x, y), m)$, selects $s \xleftarrow{\$} \mathbb{Z}_p$ and sets $\mu \leftarrow \psi(g_2)^s$ and $\sigma' \leftarrow \psi(u_a)^s$. Then it encrypts $\sigma$ as $\varrho = \sigma \sigma'$ and returns $\omega = (r, \varrho, \mu)$.

VES Verification: $VesVf(apk, pk, \omega, m)$ parses $apk = u_a$, $pk = (u, v, \rho_1, \rho_2)$, and $\omega = (r, \varrho, \mu)$. It returns 1 iff
$$e(\varrho,\ u\, g_2^m v^r) \cdot e(\mu,\ \rho_1 \rho_2^r u_a^m)^{-1} = z, \qquad e(g_1, \rho_1) = e(\psi(u_a), u), \qquad \text{and} \qquad e(g_1, \rho_2) = e(\psi(u_a), v).$$

Adjudication: $Adj(ask, apk, pk, \omega, m)$ parses $ask = \beta$, $apk = u_a$, $pk = (u, v, \rho_1, \rho_2)$, and $\omega = (r, \varrho, \mu)$. If $VesVf(apk, pk, \omega, m) = 1$, then it outputs $\sigma \leftarrow \varrho / \mu^\beta$ (the extracted BB signature on $m$ is $(r, \sigma)$).

Note that Construction 1 is key-independent, because we use the El Gamalencryption. Furthermore, it is complete (see Appendix B).

A Word on Efficiency. Note that we create ρ1 and ρ2 in Kg, which is originally not permitted by the model because Kg does not have access to apk. It is, however, reasonable to assume the existence of a unique adjudicator whose parameters are known and fixed before key generation. Otherwise, one could compute ρ1 and ρ2 in Create, which would be less efficient due to larger computational costs and an increased output size. Similarly, we eliminate the need to check the soundness of ρ1 and ρ2 in VesVf by assuming that all user keys are registered and that the universally trusted registration authority has already verified them. Without such a registration step, VesVf has to evaluate the two equations for ρ1 and ρ2 itself, which adds four pairing evaluations to the two counted in Table 1.
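To make the algebra of the BB signature recalled in Section 2 and of Construction 1 concrete, here is an added, self-contained Python model; it is editorial example code, not code from the paper or its authors. Because every element of $G_1$, $G_2$ and $G_T$ is a power of a fixed generator, the model stores only exponents modulo a toy prime P and implements the pairing as a product of exponents. This reproduces the verification equations, the adjudication step and the re-randomizability that Table 1 records as "not strongly secure" exactly, but it has no security whatsoever (every discrete logarithm is visible) and is meant only for studying the equations. The prime P, the function names and the sample message value are assumptions of the example.

```python
# Exponent-level toy model of the BB signature and of Construction 1 (editorial
# example, not code from the paper). All three groups are cyclic of order P, so
# each element is g^a for a known a and we store only a mod P: the group
# operation is addition, exponentiation is multiplication, and the pairing is
# e(g1^a, g2^b) = z^(a*b). The algebra is exact, but there is NO security here
# (discrete logs are visible). P, all names and the sample message are assumed.
import secrets

P = 2**61 - 1  # toy group order (a Mersenne prime); real curves use >= 160 bits

class El:
    """Element g^e of G1, G2 or GT, represented by its exponent e mod P."""
    def __init__(self, e):
        self.e = e % P
    def __mul__(self, other):      # group operation
        return El(self.e + other.e)
    def __truediv__(self, other):  # multiply by the inverse element
        return El(self.e - other.e)
    def __pow__(self, k):          # scalar exponentiation
        return El(self.e * (k % P))
    def __eq__(self, other):
        return isinstance(other, El) and self.e == other.e

def e(a, b):    # bilinear map e(g1^a, g2^b) = z^(ab)
    return El(a.e * b.e)

def psi(b):     # homomorphism psi: G2 -> G1 with psi(g2) = g1
    return El(b.e)

G1, G2 = El(1), El(1)  # generators g1, g2
Z = e(G1, G2)          # z = e(g1, g2) generates GT

def rand_zp(nonzero=False):
    return secrets.randbelow(P - 1) + 1 if nonzero else secrets.randbelow(P)

# ---- Boneh-Boyen signature (Section 2) ----
def bb_keygen():
    x, y = rand_zp(True), rand_zp(True)
    return (x, y), (G2 ** x, G2 ** y)            # ssk = (x, y), spk = (u, v)

def bb_sign(ssk, m):
    x, y = ssk
    r = rand_zp()
    while (x + m + y * r) % P == 0:              # r must avoid -(x + m)/y
        r = rand_zp()
    return r, G1 ** pow(x + m + y * r, -1, P)    # sigma = g1^(1/(x + m + y r))

def bb_verify(spk, sig, m):
    u, v = spk
    r, sigma = sig
    return e(sigma, u * G2 ** m * v ** r) == Z

# ---- Construction 1 (Section 6) ----
def adj_keygen():
    beta = rand_zp(True)
    return beta, G2 ** beta                      # ask = beta, apk = u_a = g2^beta

def ves_keygen(apk):
    (x, y), (u, v) = bb_keygen()
    return (x, y), (u, v, apk ** x, apk ** y)    # pk = (u, v, rho1, rho2)

def ves_create(sk, apk, m):
    r, sigma = bb_sign(sk, m)
    s = rand_zp()
    mu, sigma_prime = psi(G2) ** s, psi(apk) ** s  # g1^s and g1^(beta s)
    return r, sigma * sigma_prime, mu            # omega = (r, varrho, mu)

def ves_verify(apk, pk, omega, m):
    u, v, rho1, rho2 = pk
    r, varrho, mu = omega
    v1 = e(varrho, u * G2 ** m * v ** r) / e(mu, rho1 * rho2 ** r * apk ** m) == Z
    v2 = e(G1, rho1) == e(psi(apk), u) and e(G1, rho2) == e(psi(apk), v)
    return v1 and v2

def adjudicate(ask, apk, pk, omega, m):
    if not ves_verify(apk, pk, omega, m):
        return None
    r, varrho, mu = omega
    return r, varrho / mu ** ask                 # BB signature (r, sigma), sigma = varrho / mu^beta

def rerandomize(apk, omega):
    """Re-randomization by anyone who knows apk (s -> s + t): why the scheme is not strongly secure."""
    r, varrho, mu = omega
    t = rand_zp(True)
    return r, varrho * psi(apk) ** t, mu * psi(G2) ** t

def demo(m=2009):
    ask, apk = adj_keygen()
    sk, pk = ves_keygen(apk)
    omega = ves_create(sk, apk, m)
    sig = adjudicate(ask, apk, pk, omega, m)     # extraction (Theorem 6)
    omega2 = rerandomize(apk, omega)
    r, varrho, mu = omega
    return {
        "ves_valid": ves_verify(apk, pk, omega, m),
        "extracted_valid": sig is not None and bb_verify(pk[:2], sig, m),
        "rerandomized_valid": omega2 != omega and ves_verify(apk, pk, omega2, m),
        "wrong_message": ves_verify(apk, pk, omega, (m + 1) % P),
        "tampered_r": ves_verify(apk, pk, ((r + 1) % P, varrho, mu), m),
    }
```

`ves_verify` evaluates all three equations of VesVf, including the two checks on ρ1 and ρ2 that the registration assumption above would let an implementation skip; `adjudicate` refuses invalid ω and otherwise returns a BB signature that passes `bb_verify`, which is the extractability argument of Theorem 6 played out on one instance. `rerandomize` is the attack the strong notions rule out: an eavesdropper holding only apk turns a captured ω into a different valid ω for the same message, so `demo()` reports `rerandomized_valid` as true while the two tampering checks come out false.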

6.1 Proof of Security

For the following security proofs, let T_AdjKg and T_Kg be the cost functions for adjudication and signature key generation, and let T_Create and T_Adj be the cost functions for creation and adjudication of verifiably encrypted signatures. The next theorem proves extractability, which implies unforgeability by Theorem 3.

Theorem 6. Construction 1 is extractable.

Proof. We show that if a verifiably encrypted signature $\omega$ verifies, then it is always possible to extract a valid BB signature. From VesVf, we have

  (V1) $e(\varrho,\ u\, g_2^m v^r) \cdot e(\mu,\ \rho_1 \rho_2^r u_a^m)^{-1} = z$;
  (V2) $e(g_1, \rho_1) = e(\psi(u_a), u)$ and $e(g_1, \rho_2) = e(\psi(u_a), v)$.

After applying the adjudication algorithm to $\omega$, Vf evaluates:
$$\begin{aligned}
e(\varrho / \mu^\beta,\ u\, g_2^m v^r) &= e(\varrho,\ u\, g_2^m v^r) \cdot e(\mu,\ u\, g_2^m v^r)^{-\beta} \\
&\overset{(V1)}{=} e(\mu,\ \rho_1 \rho_2^r u_a^m) \cdot z \cdot e(\mu,\ u\, g_2^m v^r)^{-\beta} \\
&\overset{(V2)}{=} e(\mu,\ u^\beta v^{r\beta} g_2^{\beta m}) \cdot z \cdot e(\mu,\ u\, g_2^m v^r)^{-\beta} = z .
\end{aligned}$$

Corollary 1. If the BB signature scheme is $(t + T_{AdjKg}(n) + T_{Kg}(n) + q_C\, T_{Create}(n) + (q_A + 1)\, T_{Adj}(n),\ q_C,\ \varepsilon)$-unforgeable, then Construction 1 is $(t, q_C, q_A, \varepsilon)$-unforgeable.

Proof. The proof follows immediately from Theorem 3 in conjunction withTheorem 6.


The opacity of our verifiably encrypted signature scheme depends on the assumption that, given $q$ tuples $(c_i, g_1^{1/(x+c_i)})$, $i = 2, \dots, q+1$, it is difficult to extract the value $g_1^{1/(x+c_1)}$ from an El Gamal encryption $(c_1, g_1^{\beta s + 1/(x+c_1)})$. It is well known that El Gamal encryption is provably one-way if the computational Diffie-Hellman (CDH) problem is hard, and that it is a CPA-secure encryption scheme if the decisional Diffie-Hellman (DDH) assumption holds. More formally, we require that the following problem is computationally infeasible:

Definition 6 (q-SDH Extraction Problem). In the $q$-SDH extraction problem (SDHE), an adversary gets as input
$$\Big(g_1,\ g_1^{s},\ g_2,\ g_2^{\beta},\ g_2^{x},\ g_2^{\beta x},\ \big(c_1,\ g_1^{\beta s + 1/(x+c_1)}\big),\ \big\{\big(c_i,\ g_1^{1/(x+c_i)}\big)\big\}_{i=2}^{q+1}\Big)$$
and is required to compute $\big(c_1,\ g_1^{1/(x+c_1)}\big)$.

Definition 7. The $q$-SDHE problem is $(t, \varepsilon)$-hard if no $t$-time algorithm $A$ has advantage at least $\varepsilon$ in solving the $q$-SDHE problem, i.e., no such algorithm has advantage
$$\Pr\Big[\big(c_1,\ g_1^{1/(x+c_1)}\big) \leftarrow A\Big(g_1,\ g_1^{s},\ g_2,\ g_2^{\beta},\ g_2^{x},\ g_2^{\beta x},\ \big(c_1,\ g_1^{\beta s + 1/(x+c_1)}\big),\ \big\{\big(c_i,\ g_1^{1/(x+c_i)}\big)\big\}_{i=2}^{q+1}\Big)\Big] \geq \varepsilon .$$

We assume that q-SDHE is (t, ε)-hard for any polynomial t in n and a negligibleε. Based on this assumption, we can now prove that Construction 1 is opaque.

Theorem 7. If the $q_C$-SDHE problem is $(t + T_{Kg}(n) + q_C\, T_{Create}(n) + q_A\, T_{Adj}(n),\ \varepsilon/q_C)$-hard, then Construction 1 is $(t, q_C, q_A, \varepsilon)$-opaque.

Proof. A natural observation is that there are two possibilities to break opacity. One is to directly forge the underlying signature scheme; the second one is to extract an ordinary signature from a given verifiably encrypted signature. Since the case that the adversary forges the underlying BB signature is already covered, we concentrate on the second class of adversaries, those that "decrypt" a given verifiably encrypted signature. We show how to use such an adversary in order to refute the $q_C$-SDHE assumption.

The proof follows [2, Lemma 10] in the way of simulating adaptive queries, but differs in the point that the adversary extracts a previously queried encrypted element. We distinguish two classes of adversaries. We say that an algorithm $A$ is a

1. type-1 adversary, denoted $A_1$, if it (a) makes a verifiably-encrypted-signature query for a message $m = -x$, or (b) outputs an extraction $(m^*, r^*, g_1^{1/(x + y r^* + m^*)})$ where $m^* + y r^* \notin \{c_1, \dots, c_{q+1}\}$;

2. type-2 adversary, denoted $A_2$, if it (a) never makes a verifiably-encrypted-signature query for a message $m = -x$, and (b) outputs an extraction $(m^*, r^*, g_1^{1/(x + y r^* + m^*)})$ where $m^* + y r^* \in \{c_1, \dots, c_{q+1}\}$.


Note that these types cover all possible adversaries, and observe that they are identical to the partition in [3]. As already pointed out by Boneh and Boyen, a type-1 adversary directly leads to a forgery of the underlying signature scheme; thus we omit this part of the proof and refer the reader to [3].

Now we show how to solve the $q_C$-SDHE problem by giving a reduction $B_2$ black-box access to a type-2 adversary $A_2$. The idea of the proof is to use the technique of Boneh and Boyen in order to answer the queries adaptively. We guess which answer of $C$ the adversary $A_2$ will decrypt and inject the SDHE challenge $(c_1, g_1^{\beta s + 1/(x+c_1)})$ there.

Type-2 adversary. We describe the simulator B2 interacting with a type-2 ad-versary, denoted by A2, in order to solve qC-SDHE.

Setup: The algorithm $B_2$ gets as input $g_1, g_1^s, g_2, g_2^\beta, g_2^x, g_2^{\beta x}$, together with the values $(c_1, g_1^{\beta s + 1/(x + c_1)})$, $\{(c_i, g_1^{1/(x + c_i)})\}_{i=2}^{q_C + 1}$. It selects $y \xleftarrow{\$} \mathbb{Z}_p$ and sets $u \leftarrow g_2^x$, $v \leftarrow g_2^y$, $\rho_1 \leftarrow g_2^{\beta x}$, $\rho_2 \leftarrow g_2^{\beta y}$. Furthermore, $B_2$ picks a random index – the guess $j \xleftarrow{\$} \{1, \dots, q_C + 1\}$ – and initializes a counter $\ell \leftarrow 1$ together with a list $Q \leftarrow \emptyset$. It runs $A_2$ on input $(apk, pk) \leftarrow (\psi(g_2^\beta), (u, v, \rho_1, \rho_2))$.

VES Queries: Whenever $A_2$ queries $m$ to $C$, $B_2$ increments $\ell \leftarrow \ell + 1$. Case 1 ($\ell = j$): $B_2$ sets $r_\ell \leftarrow (c_1 - m)/y$, $\mu_\ell \leftarrow g_1^s$, and $\varpi_\ell \leftarrow g_1^{\beta s + 1/(x + c_1)}$. Case 2 ($\ell \neq j$): $B_2$ selects $s_\ell \xleftarrow{\$} \mathbb{Z}_p$, sets $\mu_\ell \leftarrow g_1^{s_\ell}$ and $r_\ell \leftarrow (c_\ell - m)/y$, and computes $\varpi_\ell \leftarrow g_1^{\beta s_\ell} g_1^{1/(x + c_\ell)}$. $B_2$ stores $(m_\ell \leftarrow m, r_\ell, g_1^{1/(x + c_\ell)})$ in $Q$. In either case, $B_2$ returns $(r_\ell, \varpi_\ell, \mu_\ell)$.

Adjudication Queries: Whenever $A_2$ queries a tuple $(m, (r, \varpi, \mu))$ to $A$, $B_2$ checks that the tuple is valid and returns fail if this is not the case. Let us assume that $(m, (r, \varpi, \mu))$ is valid. According to Theorem 1 we know that algorithm $A_2$ must have queried $m$ to $C$; let $i \in \{1, \dots, |Q|\}$ be the index of the corresponding query. If $i = j$, then $B_2$ aborts. Otherwise, if $i \neq j$, $B_2$ returns $(r_\ell, g_1^{1/(x + c_\ell)})$.

Output: Finally, $A_2$ stops, outputting a tuple $(m^*, r^*, g_1^{1/(x + m^* + y r^*)})$. $B_2$ sets $c^* \leftarrow m^* + y r^*$. It aborts if $c_1 \neq c^*$, and otherwise stops, outputting $(c^*, g_1^{1/(x + c^*)})$.

Analysis. Algorithm $B_2$ performs a perfect simulation of $C$. Note that $r_\ell$ is uniformly distributed over $\mathbb{Z}_p \setminus \{-\frac{x + m_\ell}{y}\}$ and that for the oracle answers of $C$, we have:

$$e(\varpi_\ell, u\, g_2^{m_\ell} v^{r_\ell}) \cdot e(\mu_\ell, \rho_1 \rho_2^{r_\ell} u_a^{m_\ell})^{-1} = e\big(\sigma_\ell\, g_1^{\beta s_\ell}, u\, g_2^{m_\ell + y r_\ell}\big) \cdot e\big(\mu_\ell, u^\beta g_2^{\beta(m_\ell + y r_\ell)}\big)^{-1} = z.$$

$B_2$ also simulates the oracle $A$ perfectly (for $i \neq j$) because for its output $(r_\ell, \sigma_\ell)$, we have

$$e(\sigma_\ell, u\, g_2^{m_\ell} v^{r_j}) = e\big(\sigma_\ell, u\, g_2^{m_\ell + y r_j}\big) = e\big(\sigma_\ell, u\, g_2^{c_j}\big) = z.$$


Security of Verifiably Encrypted Signatures 31

Observe that $A_2$ can never query the adjudication oracle $A$ without having invoked $C$ before, due to Theorem 1, i.e. $q_A \leq q_C$. The same argument applies if $A_2$ sends a valid tuple $(m, (r, \varpi, \mu))$ to $A$ such that $m$ is in the query list $Q$, but with a different value $r$. Both cases would contradict the strong unforgeability of the BB signature scheme.

Assume that $A_2$ succeeds with non-negligible probability $\varepsilon(n)$. According to the partition of adversaries, we know that $A_2$ "decrypts" a given $\varpi$ obtained from $C$. Since $B_2$ guesses the index of the corresponding query, its success probability is lessened by a factor of $1/q_C$. However, it still succeeds with non-negligible probability $\varepsilon(n)/q_C$ in the $q_C$-SDHE problem — a contradiction.

Corollary 2. If the BB signature scheme is unforgeable, then Construction 1 is abuse-free.

Proof. The proof follows immediately from Theorem 6 and Theorem 5.

Acknowledgments

We thank Heike Busch, Marc Fischlin, Cristina Onete, Michael Schneider, and the anonymous reviewers for their valuable comments.

References

1. Asokan, N., Shoup, V., Waidner, M.: Optimistic Fair Exchange of Digital Signatures. IEEE Journal on Selected Areas in Communications 18(4), 593–610 (2000)

2. Boneh, D., Boyen, X.: Short Signatures Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)

3. Boneh, D., Boyen, X.: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology 21(2), 149–177 (2008)

4. Bao, Deng, Mao: Efficient and Practical Fair Exchange Protocols with Off-Line TTP. In: RSP: 19th IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos (1998)

5. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)

6. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004)

8. Dodis, Y., Lee, P.J., Yum, D.H.: Optimistic fair exchange in a multi-user setting. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 118–133. Springer, Heidelberg (2007)

9. Garay, J.A., Jakobsson, M., MacKenzie, P.D.: Abuse-Free Optimistic Contract Signing. In: Wiener, M. (ed.) CRYPTO 1999, vol. 1666, pp. 449–466. Springer, Heidelberg (1999)

10. Goldwasser, S., Mic, S., Rivest, R.L.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput. 17(2), 281–308 (1988)

11. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006)

12. Hess, F.: On the Security of the verifiably-encrypted signature scheme of Boneh, Gentry, Lynn and Shacham. Information Processing Letters 89(3), 111–114 (2004)

13. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006)

14. Ruckert, M., Schroder, D.: Security of Verifiably Encrypted Signatures and a Construction Without Random Oracles (Extended Version). Number 2009/027 in Cryptology ePrint Archive (2009), eprint.iacr.org

15. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

16. Zhang, F., Safavi-Naini, R., Susilo, W.: Efficient verifiably encrypted signature and partially blind signature from bilinear pairings. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003, vol. 2904, pp. 191–204. Springer, Heidelberg (2003)

A Secure Signature Schemes

Recall that a digital signature scheme DSig is defined as:

Definition 8. A signature scheme consists of a triple of efficient algorithms DSig = (Kg, Sign, Vf), where:

Key Generation: Kg($1^n$) outputs a private signing key sk and a public verification key pk.

Signature Generation: Sign(ssk, m) outputs a signature $\sigma$ under ssk, on a message $m$ chosen from the message space $M$.

Signature Verification: The algorithm Vf(spk, $\sigma$, m) outputs 1 iff $\sigma$ is a valid signature on $m$ under spk.

Signature schemes are complete if for any (ssk, spk) $\leftarrow$ Kg($1^n$), any message $m \in M$, and any $\sigma \leftarrow$ Sign(ssk, m), we have: Vf(spk, $\sigma$, m) = 1.

The security of signature schemes is proven against existential forgery under adaptive chosen message attacks (EU-CMA) [10]. In this model, an adversary adaptively invokes a signing oracle and is successful if it outputs a signature on a fresh message. In the following, we use a slightly stronger notion, known as strong unforgeability (SU-CMA). Here, the adversary also succeeds if it computes a fresh message-signature pair.

Definition 9. A signature scheme DSig is strongly unforgeable under adaptive chosen message attacks (SU-CMA) if for any efficient algorithm $A$ the probability that the experiment $\mathrm{sForge}^{\mathrm{DSig}}_A$ evaluates to 1 is negligible (as a function of $n$).


Experiment $\mathrm{sForge}^{\mathrm{DSig}}_A(n)$
  $(ssk, spk) \leftarrow \mathrm{Kg}(1^n)$
  $(m^*, \sigma^*) \leftarrow A^{\mathrm{Sign}(ssk, \cdot)}(pk)$
  let $(m_i, \sigma_i)$ be the answer returned by $\mathrm{Sign}(ssk, \cdot)$ on input $m_i$, for $i = 1, \dots, k$.
  Return 1 iff $\mathrm{Vf}(spk, m^*, \sigma^*) = 1$ and $(m^*, \sigma^*) \notin \{(m_1, \sigma_1), \dots, (m_k, \sigma_k)\}$.

A signature scheme DSig is $(t, q_S, \varepsilon)$-secure if no adversary running in time at most $t$, invoking the signing oracle at most $q_S$ times, outputs a valid forgery $(m^*, \sigma^*)$ with probability larger than $\varepsilon$.

B Completeness in Section 6

Concerning completeness, we prove the following proposition.

Proposition 1. Construction 1 is complete.

Proof. We show that for all honestly generated key pairs, for all messages $m \in M$, and for any verifiably encrypted signature generated by the Create algorithm, the VesVf algorithm returns 1. We have:

$$\begin{aligned}
e(\varpi, u\, g_2^m v^r) \cdot e(\mu, \rho_1 \rho_2^r u_a^m)^{-1}
&= e\big(g_1^{1/(x+m+yr)}\, \psi(u_a)^s, u\, g_2^m v^r\big) \cdot e\big(\mu, u_a^x u_a^{yr} g_2^{\beta m}\big)^{-1} \\
&= e\big(g_1^{1/(x+m+yr)}, g_2^x g_2^m g_2^{yr}\big) \cdot e\big(\psi(u_a)^s, u\, g_2^m v^r\big) \cdot e\big(\mu, g_2^{\beta(x+m+yr)}\big)^{-1} \\
&= e(g_1, g_2)^{\frac{x+m+yr}{x+m+yr}} \cdot e\big(\mu^\beta, u\, g_2^m v^r\big) \cdot e\big(\mu^\beta, u\, g_2^m v^r\big)^{-1} \\
&= z.
\end{aligned}$$

We further show that if the adjudicator extracts a signature $\sigma$, then $\sigma$ can be verified as a valid BB signature, i.e., running the BB verification algorithm yields:

$$\begin{aligned}
e(\varpi / \mu^\beta, u\, g_2^m v^r)
&= e\big(\sigma\, \psi(u_a)^s, u\, g_2^m v^r\big) \cdot e\big(\mu, u\, g_2^m v^r\big)^{-\beta} \\
&= e\big(\sigma, g_2^{x+m+yr}\big) \cdot e\big(\psi(u_a)^s, u\, g_2^m v^r\big) \cdot e\big(\mu^\beta, u\, g_2^m v^r\big)^{-1} \\
&= e(g_1, g_2)^{\frac{x+m+yr}{x+m+yr}} \cdot e\big(\mu^\beta, u\, g_2^m v^r\big) \cdot e\big(\mu^\beta, u\, g_2^m v^r\big)^{-1} \\
&= z.
\end{aligned}$$

C A Stronger VES Model

In the following, we discuss how the security definition of VES schemes can be strengthened even further. We apply the idea of strong unforgeability in the digital signature context to the definitions of unforgeability and opacity in the VES context. We show in the full version of this paper that the new model is strictly stronger and give a first instantiation.


Definition 10. A verifiably encrypted signature scheme VES is called strongly unforgeable if for any efficient algorithm $A$, the probability that the following experiment evaluates to 1 is negligible (as a function of $n$).

Experiment $\mathrm{VesSForge}^{\mathrm{VES}}_A(n)$
  $(sk, pk) \leftarrow \mathrm{Kg}(1^n)$
  $(ask, apk) \leftarrow \mathrm{AdjKg}(1^n)$
  $(m^*, \omega^*) \leftarrow A^{C(sk, apk, \cdot),\, A(ask, apk, pk, \cdot, \cdot)}(pk, apk)$
  Let $C = \{(m_{C_1}, \omega_{C_1}), \dots, (m_{C_k}, \omega_{C_k})\}$ be the query-answer pairs of $C$.
  Return 1 iff $\mathrm{VesVf}(apk, pk, \omega^*, m^*) = 1$ and $(m^*, \omega^*) \notin C$.

The main difference to unforgeability is that the adversary is allowed to output a forgery $\omega^*$ for a message $m^*$ that has already been sent to $C$, as long as the forged verifiably encrypted signature is different from the corresponding answer of $C$. This last condition ensures that verifiably encrypted signatures cannot be reused by simply re-randomizing them.

Moreover, the adversary is allowed to query $A$ on $m^*$ in order to obtain an ordinary signature $\sigma^*$. In this scenario, however, we require that reusing ordinary signatures as verifiably encrypted signatures without knowing some secret information should be hard.

Definition 11. A verifiably encrypted signature scheme VES is called strongly opaque if for any efficient algorithm $A$, the probability that the following experiment evaluates to 1 is negligible (as a function of $n$).

Experiment $\mathrm{SOpac}^{\mathrm{VES}}_A(n)$
  $(sk, pk) \leftarrow \mathrm{Kg}(1^n)$
  $(ask, apk) \leftarrow \mathrm{AdjKg}(1^n)$
  $(m^*, \sigma^*) \leftarrow A^{C(sk, apk, \cdot),\, A(ask, apk, pk, \cdot, \cdot)}(pk, apk)$
  Let $A = \{(m_{A_1}, \sigma_{A_1}), \dots, (m_{A_\ell}, \sigma_{A_\ell})\}$ be the query-answer pairs of $A$.
  Return 1 iff $\mathrm{Vf}(apk, \sigma^*, m^*) = 1$ and $(m^*, \sigma^*) \notin A$.

Here again, as opposed to opacity, the adversary is allowed to query the oracles on the message it is about to output as a forgery. The forgery, however, must be different from what the adversary obtained from $A$ on that message.

Definition 12 (Strong Security of VES). A verifiably encrypted signature scheme VES is called strongly secure if it is strongly unforgeable and strongly opaque.

We show in the full version of this paper that a modification of our construction satisfies the stronger notion.


Multisignatures as Secure as the Diffie-Hellman Problem in the Plain Public-Key Model

Duc-Phong Le1, Alexis Bonnecaze2, and Alban Gabillon3

1 Laboratoire LIUPPA, Universite de Pau et des Pays de l'Adour, 64013 Pau Cedex, [email protected]

2 Laboratoire IML, Universite de Mediteranee, 13288 Marseille cedex 09, [email protected]

3 Laboratoire GePaSud, Universite de la Polynesie Francaise, 98702 FAA'A - Tahiti - Polynesie francaise, [email protected]

Abstract. A multisignature scheme allows a group of signers to cooperate to generate a compact signature on a common document. The length of the multisignature depends only on the security parameters of the signature schemes and not on the number of signers involved. The existing state-of-the-art multisignature schemes suffer either from impractical key setup assumptions, from loose security reductions, or from inefficient signature verification. In this paper, we present two new multisignature schemes that address all of these issues, i.e., they have efficient signature verification, they are provably secure in the plain public-key model, and their security is tightly related to the computational and decisional Diffie-Hellman problems in the random oracle model. Our construction derives from variants of EDL signatures.

1 Introduction

A multisignature scheme enables multiple signers to jointly authenticate a document, producing a fixed-length digital signature. The goal of a multisignature is to prove that each member of the stated group signed the message. Multisignatures can be applied to provide efficient batch verification of several signatures of the same message under different public keys, e.g. applications concerning multicast communication: IP multicast, peer-to-peer file sharing, mobile ad hoc networks, etc.

The notion of multisignatures was first introduced by Itakura and Nakamura in [12], and has been followed by many other research works [7, 18]. Those initial schemes were not very efficient and in particular there was no formal notion of security. In fact, some effective attacks on multisignature schemes, like the rogue-key attack, have succeeded due to weaknesses in the key setup protocol. A rogue-key attack can be realized whenever an adversary is allowed to choose his public key as he wishes. Typically, the adversary chooses his public key as a function of the public keys of honest users, allowing him to produce forgeries easily.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 35–51, 2009. © Springer-Verlag Berlin Heidelberg 2009


The first formal security model for multisignatures was formalized by Micali et al. in [16]. They showed how to avoid such rogue-key attacks under the so-called "Knowledge of Secret Key" (KOSK) assumption, which requires the adversary to essentially provide a secret key for every public key it chooses. Their scheme implemented the KOSK assumption via an interactive pre-processing protocol involving all potential signers. This makes their scheme impractical. Another way to realize the KOSK assumption is to employ the so-called Key Registration (KR) model for Public Key Infrastructure (PKI), introduced in the context of multisignatures by Ristenpart and Yilek [19]. In the KR model, a Certification Authority (CA) can certify a public key only if its owner passes a special key registration procedure, called a proof of possession of the secret key (POP). The KR model thus shifts the proof verification overhead from multisignature verifiers to the CA. This imposes a limitation on the use of those multisignatures. Then, Bagherzandi and Jarecki [1] removed this limitation by considering an alternative mode of PKI operation which we call the Key Verification (KV) model. In the KV model each private key owner also produces a (POP) string, but instead of handing it to the CA during the key registration process she attaches it to her key (or a PKI certificate on the key). This POP message is then verified by a multisignature receiver instead of by the CA, for example together with verification of PKI certificates on that key [1].

Plain public key model. In the setting of multisignature schemes, the set of potential users should be dynamic. Users can choose their public key as they wish and may register keys at any time. In [4], Bellare and Neven discuss the drawbacks of the KOSK assumption in detail and show that it is possible to dispense with this assumption. They presented a multisignature scheme which is provably secure against rogue-key attacks in the plain public-key model, meaning that key registration with a Certification Authority (CA) requires nothing more than that each signer has a (certified) public key. Their model allows users to register keys at any time, concurrently with other users.

Tight reduction. As Micali and Reyzin [17] put it, if the reduction is efficient and hence the relative hardness of forging and that of breaking the underlying computational assumption is close, we call the reduction tight. If the reduction is less efficient, we call it close, and if it is significantly less efficient, we call it loose. Intuitively, a tight reduction means that the underlying cryptographic problem is almost as hard to solve as the scheme is to break.

Our contribution. In this paper, we propose two multisignature schemes which are interactive and whose security is tightly related in the random oracle model (ROM) to, respectively, the CDH and DDH problems. In particular, our schemes are secure in the plain public-key model. In the same model, compared to the BN scheme [4], the cost of multisignature verification of our schemes is higher than that in the BN scheme. On the other hand, our schemes have tight reductions from the CDH/DDH problems while the security reduction of [4] encounters a security degradation due to the use of the forking lemma. In comparison with the BNN/BGLS scheme [3, 5], our schemes have a constant number of multi-exponentiations and pairings, while the multisignature verification of the BNN/BGLS scheme makes O(n) pairing operations.

Table 1. MS scheme comparisons. For each scheme (the last two are ours) we show the assumption used to prove security, the security degradation, the protocol rounds, the type of key setup, the computational cost of verification of a multi-signature, the computational cost of signing (per signer), and the size of a multi-signature. Signature length is measured in bits, where $n$ is the number of signers, $\kappa$ is the security parameter in the BJ scheme, $|G|$ is the number of bits required to represent elements in group $G$, $q$ is the group order, and $G_1$ and $G_2$ are two groups of points on an elliptic curve with an asymmetric bilinear map $e : G_1 \times G_2 \to G_T$. We assume we work over a 160-bit elliptic-curve (EC) group for the DL-based schemes. For example $\kappa = 80$, $|G| = |q| = |G_1| = 160$ and $|G_2| = 6 \cdot 160$. By "exp" we mean an exponentiation. (Some of the exponentiations are actually multi-exponentiations, but these have the same cost as single exponentiations.) By "pr" we mean a pairing, whose cost estimate is five 512-bit exponentiations [2].

MS Scheme         | Assumption | Degradation in Security | Protocol Rounds | Key Setup | Verify         | Sign  | Signature Length
RY+Bo [19]        | GDH        | $1/q_s$                 | 1               | POP       | 2 pr           | 1 exp | $|G_1|$
RY+LOSSW [19]     | GDH        | $1/q_s$                 | 1               | POP       | 2 pr           | 3 exp | $|G_1| + |G_2|$
MOR [16]          | DL         | $1/(q_s q_h^2)$         | 2               | POP       | 1 exp          | 1 exp | $2|q|$
BN [4]            | DL         | $1/q_h$                 | 3               | Plain     | 1 exp          | 1 exp | $|G| + |q|$
BNN+BGLS [3]      | GDH        | $1/q_s$                 | 1               | Plain     | $n$ pr         | 1 exp | $|G_1|$
BNN+BGLS [3]      | GDH        | tight                   | 1               | Plain     | $n$ pr         | 1 exp | $|G_1| + n$ bits
BJ-CDH [1]        | CDH        | tight                   | 3               | POP       | 1 exp          | 1 exp | $|G| + 2|q| + 2\kappa$
BJ-DDH [1]        | DDH        | tight                   | 3               | POP       | 1 exp          | 1 exp | $2|q|$
OCDH              | GDH        | tight                   | 3               | Plain     | 1 exp + 2 pr   | 1 exp | $2|G_1| + |q|$
ODDH              | DDH        | tight                   | 3               | Plain     | 2 exp          | 2 exp | $2|G| + |q|$

Table 1 summarizes the comparison between ours and previous multisignature schemes.

Organization. The rest of the paper is organized as follows. Section 2 provides some preliminaries about bilinear maps, Diffie-Hellman problems and the security model for multisignatures. In Section 3, we briefly recall the notion of multisignatures and their security. Section 4 presents our construction based on the CDH problem and we analyze its security in Section 5. We present our multisignature scheme based on the DDH problem in Section 6. Finally, we conclude the paper in Section 7.

2 Preliminary

2.1 Bilinear Map

Our first multisignature scheme uses a bilinear map, which is often called a pairing, to implement a decision procedure for the Diffie-Hellman problem. Typically, the pairing used is a modified Weil or Tate pairing. In this section, we briefly review the necessary facts about bilinear maps.


Let $G$, $G_T$ be cyclic groups of prime order $p$. A map $e : G \times G \to G_T$ is called an admissible pairing if it satisfies the following properties:

1. bilinearity: for all $g_1, g_2 \in G$ and $a, b \in \mathbb{Z}$, $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$;
2. non-degeneracy: if $g$ is a generator of $G$, then $e(g, g)$ is a generator of $G_T$;
3. computable: there exists an efficient algorithm to compute $e(g_1, g_2)$ for all $g_1, g_2 \in G$.

While pairing computation is expensive, on-going algorithmic advances and hardware implementations may bring this cost down. Readers can see [6, 14] for a more detailed discussion about bilinear maps and bilinear groups.

2.2 Computational Assumptions

The security of our schemes is based on the hardness of the Diffie-Hellman problems. Let $G$ be a cyclic group of prime order $p$ and let $g$ be a generator of $G$.

Computational Diffie-Hellman. Informally, the CDH problem is to find $g^{ab}$, given $(g^a, g^b) \in G$ as inputs, where $a, b \xleftarrow{\$} \mathbb{Z}_p^*$. An algorithm $A$ has an advantage $\varepsilon$ in solving the CDH problem in $G$ if

$$\Pr\big[A(g, g^a, g^b) = g^{ab} : g \xleftarrow{R} G;\ a, b \xleftarrow{R} \mathbb{Z}_p^*\big]$$

is at least $\varepsilon$. We say that the CDH problem is $(t, \varepsilon)$-hard in $G$ if there exists no algorithm $A$ which, running in time at most $t$, has advantage $\varepsilon$ in solving the CDH problem in $G$.

Decisional Diffie-Hellman. The DDH problem is informally to distinguish between tuples of the form $(g^a, g^b, g^{ab})$ (called DDH triples or DDH tuples), where $a, b \xleftarrow{R} \mathbb{Z}_p^*$, and tuples of the form $(g^a, g^b, g^c)$, where $a, b, c \xleftarrow{R} \mathbb{Z}_p^*$.

A distinguishing algorithm $A$ has an advantage $\varepsilon$ in solving the DDH problem in $G$ if

$$\Big|\Pr\big[A(g^a, g^b, g^{ab}) = 1\big] - \Pr\big[A(g^a, g^b, g^c) = 1\big] : a, b, c \xleftarrow{R} \mathbb{Z}_p^*\Big|$$

is at least $\varepsilon$. We say that the DDH problem is $(t, \varepsilon)$-hard in $G$ if there exists no distinguishing algorithm $A$ which, running in time at most $t$, has advantage $\varepsilon$ in solving the DDH problem in $G$.

The DDH assumption is stronger than the CDH assumption, that is, if the CDH problem is efficiently solved in $G$ then the DDH problem is also solved efficiently in $G$. The converse of these statements is not believed to be true in general. Indeed, Joux and Nguyen [14] showed that there are groups (called gap Diffie-Hellman (GDH) groups) for which DDH is easy by using an efficiently computable bilinear map $e$, yet CDH in the group is still believed to be hard.


3 Multisignature Scheme and Its Security Model

3.1 Multisignature Scheme

Formally, a multisignature scheme consists of four algorithms MS = (Setup, KGen, MSign, Vrfy).

- params $\leftarrow$ Setup($1^k$). A central authority, on input the security parameter $k$, runs the algorithm Setup to produce the global information params. Algorithm Setup is probabilistic.

- (sk, pk) $\leftarrow$ KGen, executed by each signer on input params, generates this signer's secret key sk and the corresponding public key pk. Algorithm KGen is probabilistic.

- The multi-signing algorithm MSign might be a probabilistic algorithm which, given a message $m$, the global information params and a list of signers $L$ along with their public and secret keys, produces a multisignature $\sigma$. The multi-signing can be interactive or non-interactive.

- $\{0, 1\} \leftarrow$ Vrfy(params, $m$, $L$, $\sigma$) verifies whether $\sigma$ is a valid multisignature on the message $m$ with respect to $L$. This algorithm is deterministic.

3.2 Multisignature Security in Plain Public-Key Model

The attacks of an adversary $A$ against multisignature schemes are to forge a group of signers $L$ and a multisignature of some message such that the latter is accepted by a verifier whereas some signers of the group $L$ did not sign the message. We give the adversary the power to request the private key of all but one signer, and its goal is to frame this honest signer. The adversary can choose the public keys of the other signers arbitrarily, even as a function of the public key of the honest signer. The adversary $A$ is given the global information params, a challenge public key $pk^*$ corresponding to the honest signer, and signing and hash oracles. His goal is to output a forged message-group-multisignature tuple $(m, L, \sigma)$, such that the honest signer, who did not complete the multisignature generation protocol on the input message $m$, is in $L$ and $\mathrm{MS.Vrfy}(params, m, L, \sigma) = 1$.

Let $A$ be an adversary against the multisignature scheme, which consists of four algorithms Setup, KGen, MSign, and Vrfy. As in the previous works on multisignatures, e.g. [1, 16], we define multisignature security as Universal Unforgeability (UU) under a Chosen Message Attack (CMA) against a single honest player. Namely, we define $\mathrm{Adv}^{uu\text{-}cma}_{MS}(A)$ to be the probability that experiment $\mathrm{Exp}^{uu\text{-}cma}_{MS}(A)$ described in Table 2 outputs 1. A multisignature scheme is said to be $(t, q_S, q_H, N, \varepsilon)$-secure in the random oracle model if $\mathrm{Adv}^{uu\text{-}cma}_{MS}(A) \leq \varepsilon$ for every adversary $A$ that runs in time at most $t$, makes at most $q_S$ signing queries with the honest signer, at most $q_H$ random oracle queries, and the number of signers in $L$ involved in any signing query or in the forgery is at most $N$.


Table 2. Chosen Message Attack against Multisignature in the Plain public-key model

Experiment $\mathrm{Exp}^{uu\text{-}cma}_{MS}(A)$:
  params $\leftarrow$ Setup($1^k$); $(sk^*, pk^*) \leftarrow$ KGen(params); List $\leftarrow \emptyset$;
  Run $A$(params, $pk^*$), and for every signature query $m$ made by $A$ do the following:
    1. List $\leftarrow$ List $\cup \{(m, L)\}$, where $L$ is the list of users participating in signing the message $m$;
    2. Execute protocol MSign on behalf of an honest player on inputs (params, $m$, $sk^*$, $L$), forwarding messages to and from $A$.
  When $A$ halts, parse its output as $(m, L, \sigma)$.
  If $(m, L) \notin$ List, $pk_1 = pk^*$ and Vrfy(params, $m$, $L$, $\sigma$) = 1 then return 1. Otherwise return 0.

4 A Multisignature Scheme Based on the CDH Problem

4.1 The Chevallier-Mames Signature Scheme

In order to give some intuition into our scheme, we briefly recall the variant of the EDL signature scheme presented in [9].

Let $G$ be a cyclic group of prime order $p$, $g$ be a generator of $G$ and let $H$, $G$ be two collision-resistant hash functions. To sign a message $m$, a signer $U$, having private/public key pair $(x, y)$, does as follows:

– chooses $k \in \mathbb{Z}_p$ at random;
– computes $u = g^k$, $h = H(u)$, $z = h^x$ and $v = h^k$;
– queries $c = G(m, g, h, y, z, u, v)$ and computes $s = k + cx$;
– outputs $\sigma = (z, s, c) \in G \times \mathbb{Z}_p^2$ as the signature of $m$.

To verify a signature $\sigma = (z, s, c)$ for $m$, one computes $u' = g^s y^{-c}$, $h' = H(u')$ and $v' = h'^s z^{-c}$. The signature $\sigma$ is accepted iff $c = G(m, g, h', y, z, u', v')$.

The Chevallier-Mames signature scheme [9] is the most efficient among the variants of the EDL scheme [8, 10, 11, 13, 15] under the CDH assumption.

4.2 Our Multisignature Scheme

In our multisignature generation protocol, each signer computes and uses an independent challenge $c_i = G(y_i, L, u, m, g, h)$ in the proofs of knowledge of equality of discrete logarithms. This way, pointed out by Bellare and Neven [4], allows us to avoid the KOSK and KR models. Thus, we first modify the Chevallier-Mames signatures as follows: let a signature of a message $m$ under public key $y \in G$ be a quadruplet $(u, v, z, s) \in G^3 \times \mathbb{Z}_p$ such that $g^s = u y^c$ and $h^s = v z^c$, where $h = H(u)$ and $c = G(m, g, h, y, z, u, v)$. In order to aggregate individual signatures $(u_i, v_i, z_i, s_i)$, for $1 \leq i \leq n$, of a common message $m$ under public keys $PK = \{y_1, y_2, \dots, y_n\}$, we may let a multisignature be a tuple $(u, v, s, \{z_i\}_{i=1}^n)$ such that:

$$g^s = u \cdot \prod_{i=1}^n y_i^{c_i} \quad\text{and}\quad h^s = v \cdot \prod_{i=1}^n z_i^{c_i},$$

where $u = \prod_{i=1}^n u_i$, $v = \prod_{i=1}^n v_i$ and $s = \sum_{i=1}^n s_i$. Because the challenges $c_i$ are different, we cannot aggregate the individual shares $z_i$. The size of the multisignature thereby grows linearly with the number of signers. To solve this problem, we propose to use a pairing. A multisignature may be a triple $(u, z, s) \in G^2 \times \mathbb{Z}_p$ such that:

$$g^s = u \cdot \prod_{i=1}^n y_i^{c_i} \quad\text{and}\quad e(z, g) = e\Big(h, \prod_{i=1}^n y_i\Big),$$

where $h = H(u)$, $c_i = G(y_i, L, u, m, g, h)$. The values $u$, $z$ (and $s$) are typically computed as the product (resp. the sum) of the individual shares $u_i$, $z_i$ (resp. $s_i$) contributed by each signer.

In describing the scheme, we assume the signers directly send and receive messages to each other over a point-to-point network. Like in [4], to avoid using the rewinding technique in the security proof, our scheme requires an additional communication round between signers, in which each signer first makes an additional random oracle query on its individual share $u$ and then sends this challenge to every other signer before sending $u$. This prevents the forger from knowing the value of the individual share $u$ before the simulator does. The simulator can thereby imitate the oracle so as to produce commitments and challenges simultaneously.

Let G, GT be cyclic groups of prime order p in which G provides admissibleparings, let k be a security parameter. Three cryptographic hash functions: H0 :G → {0, 1}l0,H1 : G → G and G : {0, 1}∗ → Zp. We remark that H0, H1 andG will be viewed as random oracles in our security proof. The multisignaturescheme MS = Setup, KGen, MSign, Vrfy works as follows:

Parameter generation (Setup): A trusted center generates a random gener-ator g ∈ G∗ and publishes params = (G, GT , e, g,H0,H1,G) as system wideparameters.

Key generation (KGen): On input 1k, each signer picks a random numberx

R← Zp as his private key. The corresponding public key is y = gx.Signing (MSign): Suppose that L = {P1, P2, . . . , Pn} is a group of n signers

that wish to sign a common message m, each having as input its own publicand secret key as well as a multiset of public keys Pk = {y1, y2, . . . , yn} ofthe other signers. We also stress that the signers P1, . . . , Pn are merely localreferences to co-signers, defined by one signer within one protocol instance.The signing process, which is interactive, consists of three rounds:Round 1. Each signer Pi ∈ L:

- picks a random number ri ∈ Zp;- computes its individual commitment ui = gri ;- queries H0 to compute the challenge hi = H0(ui);- sends hi to every other signer.

Round 2. Each signer Pi ∈ L:- receives hj from signer j, for 1 ≤ j ≤ n, j �= i;- sends ui to signer j.

Round 3. Each signer Pi ∈ L:- receives uj from signer j, for 1 ≤ j ≤ n, j �= i;- checks whether hj = H0(uj) for all 1 ≤ j ≤ n, j �= i. If not, abort

the protocol. Otherwise,- computes u =

∏ni=1 ui, h = H1(u) and zi = hxi .

Page 50: Pairing-Based Cryptography - Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

42 D.-P. Le, A. Bonnecaze, and A. Gabillon

- queries $c_i = G(y_i, u, Pk, m, g, h)$ and computes $s_i = r_i + x_i c_i \bmod p$;
- sends $z_i, s_i$ to every signer j, $1 \le j \le n$, $j \ne i$.

After receiving $z_j, s_j$ from signer j, for $1 \le j \le n$, $j \ne i$, each signer $P_i \in L$:
- computes $z = \prod_{i=1}^{n} z_i$ and $s = \sum_{i=1}^{n} s_i \bmod p$;
- outputs the signature $\sigma = (u, z, s)$.

Verification (Vrfy): To verify a signature σ on a message m for a group L whose public keys form the multiset $Pk = \{y_1, \ldots, y_n\}$, one proceeds as follows:
- Compute $h = H_1(u)$;
- Compute $c_i = G(y_i, u, Pk, m, g, h)$ for all $1 \le i \le n$;
- Check whether
$$g^{s} = u \cdot \prod_{i=1}^{n} y_i^{c_i} \qquad\text{and}\qquad e(z, g) = e\Big(h, \prod_{i=1}^{n} y_i\Big).$$
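Correctness of the two verification equations, written out as an added derivation (not part of the original text) in the scheme's own symbols. With $s = \sum_i s_i = \sum_i (r_i + x_i c_i)$ and $z = \prod_i z_i = \prod_i h^{x_i}$,

$$g^{s} = \prod_{i=1}^{n} g^{r_i} \cdot \prod_{i=1}^{n} (g^{x_i})^{c_i} = u \cdot \prod_{i=1}^{n} y_i^{c_i}, \qquad e(z, g) = e\Big(h^{\sum_i x_i}, g\Big) = e\Big(h, g^{\sum_i x_i}\Big) = e\Big(h, \prod_{i=1}^{n} y_i\Big).$$

The first equation is the Schnorr-type check on (u, s), in which every $y_i$ is bound through its own challenge $c_i$; the second uses bilinearity to check that z is $h^{\sum_i x_i}$ for the same aggregate key, i.e. that $\log_g(\prod_i y_i) = \log_h z$, which is the equality of discrete logarithms the reduction in Section 5 relies on.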

5 Security Analysis

In this section we reduce the security of the proposed multisignature scheme to the CDH problem in the group G equipped with the bilinear map e. The main technique used to obtain a tight proof of security is a proof of equality of discrete logarithms (see [11] for details). Let N be the maximum number of signers participating in one protocol instance. The following theorem implies that the proposed multisignature scheme is secure if the CDH assumption holds in G.

Theorem 1. The proposed multisignature scheme is $(t, q_H, q_S, N, \varepsilon)$-unforgeable if the CDH problem is $(t', \varepsilon')$-hard in G, where

$$\varepsilon' \ge \varepsilon - \frac{(q_H + N q_S + 1)^2}{2^{l_0}} - \frac{q_S\big((N+1) q_H + 2 q_S\big)}{p}$$

and

$$t' \le t + 6 q_S\, t_{exp} + O\big((q_S + q_H)(1 + q_H + N q_S)\big),$$

where $t_{exp}$ is the time of an exponentiation in G.

Proof. We are given a group G and a CDH challenge $(g, g^{x}, g^{a})$. Let A be a polynomial-time forger that $(t, q_H, q_S, \varepsilon)$-breaks the proposed scheme. We construct an algorithm B which, by interacting with A, $(t', \varepsilon')$-breaks this challenge, i.e. computes $g^{ax}$. The forger A, after $q_H$ queries to the random oracles ($H_0$, $H_1$ and G) and $q_S$ signature queries, produces a multisignature forgery with probability ε within time t.

Assume that A is attacking the honest signer $P^*$. B runs A on input the system parameters and the target public key $y^* = g^{x}$. As in [4], we make use of a list T which assigns a unique index $1 \le i \le q_H + N q_S$ to each public key y occurring either as a co-signer's public key in one of A's signature queries or as the first item in the argument of one of A's queries to G, and a table $G[\cdot, \cdot]$ used to simulate the random oracle G. B uses a counter ctr, initially zero, indicating the current index of this list, and sets $T[y^*] \leftarrow 0$. It responds to A's oracle queries, essentially at random, as follows:


Multisignatures as Secure as the Diffie-Hellman Problem 43

Queries to $H_0$. In response to a query $H_0(u_i)$, B first checks whether the output of $H_0$ on this input has already been defined. If so, B returns the previously assigned value. Otherwise, B returns a value chosen uniformly at random from $\{0,1\}^{l_0}$. All queried values $u_i$ are stored in a list called H.

Queries to $H_1$. In response to a query $H_1(u)$ from the forger A, B picks a random $d \in \mathbb{Z}_p$, records d, and returns $g^{a} \cdot g^{d}$. All queried values u are stored in a list called U.

Queries to G. In response to a query to G, B first parses the argument of the query into two parts, y and Q. If T[y] is undefined, B increments ctr and sets $T[y] \leftarrow ctr$. If G[ctr, Q] has not yet been defined, B assigns random values to G[i, Q] for all $1 \le i \le q_H + N q_S$, and assigns to G[0, Q] one of the values $e_1, \ldots, e_{q_H + q_S} \in \mathbb{Z}_p$ picked at random in advance.

Signing query on m with group of users L: Signature queries to the honest signer $P^*$ consist of three rounds. First, the adversary provides m and L to $P^*$ and receives the individual challenge $h^*$ in response. Second, playing the role of the remaining signers, A provides the challenges $h_i$ to $P^*$ and receives $u^*$ in response. Third, A provides the commitments $u_i$ to $P^*$ and receives $z^*, s^*$ in response. Note that no rewinding is required in the simulation, since the joint commitment u is not provided to the simulator by the adversary. In detail, signature queries are answered as follows:

First, B checks whether $P^* \notin L$; if so, B returns ⊥ to A. Otherwise it parses the public keys of the signers in L as $Pk = \{y_1 = y^*, y_2, \ldots, y_n\}$. Then B checks whether $T[y_i]$, for $i \in \{2, \ldots, n\}$, has already been defined; if not, it increments ctr and sets $T[y_i] \leftarrow ctr$. B sets $c_1$ to one of the values $e_1, \ldots, e_{q_H + q_S}$ chosen at random in advance, generates $(\gamma, s_1) \in \mathbb{Z}_p^2$ at random, and computes $u_1 = g^{s_1} y^{-c_1}$. It sets $h_1 = H_0(u_1)$ and sends it to all signers.

After receiving $h_2, \ldots, h_n$ from the adversary A, B looks up in the list H, for each i, a value $u_i$ with $h_i = H_0(u_i)$. If several such values are found for some i, B stops (Event 1). If no such value is found for some i, it sets alert ← true and sends $u_1$ to all co-signers; otherwise B computes $u = \prod_{i=1}^{n} u_i$. If $H_1(u)$ is already set, B fails and stops (Event 2). Else B sets $h = H_1(u) = g^{\gamma}$ and computes $z_1 = y_1^{\gamma} = (g^{x})^{\gamma} = h^{x}$; note that $DL_g(y_1) = DL_h(z_1)\,(= x)$. Then B checks whether G[0, Q] has already been defined for $Q = \langle u, Pk, m, g, h \rangle$. If so, it fails and stops (Event 3). If not, it sets $G(y_1, u, Pk, m, g, h) = G[0, Q] = c_1$, chooses $G[i, Q] \leftarrow_R \mathbb{Z}_p$ for all $1 \le i \le q_H + N q_S$, and sends $u_1$ to all co-signers.

After receiving $u_2, \ldots, u_n$ from A, B verifies that $h_i = H_0(u_i)$ for all $1 \le i \le n$. If not, it returns ⊥ to A. If alert = true, B fails and stops (Event 4). Else it sends $(z_1, s_1)$ to all co-signers.

After receiving $(z_2, s_2), \ldots, (z_n, s_n)$ from the co-signers (i.e. from A), B computes $z = \prod_{i=1}^{n} z_i$ and $s = \sum_{i=1}^{n} s_i$ and returns the valid signature (u, z, s). All values u computed during signature queries are stored in a list called Y.



This simulation is faithful except when one of the following events occurs:

– Event 1: There exist two values $u_i \ne u_i'$ with $h_i = H_0(u_i) = H_0(u_i')$ for some i, i.e. at least one collision occurred in $H_0$. As the outputs of $H_0$ are chosen at random from $\{0,1\}^{l_0}$ and there are at most $q_{H_0} + N q_S$ queries to $H_0$, the probability that at least one collision occurs is at most
$$\frac{(q_{H_0} + N q_S)(q_{H_0} + N q_S + 1)/2}{2^{l_0}} \le \frac{(q_{H_0} + N q_S + 1)^2}{2^{l_0 + 1}}.$$

– Event 2: As u is a random element of G, the probability that $H_1(u)$ is already set is at most $(q_{H_1} + q_S)/p$ for one signature query. For $q_S$ signature queries the failure probability is thus at most $q_S(q_{H_1} + q_S)/p$.

– Event 3: B aborts in Event 3 only if it runs into an input $\langle 0, u, Pk, m, g, h \rangle = \langle 0, u, Pk, m, g, g^{\gamma} \rangle$ on which G has already been queried, for $\gamma \in \mathbb{Z}_p^*$. But since Event 2 did not happen, $H_1(u)$ had not yet been defined, so γ is completely unknown to the adversary. The probability that $G(0, u, Pk, m, g, h)$ is already set is therefore at most $(q_G + q_S)/p$ for one signature query, and at most $q_S(q_G + q_S)/p$ over $q_S$ signature queries.

– Event 4: A must have predicted the value $H_0(u_i)$ for at least one $1 \le i \le n$, which it can do with probability at most $N/2^{l_0}$ for one signature query, and at most $q_S N / 2^{l_0}$ over $q_S$ signature queries.

In conclusion, except with failure probability
$$\delta_{stop} = \frac{(q_{H_0} + N q_S + 1)^2}{2^{l_0+1}} + \frac{q_S(q_{H_1} + q_S)}{p} + \frac{q_S(q_G + q_S)}{p} + \frac{q_S N}{2^{l_0}} \le \frac{(q_{H_0} + N q_S + 1)^2}{2^{l_0}} + \frac{q_S(q_{H_1} + q_G + 2 q_S)}{p},$$
the simulation is successful.

Eventually, A halts and outputs an attempted forgery σ = (u, z, s) on some message m along with $L = \{P^*, P_2, \ldots, P_n\}$. It must not previously have requested a signature on m with L. In addition, it outputs the private keys $(x_2, \ldots, x_n)$ of all signers except the challenge signer $P^*$ (whose key is x). B first makes the additional random-oracle queries $G(y_i, u, Pk, m, g, h)$ for $1 \le i \le n$, thereby making sure that $T[y_i]$ is defined.

We distinguish two cases: either u belongs to the list U, or u belongs to the list Y.

In the first case, B first computes $h = H_1(u)$ and then $z_1 = z / \prod_{i=2}^{n} h^{x_i}$. If A's forgery is valid, B returns $(u, z, s, h, z_1)$. We argue that, with all but negligible probability, $z_1 = h^{x}$; if so, we say that $z_1$ is good. Indeed, if $z_1$ is not good then for any pair of group elements (A, B) there is at most one value c for which there exists an s satisfying $A = g^{s} y^{c}$ and $B = h^{s} z_1^{c}$ (Lemma 1 in [11]). Hence, if $z_1$ is not good, then for any hash query $G(y_1, u, Pk, m, g, h)$ made by A the probability that the query returns a c for which such an s exists is



at most 1/p. It follows that the probability that A outputs a valid forgery where $z_1$ is not good is at most $q_G/p$. Otherwise, with d the value B recorded when answering $H_1(u) = g^{a} g^{d}$, the CDH problem is solved as follows:
$$\frac{z_1}{y^{d}} = \frac{h^{x}}{y^{d}} = \frac{(g^{a} g^{d})^{x}}{(g^{x})^{d}} = g^{ax}.$$
In conclusion, in the first case, except with failure probability $\delta_1 = q_G/p$,

the forgery can be used to solve the CDH problem.

In the second case, u is a member of Y. This case can happen because there is no message in the input of $H_1$, so the attacker may reuse a u corresponding to a signature returned by the signing oracle. B can then recover from its logs all quantities corresponding to this $u = \bar{u}$, i.e. $(\bar{h}, \{(\bar{z}_i, \bar{s}_i, \bar{c}_i)\}_{i=1..n}, \bar{m})$. At this point we have
$$u = g^{s} \prod_{i=1}^{n} y_i^{-c_i} = \bar{u} = g^{\bar{s}} \prod_{i=1}^{n} y_i^{-\bar{c}_i}.$$
This is exactly the kind of relation the forking lemma provides to prove (loose) security, but here the equality is obtained by construction rather than by restarting the attacker. More precisely, we can easily recover the private key x as long as $c_1 \ne \bar{c}_1 \bmod p$.

As the pair (Pk, m) is new, $c_i \ne \bar{c}_i$ for $1 \le i \le n$ unless a collision on G occurred between a value returned during the signature simulation and a value returned by a direct G query, which happens with probability at most $N q_S \cdot q_G / p$. Hence, except with error probability at most $\delta_2 = N q_S \cdot q_G / p$, we have $c_1 \ne \bar{c}_1$ and can recover x. The equation $s - \sum_{i=1}^{n} x_i c_i = \bar{s} - \sum_{i=1}^{n} x_i \bar{c}_i \pmod p$ gives
$$x = x_1 = \frac{s - \bar{s}}{c_1 - \bar{c}_1} - \sum_{i=2}^{n} x_i \frac{c_i - \bar{c}_i}{c_1 - \bar{c}_1} \pmod p.$$
So this second case gives not only the solution to the CDH challenge but also the discrete logarithm x itself.
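The two places where B gets by without x, the signature simulation of the signing-query answer above (choose $c_1$ and $s_1$ first, derive $u_1 = g^{s_1} y^{-c_1}$, then program G) and the key extraction of this second case, carried out on the Schnorr-type component (u, s) of the scheme as an added example; this is illustrative code written for this page, not the authors' implementation. Assumptions: a toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, q = 2p + 1 a safe prime), the oracle G modelled as a SHA-256-backed table that B may program, the pairing component z left out because neither trick touches it, and a "forger" that is handed $x^*$ only so that the demo can produce the second valid signature on the same u.

```python
"""Added example, not the paper's code: the two random-oracle tricks of the
reduction B in Section 5, restricted to the Schnorr-type part (u, s) of the
scheme. Toy group: the order-1019 subgroup of Z_2039^* (an assumption)."""
import hashlib

Q, P, GEN = 2039, 1019, 4          # q = 2p + 1; 4 is a square mod q, so <4> has order p


def hash_to_zp(*parts):            # default (unprogrammed) answer of the oracle G
    data = b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


class Oracle:
    """Random oracle G with the table G[., Q] that B keeps in the proof."""
    def __init__(self):
        self.table = {}

    def program(self, key, value):
        if key in self.table:      # Event 3 of the proof: B would have to abort
            raise RuntimeError("G already defined on this input")
        self.table[key] = value

    def query(self, key):
        return self.table.setdefault(key, hash_to_zp(*key))


def simulate_share(oracle, y_star, cosigner_u, pks, m, c1, s1):
    """B's share for P* without x: c1, s1 are fixed first, u1 = g^s1 * y*^-c1
    is derived, and once the joint u is known G(y*, u, Pk, m) is set to c1."""
    u1 = pow(GEN, s1, Q) * pow(y_star, P - c1, Q) % Q   # y^-c1 == y^(p - c1)
    u = u1
    for uj in cosigner_u:
        u = u * uj % Q
    oracle.program((y_star, u, pks, m), c1)
    return u1, u


def aggregate_ok(u, s, pks, cs):
    """Verifier's first equation: g^s = u * prod_i y_i^{c_i}."""
    rhs = u
    for y, c in zip(pks, cs):
        rhs = rhs * pow(y, c, Q) % Q
    return pow(GEN, s, Q) == rhs


def extract_key(s, c1, s_bar, c1_bar, cosigner_x, cs, cs_bar):
    """Second case of the proof: two valid aggregates on the same u with
    c1 != c1_bar give x = (s - s_bar - sum_i x_i (c_i - c_i_bar)) / (c1 - c1_bar)."""
    d = (c1 - c1_bar) % P
    if d == 0:
        raise ValueError("same challenge for P*: nothing to extract")
    num = (s - s_bar) % P
    for xi, ci, ci_bar in zip(cosigner_x, cs, cs_bar):
        num = (num - xi * (ci - ci_bar)) % P
    return num * pow(d, P - 2, P) % P      # division via the Fermat inverse


def run_reduction_demo(x_star=123, x2=77, r2=31, c1=17, s1=900):
    """Constructed scenario: B answers one signing query on m without x*;
    afterwards a forger reuses the same joint u on a fresh message m' (the
    forger is given x* here only so the demo can build that forgery).
    Returns (simulation verifies, forgery verifies, recovered key)."""
    y_star, y2 = pow(GEN, x_star, Q), pow(GEN, x2, Q)
    pks = (y_star, y2)
    oracle, u2, m = Oracle(), pow(GEN, r2, Q), b"m"
    u1, u = simulate_share(oracle, y_star, [u2], pks, m, c1, s1)
    c2 = oracle.query((y2, u, pks, m))
    s = (s1 + r2 + x2 * c2) % P                        # joint signature (u, s) on m
    sim_ok = aggregate_ok(u1, s1, (y_star,), (c1,)) and aggregate_ok(u, s, pks, (c1, c2))
    # Forgery on m' reusing u: needs r* = s1 - x* c1 and the co-signer's secret;
    # pick m' until P*'s challenge differs from c1 (the delta_2 event otherwise).
    r_star = (s1 - x_star * c1) % P
    for i in range(1, 10):
        m_bar = b"m'%d" % i
        c1_bar = oracle.query((y_star, u, pks, m_bar))
        if c1_bar != c1:
            break
    c2_bar = oracle.query((y2, u, pks, m_bar))
    s_bar = (r_star + x_star * c1_bar + r2 + x2 * c2_bar) % P
    forgery_ok = aggregate_ok(u, s_bar, pks, (c1_bar, c2_bar))
    x_rec = extract_key(s, c1, s_bar, c1_bar, [x2], [c2], [c2_bar])
    return sim_ok, forgery_ok, x_rec
```

`extract_key` divides by $c_1 - \bar{c}_1$ and therefore raises when the two challenges for $P^*$ coincide, which is exactly the $\delta_2$ event the proof excludes; `Oracle.program` raises when the entry is already defined, which is Event 3 of the simulation.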

Summing the probabilities, in both cases B can use the forgery produced by the adversary to solve CDH. The success probability ε' satisfies $\varepsilon' \ge \varepsilon - \delta_{stop} - \max(\delta_1, \delta_2)$. Thus,
$$\begin{aligned}
\varepsilon' &\ge \varepsilon - \frac{(q_{H_0} + N q_S + 1)^2}{2^{l_0}} - \frac{q_S(q_{H_1} + q_G + 2 q_S)}{p} - \max\Big(\frac{q_G}{p}, \frac{N q_S \cdot q_G}{p}\Big) \\
&\ge \varepsilon - \frac{(q_{H_0} + N q_S + 1)^2}{2^{l_0}} - \frac{q_S(q_{H_1} + (N+1) q_G + 2 q_S)}{p} \\
&\ge \varepsilon - \frac{(q_H + N q_S + 1)^2}{2^{l_0}} - \frac{q_S((N+1) q_H + 2 q_S)}{p},
\end{aligned}$$
and the running time t' satisfies
$$t' \le t + 6 q_S\, t_{exp} + O\big((q_S + q_H)(1 + q_H + N q_S)\big),$$
where $q_H = q_{H_0} + q_{H_1} + q_G$ and $t_{exp}$ is the time of an exponentiation in G.

6 A Multisignature Scheme Based on the DDH Problem

The previous scheme makes use of GDH groups. In this section, we present a more efficient multisignature scheme which relies on the decisional



Diffie-Hellman (DDH) problem, a stronger assumption than CDH, in groups without pairings. Our construction is based on the Katz-Wang signature scheme [15], which works as follows:

Let G be a cyclic group of prime order p, g a generator of G, $h \in G$ chosen at random, and $H : \{0,1\}^* \to \{0,1\}^{l_0}$ a hash function. A Katz-Wang signature on a message m under the public key $(y_1, y_2)$ is a triple (A, B, s) such that $g^{s} = A\, y_1^{c}$ and $h^{s} = B\, y_2^{c}$, where $A = g^{r}$, $B = h^{r}$ and $c = H(A, B, m)$.

We slightly modify the Katz-Wang scheme [15] so that it extends easily to multisignatures. The idea of using Katz-Wang signatures to construct multisignatures was first suggested by Bellare and Neven in Section 6 of [4] as a further result.

6.1 Our Multisignature Scheme

As before, let G be a cyclic group of prime order p and k a security parameter; no pairing is needed for this scheme. We use two cryptographic hash functions, $H : G \to \{0,1\}^{l_0}$ and $G : \{0,1\}^* \to \mathbb{Z}_p$. Our second scheme is defined as follows:

Parameter generation. A trusted center chooses a generator $g \in G^*$ and $h \in G$ at random, and publishes $params = (G, g, h, H, G)$ as system-wide parameters.

Key generation. On input $1^k$, each signer picks a random number $x_i \leftarrow_R \mathbb{Z}_p$ as his private key. The corresponding public key is $PK_i = (y_i, z_i) = (g^{x_i}, h^{x_i})$.

Signing. Suppose that $L = \{P_1, P_2, \ldots, P_n\}$ is a group of n signers that wish to sign a common message m, each having as input its own public and secret key as well as the multiset of public keys $Pk = \{PK_1, \ldots, PK_n\}$ of the other signers. Again, the signers $P_1, \ldots, P_n$ are merely local references to co-signers, defined by one signer within one protocol instance. The signing process, which is interactive, consists of four rounds; in each round every signer sends a message to, and receives a message from, every other signer.

Round 1. Each signer $P_i \in L$:
- picks a random number $r_i \in \mathbb{Z}_p$;
- computes its individual commitments $u_i = g^{r_i}$ and $v_i = h^{r_i}$, then queries H to compute the challenges $h_i = H(u_i)$ and $t_i = H(v_i)$;
- sends $h_i, t_i$ to every other signer.

Round 2. Each signer $P_i \in L$:
- receives $h_j, t_j$ from signer j, for $1 \le j \le n$, $j \ne i$;
- sends $u_i, v_i$ to signer j.

Round 3. Each signer $P_i \in L$:
- receives $u_j, v_j$ from signer j, for $1 \le j \le n$, $j \ne i$;
- checks whether $h_j = H(u_j)$ and $t_j = H(v_j)$ for all $1 \le j \le n$, $j \ne i$. If not, aborts the protocol. Otherwise, computes $u = \prod_{i=1}^{n} u_i$ and $v = \prod_{i=1}^{n} v_i$;
- queries $c_i = G(PK_i, u, v, Pk, m, g, h)$ and computes $s_i = r_i + x_i c_i \bmod p$;
- sends $s_i$ to signer j.



After receiving $s_j$ from every signer j, each signer $P_i \in L$:
- computes $s = \sum_{i=1}^{n} s_i \bmod p$;
- outputs the signature σ = (u, v, s).

Verification. Given a signature σ, the list of signers L and the message m, the verifier computes $c_i = G(PK_i, u, v, Pk, m, g, h)$ for all $1 \le i \le n$ and tests whether
$$g^{s} = u \cdot \prod_{i=1}^{n} y_i^{c_i} \qquad\text{and}\qquad h^{s} = v \cdot \prod_{i=1}^{n} z_i^{c_i}.$$
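The four-round protocol and the verification above, run end to end as an added example; this is illustrative code written for this page, not the authors' implementation. It instantiates the scheme in the order-p subgroup of $\mathbb{Z}_q^*$ for a safe prime q = 2p + 1 found at import time (a 64-bit toy group chosen for speed, an assumption; a deployment would use a standardised group), builds H and G from SHA-256, and simulates all n signers in one process so that the round messages are passed around explicitly. The `tamper` flag makes one signer open a commitment it never hashed, which the Round 3 check of every other signer must reject.

```python
"""Added example, not the paper's code: the DDH-based multisignature of
Section 6.1 run end to end in the order-p subgroup of Z_q^*, q = 2p + 1.
Assumed: a 64-bit toy safe prime found at import time, H and G built from
SHA-256, and all n signers simulated in one process."""
import hashlib
import secrets

MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with the bases above."""
    if n < 2:
        return False
    for a in MR_BASES:
        if n % a == 0:
            return n == a
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=64):
    """Trusted centre: safe prime q = 2p + 1 and generators g, h of order p."""
    p = (1 << (bits - 1)) | 1
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 2
    q = 2 * p + 1
    h = pow(secrets.randbelow(q - 3) + 2, 2, q)  # random square, never 1
    return p, q, 4, h                            # g = 4 = 2^2 has order p

def enc(*ints):
    return b"".join(i.to_bytes(32, "big") for i in ints)

def H(x):                                        # H : G -> {0,1}^256
    return hashlib.sha256(b"H|" + enc(x)).digest()

def G(pk, u, v, pks, m, g, h, p):                # G : {0,1}* -> Z_p
    data = b"G|" + enc(*pk, u, v) + b"".join(enc(*k) for k in sorted(pks))
    data += len(m).to_bytes(4, "big") + m + enc(g, h)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def keygen(params):
    p, q, g, h = params
    x = secrets.randbelow(p - 1) + 1
    return x, (pow(g, x, q), pow(h, x, q))       # PK = (y, z) = (g^x, h^x)

class Signer:
    def __init__(self, params, idx, x, pks, m):
        self.p, self.q, self.g, self.h = params
        self.idx, self.x, self.pks, self.m = idx, x, pks, m

    def round1(self):                 # commit to (u_i, v_i) through H
        self.r = secrets.randbelow(self.p)
        self.u, self.v = pow(self.g, self.r, self.q), pow(self.h, self.r, self.q)
        return H(self.u), H(self.v)

    def round2(self):                 # open the commitments
        return self.u, self.v

    def round3(self, hashes, opens):  # check co-signers' openings, then sign
        u, v = 1, 1
        for j, ((hj, tj), (uj, vj)) in enumerate(zip(hashes, opens)):
            if j != self.idx and (H(uj) != hj or H(vj) != tj):
                raise ValueError("opening does not match commitment: abort")
            u, v = u * uj % self.q, v * vj % self.q
        c = G(self.pks[self.idx], u, v, self.pks, self.m, self.g, self.h, self.p)
        return u, v, (self.r + self.x * c) % self.p

def multisign(params, keys, m, tamper=False):
    """Run the rounds for every signer and aggregate. With tamper=True signer 0
    opens a u it did not commit to, which the others' Round 3 check rejects."""
    pks = [pk for _, pk in keys]
    signers = [Signer(params, i, x, pks, m) for i, (x, _) in enumerate(keys)]
    hashes = [sg.round1() for sg in signers]
    opens = [sg.round2() for sg in signers]
    if tamper:
        opens[0] = (opens[0][0] * params[2] % params[1], opens[0][1])
    u, v, s = 1, 1, 0
    for sg in signers:
        u, v, si = sg.round3(hashes, opens)
        s = (s + si) % params[0]
    return u, v, s

def verify(params, pks, m, sig):
    """g^s = u * prod y_i^{c_i}  and  h^s = v * prod z_i^{c_i}."""
    p, q, g, h = params
    u, v, s = sig
    ry, rz = u, v
    for pk in pks:
        c = G(pk, u, v, pks, m, g, h, p)
        ry, rz = ry * pow(pk[0], c, q) % q, rz * pow(pk[1], c, q) % q
    return pow(g, s, q) == ry and pow(h, s, q) == rz
```

`multisign` followed by `verify` on the same message and key list succeeds; changing the message or swapping in a public key that did not take part makes `verify` fail, and a tampered opening is caught by the Round 3 check (the protocol aborts) rather than surfacing as a bad signature. The per-signer challenge $c_i$ covers $PK_i$ and the whole multiset Pk, which is what stops a signer from choosing its key as a function of the others' keys.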

6.2 Security

Theorem 2. The proposed multisignature scheme is $(t, q_H, q_S, N, \varepsilon)$-unforgeable if the DDH problem is $(t', \varepsilon')$-hard in G, where

$$\varepsilon' \ge \varepsilon - \frac{(q_H + N q_S + 1)^2}{2^{l_0}} - \frac{2 q_S(q_H + N q_S) + q_G + 1}{p}$$

and

$$t' \le t + O(q_S\, t_{exp}).$$

The proof of this theorem is found in Appendix A.

7 Conclusion

At CCS'06, Bellare and Neven introduced the first multisignature scheme provably secure against rogue-key attacks in the plain public-key model. Their scheme is, however, only loosely related to the CDH problem in the random-oracle model, since its security proof relies on the general forking lemma.

In this paper, we have presented two efficient multisignature schemes that are proven secure against rogue-key attacks in the plain public-key model. Their security is tightly related to the CDH problem and to the DDH problem respectively, in the random-oracle model; in this sense they are almost as secure as the Diffie-Hellman problems themselves. Our signatures are the first to provide exact security while guaranteeing security against rogue-key attacks in the plain public-key model.

Acknowledgments

The authors thank Gregory Neven for his detailed and helpful comments on the manuscript, and the anonymous referees for valuable feedback. This work was supported by Conseil General des Landes and the French Ministry for Research under Project ANR-07-SESU-FLUOR.

References

1. Bagherzandi, A., Jarecki, S.: Multisignatures using proofs of secret key possession, as secure as the Diffie-Hellman problem. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 218–235. Springer, Heidelberg (2008)



2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)

3. Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdzinski, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411–422. Springer, Heidelberg (2007)

4. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS 2006: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 390–399. ACM Press, New York (2006)

5. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)

6. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)

7. Boyd, C.: Digital multisignatures. In: Cryptography and Coding, pp. 241–246. Oxford University Press, Oxford (1989)

8. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)

9. Chevallier-Mames, B.: An efficient CDH-based signature scheme with a tight security reduction. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 511–526. Springer, Heidelberg (2005)

10. Goh, E.-J., Jarecki, S.: A signature scheme as secure as the Diffie-Hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003)

11. Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight security reductions to the Diffie-Hellman problems. Journal of Cryptology 20(4), 493–514 (2007)

12. Itakura, K., Nakamura, K.: A public key cryptosystem suitable for digital multisignatures. NEC Research and Development 71, 1–8 (1983)

13. Jakobsson, M., Schnorr, C.-P.: Efficient oblivious proofs of correct exponentiation. In: CMS 1999: Communications and Multimedia Security. IFIP Conference Proceedings, vol. 152, pp. 71–86. Kluwer, Dordrecht (1999)

14. Joux, A., Nguyen, K.: Separating Decision Diffie-Hellman from Computational Diffie-Hellman in cryptographic groups. J. Cryptology 16(4), 239–247 (2003)

15. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: CCS 2003: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 155–164 (2003)

16. Micali, S., Ohta, K., Reyzin, L.: Accountable-subgroup multisignatures. In: CCS 2001: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 245–254. ACM Press, New York (2001)

17. Micali, S., Reyzin, L.: Improving the exact security of digital signature schemes. J. Cryptology 15(1), 1–18 (2002)

18. Okamoto, T.: A digital multisignature scheme using bijective public-key cryptosystems. ACM Trans. Comput. Syst. 6(4), 432–441 (1988)

19. Ristenpart, T., Yilek, S.: The power of proofs-of-possession: Securing multiparty signatures against rogue-key attacks. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 228–245. Springer, Heidelberg (2007)



A Proof of Theorem 2

Proof. Assume we have a polynomial-time forger A that runs in time at most t, makes at most $q_H$ hash queries and at most $q_S$ signature queries, and outputs a valid multisignature with probability at least ε. We construct an algorithm B which, by interacting with A, solves the DDH problem with probability ε' within time t'.

Informally, the aim of B is to determine whether a tuple $(g, h, y_1, z_1)$ is a random tuple or a Diffie-Hellman tuple. Assume that A is attacking the honest signer $P^*$, whose public key is $PK^* = (y_1, z_1)$. B sets $PK_1 = (y_1, z_1)$ and runs A on input $PK^*$. B simulates the signing and hash oracles for A as follows:

First, B maintains initially empty associative lists H and G, used to simulate the random oracles H and G respectively. As before, we use a list T which assigns a unique index $1 \le i \le q_H + N q_S$ to each public key PK occurring either as a co-signer's public key in one of A's signature queries or as the first item in the argument of one of A's queries to G. B uses a counter ctr, initially zero, indicating the current index of this list, and sets $T[PK^*] \leftarrow 0$. It responds to A's oracle queries, essentially at random, as follows:

Queries to H. In response to a query $H(u_i)$ or $H(v_i)$, B first checks whether the output of H on this input has already been defined. If so, B returns the previously assigned value. Otherwise, B returns a value chosen uniformly at random from $\{0,1\}^{l_0}$. All queried values $u_i, v_i$ are stored in the list H.

Queries to G. In response to a query to G, B first parses the argument of the query into two parts, PK and Q. If T[PK] is undefined, B increments ctr and sets $T[PK] \leftarrow ctr$. If G[ctr, Q] is undefined, B assigns random values to G[i, Q] for all $1 \le i \le q_H + N q_S$, and assigns to G[0, Q] one of the values $e_1, \ldots, e_{q_H + q_S} \in \mathbb{Z}_p$ picked at random in advance.

Signing query on m with group of users L. Signature queries to the honest signer $P^*$ consist of three rounds. First, the adversary provides m and L to $P^*$ and receives the individual challenges $h^*, t^*$ in response. Second, playing the role of the remaining signers, A provides the challenges $h_i, t_i$ to $P^*$ and receives $u^*, v^*$ in response. Third, A provides the commitments $u_i, v_i$ to $P^*$ and receives $s^*$ in response. As stated above, since it is not the adversary that provides the joint commitments u, v to the simulator, no rewinding is needed. In detail, signature queries are answered as follows:

First, B checks whether $P^* \notin L$; if so, B returns ⊥ to A. Otherwise it parses the public keys of the signers in L as $Pk = \{PK_1 = PK^*, PK_2, \ldots, PK_n\}$. Then B checks whether $T[PK_i]$, for $i \in \{2, \ldots, n\}$, has already been defined; if not, it increments ctr and sets $T[PK_i] \leftarrow ctr$. Then, B sets $c_1$ at random



as one of the values $e_1, \ldots, e_{q_H + q_S}$ chosen in advance. B picks $s_1 \in \mathbb{Z}_p$ at random and computes $u_1 = g^{s_1} y_1^{-c_1}$ and $v_1 = h^{s_1} z_1^{-c_1}$. It sets $h_1 = H(u_1)$ and $t_1 = H(v_1)$ and sends them to all signers.

After receiving $h_2, \ldots, h_n$ and $t_2, \ldots, t_n$ from the adversary A, B looks up in the list H, for each i, values $u_i, v_i$ with $h_i = H(u_i)$ and $t_i = H(v_i)$. If several such values are found for some i, B stops (Event 1). If no such value is found for some i, it sets alert ← true and sends $u_1, v_1$ to all co-signers; otherwise B computes $u = \prod_{i=1}^{n} u_i$ and $v = \prod_{i=1}^{n} v_i$. Then B checks whether G[0, Q] has already been defined for $Q = \langle u, v, Pk, m, g, h \rangle$. If so, it fails and stops (Event 2). If not, it sets $G(PK_1, u, v, Pk, m, g, h) = G[0, Q] = c_1$, chooses $G[i, Q] \leftarrow_R \mathbb{Z}_p$ for all $1 \le i \le q_H + N q_S$, and sends $u_1, v_1$ to all co-signers.

After receiving $u_2, v_2, \ldots, u_n, v_n$ from A, B verifies that $h_i = H(u_i)$ and $t_i = H(v_i)$ for all $1 \le i \le n$. If not, it returns ⊥ to A. If alert = true, B fails and stops (Event 3). Else it sends $s_1$ to all co-signers.

After receiving $s_2, \ldots, s_n$ from the co-signers (i.e. from A), B computes $s = \sum_{i=1}^{n} s_i$ and returns the valid signature (u, v, s).

This simulation is faithful except when one of the following events occurs:

– Event 1: There exist two values $u_i \ne u_i'$ or $v_i \ne v_i'$ with $h_i = H(u_i) = H(u_i')$ or $t_i = H(v_i) = H(v_i')$ for some i, i.e. at least one collision occurred in H. As the outputs of H are chosen at random from $\{0,1\}^{l_0}$ and there are at most $q_H + N q_S$ queries to H, the probability that at least one collision occurs is at most
$$\frac{(q_H + N q_S)(q_H + N q_S + 1)/2}{2^{l_0}} \le \frac{(q_H + N q_S + 1)^2}{2^{l_0+1}}.$$

– Event 2: B aborts in Event 2 only if it runs into an input $\langle 0, u, v, Pk, m, g, h \rangle$ on which G has already been queried. We distinguish the case in which $H(u_1)$ and $H(v_1)$ were previously queried by the forger from the case in which they were not. In the first case, A probably knows u and v and may have deliberately queried $G(PK, u, v, Pk, m, g, h)$ for some PK. But since $u_1, v_1$ were chosen by B independently of A's view at the beginning of the signing protocol, the probability that A queried $H(u_1)$ and $H(v_1)$ is at most $(q_H + N q_S)/p$ for one signature query. In the second case, A's view is completely independent of $u_1$ and $v_1$, and hence of u and v. The probability that u and v occurred by chance in a previous query to G, or were set by B in one of the $i-1$ previous signature simulations, is at most $(q_G + q_S)/p$ for one signature query. For $q_S$ signature queries the failure probability is thus at most
$$\frac{q_S\big((q_H + N q_S) + (q_G + q_S)\big)}{p} \le \frac{q_S(q_H + (N+1) q_S)}{p},$$
where from here on $q_H$ denotes the total number of hash queries, i.e. the previous $q_H$ plus $q_G$.

– Event 3: A must have predicted the value $H(u_i)$ or $H(v_i)$ for at least one $1 \le i \le n$, which it can do with probability at most $N/2^{l_0}$ for one signature query, and at most $q_S N/2^{l_0}$ over $q_S$ signature queries.



In conclusion, except with failure probability
$$\delta_{stop} = \frac{(q_H + N q_S + 1)^2}{2^{l_0+1}} + \frac{q_S(q_H + (N+1) q_S)}{p} + \frac{q_S N}{2^{l_0}} \le \frac{(q_H + N q_S + 1)^2}{2^{l_0}} + \frac{q_S(q_H + (N+1) q_S)}{p},$$
the simulation is successful.

Eventually, A halts and outputs an attempted forgery $\sigma = (u, v, s, \{s_i\}_{i=2..n})$ on some message m along with $L = \{P^*, P_2, \ldots, P_n\}$. It must not previously have requested a signature on m with L. In addition, it outputs the private keys $(x_2, \ldots, x_n)$ of all signers except the challenge signer $P^*$ (whose key is x). B first makes the additional random-oracle queries $G(PK_i, u, v, Pk, m, g, h)$ for $1 \le i \le n$, thereby making sure that $T[PK_i]$ is defined.

If A's forgery is valid, B outputs 1; otherwise it outputs 0. If $(g, h, y_1, z_1)$ is a Diffie-Hellman tuple, then so are $(g, h, y_i, z_i)$ for every $P_i$ (A reveals $x_2, \ldots, x_n$) and hence $(g, h, y, z)$ with $y = \prod_{i=1}^{n} y_i$ and $z = \prod_{i=1}^{n} z_i$; in this case the simulation is faithful and B outputs 1 with probability at least $\varepsilon - \delta_{stop}$.

On the other hand, if $(g, h, y_1, z_1)$ is a random tuple, then $(g, h, y, z)$ is not a Diffie-Hellman tuple with probability $1 - 1/p$. In this case, for any u, v and any query $G(PK_1, u, v, Pk, m, g, h)$ made by A, there is at most one value c for which there exists an s satisfying $u = g^{s} y_1^{-c}$ and $v = h^{s} z_1^{-c}$ (Lemma 1 in [11]). Thus A outputs a valid forgery (and hence B outputs 1) with probability at most $1/p + q_G/p \le (q_G + 1)/p$.

Summing the probabilities, we see that
$$\begin{aligned}
\Big|\Pr\big[B(g, g^{x}, g^{y}, g^{xy}) = 1\big] - \Pr\big[B(g, g^{x}, g^{y}, g^{z}) = 1\big]\Big| &\ge \varepsilon - \delta_{stop} - \frac{q_G + 1}{p} \\
&\ge \varepsilon - \frac{(q_H + N q_S + 1)^2}{2^{l_0}} - \frac{q_S(q_H + (N+1) q_S)}{p} - \frac{q_G + 1}{p} \\
&\ge \varepsilon - \frac{(q_H + N q_S + 1)^2}{2^{l_0}} - \frac{q_S(q_H + (N+1) q_S) + q_G + 1}{p},
\end{aligned}$$
where the probabilities are taken over $x, y, z \leftarrow \mathbb{Z}_p$,

and the running time t' satisfies
$$t' \le t + O(q_S\, t_{exp}),$$
where $t_{exp}$ is the time of an exponentiation in G.


On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

Naomi Benger1, Manuel Charlemagne1, and David Mandell Freeman2

1 School of Computing, Dublin City University, Ireland, {nbenger,mcharlemagne}@computing.dcu.ie
2 CWI and Universiteit Leiden, Netherlands


Abstract. Let A be an abelian variety defined over a non-prime finite field $\mathbb{F}_q$ that has embedding degree k with respect to a subgroup of prime order r. In this paper we give explicit conditions on q, k, and r that imply that the minimal embedding field of A with respect to r is $\mathbb{F}_{q^k}$. When these conditions hold, the embedding degree k is a good measure of the security level of a pairing-based cryptosystem that uses A.

We apply our theorem to supersingular elliptic curves and to supersingular genus 2 curves, in each case computing a maximum ρ-value for which the minimal embedding field must be $\mathbb{F}_{q^k}$. Our results are in most cases stronger (i.e., give larger allowable ρ-values) than previously known results for supersingular varieties, and our theorem holds for general abelian varieties, not only supersingular ones.

1 Introduction

Suppose we wish to implement a pairing-based cryptosystem using the Weil or Tate pairing on an abelian variety A defined over a finite field $\mathbb{F}_q$ of q elements. For our implementation to be both efficient and secure, we need (1) the group $A(\mathbb{F}_q)$ to contain a subgroup of large prime order r, and (2) the group of rth roots of unity $\mu_r \subset \overline{\mathbb{F}}_q$ to be contained in an extension field $\mathbb{F}_{q^k}$ that is both large enough for the discrete logarithm problem in $\mathbb{F}_{q^k}^*$ to be computationally infeasible and small enough for the pairing to be computed efficiently. The degree k of this extension is known as the embedding degree of A (with respect to r).

The embedding degree of A is commonly used as a measure of the security level of our pairing-based cryptosystem. However, Rubin and Silverberg [15] and Hitt [10] observed that when the field size q is not prime, the rth roots of unity may be contained in a proper subfield $F \subset \mathbb{F}_{q^k}$. If F has cardinality $q^{k'}$, where k' is rational and $k' \le k$, it follows that the security level is more accurately determined by k' than by k. Thus, given an abelian variety $A/\mathbb{F}_q$ with embedding degree k and q not prime, to determine the security level of cryptosystems using A one must check whether the smallest $F \subset \mathbb{F}_{q^k}$ containing $\mu_r$, known as the minimal embedding field of A (with respect to r), is in fact $\mathbb{F}_{q^k}$.
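A small computation, added here as an illustration and not part of the paper, makes the distinction between k and k' concrete: k is the multiplicative order of q modulo r (the least k with $r \mid q^k - 1$), whereas $\mu_r$ already lies in $\mathbb{F}_{p^d}$ for d the order of the characteristic p modulo r, and no smaller field contains it; so for $q = p^m$ the minimal embedding field has $q^{d/m}$ elements and $k' = d/m$. The parameters in the functions' docstrings and the test values are constructed toy inputs, not curves from the paper.

```python
"""Added example, not from the paper: embedding degree k versus the exponent
k' of the minimal embedding field, computed from the definitions in the text.
All inputs are toy values constructed for the demonstration."""
import math
from fractions import Fraction


def mult_order(a, r):
    """Smallest d >= 1 with a^d = 1 (mod r); requires gcd(a, r) = 1 and r > 1."""
    if r < 2 or math.gcd(a, r) != 1:
        raise ValueError("a must be invertible modulo r")
    d, x = 1, a % r
    while x != 1:
        x = x * a % r
        d += 1
    return d


def embedding_degree(q, r):
    """k = ord_r(q): the least k with r | q^k - 1, i.e. mu_r inside F_{q^k}."""
    return mult_order(q, r)


def minimal_embedding_exponent(p, m, r):
    """For q = p^m, mu_r lies in F_{p^d} with d = ord_r(p) and in no smaller
    field; that field has q^{k'} elements with k' = d / m (a rational number)."""
    return Fraction(mult_order(p, r), m)


def security_overstated(p, m, r):
    """True when the minimal embedding field is a proper subfield of F_{q^k},
    i.e. k' < k and the finite-field DLP actually lives in a smaller field.
    Example: p = 2, m = 2 (q = 4), r = 7 gives k = 3 but k' = 3/2."""
    return minimal_embedding_exponent(p, m, r) < embedding_degree(p ** m, r)
```

For q = 4 = 2^2 and r = 7 the embedding degree is 3, so $\mathbb{F}_{q^k} = \mathbb{F}_{64}$, yet $\mu_7 \subset \mathbb{F}_8$ because 7 divides $2^3 - 1$; the minimal embedding field has $4^{3/2}$ elements and k' = 3/2. Over a prime field the two notions agree (for q = 11 and r = 7, k = k' = 3), which is why the issue only arises for non-prime q.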

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 52–65, 2009. © Springer-Verlag Berlin Heidelberg 2009



The purpose of this paper is to answer the following question: given an abelian variety $A/\mathbb{F}_q$ that has embedding degree k with respect to r, how can we guarantee that the minimal embedding field of A with respect to r is $\mathbb{F}_{q^k}$?

Rubin and Silverberg [16] have answered this question in the case where A is supersingular by demonstrating a lower bound on r that guarantees that the minimal embedding field is $\mathbb{F}_{q^k}$. Their bound depends on q and on the dimension g of the supersingular abelian variety, but not on k.

The main result of this paper gives explicit conditions on q, r, and k that guarantee that the minimal embedding field of an abelian variety $A/\mathbb{F}_q$, supersingular or not, with embedding degree k with respect to r is in fact $\mathbb{F}_{q^k}$. The conditions lead to a lower bound on r that depends on q and k, but not on the dimension g. When A is a supersingular elliptic curve or abelian surface, our bound improves on the result of Rubin and Silverberg in most of the cases relevant to cryptography. Our result thus guarantees that more abelian varieties are suitable for use in pairing-based cryptography than any previous result did.

Our main theorem appears in Section 2. In Section 3 we apply our main theorem to the case of supersingular elliptic curves, which are known to have embedding degree k ∈ {1, 2, 3, 4, 6}. We conclude that when k is even and either the group order r is sufficiently large or the extension degree m is prime, then the minimal embedding field is $\mathbb{F}_{q^k}$. In particular, we deduce that the observation of Hitt and Rubin and Silverberg has no effect on the supersingular elliptic curves in characteristic 2 or 3 that are preferred for the implementation of pairing-based cryptosystems. When k is odd and r is sufficiently large we show that the minimal embedding field is either $\mathbb{F}_{q^k}$ or $\mathbb{F}_{q^{k/2}}$, depending on the sign of the trace of Frobenius. (In this case q is necessarily a square.)

Section 4 gives analogous results for some supersingular abelian varieties of dimension g ≥ 2. Finally, in Section 5 we present some open problems related to this work.

2 A Framework for Analyzing the Minimal Embedding Field

In this section we set up the framework for our analysis of the minimal embedding field of abelian varieties. After giving formal definitions, we discuss the results of Hitt [10] and Rubin and Silverberg [15], and then state our main theorem.

We first recall some standard terminology and notation. If K is a field then $\overline{K}$ denotes an algebraic closure of K. If q is a prime power then $\mathbb{F}_q$ denotes a field of q elements. We assume that we have fixed in advance a model of each finite field $\mathbb{F}_q$ (e.g. [2]) as well as embeddings $\mathbb{F}_q \hookrightarrow \mathbb{F}_{q^d}$ for every positive integer d. An abelian variety is a smooth, projective, geometrically integral group variety. If A is an abelian variety defined over a field K, we denote by A(K) the group of K-rational points of A. An elliptic curve is a one-dimensional abelian variety. An elliptic curve E over a field K of characteristic p is supersingular if $E(\overline{K})$ has no p-torsion points. A general abelian variety is supersingular if it is isogenous (over $\overline{K}$) to a product of supersingular elliptic curves. An abelian variety A defined over K is simple if it is not isogenous over K to a product of lower-dimensional abelian varieties.

54 N. Benger, M. Charlemagne, and D.M. Freeman

Definition 2.1. Let A be an abelian variety defined over $\mathbb{F}_q$, where $q = p^m$ for some prime p and integer m. Let $r \neq p$ be a prime dividing $\#A(\mathbb{F}_q)$. The embedding degree of A with respect to r is the smallest integer k such that r divides $q^k - 1$.

Definition 2.2. Let A, q, and r be as above. The minimal embedding field of A with respect to r is the smallest extension of $\mathbb{F}_p$ containing the rth roots of unity $\mu_r \subset \overline{\mathbb{F}}_p$.

If $A/\mathbb{F}_q$ has embedding degree k with respect to r, then $\mathbb{F}_{q^k}$ is the smallest extension of $\mathbb{F}_q$ containing the rth roots of unity. In particular, the r-Weil pairing ([17, §III.8] and [14, §16]) and the r-Tate pairing [4] take values in a subgroup and a quotient group of $\mathbb{F}_{q^k}^*$, respectively. The key observation made by Rubin and Silverberg [15] and Hitt [10] is that these pairings actually take values in the minimal embedding field and that this field may be a proper subfield of $\mathbb{F}_{q^k}$. This observation, found in different forms in each paper, is expressed by Hitt as follows:

Lemma 2.3 ([10, Lemma 1]). Let $q = p^m$ for some prime p and positive integer m, let $r \neq p$ be a prime, and let k be the smallest integer such that r divides $q^k - 1$. Then

$$k = \frac{\mathrm{ord}_r(p)}{\gcd(\mathrm{ord}_r(p),\, m)},$$

where $\mathrm{ord}_r(p)$ is the order of p in $(\mathbb{Z}/r\mathbb{Z})^*$.

A result of this lemma is that the minimal embedding field of an abelian variety $A/\mathbb{F}_q$ is $\mathbb{F}_{q^{k'}}$, where $k' = \mathrm{ord}_r(p)/m \in \mathbb{Q}$, which is not necessarily the same as $\mathbb{F}_{q^k}$. Since the security of a pairing-based cryptosystem using A is determined by k′, this result implies that such a cryptosystem could be significantly less secure than previously believed. Indeed, Hitt gives examples of abelian varieties where k/k′ = m, which is the largest possible ratio for these parameters [10, §4]. It is important to note that when the abelian variety is defined over a prime field (i.e., when m = 1) Hitt’s lemma has no effect, as the minimal embedding field is always $\mathbb{F}_{q^k}$.

A natural question following from Lemma 2.3 is in what cases the embedding degree k is an accurate indicator of security. More precisely, we have:

Question 2.4. Let A be an abelian variety over $\mathbb{F}_q$ that has embedding degree k with respect to r. Is the minimal embedding field of A with respect to r equal to $\mathbb{F}_{q^k}$?

Our goal is to give explicit conditions on q, r, and k such that the answer to Question 2.4 is yes.


In the case where $A/\mathbb{F}_q$ is supersingular and elementary (i.e., isogenous over $\mathbb{F}_q$ to a power of a simple abelian variety), Rubin and Silverberg have given conditions on q, r, and k that imply an affirmative answer to Question 2.4. Their theorem is phrased in terms of the cryptographic exponent $c_A$, which is defined only for supersingular varieties. When A has embedding degree k with respect to a prime r and $r \nmid 2k$, the cryptographic exponent is the smallest half-integer $c_A$ such that r divides $q^{c_A} - 1$. Thus $c_A$ is equal to either k or k/2; the latter can only occur when q is a square and k is odd [16, Definition 4.1 and Theorem 6.1].

Theorem 2.5 ([15, Theorem 7] and [16, Theorem 6.3]). Suppose A is an elementary supersingular abelian variety of dimension g over $\mathbb{F}_q$, $q = p^m$, $r \neq p$ is a prime divisor of $\#A(\mathbb{F}_q)$, and s is the multiplicative order of p mod r. Let $F_A(x) \in \mathbb{Z}[x]$ be the characteristic polynomial of Frobenius for A, and let f be the unique integer such that $F_A(x)^{1/f}$ is irreducible in $\mathbb{Z}[x]$. If q is a square, assume $r > (1 + p)^{mg/2f}$. If q is not a square, assume $r > (1 + \sqrt{p})^{2mg/3f}$ and r > 7. Then $p^s = q^{c_{A,q}}$, so $\mathbb{F}_{q^{c_{A,q}}}$ is the smallest extension of $\mathbb{F}_p$ whose multiplicative group has a subgroup of order r.

We now turn our attention to proving our own bounds, which will apply to all abelian varieties, not just supersingular ones, and will improve on the bounds in Theorem 2.5 in many cases.

Our theorem depends crucially on some results about cyclotomic polynomials. For k ∈ ℕ, the kth cyclotomic polynomial $\Phi_k \in \mathbb{Z}[x]$ is the minimal polynomial of a primitive kth root of unity in $\overline{\mathbb{Q}}$. The following lemma demonstrates the relevance of these polynomials to our problem.

Lemma 2.6. Let $q = p^m$ be a prime power, and $A/\mathbb{F}_q$ be an abelian variety. Let $r \neq p$ be a prime dividing $\#A(\mathbb{F}_q)$, and let k, s be integers not divisible by r. Then

1. A has embedding degree k with respect to r if and only if $r \mid \Phi_k(q)$.
2. The minimal embedding field of A with respect to r is $\mathbb{F}_{p^s}$ if and only if $r \mid \Phi_s(p)$.

Proof. The first statement appears e.g. as [5, Proposition 2.4]; we observe that the same proof applies to the second statement.

Lemma 2.6 allows us to rephrase Question 2.4 as follows: given that r divides $\Phi_k(p^m)$, does r divide $\Phi_{km}(p)$? To answer the question in this form we will use the following properties of cyclotomic polynomials, which appear in or can be easily derived from the discussion of [12, §VI.3].

Fact 2.7. Let $\Phi_k(x)$ denote the kth cyclotomic polynomial. Then

1. $x^k - 1 = \prod_{d \mid k} \Phi_d(x)$.
2. The degree of $\Phi_k(x)$ is $\varphi(k) := \#\{e \in \mathbb{Z} : 1 \le e \le k \text{ and } \gcd(e, k) = 1\}$.
3. If ℓ is a prime not dividing k, then $\Phi_k(x^\ell) = \Phi_{k\ell}(x)\,\Phi_k(x)$.
4. If ℓ is a prime dividing k, then $\Phi_k(x^\ell) = \Phi_{k\ell}(x)$.

We will also use the following lemma, an alternative proof of which can be found in [16, Lemma 5.2].

Lemma 2.8. If k and m are coprime, then

$$\Phi_k(x^m) = \prod_{d \mid m} \Phi_{kd}(x). \qquad (2.1)$$

Proof. We first compare the degrees of the polynomials on each side of (2.1). Clearly the left hand side has degree mϕ(k). Now for any coprime numbers x and y we have ϕ(xy) = ϕ(x)ϕ(y). Since (k, m) = 1 by assumption it is also true that (k, d) = 1 for all d | m. It follows that the degree of the right hand side of (2.1) is $\varphi(k) \sum_{d \mid m} \varphi(d)$, which by Fact 2.7 (1) and (2) is equal to mϕ(k).

We next compare the roots of the two polynomials. First, we observe that by Fact 2.7 (1) the right hand side divides $x^{km} - 1$ and thus has only simple roots. Now suppose ζ is a root of $\Phi_{kd}(x)$ for some d | m. Since ζ is a primitive kdth root of unity, $\zeta^d$ is a primitive kth root of unity. Write m = de. Since gcd(k, e) = 1, it follows that $(\zeta^d)^e = \zeta^m$ is also a primitive kth root of unity, so ζ is also a root of $\Phi_k(x^m)$.

Since the two polynomials in (2.1) are both monic and have the same degree, and furthermore all roots of the right hand side are simple and are also roots of the left hand side, we conclude that the two polynomials are equal.

We are now prepared to give our main theorem, which we state as a fact about cyclotomic polynomials only, without reference to abelian varieties.

Theorem 2.9. Let k be a positive integer, $p^m$ a prime power, and r a prime. Write m = αβ, where every prime dividing α also divides k and gcd(k, β) = 1. (This factorization is unique.) Denote by e the smallest prime factor of β. Suppose $r \mid \Phi_k(p^m)$ and that one of the following holds:

1. m = α (and β = 1);
2. β is prime and $r > \Phi_{k\alpha}(p)$;
3. $r > p^{km/e}$; or
4. $4 \mid m$ or $2 \mid k$, and $r > p^{km/2e} + 1$.

Then $r \mid \Phi_{km}(p)$.

Proof. We first note that Fact 2.7 (4) implies

$$\Phi_k(p^m) = \Phi_{k\alpha}(p^\beta). \qquad (2.2)$$

Since kα and β are coprime, Lemma 2.8 implies that $\Phi_k(p^m)$ has $\Phi_{km}(p)$ as a factor. Our strategy in each case is to show that the remaining factors of $\Phi_k(p^m)$ are all smaller than r. Since r is prime, it then follows that if r divides $\Phi_k(p^m)$ then r divides $\Phi_{km}(p)$.


We now consider each case separately:

1. Since m = α it follows immediately that $\Phi_k(p^m) = \Phi_{km}(p)$.

2. Since β is a prime not dividing kα, equation (2.2) and Fact 2.7 (3) imply that

$$\Phi_k(p^m) = \Phi_{k\alpha\beta}(p)\,\Phi_{k\alpha}(p) = \Phi_{km}(p)\,\Phi_{k\alpha}(p).$$

Since $r > \Phi_{k\alpha}(p)$, it follows that $r \mid \Phi_{km}(p)$.

3. By equation (2.2) and Lemma 2.8 we have

$$\Phi_k(p^m) = \prod_{d \mid \beta} \Phi_{kd\alpha}(p) = \prod_{d \mid \beta} \Phi_{km/d}(p). \qquad (2.3)$$

By assumption we have $r > p^{km/d}$ for all $d \mid \beta$ except for d = 1, and by Fact 2.7 (1) we have $p^{km/d} > \Phi_{km/d}(p)$ for all such d. It follows that $r \mid \Phi_{km}(p)$.

4. Given the factorization of $\Phi_k(p^m)$ as in (2.3), the same analysis as in Case 3 shows that $r > \Phi_{km/d}(p)$ for all $d \mid \beta$ with $d \ge 2e$. Since e is the smallest prime dividing β, if $d \mid \beta$ and $1 < d < 2e$ then d is prime, so it suffices to show that $r > \Phi_{km/d}(p)$ for all primes d dividing β. Let d be such a prime. The assumption $4 \mid m$ or $2 \mid k$ then implies that km/d is even. In this case we have $x^{km/d} - 1 = (x^{km/2d} + 1)(x^{km/2d} - 1)$, and $\Phi_{km/d}(x)$ must divide the first factor by Fact 2.7 (1). Since $d \ge e$, if $r > p^{km/2e} + 1$ then $r > \Phi_{km/d}(p)$.

Using Lemma 2.6 to interpret Theorem 2.9 in the context of abelian varieties, we obtain the following corollary:

Corollary 2.10. Let A be an abelian variety over $\mathbb{F}_q$, where $q = p^m$ with p prime. Let $r \neq p$ be a prime dividing $\#A(\mathbb{F}_q)$, and suppose A has embedding degree k with respect to r. Assume that $r \nmid km$. If q, k, and r satisfy any of the conditions (1)–(4) of Theorem 2.9, then the minimal embedding field of A with respect to r is $\mathbb{F}_{p^{km}}$.

We note that in the case where m is prime, which is usually recommended for cryptographic applications in order to prevent Weil descent attacks (e.g., [8,9]), we usually have $r \approx p^{mg}$ (where g = dim A) and $m \nmid k$, so we are in case (2) of Theorem 2.9. If p is small (p = 2 and p = 3 are common choices) then in this situation the bound on r given by the theorem is very weak; i.e., A will have minimal embedding field $\mathbb{F}_{p^{km}}$ with respect to any r that is even remotely close to cryptographic size.
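As an added worked example (this is not code from the paper or its authors), the following Python turns Lemma 2.3, Lemma 2.6, Theorem 2.9 and Corollary 2.10 into arithmetic that can be checked directly. It evaluates cyclotomic polynomials through the Möbius product $\Phi_k(x) = \prod_{d \mid k}(x^d - 1)^{\mu(k/d)}$, computes the embedding degree and the minimal embedding field from $\mathrm{ord}_r(p)$, splits m = αβ as in Theorem 2.9 and tests its four conditions in order. The parameters it runs on ($q = 2^3$ with r = 5 and r = 13, $q = 2^7$ with r = 29, $q = 2^{15}$ with r = 151, $q = 2^9$ with r = 19) are constructed for illustration and are not tied to any particular abelian variety; the function names are my own. The constants it reproduces, $\Phi_4(2) = 5$, $\Phi_6(3) = 7$, $\Phi_{30}(3) = 8401$ and 781, are the ones that appear in Propositions 3.2, 3.3, 4.1 and 4.2 below; 781 is obtained, under my reading of Proposition 4.1, as the maximum of $\Phi_k(p)$ over p ∈ {2, 3, 5} and the embedding degrees k listed in Table 1.

```python
from math import gcd


def mobius(n):
    """Möbius function μ(n), by trial division."""
    result, d = 1, 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:          # d^2 | n, so μ(n) = 0
                return 0
            result = -result
        d += 1
    return -result if n > 1 else result   # a leftover prime flips the sign once more

def smallest_prime_factor(n):
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n

def is_prime(n):
    return n > 1 and smallest_prime_factor(n) == n

def cyclotomic(k, x):
    """Phi_k(x) for an integer x >= 2, via Phi_k(x) = prod_{d|k} (x^d - 1)^{mu(k/d)}.
    The identity is exact, so the closing integer division leaves no remainder."""
    num = den = 1
    for d in range(1, k + 1):
        if k % d == 0:
            mu = mobius(k // d)
            if mu == 1:
                num *= x ** d - 1
            elif mu == -1:
                den *= x ** d - 1
    return num // den

def multiplicative_order(p, r):
    """ord_r(p), the order of p in (Z/rZ)^*; requires gcd(p, r) = 1."""
    s, acc = 1, p % r
    while acc != 1:
        acc, s = acc * p % r, s + 1
    return s

def embedding_degree(p, m, r):
    """Lemma 2.3: the embedding degree of A/F_{p^m} w.r.t. r is ord_r(p)/gcd(ord_r(p), m)."""
    s = multiplicative_order(p, r)
    return s // gcd(s, m)

def hitt_example(p=2, m=3, r=5):
    """Constructed parameters (not from the paper). Returns (k, s, k/k'): F_{q^k} is the
    field the embedding degree points at, F_{p^s} with s = ord_r(p) is the minimal
    embedding field (so k' = s/m), and k/k' = km/s is the ratio Hitt discusses."""
    k, s = embedding_degree(p, m, r), multiplicative_order(p, r)
    # Lemma 2.6: r | Phi_k(q) characterises k, and r | Phi_s(p) characterises s.
    assert cyclotomic(k, p ** m) % r == 0 and cyclotomic(s, p) % r == 0
    return k, s, k * m // s

def split_alpha_beta(m, k):
    """m = alpha*beta with every prime of alpha dividing k and gcd(k, beta) = 1."""
    alpha, beta = 1, m
    while gcd(beta, k) > 1:
        g = gcd(beta, k)
        alpha, beta = alpha * g, beta // g
    return alpha, beta

def theorem_2_9(k, p, m, r):
    """Number of the first condition (1)-(4) of Theorem 2.9 that holds for (k, p^m, r),
    or None. Hypotheses of the theorem: r is prime and r | Phi_k(p^m)."""
    if cyclotomic(k, p ** m) % r != 0:
        raise ValueError("hypothesis r | Phi_k(p^m) does not hold")
    alpha, beta = split_alpha_beta(m, k)
    if beta == 1:                                           # (1) m = alpha
        return 1
    if is_prime(beta) and r > cyclotomic(k * alpha, p):     # (2) r > Phi_{k alpha}(p)
        return 2
    e = smallest_prime_factor(beta)
    if r > p ** (k * m // e):                               # (3) r > p^{km/e}
        return 3
    if (m % 4 == 0 or k % 2 == 0) and r > p ** (k * m // (2 * e)) + 1:  # (4)
        return 4
    return None

def corollary_2_10(p, m, r, k):
    """Degree over F_p of the minimal embedding field guaranteed by Corollary 2.10
    (km, i.e. the field F_{q^k}); None when r | km or when no condition holds."""
    if (k * m) % r == 0:
        return None
    return k * m if theorem_2_9(k, p, m, r) is not None else None

def prop_4_1_bound(primes=(2, 3, 5), degrees=(1, 2, 3, 4, 5, 6, 12)):
    """max Phi_k(p) over the characteristics of Proposition 4.1 and the embedding
    degrees of Table 1; condition (2) then holds for every prime r above it."""
    return max(cyclotomic(k, p) for p in primes for k in degrees)

if __name__ == "__main__":
    print(hitt_example())            # (4, 4, 3): k = 4, yet mu_5 already lies in F_{2^4}
    print(theorem_2_9(4, 2, 3, 13))  # 2: r = 13 > Phi_4(2) = 5, so the field is F_{2^12}
    print(theorem_2_9(4, 2, 3, 5))   # None: r = 5 clears none of the bounds
    print(prop_4_1_bound())          # 781
```

The q = 8, r = 5 case is the phenomenon of Lemma 2.3 in miniature: 5 divides $8^4 - 1$, so the embedding degree is 4 and $\mathbb{F}_{q^4} = \mathbb{F}_{2^{12}}$, but $\mathrm{ord}_5(2) = 4$ puts $\mu_5$ inside $\mathbb{F}_{2^4}$, giving k′ = 4/3 and k/k′ = 3 = m. For r = 13 over the same field, Theorem 2.9 applies through condition (2) and Corollary 2.10 returns km = 12, which agrees with $\mathrm{ord}_{13}(2) = 12$; for r = 5 no condition holds, and the theorem correctly declines to certify the field.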

Ideally we would also like to apply Theorem 2.9 to abelian varieties over finite fields that are not pairing-friendly. Specifically, if $A/\mathbb{F}_q$ is an abelian variety chosen for a non-pairing-based cryptographic protocol, one wants to make sure that the discrete logarithm problem in $A(\mathbb{F}_q)[r]$ cannot be reduced to a more tractable discrete logarithm problem in a finite field. Thus one must ensure not only that the embedding degree k is sufficiently large, but also that the minimal embedding field is sufficiently large. However, if $k \gg m$ and the dimension g is small then none of the conditions of Theorem 2.9 can be expected to hold: condition (1) is very unlikely and conditions (2)–(4) would require $r \gg q^g$, which is impossible.


Remark 2.11. If k is odd and m is even then $\Phi_k(x^m) = \Phi_k(x^{m/2})\,\Phi_{2k}(x^{m/2})$. Since ϕ(k) = ϕ(2k) for odd k, these two factors have the same degree and we cannot use the above techniques to show that r divides $\Phi_{km}(p)$ and does not divide $\Phi_{km/2}(p)$. Applying Theorem 2.9 recursively to each factor allows us to determine conditions on q, k, and r guaranteeing that r divides one of the two expressions $\Phi_{km}(p)$ and $\Phi_{km/2}(p)$, but additional information is needed to determine which one. In the context of pairing-friendly curves, this situation rarely occurs as even embedding degrees are preferred, as are prime values for m. However, see Propositions 3.6 and 3.8 below for some specific cases where it does occur.

3 Supersingular Elliptic Curves over Non-prime Fields

In this section we focus on supersingular elliptic curves, which are the most well known pairing-friendly abelian varieties defined over non-prime fields. If E is an elliptic curve defined over the finite field $\mathbb{F}_q$, then the number of $\mathbb{F}_q$-rational points is given by $\#E(\mathbb{F}_q) = q + 1 - t$, where t is the trace of the q-power Frobenius endomorphism. A theorem of Hasse (the “Hasse-Weil bound”) says that $|t| \le 2\sqrt{q}$ [17, Theorem V.1.1]. An elliptic curve E is supersingular if and only if gcd(t, q) > 1 [17, Ex. 5.10].

Menezes, Okamoto and Vanstone [13] gave a complete classification of supersingular elliptic curves over finite fields $\mathbb{F}_q$, with $q = p^m$. They showed that five possible embedding degrees k can occur, corresponding to five possible absolute values of the trace of Frobenius t:

k | t | $\#E(\mathbb{F}_q)$ | p, m
1 | $\pm 2\sqrt{q}$ | $q \mp 2\sqrt{q} + 1$ | any p, m even
2 | 0 | q + 1 | any p, any m
3 | $\pm\sqrt{q}$ | $q \mp \sqrt{q} + 1$ | p ≡ 2 mod 3, m even
4 | $\pm\sqrt{2q}$ | $q \mp \sqrt{2q} + 1$ | p = 2, m odd
6 | $\pm\sqrt{3q}$ | $q \mp \sqrt{3q} + 1$ | p = 3, m odd

When comparing the sizes of r and q as in Theorem 2.5, it is useful to introduce a parameter ρ, which roughly approximates the ratio of the bit size of the entire group $A(\mathbb{F}_q)$ to the bit size of r.

Definition 3.1. Let A be a g-dimensional abelian variety over $\mathbb{F}_q$, and suppose r divides $\#A(\mathbb{F}_q)$. The ρ-value of A (with respect to r), denoted ρ(A), is $\dfrac{g \log q}{\log r}$.

Since the speed of computations on $A(\mathbb{F}_q)$ is, to an extent, determined by $\#A(\mathbb{F}_q) \approx q^g$ but security is determined by the size of r, for fast implementations one usually wishes to choose an A with r as close to $\#A(\mathbb{F}_q)$ as possible; that is, with ρ-value as close to 1 as possible. In practice one must also take into account the balance of security required for a fixed k [5, Table 1.1] as well as the cost of arithmetic and pairing operations on the elliptic curves under consideration.


We first consider the families of supersingular elliptic curves with embedding degrees 4 and 6, in characteristic 2 and 3 respectively. These families are often proposed for use in pairing-based cryptography as their embedding degrees are the maximum possible for supersingular elliptic curves, it is easy to generate curves of near-prime order, and there has been much work on optimizing curve arithmetic in small characteristic (e.g., [3, §13.3]). We conclude in both cases that if either m is prime or r is sufficiently large (though not necessarily close to q), then the minimal embedding field is $\mathbb{F}_{q^k}$. In actual pairing-based cryptosystems at least one of these conditions always holds, so we deduce that the observation of Hitt (Lemma 2.3) and Rubin and Silverberg has no effect in practice.

Proposition 3.2 (k = 4). Let $q = 2^m$ with m odd, and let E be a supersingular elliptic curve over $\mathbb{F}_q$ that has embedding degree 4 with respect to a prime $r \nmid 2m$. If either

– $\rho < \frac{3}{2}\bigl(1 - \frac{1}{\log_2 r}\bigr)$, or

– m is prime and r > 5,

then E has minimal embedding field $\mathbb{F}_{q^4}$.

Proof. If we write m = αβ as in Theorem 2.9, then the smallest prime dividing β must be at least 3. Thus if $r > q^{2/3} + 1$ then condition (4) of Theorem 2.9 is satisfied. If m is prime and $r > 5 = \Phi_4(2)$ then condition (2) of Theorem 2.9 is satisfied. In both cases, by Corollary 2.10 E has minimal embedding field $\mathbb{F}_{q^4}$. An easy calculation shows that if $\rho < \frac{3}{2}\bigl(1 - \frac{1}{\log_2 r}\bigr)$ then $r > q^{2/3} + 1$.
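The “easy calculation” at the end of the proof, written out here as an added note (it is not part of the paper's text). With g = 1 we have $\rho = \log q / \log r$, and the steps go through for any constant c > 0 in place of 3/2, which is also how the corresponding thresholds in Propositions 3.3, 3.5 and 3.6 arise:

$$
\rho < c\Bigl(1 - \frac{1}{\log_2 r}\Bigr)
\iff \frac{\log_2 q}{\log_2 r} < c\,\frac{\log_2 r - 1}{\log_2 r}
\iff \log_2 q < c\,(\log_2 r - 1)
\iff q^{1/c} < 2^{\log_2 r - 1} = \frac{r}{2}.
$$

Hence $q^{1/c} + 1 < \tfrac{r}{2} + 1 \le r$ for every prime $r \ge 2$. Taking $c = 3/2$ gives $r > q^{2/3} + 1$, the bound needed for condition (4) in the proof above; $c = 5/3$ gives $r > q^{3/5} + 1$, $c = 3$ gives $r > q^{1/3} + 1$, and $c = 6$ gives $r > q^{1/6} + 1$.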

Proposition 3.3 (k = 6). Let $q = 3^m$ with m odd, and let E be a supersingular elliptic curve over $\mathbb{F}_q$ that has embedding degree 6 with respect to a prime $r \nmid 6m$. If either

– $\rho < \frac{5}{3}\bigl(1 - \frac{1}{\log_2 r}\bigr)$, or

– m is prime and r > 7,

then E has minimal embedding field $\mathbb{F}_{q^6}$.

Proof. The proof is entirely analogous to that of Proposition 3.2.

Remark 3.4. In both of the above cases the cryptographic exponent $c_{A,q}$ defined by Rubin and Silverberg is equal to k. Rubin and Silverberg’s result (Theorem 2.5) thus implies that when k = 4, the conclusion of Proposition 3.2 holds whenever $\rho < \frac{3 \log 2}{2 \log(1 + \sqrt{2})} \approx 1.18$, and that when k = 6, the conclusion of Proposition 3.3 holds whenever $\rho < \frac{3 \log 3}{2 \log(1 + \sqrt{3})} \approx 1.64$. Thus in both cases our result is stronger (i.e., requires a weaker upper bound on ρ) for sufficiently large r. In particular, since ρ ≈ 3/2 is recommended for k = 4 curves to achieve a security level equivalent to an 80-bit symmetric-key system [5, Table 1.1], our result shows that supersingular k = 4 curves are appropriate for this security level for any extension degree m.


For some implementations one may wish to use supersingular elliptic curves with very small embedding degrees. We thus continue our analysis by investigating the cases 1 ≤ k ≤ 3. The case k = 2 is the most straightforward.

Proposition 3.5 (k = 2). Let $q = p^m$, and let E be a supersingular elliptic curve over $\mathbb{F}_q$ that has embedding degree 2 with respect to a prime $r \nmid 2m$. If either

– $\rho < 3\bigl(1 - \frac{1}{\log_2 r}\bigr)$, or

– m is prime and r > p + 1,

then E has minimal embedding field $\mathbb{F}_{q^2}$.

Proof. The proof is entirely analogous to that of Proposition 3.2.

Rubin and Silverberg’s result (Theorem 2.5) says that the conclusion of Proposition 3.5 holds whenever ρ < 2 − ε when m is even and whenever ρ < 3 − ε when m is odd, with ε → 0 as p → ∞. Thus our result is stronger when m is even.

The cases k = 1 and k = 3 are more subtle, as we cannot avoid the possibility that the minimal embedding field is $\mathbb{F}_{q^{k/2}}$ even when r is very large. However, if we know the sign of the trace we can apply Theorem 2.9 to determine when the minimal embedding field is $\mathbb{F}_{q^k}$ or $\mathbb{F}_{q^{k/2}}$.

Proposition 3.6 (k = 1). Let $q = p^m$ with m even, and let E be a supersingular elliptic curve over $\mathbb{F}_q$ that has embedding degree 1 with respect to a prime $r \nmid m$. If E has trace $-2p^{m/2}$ and $\rho < 6\bigl(1 - \frac{1}{\log_2 r}\bigr)$, then E has minimal embedding field $\mathbb{F}_q$. If E has trace $2p^{m/2}$ and ρ < 4, then E has minimal embedding field $\mathbb{F}_{q^{1/2}}$.

Proof. Let m′ = m/2. Suppose E has trace $-2p^{m'}$. Then $\#E(\mathbb{F}_q) = (p^{m'} + 1)^2$, so r divides $\Phi_2(p^{m'})$. We now apply Theorem 2.9 with k = 2 and m = m′. If we write m′ = αβ as in the theorem, then the smallest prime dividing the β of Theorem 2.9 must be at least 3. Thus if $r > p^{m'/3} + 1 = q^{1/6} + 1$ then condition (4) of the theorem is satisfied, so by Corollary 2.10 E has minimal embedding field $\mathbb{F}_{p^{2m'}} = \mathbb{F}_q$. An easy calculation shows that if $\rho < 6\bigl(1 - \frac{1}{\log_2 r}\bigr)$ then $r > q^{1/6} + 1$.

Now suppose E has trace $2p^{m'}$. Then $\#E(\mathbb{F}_q) = (p^{m'} - 1)^2$, so r divides $\Phi_1(p^{m'})$. We now apply Theorem 2.9 with k = 1 and m = m′. If $r > p^{m'/2} = q^{1/4}$ (or equivalently, if ρ < 4) then condition (3) of the theorem is satisfied, so by Corollary 2.10 E has minimal embedding field $\mathbb{F}_{p^{m'}} = \mathbb{F}_{q^{1/2}}$.

When k = 1, Rubin and Silverberg’s cryptographic exponent $c_A$ is equal to 1 when E has negative trace and 1/2 when E has positive trace; in both cases the integer f of Theorem 2.5 is equal to 2. Thus Theorem 2.5 says that the conclusion of Proposition 3.6 holds whenever ρ < 4 − ε, with ε → 0 as p → ∞. Our result is stronger for the first case as well as for small p.

Remark 3.7. Proposition 3.6 demonstrates the somewhat surprising fact that the minimal embedding field of an elliptic curve E can be smaller than the field of definition of E. In fact such a curve is easy to construct. Let p > 3 be prime, and let $E/\mathbb{F}_p$ be a supersingular elliptic curve over $\mathbb{F}_p$. Let $E'/\mathbb{F}_{p^2}$ be a quadratic twist of E over $\mathbb{F}_{p^2}$; that is, a curve equipped with an isomorphism between (Weierstrass models of) E and E′ given by $(x, y) \mapsto (ux, u^{3/2}y)$ for some non-square¹ $u \in \mathbb{F}_{p^2}^*$. Then $\#E'(\mathbb{F}_{p^2}) = (p - 1)^2$, and the minimal embedding field of E′ with respect to any $r \mid p - 1$ is $\mathbb{F}_p$.

Finally, we consider the case of embedding degree k = 3. As with k = 1, the minimal embedding field can be determined from the sign of the trace.

Proposition 3.8 (k = 3). Let $q = p^m$ with m even, and let E be a supersingular elliptic curve over $\mathbb{F}_q$ that has embedding degree 3 with respect to a prime $r \nmid 3m$. If E has trace $p^{m/2}$ and $\rho < \frac{10}{3}\bigl(1 - \frac{1}{\log_2 r}\bigr)$, then E has minimal embedding field $\mathbb{F}_{q^3}$. If E has trace $-p^{m/2}$ and ρ < 4/3, then E has minimal embedding field $\mathbb{F}_{q^{3/2}}$.

Proof. The proof is entirely analogous to that of Proposition 3.6.

When k = 3, Rubin and Silverberg’s cryptographic exponent $c_A$ is equal to 3 when E has positive trace and 3/2 when E has negative trace. Thus Theorem 2.5 says that the conclusion of Proposition 3.8 holds whenever ρ < 2 − ε, with ε → 0 as p → ∞. Our result is stronger for the first case.

4 Higher-Dimensional Supersingular Abelian Varieties

In this section we briefly sketch the application of our main result to supersingular abelian varieties of dimension g ≥ 2 defined over non-prime fields. Such varieties have been proposed for use in pairing-based cryptography as they have the potential to be more efficient than supersingular elliptic curves.

We first consider simple supersingular abelian varieties of dimension g = 2. Such varieties, known as abelian surfaces, can be described as Jacobians of genus 2 curves. Cardona and Nart [1] give a detailed description of the possible group orders and embedding degrees for simple supersingular abelian surfaces, analogous to the Menezes-Okamoto-Vanstone classification for elliptic curves.

Table 1 lists each isogeny class of simple supersingular abelian surfaces over $\mathbb{F}_q$ (with $q = p^m$) and its embedding degree k, as calculated by Cardona and Nart. The isogeny classes are described by a pair of integers (s, t), which correspond to the coefficients of the characteristic polynomial of Frobenius $x^4 + sx^3 + tx^2 + sqx + q^2$. An asterisk next to the embedding degree indicates that the minimal embedding field is $\mathbb{F}_{q^{k/2}}$, not $\mathbb{F}_{q^k}$.

When the extension degree m is prime, as is most often the case in cryptography, Corollary 2.10 tells us that if $r > \Phi_k(p)$ then the minimal embedding field of a supersingular abelian surface with respect to r is $\mathbb{F}_{q^k}$. For the cases of small characteristic most often proposed for cryptography, we have the following:

¹ If j(E) = 0 then u must also be a cube; if j(E) = 1728 then u must be a square but not a fourth power.


Proposition 4.1. Let A be a simple supersingular abelian surface over $\mathbb{F}_q$, where $q = p^m$, p ∈ {2, 3, 5}, and m is prime. Suppose A has embedding degree k with respect to a prime r > m. If r > 781 then the minimal embedding field of A with respect to r is $\mathbb{F}_{q^k}$.

For more general situations, Table 1 gives two parameters for each isogeny class that are related to the minimal embedding field. A value of a in the column “Cor. 2.10 max ρ” indicates that whenever $r \nmid km$ is prime and ρ < a, Corollary 2.10 implies that an abelian variety in the isogeny class has minimal embedding field $\mathbb{F}_{q^k}$ with respect to r (or $\mathbb{F}_{q^{k/2}}$ in the asterisked cases). When the value is a − ε one can take $\varepsilon = a / \log_2 r$.

A value of b in the column “RS max ρ” indicates that whenever r is prime and ρ < b, Rubin and Silverberg’s result (Theorem 2.5) implies that an abelian variety in the isogeny class has minimal embedding field $\mathbb{F}_{q^k}$ with respect to r (or $\mathbb{F}_{q^{k/2}}$ in the asterisked cases). When p is not fixed, the values b are limits as p → ∞.

Table 1. Maximal ρ-values guaranteeing that a simple supersingular abelian surface over $\mathbb{F}_q$ ($q = p^m$) with embedding degree k has minimal embedding field $\mathbb{F}_{q^k}$ ($\mathbb{F}_{q^{k/2}}$ in the cases marked with a *)

(s, t) | conditions on p and m | k | Cor. 2.10 max ρ | RS max ρ
(0, −2q) | m odd | 1 | 6 | 6
(0, 2q) | m even, p ≡ 1 (mod 4) | 2 | 6 − ε | 4
$(2\sqrt{q},\, 3q)$ | m even, p ≡ 1 (mod 3) | 3* | 8/3 | 4
$(-2\sqrt{q},\, 3q)$ | m even, p ≡ 1 (mod 3) | 3 | 20/3 − ε | 4
(0, 0) | m odd, p ≠ 2 | 4 | 3 − ε | 3
(0, 0) | m even, p ≢ 1 (mod 8) | 4 | 3 − ε | 2
(0, q) | m odd | 3 | 10/3 | 3
(0, −q) | m odd, p ≠ 3 | 6 | 10/3 − ε | 3
(0, −q) | m even, p ≢ 1 (mod 12) | 6 | 10/3 − ε | 2
$(\sqrt{q},\, q)$ | m even, p ≢ 1 (mod 5) | 5* | 8/5 | 2
$(-\sqrt{q},\, q)$ | m even, p ≢ 1 (mod 5) | 5 | 12/5 − ε | 2
$(\pm\sqrt{5q},\, 3q)$ | m odd, p = 5 | 5 | 6/5 | 2.06
$(\pm\sqrt{2q},\, q)$ | m odd, p = 2 | 12 | 5/3 − ε | 1.18

We conclude our analysis by applying our main result to a particularly interesting case of a supersingular abelian variety in dimension g = 4. Rubin and Silverberg [15, §5.1] show that if $q = 3^m$ and E is a supersingular elliptic curve over $\mathbb{F}_q$ with embedding degree 6, then there is a simple 4-dimensional abelian variety $A/\mathbb{F}_q$ with embedding degree k = 30. This A can be constructed as a subvariety of the restriction of scalars $\mathrm{Res}_{\mathbb{F}_{q^5}/\mathbb{F}_q} E$. The ratio k/g = 7.5 is the largest known for a supersingular abelian variety, which makes the variety appealing for practical use as it allows for higher security levels using fewer bits than a k = 6 elliptic curve or a k = 12 abelian surface.


Proposition 4.2. Let $q = 3^m$ with m odd, and let A be a simple supersingular 4-dimensional abelian variety over $\mathbb{F}_q$ that has embedding degree 30 with respect to a prime $r \nmid 30m$. If either

– $\rho < \frac{28}{15}\bigl(1 - \frac{1}{\log_2 r}\bigr)$, or

– m is prime and r > 8400,

then A has minimal embedding field $\mathbb{F}_{q^{30}}$.

Proof. The proof is entirely analogous to that of Proposition 3.2.

We note that if A is an abelian variety as in Proposition 4.2, Rubin and Silverberg’s result (Theorem 2.5) shows that the result holds whenever $r > (1 + \sqrt{3})^{8m/3}$, or $\rho \lesssim 1.64$. Thus our result ($\rho \lesssim 1.87$) is stronger.

5 Conclusion

Given an abelian variety A defined over a finite field $\mathbb{F}_q$ such that A has embedding degree k with respect to a subgroup of prime order r, we consider the question of whether the minimal embedding field of A with respect to r is $\mathbb{F}_{q^k}$. A positive answer to this question implies that the embedding degree k is a good measure of the security level of a pairing-based cryptosystem that uses A.

Our main results, Theorem 2.9 and Corollary 2.10, give explicit conditions on the field size q, the embedding degree k, and the subgroup order r that imply an affirmative answer to our question. We have applied our theorem to supersingular elliptic curves (Section 3) and to supersingular genus 2 curves (Section 4), in each case computing a maximum ρ-value for which the minimal embedding field must be $\mathbb{F}_{q^k}$. Our results are in most cases stronger (i.e., give larger allowable ρ-values) than the corresponding result of Rubin and Silverberg (Theorem 2.5). Our result thus guarantees that more abelian varieties are suitable for use in pairing-based cryptography than any previous result had done.

Our theorem holds for general abelian varieties, not only supersingular ones. There are several results demonstrating the existence of non-supersingular abelian varieties over non-prime fields with small embedding degree [7,10], but at present there is only a single explicit construction of such varieties. This construction, due to Hitt O’Connor et al. [11, Algorithm 3], produces abelian surfaces over $\mathbb{F}_{p^2}$ with p-rank 1 (i.e., neither ordinary nor supersingular) and ρ ≈ 16. These ρ-values are far too large both for practical use and for Corollary 2.10 to provide a useful result.

It is thus an open problem to construct non-supersingular abelian varieties — including elliptic curves — over non-prime fields with small embedding degree and ρ < 16. Such a construction would not only expand our library of pairing-friendly abelian varieties but could potentially lead to improvement in the performance of pairing-based protocols, in the same way that elliptic curves over non-prime fields can lead to performance improvements for standard elliptic curve cryptography [6]. Once such varieties are constructed, our results can be used to determine whether the embedding degree also describes the minimal embedding field of these varieties.


Acknowledgments

The authors thank Mike Scott for advice and support and Rob Granger, Laura Hitt O’Connor, Gary McGuire, and the anonymous referees for helpful comments on earlier versions of this work. The first and second authors are supported by Science Foundation Ireland under Grant No. 07/RFP/CMSF428. The third author is supported by a National Science Foundation International Research Fellowship, with additional support from the Office of Multidisciplinary Activities in the NSF Directorate for Mathematical and Physical Sciences.

References

1. Cardona, G., Nart, E.: Zeta function and cryptographic exponent of supersingular curves of genus 2. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 132–151. Springer, Heidelberg (2007)

2. de Smit, B., Lenstra, H.W.: Standard models for finite fields. Lecture notes (2008), http://www.math.leidenuniv.nl/~desmit/papers/standard_models.pdf

3. Doche, C., Lange, T.: Arithmetic of elliptic curves. In: Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp. 267–302. Chapman & Hall/CRC, Boca Raton (2006)

4. Duquesne, S., Frey, G.: Background on pairings. In: Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp. 115–124. Chapman & Hall/CRC, Boca Raton (2006)

5. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. To appear in Journal of Cryptology (preprint, 2009), http://eprint.iacr.org/2006/372

6. Galbraith, S., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. In: EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2009)

7. Galbraith, S., McKee, J., Valenca, P.: Ordinary abelian varieties having small embedding degree. Finite Fields and their Applications 13, 800–814 (2007)

8. Gaudry, P.: Index calculus for abelian varieties and the elliptic curve discrete logarithm problem. To appear in J. Symbolic Computation. Preprint, http://www.loria.fr/~gaudry/publis/indexcalc.pdf

9. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15, 19–46 (2002)

10. Hitt, L.: On the minimal embedding field. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 294–301. Springer, Heidelberg (2007)

11. Hitt O’Connor, L., McGuire, G., Naehrig, M., Streng, M.: CM construction of genus 2 curves with p-rank 1. Cryptology ePrint Archive, Report 2008/491 (2008), http://eprint.iacr.org/2008/491

12. Lang, S.: Algebra, revised third edn. Graduate Texts in Mathematics, vol. 211. Springer, New York (2002)

13. Menezes, A., Okamoto, T., Vanstone, S.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory 39, 1639–1646 (1993)

14. Milne, J.S.: Abelian varieties. In: Cornell, G., Silverman, J. (eds.) Arithmetic Geometry, pp. 103–150. Springer, New York (1986)

15. Rubin, K., Silverberg, A.: Supersingular abelian varieties in cryptology. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 336–353. Springer, Heidelberg (2002)

16. Rubin, K., Silverberg, A.: Using abelian varieties to improve pairing-based cryptography. Journal of Cryptology 22, 330–364 (2009)

17. Silverman, J.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, New York (1986)

Generating Pairing-Friendly Curves with the CM Equation of Degree 1

Hyang-Sook Lee and Cheol-Min Park*

Department of Mathematics, Ewha Womans University, Seoul 120-750, S. Korea
{hsl,mpcm}@ewha.ac.kr

Abstract. Refinements of the Brezing-Weng method have provided families of pairing-friendly curves with improved ρ-values by using non-cyclotomic polynomials that define cyclotomic fields. We revisit these methods via a change-of-basis matrix and completely classify a basis for a cyclotomic field to produce a family of pairing-friendly curves with a CM equation of degree 1. Using this classification, we propose a new algorithm to construct Brezing-Weng-like elliptic curves having the CM equation of degree 1, and we present new families of curves with larger discriminants.

1 Introduction

Research on pairing-based cryptography has been getting a great deal of attention over the past few years. Since 2000, a number of new protocols have been proposed based on cryptographic pairings, such as identity-based key exchange [17], one-round tripartite key agreement [11], identity-based encryption [4], and short digital signatures [5].

For the practical realization of these protocols, they must be implemented using special curves, so-called pairing-friendly curves, which have a large prime-order subgroup whose embedding degree is small enough that computations in the finite field are feasible. One approach to pairing-friendly curves relies on supersingular elliptic curves. Over these curves, however, the embedding degrees are limited to {1, 2, 3, 4, 6}. Another approach is to use ordinary elliptic curves with small embedding degree. However, since these curves are rare, according to the result of Balasubramanian and Koblitz [2], it is necessary to develop algorithms to construct suitable pairing-friendly curves. Many algorithms have been proposed to construct pairing-friendly ordinary elliptic curves. One general method is the Brezing and Weng method [6], which generates polynomial families of curves by using a defining polynomial r(x) of a cyclotomic field or its extension field. Usually, the defining polynomial of the cyclotomic field Q(ζk) for a primitive kth root of unity ζk is the kth cyclotomic polynomial Φk(x). But if we use an irreducible factor of Φk(u(x)) for some u(x) ∈ Q[x], we can obtain a different defining polynomial of the cyclotomic field Q(ζk) or its extension field. Using this idea, Galbraith, McKee, and Valenca demonstrated the existence of ordinary abelian varieties of dimension 2 having small embedding degrees [10]. Building on this work, Barreto and Naehrig [3], and Freeman [8] constructed pairing-friendly elliptic curves of prime order. If we choose an irreducible factor r(x) of Φk(u(x)) such that the degree of r(x) is ϕ(k), r(x) will define the same cyclotomic field Q(ζk). But in some cyclotomic fields, a careful choice of r(x) can produce a pairing-friendly curve with better ρ-values than curves constructed from Φk(x). Working from this idea, Kachisa, Schaefer and Scott [13] developed a method for constructing pairing-friendly elliptic curves with better ρ-values.

* This work was supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD, Basic Research Promotion Fund) (KRF-2008-1645-1-1).

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 66–77, 2009.
© Springer-Verlag Berlin Heidelberg 2009

In a method that uses the factorization of Φk(u(x)), the difficult part is how to choose a u(x) that will produce an irreducible factor of Φk(u(x)). Lemma 1 in Galbraith, McKee and Valenca [10] offers one solution to this problem by providing the criterion for u(x) to give a factorization of Φk(u(x)). Another solution is provided by Tanaka and Nakamula [18]. They proposed a method of finding u(x) such that Φk(u(x)) has an irreducible factor of degree ϕ(k), reducing the problem of finding an appropriate u(x) to solving a system of multivariate polynomial equations for the coefficients of u(x) using a matrix.

We observe that Tanaka and Nakamula’s method can also be described via a change-of-basis matrix, because finding an irreducible factor of Φk(u(x)) with degree ϕ(k) is equivalent to finding a basis for Q(ζk). Based on this idea, we completely classify a basis for Q(ζk) which gives pairing-friendly elliptic curves with the CM equation of degree 1. From this classification, we can avoid the exhaustive search to find u(x) such that Φk(u(x)) has an irreducible factor of degree ϕ(k) and the CM equation of curves constructed from u(x) has degree 1. Using a change-of-basis matrix and this classification of a basis for Q(ζk), we propose a new algorithm to construct Brezing-Weng-like elliptic curves with the CM equation of degree 1. Unlike the previous Brezing-Weng-like elliptic curves with small discriminants, we present new families of curves with larger discriminants, which are less than 10^10.

The paper is organized as follows: Section 2 reviews the basic definitions related to pairing-friendly curves and methods involved in the construction of the curves. Section 3 reviews the method that uses the factorization of Φk(u(x)) via a change-of-basis matrix. Section 4 presents the complete classification of a basis for Q(ζk) which gives pairing-friendly elliptic curves with the CM equation of degree 1 and also gives an algorithm and examples. Section 5 discusses further work regarding our results and offers a conclusion.

2 Pairing-Friendly Elliptic Curves

In this section, we briefly review the definitions and methods involved in the construction of pairing-friendly curves. For a good survey, see [9].


Let E be an elliptic curve defined over a prime finite field Fq. Let r be a large prime factor of #E(Fq), and let k be the smallest integer such that r | (q^k − 1); such a k is called the embedding degree with respect to r. A pairing-friendly curve is formally defined as follows [9].

Definition 1. We say that E is pairing-friendly if the following two conditions hold:
(1) there is a prime r ≥ √q dividing #E(Fq), and
(2) the embedding degree of E with respect to r is less than log2(r)/8.

There are a number of methods for constructing pairing-friendly elliptic curves with the prescribed embedding degree k. These methods all have the following essential steps:

(1) Look for suitable values of the parameters, including the embedding degree, k; the cardinality of the finite field, q; the trace of the Frobenius endomorphism of the curve, t; and the prime order of the subgroup, r.

(2) Use the Complex Multiplication (CM) method to find the equation of the curve [1].

As in Proposition 2.4 in [9], if we assume k � r, the definition of the embedding degree k with respect to r is equivalent to

Φk(q) ≡ 0 (mod r)

where Φk(x) is the kth cyclotomic polynomial. Since r is a factor of #E(Fq) = q + 1 − t, it is also equivalent to

Φk(t − 1) ≡ 0 (mod r).

For step (2), we need an additional parameter, the CM discriminant, which is defined as the square-free part D of the nonnegative integer 4q − t^2. For practical reasons, D must be less than 10^13 by recent work of Sutherland [16].

Brezing and Weng constructed a family of pairing-friendly curves using polynomials to represent the parameters q, t and r. To describe this method, we first need the following definitions.

Definition 2. ([9]) Let f(x) be a polynomial with rational coefficients. We say f represents primes if the following conditions are satisfied:
(1) f(x) is non-constant.
(2) f(x) has a positive leading coefficient.
(3) f(x) is irreducible.
(4) f(x) ∈ Z for some x ∈ Z.
(5) gcd{f(x) | x, f(x) ∈ Z} = 1.

Definition 3. ([9]) Let t(x), r(x), q(x) be polynomials with rational coefficients. For a given positive integer k and positive square-free integer D, the triple (t, r, q) represents a family of elliptic curves with embedding degree k and discriminant D if the following conditions are satisfied:


(1) q(x) = p(x)^d for some d ≥ 1 and p(x) that represents primes.
(2) r(x) = c · r(x), where r(x) represents primes and c ∈ N is a constant.
(3) q(x) = h(x)r(x) − 1 + t(x) for some h(x) ∈ Q[x].
(4) r(x) divides Φk(t(x) − 1), where Φk is the kth cyclotomic polynomial.
(5) The equation Dy^2 = 4q(x) − t(x)^2 has infinitely many integer solutions (x, y).

The equation in condition (5) is called the CM equation. Note that since q(x) + 1 − t(x) = h(x)r(x), the CM equation is equivalent to

Dy^2 = f(x) = 4h(x)r(x) − (t(x) − 2)^2.

If c and h(x) are equal to 1 in conditions (2) and (3), respectively, the elliptic curve group has prime order. This is the ideal case for security and efficiency. The ρ-value, which represents how close a given family of curves is to the ideal curve, is defined as follows:

Definition 4. ([9]) Let t(x), r(x), q(x) ∈ Q[x], and suppose that (t(x), r(x), q(x)) represents a family of elliptic curves with embedding degree k. The ρ-value of the family represented by (t(x), r(x), q(x)) is:

ρ = lim_{x→∞} log(q(x))/log(r(x)) = deg q(x)/deg r(x).

The Brezing-Weng method [6,9] is summarized below as Algorithm 1.

Algorithm 1. The Brezing-Weng method
INPUT: embedding degree k, CM discriminant D.
OUTPUT: t(x), r(x), q(x)

1: Choose a number field K containing √−D and a primitive kth root of unity ζk.
2: Find an irreducible polynomial r(x) ∈ Z[x] such that Q[x]/(r(x)) ≅ K.
3: Let t(x) ∈ Q[x] be a polynomial mapping to ζk + 1 ∈ K.
4: Let y(x) ∈ Q[x] be a polynomial mapping to (ζk − 1)/√−D ∈ K.
5: Let q(x) = (t(x)^2 + Dy(x)^2)/4. If q(x) and r(x) represent primes,
6: then output t(x), r(x), q(x).

3 A Change-of-Basis Matrix in Q(ζk)

Since the work of Brezing and Weng, a number of algorithms have been proposed for the construction of a family of pairing-friendly curves using factorization of cyclotomic polynomials [10,3,8,13,18]. These methods rely on using a polynomial r(x) that defines a cyclotomic field but is not a cyclotomic polynomial. In this section, we revisit the method in [18] via a change-of-basis matrix in Q(ζk). Throughout the paper, we will consider two sets, Bθ and Bζk, defined as:

Bθ = {1, θ, θ^2, . . . , θ^{ϕ(k)−1}}, Bζk = {1, ζk, ζk^2, . . . , ζk^{ϕ(k)−1}}

where ζk is a primitive kth root of unity and θ is an element of Q(ζk). We also assume that k is greater than or equal to 3.


Lemma 1. Let ζk be a primitive kth root of unity and Q(ζk) be the kth cyclotomic field. Let u(x) be a polynomial with rational coefficients. Then u(x) = ζk has a solution in Q(ζk) if and only if Φk(u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k).

Proof. Refer to Lemma 5.1 in [10].

Lemma 2. Let u(x) be a polynomial with rational coefficients. Then the following statements are equivalent.
(1) Φk(u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for u(x).
(2) Q(ζk) has a basis Bθ such that ζk = u(θ).

Proof. Let θ be the root of r(x). Since Φk(u(θ)) = 0 and r(x) has degree ϕ(k), we have

u(θ) = ζk and Q(θ) = Q(ζk).

Hence Bθ becomes a basis for Q(ζk). Conversely, if Bθ is a basis for Q(ζk), ζk can be written as c0 + c1θ + · · · + c_{ϕ(k)−1}θ^{ϕ(k)−1} for some c0, . . . , c_{ϕ(k)−1} ∈ Q, and so u(x) = c0 + c1x + · · · + c_{ϕ(k)−1}x^{ϕ(k)−1} = ζk has a solution in Q(ζk). Then (1) follows from Lemma 1. □

Therefore, to find u(x) satisfying the condition of Lemma 1 is equivalent to finding a basis Bθ for Q(ζk) and a representation of ζk by elements in Bθ. To find a basis for Q(ζk), let θ be a0·1 + a1ζk + · · · + a_{ϕ(k)−1}ζk^{ϕ(k)−1} for some a0, . . . , a_{ϕ(k)−1} ∈ Q. We have θ^{j−1} = Σ_{i=1}^{ϕ(k)} P_ij ζk^i for j = 1, . . . , ϕ(k), where P_ij is a polynomial in a0, a1, . . . , a_{ϕ(k)−1}. We consider the ϕ(k) × ϕ(k) matrix P whose (i, j) entry is P_ij. It is easy to see that a necessary and sufficient condition for Bθ to be a basis for Q(ζk) is that the determinant of P is nonzero.

Definition 5. A matrix P that is constructed as above will be referred to as a transition matrix from Bθ to Bζk. If Bθ is a basis for Q(ζk), then P is also referred to as a change-of-basis matrix [14].

Definition 6. Let B = {v1, v2, . . . , vn} be an ordered basis for Q(ζk) and let x be an element in Q(ζk) such that

x = c1v1 + c2v2 + · · · + cnvn.

The coordinate vector of x relative to B is

(c1, c2, . . . , cn),

and we will denote it by [x]_B. We will also use the notation v^T to refer to the transpose of a vector v.

Then Lemma 2 can be restated as follows.

Lemma 3. Φk(u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for u(x) ∈ Q[x] if and only if there exists a set Bθ in Q(ζk) such that det(P) ≠ 0 and the coefficient vector of u(x) is P^{−1} · [ζk]^T_{Bζk}, where P is the transition matrix from Bθ to Bζk.


Proof. This follows directly from Theorem 4.20 in [14], along with Lemma 1 and Lemma 2.

Remark 1. (1) Since [ζk]_{Bζk} = (0, 1, 0, . . . , 0), the coefficient vector of u(x) is the second column vector of P^{−1}.
(2) In general, Lemma 1 also holds under the condition u(x) = ζk^l for some l ∈ (Z/kZ)*. Hence Φk(u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for u(x) ∈ Q[x] with coefficient vector P^{−1} · [ζk^l]^T_{Bζk}.

4 New Families of Pairing-Friendly Curves with the CM Equation of Degree 1

Proposition 1. Let θ = a0 − 2a1ζk^l + a1ζk^{2l} for some a0, a1 (≠ 0) ∈ Q and l ∈ (Z/kZ)*. Let P_l be the transition matrix from Bθ to Bζk. Then

(1) Bθ is a basis for Q(ζk).
(2) For u(x) with coefficient vector P_l^{−1} · [ζk^l]^T_{Bζk}, Φk(u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k).
(3) Let d(x) be −(u(x) − 1)^2 (mod r(x)). Then d(x) = (−1/a1)x − (a1 − a0)/a1.
(4) Let t(x) be u(x) + 1 and q(x) be (t(x)^2 + d(x))/4. If q(x) and r(x) represent primes, then (t(x), r(x), q(x)) represents a family of elliptic curves with embedding degree k and the CM equation 4q(x) − t(x)^2 = d(x).

Proof. (1) Consider the Galois group of Q(ζk) over Q, Aut_Q Q(ζk). Then σ_i(ζk) = ζk^i for σ_i ∈ Aut_Q Q(ζk) and i ∈ (Z/kZ)* by Theorem 8.1 in [12]. Since θ = a1(ζk^l − 1)^2 + a0 − a1 and (σ_i(ζk^l) − 1)^2 ≠ (σ_j(ζk^l) − 1)^2 for i ≠ j ∈ (Z/kZ)*, we have σ_i(θ) ≠ σ_j(θ). Thus, if g(x) is the minimal polynomial of θ, g(x) must have at least ϕ(k) roots. Hence Q(ζk) = Q(θ) and Bθ is a basis for Q(ζk).
(2) This follows from (1) and Lemma 3.
(3) Let d(x) = b0 + b1x + · · · + b_{ϕ(k)−1}x^{ϕ(k)−1}. Since u(θ) = ζk^l and r(θ) = 0 by (2), d(θ) = −(ζk^l − 1)^2. From the condition on θ, we have

(1/a1)θ + (a1 − a0)/a1 = (ζk^l − 1)^2.

Since the representation of (ζk^l − 1)^2 by Bθ is unique,

b0 = −(a1 − a0)/a1, b1 = −1/a1, b2 = · · · = b_{ϕ(k)−1} = 0.

(4) This follows from [6].

(4) This follows from [6].

The converse of Proposition 1 also holds.

Proposition 2. Suppose Φk(u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for some u(x) ∈ Q[x]. Let t(x) = u(x) + 1 and q(x) = r(x) · h(x) + t(x) − 1 for some h(x) ∈ Q[x]. If d(x) = 4q(x) − t(x)^2 has degree 1, then there exists a basis Bθ for Q(ζk) such that θ = a0 − 2a1ζk^l + a1ζk^{2l} for some a0, a1 (≠ 0) ∈ Q and l ∈ (Z/kZ)*.


Proof. Since q(x) = r(x) · h(x) + t(x) − 1, we have d(x) = 4r(x) · h(x) − (u(x) − 1)^2. Let θ be the root of r(x) in Q(ζk) and d(x) = b0 + b1x ∈ Q[x]. Then Bθ is a basis for Q(ζk). Since Φk(u(θ)) = 0, u(θ) = ζk^l for some l ∈ Z_k*. Hence we have b0 + b1θ = d(θ) = −(ζk^l − 1)^2. If we set a0 = −(1 + b0)/b1, a1 = −1/b1, this finishes the proof.

Remark 2. (1) Since σ_l(a0 − 2a1ζk + a1ζk^2) = a0 − 2a1ζk^l + a1ζk^{2l} for σ_l ∈ Aut_Q Q(ζk),

P_1^{−1} · [ζk]^T_{Bζk} = P_l^{−1} · [ζk^l]^T_{Bζk}.

Therefore, we obtain the same u(x) in each case of l ∈ (Z/kZ)*. This means that we only have to consider the case l = 1 in the condition for θ.
(2) Since a1θ + a0 = −(ζk − 1)^2 for some a0, a1 (≠ 0) ∈ Q, two elements θ and θ′ obtained by changing a0, a1 have the following relation:

θ′ = b1θ + b0 for b0, b1 (≠ 0) ∈ Q.

Therefore, changing a0, a1 corresponds to applying an affine change of variable to the polynomials (q(x), r(x), t(x)), and thus does not produce anything new.

Algorithm 2
INPUT: embedding degree k, primitive kth root of unity ζk.
OUTPUT: t(x), r(x), q(x)

1: Choose random numbers a0, a1 ∈ Q with a1 ≠ 0.
2: θ ← a0 − 2a1ζk + a1ζk^2.
3: Construct a transition matrix P from Bθ = {1, θ, θ^2, . . . , θ^{ϕ(k)−1}} to Bζk = {1, ζk, ζk^2, . . . , ζk^{ϕ(k)−1}}.
4: v ← P^{−1} · [ζk]^T_{Bζk}.
5: u(x) ← (1, x, . . . , x^{ϕ(k)−1}) · v. (· means dot product)
6: Find an irreducible (but not necessarily monic) polynomial r(x) ∈ Z[x] such that r(θ) = 0.
7: t(x) ← u(x) + 1, d(x) ← −(u(x) − 1)^2 (mod r(x)).
8: q(x) ← (t(x)^2 + d(x))/4.
9: If q(x) is irreducible and q(x0) is an integer for some x0 ∈ Z,
10: then output t(x), r(x), q(x).

4.1 Remark on Algorithm 2

For any rational numbers a0, a1 where a1 is nonzero, Algorithm 2 defines a potential family of pairing-friendly curves with the CM equation of degree 1. The problem is that in many cases q(x) in step 8 is not an integer-valued polynomial. There are two ways to obtain a q(x) that is an integer-valued polynomial. The first is to set a0 and a1 to be variables instead of randomly chosen rational numbers. Then the coefficients of q(x) are rational functions in the two variables a0, a1. We can solve a system of multivariate polynomial equations for a0, a1 to obtain integer coefficients of q(x). The second approach is to use the method of Kachisa, Schaefer, and Scott [13]:


1 Find the smallest positive integer n ∈ Z such that n · q(x) ∈ Z[x].
2 Find the smallest factor m of n and the residue classes b modulo m such that q(x) ∈ Z[x] for x ≡ b mod m.
3 Find the subset of those residue classes for which t(x) ∈ Z for x ≡ b mod m. (If a0 and a1 are selected such that d(x) ∈ Z[x], then this step is not necessary.)
4 Let r(mx + b) = c r(mx + b) for some constant c. If r(mx + b) and q(mx + b) represent primes, then output t(mx + b), r(mx + b), q(mx + b).

To construct curves using the CM method, we need the CM discriminant D, which must be less than about 10^13 for practical reasons. Since our method produces a family of pairing-friendly curves with the CM equation of degree 1, we can obtain D from the square-free part of the CM equation:

If Algorithm 2 outputs a pairing-friendly curve with embedding degree k such that ϕ(k) is greater than or equal to 6, then r(x) has degree at least 6. Since the size r of the subgroup of the elliptic curve must be around 160 bits to ensure security, we must find primes q(x0) and r(x0) for a parameter x0 that is around 2^27 ∼ 10^8. Since the CM equation in our example is linear in x, it is also about 10^8. For a 256-bit prime r(x0), the parameter x0 is around 2^43 ∼ 10^12. Therefore, from the square-free part of the CM equation, we can obtain a discriminant D less than 10^13.

Since the degree of the CM equation is fixed at 1 in our method, the size of x that we can choose for a 160-bit prime r(x) decreases as the degree of r(x) increases. This does not mean, however, that Algorithm 2 can produce more pairing-friendly curves with higher embedding degrees. As the size of x decreases, the probability that r(x) and q(x) are primes also decreases. Therefore, when searching for curves with higher embedding degrees and a 160-bit prime r(x), the square-free part of the CM equation can be larger than 10^13 even if the CM equation has degree 1.

There is another approach to obtain a proper CM discriminant D. Since our curves have the CM equation d(x) = ax + b, we choose some D and make the substitution x → (Dx^2 − b)/a in (q(x), r(x), t(x)). Then the CM equation becomes d(x) = Dx^2. After this substitution, if q(x) represents primes, then (q, r, t) represents a family of pairing-friendly curves with discriminant D.

4.2 Examples

We implemented Algorithm 2 in Magma [7] and found some new families of pairing-friendly curves. All the examples have d(x) = 4q(x) − t(x)^2 = x − 2. This is because we choose a0 = 1, a1 = −1 in step 1 of Algorithm 2. This CM equation also provides an efficient pairing computation: let T_i be q(x)^i (mod r(x)) for 0 < i < k. Since 4q(x) − t(x)^2 = x − 2 and q(x) ≡ t(x) − 1 (mod r(x)), we have

x − 2 ≡ 4q(x) − t(x)^2 (mod r(x))
    ≡ −(t(x) − 1)^2 + 2(t(x) − 1) − 1 (mod r(x))
    ≡ −T_2 + 2T_1 − 1 (mod r(x)).


Since x − 2 and −T_2 + 2T_1 − 1 have degree strictly less than that of r(x), we obtain

T_2 = 2T_1 − x + 1. (1)

Therefore, by equation (1), the R-ate pairing [15] attains the lower bound log2 r/ϕ(k) on the loop length in Miller’s algorithm.

Example 1. k = 5

r = x^4 − 3x^3 + 4x^2 − 12x + 41
q = (x^6 + 2x^5 + 39x^4 + 78x^3 + 401x^2 + 3785x − 5650)/12100
t = (x^3 + x^2 + 19x + 20)/55
ρ = 1.5

When x ≡ −3 mod 220, t(x) represents integers, and q(x) and r(x) = r(x)/275 represent primes. For x0 = 220 · 103905194262 − 3, we find a 252-bit prime q(x0), a 169-bit prime r(x0) and a 9-digit discriminant D.
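Algorithm 2 carried out end to end for Example 1 (k = 5, a0 = 1, a1 = −1), followed by the residue-class step of the Kachisa-Schaefer-Scott procedure from Section 4.1 and the evaluation at the paper’s parameter x0, as an added worked example; it is not the authors’ Magma implementation. It uses only exact rational arithmetic from the Python standard library; the polynomial helpers, the function names and the residue-class search over D + 1 consecutive points are constructions added here, and the primality test of step 9 is left out.

```python
from fractions import Fraction as F
from math import lcm

# Exact polynomial arithmetic over Q: a polynomial is a list of Fractions, index = degree.
def trim(p):
    p = [F(c) for c in p]
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p
def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])
def scale(a, c):
    return trim([F(c) * x for x in a])
def mul(a, b):
    out = [F(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)
def evaluate(p, x):
    return sum((c * F(x) ** i for i, c in enumerate(p)), F(0))

def divmod_(a, b):  # long division a = quo * b + rem in Q[x]; b need not be monic
    a, b = trim(a), trim(b)
    if len(a) < len(b):
        return [F(0)], a
    rem, quo = list(a), [F(0)] * (len(a) - len(b) + 1)
    for i in range(len(a) - len(b), -1, -1):
        quo[i] = rem[i + len(b) - 1] / b[-1]
        for j, y in enumerate(b):
            rem[i + j] -= quo[i] * y
    return trim(quo), trim(rem)
def compose(p, u):  # p(u(x)) by Horner's rule
    out = [p[-1]]
    for c in reversed(p[:-1]):
        out = add(mul(out, u), [c])
    return out
def cyclotomic(k):  # Phi_k(x) = (x^k - 1) / product of Phi_d(x) over the proper divisors d of k
    num = trim([-1] + [0] * (k - 1) + [1])
    for d in range(1, k):
        if k % d == 0:
            num, rem = divmod_(num, cyclotomic(d))
            assert rem == [0]
    return num

def solve(A, b):  # Gauss-Jordan elimination over Q; singular A means det P = 0 (B_theta is not a basis)
    n = len(A)
    M = [list(A[i]) + [b[i]] for i in range(n)]
    for col in range(n):
        piv = next((i for i in range(col, n) if M[i][col] != 0), None)
        if piv is None:
            raise ValueError("transition matrix is singular: B_theta is not a basis of Q(zeta_k)")
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for i in range(n):
            if i != col and M[i][col] != 0:
                f = M[i][col]
                M[i] = [x - f * y for x, y in zip(M[i], M[col])]
    return [row[n] for row in M]

def algorithm2(k, a0, a1):
    """Steps 2-8 of Algorithm 2 for theta = a0 - 2*a1*zeta_k + a1*zeta_k^2; returns (t, r, q, d)."""
    phi_k = cyclotomic(k)
    n = len(phi_k) - 1                                    # phi(k) = [Q(zeta_k) : Q]
    theta = trim([a0, -2 * F(a1), a1])                    # theta written in the basis B_zeta
    powers = [[F(1)]]                                     # theta^0 .. theta^n, reduced modulo Phi_k
    for _ in range(n):
        powers.append(divmod_(mul(powers[-1], theta), phi_k)[1])
    cols = [[p[i] if i < len(p) else F(0) for i in range(n)] for p in powers]
    P = [[cols[j][i] for j in range(n)] for i in range(n)]   # step 3: P[i][j] = coefficient of zeta^i in theta^j
    e1 = [F(1) if i == 1 else F(0) for i in range(n)]     # [zeta_k]_{B_zeta} = (0, 1, 0, ..., 0)
    u = trim(solve(P, e1))                                # steps 4-5: P^{-1} [zeta_k]^T, so u(theta) = zeta_k
    c = solve(P, cols[n])                                 # step 6: theta^n = sum c_j theta^j, hence
    r = trim([-cj for cj in c] + [F(1)])                  # r(x) = x^n - sum c_j x^j is the minimal polynomial of theta
    r = scale(r, lcm(*(cj.denominator for cj in r)))      # clear denominators: r(x) in Z[x], not necessarily monic
    t = add(u, [F(1)])                                    # step 7: t = u + 1 and d = -(u - 1)^2 mod r
    d = divmod_(scale(mul(add(u, [F(-1)]), add(u, [F(-1)])), -1), r)[1]
    q = scale(add(mul(t, t), d), F(1, 4))                 # step 8: q = (t^2 + d)/4, so 4q - t^2 = d
    return t, r, q, d

def check_family(k, t, r, q):  # Definition 3: r | q + 1 - t and r | Phi_k(t - 1); also returns 4q - t^2
    rem1 = divmod_(add(add(q, [F(1)]), scale(t, -1)), r)[1]
    rem2 = divmod_(compose(cyclotomic(k), add(t, [F(-1)])), r)[1]
    return rem1 == [0] and rem2 == [0], add(scale(q, 4), scale(mul(t, t), -1))

def integral_classes(polys, m):
    # Residues b mod m on which every polynomial is integer-valued: a degree-D polynomial in y
    # is integer-valued iff it is integral at D + 1 consecutive y, so D + 1 points per class suffice.
    return [b for b in range(m)
            if all(evaluate(p, b + m * j).denominator == 1 for p in polys for j in range(len(p)))]

def example1():  # Example 1 (k = 5, a0 = 1, a1 = -1) at the paper's sample parameter x0
    k, x0, c = 5, 220 * 103905194262 - 3, 275
    t, r, q, d = algorithm2(k, 1, -1)
    valid, cm = check_family(k, t, r, q)
    return {"t": t, "r": r, "q": q, "d": d, "cm": cm, "valid": valid, "rho": F(len(q) - 1, len(r) - 1),
            "classes_mod_220": integral_classes([q, t, scale(r, F(1, c))], 220),
            "t0": evaluate(t, x0), "r0": evaluate(r, x0) / c, "q0": evaluate(q, x0)}

if __name__ == "__main__":
    print(example1())
```

Running example1() reproduces r(x), t(x), q(x) and the CM equation x − 2 exactly as listed above, and confirms that q, t and r/275 are integer-valued on the whole class x ≡ 217 ≡ −3 (mod 220), which is what makes the sample parameter x0 admissible.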

Example 2. k = 7

r = x^6 − 5x^5 + 11x^4 − 13x^3 + 23x^2 − 129x + 239
q = (2304x^10 − 9888x^9 + 35569x^8 − 32248x^7 + 383212x^6 − 572200x^5 + 1818280x^4 + 2146496x^3 + 14573512x^2 + 83076033x − 151555486)/304781764
t = (48x^5 − 103x^4 + 260x^3 + 222x^2 + 3764x + 914)/8729
ρ = 1.67

When x ≡ 93 mod 34916, t(x) represents integers, and q(x) and r(x) = r(x)/61103 represent primes. For x0 = 34916 · 44124 + 93, we find a 288-bit prime q(x0), a 167-bit prime r(x0) and an 8-digit discriminant D.

Example 3. k = 9

r = x^6 − 6x^5 + 9x^4 + 11x^3 − 6x^2 − 135x + 199
q = (25x^10 − 170x^9 + 309x^8 + 552x^7 − 414x^6 − 8418x^5 + 14448x^4 + 19788x^3 − 7647x^2 − 69455x + 26782)/116964
t = (5x^5 − 17x^4 + 2x^3 + 62x^2 + 169x − 292)/171
ρ = 1.67

When x ≡ 5 mod 228, t(x) represents integers, and q(x) and r(x) = r(x)/3249 represent primes. For x0 = 228 · 2112858 + 5, we find a 276-bit prime q(x0), a 161-bit prime r(x0) and a 7-digit discriminant D.

Example 4. k = 14

r = x^6 − 9x^5 + 39x^4 − 113x^3 + 247x^2 − 361x + 239
q = (112896x^10 − 1512672x^9 + 10413433x^8 − 49081848x^7 + 177965900x^6 − 509878376x^5 + 1154173284x^4 − 2058571856x^3 + 2820840912x^2 − 2614606087x + 1154058254)/16957924
t = (336x^5 − 2251x^4 + 7956x^3 − 19738x^2 + 38404x − 34096)/2059
ρ = 1.67

When x ≡ −4103 mod 8236, t(x) represents integers, and q(x) and r(x) = r(x)/2059 represent primes. For x0 = 8236 · 64315 − 4103, we find a 282-bit prime q(x0), a 162-bit prime r(x0) and a 7-digit discriminant D.

Example 5. k = 18

r = x^6 − 6x^5 + 21x^4 − 53x^3 + 114x^2 − 219x + 199
q = (874225x^10 − 6662810x^9 + 34936749x^8 − 128600664x^7 + 416829522x^6 − 1120371430x^5 + 2498783092x^4 − 4623410524x^3 + 7114427969x^2 − 9203489499x + 6261741218)/343805764
t = (935x^5 − 3563x^4 + 11894x^3 − 23446x^2 + 57907x − 80210)/9271
ρ = 1.67

When x ≡ −299 mod 37084, t(x) represents integers, and q(x) and r(x) = r(x)/9271 represent primes. For x0 = 37084 · 33364 − 299, we find a 293-bit prime q(x0), a 168-bit prime r(x0) and a 7-digit discriminant D.

Example 6. k = 20

r = x^8 − 6x^7 + 13x^6 − 20x^5 + 26x^4 + 10x^3 + 152x^2 − 812x + 841
q = (92708070400x^14 − 714143833920x^13 + 2255402671569x^12 − 5210892379116x^11 + 10022557272354x^10 − 8342884990396x^9 + 35392168251935x^8 − 204576745286458x^7 + 415829812712022x^6 − 683623117562634x^5 + 927144884880025x^4 + 408959682852398x^3 + 2182740233494449x^2 − 14256792204764844x + 13847701403612408)/40174756782736
t = (304480x^7 − 1172727x^6 + 1445274x^5 − 2990457x^4 + 1510380x^3 + 6311911x^2 + 60575089x − 117761576)/3169178
ρ = 1.75

When x ≡ 134125 mod 6338356, t(x) represents integers, and q(x) and r(x) = r(x)/45953081 represent primes. For x0 = 6338356 · 136400 + 134125, we find a 546-bit prime q(x0), a 291-bit prime r(x0) and a 10-digit discriminant D.

We have tried searching for pairing-friendly curves with embedding degree k ∈ {8, 10, 12, 15, 16, 24, 30} and the CM equation of degree 1, but we could not find an integer-valued polynomial q(x).

5 Conclusion

We have completely classified a basis for Q(ζk) used to produce a family of pairing-friendly curves with the CM equation of degree 1. Using a change-of-basis matrix and this classification of a basis for Q(ζk), we have proposed a new algorithm that can be used to construct a family of pairing-friendly curves with the CM equation of degree 1, and we present new families of curves with larger discriminants. An obvious next step is to study the construction of curves with the CM equation of degree 2 and curves of prime order. In this case, however, it seems to be difficult to determine what the conditions on a basis for Q(ζk) should be. We leave this as an open problem.

Acknowledgement. We thank anonymous referees for their helpful comments.

References

1. Avanzi, R.M., Cohen, H., Doche, C., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman & Hall/CRC, Sydney (2006)

2. Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm. Journal of Cryptology 11, 141–145 (1998)

3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)

5. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)

6. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptography 37, 133–141 (2005)

7. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997)

8. Freeman, D.: Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006)

9. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves (2006) (preprint), http://eprint.iacr.org/2006/372

10. Galbraith, S., McKee, J., Valenca, P.: Ordinary abelian varieties having small embedding degree. Finite Fields and Applications 13, 800–814 (2007)

11. Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000)

12. Hungerford, T.W.: Algebra. Graduate Texts in Mathematics, vol. 73. Springer, Heidelberg (1996)

13. Kachisa, E., Schaefer, E., Scott, M.: Constructing Brezing-Weng pairing friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)

14. Larson, R., Edwards, H., Falvo, C.: Elementary linear algebra, 5th edn. Houghton Mifflin Company (2004)


15. Lee, E., Lee, H.-S., Park, C.-M.: Efficient and Generalized Pairing Computation on Abelian Varieties. IEEE Transactions on Information Theory 55(4) (2009)

16. Sutherland, A.V.: Computing Hilbert class polynomials with the Chinese Remainder Theorem. Preprint: arXiv:0903.2785v1

17. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security (SCIS 2000) (2000)

18. Tanaka, S., Nakamula, K.: Constructing pairing-friendly elliptic curves using factorization of cyclotomic polynomials. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 136–145. Springer, Heidelberg (2008)


On the Final Exponentiation for Calculating Pairings on Ordinary Elliptic Curves

Michael Scott*, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez**, and Ezekiel J. Kachisa

School of Computing, Dublin City University

Ballymun, Dublin 9, [email protected]

Abstract. When performing a Tate pairing (or a derivative thereof) on an ordinary pairing-friendly elliptic curve, the computation can be looked at as having two stages, the Miller loop and the so-called final exponentiation. As a result of good progress being made to reduce the Miller loop component of the algorithm (particularly with the discovery of “truncated loop” pairings like the R-ate pairing [18]), the final exponentiation has become a more significant component of the overall calculation. Here we exploit the structure of pairing-friendly elliptic curves to reduce to a minimum the computation required for the final exponentiation.

Keywords: Tate pairing, addition sequences, addition chains.

1 Introduction

The most significant parameter of a pairing-friendly elliptic curve is its embedding degree. For an elliptic curve over a field $\mathbb{F}_q$, $q = p^m$, $p$ prime, there must exist a large subgroup of points on the curve of prime order $r$, such that $k$ is the smallest integer for which $r \mid q^k - 1$. This integer $k$ is then the embedding degree with respect to $r$, and to be considered useful it should be in the range 2–50 [13]. In fact, this condition can be simplified to $k$ being the smallest integer such that $r \mid \Phi_k(q)$ [2], where $\Phi_k(\cdot)$ is the $k$th cyclotomic polynomial. We will restrict our attention to the case of even embedding degrees, which are more useful and practical, as they support the important denominator elimination optimization [2].

The Tate pairing $e(P, Q)$ (and its variants) takes as parameters two linearly independent points $P$ and $Q$, at least one of which must be of order $r$, on $E(\mathbb{F}_{q^k})$, and the pairing $e(P, Q)$ evaluates as an element of order $r$ in the multiplicative group of the extension field $\mathbb{F}_{q^k}$. In many cases the points $P$ and $Q$ can be over smaller extension fields, and at least one of them can be defined over $\mathbb{F}_q$ [4], [5].

* Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.

** This author acknowledges support from the Consejo Nacional de Ciencia y Tecnología.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 78–88, 2009. © Springer-Verlag Berlin Heidelberg 2009


On the Final Exponentiation for Calculating Pairings 79

Pairing based cryptography on elliptic curves depends on the existence of pairing-friendly curves. Two basic choices are available, the supersingular curves over any finite field, and ordinary pairing-friendly elliptic curves over $\mathbb{F}_p$. In the former case we are strictly limited in terms of the available embedding degree; a maximum of $k = 6$ is possible, but only on curves over fields of characteristic 3.

Note that the embedding degree relates the two types of “hard problem” which support the security of pairing based cryptography. We need both the elliptic curve discrete logarithm problem (ECDLP) in the subgroup of size $r$ and the finite field discrete logarithm problem (DLP) in the multiplicative group of the extension field $\mathbb{F}_{q^k}$ to be equivalently hard. There exist subexponential algorithms to solve the DLP, but only square root algorithms to solve the ECDLP, so to achieve the 80-bit level of security (defined as requiring an attacker to perform at least $2^{80}$ operations to break), we need $r \approx 160$ bits and $q^k \approx 1024$ bits. For an efficient implementation we would like $k = 6 \approx 1024/160$, the maximum possible for supersingular elliptic curves; but this level of security is already being questioned. At higher levels of security, a larger value of $k$ would be desirable. Indeed, at the standard 128-bit level of security, it has been suggested that pairing-friendly curves with an embedding degree of $k = 12$ would be ideal [9], [15].

Fortunately, ordinary pairing-friendly elliptic curves also exist, for which (contrary to the supersingular curves) we have an unlimited choice of $k$. Given that we can construct pairing-friendly elliptic curves with any embedding degree, it seems that the long term viability of pairing-based cryptosystems is largely dependent on the efficient use of these curves.

2 Ordinary Pairing-Friendly Elliptic Curves

One of the first suggested methods for the construction of non-supersingular pairing-friendly elliptic curves $E(\mathbb{F}_p)$ was by Cocks and Pinch [6]. Their method easily generates curves of any embedding degree $k$, but with one major disadvantage – the ratio $\rho = \lg(p)/\lg(r)$ is approximately 2. This $\rho$-value is a useful yardstick for pairing-friendly curves, and we would prefer it to be closer to 1, as this results in faster implementations. It is normal to choose one of the parameters of the pairing to be a point on the base field $E(\mathbb{F}_p)$, and we would therefore like $p$ to be as small as possible in relation to $r$. With a Cocks-Pinch curve, however, $p$ will have twice as many bits as necessary to support a pairing-friendly group of order $r$.

If we exclude the Cocks-Pinch curves, we are left with numerous “families” of pairing-friendly curves which have been discovered, each of which has a $\rho$-value usually much closer to 1 than to 2. Many such families of ordinary pairing-friendly elliptic curves have been suggested – see the Freeman, Scott and Teske taxonomy for details [13]. These families have one striking feature in common – the prime characteristic $p$ and the group $r$ are described as rather simple polynomials with relatively small integer coefficients. It is our aim to exploit this simple form in a systematic way to speed up the final exponentiation for all families of non-supersingular pairing-friendly elliptic curves.

80 M. Scott et al.

3 The Final Exponentiation

After the main Miller loop – with which we are not concerned here, see [10] for details – the Tate pairing (and its variants) must all carry out an extra step to ensure a unique result of the pairing. To this end the output of the Miller loop $m$ must be raised to the power of $(p^k - 1)/r$ to obtain a result of order $r$. Note that this exponent is determined by fixed system parameters, and therefore methods of exponentiation optimised for fixed exponents are applicable here.

This final exponent can be broken down into three components. Let $d = k/2$. Then

$(p^k - 1)/r = (p^d - 1) \cdot [(p^d + 1)/\Phi_k(p)] \cdot [\Phi_k(p)/r].$

For example if $k = 12$ the final exponent becomes

$(p^{12} - 1)/r = (p^6 - 1) \cdot (p^2 + 1) \cdot [(p^4 - p^2 + 1)/r].$

The first two parts of the exponentiation are “easy” as raising to the power of $p$ is an almost free application of the Frobenius operator, as $p$ is the field characteristic. The first part of the exponentiation is not only cheap (although it does require an extension field division), it also simplifies the rest of the final exponentiation. After raising to the power of $(p^d - 1)$ the field element becomes “unitary” [24], that is, an element $\alpha$ with norm $N_{\mathbb{F}_{p^k}/\mathbb{F}_{p^d}}(\alpha) = 1$. This has important implications, as squaring of unitary elements is significantly cheaper than squaring of non-unitary elements, and any future inversions can be implemented by simple conjugation [25], [24], [15], [21].

This brings us to the “hard part” of the final exponentiation, raising to the power of $\Phi_k(p)/r$. The usual continuation is to express this exponent to the base $p$ as $\lambda_{n-1} \cdot p^{n-1} + \ldots + \lambda_1 \cdot p + \lambda_0$, where $n = \phi(k)$, and $\phi(\cdot)$ is the Euler totient function. If the value to be exponentiated is $m$, then we need to calculate

$m^{\lambda_{n-1} \cdot p^{n-1}} \cdots m^{\lambda_1 \cdot p} \cdot m^{\lambda_0},$

which is the same as

$(m^{p^{n-1}})^{\lambda_{n-1}} \cdots (m^p)^{\lambda_1} \cdot m^{\lambda_0}.$

The $m^{p^i}$ can be calculated using the Frobenius, and the hard part of the final exponentiation can be calculated using a fast multi-exponentiation algorithm [16], [14], [19].

These methods, however, do not exploit the polynomial description of $p$ and $r$. It is our intention to do so, and hence obtain a faster hard part of the final exponentiation. Each family is different in detail, so we will proceed on a case-by-case basis.


4 The MNT Curves

The MNT pairing-friendly elliptic curves were reported by Miyaji et al. [20]. For the $k = 6$ case the prime $p$ and the group order $r$ parameters are expressed as:

$p(x) = x^2 + 1$;
$r(x) = x^2 - x + 1$;
$t(x) = x + 1$.

In this case the hard part of the final exponentiation is to the power of $(p^2 - p + 1)/r$. Substituting from the above one might anticipate an exponentiation to the power of $(x^4 + x^2 + 1)/(x^2 - x + 1) = x^2 + x + 1$. Expressing this to the base $p$, it becomes simply $(p + x)$. So the hard part of the final exponentiation is $m^p \cdot m^x$ – an application of the Frobenius and a simple exponentiation to the power of $x$. The advantage of deriving the hard part of the exponentiation in terms of the family parameter $x$ is clearly illustrated.

5 The BN Curves

The BN family of pairing-friendly curves [5] has an embedding degree of 12, and is parameterised as follows:

$p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1$;
$r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1$;
$t(x) = 6x^2 + 1$.

In this case the hard part of the final exponentiation is to the power of $(p^4 - p^2 + 1)/r$. After substituting the polynomials for $p$ and $r$ this can be expressed to the base $p$ as

$\lambda_3 \cdot p^3 + \lambda_2 \cdot p^2 + \lambda_1 \cdot p + \lambda_0,$

where

$\lambda_3(x) = 1$;
$\lambda_2(x) = 6x^2 + 1$;
$\lambda_1(x) = -36x^3 - 18x^2 - 12x + 1$;
$\lambda_0(x) = -36x^3 - 30x^2 - 18x - 2$.

Now we take a new approach. BN curves are very plentiful, and it already helps the Miller loop if we choose $x$ to have a low Hamming weight. In fact Nogami et al. [22] have suggested the nice choice of $x = -\mathtt{4080000000000001}_{16}$ for a curve appropriate for the 128-bit level of security. Next we compute $m^x$, $m^{x^2} = (m^x)^x$ and $m^{x^3} = (m^{x^2})^x$. These are simple exponentiations, and the low Hamming weight of $x$ ensures that each requires a minimum of multiplications when using a simple square-and-multiply algorithm. We next calculate $m^p$, $m^{p^2}$, $m^{p^3}$, $(m^x)^p$, $(m^{x^2})^p$, $(m^{x^3})^p$ and $(m^{x^2})^{p^2}$ using the Frobenius. Now group the elements of the exponentiation together, and the expression becomes:


$[m^p \cdot m^{p^2} \cdot m^{p^3}] \cdot [1/m]^2 \cdot [(m^{x^2})^{p^2}]^6 \cdot [(m^x)^p]^{12} \cdot [m^x/(m^{x^2})^p]^{18} \cdot [1/m^{x^2}]^{30} \cdot [m^{x^3} \cdot (m^{x^3})^p]^{36}.$

The individual components between the square brackets are then calculated with just 4 multiplications (recalling that division costs the same as a multiplication, as inversion is just a conjugation), and we end up with a calculation of the form:

$y_0 \cdot y_1^2 \cdot y_2^6 \cdot y_3^{12} \cdot y_4^{18} \cdot y_5^{30} \cdot y_6^{36}.$

Note that the exponents here are simply the coefficients that arise in the $\lambda_i$ equations above. Now how best to evaluate this expression? In fact there is a well known algorithm to evaluate expressions of this form, which minimizes the number of required multiplications. See Olivos [23], and also [1, Section 9.2] for a nice worked example. The starting point is to find an addition sequence: an addition chain which includes within it the elements of the set of integers which occur as exponents. In this case it is not hard to see that an optimal addition sequence (the shortest sequence containing all values) is given by:

{1, 2, 3, 6, 12, 18, 30, 36}.

Note that 3 is the only member of the addition chain which is not a member of the set of exponents. This is certainly serendipitous, as it means less work to do the evaluation. Observe here that an addition-subtraction chain is also a possibility (as divisions are as cheap as multiplications as a consequence of the unitary property). But we don’t require one here. Application of the Olivos algorithm results in the following vectorial addition chain:

(1 0 0 0 0 0 0) (0 1 0 0 0 0 0) (0 0 1 0 0 0 0) (0 0 0 1 0 0 0) (0 0 0 0 1 0 0)
(0 0 0 0 0 1 0) (0 0 0 0 0 0 1) (2 0 0 0 0 0 0) (2 0 1 0 0 0 0) (2 1 1 0 0 0 0)
(0 1 0 1 0 0 0) (2 2 1 1 0 0 0) (2 1 1 0 1 0 0) (4 4 2 2 0 0 0) (6 5 3 2 1 0 0)
(12 10 6 4 2 0 0) (12 10 6 4 2 1 0) (12 10 6 4 2 0 1) (24 20 12 8 4 2 0) (36 30 18 12 6 2 1)


which in turn allows us to evaluate the expression as follows, using just two temporary variables:

$T_0 \leftarrow (y_6)^2$
$T_0 \leftarrow T_0 \cdot y_4$
$T_0 \leftarrow T_0 \cdot y_5$
$T_1 \leftarrow y_3 \cdot y_5$
$T_1 \leftarrow T_1 \cdot T_0$
$T_0 \leftarrow T_0 \cdot y_2$
$T_1 \leftarrow (T_1)^2$
$T_1 \leftarrow T_1 \cdot T_0$
$T_1 \leftarrow (T_1)^2$
$T_0 \leftarrow T_1 \cdot y_1$
$T_1 \leftarrow T_1 \cdot y_0$
$T_0 \leftarrow (T_0)^2$
$T_0 \leftarrow T_0 \cdot T_1$

The final result is in $T_0$. This part of the calculation requires only 9 multiplications and 4 squarings. We find this approach to the hard part of the final exponentiation for the BN curves to be about 4% faster than the rather ad hoc method proposed by Devegili et al. [9] (7156 modular multiplications/squarings over $\mathbb{F}_p$ compared to 7426 for the choice of $x$ suggested above). Moreover our more general method is applicable to all families of pairing-friendly curves.
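As an added check of the Section 5 procedure (example code written for this page, not the authors' implementation), the following Python evaluates the $\lambda_i$ at the Nogami $x$, confirms they reassemble $(p^4 - p^2 + 1)/r$, traces the thirteen-step sequence on exponent vectors, and then runs it in $(\mathbb{Z}/N\mathbb{Z})^*$ for a constructed prime $N$ in place of $\mathbb{F}_{p^{12}}^*$. It assumes the bracketed expression is evaluated with the magnitude of $x$ (which is what makes it agree with the $\lambda_i$ at the signed, negative $x$) and treats the Frobenius as an ordinary exponentiation rather than a free map.

```python
# Added example, not from the paper: end-to-end check of the Section 5 BN hard-part
# method. Group arithmetic is done in (Z/NZ)^* for a constructed prime N, standing in
# for F_{p^12}^*: the exponent bookkeeping is identical in any abelian group; only the
# free Frobenius and the cheap unitary squaring are not modelled.

X = -0x4080000000000001          # Nogami et al. choice of x (quoted in the paper)
N = 2**127 - 1                   # constructed modulus (a Mersenne prime)

def bn_params(x):
    """p(x) and r(x) of the BN family (t(x) = 6x^2 + 1 is not needed here)."""
    p = 36*x**4 + 36*x**3 + 24*x**2 + 6*x + 1
    r = 36*x**4 + 36*x**3 + 18*x**2 + 6*x + 1
    return p, r

def bn_lambdas(x):
    """The paper's lambda_3 .. lambda_0 for (p^4 - p^2 + 1)/r written to base p."""
    return (1,
            6*x**2 + 1,
            -36*x**3 - 18*x**2 - 12*x + 1,
            -36*x**3 - 30*x**2 - 18*x - 2)

def hard_exponent(x):
    """(p^4 - p^2 + 1)/r, which is an exact integer for a BN parameter x."""
    p, r = bn_params(x)
    num = p**4 - p**2 + 1
    assert num % r == 0
    return num // r

def lambdas_match(x):
    """Check lambda_3 p^3 + lambda_2 p^2 + lambda_1 p + lambda_0 == (p^4 - p^2 + 1)/r."""
    p, _ = bn_params(x)
    l3, l2, l1, l0 = bn_lambdas(x)
    return l3*p**3 + l2*p**2 + l1*p + l0 == hard_exponent(x)

# The thirteen-step evaluation sequence from the paper, as data:
# ("sqr", dst, src) squares, ("mul", dst, a, b) multiplies.
CHAIN = [
    ("sqr", "T0", "y6"),       ("mul", "T0", "T0", "y4"),
    ("mul", "T0", "T0", "y5"), ("mul", "T1", "y3", "y5"),
    ("mul", "T1", "T1", "T0"), ("mul", "T0", "T0", "y2"),
    ("sqr", "T1", "T1"),       ("mul", "T1", "T1", "T0"),
    ("sqr", "T1", "T1"),       ("mul", "T0", "T1", "y1"),
    ("mul", "T1", "T1", "y0"), ("sqr", "T0", "T0"),
    ("mul", "T0", "T0", "T1"),
]

def run_chain(y, mul, sqr):
    """Run CHAIN over the seven inputs y0..y6 with the supplied group operations.
    Returns (result, number of multiplications, number of squarings)."""
    env = {"y%d" % i: v for i, v in enumerate(y)}
    nmul = nsqr = 0
    for op in CHAIN:
        if op[0] == "sqr":
            env[op[1]] = sqr(env[op[2]]); nsqr += 1
        else:
            env[op[1]] = mul(env[op[2]], env[op[3]]); nmul += 1
    return env["T0"], nmul, nsqr

def chain_exponents():
    """Trace the chain symbolically: a multiplication adds exponent vectors and a
    squaring doubles one, so the result must be the vector (1, 2, 6, 12, 18, 30, 36)."""
    basis = [tuple(int(i == j) for j in range(7)) for i in range(7)]
    return run_chain(basis,
                     lambda a, b: tuple(u + v for u, v in zip(a, b)),
                     lambda a: tuple(2*u for u in a))

def bn_hard_part_via_chain(m, x, modulus):
    """m^((p^4 - p^2 + 1)/r) computed as the paper groups it: y0 . y1^2 ... y6^36."""
    p, _ = bn_params(x)
    u = -x        # assumption: the bracketed expression uses |x| (x is negative here)
    inv = lambda a: pow(a, -1, modulus)
    mul = lambda a, b: a * b % modulus
    mx, mp = pow(m, u, modulus), pow(m, p, modulus)
    mx2, mp2 = pow(mx, u, modulus), pow(mp, p, modulus)
    mx3, mp3 = pow(mx2, u, modulus), pow(mp2, p, modulus)
    mxp, mx2p, mx3p = (pow(v, p, modulus) for v in (mx, mx2, mx3))
    mx2p2 = pow(mx2p, p, modulus)
    y = [mul(mul(mp, mp2), mp3),     # y0 = m^p . m^{p^2} . m^{p^3}
         inv(m),                     # y1 = 1/m
         mx2p2,                      # y2 = (m^{x^2})^{p^2}
         mxp,                        # y3 = (m^x)^p
         mul(mx, inv(mx2p)),         # y4 = m^x / (m^{x^2})^p
         inv(mx2),                   # y5 = 1/m^{x^2}
         mul(mx3, mx3p)]             # y6 = m^{x^3} . (m^{x^3})^p
    result, _, _ = run_chain(y, mul, lambda a: a * a % modulus)
    return result

def bn_hard_part_direct(m, x, modulus):
    """Reference value: a single modular exponentiation by the full hard exponent."""
    return pow(m, hard_exponent(x), modulus)

if __name__ == "__main__":
    print(lambdas_match(X), chain_exponents())
    print(bn_hard_part_via_chain(12345, X, N) == bn_hard_part_direct(12345, X, N))
```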

6 Freeman Curves

In [12] a construction is suggested for pairing-friendly elliptic curves of embedding degree 10. The parameters for this family are as follows:

$p(x) = 25x^4 + 25x^3 + 25x^2 + 10x + 3$;
$r(x) = 25x^4 + 25x^3 + 15x^2 + 5x + 1$;
$t(x) = 10x^2 + 5x + 3$.

These curves are much rarer than the BN curves, and unfortunately it is not feasible to choose $x$ to have a particularly small Hamming weight. Nevertheless proceeding as above we find:

$\lambda_3(x) = 1$;
$\lambda_2(x) = 10x^2 + 5x + 5$;
$\lambda_1(x) = -5x^2 - 5x - 3$;
$\lambda_0(x) = -25x^3 - 15x^2 - 15x - 2$.

In this case the coefficients form a perfect addition chain:

{1, 2, 3, 5, 10, 15, 25}.

The optimal vectorial addition chain in this case requires 10 multiplications and 2 squarings.

7 KSS Curves

Recently Kachisa et al. [17] described a new method for generating pairing-friendly elliptic curves.

7.1 The k = 8 Family of Curves

Here are the parameters for the family of k = 8 KSS curves:

$p(x) = (x^6 + 2x^5 - 3x^4 + 8x^3 - 15x^2 - 82x + 125)/180$;
$r(x) = (x^4 - 8x^2 + 25)/450$;
$t(x) = (2x^3 - 11x + 15)/15$.

For these curves $\rho = 3/2$. As in the case of the BN curves, $x$ can be chosen to have a low Hamming weight. Proceeding as above we find:

$\lambda_3(x) = (15x^2 + 30x + 75)/6$;
$\lambda_2(x) = (2x^5 + 4x^4 - x^3 + 26x^2 - 55x - 144)/6$;
$\lambda_1(x) = (-5x^4 - 10x^3 - 5x^2 - 80x + 100)/6$;
$\lambda_0(x) = (x^5 + 2x^4 + 7x^3 + 28x^2 + 10x + 108)/6$.

A minor difficulty arises due to the common denominator of 6 which occurs here. We suggest a simple solution – since 6 is co-prime to $r$ – evaluate instead the sixth power of the pairing. This does not affect the important properties of the pairing when $r$ is of cryptographic size, and now we can simply ignore the denominator. We find by brute-force computer search that we can construct the following optimal addition sequence which contains all the exponents in the above equations:

{1, 2, 4, 5, 7, 10, 15, 25, 26, 28, 30, 36, 50, 55, 75, 80, 100, 108, 144}.

The numbers 25, 36 and 50 (underlined in the original; they are not coefficients of any $\lambda_i$) are the extra numbers added in order to complete the sequence. Proceeding as in the BN case we find that the vectorial addition chain derived from this addition sequence requires just 27 multiplications and 6 squarings to complete the calculation of the hard part of the final exponentiation.

7.2 The k = 18 Family of Curves

Here are the parameters for the family of k = 18 KSS curves:

$p(x) = (x^8 + 5x^7 + 7x^6 + 37x^5 + 188x^4 + 259x^3 + 343x^2 + 1763x + 2401)/21$;
$r(x) = (x^6 + 37x^3 + 343)/343$;
$t(x) = (x^4 + 16x + 7)/7$.

In this case $\rho = 4/3$ but nonetheless this curve might make a good choice for a pairing at the 192-bit level of security. Again, as for the case of the BN curves, $x$ can in practice be chosen with a low Hamming weight, for example $x = \mathtt{15000001502A042AA}_{16}$, although we are somewhat constrained here in our choice by the extra requirement that $p(x)$, $r(x)$ and $t(x)$ evaluate as integers and $x \equiv 14 \bmod 42$ [17]. Proceeding again as above, we find:

$\lambda_5(x) = (49x^2 + 245x + 343)/3$;
$\lambda_4(x) = (7x^6 + 35x^5 + 49x^4 + 112x^3 + 581x^2 + 784x)/3$;
$\lambda_3(x) = (-5x^7 - 25x^6 - 35x^5 - 87x^4 - 450x^3 - 609x^2 + 54)/3$;
$\lambda_2(x) = (-49x^5 - 245x^4 - 343x^3 - 931x^2 - 4802x - 6517)/3$;
$\lambda_1(x) = (14x^6 + 70x^5 + 98x^4 + 273x^3 + 1407x^2 + 1911x)/3$;
$\lambda_0(x) = (-3x^7 - 15x^6 - 21x^5 - 62x^4 - 319x^3 - 434x^2 + 3)/3$.

Using the same argument as in the KSS $k = 8$ curves case, we evaluate the cube of the pairing to remove the awkward denominator of 3. In this case the coefficients again “nearly” form a natural addition chain. Our best attempt to find an addition sequence containing all of the exponents in the above, is:

{1, 2, 3, 4, 5, 7, 8, 14, 15, 16, 21, 25, 28, 35, 42, 49, 54, 62, 70, 87, 98, 112, 147, 245, 273, 294, 319, 343, 392, 434, 450, 581, 609, 784, 931, 1162, 1407, 1862, 1911, 3724, 4655, 4802, 6517}.

Proceeding as in the BN case we find that the vectorial chain derived from this addition sequence requires just 56 multiplications and 14 squarings to complete the calculation of the hard part of the final exponentiation. In fact we did eventually find (by partial computer search) an addition sequence one element shorter than the above, but as it required 61 multiplications and only 7 squarings, we prefer to use the solution above as the computations are performed over an extension field and squarings are therefore notably cheaper than multiplications.
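The addition sequences quoted for the BN, Freeman and both KSS families (Sections 5 to 7.2) can be checked mechanically. The Python below is an added example, not the authors' search code: it verifies that each sequence is an addition chain containing every $\lambda_i$ coefficient (denominators removed as the text describes) and lists the members that are not coefficients, which for KSS $k = 8$ are the numbers the paper underlines.

```python
# Added example, not the authors' search code: validate the addition sequences
# quoted in Sections 5-7 and recover their "extra" (non-coefficient) members.

# Absolute values of the lambda_i coefficients as printed in the paper, with the
# common denominators (6 for KSS k=8, 3 for KSS k=18) already removed.
LAMBDA_COEFFS = {
    "BN k=12": [1, 6, 1, 36, 18, 12, 1, 36, 30, 18, 2],
    "Freeman k=10": [1, 10, 5, 5, 5, 5, 3, 25, 15, 15, 2],
    "KSS k=8": [15, 30, 75, 2, 4, 1, 26, 55, 144, 5, 10, 5, 80, 100,
                1, 2, 7, 28, 10, 108],
    "KSS k=18": [49, 245, 343, 7, 35, 49, 112, 581, 784,
                 5, 25, 35, 87, 450, 609, 54, 49, 245, 343, 931, 4802, 6517,
                 14, 70, 98, 273, 1407, 1911, 3, 15, 21, 62, 319, 434, 3],
}

# The addition sequences quoted in the paper for each family.
SEQUENCES = {
    "BN k=12": [1, 2, 3, 6, 12, 18, 30, 36],
    "Freeman k=10": [1, 2, 3, 5, 10, 15, 25],
    "KSS k=8": [1, 2, 4, 5, 7, 10, 15, 25, 26, 28, 30, 36, 50, 55, 75, 80,
                100, 108, 144],
    "KSS k=18": [1, 2, 3, 4, 5, 7, 8, 14, 15, 16, 21, 25, 28, 35, 42, 49, 54, 62,
                 70, 87, 98, 112, 147, 245, 273, 294, 319, 343, 392, 434, 450,
                 581, 609, 784, 931, 1162, 1407, 1862, 1911, 3724, 4655, 4802,
                 6517],
}

def is_addition_chain(seq):
    """An addition chain starts at 1 and every later member is the sum of two
    (not necessarily distinct) earlier members; a doubling is the case u == v - u."""
    if not seq or seq[0] != 1:
        return False
    seen = set()
    for v in seq:
        if v != 1 and not any((v - u) in seen for u in seen):
            return False
        seen.add(v)
    return True

def extra_members(seq, coeffs):
    """Chain members that are not exponents (the paper's underlined numbers)."""
    return sorted(set(seq) - set(coeffs))

def check_family(name):
    """Return (is a valid addition sequence for the family, extra members)."""
    seq, coeffs = SEQUENCES[name], LAMBDA_COEFFS[name]
    ok = is_addition_chain(seq) and set(coeffs) <= set(seq)
    return ok, extra_members(seq, coeffs)

if __name__ == "__main__":
    for name in SEQUENCES:
        ok, extra = check_family(name)
        print(name, "valid" if ok else "INVALID", "length", len(SEQUENCES[name]),
              "extra members", extra)
```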

8 Discussion

Here we make a few general observations. First, it seems that the proposed method results in surprisingly compact addition sequences. We note also that the coefficients in the $\lambda_i$ tend to be “smooth” numbers, having only relatively small factors. This may facilitate the construction of addition sequences. Other intriguing patterns emerge – observe for example that for the KSS $k = 18$ curves the three most significant coefficients of the $\lambda_i$ are all in the same ratio 1:5:7. Coefficients also appear to follow the same kind of distribution as numbers in a typical addition chain.

We have also used the proposed method for other families of pairing-friendly curves, and have observed that for example for the $k = 8$, $\rho = 5/4$ curve proposed by Brezing and Weng [8], and the $k = 12$, $\rho = 3/2$ curve found by Barreto et al. [3], the resulting addition sequence is often as easy as:

{1, 2, 3}.

Since squarings are significantly faster than multiplications (as our computations are over extension fields) it may, as we have seen, be sometimes preferable to select a slightly longer addition sequence which trades additions for doublings. Addition-subtraction sequences may also be an attractive alternative in other cases.

Finding the shortest addition sequence is an NP-complete problem [11] but since the values we obtained in each set are relatively small, and the sets themselves already contained some addition ‘subchains,’ it was not too difficult to generate, either with a computer or manually, addition sequences containing the specific entries with length close to the lower bound given for the length of addition chains [7]. Should a particular curve result in larger or more numerous coefficients to be constructed into a sequence, Bos and Coster suggest an algorithm for that scenario in [7].

9 Conclusions

We have suggested a general method for the implementation of the hard part of the final exponentiation in the calculation of the Tate pairing and its variants, which is faster, generally applicable, and which requires less memory than previously described methods. The most efficient variant of the Tate pairing is currently the R-ate pairing [18]. An intriguing possibility is that, given only the polynomial equations defining a pairing-friendly family of elliptic curves, it should now be possible, and indeed appropriate, to write a computer program which would automatically generate very efficient R-ate pairing code.

Acknowledgement

We would like to acknowledge the anonymous referees for their suggestions.

References

1. Avanzi, R., Cohen, H., Doche, C., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman and Hall/CRC, Boca Raton (2006)

2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)

3. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003)

4. Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004)

5. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

6. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography, vol. 2. Cambridge University Press, Cambridge (2005)

7. Bos, J., Coster, M.: Addition chain heuristics. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 400–407. Springer, Heidelberg (1990)

8. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptography 37, 133–141 (2005)

9. Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007)

10. Doche, C., Lange, T.: Arithmetic of elliptic curves. In: Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp. 267–302. Chapman & Hall/CRC, Boca Raton (2006)

11. Downey, P., Leong, B., Sethi, R.: Computing sequences with addition chains. SIAM Journal on Computing 3, 638–696 (1981)

12. Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006)

13. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/2006/372

14. Granger, R., Page, D., Smart, N.P.: High security pairing-based cryptography revisited. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 480–494. Springer, Heidelberg (2006)

15. Hankerson, D., Menezes, A., Scott, M.: Software implementation of pairings. CACR Technical Report (2008), http://www.cacr.math.uwaterloo.ca/

16. Hei, L., Dong, J., Pei, D.: Implementation of cryptosystems based on Tate pairing. J. Comput. Sci. & Technology 20(2), 264–269 (2005)

17. Kachisa, E., Schaefer, E., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)

18. Lee, E., Lee, H.-S., Park, C.-M.: Efficient and generalized pairing computation on abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008), http://eprint.iacr.org/2008/040

19. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996), http://cacr.math.uwaterloo.ca/hac

20. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals E84-A(5), 1234–1243 (2001)

21. Naehrig, M., Barreto, P.S.L.M., Schwabe, P.: On compressible pairings and their computation. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 371–388. Springer, Heidelberg (2008)

22. Nogami, Y., Akane, M., Sakemi, Y., Kato, H., Morikawa, Y.: Integer variable X-based ate pairing. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 178–191. Springer, Heidelberg (2008)

23. Olivos, J.: On vectorial addition chains. Journal of Algorithms 2, 13–21 (1981)

24. Scott, M., Barreto, P.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004), http://eprint.iacr.org/2004/032/

25. Stam, M., Lenstra, A.K.: Efficient subgroup exponentiation in quadratic and sixth degree extensions. In: Kaliski Jr., B.S., Koc, C.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 318–332. Springer, Heidelberg (2003)


Faster Pairings on Special Weierstrass Curves

Craig Costello*, Huseyin Hisil, Colin Boyd, Juan Gonzalez Nieto, and Kenneth Koon-Ho Wong

Information Security Institute, Queensland University of Technology,

GPO Box 2434, Brisbane QLD 4001, Australia

{craig.costello,h.hisil,c.boyd,j.gonzaleznieto,kk.wong}@qut.edu.au

Abstract. This paper presents efficient formulas for computing cryptographic pairings on the curve $y^2 = cx^3 + 1$ over fields of large characteristic. We provide examples of pairing-friendly elliptic curves of this form which are of interest for efficient pairing implementations.

Keywords: Tate pairing, Miller’s algorithm, elliptic curves.

1 Introduction

Bilinear pairings have found many applications in cryptography, such as the identity-based encryption scheme of Boneh and Franklin [11], the one-round tripartite key agreement scheme of Joux [18] and the short signature scheme of Boneh, Lynn and Shacham [12]. To implement pairing-based protocols in practice, it is necessary to match curves which are pairing-friendly with an efficient pairing algorithm. The most efficient method of computing pairings is Miller’s algorithm [23]. Each iteration of this process requires three significant computations: (i) point operations, i.e. point doubling and/or point addition; (ii) Miller line function computations and (iii) updating the Miller function value. In this paper we explore the $j$-invariant zero curve $y^2 = cx^3 + 1$ and provide new formulas that facilitate a faster pairing computation on this curve by decreasing the number of computationally expensive field operations encountered in stage (ii).

For pairing computations with even embedding degree $k$, the curve $y^2 = cx^3 + 1$ allows the Miller doubling stage to be computed in $(k+3)m + 5s + 1M + 1S$, where $m$ and $s$ denote the costs of multiplication and squaring in the base field while $M$ and $S$ denote the costs of multiplication and squaring in the extension field of degree $k$. For the more general $j$-invariant zero curve $y^2 = x^3 + b$, the fastest Miller doubling operation count recorded to date is $(k+3)m + 8s + 1M + 1S$ [1], meaning that the special curve $y^2 = cx^3 + 1$ offers an advantage of $3s$ at the doubling stage.

We provide practically useful examples of the curve $y^2 = cx^3 + 1$ for different embedding degrees. For the majority of embedding degrees $k \le 50$, the curve generation technique we adopt achieves $\rho$-values similar to the best values presented in [14]. We draw comparisons between the curve we employ and other special curves and discuss where this curve model would be optimal in practice.

* This author acknowledges funding from the Queensland Government Smart State PhD Scholarship.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 89–101, 2009. © Springer-Verlag Berlin Heidelberg 2009

90 C. Costello et al.

The remainder of this paper is organised as follows. §2 gives a brief overview of pairings. §3 explains our search for a faster Weierstrass model and efficient group operations. §4 presents the optimization of the new formulas for the computation of the Tate pairing. §5 discusses curve generation and provides some practical examples and §6 summarizes our contributions and compares them with the literature. In the appendices, we share our scripts that verify the main claims of §3 and §4. The appendices also provide more intrinsic details on the realization of the proposed formulas.

2 Background on Pairings

This section gives a brief background on pairings. Galbraith gives a more comprehensive survey [15].

Let $\mathbb{F}_q$ be a finite field with $q = p^n$ elements where $p \ge 5$ is prime and let $E$ be an elliptic curve def
ined over $\mathbb{F}_q$. Let $\mathcal{O}$ denote the identity on $E$. Let $r$ be a large prime that is coprime to $q$ such that $r \mid \#E(\mathbb{F}_q)$ and let $k$ be the embedding degree of $E$ with respect to $r$. For practical purposes we assume that $k > 1$. We call $\mathbb{F}_q$ the base field and $\mathbb{F}_{q^k}$ the extension field. Let $f_{i,P} \in \mathbb{F}_q(E)$ be a function with divisor $\mathrm{div}(f_{i,P}) = i(P) - ([i]P) - (i-1)(\mathcal{O})$.

The Tate pairing. Choose a point $P \in E(\mathbb{F}_q)[r]$; this implies $\mathrm{div}(f_{r,P}) = r(P) - r(\mathcal{O})$. Let $Q \in E(\mathbb{F}_{q^k})/rE(\mathbb{F}_{q^k})$ and let $\mu_r$ denote the group of $r$-th roots of unity in $\mathbb{F}_{q^k}^*$. The reduced Tate pairing $e_r$ [4] is defined as

$e_r : (P, Q) \mapsto f_{r,P}(Q)^{(q^k - 1)/r} \in \mu_r.$

Algorithm 1. Miller’s algorithm
Input: $P \in E(\mathbb{F}_{q^k})[r]$, $Q \in E(\mathbb{F}_{q^k})$, $r = (r_{m-1} \ldots r_1 r_0)_2$ with $r_{m-1} = 1$.
Output: $f_{r,P}(Q) \leftarrow f_{var}$.

1: $R \leftarrow P$, $f_{var} \leftarrow 1$.
2: for $i = m - 2$ down to $0$ do
3: Compute lines $l_{dbl}$ and $v_{dbl}$ for doubling $R$.
4: $R \leftarrow [2]R$.
5: $f_{var} \leftarrow f_{var}^2 \cdot l_{dbl}(Q)/v_{dbl}(Q)$.
6: if $r_i = 1$ then
7: Compute lines $l_{add}$ and $v_{add}$ for adding $R$ and $P$.
8: $R \leftarrow R + P$.
9: $f_{var} \leftarrow f_{var} \cdot l_{add}(Q)/v_{add}(Q)$.
10: end if
11: end for
12: return $f_{var}$.


Faster Pairings on Special Weierstrass Curves 91

Miller’s algorithm [23] computes the paired value iteratively by taking advantage of the fact that $f_{i+j,P}$ can be written as $f_{i+j,P} = f_i \cdot f_j \cdot l/v$, where $l$ and $v$ are the lines used in the computation of $[i]P + [j]P = [i+j]P$. That is, $l$ is the line that intersects $E$ at $[i]P$, $[j]P$ and $-[i+j]P$, and $v$ is the vertical line that intersects $E$ at both $[i+j]P$ and $-[i+j]P$. This enables us to compute the function $f_{2i,P}$ from $f_{i,P}$ directly by evaluating the lines that are used in point doubling of $P$. Similarly, we can compute the function $f_{i+1,P}$ from $f_{i,P}$ so that $f_{r,P}$ can be computed in $\log_2 r$ steps, as summarised in Algorithm 1.

There are many other optimizations which speed up the computation of the Miller loop in certain settings, including the denominator elimination technique [4], uses of efficiently computable endomorphisms [27], [16], and loop shortening techniques [2], [17], [3], [22], [30], [21], [29].

3 Choice of Curve

In this section we specify the choice of curve that facilitates an efficient iteration of the Miller loop.

Let $E$ be a Weierstrass form elliptic curve $y^2 = x^3 + ax + b$. Let $(x_1, y_1)$ be a point in $E(\mathbb{F}_q) - \{O\}$. We then have $(x_1, y_1) + (x_1, -y_1) = O$. Further let $(x_2, y_2)$ be a point in $E(\mathbb{F}_q) - \{O\}$ such that $y_2 \neq 0$ and $(x_2, y_2) \neq (x_1, -y_1)$. We then have $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ where

$$x_3 = \lambda^2 - x_1 - x_2, \qquad (1)$$

$$y_3 = \lambda(x_1 - x_3) - y_1 \qquad (2)$$

with

$$\lambda = \begin{cases} (y_1 - y_2)/(x_1 - x_2) & \text{if } (x_1, y_1) \neq (x_2, y_2), \\ (3x_1^2 + a)/(2y_1) & \text{if } (x_1, y_1) = (x_2, y_2). \end{cases}$$

In the literature, addition using (1) and (2) in the case $(x_1, y_1) = (x_2, y_2)$ is named point doubling. Similarly the case $(x_1, y_1) \neq (x_2, y_2)$ is named point addition. We shall follow the same nomenclature.

In our experiments we have observed that it is possible to rewrite the doubling formulas as follows provided that $b \neq 0$ is a square in $\mathbb{F}_q$ such that $c^2 = b$. We have $[2](x_1, y_1) = (x_3, y_3)$ where

$$x_3 = x_1(\mu - \mu^2) + a\sigma, \qquad (3)$$

$$y_3 = (y_1 - c)\mu^3 + a\delta - c \qquad (4)$$

with $\mu = (y_1 + 3c)/(2y_1)$, $\sigma = (a - 3x_1^2)/(2y_1)^2$, $\delta = (3x_1(y_1 - 3c)(y_1 + 3c) - a(9x_1^2 + a))/(2y_1)^3$. Computer aided proofs of the correctness of formulas (3) and (4) are provided in Appendix A. In the derivation of these formulas we have consulted [24]. The new point doubling formulas strike us with an interesting property: the total degrees¹ of $x_3$ and $y_3$ are lower than those of the original point doubling formulas. Furthermore the total degrees of the new formulas are minimal. This can be verified using Algorithm 2 of [24, §4]. In particular, the total degree of $x_3$ and $y_3$ drops from 6 to 5 and from 9 to 7, respectively.

¹ The total degree is defined as the sum of the degrees of the numerator and denominator of a rational function.

The evaluation of lower degree functions often requires fewer field operations. However, it seems that the original point doubling formulas still win in affine coordinates. On the other hand, we will eventually be forced to switch to homogeneous projective or Jacobian coordinates in order to prevent costly inversions. Therefore it is worthwhile to check operation counts in these coordinates. We will delay the details until §4.

If we work on the elliptic curve $y^2 = x^3 + c^2$, i.e. $a = 0$, the formulas (3) and (4) become much simpler. In addition, in order to prevent the computational disadvantage of field operations with $c$ in the doubling formulas, we prefer to work with another representation of the same curve given by $y^2 = cx^3 + 1$. This curve is isomorphic over $\mathbb{F}_q$ to the Weierstrass curve $v^2 = u^3 + c^2$. The isomorphism from $y^2 = cx^3 + 1$ to $v^2 = u^3 + c^2$ is given by $\sigma : (x, y) \mapsto (u, v) = (cx, cy)$ with the inverse $\sigma^{-1} : (u, v) \mapsto (x, y) = (u/c, v/c)$.

Again, we denote the identity on $y^2 = cx^3 + 1$ by $O$, and point negation is performed by negating the $y$-coordinate. Using the same notation as in the original formulas, we have $[2](x_1, y_1) = (x_3, y_3)$ where

$$x_3 = x_1(\mu - \mu^2), \qquad (5)$$

$$y_3 = (y_1 - 1)\mu^3 - 1 \qquad (6)$$

with $\mu = (y_1 + 3)/(2y_1)$, and we have $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ where

$$x_3 = c^{-1}\lambda^2 - x_1 - x_2, \qquad (7)$$

$$y_3 = \lambda(x_1 - x_3) - y_1 \qquad (8)$$

with $\lambda = (y_1 - y_2)/(x_1 - x_2)$. The point $(0, 1)$ is of order 3. Computer aided proofs of the correctness of formulas (5), (6), (7), and (8) are provided in Appendix B.

4 Tate Pairing Computation on $y^2 = cx^3 + 1$

In this section we further investigate the arithmetic of $y^2 = cx^3 + 1$ to assist efficient computation of the Tate pairing. We first derive suitable line equations to compute the Miller value at both the doubling and addition stages. We then eliminate unnecessary computations before converting all computations to projective representation to avoid inversions. We provide several appendices that verify our claims.

Barreto et al. [6] show that it is possible to eliminate costly operations in Miller's algorithm provided the point where the Miller function is evaluated is chosen suitably. In the Tate pairing, the vertical line functions $v$ ($v_{\mathrm{dbl}}$ and $v_{\mathrm{add}}$) in Algorithm 1 are evaluated at the point $Q = (x_Q, y_Q)$. These vertical line functions take the form $v = x_R - x_Q$, where $R = (x_R, y_R)$ is the intermediate point in Algorithm 1. The computations in Miller's algorithm can be simplified if $v$ takes a value in a proper subfield $\mathbb{F}_{q^d} \subset \mathbb{F}_{q^k}$. When computing the Tate pairing on curves with even embedding degrees $k = 2d$, we choose $Q$ to enable this simplification by choosing a point $Q'$ on the quadratic twist $E'$ of $E$ and mapping $Q'$ to $Q$ under the twisting isomorphism, meaning that $x_Q \in \mathbb{F}_{q^d}$ and $y_Q = \tilde{y}_Q\sqrt{\nu}$, where $\tilde{y}_Q \in \mathbb{F}_{q^d}$ and $\nu$ is some quadratic non-residue in $\mathbb{F}_{q^d}$.

The Miller values. If we derive the line equations arising from the addition of $(x_1, y_1)$ and $(x_2, y_2)$ we obtain

$$g_{\mathrm{add}} = \frac{c\,(\lambda(x_2 - x_Q) - y_2 + y_Q)}{c(x_1 + x_2 + x_Q) - \lambda^2} \qquad (9)$$

where $\lambda = (y_1 - y_2)/(x_1 - x_2)$ and $g_{\mathrm{add}} = l_{\mathrm{add}}(Q)/v_{\mathrm{add}}(Q)$ (refer to Line 9 of Algorithm 1). This formula shares several common subexpressions with (7) and (8).

For the case $(x_1, y_1) = (x_2, y_2)$, we propose a new formula for the line computation which uses several shared common subexpressions with the new point doubling formulas (5) and (6). The new formula is given by

$$g_{\mathrm{dbl}} = \frac{2cy_1(x_1 - x_Q)^2}{x_1^2(3cx_Q) - y_1^2 + 3 + 2y_1y_Q}, \qquad (10)$$

where $g_{\mathrm{dbl}} = l_{\mathrm{dbl}}(Q)/v_{\mathrm{dbl}}(Q)$ (refer to Line 5 of Algorithm 1). Furthermore, if $(x_1, y_1) = -(x_2, y_2)$ we have

$$g_{\mathrm{vert}} = -c(x_1 - x_Q). \qquad (11)$$

Computer aided proofs of the correctness of our formulas are provided in Appendix C.

Irrelevant factors. We now focus on eliminating the irrelevant factors in equations (9) and (10) by adopting the denominator elimination technique [7]. Recall that $y_Q$ is the only element that appears in the formulas above² that is in the full extension field $\mathbb{F}_{q^k}$. We immediately notice that the denominator of $g_{\mathrm{add}}$ in equation (9) is completely contained in $\mathbb{F}_{q^d}$ and can therefore be eliminated, to give

$$g'_{\mathrm{add}} = (y_1 - y_2)(x_2 - x_Q) - (x_1 - x_2)(y_2 - y_Q). \qquad (12)$$

With identical reasoning we can omit the numerator of $g_{\mathrm{dbl}}$ in equation (10). These eliminations are standard. Now, observe that since $y_Q$ is of the form $y_Q = \tilde{y}_Q\sqrt{\nu}$, we can write the denominator as $1/(t_1 + t_2\sqrt{\nu})$ where $t_1 = x_1^2(3cx_Q) - y_1^2 + 3$ and $t_2 = 2y_1\tilde{y}_Q$. If the Miller value is computed in this fashion there will be an inversion at the end of the Miller loop. Even worse, both the numerator and the denominator of $f_{\mathrm{var}}$ would have to be updated at each iteration of the Miller loop since the addition step produces a non-trivial numerator. To prevent this we multiply the numerator and the denominator of $1/(t_1 + t_2\sqrt{\nu})$ by the conjugate expression $t_1 - t_2\sqrt{\nu}$ to give $(t_1 - t_2\sqrt{\nu})/(t_1^2 - t_2^2\nu)$. Since $t_1^2 - t_2^2\nu \in \mathbb{F}_{q^d}$ we can simply omit the denominator to give

$$g'_{\mathrm{dbl}} = x_1^2(3cx_Q) - y_1^2 + 3 - 2y_1y_Q. \qquad (13)$$

² The point $(x_2, y_2)$ represents $P \in E(\mathbb{F}_q)$ and the point $(x_1, y_1)$ represents $R \in E(\mathbb{F}_q)$ in Algorithm 1, a multiple of $P$, so that $x_1, x_2, y_1, y_2 \in \mathbb{F}_q$.


94 C. Costello et al.

It also follows that if $(x_1, y_1) = -(x_2, y_2)$ we have $g'_{\mathrm{vert}} = 1$. If $r$ is odd, the Miller loop always finishes in this fashion, so we ignore the point addition in the final iteration.
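The following is an added example and not code from the paper: a Python implementation of Algorithm 1 on $y^2 = cx^3 + 1$ that uses the doubling formulas (5) and (6), the addition formulas (7) and (8), and the eliminated line functions (12) and (13), in the simplest setting where the elimination applies, a supersingular curve over $\mathbb{F}_p$ with $p \equiv 2 \pmod 3$ and $k = 2$. The toy parameters $p = 131$, $c = 3$, $r = 11$ and the choice $\nu = -1$ are the example's own assumptions. $Q$ is represented by a point on the twist $y^2 = -cx^3 - 1$, so that $x_Q \in \mathbb{F}_p$ and $y_Q = \tilde{y}_Q\sqrt{\nu}$, exactly the form assumed above, and the final check confirms bilinearity and non-degeneracy of the pairing values rather than trusting any single value.

```python
# Added example (not the paper's code): reduced Tate pairing on y^2 = C*x^3 + 1
# over F_p with p = 2 (mod 3), k = 2, using formulas (5)-(8), (12), (13).
# P_MOD, C, R are constructed toy parameters; F_{p^2} = F_p(sqrt(NU)), NU = -1,
# which is a non-residue because P_MOD = 3 (mod 4).
P_MOD, C, R = 131, 3, 11
NU = P_MOD - 1

def inv(a):
    return pow(a % P_MOD, -1, P_MOD)

def add(P, Q, A):
    """Affine P + Q on y^2 = A*x^3 + B over F_p (O is None). A = C is the curve E;
    A = -C is the twist y^2 = -C*x^3 - 1 used to hold the point Q."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0: return None        # Q = -P
        lam = 3 * A * x1 * x1 * inv(2 * y1)            # tangent slope
    else:
        lam = (y1 - y2) * inv(x1 - x2)                 # chord slope, as in (7)-(8)
    x3 = (inv(A) * lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul(n, P, A):
    """Double-and-add scalar multiplication [n]P."""
    acc = None
    for bit in bin(n)[2:]:
        acc = add(acc, acc, A)
        if bit == '1': acc = add(acc, P, A)
    return acc

def double_new(P):
    """[2](x1, y1) on y^2 = C*x^3 + 1 via the paper's formulas (5) and (6)."""
    x1, y1 = P
    mu = (y1 + 3) * inv(2 * y1) % P_MOD
    return (x1 * (mu - mu * mu) % P_MOD, ((y1 - 1) * pow(mu, 3, P_MOD) - 1) % P_MOD)

def f2mul(u, v):
    """(a + b*sqrt(NU)) * (c + d*sqrt(NU)) in F_{p^2}, elements as (a, b) pairs."""
    (a, b), (c, d) = u, v
    return ((a * c + NU * b * d) % P_MOD, (a * d + b * c) % P_MOD)

def f2pow(u, e):
    acc = (1, 0)
    for bit in bin(e)[2:]:
        acc = f2mul(acc, acc)
        if bit == '1': acc = f2mul(acc, u)
    return acc

def sqrt_mod(v):
    """Square root in F_p for p = 3 (mod 4), or None if v is a non-residue."""
    s = pow(v % P_MOD, (P_MOD + 1) // 4, P_MOD)
    return s if s * s % P_MOD == v % P_MOD else None

def point_of_order_r(A, B):
    """First point of order R on y^2 = A*x^3 + B found by cofactor multiplication;
    #E(F_p) = p + 1 for every j-invariant-zero curve when p = 2 (mod 3)."""
    for x in range(1, P_MOD):
        y = sqrt_mod(A * x ** 3 + B)
        if y:
            T = mul((P_MOD + 1) // R, (x, y), A)
            if T is not None: return T

def tate(P, Qt):
    """e_r(P, Q) for P in E(F_p)[r] and Q = (xQ, yQt*sqrt(NU)) given by its twist
    point Qt = (xQ, yQt). Algorithm 1 with g'_dbl from (13) and g'_add from (12);
    (x2, y2) is P and (x1, y1) is the running point R, as in footnote 2."""
    xQ, yQt = Qt
    x2, y2 = P
    Rp, f = P, (1, 0)
    bits = bin(R)[2:]
    for i, bit in enumerate(bits[1:]):
        x1, y1 = Rp
        # (13): x1^2 (3 c xQ) - y1^2 + 3 - 2 y1 yQ, split into F_p and sqrt(NU) parts
        g = ((3 * C * x1 * x1 * xQ - y1 * y1 + 3) % P_MOD, (-2 * y1 * yQt) % P_MOD)
        f = f2mul(f2mul(f, f), g)
        Rp = double_new(Rp)
        if bit == '1' and i < len(bits) - 2:     # r odd: last addition is vertical, g'_vert = 1
            x1, y1 = Rp
            # (12): (y1 - y2)(x2 - xQ) - (x1 - x2)(y2 - yQ)
            g = (((y1 - y2) * (x2 - xQ) - (x1 - x2) * y2) % P_MOD, (x1 - x2) * yQt % P_MOD)
            f = f2mul(f, g)
            Rp = add(Rp, P, C)
    return f2pow(f, (P_MOD * P_MOD - 1) // R)       # final exponentiation into mu_r

def bilinearity_check(a=4, b=7):
    """Returns (e(P,Q), e([a]P,[b]Q) == e(P,Q)^(ab), e(P,Q) != 1)."""
    P = point_of_order_r(C, 1)
    Qt = point_of_order_r(-C % P_MOD, P_MOD - 1)
    e = tate(P, Qt)
    lhs = tate(mul(a, P, C), mul(b, Qt, -C % P_MOD))
    return e, lhs == f2pow(e, a * b), e != (1, 0)
```

Every factor dropped by the elimination lies in $\mathbb{F}_p$, and $p - 1$ divides the final exponent $(p^2 - 1)/r$, so the values agree with those of the unoptimised Miller loop; scalar multiplication of $Q$ is done on the twist, which is legitimate because the twisting isomorphism is a group homomorphism.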

We next present point doubling and point addition formulas together with their associated line formulas in homogeneous projective coordinates. Our experiments gave the best results in homogeneous coordinates rather than Jacobian coordinates for doublings and additions. While additions generally favour projective coordinates, it is interesting to note that doublings on this curve are also faster in projective coordinates. In particular, the number of field operations for the doubling is 4m + 3s, while the best known doubling speeds so far are 2m + 5s, but in Jacobian coordinates. So this representation achieves the best addition speed and the best doubling speed (up to some m/s tradeoffs) in the same coordinate system.

Homogeneous projective coordinates. In homogeneous projective coordinates each point $(x, y)$ is represented by the triplet $(X : Y : Z)$ which satisfies the projective equation $Y^2Z = cX^3 + Z^3$ and corresponds to the affine point $(X/Z, Y/Z)$ with $Z \neq 0$. The identity element is represented by $(0 : 1 : 0)$. The negative of $(X : Y : Z)$ is $(X : -Y : Z)$.

Point doubling with line computation. Given $(X_1 : Y_1 : Z_1)$ with $Z_1 \neq 0$ the point doubling can be performed as $[2](X_1 : Y_1 : Z_1) = (X_3 : Y_3 : Z_3)$ where

$$X_3 = 2X_1Y_1(Y_1^2 - 9Z_1^2),$$
$$Y_3 = (Y_1 - Z_1)(Y_1 + 3Z_1)^3 - 8Y_1^3Z_1, \qquad (14)$$
$$Z_3 = 8Y_1^3Z_1.$$

These formulas are derived from (5) and (6) in Section 3. Point doubling without line computation needs 4m + 3s using the following sequence of operations.

$$A = Y_1^2,\quad B = Z_1^2,\quad C = (Y_1 + Z_1)^2 - A - B,\quad Z_3 = 4A \cdot C,$$
$$X_3 = 2X_1 \cdot Y_1 \cdot (A - 9B),\quad Y_3 = (A - 3B + C) \cdot (A + 9B + 3C) - Z_3.$$

The line formula derived from (13) is given by

$$g''_{\mathrm{dbl}} = X_1^2(3cx_Q) - Y_1^2 + 3Z_1^2 - 2Y_1Z_1y_Q \qquad (15)$$
$$\phantom{g''_{\mathrm{dbl}}} = E \cdot (3cx_Q) - A + 3B - C \cdot y_Q$$

where $E = X_1^2$ and $A$, $B$, $C = 2Y_1Z_1$ are as in the doubling sequence above.

Assume that $3cx_Q$ is precomputed. If $Q$ is chosen according to the discussion at the start of this section, then multiplication with $3cx_Q$ or with $y_Q$ counts as $(k/2)$m.

The point doubling with line computation needs $(k + 3)$m + 5s if $k$ is even. In this operation count we have further exploited an additional m/s tradeoff when calculating $2X_1Y_1$ in the point doubling formulas, which can now be computed as $(X_1 + Y_1)^2 - E - A$.

See Appendix D for further justifications and details on the operation scheduling.


Point addition with line computation. Given $(X_1 : Y_1 : Z_1)$ and $(X_2 : Y_2 : Z_2)$ with $Z_1 \neq 0$ and $Z_2 \neq 0$ and $(X_1 : Y_1 : Z_1) \neq (X_2 : Y_2 : Z_2)$, an addition can be performed as $(X_1 : Y_1 : Z_1) + (X_2 : Y_2 : Z_2) = (X_3 : Y_3 : Z_3)$ where

$$X_3 = (X_1Z_2 - Z_1X_2)\big(Z_1Z_2(Y_1Z_2 - Z_1Y_2)^2 - c(X_1Z_2 + Z_1X_2)(X_1Z_2 - Z_1X_2)^2\big),$$
$$Y_3 = (Y_1Z_2 - Z_1Y_2)\big(c(2X_1Z_2 + Z_1X_2)(X_1Z_2 - Z_1X_2)^2 - Z_1Z_2(Y_1Z_2 - Z_1Y_2)^2\big) - cY_1Z_2(X_1Z_2 - Z_1X_2)^3, \qquad (16)$$
$$Z_3 = cZ_1Z_2(X_1Z_2 - Z_1X_2)^3.$$

These formulas are derived from (1) and (2) in Section 3. Point addition without line computation needs 12m + 2s + 1c if $Z_2$ is arbitrary and 9m + 2s + 1c if $Z_2 = 1$. Note that c stands for a multiplication with $c$.

The line formula derived from (12) is given by

$$g''_{\mathrm{add}} = (Y_1Z_2 - Z_1Y_2)(X_2 - x_QZ_2) - (X_1Z_2 - Z_1X_2)Y_2 + (X_1Z_2 - Z_1X_2)Z_2y_Q. \qquad (17)$$

Assuming that $Q$ is chosen according to the discussion at the start of this section, multiplication with $(X_2 - x_QZ_2)$ or with $Z_2y_Q$ counts as $(k/2)$m each. If $Z_2 = 1$, point addition with line computation needs $(k + 10)$m + 2s + 1c when $k$ is even. If $Z_2$ is arbitrary and $(X_2 - x_QZ_2)$ and $Z_2y_Q$ are precomputed, point addition with line computation needs $(k + 13)$m + 2s + 1c when $k$ is even.

The algorithm that we use for the point addition part is a slightly modified version of the Cohen/Miyaji/Ono algorithm [13]. We omit details here and refer to Appendix D for justifications and details on the operation scheduling.

5 Curve Generation

This section discusses generating pairing-friendly curves of the form $y^2 = cx^3 + 1$. We also point out a minor adjustment to be made to the pairing definition when employing this curve in the supersingular setting.

Implementing the Tate pairing on the curve $y^2 = cx^3 + 1$ requires the construction of the $j$-invariant zero curve $y^2 = x^3 + b$ where $b = c^2$ for $c \in \mathbb{F}_q$. All $j$-invariant zero curves have a special endomorphism ring, and such curves have CM discriminant $D = 3$. In Construction 6.6 of [14], Freeman et al. extend the results of Barreto et al. [5] and Brezing and Weng [10] to efficiently construct $D = 3$ curves for all values of $k$ where $18 \nmid k$. Freeman et al. discuss that this construction achieves the best ρ-value curve families for the majority of embedding degrees $k \leq 50$.

Our experiments showed that for most embedding degrees this method of construction will efficiently produce a curve of the desired form with the best ρ-value; however, the extra condition we impose on the curve constant (being a quadratic residue) is restrictive. For instance, we were unable to obtain a $k = 8$ curve with $b$ a square using this construction. For $k = 12$, constructing the curve $y^2 = cx^3 + 1$ gives $\rho \approx 3/2$, which is significantly larger than what can be obtained for BN curves [10] where $b$ is non-square, for which $D$ is also 3 but which have the optimal ρ-value of $\rho = 1$.

Nevertheless, there is a wide range of useful embedding degrees that would welcome the speedups offered on the curve $y^2 = cx^3 + 1$. We present two pairing-friendly examples of the curve using Construction 6.6 of [14].

$k = 12$, $\rho \approx 3/2$, $c = 1$,

q = 0x55555583E6AAB5415B22F364648CF7D4A1A9716C687F05339126A5FC2A09 (239 bits),

r = 0x10000005D24000CB530E5C544B4E84E5B34F41BD1 (161 bits),

t = 0x1000000174A (41 bits).

$k = 24$, $\rho \approx 5/4$, $c = 3$,

q = 0x577380D96AF284FCF9200C2CC966EC756D86B4CBF2A3AAD3C1 (199 bits),

r = 0x105121CA61CB6CAF9EF3A835A4442784FFF816AF1 (161 bits),

t = 0x100A0F (21 bits).
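As an added example (not from the paper), the following Python checks the two parameter sets above the way an implementer would before using them: probable primality of $q$ and $r$, the Hasse bound, $r \mid \#E(\mathbb{F}_q) = q + 1 - t$, the factor 3 in the group order forced by the order-3 point $(0, 1)$, the embedding degree, and the ρ-value. The $q$, $r$, $t$, $k$ and $c$ values are copied from the text; the additional check that $x = t - 1$ satisfies $r = x^{k/3} - x^{k/6} + 1$ and $q = (x - 1)^2 r/3 + x$ is this example's own assumption about the polynomial shape Construction 6.6 of [14] produces for $k = 12$ and $k = 24$, and the Miller-Rabin bases are the example's choice.

```python
# Added example (not the paper's code): consistency checks on the published
# parameter sets. q, r, t, k, c are copied from the text; the BLS-style
# relations tested in bls_shape() are an assumption of this example.
import random

CURVES = [
    dict(k=12, c=1,
         q=0x55555583E6AAB5415B22F364648CF7D4A1A9716C687F05339126A5FC2A09,
         r=0x10000005D24000CB530E5C544B4E84E5B34F41BD1,
         t=0x1000000174A),
    dict(k=24, c=3,
         q=0x577380D96AF284FCF9200C2CC966EC756D86B4CBF2A3AAD3C1,
         r=0x105121CA61CB6CAF9EF3A835A4442784FFF816AF1,
         t=0x100A0F),
]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with bases drawn from a fixed seed, so results are repeatable."""
    if n < 2: return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0: return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2; s += 1
    rng = random.Random(2009)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1): continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False                    # no square root of 1 reached: composite
    return True

def embedding_degree(q, r, bound=64):
    """Smallest k with r | q^k - 1, searched up to bound (None if not found)."""
    for k in range(1, bound + 1):
        if pow(q, k, r) == 1: return k
    return None

def bls_shape(cv):
    """Assumed shape for k = 12, 24: x = t - 1, r = Phi_k(x), q = (x-1)^2 r / 3 + x."""
    q, r, t, k = cv["q"], cv["r"], cv["t"], cv["k"]
    x = t - 1
    num = (x - 1) ** 2 * r
    return r == x ** (k // 3) - x ** (k // 6) + 1 and num % 3 == 0 and q == num // 3 + x

def check_curve(cv):
    q, r, t, k = cv["q"], cv["r"], cv["t"], cv["k"]
    n = q + 1 - t                           # #E(F_q) from the trace t
    return dict(
        q_prime=is_probable_prime(q),
        r_prime=is_probable_prime(r),
        hasse=t * t <= 4 * q,               # |t| <= 2 sqrt(q)
        r_divides_order=n % r == 0,
        three_torsion=n % 3 == 0,           # (0, 1) has order 3 on y^2 = c x^3 + 1
        k_matches=embedding_degree(q, r) == k,
        bls_shape=bls_shape(cv),
        rho=round(q.bit_length() / r.bit_length(), 3),
    )
```

The embedding-degree search is deliberately exhaustive up to a bound rather than assuming the advertised $k$, because a wrong $k$ silently changes the security level of the pairing group.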

Supersingular curves. When the characteristic of the underlying field is $p \equiv 2 \bmod 3$, the curve $y^2 = cx^3 + 1$ is supersingular with $k = 2$. We would usually define the symmetric pairing as $\hat{e} : G \times G \to G_T$ where $\hat{e}(P, Q) = e(P, \varphi(Q))$ and $\varphi$ is the distortion map $\varphi(x, y) = (\xi x, y)$ for some non-trivial cube root of unity $\xi \in \mathbb{F}_{p^2}$. However, using the distortion map in this manner would not allow the use of the formulas derived in §4, since these formulas were derived under the assumption that it was the $y$-coordinate of the second argument in the pairing that was in the extension field. Instead, we follow Scott's technique [26] and define the supersingular pairing as $\hat{e} : G \times G \to G_T$ where $\hat{e}(P, Q) = e(P, \theta(Q))$ and $\theta$ is defined as $\theta(Q) = \varphi(Q) - \pi_p(\varphi(Q))$, where $\pi_p$ is the $p$-power Frobenius endomorphism. For $Q = (x_Q, y_Q)$, we have that $\pi_p(\varphi(Q)) = \pi_p(\xi x_Q, y_Q) = (\xi^2 x_Q, y_Q)$ so that $\theta(Q)$ becomes $\theta(x_Q, y_Q) = (\xi x_Q, y_Q) - (\xi^2 x_Q, y_Q)$. The map $\theta$ is an isomorphism from the base field subgroup to the trace zero subgroup, where the $x$-coordinates lie in the base field and the $y$-coordinates are in the extension field, so that we can apply the formulas from §4 [26]. The inverse map from the trace zero subgroup to the base field subgroup is defined as $\theta^{-1}(Q) = \mathrm{Tr}(\varphi(Q))$, where $\mathrm{Tr}$ is the trace map.

6 Comparison and Conclusion

We have studied pairing computations on a non-standard Weierstrass curve of the form $y^2 = cx^3 + 1$. This is the most specific curve model studied so far since there are only 3 isomorphism classes of curves of this shape in the general case where $p \equiv 1 \bmod 3$. The main contribution of this paper is a faster computation of the Tate pairing on this special curve. Practical examples of such curves can be achieved using Construction 6.6 of [14]. There are many examples of embedding degrees for which this construction gives the best known ρ-value [14]; however, it remains an open question to find suitable curves of this form having ρ-values very close to 1 with practically interesting embedding degrees, e.g. $k = 8$.

The following table summarizes the advantage of employing this new curve in the Tate pairing by comparing our results with the fastest results achieved on other $j$-invariant zero curves documented prior to this work. The formulas given by Arene et al. [1] for $j$-invariant zero curves give an operation count that improves the operation count originally presented in [17], so we draw comparisons against these improved formulas below. We follow the trend of presenting the operation count for even $k$ [20], since this is generally preferred in practice [4], [7]. We do not include the multiplications and squarings that take place in the extension field $\mathbb{F}_{q^k}$, since these are common to all operation counts (see lines 5 and 9 of Algorithm 1).

Tate pairing        DBL             mADD                   ADD
Arene et al. [1]    (k + 3)m + 8s   (k + 6)m + 6s          (k + 12)m + 5s
This work           (k + 3)m + 5s   (k + 10)m + 2s + 1c    (k + 13)m + 2s + 1c

As $k$ gets large in the Tate pairing, the overall speed-up that is achieved through using the curve $y^2 = cx^3 + 1$ becomes less, since the more difficult operations in $\mathbb{F}_{q^k}$ consume more computation relative to those operations in the base field.

Lastly, we note that the EFD [9] reports 2m + 5s point doubling formulas in Jacobian coordinates for $j$-invariant zero curves. Therefore a protocol requiring scalar multiplications should use Jacobian coordinates and should only switch to our proposal when the pairing is being computed. This conversion comes at the cost of 2m + 1s + 1c by taking $(X : Y : Z)$ in Jacobian coordinates to $(XZ : Y : cZ^3)$ in homogeneous projective coordinates on the curve $y^2 = cx^3 + 1$.

Acknowledgements

The authors wish to thank Tanja Lange and the anonymous referees for helpful comments and corrections.

References

1. Arene, C., Lange, T., Naehrig, M., Ritzenthaler, C.: Faster pairing computation. Cryptology ePrint Archive, Report 2009/155 (2009), http://eprint.iacr.org/2009/155

2. Barreto, P.S.L.M., Galbraith, S.D., Ó hÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular Abelian varieties. Cryptology ePrint Archive, Report 2004/375 (2004), http://eprint.iacr.org/2004/375

3. Barreto, P.S.L.M., Galbraith, S.D., Ó hÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular Abelian varieties. Des. Codes Cryptography 42(3), 239–271 (2007)

4. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)

5. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003)

6. Barreto, P.S.L.M., Lynn, B., Scott, M.: Efficient implementation of pairing-based cryptosystems. Journal of Cryptology 17(4), 321–334 (2004)

7. Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004)

8. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

9. Bernstein, D.J., Lange, T.: Explicit-formulas database, http://www.hyperelliptic.org/EFD

10. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Cryptography 37(1), 133–141 (2005)

11. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)

12. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. Journal of Cryptology 17(4), 297–319 (2004)

13. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998)

14. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/2006/372

15. Galbraith, S.D.: Pairings. London Mathematical Society Lecture Note Series, vol. 317, pp. 183–213. Cambridge University Press, Cambridge (2005)

16. Galbraith, S.D., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 211–224. Springer, Heidelberg (2008)

17. Hess, F., Smart, N.P., Vercauteren, F.: The Eta pairing revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006)

18. Joux, A.: A one round protocol for tripartite Diffie-Hellman. Journal of Cryptology 17(4), 263–276 (2004)

19. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)

20. Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)

21. Lee, E., Lee, H.S., Park, C.M.: Efficient and generalized pairing computation on Abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008), http://eprint.iacr.org/2008/040

22. Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the Ate and twisted Ate pairings. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 302–312. Springer, Heidelberg (2007), http://eprint.iacr.org/2007/013

23. Miller, V.S.: The Weil pairing, and its efficient calculation. Journal of Cryptology 17(4), 235–261 (2004)

24. Monagan, M., Pearce, R.: Rational simplification modulo a polynomial ideal. In: ISSAC 2006, pp. 239–245. ACM, New York (2006)

25. Perez, L.J.D., Kachisa, E.J., Scott, M.: Implementing cryptographic pairings: a MAGMA tutorial. Cryptology ePrint Archive, Report 2009/072 (2009), http://eprint.iacr.org/2009/072

26. Scott, M.: Faster identity based encryption. Electronics Letters 40(14), 861–862 (2004)

27. Scott, M.: Faster pairings using an elliptic curve with an efficient endomorphism. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 258–269. Springer, Heidelberg (2005)

28. Scott, M., Benger, N., Charlemagne, M., Perez, L.J.D., Kachisa, E.J.: Fast hashing to G2 on pairing friendly curves. Cryptology ePrint Archive, Report 2008/530 (2008), http://eprint.iacr.org/2008/530

29. Vercauteren, F.: Optimal pairings. Cryptology ePrint Archive, Report 2008/096 (2008), http://eprint.iacr.org/2008/096

30. Zhao, C.A., Zhang, F., Huang, J.: A note on the Ate pairing. Cryptology ePrint Archive, Report 2007/247 (2007), http://eprint.iacr.org/2007/247

A Appendix

This Maple script verifies that (3) and (4) agree with the original point doubling formulas.

b:=c^2: W:=(x,y)->y^2-(x^3+a*x+b): #The short Weierstrass curve, W.
L:=(3*x1^2+a)/(2*y1): x3:=L^2-2*x1: y3:=L*(x1-x3)-y1: #Double on W.
mu:=(y1+3*c)/(2*y1): sigma:=(a-3*x1^2)/(2*y1)^2: #Double on W with new formulas.
delta:=(3*x1*(y1-3*c)*(y1+3*c)-a*(9*x1^2+a))/(2*y1)^3: #Double on W with new formulas.
x3new:=x1*(mu-mu^2)+a*sigma: y3new:=(y1-c)*mu^3+a*delta-c: #Double on W with new formulas.
simplify(x3-x3new,[W(x1,y1)]); simplify(y3-y3new,[W(x1,y1)]); #Check.

B Appendix

This Maple script verifies that (5), (6), (7), and (8) agree with the original doubling and addition formulas.

Q:=(x,y)->y^2-(c*x^3+1): #The curve considered in this work, Q.
W:=(u,v)->v^2-(u^3+c^2): #The short Weierstrass curve, W.
QtoW:=(x,y)->c*x,(x,y)->c*y: #The map from Q to W.
WtoQ:=(u,v)->u/c,(u,v)->v/c: #The map from W to Q.
##Verify the correctness of point addition formulas.
u1,v1:=QtoW(x1,y1): u2,v2:=QtoW(x2,y2): #Map the points (x1,y1) and (x2,y2) on Q to W.
L:=(v1-v2)/(u1-u2): u3:=L^2-u1-u2: v3:=L*(u1-u3)-v1: #Add on W with the original formulas.
x3,y3:=WtoQ(u3,v3): #Map the sum (u3,v3) on W to Q.
simplify(W(u3,v3),[Q(x1,y1),Q(x2,y2)]); #Check.
Lnew:=(y1-y2)/(x1-x2): x3new:=c^(-1)*Lnew^2-x1-x2: y3new:=Lnew*(x1-x3)-y1: ##Add on Q.
simplify(x3-x3new,[Q(x1,y1),Q(x2,y2)]); simplify(y3-y3new,[Q(x1,y1),Q(x2,y2)]); #Check.
unassign('Lnew','L','u2','v2','u3','v3','x3','y3','x3new','y3new');
##Verify the correctness of point doubling formulas.
L:=3*u1^2/(2*v1): u3:=L^2-2*u1: v3:=L*(u1-u3)-v1: #Double on W with the original formulas.
x3,y3:=WtoQ(u3,v3): #Map the double (u3,v3) on W to Q.
simplify(W(u3,v3),[Q(x1,y1)]); #Check.
mu:=(y1+3)/(2*y1): x3new:=x1*(mu-mu^2): y3new:=(y1-1)*mu^3-1: #Double on Q.
simplify(x3-x3new,[Q(x1,y1)]); simplify(y3-y3new,[Q(x1,y1)]); #Check.


C Appendix

This Maple script verifies the correctness of (9), (10), and (11).

Q:=(x,y)->y^2-(c*x^3+1): #The curve considered in this work, Q.
W:=(u,v)->v^2-(u^3+c^2): #The short Weierstrass curve, W.
QtoW:=(x,y)->c*x,(x,y)->c*y: #The maps from Q to W.
WtoQ:=(u,v)->u/c,(u,v)->v/c: #The maps from W to Q.
##Verify the correctness of the line formulas for addition.
u1,v1:=QtoW(x1,y1): u2,v2:=QtoW(x2,y2): uQ,vQ:=QtoW(xQ,yQ): ##(xi,yi) on Q to (ui,vi) on W.
L:=(v1-v2)/(u1-u2): l:=L*(u1-uQ)+vQ-v1: v:=uQ-(L^2-u1-u2): #Compute the addition-line on W.
Lnew:=(y1-y2)/(x1-x2): gadd:=c*(Lnew*(x2-xQ)-y2+yQ)/(c*(x1+x2+xQ)-Lnew^2): #New line on Q.
simplify(l/v-gadd,[Q(x1,y1),Q(x2,y2),Q(xQ,yQ)]); #Check.
##Verify the correctness of the line formulas for doubling.
L:=3*u1^2/(2*v1): l:=L*(u1-uQ)+vQ-v1: v:=uQ-(L^2-2*u1): #Compute the doubling-line on W.
gdbl:=2*c*y1*(x1-xQ)^2/(x1^2*(3*c*xQ)-y1^2+3+2*y1*yQ): #New line on Q.
simplify(l/v-gdbl,[Q(x1,y1),Q(xQ,yQ)]); #Check.
##Verify the correctness of the line formulas for the sum of negatives.
l:=uQ-u1: v:=1: #The vertical line on W.
gvert:=-c*(x1-xQ): #The new line on Q.
simplify(l/v-gvert,[Q(x1,y1),Q(x2,y2),Q(xQ,yQ)]); #Check.

D Appendix

This Maple script verifies the correctness of (14) and (15).

Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): x1:=X1/Z1: y1:=Y1/Z1:
x3:=x1*(y1^2-9)/(2*y1)^2: y3:=(y1-1)*(y1+3)^3/(2*y1)^3-1:
Line:=x1^2*(3*c*xQ)-y1^2+3-2*y1*yQ:
##Point doubling formulas in homogeneous projective coordinates.
X3:=2*X1*Y1*(Y1^2-9*Z1^2):
Y3:=(Y1-Z1)*(Y1+3*Z1)^3-8*Z1*Y1^3:
Z3:=(2*Y1*Z1)*(2*Y1)^2:
gDBL:=X1^2*(3*c*xQ)-Y1^2+3*Z1^2-2*Y1*Z1*yQ: #Line formulas.
simplify(x3-X3/Z3,[Q(X1,Y1,Z1)]); simplify(y3-Y3/Z3,[Q(X1,Y1,Z1)]); #Check.
factor(Line-gDBL/Z1^2); #Check.

This Maple script shows how to schedule operations for (14). The point doubling without line computation needs 4m + 3s + 0c.

Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3):
##Point doubling formulas with register allocations.
X3:=2*X1: X3:=X3*Y1: Z3:=3*Z1: t1:=Y1+Z3: t1:=t1^2: Y3:=Y1^2: Z3:=Z3^2: t2:=Y3-Z3:
t2:=3*t2: X3:=X3*t2: t2:=t2+Z3: t2:=t2+Z3: Z3:=Y3+Z3: Z3:=t1-Z3: t2:=t2+Z3: Z3:=Y3*Z3:
Z3:=4*Z3: Y3:=t1*t2: Y3:=Y3-Z3:
simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1)]); #Check.

This Maple script shows how to schedule operations for (14) and (15). Multiplication with c1 or with yQ counts as (k/2)m. Assume that c1 is precomputed. The point doubling with line computation needs 5m + 5s if k = 2 or, more generally, (k + 3)m + 5s if k is even.

Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3):
Line:=X1^2*(3*c*xQ)-Y1^2+3*Z1^2-2*Y1*Z1*yQ:
c1:=3*c*xQ: #Precomputed value.
##Point doubling formulas and line computation with register allocations.
t1:=X1+Y1: t2:=Y1+Z1: t1:=t1^2: t2:=t2^2: X3:=X1^2: Y3:=Y1^2: Z3:=Z1^2: t1:=t1-X3:
t1:=t1-Y3: t2:=t2-Y3: t2:=t2-Z3: Z3:=3*Z3: t3:=Y3-Z3: gDBL:=X3*c1-t3-t2*yQ:
t3:=t3+t2: t4:=3*Z3: X3:=Y3-t4: X3:=t1*X3: t1:=3*t2: t2:=t1+t2: Z3:=t2*Y3:
Y3:=Y3+t4: t1:=t1+Y3: Y3:=t3*t1: Y3:=Y3-Z3:
simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1)]); simplify(Line-gDBL); #Check.
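As an added example (not the paper's code), the Python below executes the register schedule of the preceding script over a constructed toy field with a small counting wrapper for $\mathbb{F}_p$, so the $(k + 3)$m + 5s claim can be confirmed by running it rather than read off the Maple statements; it also compares the projective output with the affine formulas (5), (6) and (13). The parameters $p = 131$, $c = 3$, $k = 2$ (so the two $(k/2)$m products cost 1m each), the input point $(1, 2)$ on $y^2 = 3x^3 + 1$ and the arbitrary $x_Q$, $\tilde{y}_Q$ used for the line identity are all this example's own choices; the $\sqrt{\nu}$ coefficient of the line value is carried as a separate $\mathbb{F}_p$ number.

```python
# Added example (not the paper's code): runs the Appendix D doubling-with-line
# schedule over F_131 while counting base-field m and s. P_MOD, C and the test
# point are constructed for this example; k = 2 is assumed.
P_MOD, C = 131, 3
COUNT = {"m": 0, "s": 0}

class Fp:
    """F_p element whose general products and squarings are tallied in COUNT."""
    def __init__(self, v): self.v = v % P_MOD
    def __add__(self, o): return Fp(self.v + o.v)
    def __sub__(self, o): return Fp(self.v - o.v)
    def __mul__(self, o):
        COUNT["m"] += 1
        return Fp(self.v * o.v)
    def sq(self):
        COUNT["s"] += 1
        return Fp(self.v * self.v)
    def times(self, k):                      # small-constant multiple: additions, not counted
        return Fp(self.v * k)

def dbl_with_line(X1, Y1, Z1, c1, yQt):
    """The Appendix D schedule statement for statement; c1 = 3*c*xQ is precomputed.
    Returns X3, Y3, Z3 of (14) and the line (15) as (F_p part, sqrt(nu) coefficient)."""
    t1 = (X1 + Y1).sq(); t2 = (Y1 + Z1).sq()
    X3 = X1.sq(); Y3 = Y1.sq(); Z3 = Z1.sq()
    t1 = t1 - X3; t1 = t1 - Y3               # 2*X1*Y1 by the m/s trade-off
    t2 = t2 - Y3; t2 = t2 - Z3               # 2*Y1*Z1
    Z3 = Z3.times(3); t3 = Y3 - Z3
    g_re = X3 * c1 - t3                      # E*(3 c xQ) - A + 3B
    g_im = Fp(0) - t2 * yQt                  # -2 Y1 Z1 * yQ~, coefficient of sqrt(nu)
    t3 = t3 + t2; t4 = Z3.times(3)
    X3 = Y3 - t4; X3 = t1 * X3
    t1 = t2.times(3); t2 = t1 + t2; Z3 = t2 * Y3
    Y3 = Y3 + t4; t1 = t1 + Y3; Y3 = t3 * t1; Y3 = Y3 - Z3
    return X3, Y3, Z3, (g_re, g_im)

def affine_double(x1, y1):
    """Formulas (5) and (6) with plain integers."""
    mu = (y1 + 3) * pow(2 * y1, -1, P_MOD) % P_MOD
    return x1 * (mu - mu * mu) % P_MOD, ((y1 - 1) * mu ** 3 - 1) % P_MOD

def affine_line13(x1, y1, xQ, yQt):
    """Formula (13) as (F_p part, sqrt(nu) coefficient)."""
    return (3 * C * x1 * x1 * xQ - y1 * y1 + 3) % P_MOD, (-2 * y1 * yQt) % P_MOD

def run_check(x1=1, y1=2, Z1=5, xQ=7, yQt=9):
    """(1, 2) lies on y^2 = 3x^3 + 1 mod 131; Z1 != 1 exercises projective scaling.
    Returns (projective point matches affine, line matches Z1^2 * (13), m, s)."""
    COUNT["m"] = COUNT["s"] = 0
    X3, Y3, Z3, (g_re, g_im) = dbl_with_line(Fp(x1 * Z1), Fp(y1 * Z1), Fp(Z1),
                                             Fp(3 * C * xQ), Fp(yQt))
    m, s = COUNT["m"], COUNT["s"]
    zinv = pow(Z3.v, -1, P_MOD)
    pts_ok = (X3.v * zinv % P_MOD, Y3.v * zinv % P_MOD) == affine_double(x1, y1)
    a_re, a_im = affine_line13(x1, y1, xQ, yQt)   # gDBL = Z1^2 * (13), as factor() shows
    z2 = Z1 * Z1
    line_ok = (g_re.v, g_im.v) == (a_re * z2 % P_MOD, a_im * z2 % P_MOD)
    return pts_ok, line_ok, m, s
```

Counting inside the field type rather than by hand is the cheap way to keep an implementation honest about its operation counts when the schedule is later modified.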


This Maple script verifies the correctness of (16) and (17).

Q1:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): x1:=X1/Z1: y1:=Y1/Z1: x2:=X2/Z2: y2:=Y2/Z2:
L:=(y1-y2)/(x1-x2): x3:=c^(-1)*L^2-x1-x2: y3:=L*(x1-x3)-y1:
Line:=(y1-y2)*(x2-xQ)-(x1-x2)*(y2-yQ):
##Point addition formulas in homogeneous projective coordinates.
X3:=(X1*Z2-Z1*X2)*(Z1*Z2*(Y1*Z2-Z1*Y2)^2-c*(X1*Z2+Z1*X2)*(X1*Z2-Z1*X2)^2):
Y3:=(Y1*Z2-Z1*Y2)*(c*(2*X1*Z2+Z1*X2)*(X1*Z2-Z1*X2)^2-Z1*Z2*(Y1*Z2-Z1*Y2)^2) -
    c*Y1*Z2*(X1*Z2-Z1*X2)^3:
Z3:=c*Z1*Z2*(X1*Z2-Z1*X2)^3:
gADD:=(Y1*Z2-Z1*Y2)*(X2-xQ*Z2)-(X1*Z2-Z1*X2)*Y2+(X1*Z2-Z1*X2)*Z2*yQ: #Line formulas.
simplify(x3-X3/Z3,[Q1(X1,Y1,Z1),Q1(X2,Y2,Z2)]); #Check.
simplify(y3-Y3/Z3,[Q1(X1,Y1,Z1),Q1(X2,Y2,Z2)]); factor(Line-gADD/Z1/Z2^2); #Check.

This Maple script shows how to schedule operations for (16) and (17) with Z2 = 1.

Z2:=1: Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3):
Line:=(Y1*Z2-Z1*Y2)*(X2-xQ*Z2)-(X1*Z2-Z1*X2)*(Y2-yQ*Z2):
c1:=X2-xQ: c2:=Y2-yQ: #Precomputed values.
##Point addition formulas and line computation with register allocations.
t1:=Z1*X2: t1:=X1-t1: t2:=Z1*Y2: t2:=Y1-t2: gADD:=c1*t2-t1*Y2+t1*yQ:
t3:=t1^2: t3:=c*t3: X3:=t3*X1: t3:=t1*t3: t4:=t2^2: t4:=t4*Z1: t4:=t3+t4:
t4:=t4-X3: t4:=t4-X3: X3:=X3-t4: t2:=t2*X3: Y3:=t3*Y1: Y3:=t2-Y3: X3:=t1*t4: Z3:=Z1*t3:
simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1),Q(X2,Y2,Z2)]); simplify(Line-gADD); #Check.

This Maple script shows how to schedule operations for (16) and (17).

Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3):
Line:=(Y1*Z2-Z1*Y2)*(X2-xQ*Z2)-(X1*Z2-Z1*X2)*(Y2-yQ*Z2):
c1:=X2-xQ*Z2: c2:=Y2-yQ*Z2: #Precomputed values.
##Point addition formulas and line computation with register allocations.
t1:=Z1*X2: X3:=X1*Z2: t1:=X3-t1: t2:=Z1*Y2: Y3:=Y1*Z2: t2:=Y3-t2:
gADD:=c1*t2-t1*Y2+t1*Z2*yQ:
Z3:=Z1*Z2: t3:=t1^2: t3:=c*t3: X3:=t3*X3: t3:=t1*t3: t4:=t2^2: t4:=t4*Z3: t4:=t3+t4:
t4:=t4-X3: t4:=t4-X3: X3:=X3-t4: t2:=t2*X3: Y3:=t3*Y3: Y3:=t2-Y3: X3:=t1*t4: Z3:=Z3*t3:
simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1),Q(X2,Y2,Z2)]); simplify(Line-gADD); #Check.


Fast Hashing to G2 on Pairing-Friendly Curves

Michael Scott⋆, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez⋆⋆, and Ezekiel J. Kachisa

School of Computing, Dublin City University
Ballymun, Dublin 9, Ireland
[email protected]

Abstract. Pairings on elliptic curves usually take as input a point in a subgroup $G_1$ of an elliptic curve group $E(\mathbb{F}_p)$ and a point in a subgroup $G_2$ of $E'(\mathbb{F}_{p^d})$ for some twist $E'$ of $E$. In this paper we consider the problem of hashing to $G_2$ when the group $G_2$ has prime order. The naive approach requires multiplication in the group $E'(\mathbb{F}_{p^d})$ by a large cofactor. Our main result is to describe a fast method to compute this cofactor multiplication; our method exploits an efficiently computable homomorphism.

Keywords: Tate pairing, addition chains.

1 Introduction

When using ordinary elliptic curves to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups involved in the pairing. The first group, denoted $G_1$, consists of points on a pairing-friendly elliptic curve $E$ that are defined over the base field $\mathbb{F}_p$. The second group, denoted $G_2$, is instantiated as a group of points on a twisted curve $E'$ that have coordinates in some extension field $\mathbb{F}_{p^d}$, where $d$ divides the embedding degree $k$.

The Tate pairing and its variants only require one of the input points to be of prime order, as it is sufficient for the other argument to be a coset representative. For the Weil pairing, both input points must have prime order. The most efficient pairings to date are the ate [10] and R-ate [12] pairings, both of which are variants of the Tate pairing and which specifically require a point from $G_2$ of prime order.

Whereas hashing to a point of prime order in $G_1$ is relatively easy, hashing to a prime order point in $G_2$ requires an additional multiplication by a large cofactor. In this paper we consider the problem of reducing the cost of hashing

* Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006.

** This author acknowledges support from the Consejo Nacional de Ciencia y Tecnología.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 102–113, 2009. © Springer-Verlag Berlin Heidelberg 2009


Fast Hashing to G2 on Pairing-Friendly Curves 103

to a point of prime order in $G_2$. This step may be necessary to ensure efficient implementations of protocols using Weil, ate or R-ate pairings.

Pairing-friendly ordinary elliptic curves can be constructed to have arbitrary embedding degree. This compares favourably with the case of supersingular elliptic curves, which have a maximum embedding degree of 6. On a supersingular curve, however, we have a distortion map, which in effect means that the two arguments to a modified pairing can be linearly dependent and thus can both be points in $G_1$ defined over the base field $\mathbb{F}_p$. In contrast, on ordinary elliptic curves we must be prepared to handle points in the potentially more cumbersome group $G_2$, defined over an extension field. In a recent paper, however, Galbraith and Scott [8] observe that arithmetic in $G_2$ is not as difficult as might be thought, as an efficient homomorphism can be exploited.

In this paper we extend the ideas of [8] to the related problem of cofactor multiplication in $E'(\mathbb{F}_{p^d})$, which is required to hash an identity to a point of prime order in $G_2$.

2 Elliptic Curves over Extension Fields

Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_p$ that has embedding degree $k > 1$ with respect to a prime $r$. This means that $r$ divides $\#E(\mathbb{F}_p)$ and that $k$ is the smallest positive integer such that $r$ divides $p^k - 1$. Let $E'$ be a twist of $E$ such that $r$ divides $\#E'(\mathbb{F}_{p^d})$ for some $d \mid k$. If $d < k$ we define $G_2$ to be the unique subgroup of order $r$ on $E'(\mathbb{F}_{p^d})$ [10]. If $d = k$ (in which case $E \cong E'$) we define $G_2$ to be the cyclic subgroup of $E[r]$ on which the $p$-power Frobenius of $E$ acts as multiplication by $p$.

The degree $d$ of the extension field can always be $k/2$ if $k$ is even. In fact we prefer $k$ to be even as it enables the important denominator elimination optimization in the pairing calculation [2]. Furthermore, if the elliptic curve has a complex multiplication (CM) discriminant of $-3$ and $6 \mid k$, then we can choose $d = k/6$. Similarly, if the curve has a CM discriminant of $-4$ and $4 \mid k$, then we can choose $d = k/4$. Clearly the smaller the degree of the extension field $\mathbb{F}_{p^d}$, the easier it will be to manipulate points on $G_2$.

It is well known that the number of points on an elliptic curve $E$ satisfies $\#E(\mathbb{F}_p) = p + 1 - t$, where $t$ is the trace of the Frobenius, which obeys the Hasse bound $|t| \le 2\sqrt{p}$. Consider now points whose coordinates are defined over an extension field $\mathbb{F}_{p^m}$, and the number of such points on the same elliptic curve [13]. It is well known, for example, that

$$\#E(\mathbb{F}_{p^2}) = p^2 + 1 - (t^2 - 2p), \qquad \#E(\mathbb{F}_{p^3}) = p^3 + 1 - (t^3 - 3tp).$$

In the general case the number of points can be calculated by the following simple algorithm [13]:


104 M. Scott et al.

Algorithm 1. Returns $\#E(\mathbb{F}_{p^m})$
Input: $m$, $p$, $t$: $m$ a positive integer, $p$ a prime, $t$ the trace of Frobenius of an elliptic curve $E$ defined over $\mathbb{F}_p$.
Output: $\#E(\mathbb{F}_{p^m})$.
1: $\tau_0 \leftarrow 2$
2: $\tau_1 \leftarrow t$
3: for $i \leftarrow 1$ to $m - 1$ do
4:   $\tau_{i+1} \leftarrow t \cdot \tau_i - p \cdot \tau_{i-1}$
5: end for
6: $q \leftarrow p^m$
7: $\tau \leftarrow \tau_m$
8: return $q + 1 - \tau$

To represent the group $G_2$ we like to use an isomorphic group on a twisted curve over the smallest possible extension field. The number of points on the twisted curve can also easily be determined from the output of Algorithm 1. For example the following formulæ are for quadratic, quartic and sextic twists:

$$\text{quadratic: } \#E'(\mathbb{F}_q) = q + 1 + \tau;$$
$$\text{quartic: } \#E'(\mathbb{F}_q) = q + 1 - f_1 \quad \text{where } f_1 = \sqrt{4q - \tau^2};$$
$$\text{sextic: } \#E'(\mathbb{F}_q) = q + 1 - (3f_2 + \tau)/2 \quad \text{where } f_2 = \sqrt{(4q - \tau^2)/3},$$

where $q = p^m$ and $\tau$ is the trace of the $q$-power Frobenius on $E$ as calculated in Algorithm 1. See [10] for more details. Note that each of the quartic and sextic cases admits two twists, corresponding to the two signs of $f_1$ or $f_2$; the formulae above give the one used here, and in an implementation the choice should be confirmed by checking that $r$ divides the resulting group order.

To hash to a point in $G_2$, the standard approach would be to first hash to a general point on $E'(\mathbb{F}_{p^d})$ and then multiply by the cofactor $c = \#E'(\mathbb{F}_{p^d})/r$. Consider now a pairing-friendly curve with $k = 10$, $d = 5$ and $r \approx p$. In this case, using the quadratic twist, this cofactor $c$ would be of a size in bits approximately the same as $p^4$. This would be prohibitively slow. Here we will show that the same outcome can be achieved in all cases with the equivalent work of a multiplication by a value less than $p$, and in some cases much less than $p$.
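As an added example (it is not code from the paper), the following Python implements Algorithm 1 and the twist-order formulae of this section in plain integer arithmetic, and uses them to compute the cofactor $c = \#E'(\mathbb{F}_{p^d})/r$ for sample instances of the MNT, BN and Freeman families treated later in the paper. The values of $x$ are constructed only to exercise the polynomial identities (for them $p(x)$ need not even be prime); none is a secure parameter. The divisibility and perfect-square checks are the ones a practitioner would want when picking the twist.

```python
"""Added example (not from the paper): Algorithm 1 and the twist-order formulae
of Section 2 in plain integer arithmetic, used to compute the G2 cofactor
c = #E'(F_{p^d}) / r for sample instances of the MNT, BN and Freeman families
treated later in the paper.  The x values are constructed to exercise the
polynomial identities only (p(x) need not even be prime); none is a secure
parameter."""
from math import isqrt


def frobenius_trace(p, t, m):
    """tau_m, the trace of the p^m-power Frobenius (Algorithm 1):
    tau_0 = 2, tau_1 = t, tau_{i+1} = t*tau_i - p*tau_{i-1}."""
    if m < 1:
        raise ValueError("m must be a positive integer")
    prev, cur = 2, t
    for _ in range(m - 1):
        prev, cur = cur, t * cur - p * prev
    return cur


def curve_order(p, t, m):
    """#E(F_{p^m}) = p^m + 1 - tau_m."""
    return p**m + 1 - frobenius_trace(p, t, m)


def exact_sqrt(n):
    """Integer square root that rejects non-squares (a CM-discriminant sanity check)."""
    if n < 0:
        raise ValueError("negative radicand: |tau| exceeds the Hasse bound")
    s = isqrt(n)
    if s * s != n:
        raise ValueError(f"{n} is not a perfect square; wrong twist degree for this curve")
    return s


def twist_order(p, t, m, degree):
    """#E'(F_q), q = p^m, for a twist of degree 2, 4 or 6 (formulae of Section 2).
    Each degree admits two twists, differing in the sign of f1 / f2; these are the
    paper's choices, and g2_cofactor() checks that r divides the result."""
    q = p**m
    tau = frobenius_trace(p, t, m)
    if degree == 2:
        return q + 1 + tau
    rad = 4 * q - tau * tau
    if degree == 4:
        return q + 1 - exact_sqrt(rad)
    if degree == 6:
        if rad % 3:
            raise ValueError("4q - tau^2 not divisible by 3: no sextic twist here")
        num = 3 * exact_sqrt(rad // 3) + tau
        if num % 2:
            raise ValueError("3*f2 + tau is odd: formula does not apply")
        return q + 1 - num // 2
    raise ValueError("twist degree must be 2, 4 or 6")


def g2_cofactor(p, t, r, m, degree):
    """The scalar the naive hash-to-G2 multiplies by: c = #E'(F_{p^m}) / r."""
    n = twist_order(p, t, m, degree)
    if n % r:
        raise ValueError("r does not divide the twist order: wrong twist or sign")
    return n // r


def poly_eval(coeffs_high_to_low, x):
    """Horner evaluation of a family polynomial at x."""
    acc = 0
    for a in coeffs_high_to_low:
        acc = acc * x + a
    return acc


# Families quoted in the paper as (p(x), r(x), t(x)), highest-degree coefficient first.
MNT6 = ([1, 0, 1], [1, -1, 1], [1, 1])                              # k=6,  d=3, quadratic twist
BN = ([36, 36, 24, 6, 1], [36, 36, 18, 6, 1], [6, 0, 1])             # k=12, d=2, sextic twist
FREEMAN10 = ([25, 25, 25, 10, 3], [25, 25, 15, 5, 1], [10, 5, 3])    # k=10, d=5, quadratic twist
# The full G2 cofactor polynomial c(x) the paper gives for Freeman curves (Section 7).
FREEMAN_C = [390625, 1562500, 4062500, 7421875, 10750000, 12593750, 12356250, 10203125,
             7178125, 4284375, 2171000, 920250, 322400, 89875, 19120, 2740, 217]


def family_cofactor(family, x, m, degree):
    """Instantiate a family at x and return (p, r, t, cofactor)."""
    p, r, t = (poly_eval(c, x) for c in family)
    return p, r, t, g2_cofactor(p, t, r, m, degree)


if __name__ == "__main__":
    p, r, t, c = family_cofactor(FREEMAN10, 1, 5, 2)
    print(f"Freeman k=10 at x=1: cofactor {c} has {c.bit_length()} bits, "
          f"p^4 has {(p**4).bit_length()} bits; matches c(1)? {poly_eval(FREEMAN_C, 1) == c}")
    p, r, t, c = family_cofactor(BN, 1, 2, 6)
    print(f"BN k=12 at x=1: cofactor {c} == p + t - 1? {c == p + t - 1}")
```

For the Freeman instance the cofactor comes out with about as many bits as $p^4$, which is the size the paragraph above warns about; for BN the sextic-twist cofactor reduces to $p + t - 1$, the value Section 6 works from.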

3 A Fast Cofactor Multiplication Algorithm for G2

The issue of fast cofactor multiplication of points on $E'(\mathbb{F}_{p^d})$ was briefly considered for the case of Barreto-Naehrig (BN) curves [3] by Galbraith and Scott [8, Section 8]. Here we generalise and extend their idea. In that paper the authors introduce the homomorphism $\psi = \phi^{-1}\pi_p\phi$, where $\phi : E' \to E$ is the isomorphism which takes us from the twisted curve $E'(\mathbb{F}_{p^d})$ to the isomorphic group on $E(\mathbb{F}_{p^k})$ as actually required by the pairing algorithm, and $\pi_p$ is the $p$-power Frobenius map on $E$. Note that $\psi(P)$ can be calculated very quickly.

General points on $E'(\mathbb{F}_{p^d})$ obey the identity [7, Theorem 1]:

$$\psi^2(P) - [t]\psi(P) + [p]P = 0.$$


Our main idea is to first express the cofactor $c$ to the base $p$,

$$c = c_0 + c_1 \cdot p + c_2 \cdot p^2 + \cdots$$

and then use the identity

$$[p]P = [t]\psi(P) - \psi^2(P) \qquad (1)$$

repeatedly if necessary to reduce the cofactor multiplication to a form

$$[c_0 + p(c_1 + p(c_2 + \cdots))]P = [g_0]P + [g_1]\psi(P) + [g_2]\psi^2(P) + \cdots \qquad (2)$$

where all of the $g_i$ are less than $p$. Observe that $[c_1 \cdot p]P = [c_1 \cdot t]\psi(P) - [c_1]\psi^2(P)$, and that $c_1 \cdot t$ may be of a size in bits 50% larger than $p$ (recall that $t$ can be up to half the size of $p$ as a consequence of the Hasse condition). Further applications of the homomorphism may therefore be necessary to effect a complete reduction. The end result is a recoding of $c$ from a base $p$ representation to a base $\psi(\cdot)$ representation, with all coefficients less than $p$. The number of terms in the representation increases with each application of the identity (1), so in some circumstances we will also find the following identity to be useful:

Φk(ψ(P )) = 0, (3)

where $\Phi_k$ is the $k$th cyclotomic polynomial. This identity allows terms of degree greater than or equal to $\varphi(k)$ (the Euler totient function) to be replaced with terms of lower degree.

In the case that $k = de$ and $(d, e) = 1$, we observe that the twisting isomorphism $\phi$ defining a twist of degree $e$ can be chosen so that the twisted curve $E'$ is actually defined over $\mathbb{F}_p$ (in this case $\phi$ is defined over $\mathbb{F}_{p^e}$). In this case, the cofactor $c$ can be factored into $h \cdot c_1$, where $c_1 = \#E'(\mathbb{F}_p)$. The endomorphism $\pi'_p - 1$ (where $\pi'_p$ is the $p$-power Frobenius map on $E'$) kills the $\mathbb{F}_p$-rational points and so projects into the subgroup of $E'(\mathbb{F}_{p^d})$ of order $h \cdot r$; thus we only need to perform a multiplication by $h$ to obtain a point of order $r$. In this case, our algorithm only needs to be applied to the smaller factor $h$.

4 The Application to Ordinary Pairing-Friendly Elliptic Curves

The most general method to construct a pairing-friendly elliptic curve is to use the method of Cocks-Pinch [4]. These curves, however, suffer from a $\rho$ ratio that is close to 2, where $\rho = \lg(p)/\lg(r)$. It is more efficient to use the smallest possible field which supports a pairing-friendly group, so we would prefer $\rho$ to be close to 1. It is therefore usually preferred to choose instead from one of the families of pairing-friendly curves identified by numerous authors, and collated together in the taxonomy paper of Freeman et al. [6]. These often have a $\rho$ value closer to 1, and many are of the desirable low CM discriminant form. These families also share another feature: the prime modulus $p$, the group order $r$ and the trace $t$ are all described as


rather simple polynomials. It is our aim to exploit this simple form in a systematic way to further speed up the cofactor multiplication required for hashing to $G_2$.

Before proceeding we need to formally describe the method of the previous section as an algorithm for reducing the cofactor multiplication to the evaluation of a polynomial in the powers $\psi^i(P)$, with coefficients less than $p$. When $p$ is itself expressed as a polynomial $p(x)$, these coefficients can in turn be calculated as polynomials in $x$, and this we choose to do as it leads to further optimizations. In these cases the cofactor $c$ itself can also be calculated and presented as a polynomial in $x$. However, we emphasise that the basic idea (with minor modifications) applies equally to non-parameterised Cocks-Pinch curves. See Algorithm 2. For a step-by-step walk-through of the algorithm, see the section on MNT curves below.

Algorithm 2. Reduction of the cofactor $c(x)$ to base $\psi(\cdot)$
Input: $k$, $p(x)$, $t(x)$, and $c(x)$: embedding degree $k$ and polynomials $p(x)$, $t(x)$, $c(x)$ parameterising the field size, trace, and $G_2$ cofactor of a pairing-friendly elliptic curve, respectively.
Output: $g_0(x), g_1(x), \ldots, g_{\varphi(k)-1}(x)$: $\deg g_i(x) < \deg p(x)$ will be coefficients of a base $\psi(\cdot)$ representation of the cofactor $c(x)$.
1: $f \leftarrow \lfloor \deg(c(x))/\deg(p(x)) \rfloor$
2: ♦ First express $c(x)$ to the base $p$
3: for $i \leftarrow 0$ to $f$ do
4:   $c_i(x) \leftarrow c(x) \bmod p(x)$
5:   $c(x) \leftarrow c(x) \text{ div } p(x)$
6: end for
7: ♦ Make first pass to determine the coefficients $g_i$ of $c(x)$ to the base $\psi(\cdot)$, using equation (1).
8: for $j \leftarrow 0$ to $f$ do
9:   $g_{2j} \leftarrow 0$, $g_{2j+1} \leftarrow 0$
10:  for $i \leftarrow 0$ to $j$ do
11:    $g_{j+i} \leftarrow g_{j+i} + \binom{j}{i} t(x)^{j-i} (-1)^i c_j(x)$
12:  end for
13: end for
14: ♦ Make a second pass to finally force all coefficients to have degree $< \deg p$
15: $g_{2f+1} \leftarrow 0$, $g_{2f+2} \leftarrow 0$
16: for $j \leftarrow 1$ to $2f$ do
17:   $w(x) \leftarrow g_j(x) \text{ div } p(x)$
18:   $g_j(x) \leftarrow g_j(x) \bmod p(x)$
19:   $g_{j+1}(x) \leftarrow g_{j+1}(x) + t(x)w(x)$
20:   $g_{j+2}(x) \leftarrow g_{j+2}(x) - w(x)$
21: end for
22: ♦ Finally exploit equation (3); $a_i$ is the coefficient of $x^i$ in $\Phi_k(x)$
23: for $j \leftarrow 2f + 2$ downto $\varphi(k)$ do
24:   for $i \leftarrow 1$ to $\varphi(k)$ do
25:     $g_{j-i}(x) \leftarrow g_{j-i}(x) - a_{\varphi(k)-i} \cdot g_j(x)$
26:   end for
27:   $g_j(x) \leftarrow 0$
28: end for


4.1 Algorithm 2 Summary

Algorithm 2 takes the integer $k$ and the polynomials $p(x)$, $t(x)$ and $c(x)$, where $p(x)$ and $t(x)$ parameterise the field size of definition and trace respectively of a pairing-friendly curve with embedding degree $k$. The polynomial $c(x)$ parameterises the hard part of the multiplication to be performed to obtain a point of order $r$ on the twist of the elliptic curve. The first step is to recode $c(x)$ to the base $p(x)$ (lines 3–6); then, using this representation of $c(x)$, recode $c(x)$ to the base $\psi(\cdot)$ (lines 8–13). The coefficients of the base $\psi(\cdot)$ representation are computed using the coefficients of the base $p(x)$ representation and the appropriate coefficients of the equation

$$[p^l]P = \sum_{i=0}^{l} \binom{l}{i} t(x)^{l-i} (-1)^i \psi^{l+i}(P),$$

obtained by applying induction on equation (1). Once $c(x)$ has been written to base $\psi(\cdot)$, the coefficients $g_i(x)$ are checked. If $\deg g_i(x) \ge \deg p(x)$ then the identity $[p]P = [t]\psi(P) - \psi^2(P)$ is reapplied (lines 15–20). Finally the relation (3) is exploited to obtain a base $\psi(\cdot)$ representation of $c(x)$ of degree $< \varphi(k)$ (lines 22–27).

We now proceed to use this algorithm to find a faster way to perform the cofactor multiplication required to hash to a point of order $r$ in $G_2$. We proceed on a case-by-case basis for certain selected popular families of pairing-friendly elliptic curves.

5 The MNT Curves

The MNT pairing-friendly elliptic curves were introduced by Miyaji et al. [14]. MNT curves can have embedding degrees 3, 4 or 6 and $\rho = 1$. For the $k = 6$ case the prime $p$, the group order $r$ and the trace of Frobenius parameters are expressed as:

$$p(x) = x^2 + 1; \qquad r(x) = x^2 - x + 1; \qquad t(x) = x + 1.$$

There exists no $x$ such that the curve generated using these parameters has a CM discriminant of $-3$, so only a quadratic twist is possible. Here $G_2$ is a group of points of order $r$ on $E'(\mathbb{F}_{p^3})$. The cofactor is $c(x) = (p(x)^3 + 1 + t(x)^3 - 3t(x)p(x))/r(x)$, which in this case works out to be

$$c(x) = x^4 + x^3 + 3x^2.$$

Applying Algorithm 2 step-by-step we first represent $c(x)$ to the base $p(x)$ (lines 3–6 of Algorithm 2):

$$c(x) = p(x)^2 + (x + 1)p(x) + (-x - 2).$$


Now apply equation (1) to each term involving a power of $p(x)$, and use it to express $[c(x)]P$ in base $\psi(\cdot)$ form (lines 8–13 of the algorithm):

$$[-x - 2]P + [x^2 + 2x + 1]\psi(P) + [x^2 + x]\psi^2(P) + [-2x - 2]\psi^3(P) + \psi^4(P).$$

As can be seen some of the coefficients are still of the same degree as $p(x)$, so apply equation (1) again (lines 15–20) to get

$$[-x - 2]P + [2x]\psi(P) + [2x]\psi^2(P) + [-x - 2]\psi^3(P).$$

All of the polynomial coefficients are now fully reduced modulo $p(x)$. From equation (3) we know that $\psi^2(P) = \psi(P) - P$, and by substituting this identity twice for $\psi^2(P)$ into the above (lines 22–27), we find that multiplication of a general point $P$ by $c(x)$ can be completed by calculating the point

ψ(4xP )− 2xP,

which requires only one multiplication by $x$, two point doublings, one application of the homomorphism and a further point addition. The savings compared with a direct multiplication of $P$ by $c(x)$ are obvious.

We can do slightly better still. As discussed in Section 3, since $k = 2 \cdot 3$ and $\gcd(2, 3) = 1$ it is possible to choose the quadratic twist $E'$ to be defined over $\mathbb{F}_p$. As such, there must be a subgroup of points of $E'(\mathbb{F}_{p^3})$ which are defined over $\mathbb{F}_p$ (that is, the points of $E'(\mathbb{F}_p)$). The number of points on $E'(\mathbb{F}_{p^3})$ must therefore have as a factor $p(x) + 1 + t(x)$, and indeed in this case $c(x) = (p(x) + 1 + t(x)) \cdot x^2$. As explained in Section 3, the first part of the cofactor multiplication by $p(x) + 1 + t(x)$ can be performed by using the Frobenius endomorphism on the twisted curve

$$P \leftarrow \pi'(P) - P,$$

leaving only a further multiplication by $x^2$. Using our algorithm this can be evaluated as simply $\psi([x]P)$.

6 The BN Curves

The BN family of pairing-friendly curves [3] has embedding degree 12, and is parameterised as follows:

$$p(x) = 36x^4 + 36x^3 + 24x^2 + 6x + 1; \qquad r(x) = 36x^4 + 36x^3 + 18x^2 + 6x + 1; \qquad t(x) = 6x^2 + 1.$$

In this case the cofactor multiplication can be effected as [8]

ψ(6x2P ) + 6x2P + ψ(P )− ψ2(P ).

The major work here is the point multiplication by $6x^2$. Since BN curves are plentiful it is not hard to find a value of $x$ with a very low Hamming weight


(as is already commonly done to optimize the main Miller loop of the pairing algorithm), and this will further speed the calculation, as the point multiplication will consist largely of point doublings, which are significantly faster than point additions in most curve and point representations.

7 Freeman Curves

In [5] a construction is suggested for pairing-friendly elliptic curves of embedding degree 10:

$$p(x) = 25x^4 + 25x^3 + 25x^2 + 10x + 3; \qquad r(x) = 25x^4 + 25x^3 + 15x^2 + 5x + 1; \qquad t(x) = 10x^2 + 5x + 3.$$

These curves are much rarer than the BN curves, and unfortunately it is not feasible to choose $x$ to have a particularly small Hamming weight. Furthermore, since the embedding degree is 10, the best that can be done for $G_2$ is to represent it as a group of points on $E'(\mathbb{F}_{p^5})$. This is a particularly large and rather awkward extension, and the cofactor multiplication threatens to be a large one. In fact $c(x)$ in this case works out as the rather intimidating polynomial:

$$\begin{aligned} c(x) = {} & 390625x^{16} + 1562500x^{15} + 4062500x^{14} + 7421875x^{13} + 10750000x^{12} \\ & + 12593750x^{11} + 12356250x^{10} + 10203125x^{9} + 7178125x^{8} + 4284375x^{7} \\ & + 2171000x^{6} + 920250x^{5} + 322400x^{4} + 89875x^{3} + 19120x^{2} + 2740x + 217. \end{aligned}$$

Again this has $p(x) + 1 + t(x)$ as a factor; if we use again the idea in Section 3 and choose the quadratic twist $E'$ to be defined over $\mathbb{F}_p$, then the multiplication by $p(x) + 1 + t(x)$ can be handled by the transformation $P \leftarrow \pi'(P) - P$, and so the "hard part" of the cofactor can be reduced to:

$$\begin{aligned} h(x) = {} & 15625x^{12} + 46875x^{11} + 93750x^{10} + 128125x^{9} + 138125x^{8} + 116875x^{7} \\ & + 80875x^{6} + 44875x^{5} + 20225x^{4} + 7075x^{3} + 1880x^{2} + 325x + 31. \end{aligned}$$

Applying our algorithm we find that multiplying $P$ by $h(x)$ can be expressed as:

$$[g_0(x)]P + [g_1(x)]\psi(P) + [g_2(x)]\psi^2(P) + [g_3(x)]\psi^3(P),$$

where

$$\begin{aligned} g_0(x) &= -5x^2 - 10x - 2; \\ g_1(x) &= -25x^3 - 20x^2 - 10x - 4; \\ g_2(x) &= 3; \\ g_3(x) &= -25x^3 - 10x^2 - 5x. \end{aligned}$$


At this stage we could substitute for $x$ and use a simultaneous multiple point multiplication algorithm [9]. A better idea is to instead calculate $xP$, $x^2P = x \cdot xP$, $x^3P = x \cdot x^2P$, and then $\psi^i(P)$, $\psi^i(xP)$, $\psi^i(x^2P)$ and $\psi^i(x^3P)$ for $i = 1$ to 3. Then the calculation becomes

[25](−ψ3(x3P )− ψ(x3P )) + [20](−ψ(x2P )) + [10](−ψ3(x2P )− ψ(xP )− xP )+[5](−ψ3(xP )− x2P ) + [4](−ψ(P )) + [3]ψ2(P ) + [2](−P ),

which can be considered as

$$25A + 20B + 10C + 5D + 4E + 3F + 2G,$$

where $A, B, C, D, E, F$ and $G$ are calculated using just 4 extra point additions (negating a point is free). The optimal way to proceed is to form the smallest addition sequence which includes all of the small multipliers in the above:

$$\{1, 2, 3, 4, 5, 10, 20, 25\}.$$

In this case it is easily done: only a 1 needs to be added to the start. Now we apply the Olivos algorithm [15] (see also [1, Section 9.2]) to find the optimal sequence of point additions and doublings to finally effect the cofactor multiplication.

T0 ← A+B

T1 ← A+D

T0 ← 2 · T0

T0 ← T0 + C

T0 ← 2 · T0

T1 ← T0 + T1

T0 ← T1 + E

T0 ← 2 · T0

T0 ← T0 +G

T0 ← T0 + F

T1 ← T1 + F

T0 ← 2 · T0

T0 ← T0 + T1.

The final result is in $T_0$. This part of the calculation requires only 9 extra point additions and 4 point doublings.
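As an added check (not part of the paper), the schedule above can be audited without any curve arithmetic: represent each point symbolically as a dictionary mapping the basis element $\psi^i(x^jP)$ to its integer multiplier, so that point addition is coefficient addition and doubling is scaling by 2. Replaying the $T_0/T_1$ sequence then shows exactly which combination of the 16 basis points it produces, which can be compared against the expansion of $\sum_i [g_i(x)]\psi^i(P)$ from the $g_i$ given above, and the operation counts fall out for free. The grouping of $A, \ldots, G$ and the schedule are transcribed from this section; the bookkeeping code is the example's own.

```python
"""Added example (not from the paper): replay the Olivos schedule of Section 7
on symbolic points and check that it really computes 25A+20B+10C+5D+4E+3F+2G,
and that A..G match the coefficients g_0..g_3 of h(x).  A 'point' here is a
Counter {(i, j): coefficient} meaning sum coeff * psi^i(x^j P); point addition
is coefficient addition, so no curve arithmetic is needed to audit the schedule."""
from collections import Counter

# g_i(x) from Section 7, stored as {degree: coefficient}
G = {
    0: {2: -5, 1: -10, 0: -2},
    1: {3: -25, 2: -20, 1: -10, 0: -4},
    2: {0: 3},
    3: {3: -25, 2: -10, 1: -5},
}


def term(i, j, sign=1):
    """sign * psi^i(x^j P) as a symbolic point (negation is free on a curve)."""
    return Counter({(i, j): sign})


class OpCounter:
    """Performs symbolic group operations and counts them."""
    def __init__(self):
        self.adds = 0
        self.dbls = 0

    def add(self, p, q):
        self.adds += 1
        return Counter({k: p[k] + q[k] for k in set(p) | set(q)})

    def dbl(self, p):
        self.dbls += 1
        return Counter({k: 2 * v for k, v in p.items()})


def build_ABCDEFG(ops):
    """The seven bracketed points of Section 7; only the additions inside the
    brackets cost anything (4 in total), as the paper states."""
    A = ops.add(term(3, 3, -1), term(1, 3, -1))
    B = term(1, 2, -1)
    C = ops.add(ops.add(term(3, 2, -1), term(1, 1, -1)), term(0, 1, -1))
    D = ops.add(term(3, 1, -1), term(0, 2, -1))
    E = term(1, 0, -1)
    F = term(2, 0, 1)
    G_ = term(0, 0, -1)
    return A, B, C, D, E, F, G_


def run_schedule(ops, A, B, C, D, E, F, G_):
    """The T0/T1 sequence printed in Section 7, step for step."""
    T0 = ops.add(A, B)
    T1 = ops.add(A, D)
    T0 = ops.dbl(T0)
    T0 = ops.add(T0, C)
    T0 = ops.dbl(T0)
    T1 = ops.add(T0, T1)
    T0 = ops.add(T1, E)
    T0 = ops.dbl(T0)
    T0 = ops.add(T0, G_)
    T0 = ops.add(T0, F)
    T1 = ops.add(T1, F)
    T0 = ops.dbl(T0)
    T0 = ops.add(T0, T1)
    return T0


def expected_from_g():
    """sum_i [g_i(x)] psi^i(P), expanded into psi^i(x^j P) basis terms."""
    return Counter({(i, j): c for i, gi in G.items() for j, c in gi.items()})


def audit():
    """Returns (final point, #setup additions, #schedule additions, #doublings, matches_g)."""
    ops = OpCounter()
    pts = build_ABCDEFG(ops)
    setup_adds = ops.adds
    result = run_schedule(ops, *pts)
    clean = Counter({k: v for k, v in result.items() if v})
    return clean, setup_adds, ops.adds - setup_adds, ops.dbls, clean == expected_from_g()


if __name__ == "__main__":
    result, setup, adds, dbls, ok = audit()
    print(f"{setup} additions to form A..G, then {adds} additions + {dbls} doublings")
    print("schedule reproduces sum [g_i] psi^i(P):", ok)
```

The same harness works for the KSS schedules of the next section once their addition sequences are written out as `T0`/`T1` steps; the multiplier on each basis point must come out equal to the corresponding coefficient of $3c(x)$ or $6c(x)$.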

8 KSS Curves

Kachisa et al. [11] described a new method for generating pairing-friendly elliptic curves.


8.1 The k = 8 Family of Curves

Here are the parameters for the family of k = 8 KSS curves:

$$\begin{aligned} p(x) &= (x^6 + 2x^5 - 3x^4 + 8x^3 - 15x^2 - 82x + 125)/180; \\ r(x) &= (x^4 - 8x^2 + 25)/450; \\ t(x) &= (2x^3 - 11x + 15)/15. \end{aligned}$$

For these curves $\rho = 3/2$. As for BN curves, $x$ can be chosen to have a low Hamming weight. Proceeding as above we find

$$\begin{aligned} g_0(x) &= (2x^5 + 4x^4 - x^3 + 50x^2 + 65x - 36)/6; \\ g_1(x) &= (2x^5 + 4x^4 - x^3 - 7x^2 - 25x + 75)/6; \\ g_2(x) &= (-15x^2 - 30x - 75)/6. \end{aligned}$$

A minor difficulty arises due to the common denominator of 6 which occurs here. We suggest a simple solution: complete the hashing to $G_2$ with the point multiplication $[6 \cdot c(x)]P$; this still results in a point of order $r$ as 6 and $r$ are coprime. Now the denominator can be ignored. To complete the calculation we need an addition sequence which includes all of the integer coefficients that arise here:

$$\{1, 2, 4, 5, 6, 7, 10, 15, 25, 30, 36, 50, 65, 75\},$$

where 5, 6 and 10 are the extra numbers included to complete the sequence (the remaining entries are the absolute values of the coefficients of $6g_0$, $6g_1$ and $6g_2$). Proceeding as for the Freeman curve case, the computation using this addition sequence can be completed with 18 point additions and 5 point doublings.

8.2 The k = 18 Family of Curves

Here are the parameters for the family of k = 18 KSS curves:

$$\begin{aligned} p(x) &= (x^8 + 5x^7 + 7x^6 + 37x^5 + 188x^4 + 259x^3 + 343x^2 + 1763x + 2401)/21; \\ r(x) &= (x^6 + 37x^3 + 343)/343; \\ t(x) &= (x^4 + 16x + 7)/7. \end{aligned}$$

For these curves $\rho = 4/3$ and again, as for the BN curves, $x$ can in practice be chosen with a low Hamming weight. Proceeding again as above we find

$$\begin{aligned} g_0(x) &= (-5x^7 - 26x^6 - 98x^5 - 381x^4 - 867x^3 - 1911x^2 - 5145x - 5774)/3; \\ g_1(x) &= (-5x^7 - 18x^6 - 38x^4 - 323x^3 - 28x^2 + 784x)/3; \\ g_2(x) &= (-5x^7 - 18x^6 - 38x^4 - 323x^3 + 1029x + 343)/3; \\ g_3(x) &= (-11x^6 - 70x^5 - 98x^4 - 176x^3 - 1218x^2 - 2058x - 686)/3; \\ g_4(x) &= (28x^2 + 245x + 343)/3. \end{aligned}$$


Using the same reasoning as in the KSS $k = 8$ case, we actually evaluate $[3 \cdot c(x)]P$ to remove the awkward denominator of 3. In this case the best addition sequence we could find that includes all of the coefficients was:

$$\{1, 2, 3, 5, 7, 8, 11, 18, 26, 28, 31, 38, 45, 69, 70, 78, 98, 176, 245, 253, 323, 343, 381, 389, 686, 784, 829, 867, 1029, 1218, 1658, 1911, 2058, 4116, 5145, 5774\},$$

which can be used to complete the calculation in 51 point additions and 5 point doublings.

9 Discussion

It may sometimes be preferable to select a slightly longer addition sequence which trades additions for doublings, since in most cases (dependent on the curve representation and the projective coordinate method used) point doublings are significantly faster than point additions. The situation is complex, however, and requires further study. For example, if doubling or adding a point on $E'(\mathbb{F}_{p^5})$ it is likely that affine coordinates will in fact be faster than any kind of projective coordinates, in which case, using the standard short Weierstrass representation, additions may actually be faster than doublings [9]. Addition-subtraction sequences may also be an attractive alternative in other cases.

10 Conclusions

We have suggested a method for deriving a point in $G_2$, a point on $E'(\mathbb{F}_{p^d})$ of order $r$, given an initial hashing to a general point on $E'(\mathbb{F}_{p^d})$, the twist of an ordinary pairing-friendly elliptic curve. The proposed method is significantly faster than the naive approach, which would require multiplication by a very large cofactor.

Acknowledgement

Thanks to Robert Granger and Steven Galbraith for suggestions and comments. We would also like to acknowledge the anonymous referees for their suggestions. We would especially like to thank David Freeman, whose support and guidance is much appreciated.

References

1. Avanzi, R., Cohen, H., Doche, C., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman and Hall/CRC, Boca Raton (2006)

2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)


3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

4. Blake, I.F., Seroussi, G., Smart, N.P. (eds.): Advances in Elliptic Curve Cryptography, vol. 2. Cambridge University Press, Cambridge (2005)

5. Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006)

6. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/2006/372

7. Galbraith, S., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2009)

8. Galbraith, S., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 211–224. Springer, Heidelberg (2008)

9. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004)

10. Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006)

11. Kachisa, E., Schaefer, E., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)

12. Lee, E., Lee, H.-S., Park, C.-M.: Efficient and generalized pairing computation on abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008), http://eprint.iacr.org/2008/040

13. Menezes, A.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Dordrecht (1993)

14. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals E84-A(5), 1234–1243 (2001)

15. Olivos, J.: On vectorial addition chains. Journal of Algorithms 2, 13–21 (1981)


Compact E-Cash and Simulatable VRFs Revisited

Mira Belenkiy¹, Melissa Chase¹, Markulf Kohlweiss², and Anna Lysyanskaya³

¹ Microsoft Research, {mibelenk,melissac}@microsoft.com
² KU Leuven, ESAT-COSIC / IBBT
³ Brown University

Abstract. Efficient non-interactive zero-knowledge proofs are a powerful tool for solving many cryptographic problems. We apply the recent Groth-Sahai (GS) proof system for pairing product equations (Eurocrypt 2008) to two related cryptographic problems: compact e-cash (Eurocrypt 2005) and simulatable verifiable random functions (CRYPTO 2007). We present the first efficient compact e-cash scheme that does not rely on a random oracle. To this end we construct efficient GS proofs for signature possession, pseudorandomness and set membership. The GS proofs for pseudorandom functions give rise to a much cleaner and substantially faster construction of simulatable verifiable random functions (sVRF) under a weaker number-theoretic assumption. We obtain the first efficient fully simulatable sVRF with a polynomial sized output domain (in the security parameter).

1 Introduction

Since their invention [BFM88], non-interactive zero-knowledge proofs have played an important role in obtaining feasibility results for many interesting cryptographic primitives [BG90, GO92, Sah99], such as the first chosen ciphertext secure public key encryption scheme [BFM88, RS92, DDN91]. The inefficiency of these constructions often motivated independent practical instantiations that were arguably conceptually less elegant, but much more efficient ([CS98] for chosen ciphertext security).

We revisit two important cryptographic results of pairing-based cryptography, compact e-cash [CHL05] and simulatable verifiable random functions [CL07], that have very elegant constructions based on non-interactive zero-knowledge proof systems, but less elegant practical instantiations. Our results combine the best of both worlds: a clean design and an efficient implementation.

Compact e-cash. Electronic cash (e-cash) was introduced by Chaum [Cha83] as an electronic analogue of physical money and has been a subject of ongoing research since then [CFN90, FY92, CP93, Bra93, SPC95, FTY96, Tsi97]. The participants in an e-cash system are users who withdraw and spend e-cash; a

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 114–131, 2009. © Springer-Verlag Berlin Heidelberg 2009


bank that creates e-cash and accepts it for deposit, and merchants who offer goods and services in exchange for e-cash, and then deposit the e-cash to the bank. The main security requirements are (1) anonymity: even if the bank and the merchant and all the remaining users collude with each other, they still cannot distinguish Alice's purchases from Bob's; (2) unforgeability: even if all the users and all the merchants collude against the bank, they still cannot deposit more money than they withdrew.

Unfortunately, it is easy to see that, as described above, e-cash is useless. The problem is that here money is represented by data, and it is possible to copy data. Unforgeability will guarantee that the bank will only honor at most one copy of a given coin for deposit and will reject the others. Anonymity will guarantee that there is no recourse against such a cheating Alice. So one of the merchants will be cheated. There are two known remedies against this double-spending behavior. The first remedy is on-line e-cash [Cha83], where the bank is asked to vet a coin before the spend protocol can terminate successfully. The second remedy is off-line e-cash, introduced by Chaum, Fiat and Naor [CFN90]. The additional requirement of an off-line e-cash system is (informally) that no coin can be double-spent without revealing the identity of the perpetrator.

A further development in the literature on e-cash was compact e-cash [CHL05]. In compact e-cash, the user withdraws $N$ coins in a withdrawal protocol whose complexity is $O(\log N)$ rather than $O(N)$. Similarly, the resulting wallet requires storage size $O(\log N)$ rather than $O(N)$. The main idea is as follows: in the withdrawal protocol, a user obtains the Bank's signature on $(x, s, t)$, where $s$ and $t$ are random seeds of a pseudorandom function (PRF) $F_{(\cdot)}(\cdot)$ and $x$ is the user's identifier. In the spend protocol, a serial number of the $i$th coin is computed as $S = F_s(i)$, and a double-spending equation is computed as $T = x + R F_t(i)$, where $R$ is a random challenge by the merchant. The coin itself consists of $(S, T, R, \pi)$, where $\pi$ is a non-interactive zero-knowledge proof of knowledge of the following values: $x, s, t, i, \sigma$, where $\sigma$ is the Bank's signature on $(x, s, t)$, $1 \le i \le N$, $S = F_s(i)$ and $T = x + R F_t(i) \bmod q$. If $g$ is a generator of a group $G$ of order $q$, and $G$ is the range of the PRF $F_{(\cdot)}(\cdot)$, then the double-spending equation can instead be computed as $T = g^x F_t(i)^R$. It is easy to see that two double-spending equations for the same $t, i$ but different $R$'s allow us to compute $g^x$. It was shown that this approach yields a compact e-cash scheme [CHL05]. Later, this was extended to so-called e-tokens [CHK+06] that allow up to $k$ anonymous transactions per time period (for example, this would correspond to subscriptions to interactive game sites or anonymous sensor reports).
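As an added example (not part of the paper), the following Python shows the identification step concretely: two double-spending equations $T_1 = g^x F_t(i)^{R_1}$ and $T_2 = g^x F_t(i)^{R_2}$ for the same $(t, i)$ give $T_1/T_2 = F_t(i)^{R_1 - R_2}$, so $F_t(i) = (T_1/T_2)^{1/(R_1-R_2)}$ and then $g^x = T_1 / F_t(i)^{R_1}$. The group is a toy prime-order subgroup of $\mathbb{Z}_{2039}^*$ (both primes are constructed, far too small for real use) and the PRF is the Dodis-Yampolskiy-style $F_t(i) = g^{1/(t+i)}$ that the paper adopts later; the bank's signature and the NIZK proof $\pi$ are omitted, since only the double-spend algebra is being demonstrated.

```python
"""Added example (not from the paper): the double-spending equation of compact
e-cash, T = g^x * F_t(i)^R, and how two spends of the same coin (same t, i) with
different merchant challenges R reveal g^x.  Toy instantiation in a prime-order
subgroup of Z_p^* with p = 2q + 1 (constructed small primes) and the
Dodis-Yampolskiy-style PRF F_t(i) = g^{1/(t+i)}.  The bank's signature and the
NIZK proof pi are omitted; this shows only the identification algebra."""
from secrets import randbelow

Q = 1019                 # constructed: prime order of the PRF's range group
PRIME = 2 * Q + 1        # 2039, also prime: quadratic residues form a group of order Q
GEN = 4                  # 2^2 is a quadratic residue != 1, hence of order exactly Q


def prf(seed, i):
    """F_seed(i) = g^{1/(seed + i) mod q}; undefined when seed + i = 0 mod q."""
    e = (seed + i) % Q
    if e == 0:
        raise ValueError("seed + i = 0 mod q: PRF undefined at this index")
    return pow(GEN, pow(e, -1, Q), PRIME)


def withdraw():
    """The bank would sign (x, s, t); here they are simply sampled (x = user id)."""
    return randbelow(Q - 1) + 1, randbelow(Q), randbelow(Q)


def spend(x, s, t, i, R):
    """Coin i against merchant challenge R: (S, T, R), with the proof pi omitted."""
    S = prf(s, i)                                            # serial number
    T = pow(GEN, x, PRIME) * pow(prf(t, i), R, PRIME) % PRIME  # double-spending equation
    return S, T, R


def identify(T1, R1, T2, R2):
    """Recover g^x from two double-spending equations for the same (t, i):
       T1/T2 = F^(R1-R2)  =>  F = (T1/T2)^{1/(R1-R2)},  g^x = T1 / F^R1."""
    if (R1 - R2) % Q == 0:
        raise ValueError("challenges coincide mod q: nothing to recover")
    ratio = T1 * pow(T2, -1, PRIME) % PRIME
    F = pow(ratio, pow((R1 - R2) % Q, -1, Q), PRIME)
    return T1 * pow(F, -R1, PRIME) % PRIME


def bank_deposit(ledger, coin):
    """Returns None for a fresh serial number, or the recovered g^x if the same
    serial was deposited before (a double spend)."""
    S, T, R = coin
    if S in ledger:
        _, T0, R0 = ledger[S]
        return identify(T0, R0, T, R)
    ledger[S] = coin
    return None


if __name__ == "__main__":
    x, s, t = withdraw()
    ledger = {}
    R1 = randbelow(Q)
    R2 = (R1 + 1 + randbelow(Q - 1)) % Q      # guaranteed different from R1
    print("first deposit   :", bank_deposit(ledger, spend(x, s, t, 3, R1)))
    found = bank_deposit(ledger, spend(x, s, t, 3, R2))
    print("second deposit  : recovered g^x ==", pow(GEN, x, PRIME), "?", found == pow(GEN, x, PRIME))
```

Two honest spends of different coins have different serial numbers $F_s(i)$ and are never linked; only reuse of the same $(t, i)$ with a fresh challenge exposes $g^x$, which is exactly the property the off-line remedy above requires.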

Thus, we see that compact e-cash and variants such as e-tokens can be obtained from a signature scheme, a pseudorandom function, and a non-interactive zero-knowledge (NIZK) proof system for the appropriate language. However, until now no efficient instantiations of the NIZK proofs could be given, and all practical instantiations of compact e-cash had to derive the non-interactive proofs from interactive proofs via the Fiat-Shamir heuristic [FS87], which is known not to yield provably secure constructions [GK03]. It seemed that, perhaps, random

Page 124: Pairing-Based Cryptography - Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

116 M. Belenkiy et al.

oracle based techniques were necessary to achieve such schemes efficiently. Weshow here that this is not the case.

Challenges and Techniques. Until the recent proof system of Groth and Sahai [GS07], there were no efficient NIZK proof systems for languages most heavily used in cryptographic constructions (such as languages of true statements about discrete logarithm representations and bilinear pairings). However, constructing an efficient provably-secure compact e-cash scheme is not simply a matter of replacing the Fiat-Shamir based NIZK proofs with the Groth-Sahai system. There are several issues that arise when we attempt to apply the Groth-Sahai proofs. First, recall that the Groth-Sahai system only works for proofs of particular types of statements. Thus, we must find a PRF and a signature scheme where verification can be phrased in terms of such statements. In the case of the PRF, we use a modification of the Dodis-Yampolskiy VRF [DY05], which outputs elements of the bilinear group $G_1$. We show that this is secure under the assumption that DDHI holds in this group.¹

For the signature scheme, we note that verification of Boneh-Boyen signatures [BB04b] can be phrased as a pairing product equation. However, as noted in Belenkiy et al. [BCKL08], because Groth-Sahai proofs are only partially extractable, we need a stronger unforgeability. Here we need that it be impossible to produce $(F(m), \mathrm{Sign}_{sk}(m))$ for an unsigned message $m$, where $F(m)$ is a value that can be extracted from a commitment to $m$. Belenkiy et al. gave a construction which satisfies this definition, but only allows signatures on a single message. We need the bank to be able to sign multiple message blocks, thus we extend that construction to construct a multi-block P-signature scheme. We also show that issuing can be done efficiently using more recent techniques given in [BCC+09]. (The original [BCKL08] construction relied on general two party computation for arithmetic circuits.)

We also need to be able to prove that the coin value falls within a given range. The original Camenisch et al. construction uses a technique by [Bou00], which relies on the fact that the underlying RSA group has unknown order. Groth-Sahai proofs, on the other hand, rely on the cryptographic bilinear group model, and it is not known how to construct such groups with unknown order. Thus, we must use a different technique for our range proofs. We follow the basic concept of [TS06, CCS08], and implement the range proofs using the new P-signatures mentioned above.

Finally, while Groth and Sahai present a NIZK proof system for a large class of statements, their simpler witness indistinguishable proof system is much more efficient. Thus, we specifically design our protocols to use NIZK proofs only when necessary. As a result, we obtain a construction that is almost competitive in efficiency with the original Camenisch et al. construction.

E-cash construction. Our construction is in the common parameters model and relies on several number-theoretic assumptions. Our first building block is a signature scheme and an unconditionally binding commitment scheme that allows for an efficient proof of knowledge of a signature on a set of committed values, as well as for an efficient protocol for getting a committed value signed. This is done by extending the P-signature construction of Belenkiy et al. [BCKL08], which only allows signing single values, and incorporating the techniques from [BCC+09]. In our construction we will also use P-signatures, together with the techniques of [CCS08] (that relied on interactive proofs), to obtain efficient non-interactive interval proofs.

¹ We note that the original Camenisch et al. [CHL05] construction used a similar PRF based on DDHI in a standard prime order group (without a bilinear map). They then proved correctness of each PRF output using the Fiat-Shamir heuristic.

Our second building block is a pseudorandom function and an unconditionally binding commitment scheme $\mathrm{Com}(\cdot, \cdot)$ (the same as for the P-signature scheme) with an efficient proof system for the serial number $S$ and the double spending tag $T$.

Simulatable verifiable random functions. Our main observation is that the NIZK proof for a compact e-cash serial number, a proof of the language $L_F = \{S, C_y, C_s \mid \exists s, y, r_s, r_y \text{ such that } S = F_s(y),\ C_y = \mathrm{Com}(y, r_y),\ C_s = \mathrm{Com}(s, r_s)\}$, is a special case of a simulatable verifiable random function (sVRF), introduced by Chase and Lysyanskaya [CL07]. Chase and Lysyanskaya gave an efficient construction of a multi-theorem non-interactive zero-knowledge proof system for any language $L$ from a single-theorem one for the same language (while other single-theorem to multi-theorem transformations required the Cook-Levin reduction [Coo71] to an NP-complete language first).

Chase and Lysyanskaya [CL07] gave two constructions for sVRFs. The first is based on generic non-interactive zero-knowledge proofs and is therefore impractical. The second construction is based on composite order bilinear pairings [BGN05, FST06], and has several shortcomings. In particular, its range is either only logarithmic in the security parameter or it is only weakly simulatable. Our fully simulatable construction is thus more efficient by a factor of the security parameter; it is also designed in a way that is more modular and therefore easier to understand (and improve). Finally, it relies on a somewhat weaker assumption. Therefore, we believe this result will be of independent interest.

Our contribution and outline of the paper. We present the first P-signature scheme for multiple messages, the first fully simulatable VRF with polynomial sized output domain, and the first efficient compact e-cash scheme that does not rely on random oracles. (The security of conventional e-cash was, e.g., studied in [JLO97, STS99, Tro05].) The rest of the paper is organized as follows. In Section 2 we discuss our assumptions and recall useful results about non-interactive zero-knowledge. In Section 3 we define and construct our new P-signature scheme for message blocks. Section 4 and Section 5 revisit simulatable verifiable random functions and compact e-cash respectively.

2 Preliminaries

In this section we list our assumptions and recall some useful results about non-interactive zero-knowledge proofs (NIZK).

A function $\nu$ is negligible if, for every integer $c$, there exists an integer $K$ such that for all $k > K$, $|\nu(k)| < 1/k^c$. A problem is said to be hard (or infeasible) if there exists no probabilistic polynomial time (p.p.t.) algorithm to solve it.

Bilinear Pairings. Let $G_1$, $G_2$, and $G_T$ be groups of prime order $p$. The map $e : G_1 \times G_2 \to G_T$ must satisfy the following properties: (a) Bilinearity: a map $e : G_1 \times G_2 \to G_T$ is bilinear if $e(a^x, b^y) = e(a, b)^{xy}$; (b) Non-degeneracy: for all generators $g \in G_1$ and $h \in G_2$, $e(g, h)$ generates $G_T$; (c) Efficiency: there exists a p.p.t. algorithm $\mathrm{BMGen}(1^k)$ that outputs $(p, G_1, G_2, G_T, e, g, h)$ to generate the bilinear map and an efficient algorithm to compute $e(a, b)$ for any $a \in G_1$, $b \in G_2$.

Assumptions. The security of our scheme is based on previously proposed number-theoretic assumptions. The unforgeability of our P-signature construction relies on the TDH [BCKL08] and the HSDH [BW07] assumptions; pseudorandomness is based on the q-DDHI assumption [BB04a, CHL05]; and the zero-knowledge of the Groth-Sahai proof system rests on the XDH or DLIN assumption [GS07].

Definition 1 (Triple DH). On input $g, g^x, g^y \in G_1$, $h, h^x \in G_2$, and $\{c_i, g^{1/(x+c_i)}\}_{i=1\ldots q}$ for random $x, y$, and $c_1, \ldots, c_q$, it is computationally infeasible to output a tuple $(h^{\mu x}, g^{\mu y}, g^{\mu xy})$ for $\mu \neq 0$.

Definition 2 (Hidden SDH). On input $g, g^x, u \in G_1$, $h, h^x \in G_2$ and $\{g^{1/(x+c_\ell)}, h^{c_\ell}, u^{c_\ell}\}_{\ell=1\ldots q}$ for random $x$ and $c_1, \ldots, c_q$, it is computationally infeasible to output a new tuple $(g^{1/(x+c)}, h^c, u^c)$.

Definition 3 (q-DDHI). On input $g, g^\alpha, g^{\alpha^2}, \ldots, g^{\alpha^q} \in G$ for a random $\alpha \leftarrow \mathbb{Z}_p$, it is computationally infeasible to distinguish $g^{1/\alpha}$ from a random element of $G$ with probability non-negligibly better than $1/2$.

Our sVRF requires that the q-DDHI assumption holds either in $G_1$ or $G_2$. Without loss of generality we fix this group to be $G_1$. Note that this is slightly stronger than the assumption used in [DY05] to construct an efficient VRF (there the challenge is $e(g, h)^{1/\alpha}$ or a random element of $G_T$). However, it is still weaker than the BDHBI assumption used in the sVRF construction in [CL07].

Composable Non-Interactive Proofs. We review composable non-interactive proof systems. Let $R(\cdot, \cdot)$ be any polynomial-time computable relation. A non-interactive proof system for an NP language allows a prover to convince a verifier of the truth of the statement $\exists x : R(y, x)$ about instance $y$ using witness $x$. Non-interactive proof systems use a common reference string $params$ as output by $\mathrm{Setup}(1^k)$ that is common input to both the $\pi \leftarrow \mathrm{Prove}(params, y, x)$ and $accept/reject \leftarrow \mathrm{Verify}(params, x, \pi)$ algorithms. This notion can be generalized for a relation $R(params, y, x)$ parameterized by $params$.

Informally, zero-knowledge captures the notion that a verifier learns nothing from the proof but the truth of the statement. Witness-indistinguishability is a weaker notion that guarantees that the verifier learns nothing about which witness was used in the proof.

In a composable (under the definition of Groth and Sahai [GS07]) non-interactive witness indistinguishable proof system there exists a SimSetup algorithm that outputs $params$ together with a trapdoor $sim$, such that (1) $params$ output by SimSetup are indistinguishable from those output by Setup; (2) the output of Prove using these parameters is perfectly witness-indistinguishable (in other words, even if there are two witnesses to a statement, they induce identical distributions on the proofs). Composable non-interactive zero-knowledge further means that there exists an algorithm SimProve that outputs a simulated proof using $sim$, and the output of SimProve is distributed identically to that of Prove when given the simulated parameters. The big advantage of a composable definition is that it is fairly simple and easy to work with, and yet it still implies the standard multi-theorem definitions.

Composable proofs about commitments. The prover and verifier frequently get some set of commitments $(C_1, \ldots, C_n)$ as common input. The prover wants to show that a statement about instance $y = (C_1, \ldots, C_n, Condition)$ holds. The witness to the statement is $(x_1, open_1, \ldots, x_n, open_n, z)$, where $(x_i, open_i)$ is the opening of commitment $C_i$, while $z$ is some value that has nothing to do with the commitments. The relation is $R = \{(params, y, x) \mid C_1 = \mathrm{Com}(params, x_1, open_1) \wedge \ldots \wedge C_n = \mathrm{Com}(params, x_n, open_n) \wedge Condition(params, x_1, \ldots, x_n, z)\}$.

Summary of Groth-Sahai proofs. Groth and Sahai [GS07] give a composable witness-indistinguishable proof system that lets us efficiently prove statements in the context of groups with bilinear maps. Let $params_{BM} = (p, G_1, G_2, G_T, e, g, h)$ be the setup for pairing groups of prime order $p$.

In a Groth-Sahai proof, the prover and the verifier both know $\{a_q\}_{q=1\ldots Q} \in G_1$, $\{b_q\}_{q=1\ldots Q} \in G_2$, $t \in G_T$, and $\{\alpha_{q,m}\}_{q=1\ldots Q,\, m=1\ldots M}$, $\{\beta_{q,n}\}_{q=1\ldots Q,\, n=1\ldots N} \in \mathbb{Z}_p$. In addition, they both know commitments $\{C_m\}_{m=1\ldots M}$ and $\{D_n\}_{n=1\ldots N}$ to values in $G_1$ and $G_2$ respectively. For each commitment $C_m$ and $D_n$ the prover knows the opening information and the committed value $x_m \in G_1$ or $y_n \in G_2$ respectively ($m = 1\ldots M$, $n = 1\ldots N$). Groth-Sahai proofs prove that the values in these commitments fulfill the pairing product equation

$$\prod_{q=1}^{Q} e\Big(a_q \prod_{m=1}^{M} x_m^{\alpha_{q,m}},\; b_q \prod_{n=1}^{N} y_n^{\beta_{q,n}}\Big) = t.$$

Groth-Sahai commitments. Throughout the paper we will use Groth-Sahai commitments (GSCom) in our constructions. Under the parameters output by Setup they are perfectly binding. We will sometimes make use of the fact that they are also extractable.

3 A Multi-block P-Signature Scheme

Belenkiy et al. [BCKL08] introduced signatures with efficient non-interactive proofs of signature possession. Their construction can only be used to sign a single message block. In this section, we briefly review the definition of a P-signature scheme and construct a multi-block P-signature scheme.

Before defining and constructing P-signatures, we recall some particulars about the way Belenkiy et al. use Groth-Sahai proofs. In addition to the zero-knowledge or witness indistinguishability property they rely on the fact that they are partially extractable ($f$-extractable [BCKL08]) proofs of knowledge about committed values. By '$x$ in $C$' we denote that there exists $open$ such that $C = \mathrm{Com}(x, open)$. Following Camenisch and Stadler [CS97a] and Belenkiy et al. [BCKL08], we use the following notation to express an $f$-extractable NIPK for instance $y = (C_1, \ldots, C_n, Condition)$ with witness $w = (x_1, open_1, \ldots, x_n, open_n, z)$:

$$\pi \leftarrow \mathrm{NIPK}[x_1 \text{ in } C_1, \ldots, x_n \text{ in } C_n]\{\, f(params, (x_1, open_1, \ldots, x_n, open_n, y)) : Condition(params, x_1, \ldots, x_n, z)\,\}.$$

For such a proof there exists a polynomial-time extractor (ExtractSetup, Extract). ExtractSetup($1^k$) outputs $(td, params)$ where $params$ is distributed identically to the output of Setup($1^k$). For all p.p.t. adversaries $A$, the probability that $A(1^k, params)$ outputs $(y, \pi)$ such that Verify($params$, $y$, $\pi$) = accept and Extract($td$, $y$, $\pi$) fails to extract $f(params, (x_1, open_1, \ldots, x_n, open_n, z))$, such that $x_i$ is the content of the commitment $C_i$ and $Condition(params, x_1, \ldots, x_n, z)$ is satisfied, is negligible in $k$.

Groth-Sahai proofs use commitments $\mathrm{GSCom}(x, open)$ that allow extracting the value $x$ but not the opening $open$. In short, Groth-Sahai proofs are $f$-extractable proofs of the following form:

$$\mathrm{NIPK}\big[\{x_m \text{ in } C_m\}_{m=1}^{M}, \{y_n \text{ in } D_n\}_{n=1}^{N}\big]\Big\{(x_1, \ldots, x_M, y_1, \ldots, y_N) : \prod_{q=1}^{Q} e\Big(a_q \prod_{m=1}^{M} x_m^{\alpha_{q,m}},\; b_q \prod_{n=1}^{N} y_n^{\beta_{q,n}}\Big) = t\Big\}.$$

In our P-signature scheme we will commit to a message $m \in \mathbb{Z}_p$ as $\mathrm{Com}(m, (open_1, open_2)) = (\mathrm{GSCom}(h^m, open_1), \mathrm{GSCom}(u^m, open_2))$. Such a commitment allows extracting $F(m) = (h^m, u^m)$.

3.1 Definition of Multi-block P-Signatures

A signature scheme consists of four algorithms: Setup, Keygen, Sign, and VerifySig. Setup($1^k$) generates the public parameters $params$. Keygen($params$) generates a signing key pair $(pk, sk)$. Sign($params$, $sk$, $m$) computes a signature $\sigma$ on $m$. VerifySig($params$, $pk$, $m$, $\sigma$) outputs accept if $\sigma$ is a valid signature on $m$, reject otherwise. We extend this definition to support multi-block messages $m = (m_1, \ldots, m_n)$.

Definition 4 ($F$-Secure Signature Scheme [BCKL08]). Let $F$ be an efficiently computable bijection with a not necessarily efficient inverse $F^{-1}$. We say that a signature scheme is $F$-secure (against adaptive chosen message attacks) if it has the following properties: (a) Correctness: VerifySig always accepts a signature $\sigma$ obtained using the Sign algorithm; (b) $F$-Unforgeability: no adversary should be able to output values $(F_1, \ldots, F_n, \sigma)$ such that for $m = (F^{-1}(F_1), \ldots, F^{-1}(F_n))$ algorithm VerifySig($params$, $pk$, $m$, $\sigma$) = accept unless he has previously obtained a signature on $m$.

Definition 5 (P-Signature Scheme [BCKL08]). A P-Signature scheme combines an $F$-secure signature scheme with a commitment scheme and three protocols:

1. An algorithm SigProve($params$, $pk$, $\sigma$, $m = (m_1, \ldots, m_n)$) that generates commitments $(C_1, \ldots, C_n)$ and a NIZK proof $\pi \leftarrow \mathrm{NIPK}[m_1 \text{ in } C_1, \ldots, m_n \text{ in } C_n]\{(F(m_1), \ldots, F(m_n), \sigma) : \mathrm{VerifySig}(params, pk, m, \sigma) = accept\}$, and the corresponding VerifyProof($params$, $pk$, $\pi$, $(C_1, \ldots, C_n)$) algorithm.

2. A composable non-interactive zero-knowledge proof system for proving equality of committed values, i.e., a proof of relation $R = \{(params, (x, y), (open_x, open_y)) \mid C = \mathrm{Com}(params, x, open_x) \wedge D = \mathrm{Com}(params, y, open_y) \wedge x = y\}$.

3. A secure two-party computation [JS07] that lets a signer issue a signature on a committed message vector $m$ without learning any information about $m$. The protocol consists of interactive algorithms SigIssue($params$, $sk$, $C_1, \ldots, C_n$) and SigObtain($params$, $pk$, $m$, $open_1, \ldots, open_n$).

3.2 Construction of a Multi-block P-Signature Scheme

We first construct an F -secure multi-block signature scheme.

Setup($1^k$). Let $(p, G_1, G_2, G_T, e, g, h) \leftarrow \mathrm{BMGen}(1^k)$ be the parameters of a bilinear map, let $u$ be an additional generator for $G_1$, and let $params_{GS}$ be the parameters for the corresponding Groth-Sahai NIZK proof system (either in the XDH or the DLIN setup). Output parameters $params = ((q, G_1, G_2, G_T, g, h), u, params_{GS}, z = e(g, h))$.

Keygen($params$) picks random $\alpha, \beta_1, \ldots, \beta_n \leftarrow \mathbb{Z}_p$. The signer calculates $v = h^\alpha$, $\tilde v = g^\alpha$, $w_i = h^{\beta_i}$, $\tilde w_i = g^{\beta_i}$, $1 \le i \le n$. The secret key is $sk = (\alpha, \beta)$. The public key is $pk = (v, w, \tilde v, \tilde w)$. The public key can be verified by checking that $e(g, v) = e(\tilde v, h)$ and $e(g, w_i) = e(\tilde w_i, h)$ for all $i$.

Sign($params$, $(\alpha, \beta)$, $m$) chooses a random $r \leftarrow \mathbb{Z}_p \setminus \{-(\alpha + \beta_1 m_1 + \cdots + \beta_n m_n)\}$ and calculates $\sigma_1 = g^{1/(\alpha + r + \beta_1 m_1 + \cdots + \beta_n m_n)}$, $\sigma_2 = h^r$, $\sigma_3 = u^r$. The signature is $(\sigma_1, \sigma_2, \sigma_3)$.

VerifySig($params$, $(v, w, \tilde v, \tilde w)$, $m$, $(\sigma_1, \sigma_2, \sigma_3)$) outputs accept if $e\big(\sigma_1, v\sigma_2 \prod_{i=1}^{n} w_i^{m_i}\big) = z$ and $e(u, \sigma_2) = e(\sigma_3, h)$.

Theorem 1. Let $F(m) = (h^m, u^m)$. The above signature scheme is $F$-secure given the HSDH and TDH assumptions. See the full version for the proof.

We need to augment the multi-block signature scheme with the three P-Signature protocols.

1. SigProve($params$, $(v, w, \tilde v, \tilde w)$, $(\sigma_1, \sigma_2, \sigma_3)$, $m$) is defined as follows: We use Com to commit to the $m_i$ as follows: $\mathrm{Com}(m_i, (open_{i,1}, open_{i,2})) = (\mathrm{GSCom}(h^{m_i}, open_{i,1}), \mathrm{GSCom}(u^{m_i}, open_{i,2})) = (H_i, U_i) = C_i$; then we form the Groth-Sahai proof:

$$\pi \leftarrow \mathrm{NIZK}[h^{m_1} \text{ in } H_1, u^{m_1} \text{ in } U_1, \ldots, h^{m_n} \text{ in } H_n, u^{m_n} \text{ in } U_n]\Big\{(h^{m_1}, u^{m_1}, w_1^{m_1}, \ldots, h^{m_n}, u^{m_n}, w_n^{m_n}, \sigma_1, \sigma_2, \sigma_3) : e\Big(\sigma_1, v\sigma_2 \prod_{i=1}^{n} w_i^{m_i}\Big) = z \;\wedge\; e(u, \sigma_2)\, e(\sigma_3, h^{-1}) = 1 \;\wedge\; \big\{e(\tilde w_i, h^{m_i})\, e(g^{-1}, w_i^{m_i}) = 1 \;\wedge\; e(u, h^{m_i})\, e(u^{m_i}, h^{-1}) = 1\big\}_{i=1}^{n}\Big\}$$

VerifyProof(params , pk , π, (C1, . . . , Cn)) simply verifies the proof π.

To see that the witness indistinguishable proof $\pi$ is also zero-knowledge, the simulation setup sets $u = g^a$. The simulator can then pick $s, m_1, \ldots, m_n \leftarrow \mathbb{Z}_p$ and compute $\sigma_1 = g^{1/s}$. We implicitly set $r = s - (\alpha + \sum_{i=1}^{n} m_i \beta_i)$. Note that the simulator does not know $r$ and $\alpha$. However, he can compute $h^r = h^s / (v \prod_{i=1}^{n} w_i^{m_i})$ and $u^r = u^s / (\tilde v \prod_{i=1}^{n} \tilde w_i^{m_i})^a$. Now he can use $h^{m_1}, u^{m_1}, w_1^{m_1}, \ldots, h^{m_n}, u^{m_n}, w_n^{m_n}, \sigma_1, \sigma_2 = h^r, \sigma_3 = u^r$ as a witness and construct the proof $\pi$ in the same way as the real Prove protocol. By the witness indistinguishability, a proof using the faked witnesses is indistinguishable from a proof using a real witness. See also [BCKL08].

2. The second protocol is a proof of equality of committed values. It is of the form $\mathrm{NIPK}[x \text{ in } C;\ y \text{ in } D]\{(x, y, h^\theta) : e(x/y, h^\theta) = 1 \wedge e(g, h^\theta) = e(g, h)\}$.

Groth and Sahai [GS07] show that such witness-indistinguishable proofs are also zero-knowledge. A simulator that knows the simulation trapdoor $sim$ for the GS proof system can simulate the two conditions by setting $\theta$ to 0 and 1 respectively. In this way he can fake the proofs for arbitrary commitments.

3. The third protocol is a secure two-party computation for signing a committed value. One could use the same technique as in Belenkiy et al. [BCKL08] to reduce computing a signature to computing an arithmetic circuit using the Jarecki and Shmatikov [JS07] secure two-party computation protocol. Alternatively, we suggest the use of a more efficient protocol based on homomorphic encryption as for example done in [BCC+09, CKW04].

Theorem 2. The above construction is a secure P-Signature scheme given the HSDH and TDH assumptions, either the SXDH or DLIN assumption, and the security of the two-party computation protocol.

The proof follows from the $F$-unforgeability of the multi-block signature scheme and the security of the Groth-Sahai proofs, which depend on either the SXDH or DLIN assumptions. The zero-knowledge simulations are done as sketched above. For details we refer to [GS07, BCKL08, BCC+09].

4 Strongly Simulatable Verifiable Random Functions

Here we present our new construction for sVRFs. Later, we will show that an extension of this construction (as described in Sections 4.2 and 4.3) can be used to construct provably secure e-cash.

At a high level, an sVRF is an extension of a pseudorandom function (PRF) (and also of a slightly weaker extension, called a VRF [MRV99]). It includes a key generation procedure that generates a seed for the PRF along with a corresponding public key. It also includes a proof system for proving that a particular output is correct with respect to a given input and a given public key. We require fairly strong hiding properties from this proof system – in particular, we do not want it to interfere with the pseudorandomness properties of the PRF. For the full definition, see [CL07].

4.1 A New sVRF Construction

Our construction will be in the bilinear group setting where $(p, G_1, G_2, G_T, e, g, h) \leftarrow \mathrm{BMGen}(1^k)$. We will use the function $F_s(x) = g^{1/(s+x)}$ to build an efficient simulatable VRF.² Note that the base function is similar to the Dodis-Yampolskiy VRF [DY05], which uses the function $F_s(x) = e(g, h)^{1/(s+x)}$ and thus gives output in $G_T$. Moving our function to output elements in $G_1$ is the crucial step which allows us to use the Groth-Sahai proof techniques.

Theorem 3. Let $D_k \subset \mathbb{Z}$ denote a family of domains of size polynomial in $k$. Let $p, g, e, G_1, G_2, G_T$ be as described above where $|p| = k$. If the DDHI assumption holds in $G_1$, then the set $\{g^{1/(s+x)}\}_{x \in D_k}$ is indistinguishable from the set $\{g^{r_x}\}_{x \in D_k}$ where $s, \{r_x\}_{x \in D_k}$ are chosen at random from $\mathbb{Z}_p$. The proof is very similar to that in [DY05].

We will build an sVRF based on this function as follows:

Setup($1^k$). Let $(p, G_1, G_2, G_T, e, g, h) \leftarrow \mathrm{BMGen}(1^k)$ be the parameters of a bilinear map and let $params_{GS}$ be the parameters for the corresponding Groth-Sahai NIZK proof system (either in the XDH or the DLIN setup). Output parameters $params_{VRF} = ((p, G_1, G_2, G_T, g, h), params_{GS})$.

Keygen($params_{VRF}$). Pick a random seed $s \leftarrow \mathbb{Z}_p$ and random opening information $open_s$, and output secret key $sk = (s, open_s)$ and public key $pk = \mathrm{GSCom}(h^s, open_s)$.

Eval($params_{VRF}$, $sk = (s, open_s)$, $x$). Compute $y = g^{1/(s+x)}$.

Prove($params_{VRF}$, $sk = (s, open_s)$, $x$). Compute $y = g^{1/(s+x)}$ and $C_y = \mathrm{GSCom}(y, open_y)$ from random opening $open_y$. Next create the following two proofs: $\pi_1$, a composable NIZK proof that $C_y$ is a commitment to $y$; this is a proof that the value $v$ committed to in $C_y$ fulfills the pairing product equation $e(v/y, h^\theta) = 1 \wedge e(g, h^\theta) = e(g, h)$ (see [GS07] for details); $\pi_2$, a GS composable witness indistinguishable proof that $C_y$ is a commitment to $Y$ and $pk$ is a commitment to $S$ such that $e(Y, S h^x) = e(g, h)$. Output $\pi = (C, \pi_1, \pi_2)$.

2 This function is also known as a Weak Boneh-Boyen signature [BB04b].

Verify($params$, $pk$, $x$, $y$, $\pi = (C, \pi_1, \pi_2)$). Use the Groth-Sahai verification to verify $\pi_1, \pi_2$ with respect to $C, x, pk, y$.

Theorem 4. This construction with domain size $p$ is a strong sVRF under the q-DDHI assumption for $G_1$ and under the assumption that the Groth-Sahai proof system is secure. For the proof, consult the full version of the paper.

4.2 A NIZK Protocol for Pseudo-random Functions

In some applications, we need something stronger than an sVRF. In our e-cash application, we need to be certain that the proofs will reveal no information about which wallet was used, which means that they should completely hide the seed used. Furthermore, we do not want to reveal which coin in the wallet is being spent, thus we also want to hide the input $x$.

Thus, we will build a composable NIZK proof for the following language:

$$L_S = \{C_s, C_x, y \mid \exists x, s, open_x, open_s \text{ such that } C_s = \mathrm{Com}(s, open_s) \wedge C_x = \mathrm{Com}(x, open_x) \wedge y = F_s(x)\}$$

Note that there are four points where an sVRF proof is weaker than a full NIZK proof. First, the sVRF public key is not guaranteed to hide the secret key, only to hide enough information to preserve the pseudorandomness of the output values. However, this is not a problem in the above construction, since our public key is formed as a commitment. Second, an sVRF has a fixed public key, while we want to be able to compute unlinkable proofs for many different values of the PRF. This again is not relevant in the above construction: since we form our public key using a commitment scheme, we can easily use a different value in each proof. Third, in the sVRF proof, the input $x$ is given in the clear. We can fix this fairly easily by replacing $x$ by a commitment and proof. The final difference is that the sVRF proof need not be fully zero knowledge: the sVRF simulator is given the secret key as input (in our construction, the opening of the commitment $C_s$). We resolve this last point by adding extra commitments $C'_s, C'_x$ (whose opening the zero-knowledge simulator will know), and zero-knowledge proofs that they commit to the same values as $C_s, C_x$.

On input $(C_s, C_x, y)$ and $(x, s, open_x, open_s)$ a NIZK proof of membership in $L_S$ is done as follows: We first compute commitment $C'_s$ to $h^s$. Then we compute $C_y, \pi_1$ as in the sVRF Prove protocol, with $pk = C'_s$. Next we compute a commitment $C'_x$ to $h^x$, and a GS composable witness-indistinguishable proof $\pi_2$ that $C_y$ is a commitment to $Y$, $C'_x$ is a commitment to $X$, and $C'_s$ is a commitment to $S$ such that $e(Y, SX) = e(g, h)$. Finally, to make the construction zero-knowledge, we add composable NIZK proofs $\pi_s$ and $\pi_x$ that $C_s$ and $C'_s$, and $C_x$ and $C'_x$ are commitments to the same values. Let $v$ be $s$ or $x$, respectively. Then each proof is a proof that the values $v$ and $v'$ committed to in $C_v$ and $C'_v$ fulfill the pairing product equation $e(v/v', h^\theta) = 1 \wedge e(g, h^\theta) = e(g, h)$. See [GS07] for why this is zero-knowledge. The final proof is $\pi = (C'_s, C'_x, C'_y, \pi_1, \pi_2, \pi_s, \pi_x)$.

The proof is verified using the Groth-Sahai verification techniques to check $\pi_1, \pi_2, \pi_3, \pi_4$ with respect to $C_s, C_x, y, C'_s, C'_x, C'_y$.

Theorem 5. The above proof system is a secure composable zero-knowledge proof system for the language $L_S(params)$, where $params$ is output by Setup. The proof appears in the full version.

4.3 NIZK Proofs for Double-Spending Equations: A More Complex Language

In our application, we use NIZKs about PRFs in two different places. The first is to prove that a given serial number has been computed correctly as $F_s(x)$ according to a committed seed $s$ and committed input $x$. That can be done using the NIZK protocol described in the previous section. However, we also need to be able to prove that the double-spending value $T$ has been computed correctly. Thus, we also need a proof system for the following language:

$$L_T = \{C_s, C_x, C_{sk}, tag, ch \mid \exists x, s, sk, open_x, open_s, open_{sk} \text{ such that } C_s = \mathrm{Com}(s, open_s) \wedge C_x = \mathrm{Com}(x, open_x) \wedge C_{sk} = \mathrm{Com}(sk, open_{sk}) \wedge tag = (g^{sk})^{ch} F_s(x)\}$$

We can generalize our above proof system to handle this as well. For the con-struction see the full version.
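As an added example for the function $F_s(x) = g^{1/(s+x)}$ of Section 4.1 and for the tag of $L_T$ above (example code written for this page, not the paper's construction), the Python below evaluates the PRF in a prime-order group and shows why two tags on the same $(s, x)$ under different challenges expose $g^{sk}$, which is the fact the bank relies on to identify a double spender. It assumes a Schnorr subgroup of $\mathbb{Z}_p^*$ (with $p = 2q+1$) in place of the bilinear group $G_1$, so no pairing is available: the check $e(y, h^s h^x) = e(g, h)$ that a verifier would run with a pairing is replaced by the exponent-side identity $y^{s+x} = g$, which here only a holder of $s$ can evaluate. The Groth-Sahai commitments and proofs are not modelled.

```python
"""The PRF F_s(x) = g^(1/(s+x)) of Section 4.1 and the double-spending tag
of the language L_T in Section 4.3.

Added example, not code from the paper.  Assumptions: the paper's bilinear
group G1 is replaced by a prime-order Schnorr subgroup of Z_p^* (p = 2q + 1),
so no pairing exists; the public check e(y, h^s h^x) = e(g, h) is replaced
by the exponent-side identity y^(s+x) = g, which only a holder of s can run.
"""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n below 3.3 * 10^24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def schnorr_group(bits: int, rng: random.Random) -> tuple:
    """Return (p, q, g): safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), 2, p)  # squaring lands in the order-q subgroup
        if g != 1:
            return p, q, g


def prf_eval(p: int, q: int, g: int, s: int, x: int) -> int:
    """F_s(x) = g^(1/(s+x)); the inverse is taken in the exponent group Z_q."""
    e = (s + x) % q
    if e == 0:
        raise ValueError("s + x = 0 mod q: F_s is undefined at this x")
    return pow(g, pow(e, -1, q), p)


def check_output(p: int, q: int, g: int, s: int, x: int, y: int) -> bool:
    """Exponent-side stand-in for the pairing check e(y, h^s h^x) = e(g, h)."""
    return pow(y, (s + x) % q, p) == g


def spend_tag(p: int, q: int, g: int, sk: int, ch: int, s: int, x: int) -> int:
    """Tag of L_T: tag = (g^sk)^ch * F_s(x), for merchant challenge ch."""
    return pow(g, sk * ch % q, p) * prf_eval(p, q, g, s, x) % p


def identify_double_spender(p: int, q: int, tag1: int, ch1: int, tag2: int, ch2: int) -> int:
    """Two tags on the same (s, x) under different challenges expose g^sk."""
    ratio = tag1 * pow(tag2, -1, p) % p  # = (g^sk)^(ch1 - ch2), the F_s(x) factor cancels
    return pow(ratio, pow((ch1 - ch2) % q, -1, q), p)


def demo(seed: int = 2009) -> bool:
    """64-bit toy group: PRF output passes the check, and a double spend reveals g^sk."""
    rng = random.Random(seed)
    p, q, g = schnorr_group(64, rng)
    s, sk, x = rng.randrange(1, q), rng.randrange(1, q), 7
    y = prf_eval(p, q, g, s, x)
    ok = check_output(p, q, g, s, x, y) and y != prf_eval(p, q, g, s, x + 1)
    ch1 = rng.randrange(1, q)
    ch2 = rng.randrange(1, q)
    while ch2 == ch1:
        ch2 = rng.randrange(1, q)
    t1 = spend_tag(p, q, g, sk, ch1, s, x)
    t2 = spend_tag(p, q, g, sk, ch2, s, x)
    return ok and identify_double_spender(p, q, t1, ch1, t2, ch2) == pow(g, sk, p)
```

The tag hides $g^{sk}$ as long as $F_s(x)$ is used once: a single tag is one equation in two unknown group elements. Spending the same coin twice reuses $F_s(x)$, so the ratio of the two tags is $(g^{sk})^{ch_1 - ch_2}$ and the exponent inverse modulo $q$ strips the challenges off.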

4.4 Efficiency Comparison with Previous sVRF Construction

As described above, our sVRF proof requires 1 commitment in $G_1$, 1 Groth-Sahai proof, and one zero-knowledge proof of equality of values in $G_1$. Thus, if we instantiate the proofs under the SXDH assumption, our construction requires 14 elements of $G_1$ and 14 elements of $G_2$ to give a proof, and the sVRF outputs a random element of the group $G_1$. Note that the group size is exponential in the security parameter $k$, so this really produces $k$ bits of pseudorandomness.

We compare this to the previous construction of sVRFs given by Chase and Lysyanskaya [CL07]. That construction was based on composite order bilinear groups. For the order of such groups to resist factorization they must be of a much greater size to achieve the same security as prime order groups. We assume a conservative factor of 5 for this difference.³ As pairing operations (and exponentiation) have cubic complexity, it is fair to assume that composite order pairings are at least two orders of magnitude slower than prime order pairings.

In addition, the basic construction of [CL07] is only weakly simulatable: for each input value there was a certain restricted set of outputs for which the simulator could output a simulated proof. Finally, the simulator also required some trapdoor information about the desired output value (in the construction it was a discrete logarithm). In order to obtain full simulatability, in which the simulator could produce a simulated proof for any output value in the range of the function with no additional information, this result applied an extractor to the output of the weak sVRF to extract a single bit. The simulator could then sample values from the simulatable range together with some trapdoor information, until it had found one on which the extractor produced the appropriate bit. Clearly extending this approach to achieve more than $O(\log k)$ bits of randomness would be infeasible.

³ http://www.keylength.com/en/3/

Each proof generated by this construction requires 3 elements of the composite order group $G$. Thus, in order to produce $k$ bits of randomness, even if we assume that we extended the construction to extract $\log k$ bits, we would need $k/\log k$ proofs, for a total of $3k/\log k$ elements of $G$.

5 New Compact E-Cash Scheme

We construct a compact e-cash scheme using our multi-block P-signatures and sVRF protocols. Compact e-cash as defined by Camenisch et al. [CHL05] lets a user withdraw multiple e-coins simultaneously. There are three types of players: a bank $\mathcal{B}$ as well as many users $\mathcal{U}$ and merchants $\mathcal{M}$ (though merchants are treated as a special type of user). Please refer to [CHL05] for protocol specifications and a definition of security.⁴ We now show how to construct compact e-cash.

CashSetup($1^k$). The setup runs SigSetup($1^k$) and returns the P-signature parameters $params$. Our construction is non-blackbox: we reuse the GS NIPK proof system parameters $params_{GS}$ that are contained in $params$. The parameters $params_{GS}$ in turn contain the setup for a bilinear pairing $params_{BM} = (p, G_1, G_2, G_T, e, g, h)$ for a pairing $e : G_1 \times G_2 \to G_T$ for groups of prime order $p$.

BankKG(params, n). The bank creates two P-signature key pairs, (pk_w, sk_w) ← SigKeygen(params) for issuing wallets and (pk_c, sk_c) ← SigKeygen(params) for signing coin indices. Then the bank computes a P-signature on the n coin indices Σ1, . . . , Σn, where Σi = SigSign(sk_c, i).⁵ The bank's secret key is sk_B = (sk_w, sk_c) and the bank's public key is (pk_w, pk_c, Σ1, . . . , Σn).

UserKG(params). The user picks sk_U ← Z*_p and returns (pk_U = e(g, h)^{sk_U}, sk_U).

Merchants generate their keys in the same way but also have a publicly known identifier id_M = f(pk_M) associated with their public keys (f is some publicly known mapping).

⁴ The original [CHL05] definition had an interactive Spend protocol, while we break it up into two non-interactive protocols: SpendCoin(params, W, pk_M, info) and VerifyCoin(params, pk_M, pk_B, coin). The merchant sends the user an info, the user runs SpendCoin and gives the resulting e-coin to the merchant, who verifies it using VerifyCoin. We prefer to use a non-interactive spend protocol because often two-way communication is not available or impractical, e.g. when sending an e-coin by email.

⁵ This will allow us to use the range proof approach from [TS06] and [CCS08], where a user proves that a value (the coin index) is in a list (the list {1, . . . , N}) by proving knowledge of a signature on that value.


Withdraw(U(params, pk_B, sk_U, n), B(params, pk_U, sk_B, n)). The user withdraws a wallet of coins from the bank.

1. The user picks s′, t′ ← Z_p; computes commitments comm_sk = Com(sk_U, open_sk), comm_s′ = Com(s′, open_s′), and comm_t′ = Com(t′, open_t′); and sends comm_sk, comm_s′, and comm_t′ to the bank. The user proves in zero-knowledge that he knows the openings of these values, and that comm_sk corresponds to the secret key used for computing pk_U.⁶

2. If the proofs verify, the bank sends the user random values s′′, t′′ ∈ Z_p.

3. The user picks random open_s, open_t, commits to comm_s = Com(s′ + s′′, open_s) and comm_t = Com(t′ + t′′, open_t), sends comm_s and comm_t to the bank, and proves that they are formed correctly. Let s = s′ + s′′ and t = t′ + t′′.

4. The user and bank run SigObtain(params, pk_w, (sk_U, s, t), (open_sk, open_s, open_t)) ↔ SigIssue(params, sk_w, (comm_sk, comm_s, comm_t)) respectively. The user obtains a P-signature σ on (sk_U, s, t). The user stores the wallet W = (s, t, pk_B, σ, n); the bank stores tracing information T_W = pk_U.

SpendCoin(params, (s, t, pk_B, σ, J), pk_M, info). The user calculates a serial number S = F_s(J) = g^{1/(s+J)}. The user needs to prove that he knows a signature σ on (sk_U, s, t) and a signature Σ_J on J such that S = F_s(J). Next the user constructs a double-spending equation T = (g^{id_M‖info})^{sk_U} F_t(J).⁷ The user proves that T is correctly formed for the sk_U, t, J signed in σ and Σ_J.

All these proofs need to be done non-interactively. We now give more details. The user runs SigProve, first on σ and pk_w to obtain commitments and proof ((C_id, C_s, C_t), π1) ← SigProve(params, pk_w, σ, (sk_U, s, t)) for sk_U, s, t respectively, and second on Σ_J and pk_c to obtain commitment and proof (C_J, π2) ← SigProve(params, pk_c, Σ_J, J) for J.

Then the user constructs non-interactive zero-knowledge proofs that indeed (S, T, C_id, C_s, C_t, C_J, id_M‖info) are well formed. This is done by computing two proofs π_F and π_T: π_F proves that (C_s, C_J, S) ∈ L_S and is computed as described in Section 4.2, where L_S is defined as:

L_S = {(C_s, C_x, y) | ∃ x, s, open_x, open_s such that C_s = Com(s, open_s) ∧ C_x = Com(x, open_x) ∧ y = F_s(x)};

⁶ These and the rest of the proofs in the issue protocol can be done using efficient sigma protocols [CS97b, Dam02] and their zero-knowledge compilers [Dam00].

⁷ The merchant is responsible for assuring that info is locally unique. Coins which have the same serial number and the same id_M‖info cannot be deposited, and the damage lies with the merchant. The danger that users get cheated by verifiers that do not accept coins with correct info can be mitigated using techniques such as endorsed e-cash [CLM07].


π_T proves that (C_t, C_J, C_id, T, (id_M‖info)) ∈ L_T and is computed as described in Section 4.3, where L_T is defined as:

L_T = {(C_s, C_x, C_sk, tag, ch) | ∃ x, s, sk, open_x, open_s, open_sk such that C_s = Com(s, open_s) ∧ C_x = Com(x, open_x) ∧ C_sk = Com(sk, open_sk) ∧ tag = (g^{sk})^{ch} F_s(x)}.

The user outputs a coin = (S, T, C_id, C_s, C_t, C_J, π1, π2, π_S, π_T, id_M‖info).

VerifyCoin(params, pk_M, pk_B, coin). To verify, parse coin as (S, (T, C_id, C_s, C_t, C_J, π1, π2, π_S, π_T), id_M′‖info) and check that all of the following succeed: (1) id_M′ = f(pk_M). (2) SigVerify(params, pk_w, π1, (C_id, C_s, C_t)) = accept. (3) SigVerify(params, pk_c, π2, C_J) = accept. (4) Verify_{L_S}(params_GS, (C_s, C_J, S), π_S) = accept. (5) Verify_{L_T}(params_GS, (C_t, C_J, C_id, T, (id_M‖info)), π_T) = accept.

Note that the merchant is responsible for assuring that info is unique over all of his transactions. Otherwise his deposit might get rejected by the following algorithm.

Deposit(params, pk_B, pk_M, coin, state_B). The algorithm parses the coin as coin = (S, T, C_id, C_s, C_t, C_J, π1, π2, π_S, π_T, id_M‖info) and performs the same checks as VerifyCoin. The bank maintains a database state_B of all previously accepted coins. The output of the algorithm is an updated database state′_B = state_B ∪ {coin} and the flag result, which is computed as follows:

(i) If the coin verifies and no coin with serial number S is stored in state_B, result = accept to indicate that the coin is correct and fresh. The bank deposits the value of the e-coin into the merchant's account and adds coin to state_B.

(ii) If the coin doesn't verify, or if there is a coin with the same serial number and the same id_M‖info already stored in state_B, result = merchant to indicate that the merchant cheated. The bank refuses to accept the e-coin because the merchant failed to properly verify it.

(iii) If the coin verifies but there is a coin with the same serial number S and different id_M‖info in state_B, result = user to indicate that a user double-spent. The bank pays the merchant (who accepted the e-coin in good faith) and punishes the double-spending user.

Identify(params, pk_B, coin1, coin2) allows the bank to identify a double-spender. Parse coin1 = (S, (T, C_id, C_s, C_t, C_J, π1, π2, π_S, π_T), id_M1‖info1) and coin2 = (S′, (T′, C′_id, C′_s, C′_t, C′_J, π′1, π′2, π′_S, π′_T), id_M2‖info2). The algorithm aborts if one of the coins doesn't verify, if S ≠ S′, or if id_M1‖info1 = id_M2‖info2. Otherwise, the algorithm outputs T_W = pk_U = e((T/T′)^{1/(id_M1‖info1 − id_M2‖info2)}, h), which the bank compares to the trace information it stores after each withdrawal transaction.
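The following is an added toy model of the SpendCoin, Deposit and Identify logic above; it is not code from the paper. It replaces the pairing group by a prime-order subgroup of Z_P^* (so pk_U is modelled as g^{sk_U} rather than e(g, h)^{sk_U}), drops the four NIZK proofs (VerifyCoin collapses to group-membership and merchant-id checks, with f taken as the identity), and uses a constructed integer encoding of id_M‖info. What it does show is the three-way Deposit decision and why Identify works: two coins with the same serial number share the index J, so the F_t(J) factors cancel in T/T′ and the remaining exponent can be divided out.

```python
"""Toy model of SpendCoin / Deposit / Identify (constructed example, not the paper's code)."""
from dataclasses import dataclass

# Constructed toy group: safe prime P = 2Q + 1, G generates the subgroup of prime order Q.
# Q plays the role of the prime p in the paper.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1

def gexp(e):
    """g^e in the order-Q subgroup (exponents live in Z_Q)."""
    return pow(G, e % Q, P)

def inv_mod_q(a):
    return pow(a % Q, -1, Q)

def F(seed, J):
    """The PRF F_seed(J) = g^{1/(seed + J)} behind serial numbers and double-spending tags."""
    return gexp(inv_mod_q(seed + J))

def encode_ch(idM, info):
    """Constructed encoding of id_M||info as an element of Z_Q (hypothetical, not from the paper)."""
    return ((idM << 16) | info) % Q

@dataclass
class Wallet:
    sk: int   # sk_U
    s: int    # serial-number seed
    t: int    # tag seed
    n: int    # number of coins in the wallet

def spend(w, J, idM, info):
    """SpendCoin for coin index J: S = F_s(J), T = (g^{id_M||info})^{sk_U} * F_t(J)."""
    ch = encode_ch(idM, info)
    S = F(w.s, J)
    T = gexp(ch * w.sk) * F(w.t, J) % P
    return {"S": S, "T": T, "idM": idM, "info": info, "ch": ch}

def verify_coin(coin, pkM):
    """Stand-in for VerifyCoin: f(pk_M) is modelled as the identity, so id_M must equal pk_M,
    and S, T must lie in the group. The real scheme additionally checks pi_1, pi_2, pi_S, pi_T."""
    in_group = lambda x: 0 < x < P and pow(x, Q, P) == 1
    return coin["idM"] == pkM and in_group(coin["S"]) and in_group(coin["T"])

def deposit(state, coin, pkM):
    """Cases (i)-(iii) of Deposit. Returns (result, new_state)."""
    if not verify_coin(coin, pkM):
        return "merchant", state                                   # (ii): merchant did not verify
    for old in state:
        if old["S"] == coin["S"]:
            same_ch = (old["idM"], old["info"]) == (coin["idM"], coin["info"])
            return ("merchant" if same_ch else "user"), state      # (ii) replay, or (iii) double-spend
    return "accept", state + [coin]                                # (i): fresh serial number

def identify(coin1, coin2):
    """Identify: pk_U = g^{sk_U} = (T/T')^{1/(ch - ch')}. Same S means same J, so F_t(J) cancels."""
    if coin1["S"] != coin2["S"] or coin1["ch"] == coin2["ch"]:
        return None
    ratio = coin1["T"] * pow(coin2["T"], -1, P) % P
    return pow(ratio, inv_mod_q(coin1["ch"] - coin2["ch"]), P)

def demo():
    """Two honest spends, a reuse of coin index 1 at a second merchant, and a merchant replay."""
    w = Wallet(sk=123, s=77, t=91, n=10)
    pkU = gexp(w.sk)
    c1, c2 = spend(w, 1, idM=3, info=5), spend(w, 2, idM=3, info=6)
    r1, state = deposit([], c1, pkM=3)
    r2, state = deposit(state, c2, pkM=3)
    dup = spend(w, 1, idM=4, info=9)          # same J as c1 -> same S, different tag
    r3, state = deposit(state, dup, pkM=4)
    r4, _ = deposit(state, c1, pkM=3)         # the first merchant deposits c1 a second time
    return (r1, r2, r3, r4, identify(c1, dup) == pkU)

if __name__ == "__main__":
    print(demo())   # ('accept', 'accept', 'user', 'merchant', True)
```

The bank never needs sk_U, s or t: the user's identity falls out of the two tags alone, which is exactly what lets the bank punish a double-spender while an honest user, who never reuses an index, stays anonymous.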


Theorem 6. This e-cash scheme is a secure compact e-cash scheme given the security of the P-signature scheme, the PRF, and the Groth-Sahai NIZK proof system.

In the full version we provide a proof and a performance analysis of our scheme.

Acknowledgements. Belenkiy, Chase, and Lysyanskaya acknowledge the support of NSF grants 0831293, 0627553, and 0347661. Markulf Kohlweiss was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government, by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy), and in part by the European Commission through the ICT and IST programmes under the following contracts: ICT-216483 PRIMELIFE, ICT-216676 ECRYPT II, and IST-015964 AEOLUS.

References

[BB04a] Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)

[BB04b] Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)

[BCC+09] Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS. Springer, Heidelberg (2009)

[BCKL08] Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)

[BFM88] Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC 1988, Chicago, Illinois, May 2-4, pp. 103–112 (1988)

[BG90] Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, Heidelberg (1990)

[BGN05] Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)

[Bou00] Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)

[Bra93] Brands, S.: An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI (April 1993)

[BW07] Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)

[CCS08] Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)

[CFN90] Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, Heidelberg (1990)

[Cha83] Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO 1982, pp. 199–203. Plenum Press, New York (1999)

[CHK+06] Camenisch, J., Hohenberger, S., Kohlweiss, M., Lysyanskaya, A., Meyerovich, M.: How to win the clonewars: efficient periodic n-times anonymous authentication. In: CCS 2006, pp. 201–210. ACM Press, New York (2006)

[CHL05] Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005)

[CKW04] Camenisch, J., Koprowski, M., Warinschi, B.: Efficient blind signatures without random oracles. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 134–148. Springer, Heidelberg (2005)

[CL07] Chase, M., Lysyanskaya, A.: Simulatable VRFs with applications to multi-theorem NIZK. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 303–322. Springer, Heidelberg (2007)

[CLM07] Camenisch, J., Lysyanskaya, A., Meyerovich, M.: Endorsed e-cash. In: IEEE Symposium on Security and Privacy, pp. 101–115 (2007)

[Coo71] Cook, S.A.: The complexity of theorem-proving procedures. In: STOC 1971, pp. 151–158. ACM, New York (1971)

[CP93] Chaum, D., Pedersen, T.P.: Transferred cash grows in size. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 390–407. Springer, Heidelberg (1993)

[CS97a] Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)

[CS97b] Camenisch, J., Stadler, M.: Proof systems for general statements about discrete logarithms. Technical Report TR 260, Institute for Theoretical Computer Science, ETH Zurich (March 1997)

[CS98] Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)

[Dam00] Damgård, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000)

[Dam02] Damgård, I.: On Σ-protocols (2002), http://www.daimi.au.dk/~ivan/Sigma.ps

[DDN91] Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract). In: STOC 1991, pp. 542–552 (1991)

[DY05] Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005)

[FS87] Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)

[FST06] Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/

[FTY96] Frankel, Y., Tsiounis, Y., Yung, M.: Indirect discourse proofs: Achieving efficient fair off-line E-cash. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 286–300. Springer, Heidelberg (1996)

[FY92] Franklin, M., Yung, M.: Towards provably secure efficient electronic cash. Technical Report TR CUSC-018-92, Columbia University, Dept. of Computer Science (April 1992); Also in: Lingas, A., Carlsson, S., Karlsson, R. (eds.) ICALP 1993. LNCS, vol. 700. Springer, Heidelberg (1993)

[GK03] Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS 2003, pp. 102–115. IEEE Computer Society Press, Los Alamitos (2003)

[GO92] Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zero-knowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993)

[GS07] Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups (2007), http://eprint.iacr.org/2007/155

[JLO97] Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures (extended abstract). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997)

[JS07] Jarecki, S., Shmatikov, V.: Efficient two-party secure computation on committed inputs. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 97–114. Springer, Heidelberg (2007)

[MRV99] Micali, S., Rabin, M., Vadhan, S.: Verifiable random functions. In: FOCS 1999, pp. 120–130. IEEE Computer Society Press, Los Alamitos (1999)

[RS92] Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)

[Sah99] Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS 1999, pp. 543–553. IEEE Computer Society Press, Los Alamitos (1999)

[SPC95] Stadler, M., Piveteau, J.-M., Camenisch, J.: Fair blind signatures. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 209–219. Springer, Heidelberg (1995)

[STS99] Sander, T., Ta-Shma, A.: Auditable, anonymous electronic cash (extended abstract). In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 555–572. Springer, Heidelberg (1999)

[Tro05] Trolin, M.: A universally composable scheme for electronic cash. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 347–360. Springer, Heidelberg (2005)

[TS06] Teranishi, I., Sako, K.: k-times anonymous authentication with a constant proving cost. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 525–542. Springer, Heidelberg (2006)

[Tsi97] Tsiounis, Y.S.: Efficient Electronic Cash: New Notions and Techniques. Ph.D. thesis, Northeastern University, Boston, Massachusetts (1997)


Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Georg Fuchsbauer and David Pointcheval

École normale supérieure, LIENS - CNRS - INRIA, Paris, France
http://www.di.ens.fr/{~fuchsbau,~pointche}

Abstract. We give a generic methodology to unlinkably anonymize cryptographic schemes in bilinear groups using the Boneh-Goh-Nissim cryptosystem and NIZK proofs in the line of Groth, Ostrovsky and Sahai. We illustrate our techniques by presenting the first instantiation of anonymous proxy signatures (in the standard model), a recent primitive unifying the functionalities and strong security notions of group and proxy signatures. To construct our scheme, we introduce various efficient NIZK and witness-indistinguishable proofs.

1 Introduction

One of the major concerns of modern cryptography is anonymity. Group signatures [CvH91] for example allow members to sign on behalf of a group while remaining anonymous. Other concepts to which anonymity is central are hierarchical group signatures [TW05], identity escrow [KP98] and anonymous credentials [Cha85], to mention only a few. The main issue of these concepts is to demonstrate that a user is entitled to perform a certain task, while not revealing anything about his identity. Zero-knowledge proofs provide the means to do so: prove something without leaking any further information. In particular, non-interactive zero-knowledge (NIZK) proofs [BFM88] have enjoyed numerous applications to achieve anonymity.

Substantial progress has been made in recent years in making NIZK proofs efficient and thus applicable to practical schemes: Groth et al. [GOS06b] show how to efficiently non-interactively prove that a BGN-ciphertext [BGN05] (cf. Sect. 2) encrypts 0 or 1. Although conceived for purely theoretical purposes, their techniques were used by Boyen and Waters in [BW06] to construct compact group signatures, which they improve in [BW07].

In a different line of research—which has been unified with the one based on BGN in [GS08]—Groth et al. [GOS06a] based NIZK proofs on a commitment scheme building on linear encryption [BBS04]. The latter is an extension of ElGamal encryption to bilinear groups¹ and is semantically secure under the decisional linear assumption (DLIN). Keys for GOS-commitments are basically linear encryptions of either 0 or 1, with the encrypted value determining whether the resulting commitments are perfectly hiding or perfectly binding. Since both types of keys are indistinguishable by DLIN, they inherit a computational version of the other's property from one another.

¹ The decisional Diffie-Hellman assumption (DDH), on which ElGamal relies, does not hold in symmetric bilinear groups.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 132–149, 2009. © Springer-Verlag Berlin Heidelberg 2009

This scheme has given rise to a multitude of practical NIZK proof systems (see e.g. the full version of [Gro06] for an impressive demonstration of its power), practical implementations of fully-secure group signatures [Gro07] without random oracles [BR93], as well as the introduction of new primitives such as non-interactive anonymous credentials in [BCKL08].

Our Contributions. All the above analyses required ad-hoc security proofs. When extending anonymity to more complex protocols, these proofs quickly become too intricate—unless one manages to provide a generic way to anonymize a large class of proofs. Such a generic anonymization is our first contribution; we generalize the ideas of [BW06, BW07] to BGN-encrypt proofs (and in particular signatures) and prove validity of the encrypted values, for the following category of schemes: the relations checked by the verification algorithm are equations consisting exclusively of products of pairings. (Actually, this is the case for most signature schemes in bilinear groups such as Boneh-Boyen's short signatures [BB04] or Waters' scheme [Wat05].)

We give a methodology to construct proofs demonstrating that encrypted values satisfy certain relations, and show that these proofs do not leak information on the plaintexts, nor additional relations about the plaintexts—providing thus anonymity (unlinkability and untraceability). Moreover, given a set of ciphertexts and a corresponding proof, then without knowledge of the plaintexts, one can re-encrypt (or re-randomize) the ciphertexts and adapt the proof to the new encryptions. In particular, re-randomizations of two sets of ciphertexts and proofs are indistinguishable. This yields a generic method to anonymize schemes in an unlinkable way, such as group signatures ("full anonymity" of the schemes in [BW06] and [BW07] is an immediate consequence of our results), fair contract signing [ASW00], or verifiable encryption [BGLS03], as shown in Sect. 3.2. Since we use encryption to achieve anonymity, the decryption key provides a trapdoor to revoke anonymity in case of abuse, as required by primitives such as group signatures.

In order to illustrate our methodology and to demonstrate its power, our second contribution is the first concrete implementation of anonymous proxy signatures in the standard model. This primitive was recently introduced by Fuchsbauer and Pointcheval [FP08a], who while giving practical applications merely prove theoretical feasibility. It merges group signatures with proxy signatures [MUO96], generalizing the strong security notions of both (in particular, [BMW03, BSZ05] for group signatures and [BPW03] for proxy signatures). Proxy signatures allow consecutive delegation of signing rights while publicly providing the identities of the delegators and the signer with the signed document. Anonymous proxy signatures require that these identities remain hidden: nobody can tell who actually signed or re-delegated, but still anyone can verify that the proxy signer was indeed entitled (via a chain of delegations) to do so. Traceability, i.e. the fact that an authority can revoke anonymity, deters from misuse.


We slightly simplify the model of [FP08a], in that we consider one general opener (instead of having each user choose his own) and anonymity against adversaries without opening oracles (CPA-anonymity [BBS04], a common notion for practical standard-model group signature schemes). Furthermore, we introduce a maximal number of possible delegations. We emphasize that this variant still directly yields dynamic hierarchical group signatures satisfying non-frameability (i.e., the group manager cannot produce signatures that open to a user), while [BW07] only consider the static and non-hierarchical case where the group manager knows every member's secret key.

Overview. We recall some results from the literature on pairing-based cryptography in Sect. 2 and present our methodology in Sect. 3. Before presenting our full scheme in Sect. 5, we mainly focus on constructing a (non-anonymous) scheme for consecutive signature delegations (Sect. 4) to which our methodology can then readily be applied. Its main building block is a signature scheme secure against existential forgeability under chosen message attacks (EUF-CMA) [GMR88], capable of signing public keys for the scheme itself, and whose verification procedure falls in a certain class. The security of the scheme relies on a new assumption presented in Sect. 4.3. The scheme uses a zero-knowledge proof of knowledge [DP92], which we introduce in Sect. 4.2 and of which we sketch an instantiation in Sect. 6. In order to achieve the strong security notions, we design the proof system to satisfy weak simulation soundness, a relaxation of the concept introduced by Sahai [Sah99].

2 Preliminaries

We briefly recapitulate the employed concepts from the literature and refer to the cited works for more details. A (symmetric) bilinear group is a tuple (n, G, G_T, e(·, ·), g) where G and G_T are two cyclic groups of order n and g is a generator of G. Furthermore, e(·, ·) is a non-degenerate bilinear map G × G → G_T, i.e. ∀ u, v ∈ G ∀ a, b ∈ Z : e(u^a, v^b) = e(u, v)^{ab}, and e(g, g) is a generator of G_T.

The Subgroup Decision Assumption and BGN-Encryption [BGN05]. Let the group order |G| = n = pq be a product of two primes p and q. The subgroup decision assumption (SD) states that no probabilistic polynomial-time (p.p.t.) adversary not knowing the factorization of n can with non-negligible probability distinguish a random element of G from a random element of G_q, the subgroup of order q.

The subgroup decision assumption implies semantic security of the following encryption scheme: The public key is the bilinear group (not revealing the factors of its order) and an element h ∈ G_q. The secret key is q, i.e. the factorization of the group order. To encrypt a message m ∈ {0, . . . , T}, with T < p, choose r ← Z_n and compute the ciphertext C := g^m h^r. Since h is of order q, we have C^q = (g^m h^r)^q = (g^q)^m, so m can be recovered by computing log_{g^q} C^q = m.
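As an added example (not code from the paper), the BGN scheme just described with toy parameters: a composite-order subgroup G of Z_P^* with |G| = n = pq for constructed small primes p = 11, q = 13 and a prime P = 859 with n | P − 1 (the pairing plays no role in encryption or decryption, so none is needed here). Decryption raises the ciphertext to q to kill the h^r component and then brute-forces the small discrete logarithm in base g^q. The block also shows the C · h^ρ re-randomization that Lemma 1 below applies to ciphertexts (X̄_i = X_i H^{ρ_i} with H ∈ G_q) and the additive homomorphism of BGN ciphertexts, a property of [BGN05] that the passage does not spell out.

```python
"""Toy BGN encryption [BGN05] in a composite-order subgroup of Z_P^* (constructed example)."""
import secrets

# Constructed toy parameters: small primes p, q, n = p*q, and a prime P with n | P - 1,
# so Z_P^* contains a cyclic subgroup G of order n. Here 859 = 6 * 143 + 1.
p, q = 11, 13
n = p * q
P = 859

def find_generator():
    """Return a generator of the order-n subgroup G of Z_P^*."""
    cofactor = (P - 1) // n
    for x in range(2, P):
        g = pow(x, cofactor, P)                 # the order of g divides n = p*q
        if pow(g, p, P) != 1 and pow(g, q, P) != 1:
            return g                            # order is neither 1, p nor q, hence exactly n
    raise ValueError("no generator found")

def keygen():
    """Public key: a generator g and a random h in G_q = <g^p>. Secret key: q (the factorization)."""
    g = find_generator()
    h = pow(pow(g, p, P), 1 + secrets.randbelow(q - 1), P)
    return (g, h), q

def encrypt(pk, m, r=None):
    """C := g^m h^r with r <- Z_n, for a message m in {0, ..., T} with T < p."""
    g, h = pk
    if not 0 <= m < p:
        raise ValueError("message out of range")
    if r is None:
        r = secrets.randbelow(n)
    return pow(g, m, P) * pow(h, r, P) % P

def decrypt(pk, sk_q, C):
    """C^q = (g^m h^r)^q = (g^q)^m because h has order q; recover m = log_{g^q} C^q by a scan."""
    g, _ = pk
    gq, Cq = pow(g, sk_q, P), pow(C, sk_q, P)
    for m in range(p):                          # the message space is tiny, so a linear scan suffices
        if pow(gq, m, P) == Cq:
            return m
    return None

def rerandomize(pk, C, rho=None):
    """C * h^rho is a fresh encryption of the same plaintext (the X_i H^{rho_i} step with H in G_q)."""
    _, h = pk
    if rho is None:
        rho = secrets.randbelow(n)
    return C * pow(h, rho, P) % P

def add_ciphertexts(C1, C2):
    """g^{m1} h^{r1} * g^{m2} h^{r2} = g^{m1+m2} h^{r1+r2}: multiplying ciphertexts adds plaintexts."""
    return C1 * C2 % P
```

Any element of G_q decrypts to 0, which is the observation behind the hiding keys in the GOS commitment scheme recalled below: a "commitment" that is a random encryption of the identity carries no information about the message.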

The Decisional Linear Assumption and Linear Encryption [BBS04]. Let (p, G, G_T, e) be a bilinear group; let f, h, g be generators of G. We call a triple (c1, c2, c3) ∈ G³ linear w.r.t. the basis (f, h, g) iff there exist r, s ∈ Z_p such that c1 = f^r, c2 = h^s, c3 = g^{r+s}. The decisional linear assumption (DLIN) states that no p.p.t. adversary can distinguish random linear triples w.r.t. a random basis from random triples; that is, given (g, g^x, g^y, g^{xr}, g^{ys}) for random x, y, r, s, it is hard to distinguish g^{r+s} from a uniformly random element in G.

Assuming DLIN, the following encryption scheme is secure: Choose a secret key (x, y) ← (Z*_p)² and publish pk := (f := g^x, h := g^y, g). To encrypt a message m ∈ G, choose r, s ← Z_p and compute Enc(pk, m; (r, s)) := (f^r, h^s, m g^{r+s}). Any (u, v, w) can be decrypted by computing u^{−x^{−1}} v^{−y^{−1}} w = g^{−r} g^{−s} m g^{r+s} = m.

GOS-Commitments [GOS06a]. The following homomorphic commitment scheme is based on linear encryption: The commitment key is a public key for linear encryption (f, h, g) and a triple (u, v, w) which is an encryption of either 1 or g (i.e., (f^{r_u}, h^{s_v}, g^{r_u+s_v}) or (f^{r_u}, h^{s_v}, g^{r_u+s_v+1}) for random r_u, s_v ∈ Z_p). The first leads to a perfectly hiding key, while the latter constitutes a perfectly binding key. Now Com((f, h, g, u, v, w), m; (r, s)) := (u^m f^r, v^m h^s, w^m g^{r+s}) is a commitment to m ∈ Z_p for random r, s. Note that for perfectly hiding keys, for any message m this is a random encryption of 0, while in the binding case it encrypts g^m.
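The linear encryption scheme and the GOS commitments of the two preceding paragraphs, as one added example (not the papers' code) in a prime-order subgroup of Z_P^* with constructed parameters P = 1019, Q = 509, G = 4; Q plays the role of p and no pairing is needed for what is shown. The block checks the decryption identity u^{−1/x} v^{−1/y} w = m, then shows the two kinds of commitment keys: under a binding key a commitment decrypts to g^m, so two commitments to different messages can never coincide, while under a hiding key every commitment decrypts to the identity and the key's randomness (r_u, s_v) acts as a trapdoor that opens any commitment to any message (the `equivocate` function is the added demonstration of perfect hiding, not a procedure from the text).

```python
"""Toy linear encryption [BBS04] and GOS commitments [GOS06a] (constructed example, no pairing)."""
import secrets

# Constructed toy group: safe prime P = 2Q + 1, G generates the order-Q subgroup of Z_P^*.
P, Q, G = 1019, 509, 4

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)          # uniform in Z_Q^*

def keygen():
    """Secret key (x, y) <- (Z_Q^*)^2, public key (f, h, g) = (g^x, g^y, g)."""
    x, y = rand_exp(), rand_exp()
    return (pow(G, x, P), pow(G, y, P), G), (x, y)

def lin_encrypt(pk, m, r=None, s=None):
    """Enc(pk, m; (r, s)) = (f^r, h^s, m * g^{r+s}) for a group element m."""
    f, h, g = pk
    r = rand_exp() if r is None else r
    s = rand_exp() if s is None else s
    return (pow(f, r, P), pow(h, s, P), m * pow(g, r + s, P) % P)

def lin_decrypt(sk, c):
    """u^{-1/x} * v^{-1/y} * w = g^{-r} * g^{-s} * m * g^{r+s} = m."""
    x, y = sk
    u, v, w = c
    inv_x, inv_y = pow(x, -1, Q), pow(y, -1, Q)
    return pow(u, (-inv_x) % Q, P) * pow(v, (-inv_y) % Q, P) * w % P

def gos_key(pk, binding, ru=None, sv=None):
    """Commitment key (f, h, g, u, v, w): (u, v, w) encrypts g (binding key) or the identity 1 (hiding key).
    The encryption randomness (ru, sv) is returned as well; for a hiding key it is the trapdoor."""
    f, h, g = pk
    ru = rand_exp() if ru is None else ru
    sv = rand_exp() if sv is None else sv
    u, v, w = lin_encrypt(pk, g if binding else 1, ru, sv)
    return (f, h, g, u, v, w), (ru, sv)

def commit(ck, m, r=None, s=None):
    """Com(ck, m; (r, s)) = (u^m f^r, v^m h^s, w^m g^{r+s}) for m in Z_Q. Returns (commitment, opening)."""
    f, h, g, u, v, w = ck
    r = rand_exp() if r is None else r
    s = rand_exp() if s is None else s
    c = (pow(u, m, P) * pow(f, r, P) % P,
         pow(v, m, P) * pow(h, s, P) % P,
         pow(w, m, P) * pow(g, r + s, P) % P)
    return c, (r, s)

def equivocate(trapdoor, m, opening, m_new):
    """Hiding key only: (r', s') with Com(m_new; r', s') == Com(m; r, s).
    With u = f^ru, v = h^sv, w = g^{ru+sv}, shifting r by ru*(m - m_new) and s by sv*(m - m_new) does it."""
    ru, sv = trapdoor
    r, s = opening
    return ((r + ru * (m - m_new)) % Q, (s + sv * (m - m_new)) % Q)
```

The decryption key (x, y) is what separates the two key types for the holder of the trapdoor: it reads g^m out of a binding-key commitment and the identity out of a hiding-key commitment, whereas anyone without it faces the DLIN instance that makes the two keys indistinguishable.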

3 The Leak-Tightness Lemma

In [BW07], Boyen and Waters use the following strategy to construct efficient group signatures without random oracles: First, they construct two-level hierarchical signatures (a.k.a. certified signatures) that satisfy unforgeability ("traceability"), such that signatures consist of group elements only and can be verified by checking pairing-product equations (cf. Lemma 1). They then convert the scheme into a group signature scheme, obtaining anonymity by BGN-encrypting the signature components and adding proofs for the plaintexts satisfying the verification equations. Considerable effort is then dedicated to showing that their specific proofs do not leak information on the plaintexts.

In fact, as shown by the following lemma, proofs of this kind generally do not leak any additional information on the encrypted values. Thus, full anonymity of [BW06] and [BW07] follows immediately from the lemma. We first state the—somewhat technical—results and clarify their relevance in the subsequent discussion.

Lemma 1 (Leak tightness). Let (n, G, G_T, e, g) be a bilinear group, and let a_j, b_j ∈ G, δ_{j,i}, ε_{j,i} ∈ Z_n for 1 ≤ j ≤ ℓ, 1 ≤ i ≤ m. Let (X_i)_{i=1}^m ∈ G^m satisfy a pairing-product equation E_{(a_j,b_j)_j}, that is

$$
E_{(a_j,b_j)_j}(X_1,\ldots,X_m):\qquad
\prod_{j=1}^{\ell} e\Big(a_j \prod_{i=1}^{m} X_i^{\delta_{j,i}},\; b_j \prod_{i=1}^{m} X_i^{\varepsilon_{j,i}}\Big) = 1 .
$$

1. Let H ∈ G and (ρ_i)_{i=1}^m ∈ Z_n^m. Then X̄_i := X_i H^{ρ_i} for 1 ≤ i ≤ m satisfy

$$
\prod_{j} e\Big(a_j \prod_{i} \bar X_i^{\delta_{j,i}},\; b_j \prod_{i} \bar X_i^{\varepsilon_{j,i}}\Big)
= e\big(H,\; P_E((\bar X_i),(\rho_i))\big), \tag{$\bar E$}
$$

where

$$
P_E((\bar X_i),(\rho_i)) := \prod_{j} \Big(
\big(a_j \textstyle\prod_i \bar X_i^{\delta_{j,i}}\big)^{\sum_i \varepsilon_{j,i}\rho_i}\,
\big(b_j \textstyle\prod_i \bar X_i^{\varepsilon_{j,i}}\big)^{\sum_i \delta_{j,i}\rho_i}\,
H^{-(\sum_i \delta_{j,i}\rho_i)(\sum_i \varepsilon_{j,i}\rho_i)} \Big) .
$$

2. Given (X_i) and (X′_i) both satisfying E, and (ρ_i), (ρ′_i) such that for all 1 ≤ i ≤ m: X_i H^{ρ_i} = X′_i H^{ρ′_i}, then P_E((X̄_i), (ρ_i)) = P_E((X̄′_i), (ρ′_i)), where X̄_i = X_i H^{ρ_i} and X̄′_i = X′_i H^{ρ′_i} denote the (equal) randomized values.

3. Let |G| = pq, let a_j, b_j, X_i ∈ G_p and c_j, d_j, Y_i ∈ G_q for all i, j. If (X_i) satisfy E_{(a_j,b_j)_j} and (Y_i) satisfy E_{(c_j,d_j)_j}, then (X_i Y_i) satisfy E_{(a_j c_j, b_j d_j)_j}.

4. Let furthermore H ∈ G_q and θ ∈ N be such that θ ≡ 1 (mod p) and θ ≡ 0 (mod q). If (X̄_i) ∈ G satisfy Ē_{(a_j c_j, b_j d_j)_j} for some P_E, then (X̄_i^θ) satisfy E_{(a_j,b_j)_j}.

See the full version [FP08b] for the proof. We give a brief description of the lemma's content: Let (X_i) be a vector of group elements satisfying relation E; think of the X_i's as components of a digital signature and E being the verification relation. If H ∈ G_q then X̄_i as defined in (1) is a BGN-encryption of X_i using randomness ρ_i. Given (X̄_i), the element P_E can be seen as a proof that the plaintexts in (X̄_i) satisfy E, which is verified by checking Ē.

While (1) states that every proof constructed as described passes verification, (4) ensures soundness: if there exists a P_E such that (X̄_i) and P_E satisfy Ē in G, then their projections (X̄_i^θ) into G_p satisfy E in G_p. We will use this fact to reduce a forgery in an "anonymized" scheme in G to a forgery in an underlying scheme in G_p; in [BW06] for example a forged group signature is translated to a forgery of a certified signature this way.

If we have equations E_{(a_j,b_j)_j} in G_p and E_{(c_j,d_j)_j} in G_q, and values (X_i), (Y_i) satisfying them respectively, then their products satisfy equation E_{(a_j c_j, b_j d_j)_j} in G due to (3), which will be useful in our simulations.

Now the main result is (2): Assume H ∈ G, rather than in G_q, which is indistinguishable by the subgroup decision (SD) assumption. In this case each X̄_i is perfectly random: Given an "encryption" X̄_i, then for any potential plaintext X_i there exists randomness ρ_i := log_H(X̄_i/X_i) leading to X̄_i. Now, (2) states that given (X̄_i), any vector of such pairs of plaintexts/randomness (X_i, ρ_i)_{i=1}^m "explaining" (X̄_i) leads to exactly the same proof P_E, which means that the proof leaks no information on the plaintext.

Remark 1 (Unlinkably re-randomizing randomized values). Consider a vector (X_i) satisfying E, but with right-hand side e(H, P′) instead of 1. Again, let X̄_i := X_i H^{ρ_i} for all i. Then (X̄_i) satisfies E with e(H, P′ · P_E((X̄_i), (ρ_i))) as right-hand side. So, given a proof P for randomized (X_i) satisfying E, one can re-randomize the (X_i) using fresh ρ′_i and adapt the proof (without knowledge of the plaintexts!) by setting P_new := P · P_E((X̄_i), (ρ′_i)). If ((X_i), P) and ((Y_i), P′) both satisfy E, then their re-randomizations are indistinguishable by SD and Lemma 1(2).

Page 145: Pairing-Based Cryptography - Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings (Lecture Notes in Computer Science Security and Cryptology)

Proofs on Encrypted Values in Bilinear Groups 137

3.1 The Waters Signature Scheme

We review the scheme from [Wat05] to sign messages $M = (M_1, \dots, M_m) \in \{0,1\}^m$, which will be used several times in the remainder of the paper.

Setup. Choose a bilinear group $(n, G, G_T, e, g)$. The parameters are $g_2 \leftarrow G^*$ and a vector $\vec u := (u_0, u_1, \dots, u_m) \leftarrow G^{m+1}$. Choose a secret key $x \leftarrow \mathbb{Z}_m$, and define the public key as $X := g^x$. For convenience, we define the following function $F(M) := \prod_{i=1}^m u_i^{M_i}$.

Signing. Choose $r \leftarrow \mathbb{Z}_p$ and define the signature as $\sigma := (g_2^x (u_0 F(M))^r,\ g^{-r})$.

Verification. A signature $\sigma = (\sigma_1, \sigma_2)$ is accepted for a message $M$ iff

$e(\sigma_1, g)\, e(u_0 F(M), \sigma_2) = e(g_2, X)$.

Security. euf-cma follows from hardness of the computational Diffie-Hellman assumption (cdh) in the underlying group.

3.2 Applying Lemma 1 to Construct Verifiable Encryption

To exemplify our techniques, we construct a verifiable-encryption scheme in the standard model, which we only sketch due to space limitations. Suppose we want to encrypt a signature and prove that the plaintext satisfies the signature verification relation. Lemma 1 lets us do so if the verification procedure consists merely of verifying pairing-product equations, as is the case for Waters' scheme. Moreover, if the signatures are euf-cma then a similar property holds for encryption/proof pairs: Even after querying such pairs for messages of its choice, no adversary can produce a valid pair for a new message.

We construct a scheme ES for encrypted signatures: Given a plain signature in scheme S, independently bgn-encrypt all its components and add a proof $P_E$ for each verification equation $E$, as defined in Lemma 1(1). Indistinguishability of the hidden elements follows from the sd assumption combined with (2): Replacing $H \in G_q$ by a random element from the entire group $G$ is indistinguishable by sd. Now the encryptions are perfectly random and the proofs do not reveal any information either; every hypothesis $(X_i)$ on the plaintexts of $(\bar X_i)$ leads to the same proof.

Unforgeability of ES is inherited from scheme S defined in subgroup $G_p$: Lemma 1(3) allows us to simulate all oracle queries and (4) lets us transform a forgery in ES to a forgery in S; more precisely: Given an adversary $\mathcal A$ against ES in $G$, we construct $\mathcal B$ against S in $G_p$ as follows: After receiving the parameters of S, $\mathcal B$ produces parameters and the public key for a twin instance TS of S, but in subgroup $G_q$ (knowing thus the secret key). Then $\mathcal B$ constructs scheme ES in $G$ whose parameters are the products of those of S and TS.

138 G. Fuchsbauer and D. Pointcheval

Whenever $\mathcal A$ performs an oracle query, $\mathcal B$ splits all involved group elements (if any) into their components in $G_p$ (by raising them to the $\theta$-th power as in (4)) and their components in $G_q$ by raising them to the power of $\theta_q$, with $\theta_q \equiv 0 \pmod p$ and $\theta_q \equiv 1 \pmod q$. The $p$-parts are submitted to $\mathcal B$'s own oracle, while the action on the $q$-parts can be performed by $\mathcal B$ itself. The two results are then combined to a solution in $G$ by multiplying them component-wise. (3) guarantees validity as the products satisfy the equations in group $G$ when both components satisfy the equations in their respective subgroups. Finally, a forgery returned by $\mathcal A$ can be translated to one for S, again via (4), giving $\mathcal B$ the same success probability as $\mathcal A$.

To further illustrate our methodology, we give an instantiation of "anonymous proxy signatures". We first construct a (non-anonymous) delegation scheme whose verification relations satisfy the requirements of Lemma 1. To instantiate the generic concept of such a scheme, the most important tool is the following: a Lemma-1-compatible euf-cma-secure signature scheme, where the messages to be signed are vectors of public keys of the scheme itself.² This is the main difference to previous certified-signature schemes (on which group signatures build), where the certification and the signature itself are not based on the same mechanism, excluding thus consecutive delegation. In order to motivate our proceeding we briefly review the notions from [FP08a] in the next section.

3.3 Definition and Security of Anonymous Proxy Signatures

In an anonymous proxy signature scheme, there are the following protagonists: The issuer enrolls users in the system, the users can delegate and sign on behalf of other users, and the opener is able to trace the hidden delegators and the signer from a proxy signature in case of misuse.

The scheme consists of 7 algorithms: Setup produces the public parameters, the issuer's secret key and the opening key. Algorithm UKGen is run by the users in order to produce a key pair, the public key of which is registered by the issuer running Enroll. A user can delegate her signing rights by producing a warrant with Dlg taking as input her secret key and the delegatee's public key. Dlg also provides the possibility to re-delegate when given a warrant as additional argument. Now using a warrant, users can "proxy sign" messages running PSig, whereas the resulting signatures are verifiable via PVer using the first ("original") delegator's public key only. Algorithm Open allows the opener holding the opening key to reveal the delegators and the signer.

We overview the required security notions and refer to the full version or [FP08a] for the rigorous definitions:

Anonymity. The experiment for anonymity is the following: Consider an adversary getting the issuer's key and who in a first phase returns an original delegator's public key, two pairs consisting of a warrant and a secret key each, and a message. Now, flip a random bit and depending on the outcome give the adversary a signature produced using either the first or the second warrant/secret-key pair. Then as long as both warrants result from the same number of delegations and both lead to valid signatures, the adversary cannot decide the value of the flipped bit with probability more than a half.

² Note that we cannot simply hash the vector of messages and sign the hash value, as we will later encrypt the messages and prove that the signature is valid on the plaintexts.

Traceability. No adversary, after enrolling arbitrarily many users via an Enroll-oracle, can produce a signature which cannot be opened. Thus, every valid signature can be traced to registered users.

Non-Frameability. No adversary, even when colluding with the issuer and the opener, can frame honest users. More precisely, give the adversary all keys returned by Setup, and oracles to create honest users and ask delegations and signatures of them—or adaptively corrupt them by asking their secret key. Then the adversary is not able to produce a valid signature whose opening yields an honest user for a delegation or a signing he has not been queried for.

Remark 2. Remark 1 hints that our scheme actually achieves a stronger notion of anonymity where even to a delegatee the preceding delegators are anonymous.

4 A Consecutive Signature-Delegation Scheme

4.1 Overview

A Generic Construction. The issuer and each user create a key pair for an euf-cma-secure signature scheme. To enroll a user, the issuer signs her public key, creating thus a certificate sent to the user. If user $U_1$ wants to delegate $U_2$, she sends him a signature on her own and $U_2$'s public key, called warrant. To re-delegate to $U_3$, $U_2$ sends her his certificate $\mathrm{cert}_2$ received from the issuer, the warrant $\mathrm{warr}_{1\to 2}$ received from $U_1$, and $\mathrm{warr}_{1\to 2\to 3}$, a signature on $(\mathrm{pk}_1, \mathrm{pk}_2, \mathrm{pk}_3)$, the users' public keys. Now to sign a message $M$ on behalf of $U_1$, $U_3$ produces a signature $\sigma$ on $(\mathrm{pk}_1, \mathrm{pk}_2, \mathrm{pk}_3, M)$. The (non-anonymous) proxy signature is $\Sigma := (\mathrm{warr}_{1\to 2}, \mathrm{pk}_2, \mathrm{cert}_2, \mathrm{warr}_{1\to 2\to 3}, \mathrm{pk}_3, \mathrm{cert}_3, \sigma)$.

Remark 3 (Delegating for specific tasks only). The scheme can easily be extended, so that delegation of signing rights can be done for specific tasks only—as proposed by [FP08a]—as follows: When delegating, sign $(\mathrm{pk}_1, \dots, \mathrm{pk}_i, \mathrm{task})$ rather than the public keys only; likewise for proxy signing. The verification procedure takes the task tag as additional argument and the verification relations are adapted respectively.

Instantiation. We instantiate the generic scheme by choosing Waters' signature scheme (cf. Sect. 3.1) as euf-cma-secure scheme, which supports the hierarchical nature of the messages to be signed. Unfortunately, at the same time, this limits us to a fixed maximal number of delegations.

The messages in the Waters scheme are bit-strings, while we need to sign vectors of public keys (i.e., group elements) for the scheme itself. We solve this shortcoming as follows: Instead of signing public keys, we sign the bits of the private keys—which the signer should obviously not learn. We take thus advantage of the fact that Waters signatures can be computed and verified without knowledge of the message if its hash value $F = F(M) = \prod_{i=1}^m u_i^{M_i}$ is given instead. On the other hand, the assumption we introduce in Sect. 4.3 implies that the hash value hides enough information about the secret key. In particular, it states that the public key and the secret key's hash look unrelated.

The private key's hash value can be precomputed by its owner and then be used directly by the delegator to produce a signature. We define thus the following two functions:³

$\mathrm{FSig}(x, F) := (g_2^x (u_0 F)^r,\ g^{-r})$ for random $r \leftarrow \mathbb{Z}_p$,

$\mathrm{FVer}(X, F, (\sigma_1, \sigma_2)) = 1$ iff $e(\sigma_1, g)\, e(u_0 F, \sigma_2) = e(g_2, X)$.

Now we need to add a nizk proof of consistency of the hash with the corresponding public key, which we discuss in the next section. Anticipating, we note that the secret key must be extractable from such a proof, so we can reduce unforgeability of delegations (i.e., non-frameability) of our scheme to security of Waters signatures. We emphasize the fact that verifying the nizk proof must exclusively consist of checking pairing-product equations to be compatible with the Leak-Tightness Lemma.

4.2 ZK Proof of Equality of Logarithm and Hash Preimage

As mentioned above, in order to prove consistency of a public key $X = g^x$ with the hash value of its private key $F = F(x)$, in Sect. 6 we construct a zero-knowledge proof system $\Pi_{X\leftrightarrow F}$ for np-relation

$R_{X\leftrightarrow F} := \{((X, F), x) \mid X = g^x,\ F = F(x)\}$.

The np-language $L_{X\leftrightarrow F}$ defined by it is then indistinguishable from $G^2$ by the xf-assumption given in the next section. We require $\Pi_{X\leftrightarrow F}$ to have the following properties:

– Verification of a proof consists of checking pairing-product equations.

– The proof is a proof of knowledge at the same time, i.e., we can extract witness $x$. Furthermore, extraction must be efficient and consequently cannot rely on rewinding techniques.

– We can simulate proofs for any (possibly false) statements $(g^{x_1}, F(x_2))$ without knowledge of $(x_1, x_2)$.

– Even after seeing a simulated proof of a random (not necessarily true) statement, no adversary can produce a proof for a false statement; in addition, from every valid proof, the witness can still be extracted. This property, defined below, is a relaxation of the standard notion of simulation soundness where it is the adversary that chooses the statement to be simulated.

³ Note that FSig, FVer do not constitute a secure signature scheme on their own; a successful forgery must include the message's bits $(M_i)_{i=1}^m$ s.t. $F = F(\dots, M_i, \dots)$ in order to be reducible to cdh.


A nizk proof of knowledge is a tuple $(K, P, V, \mathrm{Sim}_1, \mathrm{Sim}_2, \mathrm{Ext})$, where $K$ generates the common reference string (crs) crs and $P$ produces proofs that are verified via $V$. Simulator $\mathrm{Sim}_1$ outputs a crs, a trapdoor tr which allows $\mathrm{Sim}_2$ to simulate proofs, and an extraction key ek, used by Ext to extract the witness.

Definition 2. A proof of knowledge $\Pi = (K, P, V, \mathrm{Sim}_1, \mathrm{Sim}_2, \mathrm{Ext})$ for np-language $L$ is weakly simulation sound if for every p.p.t. $\mathcal A$ the following probability is negligible in the security parameter $\lambda$:

$\Pr[(\mathrm{crs}, \mathrm{tr}, \mathrm{ek}) \leftarrow \mathrm{Sim}_1(1^\lambda);\ y \leftarrow L \cup \bar L;\ \pi \leftarrow \mathrm{Sim}_2(\mathrm{tr}, y);\ (y^*, \pi^*) \leftarrow \mathcal A(\mathrm{crs}, (y, \pi));\ w^* \leftarrow \mathrm{Ext}(\mathrm{ek}, (y^*, \pi^*)) :\ y^* \neq y \wedge (y^*, w^*) \notin R_L \wedge V(\mathrm{crs}, y^*, \pi^*) = 1]$

Weak simulation soundness (wss) is implied by the following strengthening of zero-knowledge, where the adversary trying to distinguish between a real and a simulated proof is now provided with an extraction oracle.

Definition 3. A proof of knowledge $\Pi = (K, P, V, \mathrm{Sim}_1, \mathrm{Sim}_2, \mathrm{Ext})$ is extraction zero knowledge if for every p.p.t. adversary $\mathcal A = (\mathcal A_1, \mathcal A_2)$ we have:

$\bigl|\Pr[\mathrm{Exp}^{\mathrm{zk}}_{\Pi,\mathcal A}(\lambda) = 1] - \Pr[\mathrm{Exp}^{\mathrm{zk\text{-}S}}_{\Pi,\mathcal A}(\lambda) = 1]\bigr| = \mathrm{negl}(\lambda)$,

with

$\mathrm{Exp}^{\mathrm{zk}}_{\Pi,\mathcal A}(\lambda)$:
  $(\mathrm{crs}, \mathrm{ek}) \leftarrow K(1^\lambda)$
  $(y, w, \mathrm{st}) \leftarrow \mathcal A_1(\mathrm{crs} : \mathrm{Ext}(\mathrm{ek}, \cdot, \cdot))$
  $\pi \leftarrow P(\mathrm{crs}, y, w)$
  $b \leftarrow \mathcal A_2(\mathrm{st}, \pi : \mathrm{Ext}(\mathrm{ek}, \cdot, \cdot))$

$\mathrm{Exp}^{\mathrm{zk\text{-}S}}_{\Pi,\mathcal A}(\lambda)$:
  $(\mathrm{crs}, \mathrm{ek}, \mathrm{tr}) \leftarrow \mathrm{Sim}_1(1^\lambda)$
  $(y, w, \mathrm{st}) \leftarrow \mathcal A_1(\mathrm{crs} : \mathrm{Ext}(\mathrm{ek}, \cdot, \cdot))$
  $\pi \leftarrow \mathrm{Sim}_2(\mathrm{crs}, \mathrm{tr}, y)$
  $b \leftarrow \mathcal A_2(\mathrm{st}, \pi : \mathrm{Ext}(\mathrm{ek}, \cdot, \cdot))$

Claim 1 (ezk implies wss). Let $L$ be a language which no p.p.t. adversary can decide with non-negligible probability; let $\Pi$ be an extraction-zero-knowledge proof of knowledge for $L$. Then $\Pi$ is weakly simulation sound.

Proof. Consider the following game:

Game 0: $(\mathrm{crs}, \mathrm{ek}) \leftarrow K(1^\lambda)$; $(y, w) \leftarrow R_L$; $\pi \leftarrow P(\mathrm{crs}, y, w)$; $(y^*, \pi^*) \leftarrow \mathcal A(\mathrm{crs}, (y, \pi))$; $w^* \leftarrow \mathrm{Ext}(\mathrm{ek}, (y^*, \pi^*))$; return 1 iff $y^* \neq y \wedge (y^*, w^*) \notin R_L \wedge V(\mathrm{crs}, y^*, \pi^*) = 1$

Soundness of $\Pi$ implies that $\mathcal A$ can win Game 0 with at most negligible probability. Now define Game 1 replacing $K$ and $P$ by $\mathrm{Sim}_1$ and $\mathrm{Sim}_2$, respectively. Games 0 and 1 are indistinguishable by ezk, since a distinguisher can perfectly simulate the games because of its extraction oracle. Finally, a distinguisher between Game 1 and the wss game would contradict the assumption on $L$ (neither game uses the witness $w$). □


4.3 The XF-Assumption

The xf-assumption basically states that for someone seeing a public key $X = g^x$ without knowing the secret key $x$, the hash $F(x)$ of the latter looks random. We will utilize this when reducing non-frameability of our delegation scheme to unforgeability of Waters signatures, where we will have to produce hashes corresponding to unknown secret keys. Proof system $\Pi_{X\leftrightarrow F}$ allows us to simulate the consistency proofs; however, replacing an element of $L_{X\leftrightarrow F}$ by one outside the language must be indistinguishable to guarantee simulation.

Moreover, having to simulate hash values for all delegation levels (cf. Sect. 4.4 for the details), we will generalize our assumption: Given $X = g^{x_0}$ and $\Lambda$ hash values $F_i = F_i(x_i)$, for different hash functions $F_i$, it is hard to tell whether all $x_i$'s are equal. Intuitively, the assumption states that values $F_i$ do not reveal more information about $x$ than $X$.

Definition 4. Let $\Lambda, m \in \mathbb N$, $(n, G, G_T, e, g) \leftarrow \mathcal G(1^\lambda)$ be a bilinear group, let $((u_{i,j})_{j=1}^m)_{i=1}^\Lambda \in G^{\Lambda\times m}$. We define the $i$th hash of $(x_1, \dots, x_m) \in \{0,1\}^m$:

$F_i(x_1, \dots, x_m) := \prod_{j=1}^m u_{i,j}^{x_j}$

We say the $(\Lambda, m)$–XF-Assumption holds for $\mathcal G$ if it is difficult to distinguish the np-language

$L_{X\leftrightarrow F} := \bigl\{(X, (F_i)_{i=1}^\Lambda) \in G^{\Lambda+1} \bigm| \exists\, x := (x_1, \dots, x_m) \in \{0,1\}^m :\ X = g^{\sum x_i 2^{i-1}} \wedge \bigwedge_{i=1}^{\Lambda} F_i = F_i(x)\bigr\}$

from $G^{\Lambda+1}$, that is, for all p.p.t. adversaries $\mathcal A$, the following function is negligible in $\lambda$:

$\bigl|\Pr[(n, G, G_T, e, g) \leftarrow \mathcal G(1^\lambda);\ \vec u \leftarrow G^{\Lambda\times m};\ x \leftarrow \{0,1\}^m :\ \mathcal A(n, G, G_T, e, g, \vec u, g^{\sum x_i 2^{i-1}}, \prod u_{1,i}^{x_i}, \dots, \prod u_{\Lambda,i}^{x_i}) = 1] - \Pr[(n, G, G_T, e, g) \leftarrow \mathcal G(1^\lambda);\ \vec u \leftarrow G^{\Lambda\times m};\ X, F_1, \dots, F_\Lambda \leftarrow G :\ \mathcal A(n, G, G_T, e, g, \vec u, X, F_1, \dots, F_\Lambda) = 1]\bigr|$

Note that the assumption satisfies Naor's falsifiability criterion [Nao03]. We give some more intuition on the assumption.

Comparison to DDH and DLIN. Consider the $(1, m)$–xf-Assumption in a group $G$ with $2^{\lambda-1} \le |G| < 2^\lambda$, and $m = \lambda - 1$: Given $(g, u_1, \dots, u_m, X, F)$, decide whether there exist $x_i \in S := \{0,1\}$, s.t. $X = g^{\sum x_i 2^{i-1}}$ and $F = \prod u_i^{x_i}$. If we set $m = 1$ and $S = \mathbb Z_{2^\lambda}$, we get ddh—which is easy in bilinear groups. However, case $m = 2$, $S = \mathbb Z_{2^{\lambda/2}}$ (i.e., $X = g^{x_1 + x_2 2^{\lambda/2}} \overset{?}{\Rightarrow} F = u_1^{x_1} u_2^{x_2}$) can already be considered hard, since it is implied by a variant of dlin, where $r, s$ are randomly chosen from a smaller set $S$: An instance $(Y = g^y, Z = g^z, R = g^{yr}, S = g^{zs}, T \in \{g^{r+s}, g^t\})$ of dlin with $r, s \in S$ can be decided by running the xf-decider on $(u_1 = Y, u_2 = Z, X = T, F = R \cdot S^{2^{\lambda/2}})$.


Now, if we continue the process of increasing $m$ while at the same time reducing the set of possible values for $x_i$, we end up with the xf-assumption.

Relation to the DL Problem with Auxiliary Information. Consider the problem of computing $x = \log X$ on input $(X, F) \in L_{\vec u}$, i.e., in addition to instance $X$, a hash value $F = F_{\vec u}(x) := \prod u_i^{x_i}$ of the logarithm is given. Suppose there exists an algorithm $\mathcal A$ that on input $(\vec u, X, F)$ decides whether $F = \prod u_i^{x_i}$ for $x := \log X$, thus breaking the xf-assumption. Then we can construct an algorithm $\mathcal B$ that given $(X, F) \in L_{\vec u}$ computes $x = \log X$: For $1 \le i \le m$, choose random $u_i^*$ and run $\mathcal A$ on $(U_i := (u_1, \dots, u_{i-1}, u_i^*, u_{i+1}, \dots, u_m), X, F)$. If $x_i = 0$, then $(X, F) \in L_{U_i}$, whereas this is only the case with negligible probability if $x_i = 1$. $\mathcal B$ can thus extract $x$ bit-by-bit.

4.4 Implementation of the Delegation Scheme DS

Based on the ideas from Sect. 4.1, we give implementations of the algorithms introduced in Sect. 3.3 in Fig. 1 (where $\lambda$ is the security parameter and $\Lambda - 1$ is the maximum delegation "depth", that is, the number of possible delegations from the original delegator to the proxy signer).

Claim 2. Scheme DS is non-frameable

We give an overview of the proof and refer to [FP08b] for the quite technical proof. Our strategy is to reduce a "framing" proxy signature to a forgery of a Waters signature: An euf-cma adversary $\mathcal B$ against Waters' scheme receives a public key $X$ from its environment and sets out to simulate the non-frameability game for adversary $\mathcal A$ against DS, setting $X$ as the public key of a random honest user $U^*$. Now to do so, without knowledge of the secret key, it must simulate the hash values $(F_i)$ corresponding to $X$. We define thus a sequence of indistinguishable games: The first game is the original non-frameability game. In the next one, we simulate the zk-proofs $(P_i)$ in the public key of $U^*$. In the third game, relying on the xf assumption, we substitute the $(F_i)$ by random values. Now the last game can be simulated by $\mathcal B$, given the fact that the signatures required to answer Dlg and PSig queries can be forwarded to $\mathcal B$'s own signing oracle. If $\mathcal A$ wins the non-frameability game by framing $U^*$, then the signature output by $\mathcal A$ contains a Waters forgery.

However, to win the euf-cma game, $\mathcal B$ is required to return the bits of the message rather than its hash value—in fact, $\mathcal B$'s oracle queries also require messages. This is why we need $\Pi_{X\leftrightarrow F}$ to be an extractable proof system; moreover, extraction must be possible even after having simulated proofs—which is the reason for $\Pi_{X\leftrightarrow F}$ to be weakly simulation sound.

Claim 3. Scheme DS is traceable

Proof. The claim follows by a reduction to unforgeability of the Waters signature scheme for messages of length $\Lambda \cdot m$ using the following fact:

Let $0^i$ denote a string of $i \cdot m$ zeroes. Then for any $x \in \{0,1\}^m$ and any $i^*$, a signature on $(0^{i^*-1} \,\|\, x \,\|\, 0^{\Lambda-i^*})$ w.r.t. parameters $((u_{i,j})_{j=1}^m)_{i=1}^\Lambda$ is a signature on $x$ w.r.t. parameters $(u_{i^*,j})_{j=1}^m$.


Setup($1^\lambda$, $\Lambda$)
– Choose a bilinear group $\mathrm{gPar} := (p, G, G_T, e, g) \leftarrow \mathcal G(1^\lambda)$.
– Define $m$, the maximal length of messages to be signed, as $m := \lambda - 1$.
– Choose Waters parameters to sign messages consisting of $\Lambda \cdot m$ bits: $\mathrm{sPar} := (g_2, u_0, (u_{i,1}, \dots, u_{i,m})_{i=1}^\Lambda) \leftarrow G^{\Lambda m + 2}$.
– For $1 \le i \le \Lambda$, choose $\mathrm{crs}_i$, a common reference string for $\Pi_{X\leftrightarrow F}$ for parameters $(u_{i,j})_{j=1}^m$.
The issuer chooses an issuing key $\mathrm{ik} := \omega \leftarrow \mathbb Z_p$ and defines $\Omega := g^\omega$. The public parameters are $\mathrm{pp} := (\mathrm{gPar}, \mathrm{sPar}, (\mathrm{crs}_i)_{i=1}^\Lambda, \Omega)$.

UKGen(pp) Choose a random $x \leftarrow \mathbb Z_{2^m}$ and set $X := g^x$. Define the public key $\mathrm{pk} := (X, (F_i, P_i)_{i=1}^\Lambda)$, where $F_i := F_i(x)$ is the $i$th hash (cf. Def. 4) and $P_i := P_{X\leftrightarrow F}(\mathrm{crs}_i, (X, F_i), x)$ is a proof for $X$ and $F_i$ containing the same $x$.

Enroll(pp, ik, pk) Parse pk as $(X, (F_i, P_i)_{i=1}^\Lambda)$.
1. Check all proofs $P_i$; if one is invalid, return $\bot$.
2. $\mathrm{cert}_i := \mathrm{FSig}(\omega, F_i)$ for $1 \le i \le \Lambda$.
3. Add $(X, (F_i, P_i, \mathrm{cert}_i)_{i=1}^\Lambda)$ to UList and return $(\mathrm{cert}_i)_{i=1}^\Lambda$.
The user defines her secret key as $\mathrm{sk} := (X, (F_i, P_i, \mathrm{cert}_i)_{i=1}^\Lambda, x)$.

Dlg(pp, $\mathrm{sk}_i$, [$\mathrm{warr}_{\to i}$], $\mathrm{pk}_{i+1}$) Let the user holding $\mathrm{sk}_i$ be the $i$th delegator.
1. Parse $\mathrm{sk}_i$ as $(X_i, (F_{i,j}, P_{i,j}, \mathrm{cert}_{i,j})_{j=1}^\Lambda, x_i)$, $\mathrm{pk}_{i+1}$ as $(X_{i+1}, (F_{i+1,j}, P_{i+1,j})_{j=1}^\Lambda)$ and $\mathrm{warr}_{\to i}$ as $((X_j, F_{j,j}, P_{j,j}, \mathrm{cert}_{j,j}, \sigma_j)_{j=1}^{i-1}, (X'_i, F'_{i,i}, P'_{i,i}))$; in case $i = 1$, define $\mathrm{warr}_{\to 1} := (X_1, F_{1,1}, P_{1,1})$.
2. If one of the proofs in $\mathrm{warr}_{\to i}$ or $\mathrm{pk}_{i+1}$ is invalid or if $(X'_i, F'_{i,i}, P'_{i,i}) \neq (X_i, F_{i,i}, P_{i,i})$ then return $\bot$.
3. Define $\sigma_i \leftarrow \mathrm{FSig}(x_i, F_{1,1} \cdots F_{i,i} \cdot F_{i+1,i+1})$. Return $\mathrm{warr}_{\to i+1} := \mathrm{warr}_{\to i} \,\|\, (\mathrm{cert}_{i,i}, \sigma_i, (X_{i+1}, F_{i+1,i+1}, P_{i+1,i+1}))$.

PSig(pp, $\mathrm{sk}_i$, $\mathrm{warr}_{\to i}$, $M$) Let the user holding $\mathrm{sk}_i$ be the $(i-1)$st delegatee.
1. and 2. as for Dlg (but ignoring the commands for $\mathrm{pk}_{i+1}$).
3. Define $\sigma_i := \mathrm{FSig}(x_i, F_{1,1} \cdots F_{i,i} \cdot F_\Lambda(M))$. The proxy signature is $\Sigma := (\sigma_1, (X_j, F_{j,j}, P_{j,j}, \mathrm{cert}_{j,j}, \sigma_j)_{j=2}^i)$.

PVer(pp, pk, $M$, $\Sigma$) Let $\mathrm{pk} = (X_1, F_{1,1}, P_{1,1}, \dots)$, $\Sigma = (\sigma_1, (X_i, F_{i,i}, P_{i,i}, \mathrm{cert}_{i,i}, \sigma_i)_{i=2}^k)$. Return 0 if any of the following returns 0, otherwise return 1.
1. $V_{X\leftrightarrow F}(\mathrm{crs}_i, (X_i, F_{i,i}), P_{i,i})$, for $1 \le i \le k$,
2. $\mathrm{FVer}(\Omega, F_{i,i}, \mathrm{cert}_{i,i})$, for $2 \le i \le k$,
3. $\mathrm{FVer}(X_i, F_{1,1} \cdots F_{i+1,i+1}, \sigma_i)$, for $1 \le i < k$, and $\mathrm{FVer}(X_k, F_{1,1} \cdots F_{k,k} \cdot F_\Lambda(M), \sigma_k)$.

Open(pp, pk, $M$, $\Sigma$, UList) If $\Sigma$ is valid, parse it as $(\sigma_1, (X_i, F_{i,i}, P_{i,i}, \mathrm{cert}_{i,i}, \sigma_i)_{i=2}^k)$. If for all $i$, $X_i \in$ UList, return $(X_2, \dots, X_k)$, otherwise return $\bot$.

Fig. 1. Implementation of the Delegation Scheme DS


The simulator sets $\Omega$ to the public key it is challenged on and deals with $\mathrm{Enroll}(X, (F_i, P_i))$ queries as follows: If one of the $P_i$ is invalid, return $\bot$, otherwise extract $x$ from one of them. To produce $\mathrm{cert}_i$, query a signature on the message $(0^{i-1} \,\|\, x \,\|\, 0^{\Lambda-i})$. Open the signature returned by the adversary to $X_2, \dots, X_k$. If $X_i \notin$ UList for some $i$, return $\mathrm{cert}_i$ from the signature, together with the extracted bits. □

5 The Anonymous Delegation Scheme

Now using the techniques derived from the Leak Tightness Lemma as discussed in Sect. 3, we can convert the scheme DS in Fig. 1 into an anonymous proxy signature scheme APS. We give the necessary modifications to DS:

Setup($1^\lambda$, $\Lambda$) Choose a bilinear group of composite order $(p, q, G, G_T, e, g) \leftarrow \mathcal G_c(1^\lambda)$ and define $\mathrm{gPar} := (n = pq, G, G_T, e, g)$. Add $H \leftarrow G_q$, a subgroup element for bgn-encryptions, to pp and additionally output the opening key $\mathrm{ok} := q$.

Enroll(pp, ik, $(X, \dots)$) The opener approves⁴ a new public key by verifying that $X^q \neq (X')^q$ for all $X' \in$ UList before adding $X$ to UList.

PSig(pp, $\mathrm{sk}_k$, $\mathrm{warr}_{\to k}$, $M$) After producing $\Sigma = (\sigma_1, (X_i, F_{i,i}, P_{i,i}, \mathrm{cert}_{i,i}, \sigma_i)_{i=2}^k)$, blind $\Sigma$ by bgn-encrypting all elements of $\Sigma$ under $H$ and adding one proof $\pi$ (cf. Lemma 1) per pairing-product equation to be satisfied in PVer. Denote the result as $\bar\Sigma := (\bar\sigma_1, (\bar X_i, \bar F_{i,i}, \bar P_{i,i}, \overline{\mathrm{cert}}_{i,i}, \bar\sigma_i)_{i=2}^k, (\pi_i))$.

PVer(pp, pk, $M$, $\bar\Sigma$) Instead of verifying the pairing-product equations directly, verify the proofs $(\pi_i)$ on the encrypted values.

Open(pp, ok, $M$, $\bar\Sigma$, UList) If $\bar\Sigma$ passes verification, do the following for $2 \le i \le \Lambda$: if $\bar X_i^q = (X')^q$ for some $X' \in$ UList, then set $X_i := X'$, otherwise return $\bot$. Finally, return $(X_2, \dots, X_k)$.

Anonymity. Consider two "plain" proxy signatures $\Sigma_1$ and $\Sigma_2$, both valid under the same public key and resulting from the same number of delegations (and consequently of the same size). If we blind both signatures and add proofs $(\pi_i)$, then they are indistinguishable: replacing $H$ by a random element in $G$ is indistinguishable by sd. Now the signature components are perfectly blinded and the $\pi_i$'s do not leak any information on the cleartexts besides validity by Lemma 1(2). As a consequence, APS satisfies anonymity as defined in Sect. 3.3.

⁴ If $X^q = (X')^q$ then the sets of ciphertexts of $X$ and $X'$ coincide, making correct tracing impossible. Note that for random keys this is very improbable. It occurs if $X$ was maliciously set to $X' H^\rho$ for some $\rho$, which makes the key useless anyway, as to compute the corresponding secret key one would have to know $\log_g H$.

Traceability and Non-Frameability. Traceability and non-frameability both follow from a reduction to the respective notions for DS in the subgroup $G_p$ using the techniques of Lemma 1. Given an adversary $\mathcal A$ against APS, we construct $\mathcal B$ against DS: After receiving $\mathrm{pp}_{DS}$, $\mathcal B$ defines $\mathrm{pp}_{APS}$ by first creating parameters $\mathrm{pp}', \mathrm{ik}'$ for a new instance of DS in group $G_q$, and then multiplying all parameters from $\mathrm{pp}_{DS}$ with the new ones, resulting thus in correctly distributed parameters in $G$, e.g., $g \in \mathrm{pp}$ and $g' \in \mathrm{pp}'$ yield $\bar g := g g' \in G$. Finally, $\mathcal B$ adds $H \in G_q$ to $\mathrm{pp}_{APS}$. $\mathcal A$'s oracle queries are dealt with in the following way:

PK queries. Run the PK oracle for DS to get $\mathrm{pk} := (X, (F_i, P_i))$, then choose a secret key $x' \in \{0,1\}^m$ and compute $X' := (g')^{x'}$ and $F'_i := \prod_j (u'_{i,j})^{x'_j}$ for $1 \le i \le \Lambda$, as well as the corresponding proofs w.r.t. parameters $\mathrm{pp}'$. Let the result be $\mathrm{pk}'$ and define $(\bar X, (\bar F_i, \bar P_i))$ by multiplying all components of pk with the respective ones of $\mathrm{pk}'$.

First, note that due to Lemma 1(3), all proofs $\bar P_i$ satisfy all pairing-product equations of $V_{X\leftrightarrow F}$. Second, $(\bar X, (\bar F_i))$ is indistinguishable from an honestly computed one by the xf-assumption in $G$, $G_p$ and $G_q$.⁵

Enroll, Dlg, PSig queries. Answering these queries basically consists of simulating $\mathrm{FSig}(y, F_1 \cdots F_k)$ for some $y, F_1, \dots, F_k$. Define $\theta_p, \theta_q$ such that $\theta_p \equiv_p 1$, $\theta_p \equiv_q 0$, $\theta_q \equiv_p 0$, $\theta_q \equiv_q 1$. If $F = \prod_{i=1}^m (u_i u'_i)^{x_i}$, then $F^{\theta_p} = \prod u_i^{x_i} \in G_p$ and $F^{\theta_q} = \prod (u'_i)^{x_i} \in G_q$. Now, $\mathcal B$ submits $F_1^{\theta_p} \cdots F_k^{\theta_p}$ to its own oracle to get $\sigma$ and—knowing all secret keys for the $q$-components—computes $\sigma'$ in $G_q$ on its own. Finally, $\mathcal B$ returns $\bar\sigma = \sigma \cdot \sigma'$ which is a valid signature according to Lemma 1(3).

When $\mathcal A$ eventually returns $(\mathrm{pk}, M, \bar\Sigma)$, $\mathcal B$ "translates" the result back to $G_p$ by raising everything to the power of $\theta_p$ and outputs it. It follows from Lemma 1(4) that $\mathcal B$'s output passes verification. If $\mathcal A$ wins its game then so does $\mathcal B$:

Traceability. If $\mathcal A$ wins the game then for some $i$ we have: $\forall X' \in \mathrm{UList}_{APS}: \bar X_i^q \neq (X')^q$, which implies $\bar X_i^{\theta_p} \neq (X')^{\theta_p}$. On the other hand we have $\mathrm{UList}_{DS} = \{X^{\theta_p} \mid X \in \mathrm{UList}_{APS}\}$. Together, this means $\bar X_i^{\theta_p} \notin \mathrm{UList}_{DS}$, the condition for $\mathcal B$ winning the game.

Non-frameability. Analogously: $\mathcal A$ wins the game if in the returned signature, there is one delegation step it has not queried. Since we compare "openings" of the signature and the warrants, the argument works as for traceability.
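An added example (not the paper's code) of the composite-order mechanics behind the $\theta_p$/$\theta_q$ split of Sect. 3.2, the opener's $X^q$ check of Sect. 5 and footnote 4, and the traceability argument just given: $G$ of order $n = pq$ is modelled by exponents modulo $n$ for two constructed primes, so discrete logs are free and only the subgroup algebra is checked.

```python
"""Added example (not the paper's code): composite-order subgroup algebra
in a toy model.  G has order n = p*q for two small constructed primes; an
element g^a is its exponent a mod n, so G_p is the set of multiples of q,
G_q the multiples of p, multiplication is addition and exponentiation is
multiplication.  Shown: BGN-blinding X -> X*H^rho with H in G_q, the
theta_p/theta_q projections of Lemma 1(4), the opener's X^q test with
opening key q, and why X' = X*H^rho collides with X (footnote 4)."""
import secrets

P_ORD, Q_ORD = 1_000_003, 1_000_033   # constructed primes; n = p*q
N = P_ORD * Q_ORD


def crt_theta(one_mod, zero_mod):
    """theta with theta = 1 (mod one_mod) and theta = 0 (mod zero_mod)."""
    return (zero_mod * pow(zero_mod, -1, one_mod)) % N


THETA_P = crt_theta(P_ORD, Q_ORD)   # X^theta_p keeps only the G_p part
THETA_Q = crt_theta(Q_ORD, P_ORD)   # X^theta_q keeps only the G_q part


def random_element():
    """Uniform element of G."""
    return secrets.randbelow(N)


def random_gq_element():
    """H <- G_q: a non-trivial element whose exponent is a multiple of p."""
    return (P_ORD * (secrets.randbelow(Q_ORD - 1) + 1)) % N


def power(X, e):
    """X^e in exponent form."""
    return (X * e) % N


def mul(X, Y):
    """X * Y in exponent form."""
    return (X + Y) % N


def bgn_blind(X, H, rho):
    """X_bar := X * H^rho, the BGN-encryption of X under H."""
    return mul(X, power(H, rho))


def project_p(X):
    """X^{theta_p}: the G_p component.  H^{theta_p} = 1 for H in G_q, so
    blinding disappears, which is the content of Lemma 1(4)."""
    return power(X, THETA_P)


def project_q(X):
    """X^{theta_q}: the G_q component."""
    return power(X, THETA_Q)


def same_under_opening_key(X, Y):
    """X^q == Y^q, the test Enroll and Open perform with ok := q.  It holds
    exactly when X and Y agree in their G_p components."""
    return power(X, Q_ORD) == power(Y, Q_ORD)


def open_blinded(X_bar, ulist):
    """Open: the registered X' with X_bar^q = X'^q, or None if there is
    not exactly one such key (the opener would return bottom)."""
    matches = [X_ for X_ in ulist if same_under_opening_key(X_bar, X_)]
    return matches[0] if len(matches) == 1 else None


def enroll_accepts(X, ulist):
    """Enroll (APS): accept X only if X^q != X'^q for all registered X'."""
    return all(not same_under_opening_key(X, X_) for X_ in ulist)
```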

6 The Proof of Equality of Exponent and Hash Preimage

In order to construct $\Pi_{X\leftrightarrow F}$, introduced in Sect. 4.2, we will use the following proof systems, for the details of which we refer to [FP08b].

⁵ An element $(g^x, (F_i(x))) \in L_G$ is indistinguishable from a random element in $G^{\Lambda+1}$ by the xf-Assumption in $G$. Now the latter is indistinguishable from elements $(g^x \cdot (g')^{x'_1}, (F_i(x) \cdot (g')^{x'_2}))$ in $L_{G_p} \cdot G_q^{\Lambda+1}$ by the xf-Assumption in $G_p$, whereas the one in $G_q$ guarantees indistinguishability of $L_{G_p} \cdot G_q^{\Lambda+1}$ from $L_{G_p} \cdot L_{G_q}$.


$\Pi_{1L}$ A perfect wi (witness indistinguishable) proof system similar to the one from [GOS06a]: Given two triples, it proves that at least one of them is linear w.r.t. a given basis. We generalize their method, in that the bases for each triple are not necessarily the same.

$\Pi_{b,eq}$ From $\Pi_{1L}$ we directly derive a proof of the following: Given a gos-commitment to some $x$ and a linear encryption of some $g^y$, prove that $x, y \in \{0,1\}$ and $x = y$.

$\Pi_{cX}$ Given a vector of gos-commitments to bits $(c_i)_{i=1}^m$ and $X \in G$, $\Pi_{cX}$ is a nizk proof for the committed values being the bits of $\log X$.

$\Pi_{cF}$ Given a vector of commitments to bits $(c_i)_{i=1}^m$ and $F \in G$, $\Pi_{cF}$ is a nizk proof for the committed values being a hash preimage of $F$, i.e., if $c_i$ commits to $x_i$ for all $i$, then $F = F(x_1, \dots, x_m)$.

$\Pi_G$ Given $(\mathrm{pk}, \mathrm{pk}', d, d', \mathrm{ck}, c, v)$, $\Pi_G$ is a wi proof for either $d$ and $d'$ being linear encryptions of the same message under $\mathrm{pk}, \mathrm{pk}'$, resp., or $c$ being a commitment to $v$ under $\mathrm{ck}$.

We will also use a one-time signature scheme $S_{\mathrm{ots}} = (\mathrm{KGen}_{\mathrm{ots}}, \mathrm{Sig}_{\mathrm{ots}}, \mathrm{Ver}_{\mathrm{ots}})$ (cf. [Gro06] for an implementation). All verification procedures of the above systems consist exclusively of checking pairing-product equations. We give an overview of our construction detailed in [FP08b].

Let $((X, F), x) \in R_{X \leftrightarrow F}$, i.e., $X = g^x$ and $F = \mathcal{F}(x)$. Aiming for an extractable proof, we first produce vectors of commitments $\vec{c}_X$ and $\vec{c}_F$ to the bits of $x$ and prove consistency with $X$ and $F$ via $\Pi_{cX}$ and $\Pi_{cF}$, resp. The proofs can be simulated by replacing the commitment keys for $\vec{c}_X$ and $\vec{c}_F$ by perfectly hiding keys. However, to achieve extraction zero-knowledge (EZK), we must extract from proofs queried to the oracle, even after replacing the CRS by a simulated one. We thus add linear encryptions $d'_i$ and $d''_i$ under public keys $pk', pk''$ of the bits in $c_{X,i}$ and $c_{F,i}$, resp., and prove that we did so via $\Pi_{b,eq}$. At the same time this proves that $c_{X,i}, c_{F,i}$ are commitments to bits and that $d'_i, d''_i$ are encryptions of either $g^0$ or $g^1$.

The latter enables us to ensure equality of the plaintexts in $d'_i$ and $d''_i$ for all $i$ at once, by proving that

$$d'_P := \prod_{i=1}^{m} (d'_i)^{2^{i-1}} \quad\text{and}\quad d''_P := \prod_{i=1}^{m} (d''_i)^{2^{i-1}}$$

decrypt to the same plaintext. However, this proof must contain some kind of trapdoor, because in the proof of EZK, $d'_i$ and $d''_i$ might contain different plaintexts. To do so, we borrow a trick Groth uses to build RCA-secure encryption in [Gro06]: add a commitment $c_G$ under key $ck_G$ of a signature verification key $vk_G$ to the CRS of $\Pi_{X \leftrightarrow F}$ and require the prover to choose a one-time signature key pair $(vk, sk)$, and to add $vk$ and a signature on $(X, F)$ to the proof. The proof of consistency of $d'_P$ and $d''_P$ is a $\Pi_G$ proof of $(pk', pk'', d'_P, d''_P, ck_G, c_G, vk)$. Now we can (one-time) simulate proofs by choosing $vk := vk_G$ and using the corresponding signing key, which is unknown to the adversary.
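The aggregation step above, as an added toy example that is not part of the paper: the bits of x are encrypted one by one under two linear-encryption keys, the ciphertexts are combined with exponents 2^(i-1), and both aggregates decrypt to g^x = X, while a single flipped bit makes them disagree. The toy group (order-23 subgroup of Z_47^*, g = 4), the seed, and checking with both decryption keys in place of the Π_G proof are assumptions of this example.

```python
"""Aggregating bitwise linear encryptions (added toy example, not the paper's code).

Linear encryption (Boneh-Boyen-Shacham) is multiplicatively homomorphic, so the
product of the per-bit ciphertexts d_i = Enc(g^{x_i}) with exponents 2^(i-1) is
an encryption of g^x = X. Checking that d'_P and d''_P decrypt to the same value
therefore replaces m separate per-bit comparisons. Here that check is done with
both decryption keys, standing in for the Pi_G proof used in the paper.
Toy group: the order-23 subgroup of Z_47^* with generator g = 4 (constructed
placeholder sizes, not secure parameters).
"""
import random

P, Q, G = 47, 23, 4  # p = 2q + 1, and g = 4 has prime order q


def keygen(rng):
    """sk = (x, y), pk = (u, v, h) with u^x = v^y = h = g."""
    x, y = rng.randrange(1, Q), rng.randrange(1, Q)
    u = pow(G, pow(x, -1, Q), P)
    v = pow(G, pow(y, -1, Q), P)
    return (x, y), (u, v, G)


def encrypt(pk, msg, rng):
    """Enc(M) = (u^a, v^b, M * h^(a+b)) for fresh a, b in Z_q."""
    u, v, h = pk
    a, b = rng.randrange(Q), rng.randrange(Q)
    return pow(u, a, P), pow(v, b, P), msg * pow(h, a + b, P) % P


def decrypt(sk, ct):
    """M = c3 / (c1^x * c2^y)."""
    x, y = sk
    c1, c2, c3 = ct
    mask = pow(c1, x, P) * pow(c2, y, P) % P
    return c3 * pow(mask, -1, P) % P


def bits_of(x, m):
    """Bits x_1..x_m of x, least significant first (x = sum_i x_i 2^(i-1))."""
    return [(x >> i) & 1 for i in range(m)]


def encrypt_bits(pk, bits, rng):
    """d_i = Enc(g^{x_i}); every plaintext is g^0 or g^1, as Pi_b,eq asserts."""
    return [encrypt(pk, pow(G, bit, P), rng) for bit in bits]


def aggregate(cts):
    """d_P = prod_i d_i^(2^(i-1)), applied component-wise to the ciphertexts."""
    c1 = c2 = c3 = 1
    for i, (a, b, c) in enumerate(cts):
        e = 1 << i  # equals 2^(i-1) for the 1-indexed bit position i+1
        c1, c2, c3 = c1 * pow(a, e, P) % P, c2 * pow(b, e, P) % P, c3 * pow(c, e, P) % P
    return c1, c2, c3


def demo(x=13, m=5, seed=2009):
    """Returns (both aggregates decrypt to X, a flipped bit is detected)."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    X = pow(G, x, P)
    bits = bits_of(x, m)
    sk1, pk1 = keygen(rng)  # plays pk'
    sk2, pk2 = keygen(rng)  # plays pk''
    d1 = encrypt_bits(pk1, bits, rng)
    d2 = encrypt_bits(pk2, bits, rng)
    agree = decrypt(sk1, aggregate(d1)) == decrypt(sk2, aggregate(d2)) == X
    # Flip one bit on the pk'' side: the two aggregates no longer decrypt alike.
    bad = bits[:]
    bad[2] ^= 1
    detect = decrypt(sk1, aggregate(d1)) != decrypt(sk2, aggregate(encrypt_bits(pk2, bad, rng)))
    return agree, detect
```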

Acknowledgments

This work was supported in part by EADS, the French ANR-07-SESU-008-01 PAMPA Project and the European Commission through Contract ICT-2007-216646 ECRYPT II.


148 G. Fuchsbauer and D. Pointcheval

References

[ASW00] Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE J. Selected Areas in Comm. 18(4), 593–610 (2000)

[BCKL08] Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Non-interactive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)

[BMW03] Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)

[BR93] Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security 1993, pp. 62–73. ACM, New York (1993)

[BSZ05] Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: The case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005)

[BFM88] Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988, pp. 103–112. ACM, New York (1988)

[BPW03] Boldyreva, A., Palacio, A., Warinschi, B.: Secure proxy signature schemes for delegation of signing rights. IACR ePrint Archive: Report 2003/096 (2003)

[BB04] Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)

[BBS04] Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)

[BGLS03] Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)

[BGN05] Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)

[BW06] Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)

[BW07] Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)

[Cha85] Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Communications of the ACM 28(10), 1030–1044 (1985)

[CvH91] Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)

[DP92] De Santis, A., Persiano, G.: Zero-knowledge proofs of knowledge without interaction. In: FOCS 1992, pp. 427–436. IEEE Computer Society, Los Alamitos (1992)

[FP08a] Fuchsbauer, G., Pointcheval, D.: Anonymous proxy signatures. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 201–217. Springer, Heidelberg (2008)


Proofs on Encrypted Values in Bilinear Groups 149

[FP08b] Fuchsbauer, G., Pointcheval, D.: Encrypting proofs on pairings and an application to anonymity of signatures (full version). Cryptology ePrint Archive, Report 2008/528 (2008), http://eprint.iacr.org/2008/528

[GMR88] Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308 (1988)

[GOS06a] Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)

[GOS06b] Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006)

[Gro07] Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)

[Gro06] Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)

[GS08] Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)

[KP98] Kilian, J., Petrank, E.: Identity escrow. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 169–185. Springer, Heidelberg (1998)

[MUO96] Mambo, M., Usuda, K., Okamoto, E.: Proxy signatures for delegating signing operation. In: Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS). ACM, New York (1996)

[Nao03] Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003)

[Sah99] Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS 1999, pp. 543–553. IEEE Computer Society, Los Alamitos (1999)

[TW05] Trolin, M., Wikström, D.: Hierarchical group signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 446–458. Springer, Heidelberg (2005)

[Wat05] Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)


Identity Based Group Signatures from Hierarchical Identity-Based Encryption

Nigel P. Smart and Bogdan Warinschi

Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom

{nigel,bogdan}@cs.bris.ac.uk

Abstract. A number of previous papers explored the notion of identity-based group signature. We present a generic construction of identity-based group signatures. Our construction is based on the Naor transformation of an identity-based signature out of an identity-based encryption, adjusted to hierarchical identity-based encryption. We identify sufficient conditions on the underlying HIBE so that the scheme that results from our transformation meets our security definitions. Finally, we suggest a couple of extensions enabled by our construction, one of which is to hierarchical identity-based group signatures.

1 Introduction

Identity-based cryptography as envisioned by Shamir [23] aims to ease the key distribution problem associated with standard PKIs used for asymmetric cryptosystems. The key insight is that parties can use their identities as their public keys, which in turn makes secure repositories for public keys unnecessary. This idea has been thoroughly explored in the context of standard encryption [4,6,11,13,20,21,22] and signature schemes [2,9,16] as well as in that of more complex primitives like traitor tracing [1].

In the context of group signatures, a primitive with multiple practical uses, a large proportion of the prior work did not consider the appropriate extension of the primitive to the ID-based setting. Specifically, the schemes proposed in many previous papers under the name of identity-based group signatures still use a standard public key for the group key. This is clearly a departure from the original motivation for identity-based cryptography, does not properly extend identity-based signature schemes, and suffers from the standard PKI-related difficulties. The reason for the name of the primitive was that the identity of group members was allowed to be an unstructured identity. Examples of such proposals include [12,17,18,19,25].

In [27] a more correct syntax and security definition is given in which identifier strings are used for both the users and the group names themselves. Recall that in a group signature, multiple signers can produce signatures on behalf of the group without revealing information about the origin of the signature. Only a designated opener can later link these signatures to their authors using a special secret key, whereas a group manager is in charge of adding users to the group. In [27] these two functionalities are separated; in our work we simplify the model somewhat by requiring the opener and the group manager to be the same.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 150–170, 2009. © Springer-Verlag Berlin Heidelberg 2009

Our contributions. We provide the following results on identity-based group signatures.

Security and Syntax of the primitives. We provide a simplified identity-based group signature model, which is a subset of the model in [27]. Since we work in the ID-based setting we consider a trusted authority that generates system-wide parameters. We model and explore the realistic scenario where the same set of system parameters is shared by multiple groups of signers. Users can join existing groups, and we allow the same user to belong to multiple groups. Our security models are those of full-anonymity and full-traceability. Full-anonymity captures the idea that the identity of the signers is not revealed by signatures, and full-traceability says that the group manager can determine who created a given valid signature.

In this paper we model a simple setting where the roles of the group manager and signature opener are merged (very much like in [3]). Also, in our model users do not have public keys (or independent identity-based keys) and therefore no secrets, hence the group manager (opener) can always add users to groups and produce signatures on their behalf, undetected. Our simplified definition facilitates our direct HIBE-based construction, which itself can then easily be seen to extend to a construction which enables hierarchies of groups. It is this HIBE-based construction and its extension which is the most novel part of our work.

Generic construction based on HIBE. Clearly, one can construct an ID-based group signature scheme by appending certificates for the group public key to each signature in a standard group signature scheme. Our models can be used to analyze such constructions. However, the flexibility afforded by our syntax may lead to more efficient schemes and/or schemes with enhanced functionality. One interesting example is schemes with group hierarchies alluded to above, and discussed further below.

We provide a generic construction based on hierarchical identity-based encryption (HIBE) [14]. The transformation that we present adapts the Naor transformation of an identity-based encryption scheme into an identity-based signature scheme and shares ideas with the Boyen-Waters construction of a standard group signature scheme out of a HIBE. Next, we sketch our construction and provide further details on the transformation that we designed.

Recall that in HIBEs users at the lower levels of the hierarchy can compute the decryption keys for users at the higher levels. The idea behind our construction is to set up a 4-level HIBE: on the first level we place group identities, on the second level user identities, on the third level the messages to be signed, and the fourth level is reserved for some sort of randomizers. A new group is created by extracting the key associated to the identity grpID which is then given to the group manager. To add user userID to group grpID, the manager extracts the key associated to identity (grpID, userID) which becomes the signing key of user userID for group grpID. One tempting way to produce a signature on a message m using this key is to extract the secret key associated to hierarchical identity (grpID, userID, m). This is essentially the approach taken by the construction of [7] which encrypts the resulting signature under the public key and uses (efficient) non-interactive zero-knowledge proofs to ensure that the construction followed the prescribed recipe. Notice that encrypting the signature is indeed needed, as the signature may leak information about userID (for example when the extraction algorithm is deterministic). To hide the identity of the signer we use a different approach based on properties that we observe in existing HIBE constructions. Specifically, to produce a signature on message m on behalf of group grpID, a user userID extracts the secret key d associated to (grpID, userID, m, rID), for a randomly chosen randomizer rID. We observe that for existing constructions the resulting decryption key hides all information about the hierarchical identity to which it corresponds (provided that rID is from a big enough space). A remaining problem is that in order to verify the signature, one needs to first encrypt a message under the identity (grpID, userID, m, rID) and then test that the decryption with d succeeds. Clearly, this verification procedure leaks information about userID. Instead, we observe that the encryption process of HIBEs usually computes an encryption key e associated to the hierarchical identity which is then used in an encryption algorithm. We can therefore let (e, d) play the role of a signature, provided they indeed do not reveal information about userID. We call this property that we identify and demand from the underlying HIBE random identity hiding. It is worth noting that all of the existing HIBE constructions, Boneh-Boyen [4], Waters [26] and Boneh-Boyen-Goh [5], satisfy this property. In addition to (e, d) a signature also contains an encryption of userID under grpID and a non-interactive proof that all of the parts fit together. We analyze a construction where this proof is obtained via the Fiat–Shamir transform, and therefore our construction is in the random oracle model.

Instantiation based on the Boneh-Boyen-Goh HIBE. We use the Boneh-Boyen-Goh HIBE to instantiate our construction. We show that our theoretical construction yields in this case an explicit identity-based group signature scheme which has a signature of fixed length, irrespective of the size of the group to which the signature is attached. Furthermore, the signature is relatively short, and computationally very efficient.

Extensions. Finally, we sketch a couple of variants of our basic construction. First, we note that by eliminating the first level of the HIBE (the level that contains group identities) we obtain a standard group signature with a standard public key as the verification key. A more interesting extension is to hierarchical identity-based group signatures. For standard group signatures the extension to hierarchical group managers has been investigated by Trolin and Wikström [24]. The analogous extension for the case of identity-based group signatures is beyond the goals of this paper. We sketch however how to extend our construction so as to meet the intuitive goals of such an extension. The idea is to introduce additional group identity levels. Group managers can then add users to any of the subgroups of the group they manage, users can sign on behalf of any of the groups to which they belong, and signatures can be opened by the managers of these groups, or indeed any other levels in the hierarchy.

On the use of the random oracle. We end the introduction with a note on the usage of random oracles in our construction. In our construction we use non-interactive zero-knowledge proofs obtained via the Fiat–Shamir heuristic from Σ-protocols, and thus our construction is in the random oracle model. An alternative that would yield schemes secure in the standard model could employ standard-model NIZKPOKs (based on a common random string which can be placed in the system parameters), such as those in [15]. However, whilst such NIZKPOKs run in polynomial time, their performance is not very efficient when compared to constructions obtained from Σ-protocols via the Fiat–Shamir heuristic. Indeed, we have chosen to carry out our work in the random oracle model to be able to obtain the efficient implementation based on BBG, which itself requires the random oracle model to obtain non-selective ID security.

2 Preliminaries

Sigma protocols. A Σ-protocol (P, V) for an NP-language L is a three-move, public-coin interactive proof. We typically write (r, c, s) for a transcript of the conversation between the prover and the verifier, where r and s are the messages sent by the prover and c is the message sent by the verifier. We call r the commitment message, c the challenge message, and s the response. We write CommitSpace for the space to which r belongs, and ChallSpace for the space from which c is drawn. We call a transcript accepting for x if the verification algorithm employed by the verifier, V((r, c, s), x), returns 1. Notice that we abuse notation and write V for both the verifier and its verification algorithm.

In this paper we use Σ-protocols that satisfy special soundness: we require that there exists an extraction algorithm E which, given two accepting transcripts (r, c, s) and (r, c′, s′) for x, returns a witness w that x ∈ L. Furthermore, we require that the protocol be special zero-knowledge, that is: there exists a simulator S which on input x and challenge c outputs (r, s) such that (r, c, s) is an accepting transcript for x. If c is selected at random from ChallSpace then (r, c, s) is distributed as true transcripts.

In addition, we also require that (P, V) have perfect completeness: for any witness w that x ∈ L the interaction (P(x, w), V(x)) is accepting.

The Fiat–Shamir transform. The Fiat–Shamir transform is a heuristic that transforms a three-move public-coin protocol into a signature. The heuristic can be used to create “signatures of knowledge” [10]: constructs which, in addition to being signatures on messages, also prove knowledge of a certain secret. Essentially, given a Σ-protocol (P, V) for some language L and a hash function H one can build a signature of knowledge scheme as follows. Given an element x ∈ L and a corresponding witness w, one can produce a signature of knowledge $\mathrm{FS}^H_P((w, x))(m)$ by running locally the interactive proof that x ∈ L, using $c \leftarrow H(r \| x \| m)$ as challenge. Here r is the first message produced by the prover. A bit more formally, we define $\mathrm{FS}^H_P((w, x), m)$ as the algorithm: $(r, \mathit{state}) \leftarrow P(w)(x)$; $c \leftarrow H(r \| x \| m)$; $s \leftarrow P(\mathit{state}, c)(x)$; output $(r, s)$. To verify that (r, s) is a signature of knowledge on message m given public information x, one runs $V(r, H(r \| x \| m), s)$ and accepts if the output is 1 (see footnote 1). We do not formalize the properties signatures of knowledge satisfy. Instead, when we use them in constructions, we reduce the security of the constructions to the properties of the underlying Σ-protocol. In particular, in order for the Fiat–Shamir heuristic to work, we further require from the Σ-protocol that it has high-entropy commitments and high-entropy challenges. Since the challenge is selected at random from the challenge space, the second condition is satisfied whenever this space is sufficiently large. We simplify the first requirement and ask that the commitment space also be large, and that commitments are randomly distributed over this space.
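As an added example that is not code from the paper, the Σ-protocol interface of Section 2 (prover moves, verifier, extractor E, simulator S) and the Fiat–Shamir signature of knowledge defined above, instantiated with Schnorr's protocol for knowledge of a discrete logarithm; the safe-prime group search, SHA-256 as H and the byte encoding of r||x||m are assumptions of this example.

```python
"""Sigma-protocol and Fiat-Shamir signature of knowledge (added example).

(P, V) from the text is instantiated with Schnorr's protocol for knowledge of
w with X = g^w in a prime-order subgroup of Z_p^*.  Schnorr, the safe-prime
search, SHA-256 as H and the encoding of r||x||m are assumptions made here.
"""
import hashlib
import random


def _probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; these fixed bases are deterministic for n < 3e23."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=64):
    """Deterministic search for p = 2q + 1 with p, q prime; g = 4 has order q."""
    q = (1 << (bits - 1)) | 1
    while not (_probable_prime(q) and _probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


class Schnorr:
    """Sigma-protocol for L = {X : X = g^w for some w}; ChallSpace = Z_q."""

    def __init__(self, p, q, g, rng=None):
        self.p, self.q, self.g = p, q, g
        self.rng = rng if rng is not None else random.SystemRandom()

    def commit(self, w, X):
        """P(w)(x): commitment r = g^k plus the prover state k."""
        k = self.rng.randrange(1, self.q)
        return pow(self.g, k, self.p), k

    def respond(self, state, c, w):
        """P(state, c)(x): response s = k + c*w mod q."""
        return (state + c * w) % self.q

    def verify(self, r, c, s, X):
        """V((r, c, s), x): accepting iff g^s == r * X^c mod p."""
        return pow(self.g, s, self.p) == r * pow(X, c, self.p) % self.p

    def extract(self, t1, t2):
        """Special soundness: from (r, c, s), (r, c', s') recover w = (s-s')/(c-c')."""
        (r, c, s), (r2, c2, s2) = t1, t2
        assert r == r2 and c != c2, "need equal commitments and distinct challenges"
        return (s - s2) * pow((c - c2) % self.q, -1, self.q) % self.q

    def simulate(self, X, c):
        """Special zero-knowledge: S(x, c) -> (r, s) with no witness, r = g^s X^-c."""
        s = self.rng.randrange(self.q)
        return pow(self.g, s, self.p) * pow(X, (-c) % self.q, self.p) % self.p, s


def fs_challenge(r, X, m, q):
    """c = H(r || x || m) reduced into ChallSpace = Z_q."""
    digest = hashlib.sha256(f"{r}|{X}|".encode() + m).digest()
    return int.from_bytes(digest, "big") % q


def fs_sign(proto, w, X, m):
    """FS^H_P((w, x), m): run P locally with c = H(r||x||m); output (r, s)."""
    r, state = proto.commit(w, X)
    return r, proto.respond(state, fs_challenge(r, X, m, proto.q), w)


def fs_verify(proto, X, m, sig):
    """Run V(r, H(r||x||m), s); the statement x = X is the implicit input."""
    r, s = sig
    return proto.verify(r, fs_challenge(r, X, m, proto.q), s, X)


def demo():
    """(signature verifies, reuse on another message fails, E recovers w, S fools V)."""
    p, q, g = safe_prime_group()
    proto = Schnorr(p, q, g, random.Random(2009))  # seeded so the run is reproducible
    w = proto.rng.randrange(1, q)
    X = pow(g, w, p)
    sig = fs_sign(proto, w, X, b"sign me")
    r, k = proto.commit(w, X)  # one commitment, two challenges: the forking scenario
    t1, t2 = (r, 5, proto.respond(k, 5, w)), (r, 9, proto.respond(k, 9, w))
    r_sim, s_sim = proto.simulate(X, 3)
    return (fs_verify(proto, X, b"sign me", sig), fs_verify(proto, X, b"other", sig),
            proto.extract(t1, t2) == w, proto.verify(r_sim, 3, s_sim, X))
```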

3 Hierarchical Identity Based Encryption (HIBE)

In this section we recall the notion of HIBE, and introduce its variant that concerns us. Throughout the remainder of the paper we assume a set of basic identities $\mathrm{IdSp} \subseteq \{0, 1\}^*$. We call $ID \in \mathrm{IdSp}^l$ an $l$-level hierarchical identity. For clarity we denote elements of IdSp by lower-case variables (e.g., id, id′, id1, id2, ...) and hierarchical identities by upper-case variables (e.g. ID, ID′, ID1, ID2, ...).

Hierarchical Identity Based Encryption (HIBE). A HIBE consists of four polynomial time algorithms (Setup, Extract, Encrypt, Decrypt):

– Setup(1^k, L). The setup algorithm, on input a security parameter k and a maximal number of levels L, generates a master public/private key pair (mpk, msk) and a message space description M for an L-level HIBE.

– Extract(mpk, ID, d_ID′). The secret key extraction algorithm takes as input an identity ID and the secret key associated to a parent ID′ of ID and derives a secret key d_ID for ID. By convention, we let d_() (the key associated to the empty identity ()) be msk.

– Encrypt(mpk, ID, m; r). The randomized encryption algorithm, on input the master public key mpk, a hierarchical identity ID, and message m, outputs an encryption enc of the message m for identity ID using randomness r.

– Decrypt(d_ID, enc). The decryption algorithm takes as input a secret key d_ID that corresponds to some hierarchical identity ID, and a ciphertext enc, and returns the underlying plaintext (assuming that the ciphertext was encrypted using some identity ID′ to which ID is a parent).

1 Notice that throughout the paper we avoid cluttered notation by assuming that the statement to be verified is an implicit input to the verifier.



Notice that the extraction algorithm works with the secret key of any parent of the target identity (and not only with the master secret key). For correctness we require that ciphertexts created using some identity can be decrypted using a secret key associated to the identity of any of its parents, i.e.

$$\mathrm{Decrypt}(\mathrm{Extract}(mpk, ID_2, d_{ID_1}), \mathrm{Encrypt}(mpk, ID_3, m; r)) = m$$

whenever $ID_1$ is a parent of $ID_2$ which in turn is a parent of $ID_3$, and $d_{ID_1}$ is a secret key associated to $ID_1$.

In the variant of HIBE that we introduce we would like to allow parties to encrypt messages for identities which they do not know. We enable this property by making the assumption that the Encrypt(mpk, ID, m; r) algorithm works in two phases. First the encryptor obtains an encryption key e_ID out of the identity ID and the master public key, and then the ciphertext is obtained using an underlying encryption algorithm. More precisely, we assume that Encrypt(mpk, ID, m; r) = Encr(Distill(mpk, ID), m; r) for some algorithm Distill for distilling keys out of identities, and some underlying encryption algorithm Encr. To define a HIBE, it is therefore required to give two algorithms Distill, Encr instead of the single Encrypt. We call schemes defined this way canonical.

The BBG HIBE [5] will be used as our example throughout since it is very efficient, and thus results in a highly efficient identity-based group signature scheme.

3.1 Security Notions

Our construction for ID-based group signatures is based on a HIBE which satisfies two security properties. In addition to the standard notion of indistinguishability against chosen-plaintext/chosen-ciphertext attacks, the scheme should also hide (random) identities, a property we call random identity hiding. We first recall the former notion and then formalise the latter.

Definition 1 (Indistinguishability under CPA and CCA). Indistinguishability under chosen-plaintext and chosen-ciphertext attacks of a HIBE scheme Π are security notions defined through the experiments $\mathbf{Exp}^{\text{ind-id-cpa-}b}_{\Pi,\mathcal{A}}(k)$ and $\mathbf{Exp}^{\text{ind-id-cca-}b}_{\Pi,\mathcal{A}}(k)$ that we describe below. The experiments depend on an adversary $\mathcal{A}$, and are parametrised by a bit $b$. In a first phase, the adversary is given as input the master public key $mpk$ of a freshly generated key pair $(mpk, msk) \xleftarrow{\$} \mathrm{Setup}(1^k, L)$. In a chosen-plaintext attack (IND-ID-CPA), the adversary is given access to a key derivation oracle that on input of an identity $ID = (id_1, \ldots, id_\ell)$ returns the secret key $d_{ID} \xleftarrow{\$} \mathrm{Extract}(msk, ID)$ corresponding to identity $ID$. In a chosen-ciphertext attack (IND-ID-CCA), the adversary is additionally given access to a decryption oracle that for a given identity $ID = (id_1, \ldots, id_\ell)$ and a given ciphertext $c$ returns the decryption

$$m \leftarrow \mathrm{Decrypt}(\mathrm{Extract}(msk, ID), c).$$



At the end of the first phase, the adversary outputs a challenge message $m^* \in \{0, 1\}^*$ and a challenge identity $ID^* = (id^*_1, \ldots, id^*_{\ell^*})$, where $0 \le \ell^* \le L$. Both experiments then generate a challenge ciphertext $c^* \xleftarrow{\$} \mathrm{Encrypt}(mpk, ID^*, m^*_b; r)$, where $b$ is the parameter bit, $m^*_0 = 0^{|m^*|}$ and $m^*_1 = m^*$, and give $c^*$ as input to the adversary for the second phase (see footnote 2). In the second phase the adversary has access to the same oracles and has to output a bit $d$. The experiment outputs $d$. We require that in both experiments the adversary never queries the key derivation oracle on a parent identity of $ID^*$, and that in the CCA experiment the pair $(ID^*, c^*)$ is never sent to the decryption oracle. The advantage of the adversary is defined by

$$\mathbf{Adv}^{\text{ind-id-xxx}}_{\Pi,\mathcal{A}}(k) = \Pr\big[\mathbf{Exp}^{\text{ind-id-xxx-}1}_{\Pi,\mathcal{A}}(k) = 1\big] - \Pr\big[\mathbf{Exp}^{\text{ind-id-xxx-}0}_{\Pi,\mathcal{A}}(k) = 1\big]$$

for $\mathrm{xxx} \in \{\mathrm{cpa}, \mathrm{cca}\}$. We say that Π is IND-ID-CCA secure (respectively IND-ID-CPA secure) if for all p.p.t. adversaries its advantage $\mathbf{Adv}^{\text{ind-id-cca}}_{\Pi,\mathcal{A}}(k)$ (respectively $\mathbf{Adv}^{\text{ind-id-cpa}}_{\Pi,\mathcal{A}}(k)$) is negligible.

Random-Identity Hiding. Informally, the notion of random identity hiding requires that the key distilled from a hierarchical identity $ID = (id_1, id_2, \ldots, id_l)$, together with an associated decryption key, does not reveal any information about $ID$, as long as at least one of the basic identities $id_i$ is chosen at random. The formalisation of this notion uses patterns. An $l$-level pattern is simply an element of the set $(\mathrm{IdSp} \cup \{\star\})^l$, i.e. a hierarchical identity where some components are replaced by $\star$. We call a pattern non-trivial if it contains $\star$ in at least one position. For a pattern $P$ we write $\overline{P}$ for the set $\overline{P} = \{ID \mid ID \in \mathrm{IdSp}^l,\ P_i \neq \star \Rightarrow P_i = ID_i\}$ of hierarchical identities that coincide with the entries in the pattern on all positions that are not $\star$ in $P$.

The security game that defines random identity hiding is as follows. The adversary selects a non-trivial pattern $P$ of level $l \le L$. The adversary is then given the pair

$$(d_{ID}, e_{ID}) = (\mathrm{Extract}(mpk, ID, d_{()}), \mathrm{Distill}(mpk, ID))$$

for either a random identity $ID$ of level $l$, or an identity $ID \in \overline{P}$. The task of the adversary is to determine whether its input has been obtained from the given pattern, or from a truly random identity. In this game, the adversary has access to essentially all the information in the system (i.e. the master secret key $msk$ grants access to the secret key of any identity), except to the randomness used to obtain $ID$.

Definition 2 (Random identity hiding). Consider the following experiment for an $L$-level HIBE scheme $\Pi = (\mathrm{Setup}, \mathrm{Distill}, \mathrm{Extr}, \mathrm{Encr}, \mathrm{Decrypt})$ and adversary $\mathcal{A}$:

$\mathbf{Exp}^{\mathrm{RIdH}-b}_{\Pi,\mathcal{A}}(1^k)$:
    $(mpk, msk) \xleftarrow{\$} \mathrm{Setup}(1^k, L)$
    $(P, St) \leftarrow \mathcal{A}(mpk, msk)$
    $b \leftarrow \{0, 1\}$
    If $b = 0$ then $ID^* \xleftarrow{\$} \overline{P}$; else $ID^* \xleftarrow{\$} \mathrm{IdSp}^l$, where $P$ is an $l$-level pattern
    $e^* \leftarrow \mathrm{Distill}(mpk, ID^*)$
    $d^* \leftarrow \mathrm{Extract}(mpk, ID^*, d_{()})$
    $b' \leftarrow \mathcal{A}(St, e^*, d^*)$
    Return $b'$

We insist that the pattern $P$ output by the adversary has at least one $\star$ in it. We say that the scheme Π is random identity hiding if for any probabilistic polynomial time adversary $\mathcal{A}$ its advantage

$$\mathbf{Adv}^{\mathrm{RIdH}}_{\Pi,\mathcal{A}}(1^k) = \Pr\big[\mathbf{Exp}^{\mathrm{RIdH}-1}_{\Pi,\mathcal{A}}(1^k) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathrm{RIdH}-0}_{\Pi,\mathcal{A}}(1^k) = 1\big]$$

is negligible.

2 The definition that we use asks the adversary to tell apart encryptions of the message from the encryptions of the all-0 string of the same length. This notion is equivalent to the one in the literature.

An important observation related to the generality of our results is that most of the existing HIBE constructions (e.g. BB [4], BBG [5] and Waters [26]) are both canonical and random identity hiding. We prove this for our running example of the BBG HIBE (the proof is in the full version of the paper).

Theorem 1. The Boneh-Boyen-Goh HIBE is random identity hiding.

4 Identity Based Group Signatures

As discussed in the introduction, much prior work on ID-based group signatures has looked at the case where group members are given by “unstructured” identities, but the verification key used by the group is still a public key in the classical sense of the word. In this section we present a concept of group signatures in the ID-based setting; our security models and syntax are a subset of those of Wei et al. [27]. We concentrate on the two security notions full-anonymity (the identity of the signer is hidden) and full-traceability (a signer can be identified by the group manager). We model a setting where the same set of public parameters (generated by a trusted centre) is used to set up multiple groups of signers (for different group identities).

Syntax. An ID-based group signature scheme consists of six polynomial timealgorithms:

(Setup, GrpSetUp, Join, Sign, Verify, Open),

– Setup(1^k). This generates a master public/private key pair (mpk, msk).

– GrpSetUp(grpID, msk). This algorithm, on input of a string which identifies the group, outputs a group secret key gsk. This secret key is then given to the group manager.



– Join(userID, gsk). This algorithm, executed by the group manager, outputs a user secret key usk, which is passed to the group member. We assume that the group manager keeps a list of the member identities (say by adding them into gsk).

– Sign(m, usk). This algorithm produces a signature σ on the message m from the group to which usk corresponds.

– Verify(m, σ, mpk, grpID). This outputs true if the signature σ is on the message m and was issued by someone in the group grpID, otherwise it should output false.

– Open(gsk, σ, m). This returns the identifier of the user who produced the signature σ on the message m. Note that in some situations the message m need not be input to the Open algorithm. This algorithm is run by the group manager.

For correctness we require that if gsk is the group secret key corresponding to the group with identifier grpID, then

1. Verify(m, Sign(m, Join(userID, gsk)), mpk, grpID) = true
2. Open(gsk, Sign(m, Join(userID, gsk)), m) = userID.

Security models. To define the security of ID-based group signatures we extend the model introduced by Bellare et al. [3] to this setting. Specifically, we cast the properties of full-anonymity (signatures do not reveal information about the signer) and full-traceability (the identity of the signer can be recovered by the group manager) to the ID-based setting. These security notions are well-established by now, so we will not repeat the ideas behind their design.

Anonymity is captured by an indistinguishability experiment between an adversary and the group signature scheme. The adversary has full control over the scheme: it can create new groups (and obtain the group manager's key), can add users to groups (and obtain their signing keys), open signatures at will, etc. These capabilities are modelled by appropriate access to several oracles. At some point the adversary outputs a group identity, two identities of group members and a message. It receives in return a signature on that message, created with the secret key of an identity selected at random between the two output by the adversary. The goal of the adversary is to guess which of the users created the signature. Of course, we impose the minimal requirements that the adversary knows neither the master secret used for setup nor the opening key associated to the group under attack.

Definition 3 (Full-Anonymity). Let Π = (Setup, GrpSetUp, Join, Sign, Verify, Open) be an identity based group signature. Consider the experiment Exp^{anon-b}_{Π,A}(1^k) that involves an adversary A and is parametrised by bit b. The experiment uses msk, mpk as global variables. It also maintains two lists grpIDs (used to record the manager secret keys of the groups) and userIDs (used to record the secret signing keys of users, for the various groups to which they belong), as global variables. Initially both these lists are empty. During the experiment, the adversary has access to the following three oracles:


Identity Based Group Signatures from HIBE 159

– Oracle GrpSetUp(·) on input a query grpID ∈ IdSp checks the list grpIDs for an entry (grpID, gsk). If such an entry is found, then gsk is returned to the adversary. Otherwise, the oracle executes gsk ← GrpSetUp(msk, grpID), adds (grpID, gsk) to the list grpIDs and returns gsk to the adversary.

– Oracle Join(·) is given as input a pair (grpID, userID). If the list grpIDs does not contain an element of the form (grpID, gsk) then the oracle executes gsk ← GrpSetUp(msk, grpID) and adds (grpID, gsk) to grpIDs.

Assuming now that grpIDs contains an element of the form (grpID, gsk), if the list userIDs contains an element of the form ((grpID, userID), usk) then usk is returned to the adversary. Otherwise, the oracle runs usk ← Join(gsk, userID) to obtain a signing key for that user identity, adds ((grpID, userID), usk) to userIDs, and returns the user signing key for that group.

– The Open(·) oracle, on input a tuple (grpID, σ, m) that consists of a group identity, a message m and a signature σ on m (valid for the group grpID), finds a pair (grpID, gsk) in grpIDs and then returns to the adversary userID ← Open(gsk, σ, m).

The experiment proceeds as follows:

Exp^{anon-b}_{Π,A}(1^k)
    (mpk, msk) ← Setup(1^k).
    (grpID*, userID_0, userID_1, m, state) ← A_1^{GrpSetUp(·), Join(·), Open(·)}(mpk)
    σ* ← Sign(m, usk), where ((grpID*, userID_b), usk) is an entry in userIDs.
    d ← A_2^{GrpSetUp(·), Join(·), Open(·)}(σ*, state).
    Return d = b.

The experiment only makes sense if the adversary is not allowed to call the GrpSetUp oracle on grpID* and is not allowed to call the Open oracle on (grpID*, σ*, m). We call such an adversary a proper one. We say that scheme Π is fully-anonymous if for any proper adversary A, its advantage

$\mathrm{Adv}^{anon}_{A,\Pi}(k) = \Pr\bigl[\mathrm{Exp}^{anon\text{-}1}_{A,\Pi}(k) = 1\bigr] - \Pr\bigl[\mathrm{Exp}^{anon\text{-}0}_{A,\Pi}(k) = 1\bigr]$

is negligible.

The second security property that we demand from group signatures is full-traceability: a signer, or a group of signers, cannot produce a valid signature which the group manager cannot trace to one of the signers. This is a notion which itself implies the notion of unforgeability of the resulting signatures. The game that we consider involves an adversary with similar powers to the one in the previous experiment. The adversary can set up groups, add users to groups, see signatures of users of his choice, and open arbitrary signatures. In this experiment, however, we keep track of the set of corrupt users (users for which the adversary learns the signing key). The goal of the adversary is to produce a valid signature on a message of his choosing which, when opened by the group manager, is not traced to one of the corrupt users.



Definition 4 (Full-Traceability). The experiment Exp^{trace}_{Π,A}(k) used to define full traceability of an IDGS scheme Π = (Setup, GrpSetUp, Join, Sign, Verify, Open) involves an adversary A. The experiment maintains three lists: corrgrpIDs keeps track of the corrupt identities in each of the groups of signers, while grpIDs and userIDs have the same use as in the experiment for anonymity. During the experiment the adversary may access the following four oracles:

– Oracle GrpSetUp(·) on input a query (grpID, type) ∈ IdSp × {h, c} checks the list grpIDs for an entry (grpID, gsk). If no such entry is found, the oracle executes gsk ← GrpSetUp(msk, grpID) and adds (grpID, gsk) to the list grpIDs. If type = c then the oracle returns gsk to the adversary (the group manager is corrupt); if type = h it returns nothing.

– Oracle Join(·) is given as input ((grpID, userID), type) ∈ (IdSp × IdSp) × {h, c}. If the list grpIDs does not contain an element of the form (grpID, gsk) then the oracle computes gsk via gsk ← GrpSetUp(msk, grpID) and adds (grpID, gsk) to grpIDs.

Assuming that grpIDs contains an element of the form (grpID, gsk), the oracle runs usk ← Join(gsk, userID) and adds the tuple ((grpID, userID), usk) to userIDs.

If type = c then the oracle adds (grpID, userID) to corrgrpIDs and returns usk.

– Oracle Sign on input a tuple ((grpID, userID), m) searches userIDs for an entry of the form ((grpID, userID), usk). If such an entry does not exist it returns ⊥. Otherwise, the oracle computes σ ← Sign(usk, m) and returns σ.

– Oracle Open on input a tuple (grpID, σ, m) searches grpIDs for an entry (grpID, gsk). If such an entry does not exist, it returns ⊥. Otherwise it returns the result of Open(gsk, σ, m).

The experiment that defines security is as follows:

Exp^{trace}_{Π,A}(k)
    (mpk, msk) ← Setup(1^k)
    (m, σ, grpID*) ← A^{GrpSetUp(·), Join(·), Sign(·), Open(·)}(mpk).
    Let gsk* = GrpSetUp(msk, grpID*)
    If Verify(m, σ, mpk, grpID*) = false or (grpID*, Open(gsk*, σ, m)) ∈ corrgrpIDs
        Then Return 0
        Else Return 1

The experiment only makes sense if the adversary does not request the group manager key for group grpID* (i.e. it does not make a query (grpID*, c) to the GrpSetUp oracle). We call such an adversary proper. The scheme Π is fully traceable if for any proper adversary its advantage, defined by

$\mathrm{Adv}^{trace}_{\Pi,A}(k) = \Pr\bigl[\mathrm{Exp}^{trace}_{\Pi,A}(k) = 1\bigr],$

is negligible.



5 Generic HIBE-Based Construction of an ID-Based Group Signature

In this section we detail a generic construction of an ID-based group signature from a HIBE.

Outline: The construction is based on the following idea. We set up a four-level HIBE and identify the root with the trusted authority that generates the parameters of the system. Then, the first level corresponds to the various groups of signers. To create a new group of signers with public key grpID, the trusted authority produces the secret key associated to the identity (grpID) in the HIBE and hands that over as the group manager's key. This key is used both for adding members to the group and for opening signatures to discover the underlying signer. To add a new group member userID to the group grpID, the group manager uses its secret key to compute the secret key associated to the hierarchical identity (grpID, userID). The resulting key d_(grpID,userID) is the key that user userID uses to sign messages on behalf of the group grpID. User userID, a member of the group grpID, signs a message m as follows: it selects a random basic identity rID in IdSp, computes a distilled key e associated to the identity (grpID, userID, m, rID), and then uses its secret key to compute the decryption key d associated to e. The pair (e, d) is part of the signature that is output. The idea here is that since the HIBE is random identity hiding, the key e does not reveal any information about (grpID, userID, m, rID), which is a random identity (due to the randomisation introduced by rID). We also need to ensure that the manager is able to recover the identity of the signer. For this we ask that the signer encrypts his identity under the identity of the group manager (i.e. under grpID) and then proves in zero-knowledge that the identity userID that has been encrypted under grpID is the same as the identity used in (grpID, userID, m, rID) to distill e. Here, we use a non-interactive proof obtained from a Σ-protocol via the Fiat–Shamir transform.

As pointed out in the introduction, one could avoid the random oracle by using a non-interactive simulation-sound zero-knowledge protocol. However, finding practically efficient instantiations of such proofs for the language that we need for our construction seems to be difficult. Moreover, using the random oracle model not only produces a gain in efficiency; the proof also becomes conceptually simpler due to the stronger properties of the proof of knowledge. Secondly, our specific construction via the BBG HIBE uses the random oracle model, so using the random oracle model in the overall construction does not lose us anything. We point out, however, that a proof of the generic construction in the standard model can be given.

The construction: We first define the NP-language that captures the desired relation between distilled keys and encrypted identities sketched above. For a fixed public key mpk, part of the parameters of a HIBE scheme (Setup, Distill, Encr, Extr, Decrypt), and a bijection f between the space of basic identities IdSp and the plaintext space of the HIBE, we define the following NP relation:



$R\bigl((e, enc, grpID, m), (userID, rID, r)\bigr) = 1$

if and only if

$e = \mathrm{Distill}((grpID, userID, m, rID), mpk) \;\wedge\; enc = \mathrm{Encrypt}(grpID, f(userID); r).$

Informally, an element (e, enc, grpID, m) of the language L_R defined by the relation R in the usual way satisfies the property that the user identity userID used to obtain the distilled key e equals the identity that has been encrypted under grpID to produce the ciphertext enc.

Given a canonical HIBE scheme (Setup_H, Distill, Extr, Encr, Decrypt), a Σ-protocol (P, V) for the language L_R above, and a hash function H (which we model as a random oracle), we construct an ID-based group signature scheme GS(HIBE, (P, V), H) = (Setup_G, GrpSetUp, Join, Sign, Verify, Open).

Setup_G(1^k)
    (mpk, msk) ← Setup_H(1^k, 4)
    Return (mpk, msk)

GrpSetUp(msk, grpID)
    e ← Distill((grpID), mpk)
    d_grpID ← Extr(msk, e)
    Return (grpID, d_grpID)

Join((grpID, d_grpID), userID)
    e ← Distill((grpID, userID), mpk)
    d ← Extr(d_grpID, e)
    Return (grpID, userID, d)

Sign(m, (grpID, userID, d_ID))
    rID ← IdSp
    e ← Distill((grpID, userID, m, rID), mpk)
    d ← Extr(d_ID, e)
    enc ← Encrypt(mpk, grpID, f(userID); r)
    π ← FS_P((e, enc, grpID, m), (userID, rID, r))(m)
    Return (e, d, enc, π)

Verify(m, σ, mpk, grpID)
    Parse σ as (e, d, enc, (r, s)).
    If V(r, H(mpk‖e‖enc‖m‖r), s) = 0
        Then Return 0
    Else
        m' ← M
        If m' = Decrypt(d, Encr(e, m'))
            Then Return 1
            Else Return 0

Open(gsk, σ, m)
    Parse σ as (e, d, enc, (r, s))
    Output f^{-1}(Decrypt(gsk, enc))

Fig. 1. Generic construction of an ID-based group signature scheme from a canonical HIBE

The algorithms are summarised in Figure 1. They work as follows.

Setup. The parameter setup algorithm Setup_G simply runs the setup algorithm for the underlying HIBE scheme, and sets up a 4-level HIBE with public key mpk and secret key msk. The secret key of the trusted authority is set to msk.

Group setup. To set up a new group for identity grpID, the authority hands over to the group manager the secret key d_grpID associated to the hierarchical identity (grpID). User userID is added to the group of signers with public identity grpID by giving him the key d_(grpID,userID) associated to the hierarchical identity (grpID, userID). Notice that this key enables the user userID to compute the associated key of any hierarchical identity of which (grpID, userID) is a parent.



Signing. To produce a signature on message m, user userID distills the public key e associated to (grpID, userID, m, rID) (for a randomly chosen rID) and uses his secret key to compute an associated decryption key d. Next, he encrypts the identity userID under the identity of the group. Finally, he uses the Fiat–Shamir transform to produce a non-interactive zero-knowledge proof Σ that (e, enc, grpID, m) belongs to the language L_R described above. The signature is then (e, d, enc, Σ).

Verification. A signature (e, d, enc, Σ) for message m and public key grpID is verified by first checking that Σ proves that (e, enc, grpID, m) ∈ L_R, and then checking that d is a valid decryption key for e. The second part of the verification is done by encrypting a random message under e and decrypting the resulting ciphertext with d.

Open. To open a signature (e, d, enc, Σ) for message m, the group manager of grpID decrypts enc using his secret key, and obtains the encrypted identity, which it then outputs.

Instantiation based on BBG HIBE. In Appendix A we present our generic construction applied to the BBG HIBE in detail.

6 Security of Our Construction

In this section we discuss the security of our generic construction. We start with the anonymity property. The intuition here is that a signature (e, d, enc, Σ) does not leak information about the identity of its creator since e is obtained from a random identity, the encryption enc hides its underlying plaintext, and Σ is a zero-knowledge proof. Since our construction uses the Fiat–Shamir heuristic, in addition to the above conditions we also need to require that the underlying proof system has high-entropy commitments and challenges (or alternatively, that the commitments and challenges are distributed uniformly over large enough spaces). These requirements ensure that rewinding strategies work in extracting the necessary secrets.

Theorem 2. Let HIBE be a HIBE scheme, (P, V) a proof system for the language L_R (defined above), and H a random oracle. If HIBE is an IND-ID-CCA (respectively IND-ID-CPA) HIBE scheme which is random identity hiding, the proof system (P, V) has high-entropy commitments and challenges, and satisfies special soundness and special zero-knowledge, then GS(HIBE, (P, V), H) is a fully-anonymous (respectively fully-anonymous under CPA attacks) identity-based group signature scheme.

Proof. The proof can be found in the full version of this paper.

Next we show that our scheme is fully-traceable. The intuition is that the signature produced by a coalition of signers needs to contain the encryption enc of some identity userID. At the same time, in a well-formed signature the distilled key e that is part of the signature has to be obtained from a hierarchical identity of the form (grpID, userID, m, rID) for the same userID as encrypted in enc. However, the only way one can compute a key d associated to e is if one knows the secret key associated to some identity on the path from the root to (grpID, userID, m, rID).

Theorem 3. Let HIBE be a HIBE, (P, V) a proof system for the language L_R and H a random oracle. If HIBE is an IND-ID-CCA secure HIBE, and (P, V) satisfies special soundness and has high-entropy challenges, then GS(HIBE, (P, V), H) is fully-traceable.

Proof. The proof can be found in the full version of this paper.

7 Extensions: Standard and Hierarchical Group Signatures from HIBE

We conclude with an application of the core idea of our paper to a couple of extensions. Recall that the structure that we use to set up identity-based group signatures is as follows. We use a four-level HIBE scheme where on the first level we place group identities, on the second level we place user identities, on the third level messages to be signed, while the fourth level is reserved for a randomiser. The group manager of group grpID can add user userID to the group by handing over the secret key associated to the hierarchical identity (grpID, userID). A signature by this user on a message m is then a pair of encryption and decryption keys that correspond to the hierarchical identity (grpID, userID, m, rID), together with extra information to allow for the recovery of the signer and to ensure that the signature is well-formed.

Standard group signatures. The first observation that we make is that by eliminating the first layer, that of group identities, we obtain a standard group signature in a non-PKI setting. More precisely, the public key of the group is the public key mpk of the underlying HIBE. The group manager, who has the corresponding secret key msk, adds users by extracting the secret keys associated to their identities. Signatures can then be formed as before, with the difference that the encryption enc is under mpk, as opposed to the group identity. The resulting scheme shares with standard group signature schemes the idea of having a "standard" public key, and with ID-based signature schemes, as defined in this paper (and as previously considered in the literature), the idea that parties are identified by unstructured identities. The intuition regarding the security of the resulting scheme follows the same lines as that of the construction we detailed in this paper.

Hierarchical group signatures. The second extension that we propose is to hierarchical group signatures. Here, we would like groups of signers to be organised in a hierarchy so that users at the lower level can sign on behalf of any of the groups to which they belong. For example, in a university UniId, one could have subgroups faculty and admin. The faculty could then be divided into research groups research1, research2, ..., whereas the admin group could be split into specialised departments finance, undergraduate, .... Finally, individual users user1, user2, ... belong to one of these lower-level subgroups. In a hierarchical identity based group signature, we would like that managers of groups be permitted to add users to the group that they manage, or to any of their group's subgroups. Also, we would like for a user to be able to produce, anonymously, signatures for any of the groups to which he belongs. Finally, a group manager should be able to open signatures created by any of the users in the group that it manages, no matter on behalf of which of the subgroups of the group the signature was produced.

Our construction can be easily extended to this more complex setting. Instead of working with a four-level HIBE, we work with a (k + 4)-level HIBE, where k is the maximal nesting depth of subgroups below a top-level group (for k = 0 we fall back on the setting of our main construction). The construction that we suggest is to place the group identities on the first k + 1 levels, in a way that reflects the desired hierarchy. Creating new groups and adding group members is then done as before: the group manager extracts a key for the appropriate hierarchical identity. For example, the manager of the group UniId creates the group faculty by extracting the key associated to the hierarchical identity (UniId, faculty). The key of a user would be the key associated to (level_1, level_2, ..., level_{k+1}, user). Signatures in this construction generalise ours, with one exception. The user can choose for which of the groups to which it belongs it produces the signature, and in particular under which of the subgroup identities it encrypts his own identity. There is flexibility also in who can open a signature: any group manager whose identity is a parent of the one under which the user encrypts his identity can identify the signer. For our example, a faculty member that belongs to the group research1 can sign on behalf of that group, on behalf of the whole group faculty, or on behalf of the university UniId. Furthermore, only the manager of the group for which the signature is produced (or a parent of that manager) can identify the signer. The security of this construction relies on the same basic idea as that of our main construction in this paper.

Acknowledgements. The authors would like to thank G. Neven for various discussions whilst the work in this paper was carried out. The authors would like to acknowledge the support of the eCrypt-2 Network of Excellence. The first author was supported by a Royal Society Wolfson Merit Award.

References

1. Abdalla, M., Dent, A.W., Malone-Lee, J., Neven, G., Phan, D.H., Smart, N.P.: Identity-based traitor tracing. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 361–376. Springer, Heidelberg (2007)

2. Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.-J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005)

3. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)

4. Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)

5. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)

6. Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)

7. Boyen, X., Waters, B.: Compact group signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)

8. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004)

9. Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2003)

10. Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006)

11. Chen, L., Cheng, Z., Malone-Lee, J., Smart, N.P.: Efficient ID-KEM based on the Sakai-Kasahara key construction. IEE Proceedings - Information Security 153, 19–26 (2006)

12. Chen, X., Zhang, F., Kim, K.: A new ID-based group signature scheme from bilinear pairings. IACR e-Print (2003), http://eprint.iacr.org/2003/116.pdf

13. Cocks, C.: An identity-based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001)

14. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002)

15. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)

16. Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003)

17. Han, S., Wang, J., Liu, W.: An efficient identity-based group signature scheme over elliptic curves. In: Freire, M.M., Chemouil, P., Lorenz, P., Gravey, A. (eds.) ECUMN 2004. LNCS, vol. 3262, pp. 417–429. Springer, Heidelberg (2004)

18. Park, S., Kim, S., Won, D.: ID-based group signature. Electronics Letters 33, 1616–1617 (1997)

19. Popescu, C.: An efficient ID-based group signature scheme. Studia Univ. Babes-Bolyai Info. 47, 29–36 (2002)

20. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan (January 2000)

21. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing over elliptic curve (in Japanese). In: The 2001 Symposium on Cryptography and Information Security, Oiso, Japan (January 2001)

22. Sakai, R., Kasahara, M.: ID based cryptosystems with pairing on elliptic curve. Cryptology ePrint Archive, Report 2003/054 (2003)

23. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)

24. Trolin, M., Wikstrom, D.: Hierarchical group signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 446–458. Springer, Heidelberg (2005)

25. Tseng, Y., Jan, J.: A novel ID-based group signature. In: Int. Comp. Symp. on Crypto and Info. Sec., pp. 159–164 (1998)

26. Waters, B.R.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

27. Wei, V.K., Yuen, T.H., Zhang, F.: Group signature where group manager, members and open authority are identity-based. In: Boyd, C., Gonzalez Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 468–480. Springer, Heidelberg (2005)

A Instantiation Using the BBG HIBE

In this appendix we detail how our generic construction applies to the BBG HIBE. A similar construction can be given for other HIBE constructions, by following the same basic principles.

Our explicit constructions are all based on an asymmetric pairing t : G × Ĝ → G_T between three groups of prime order q. We assume that G = ⟨g⟩ and Ĝ = ⟨ĝ⟩. Elements of G will be denoted by lower case letters a, b, c etc., elements of Ĝ will be denoted by â, b̂, ĉ etc., and elements of G_T will be denoted by gothic letters 𝔞, 𝔟, 𝔠 etc.

The original Boneh–Boyen–Goh HIBE is proved secure in the selective-ID setting; this is turned into full security by replacing the identities with calls to a hash function, which is then modelled as a random oracle. Hence, to obtain a group signature scheme which is anon-ID-CPA secure we introduce a hash function G to hash the identities to elements of Z_q. We also require a hash function H : {0, 1}* → Z_q for our proof of knowledge, which we also model as a random oracle.

In addition, the following scheme is only secure in the sense of anon-ID-CPA, i.e. Open queries are not allowed to the adversary. A fully secure version is possible to construct, but we present the simpler version here for clarity.

We have also performed some elementary optimisations on the scheme which results from the generic construction. These do not affect security, but make use of the properties of the Distill function of the BBG HIBE. In particular the signature only contains the unknown part of the Distill output, since the other, public, part can be reconstructed by the verifier. This not only makes the presentation simpler, it also simplifies the proof of knowledge.



A.1 The Required Proof of Knowledge

We present the proof of knowledge and its verification which are required in the Sign and Verify operations. To aid exposition we set

$f = u_0 \cdot u_1^{G(grpID)} \quad\text{and}\quad \mathfrak{g} = t(h_1, g_2).$

Our proof of knowledge is then given by the underlying Σ-protocol for the language

$L = \bigl\{\, c_6 = u_2^{x} \cdot u_4^{y} \;\wedge\; e_1 = g^{z} \;\wedge\; e_2 = f^{z} \;\wedge\; e_3 = \mathfrak{n}^{x} \cdot \mathfrak{g}^{z} \;:\; (x, y, z) \,\bigr\},$

where all values bar x, y, z are public. The naming of the variables is to aid the reader in seeing how this proof fits in with the variables in the ID-based group signature below.

Standard techniques provide the following construction of a non-interactive proofof knowledge, assuming H is modelled as a random oracle.

Prover's Algorithm: The prover generates k_1, k_2, k_3 ∈ Z_q at random and sets

$r_1 \leftarrow u_2^{k_1} \cdot u_4^{k_2},\qquad r_2 \leftarrow g^{k_3},\qquad r_3 \leftarrow f^{k_3},\qquad r_4 \leftarrow \mathfrak{n}^{k_1} \cdot \mathfrak{g}^{k_3}.$

Then the prover computes

$c \leftarrow H(grpID \,\|\, u_0 \,\|\, u_1 \,\|\, u_2 \,\|\, u_4 \,\|\, g \,\|\, f \,\|\, \mathfrak{n} \,\|\, \mathfrak{g} \,\|\, c_6 \,\|\, e_1 \,\|\, e_2 \,\|\, e_3 \,\|\, r_1 \,\|\, r_2 \,\|\, r_3 \,\|\, r_4).$

Finally the prover computes

$s_1 \leftarrow k_1 + c \cdot x,\qquad s_2 \leftarrow k_2 + c \cdot y \qquad\text{and}\qquad s_3 \leftarrow k_3 + c \cdot z.$

The proof of knowledge is then given by (c, s_1, s_2, s_3).

Verifier's Algorithm: To verify the proof the verifier computes the values

$r'_1 \leftarrow u_2^{s_1} \cdot u_4^{s_2} \cdot c_6^{-c},\qquad r'_2 \leftarrow g^{s_3} \cdot e_1^{-c},\qquad r'_3 \leftarrow f^{s_3} \cdot e_2^{-c},\qquad r'_4 \leftarrow \mathfrak{n}^{s_1} \cdot \mathfrak{g}^{s_3} \cdot e_3^{-c},$

and then checks whether

$c = H(grpID \,\|\, u_0 \,\|\, u_1 \,\|\, u_2 \,\|\, u_4 \,\|\, g \,\|\, f \,\|\, \mathfrak{n} \,\|\, \mathfrak{g} \,\|\, c_6 \,\|\, e_1 \,\|\, e_2 \,\|\, e_3 \,\|\, r'_1 \,\|\, r'_2 \,\|\, r'_3 \,\|\, r'_4).$

A.2 An ID-Based Group Signature from the BBG HIBE

Setup(1^k): The trusted authority chooses random values g_2, u_0, u_1, u_2, u_3, u_4 ∈ G and a value α ∈ Z_q. The trusted authority then computes h_1 ← g^α, h_2 ← g_2^α, generates an element 𝔫 at random from G_T, and sets

$mpk \leftarrow (g, g_2, h_1, u_0, u_1, u_2, u_3, u_4, \mathfrak{n}) \qquad\text{and}\qquad msk \leftarrow h_2.$



GrpSetUp(grpID, msk): On input of a group identifier string grpID, the trusted authority generates a random value r_1 ∈ Z_q and sets gsk ← (a_0, a_2, a_3, a_4, a_5), where

$a_0 \leftarrow h_2 \cdot \bigl(u_0 \cdot u_1^{G(grpID)}\bigr)^{r_1},\qquad a_2 \leftarrow u_2^{r_1},\qquad a_3 \leftarrow u_3^{r_1},\qquad a_4 \leftarrow u_4^{r_1},\qquad a_5 \leftarrow g^{r_1}.$

Extract(userID, gsk): On input of a user identifier string userID the group manager takes its key gsk = (a_0, a_2, a_3, a_4, a_5), generates a random value r_2 ∈ Z_q, and computes the user secret key via usk ← (b_0, b_3, b_4, b_5) where

$$\begin{aligned}
b_0 &\leftarrow a_0 \cdot a_2^{G(userID)} \cdot \bigl(u_0 \cdot u_1^{G(grpID)} \cdot u_2^{G(userID)}\bigr)^{r_2} \\
&= h_2 \cdot \bigl(u_0 \cdot u_1^{G(grpID)}\bigr)^{r_1} \cdot u_2^{r_1 \cdot G(userID)} \cdot \bigl(u_0 \cdot u_1^{G(grpID)} \cdot u_2^{G(userID)}\bigr)^{r_2} \\
&= h_2 \cdot \bigl(u_0 \cdot u_1^{G(grpID)} \cdot u_2^{G(userID)}\bigr)^{r_1 + r_2},
\end{aligned}$$

$b_3 \leftarrow a_3 \cdot u_3^{r_2} = u_3^{r_1 + r_2},\qquad b_4 \leftarrow a_4 \cdot u_4^{r_2} = u_4^{r_1 + r_2},\qquad b_5 \leftarrow a_5 \cdot g^{r_2} = g^{r_1 + r_2}.$

Sign(m, usk): To sign a message $m \in \mathbb{Z}_q$ using the secret key $\mathrm{usk} = (b_0, b_3, b_4, b_5)$ the user generates a random value $r_3 \in \mathbb{Z}_q$ and a random identity $r_4$. The value $r_3$ acts very much like the values $r_1$ and $r_2$ in the GrpSetUp and Extract algorithms, whilst the value $r_4$ is used to create a blinding identity, so as to maintain user anonymity. In addition the signer picks a further random value $k \in \mathbb{Z}_q$, so as to encrypt its identity to the group manager. A signature is given by
$$\sigma \leftarrow (c_0, c_5, c_6, e_1, e_2, e_3, \Sigma)$$
where
$$\begin{aligned}
c_0 &\leftarrow b_0 \cdot b_3^{m} \cdot b_4^{G(r_4)} \cdot \bigl(u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_2^{G(\mathrm{userID})} \cdot u_3^{m} \cdot u_4^{G(r_4)}\bigr)^{r_3} \\
&= h_2 \cdot \bigl(u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_2^{G(\mathrm{userID})}\bigr)^{r_1+r_2} \cdot u_3^{m(r_1+r_2)} \cdot u_4^{G(r_4)(r_1+r_2)} \cdot \bigl(u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_2^{G(\mathrm{userID})} \cdot u_3^{m} \cdot u_4^{G(r_4)}\bigr)^{r_3} \\
&= h_2 \cdot \bigl(u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_2^{G(\mathrm{userID})} \cdot u_3^{m} \cdot u_4^{G(r_4)}\bigr)^{r_1+r_2+r_3},
\end{aligned}$$
$$c_5 \leftarrow b_5 \cdot g^{r_3} = g^{r_1+r_2+r_3},\qquad c_6 \leftarrow u_2^{G(\mathrm{userID})} \cdot u_4^{G(r_4)},$$
$$e_1 \leftarrow g^{k},\qquad e_2 \leftarrow \bigl(u_0 \cdot u_1^{G(\mathrm{grpID})}\bigr)^{k},\qquad e_3 \leftarrow n^{G(\mathrm{userID})} \cdot t(h_1, g_2)^{k},$$
$$\Sigma \leftarrow \mathrm{POK}\Bigl(c_6 = u_2^{x} \cdot u_4^{y} \;\wedge\; e_1 = g^{z} \;\wedge\; e_2 = \bigl(u_0 \cdot u_1^{G(\mathrm{grpID})}\bigr)^{z} \;\wedge\; e_3 = n^{x} \cdot t(h_1, g_2)^{z} \;:\; (G(\mathrm{userID}), G(r_4), k)\Bigr).$$

Note that the value of $t(h_1, g_2)$ can be precomputed; we denote this value by $\mathfrak{g}$ in what follows, and it is the $\mathfrak{g}$ appearing in the proof of knowledge above. Thus signing requires no pairing computations.


170 N.P. Smart and B. Warinschi

Verify(m, σ, mpk, grpID): We verify the signature by essentially encrypting a random message under the underlying HIBE and then checking whether it decrypts to the correct value. On input of a signature $\sigma = (c_0, c_5, c_6, e_1, e_2, e_3, \Sigma)$ on a message $m$, as issued by a member of the group grpID, the verifier generates random values $t \in \mathbb{Z}_q$ and $\mathbf{m} \in G_T$ (written in bold to distinguish it from the signed message $m$) and computes
$$d_1 \leftarrow g^{t},\qquad d_2 \leftarrow \bigl(u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_3^{m} \cdot c_6\bigr)^{t},\qquad d_3 \leftarrow \mathbf{m} \cdot t(h_1, g_2)^{t}.$$
The verifier then checks whether
$$\mathbf{m} = d_3 \cdot \frac{t(c_5, d_2)}{t(d_1, c_0)}$$
and verifies the POK $\Sigma$.

That a valid signature will verify follows from the following set of equations, where $r = r_1 + r_2 + r_3$:
$$\begin{aligned}
\frac{t(c_5, d_2)}{t(d_1, c_0)}
&= \frac{t\bigl(g^{r}, (u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_3^{m} \cdot c_6)^{t}\bigr)}{t\bigl(g^{t}, h_2 \cdot (u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_2^{G(\mathrm{userID})} \cdot u_3^{m} \cdot u_4^{G(r_4)})^{r}\bigr)} \\
&= \frac{t\bigl(g^{r}, (u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_2^{G(\mathrm{userID})} \cdot u_3^{m} \cdot u_4^{G(r_4)})^{t}\bigr)}{t\bigl(g^{t}, h_2 \cdot (u_0 \cdot u_1^{G(\mathrm{grpID})} \cdot u_2^{G(\mathrm{userID})} \cdot u_3^{m} \cdot u_4^{G(r_4)})^{r}\bigr)} \\
&= \frac{1}{t(g^{t}, h_2)} = \frac{1}{t(g^{t}, g_2^{\alpha})} = \frac{1}{t(g^{\alpha}, g_2)^{t}} = \frac{1}{t(h_1, g_2)^{t}}.
\end{aligned}$$

Open(gsk, σ): On input of a valid signature $\sigma = (c_0, c_5, c_6, e_1, e_2, e_3, \Sigma)$ the group manager computes
$$\begin{aligned}
t \leftarrow \frac{t(e_1, a_0)}{t(a_5, e_2)}
&= \frac{t\bigl(g^{k}, h_2 \cdot (u_0 \cdot u_1^{G(\mathrm{grpID})})^{r_1}\bigr)}{t\bigl(g^{r_1}, (u_0 \cdot u_1^{G(\mathrm{grpID})})^{k}\bigr)} \\
&= \frac{t(g^{k}, h_2) \cdot t\bigl(g^{r_1}, (u_0 \cdot u_1^{G(\mathrm{grpID})})^{k}\bigr)}{t\bigl(g^{r_1}, (u_0 \cdot u_1^{G(\mathrm{grpID})})^{k}\bigr)} \\
&= t(g^{k}, h_2) = t(h_1, g_2)^{k}.
\end{aligned}$$
The group manager then goes through all user identifiers userID issued to the group grpID and checks which one satisfies the equation
$$e_3 = n^{G(\mathrm{userID})} \cdot t.$$


Forward-Secure Group Signatures from Pairings

Toru Nakanishi, Yuta Hira, and Nobuo Funabiki

Department of Communication Network Engineering, Okayama University,3-1-1 Tsushima-Naka, Okayama 700-8530, Japan{nakanisi,funabiki}@cne.okayama-u.ac.jp

Abstract. To reduce the damage of key exposures, forward-secure group signature schemes were first proposed by Song. In forward-secure schemes, the secret key of a group member is updated by a one-way function every interval and the previous secret key is erased. Thus, even if a secret key is exposed, the signatures produced by the secret keys of previous intervals remain secure. Since the previous forward-secure group signature schemes are based on the strong RSA assumption, their signatures are longer than pairing-based group signatures. In addition, the complexity of the key update or of signing/verification is O(T), where T is the total number of intervals. In this paper, a forward-secure group signature scheme from pairings is proposed. The complexity of our key update and signing/verification is O(log T).

Keywords: anonymity, group signatures, forward-security, pairings.

1 Introduction

1.1 Backgrounds and Previous Works

Group signatures [11] allow a signer to sign a message anonymously as a group member. The difference from ring signatures [17], which have similar characteristics, is the involvement of entities with special authority. One of the entities is a group manager (GM) who permits a user to join the group. The other is an opening manager (OM) who can identify the signer from the signature, in case of disputes. The applications of group signatures include anonymous credentials, direct anonymous attestation, and ID management, as reported in [9,8,16].

Toward making group signatures practicable, Boneh et al. have proposed a short group signature scheme from pairings [5], where signatures are shorter than in existing RSA-based group signature schemes. With the advance of implementations of pairings (e.g., [1,15]), we can obtain implementations of group signatures with practical computation times and data sizes.

One of the great threats to cryptosystems is exposure of secret keys. This may happen through viruses, human error and so on. One of the cryptographic countermeasures to reduce the damage of the exposure is forward security. In the case of group signatures, a forward-secure group signature scheme has been proposed by Song in [18]. In the forward-secure scheme, the secret key of a signer is updated every interval using a one-way function. Let $\mathrm{usk}_t$ be the secret key at interval $t$ for $0 \le t \le T$, where $T$ is the total number of intervals. The signer initially obtains $\mathrm{usk}_0$. At the beginning of interval $t$, the user updates $\mathrm{usk}_{t-1}$ to $\mathrm{usk}_t$. At the update, $\mathrm{usk}_{t-1}$ is deleted, and cannot be restored due to the one-wayness. The signature at interval $t$ is computed using $\mathrm{usk}_t$. Then, consider the exposure of $\mathrm{usk}_t$ at interval $t$. Since the keys of intervals before the exposure cannot be obtained even by the signer, signatures of intervals before the exposure cannot be forged. Thus, the damage of the exposure is reduced.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 171–186, 2009. © Springer-Verlag Berlin Heidelberg 2009

In [18], two forward-secure group signature schemes (Scheme I and Scheme II) were first proposed, both based on the strong RSA assumption. Since 2,048 bits or more are currently required for the RSA assumption, one weakness of the previous schemes is that the signatures are long. Another problem is the asymptotic efficiency w.r.t. T (the total number of time intervals). In Scheme I, the signing and verification algorithms are inefficient due to O(T) complexity. In Scheme II, the key update algorithm has O(T) complexity.

On the other hand, in the setting of public-key encryption, an efficient forward-secure scheme has been proposed in [10], where the complexity of all algorithms (and the sizes of all parameters) is O(log T).

Remark 1. In [21], a forward-secure scheme has been proposed, but [19] showsthat the scheme is insecure.

1.2 Our Contributions

This paper proposes a forward-secure group signature scheme from pairings. In our scheme, the signing/verification and key-update algorithms all have O(log T) complexity. Our scheme is constructed on the basis of the Boyen-Waters pairing-based group signature scheme [7]. Although the underlying scheme utilizes groups of composite order, our scheme utilizes groups of prime order to achieve greater efficiency. In addition, we employ a binary tree approach similar to [10] to obtain O(log T) efficiency. We formally define forward-secure traceability, which implies forward-secure unforgeability in the setting of group signatures, and prove that our construction satisfies this security notion.

2 Model and Security Definitions

A forward-secure group signature scheme consists of the following algorithms:

KeyGen: This probabilistic key generation algorithm for GM and OM, on inputs the security parameter $1^{\ell}$, the maximum time $T$, and $N$, the maximum number of members, outputs the group public key gpk, GM's master secret key msk, OM's secret key osk, and the members' initial secret keys $\mathrm{usk}_0[i]$ for all $i \in [1, N]$.

KeyUpdate: This probabilistic algorithm, on inputs gpk, $\mathrm{usk}_{t-1}[i]$ (member $i$'s secret key at time $t-1$), and the time $t$, outputs the secret key $\mathrm{usk}_t[i]$ at time $t$.


Sign: This probabilistic algorithm, on inputs gpk, uskt[i], t, and signed messageM , outputs the signature σ.

Verify: This is a deterministic algorithm for verification. The input is gpk, t, asignature σ, and the message M . Then the output is ’valid’ or ’invalid’.

Open: This deterministic algorithm, on inputs gpk, osk, $t$, $\sigma$ and $M$, outputs $i$, which indicates the signer of $\sigma$.

The security requirements, forward-secure traceability and CPA-anonymity aredefined as follows.

Forward-Secure Traceability. The conventional traceability [2] requirement captures the unforgeability of group signatures. This new requirement additionally captures forward security. Consider the following forward-secure traceability game between an adversary $\mathcal{A}$ and a challenger, where $\mathcal{A}$ tries to forge a signature that cannot be traced to one of the members corrupted by $\mathcal{A}$, or to forge a signature at interval $t^*$ that is traced to a member corrupted by $\mathcal{A}$ at an interval $t$ s.t. $t > t^*$.

Setup: The challenger runs KeyGen, and obtains gpk, msk, osk and $\mathrm{usk}_0[i]$ for all $i \in [1, N]$. He provides $\mathcal{A}$ with gpk and osk, and runs $\mathcal{A}$. He sets $t = 0$ and $CU = \emptyset$, where $CU$ denotes the set of IDs of users corrupted by $\mathcal{A}$.

Queries: At the beginning of every interval $t \in [1, T]$, the challenger announces the beginning of $t$ to $\mathcal{A}$, where $t$ is incremented. At the current interval $t$, $\mathcal{A}$ can query the challenger about the following.

Signing: $\mathcal{A}$ requests a signature on a message $M$ for a member $i$. The challenger responds with the corresponding signature at the current $t$, if $i \notin CU$.

Corruption: $\mathcal{A}$ requests the secret key of a member $i$ at the current $t$. The challenger responds with $\mathrm{usk}_t[i]$ if $i \notin CU$. The challenger adds $i$ to $CU$.

Output: At the current interval $t$, $\mathcal{A}$ stops and outputs a message $M^*$ and a signature $\sigma^*$ at the target interval $t^* \in [0, T]$ that $\mathcal{A}$ chooses.

Then, $\mathcal{A}$ wins if

1. Verify(gpk, $t^*$, $\sigma^*$, $M^*$) = valid,
2. $\mathcal{A}$ did not obtain $\sigma^*$ by making a signing query on $M^*$, and
3. for $i^* = \mathrm{Open}(\mathrm{gpk}, \mathrm{osk}, t^*, \sigma^*, M^*)$,
   (a) $i^* \notin CU$, or
   (b) $i^* \in CU$ but $\mathcal{A}$ did not obtain $\mathrm{usk}_t[i^*]$ for any $t \le t^*$.

Forward-secure traceability requires that for all PPT A, the probability thatA wins the forward-secure traceability game is negligible.

CPA-Anonymity. By analogy with IND-CCA2 security of public-key encryption, the anonymity of group signatures is defined in [2]. On the other hand, in [5], a relaxed definition capturing IND-CPA security is adopted. Since our scheme follows the opening mechanism of [5], its anonymity satisfies the relaxed version, called CPA-anonymity. Since our extension from the underlying scheme to the forward-secure scheme does not have a great influence on the anonymity, CPA-anonymity is only informally defined here.

Consider an adversary given access to the signing oracle and the corruption oracle. In the case of CPA-anonymity, it is not allowed to access the opening oracle. Then, the adversary tries to decide whether a challenge signature on a message is issued by user $i_0$ or $i_1$, where the message, $i_0$ and $i_1$ are chosen by the adversary. CPA-anonymity requires that no adversary can decide this with probability non-negligibly above 1/2.

3 Preliminaries

3.1 Bilinear Groups

Our scheme utilizes the following bilinear groups:

1. $G$ and $T$ are multiplicative cyclic groups of prime order $p$,
2. $g$ is a randomly chosen generator of $G$,
3. $e$ is an efficiently computable bilinear map $e: G \times G \to T$, i.e., (1) for all $u, u', v, v' \in G$, $e(uu', v) = e(u, v)\,e(u', v)$ and $e(u, vv') = e(u, v)\,e(u, v')$, and thus for all $u, v \in G$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$, and (2) $e(g, g) \neq 1$.

3.2 Assumptions

Our scheme is based on the q-HSDH assumption [7].

Definition 1 (Hidden Strong DH (q-HSDH) assumption). For all PPT algorithms $\mathcal{A}$, the probability
$$\Pr\Bigl[\mathcal{A}\bigl(g, h, g^{\theta}, (g^{1/(\theta+\xi_1)}, g^{\xi_1}, h^{\xi_1}), \ldots, (g^{1/(\theta+\xi_q)}, g^{\xi_q}, h^{\xi_q})\bigr) = (g^{1/(\theta+\xi)}, g^{\xi}, h^{\xi}) \;\wedge\; \forall i \in [1, q]: g^{\xi} \neq g^{\xi_i}\Bigr]$$
is negligible, where $g, h \in_R G$ and $\theta, \xi_i, \xi \in_R \mathbb{Z}_p$.

In addition, we utilize the DLIN assumption [5].

Definition 2 (Decision Linear (DLIN) assumption). For all PPT algorithms $\mathcal{A}$, the probability
$$\bigl|\Pr[\mathcal{A}(g, h, f, g^{\theta}, h^{\xi}, f^{\theta+\xi}) = 0] - \Pr[\mathcal{A}(g, h, f, g^{\theta}, h^{\xi}, f^{\zeta}) = 0]\bigr|$$
is negligible, where $g, h, f \in_R G$ and $\theta, \xi, \zeta \in_R \mathbb{Z}_p$.

3.3 Proving Relations on Representations

As in [5,6,12], we adopt signatures converted by the Fiat-Shamir heuristic from zero-knowledge proofs of knowledge (PK). We call these signatures SPKs. The SPKs we adopt are generalizations of the Schnorr signature. We introduce the following notation.


$$\mathrm{SPK}\{(x_1, \ldots, x_t) : R(x_1, \ldots, x_t)\}(M),$$
which means a signature on message $M$ by a signer who knows secret values $x_1, \ldots, x_t$ satisfying a relation $R(x_1, \ldots, x_t)$. This paper utilizes an SPK proving knowledge of a representation of $C \in G$ to the bases $g_1, g_2, \ldots, g_t \in G$ on message $M$, which is denoted as
$$\mathrm{SPK}\{(x_1, \ldots, x_t) : C = g_1^{x_1} \cdots g_t^{x_t}\}(M).$$
This can also be constructed on the group $T$. The SPK can be extended to proving multiple representations with equal parts.

4 Proposed Scheme

4.1 Construction Idea

A conventional group signature scheme is informally as follows. When a member joins, GM issues the member a membership certificate $S = \mathrm{Sign}(x)$, where Sign is a signing function of GM and $x$ is a value that is unique to each member. Then, the group signature consists of $E = \mathrm{Enc}(x)$, where Enc is an encryption function using OM's public key, and the following SPK on the signed message $M$.

SPK{(x, S) : S = Sign(x) ∧ E = Enc(x)}(M).

Note that (x, S) is a secret key of the member. When opening the group signa-ture, the manager decrypts E.

On the other hand, in the setting of ordinary public-key encryption (or signatures), an efficient forward-secure scheme has been invented in [10], which is constructed from an HIBE (Hierarchical Identity-Based Encryption). The scheme achieves at most logarithmic dependency on T by using an HIBE-like key update based on a binary tree approach. Thus, if the secret key $(x, S)$ in the group signature can be updated by using the HIBE-like key update, we can obtain a forward-secure group signature by a methodology similar to [10].

Now, let us examine concrete underlying group signature schemes. The first candidate is the state-of-the-art pairing-based group signature scheme due to Boneh et al. [5]. In the scheme, a BB signature [4] is used as the certificate $\mathrm{Sign}(x)$, and the signature is computed as $g^{1/(X+x)}$, where $X \in_R \mathbb{Z}_p$ is the secret key of GM and $g \in G$, $Y = g^{X}$ are the corresponding public key. We consider updating the signed secret $x$, since it is not easy to update the signature $g^{1/(X+x)}$. However, in the underlying HIBEs such as [13,3,20], the master key is $g^{x}$ where the exponent $x$ should be unknown. Thus, it is not simple to adapt it to the group signature scheme [5], where the member has to know the exponent.

The next candidate is Boyen-Waters group signature scheme [7] based on theHSDH assumption, where the member’s secret key consists of gx, hx (h ∈ G)for the same membership certificate S = g1/(X+x), where x is unknown to themember. Therefore, by adapting the HIBE-like key update to the HSDH-basedgroup signature scheme, we can obtain the forward-secure scheme.


The next step to obtain forward-secure group signatures is to find out how to ensure the correctness of the updated key anonymously in the group signatures. In the underlying group signature scheme [7], in order to exclude the random oracle, an NIZK (Non-Interactive Zero-Knowledge) proof without the random oracle is used. However, due to the use of groups with composite order, the scheme is inefficient. In this paper, we aim to obtain an efficient forward-secure scheme, so we allow the random oracle and adopt the efficient Schnorr-type SPKs for representations. Thus, we newly design the SPK proving $S = \mathrm{Sign}(x)$ and $E = \mathrm{Enc}(x)$ together with the correctness of the updates. The point of the design is that the signer has to prove equality of representations without knowing the exponent $x$ of $g^{x}$, and thus we utilize the pairing to construct the SPK without knowing the exponent.

As a final remark, we need the $E = \mathrm{Enc}(x)$ part in the signature for opening. Since the DDH assumption does not always hold in bilinear groups, we adopt the linear encryption [5] based on the DLIN assumption. In the adoption, we also have to take care of the SPK proving $E = \mathrm{Enc}(x)$ without knowing the exponent.

4.2 Proposed Algorithms

KeyGen: The inputs of this algorithm are the security parameter $1^{\ell}$, the maximum time $T$, and $N$, the maximum number of members; the outputs are the group public key gpk, GM's master secret key msk, OM's secret key osk, and the members' initial secret keys $\mathrm{usk}_0[i]$ for all $i \in [1, N]$.

1. Select a bilinear group $G$ with prime order $p$ of length $\ell$, and the bilinear map $e$. Select a hash function $H: \{0,1\}^* \to \mathbb{Z}_p$.
2. Let $d = \lceil \log_2 T \rceil$. Select $g, g_1, u, w_{1,0}, \ldots, w_{d,0}, w_{1,1}, \ldots, w_{d,1} \in_R G$.
3. Select $X \in_R \mathbb{Z}_p$ and compute $Y = g^{X}$.
4. Select $X_1, X_2 \in_R \mathbb{Z}_p$ and compute $Y_1 = g^{X_1}$ and $Y_2 = g^{X_2}$.
5. For all $i \in [1, N]$, select $x_i \in_R \mathbb{Z}_p$ and compute $K_{i,1} = g^{1/(X+x_i)}$, $K_{i,2} = g^{x_i}$, $K_{i,3} = u^{x_i}$.
6. Output $\mathrm{gpk} = (p, G, e, H, d, g, g_1, u, w_{1,0}, \ldots, w_{d,0}, w_{1,1}, \ldots, w_{d,1}, Y, Y_1, Y_2)$, $\mathrm{msk} = X$, $\mathrm{osk} = (X_1, X_2)$, and $\mathrm{usk}_0[i] = (K_{i,1}, K_{i,2}, K_{i,3})$.

KeyUpdate: The inputs of this algorithm are gpk, $t$ and $\mathrm{usk}_{t-1}[i]$, and the output is $\mathrm{usk}_t[i]$.

Consider a binary tree of depth $d$, where the root node is denoted as $\varepsilon$ (the empty string), and for a parent node $\tau = \tau_1 \cdots \tau_{\delta}$, the left-hand (resp., right-hand) child is denoted as $\tau' = \tau_1 \cdots \tau_{\delta} 0$ (resp., $\tau' = \tau_1 \cdots \tau_{\delta} 1$). Then, we assign each node to a time $t$ according to a pre-order traversal. I.e., time 0 is assigned to $\varepsilon$. For an internal node $\tau$ corresponding to time $t$, the time $t+1$ is assigned to the left-hand child node $\tau 0$. For a leaf node $\tau$ corresponding to time $t$, the time $t+1$ is assigned to the node $\tau' 1$, where $\tau'$ is the longest string such that $\tau' 0$ is a prefix of $\tau$. Hereafter, to clarify the connection between time $t$ and the corresponding node $\tau$, we denote by $\tau^t$ the node $\tau$ corresponding to $t$.

To each node, a node key is assigned. The key of node $\tau^t$ is denoted as $\mathrm{nk}_{\tau^t}$. Then, we consider that $\mathrm{usk}_t[i]$ is a stack of node keys, where the top of the stack is $\mathrm{nk}_{\tau^t}$. $\mathrm{usk}_t[i]$ additionally consists of the node keys of all right siblings of nodes on the path from the root to $\tau^t$. These node keys are needed for obtaining node keys after $t$.

Then, the KeyUpdate algorithm is executed as follows, according to the type of the node $\tau^{t-1}$.

Case of leaf node $\tau^{t-1}$: Pop $\mathrm{nk}_{\tau^{t-1}}$ from the stack $\mathrm{usk}_{t-1}[i]$, and erase $\mathrm{nk}_{\tau^{t-1}}$. Then, the top of the stack is $\mathrm{nk}_{\tau^t}$. Output the popped stack as $\mathrm{usk}_t[i]$.

Case of internal node $\tau^{t-1}$:
1. Let $b$ be the depth of node $\tau^t$. Then, pop $\mathrm{nk}_{\tau^{t-1}}$ from the stack $\mathrm{usk}_{t-1}[i]$. $\mathrm{nk}_{\tau^{t-1}}$ consists of $K_{i,1}, K_{i,2}, K_{i,3}, K_{i,4}$. In the case of $\mathrm{nk}_{\varepsilon}$, $K_{i,4}$ is empty. Otherwise, $K_{i,4} = (\kappa_{i,1}, \ldots, \kappa_{i,b-1})$.
2. Select $r_{b,0}, r_{b,1} \in_R \mathbb{Z}_p$ and compute $K^{(0)}_{i,3} = K_{i,3} \cdot w_{b,0}^{r_{b,0}}$ and $K^{(1)}_{i,3} = K_{i,3} \cdot w_{b,1}^{r_{b,1}}$.
3. Compute $\kappa^{(0)}_{i,b} = g^{r_{b,0}}$ and $\kappa^{(1)}_{i,b} = g^{r_{b,1}}$. Let $K^{(0)}_{i,4} = (\kappa_{i,1}, \ldots, \kappa_{i,b-1}, \kappa^{(0)}_{i,b})$ and $K^{(1)}_{i,4} = (\kappa_{i,1}, \ldots, \kappa_{i,b-1}, \kappa^{(1)}_{i,b})$. Let $\mathrm{nk}_{\tau^{t-1}0} = (K_{i,1}, K_{i,2}, K^{(0)}_{i,3}, K^{(0)}_{i,4})$ and $\mathrm{nk}_{\tau^{t-1}1} = (K_{i,1}, K_{i,2}, K^{(1)}_{i,3}, K^{(1)}_{i,4})$.
4. Push $\mathrm{nk}_{\tau^{t-1}1}$, and then push $\mathrm{nk}_{\tau^{t-1}0}$.
5. Erase $\mathrm{nk}_{\tau^{t-1}}$. Then, output the stack as $\mathrm{usk}_t[i]$.

As the result of the update, for $\tau^t = \tau_1 \cdots \tau_b$, we obtain
$$K_{i,3} = u^{x_i} \prod_{j=1}^{b} w_{j,\tau_j}^{r_{j,\tau_j}},\qquad K_{i,4} = \bigl(g^{r_{1,\tau_1}}, \ldots, g^{r_{b,\tau_b}}\bigr).$$
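The KeyUpdate procedure above (pre-order node assignment, the stack of node keys and the derivation of the two child keys), as an added example that is not the paper's code. The pairing group is replaced by a toy prime-order subgroup of $\mathbb{Z}_P^*$, and the setup keeps the discrete logarithms of $u$ and of the $w_{j,\cdot}$ so that the verification relation $e(u, K_{i,2}) \prod_j e(\kappa_{i,j}, w_{j,\tau_j}) = e(g, K_{i,3})$ can be checked without a pairing, by the same rewriting the Type-1 reduction of Section 5 uses. `next_node`, `Setup`, `key_update`, `node_key_is_valid`, `expected_stack_nodes` and `simulate` are this example's own names; $K_{i,1}$ is left out because the update never changes it.

```python
"""KeyUpdate of Section 4.2: pre-order traversal of a depth-d binary tree with a
stack of node keys, on a toy group.

Added example, not the paper's code. Assumptions: G is the order-Q subgroup of
Z_P^* for the toy safe prime P = 2039 (Q = 1019, generator G = 4; not secure);
the setup keeps the exponents of u = g^ups and w_{j,bit} = g^omega[j][bit] so
that the pairing check e(u, K2) prod_j e(kappa_j, w_{j,tau_j}) = e(g, K3) can be
evaluated without a pairing as K3 = K2^ups prod_j kappa_j^omega_j (this is the
rewriting used in the Type-1 reduction of Section 5). K_{i,1} is omitted since
the update never touches it.
"""
import secrets

P, Q, G = 2039, 1019, 4


def next_node(tau: str, d: int) -> str:
    """Successor of node tau in the pre-order traversal of the depth-d tree."""
    if len(tau) < d:                      # internal node: time t+1 is the left child
        return tau + "0"
    tau = tau.rstrip("1")                 # leaf: drop trailing right edges ...
    if not tau:
        raise ValueError("no node after the last leaf")
    return tau[:-1] + "1"                 # ... and step to the right sibling tau'1


class Setup:
    """Public parameters gpk for the update, plus the toy trapdoor exponents."""
    def __init__(self, T: int):
        assert T >= 2
        self.d = (T - 1).bit_length()     # ceil(log2 T); the tree has 2^(d+1)-1 >= T+1 nodes
        self.ups = secrets.randbelow(Q - 1) + 1
        self.u = pow(G, self.ups, P)
        self.omega = [[0, 0]] + [[secrets.randbelow(Q - 1) + 1 for _ in (0, 1)] for _ in range(self.d)]
        self.w = [[pow(G, o, P) for o in pair] for pair in self.omega]   # w[j][bit], j = 1..d

    def initial_key(self, x: int) -> list:
        """usk_0: a stack holding only nk_eps = (K2, K3, K4) = (g^x, u^x, ())."""
        return [{"node": "", "K2": pow(G, x, P), "K3": pow(self.u, x, P), "K4": []}]


def key_update(setup: Setup, stack: list) -> list:
    """usk_{t-1} -> usk_t. Pops nk_{tau^{t-1}}; for an internal node derives the two
    child keys with fresh r_{b,0}, r_{b,1} and pushes the right child first."""
    nk = stack.pop()                          # erased: no other copy must survive
    if len(nk["node"]) == setup.d:            # leaf: the next pre-order node is already on top
        return stack
    b = len(nk["node"]) + 1                   # depth of the children
    for bit in (1, 0):
        r = secrets.randbelow(Q)
        stack.append({"node": nk["node"] + str(bit), "K2": nk["K2"],
                      "K3": nk["K3"] * pow(setup.w[b][bit], r, P) % P,
                      "K4": nk["K4"] + [pow(G, r, P)]})
    return stack


def node_key_is_valid(setup: Setup, nk: dict) -> bool:
    """Toy form of e(u,K2) prod e(kappa_j, w_{j,tau_j}) = e(g,K3), see module docstring."""
    if len(nk["K4"]) != len(nk["node"]):
        return False
    rhs = pow(nk["K2"], setup.ups, P)         # = u^x
    for j, (kappa, bit) in enumerate(zip(nk["K4"], nk["node"]), start=1):
        rhs = rhs * pow(kappa, setup.omega[j][int(bit)], P) % P
    return nk["K3"] == rhs


def expected_stack_nodes(tau: str) -> set:
    """tau itself plus the right sibling of every left child on the root-to-tau path."""
    return {tau} | {tau[:k] + "1" for k, bit in enumerate(tau) if bit == "0"}


def simulate(T: int) -> dict:
    """Run usk_0 -> ... -> usk_T for one member and check, at every t, that the top
    key is the pre-order node tau^t, that every key on the stack satisfies the
    verification relation, and that the stack holds exactly the node keys the text
    says it should (nk_{tau^t} plus the right siblings along the path)."""
    setup = Setup(T)
    stack = setup.initial_key(secrets.randbelow(Q - 1) + 1)
    tau, nodes, ok, max_stack = "", [""], [node_key_is_valid(setup, stack[-1])], 1
    for _ in range(T):
        stack = key_update(setup, stack)
        tau = next_node(tau, setup.d)
        top = stack[-1]
        nodes.append(top["node"])
        ok.append(top["node"] == tau and all(node_key_is_valid(setup, nk) for nk in stack)
                  and {nk["node"] for nk in stack} == expected_stack_nodes(tau)
                  and len(stack) == len(expected_stack_nodes(tau)))
        max_stack = max(max_stack, len(stack))
    return {"d": setup.d, "nodes": nodes, "all_valid": all(ok), "max_stack": max_stack}
```

`simulate(T)` walks every interval and, at each step, checks that the key on top of the stack belongs to the node the pre-order traversal assigns to $t$, that every node key on the stack satisfies the verification relation, and that the stack holds exactly $\mathrm{nk}_{\tau^t}$ plus the right siblings of the left children on the root path, which bounds its size by $d+1$. The forward-security property is only as good as the erasure in `key_update`: the popped node key must not survive in any other copy, log or swap file, because anyone holding $\mathrm{nk}_{\tau^{t-1}}$ can re-derive every later key from it.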

Sign: The inputs of this algorithm are gpk, $\mathrm{usk}_t[i]$, $t$ and $M \in \{0,1\}^*$, and the output is the signature $\sigma$.

1. Retrieve the node key $\mathrm{nk}_{\tau^t}$ from the stack $\mathrm{usk}_t[i]$. Let $\mathrm{nk}_{\tau^t} = (K_{i,1}, K_{i,2}, K_{i,3}, K_{i,4})$, where $K_{i,4} = (\kappa_{i,1}, \ldots, \kappa_{i,b})$. Let $\tau^t = \tau_1 \cdots \tau_b$.
2. Select $\rho_1, \rho_2, \rho_3, \rho_{4,1}, \ldots, \rho_{4,b}, \rho_5, \rho_6 \in_R \mathbb{Z}_p$, compute $\gamma = \rho_1 \rho_2 \bmod p$, and compute the commitments
$$C_1 = K_{i,1} g_1^{\rho_1},\quad C_2 = K_{i,2} g_1^{\rho_2},\quad C_3 = K_{i,3} g_1^{\rho_3},\quad C_{4,1} = \kappa_{i,1} g_1^{\rho_{4,1}},\ \ldots,\ C_{4,b} = \kappa_{i,b} g_1^{\rho_{4,b}},\quad C_5 = g^{\rho_1} g_1^{\rho_5},\quad C_6 = g^{\gamma} g_1^{\rho_6}.$$
3. Select randoms $\delta_1, \delta_2 \in_R \mathbb{Z}_p$, and compute the ciphertext $T_1 = K_{i,2}\, g^{\delta_1 + \delta_2}$, $T_2 = Y_1^{\delta_1}$, and $T_3 = Y_2^{\delta_2}$.
4. Compute the following SPK $V$:
$$\begin{aligned}
\mathrm{SPK}\Bigl\{(\rho_1, \rho_2, \rho_3, \rho_{4,1}, \ldots, \rho_{4,b}, \rho_5, \rho_6, \gamma, \gamma', \delta_1, \delta_2) :\;
& e(C_1, Y C_2)/e(g, g) = e(g_1, Y C_2)^{\rho_1}\, e(C_1, g_1)^{\rho_2} / e(g_1, g_1)^{\gamma} \\
\wedge\; & e(u, C_2) \prod_{j=1}^{b} e(C_{4,j}, w_{j,\tau_j}) \Big/ e(g, C_3) = e(u, g_1)^{\rho_2} \prod_{j=1}^{b} e(g_1, w_{j,\tau_j})^{\rho_{4,j}} \Big/ e(g, g_1)^{\rho_3} \\
\wedge\; & C_5 = g^{\rho_1} g_1^{\rho_5} \;\wedge\; C_6 = g^{\gamma} g_1^{\rho_6} \;\wedge\; C_6 = C_5^{\rho_2} g_1^{\gamma'} \\
\wedge\; & C_2 / T_1 = g_1^{\rho_2} / g^{\delta_1 + \delta_2} \;\wedge\; T_2 = Y_1^{\delta_1} \;\wedge\; T_3 = Y_2^{\delta_2} \Bigr\}(M)
\end{aligned}$$
5. Output $\sigma = (C_1, C_2, C_3, C_{4,1}, \ldots, C_{4,b}, C_5, C_6, T_1, T_2, T_3, V)$.

Remark 2. This SPK proves
$$e(K_{i,1}, Y K_{i,2}) = e(g, g),\qquad e(u, K_{i,2}) \prod_{j=1}^{b} e(\kappa_{i,j}, w_{j,\tau_j}) = e(g, K_{i,3}),\qquad T_1 = K_{i,2}\, g^{\delta_1+\delta_2},\ T_2 = Y_1^{\delta_1},\ T_3 = Y_2^{\delta_2},$$
due to Lemma 1 in the following section. These relations mean the correctness of $K_{i,1}$ (i.e., the BB signature on $K_{i,2} = g^{x_i}$), the correctness of the updated key $K_{i,3}$ (i.e., $K_{i,3} = u^{x_i} \prod_{j=1}^{b} w_{j,\tau_j}^{r_{j,\tau_j}}$), and the correctness of the linear encryption $(T_1, T_2, T_3)$ of $K_{i,2}$.

How to compute this SPK is described in Appendix A.

Verify: The inputs are gpk, t, a target signature σ, and the message M . Checkthe SPK V . Output ’valid’ (resp., ’invalid’) if it is correct (resp., incorrect).

Open: The inputs are gpk, the secret key $\mathrm{osk} = (X_1, X_2)$, $t$, a target signature $\sigma = (C_1, C_2, C_3, C_{4,1}, \ldots, C_{4,b}, C_5, C_6, T_1, T_2, T_3, V)$ and the message $M$.

1. Verify $\sigma$. If it is invalid, abort.
2. Using $X_1, X_2$, compute $T_1 / \bigl(T_2^{1/X_1}\, T_3^{1/X_2}\bigr)$ to obtain $K_{i,2}$.
3. Output $i$.
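The linear encryption of $K_{i,2}$ produced in step 3 of Sign and the decryption performed in step 2 of Open, as an added example that is not the paper's code, on the same toy prime-order subgroup of $\mathbb{Z}_P^*$. `opener_keygen`, `linear_encrypt`, `linear_decrypt`, `open_signature` and the member table mapping each $K_{i,2}$ to its index $i$ are this example's own names and assumptions.

```python
"""Linear encryption of K_{i,2} (Sign step 3) and its decryption in Open, on a toy
group. Added example, not the paper's code. Assumptions: G is the order-Q subgroup
of Z_P^* for the toy safe prime P = 2039 (Q = 1019, generator G = 4; not secure);
the opener holds a table mapping each K_{i,2} = g^{x_i} to the member index i."""
import secrets

P, Q, G = 2039, 1019, 4


def opener_keygen():
    """osk = (X1, X2) and the public (Y1, Y2) = (g^X1, g^X2) from KeyGen step 4."""
    X1, X2 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return (X1, X2), (pow(G, X1, P), pow(G, X2, P))


def linear_encrypt(pub, K2):
    """(T1, T2, T3) = (K2 g^{d1+d2}, Y1^d1, Y2^d2) with fresh nonzero d1, d2."""
    Y1, Y2 = pub
    d1, d2 = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return K2 * pow(G, d1 + d2, P) % P, pow(Y1, d1, P), pow(Y2, d2, P)


def linear_decrypt(osk, ct):
    """K2 = T1 / (T2^{1/X1} T3^{1/X2}); 1/X is the inverse in Z_Q, the exponent group,
    so T2^{1/X1} = g^{X1 d1 / X1} = g^{d1} and the blinding factor g^{d1+d2} cancels."""
    X1, X2 = osk
    T1, T2, T3 = ct
    blind = pow(T2, pow(X1, -1, Q), P) * pow(T3, pow(X2, -1, Q), P) % P
    return T1 * pow(blind, -1, P) % P


def open_signature(osk, ct, members):
    """Open steps 2-3: recover K_{i,2} and return i, or None if no member matches."""
    return members.get(linear_decrypt(osk, ct))


def demo():
    """(correct osk identifies member 3, an osk with a wrong X1 does not recover K_{3,2})."""
    osk, pub = opener_keygen()
    xs = [17 * i for i in range(1, 6)]                    # toy member secrets x_1..x_5
    members = {pow(G, x, P): i for i, x in enumerate(xs, start=1)}
    K2 = pow(G, xs[2], P)                                  # K_{3,2} of member 3
    ct = linear_encrypt(pub, K2)
    wrong = ((osk[0] % (Q - 1)) + 1, osk[1])               # X1 shifted by one, never 0
    return open_signature(osk, ct, members) == 3, linear_decrypt(wrong, ct) != K2
```

Decryption works because $1/X_1$ is taken in $\mathbb{Z}_Q$, the exponent group, so $T_2^{1/X_1} = g^{X_1 \delta_1 / X_1} = g^{\delta_1}$; an opener with a wrong $X_1$ does not recover $K_{i,2}$, as `demo()` checks. Open must verify the SPK first (step 1): the relation $C_2/T_1 = g_1^{\rho_2}/g^{\delta_1+\delta_2}$ in $V$ is what ties $(T_1, T_2, T_3)$ to the committed $K_{i,2}$, so skipping step 1 would let a forger encrypt some other member's $K_{i,2}$ and have the opening pin the signature on them.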

Signature Size and Performance: Let $\mathrm{Size}(G)$ and $\mathrm{Size}(\mathbb{Z}_p)$ be the sizes of a $G$ element and a $\mathbb{Z}_p$ element, respectively. Then, the signature size is
$$(b + 8)\,\mathrm{Size}(G) + (b + 10)\,\mathrm{Size}(\mathbb{Z}_p).$$
This is $O(\log T)$, due to $b \le d = \lceil \log_2 T \rceil$.


The computational cost of key update is mainly 4 exponentiations on $G$, i.e., O(1) cost. The signature generation needs $(b+19)$ exponentiations on $G$, $(b+5)$ exponentiations on $T$, and $(b+5)$ pairings (some of the pairings can be precomputed). The verification cost is 15 exponentiations on $G$, $(b+7)$ exponentiations on $T$, and $(2b+9)$ pairings (some of the pairings can be precomputed, and the multi-pairing can be accelerated [14]). The performance of both algorithms is $O(\log T)$.

5 Security

Before proving forward-secure traceability, we prepare the following lemma on the SPK.

Lemma 1. Under the DL assumption, the SPK $V$ proves the knowledge of $K_{i,1}, K_{i,2}, K_{i,3}, \kappa_{i,1}, \ldots, \kappa_{i,b}, \delta_1, \delta_2$ s.t.
$$e(K_{i,1}, Y K_{i,2}) = e(g, g),\qquad e(u, K_{i,2}) \prod_{j=1}^{b} e(\kappa_{i,j}, w_{j,\tau_j}) = e(g, K_{i,3}),\qquad T_1 = K_{i,2}\, g^{\delta_1+\delta_2},\ T_2 = Y_1^{\delta_1},\ T_3 = Y_2^{\delta_2}.$$

Proof. From $V$, we can extract $(\rho_1, \rho_2, \rho_3, \rho_{4,1}, \ldots, \rho_{4,b}, \rho_5, \rho_6, \gamma, \gamma', \delta_1, \delta_2)$ s.t.
$$\begin{aligned}
e(C_1, Y C_2)/e(g, g) &= e(g_1, Y C_2)^{\rho_1}\, e(C_1, g_1)^{\rho_2} / e(g_1, g_1)^{\gamma}, & (1)\\
e(u, C_2) \prod_{j=1}^{b} e(C_{4,j}, w_{j,\tau_j}) \Big/ e(g, C_3) &= e(u, g_1)^{\rho_2} \prod_{j=1}^{b} e(g_1, w_{j,\tau_j})^{\rho_{4,j}} \Big/ e(g, g_1)^{\rho_3}, & (2)\\
C_5 &= g^{\rho_1} g_1^{\rho_5}, & (3)\\
C_6 &= g^{\gamma} g_1^{\rho_6}, & (4)\\
C_6 &= C_5^{\rho_2} g_1^{\gamma'}, & (5)\\
C_2 / T_1 &= g_1^{\rho_2} / g^{\delta_1+\delta_2}, & (6)\\
T_2 &= Y_1^{\delta_1}, & (7)\\
T_3 &= Y_2^{\delta_2}. & (8)
\end{aligned}$$
Then, from equations (3) and (5), we obtain
$$C_6 = \bigl(g^{\rho_1} g_1^{\rho_5}\bigr)^{\rho_2} g_1^{\gamma'} = g^{\rho_1 \rho_2} g_1^{\rho_5 \rho_2 + \gamma'}.$$
Thus, using equation (4), this means $g^{\gamma} g_1^{\rho_6} = g^{\rho_1 \rho_2} g_1^{\rho_5 \rho_2 + \gamma'}$. Based on the DL assumption, since the DL of $g_1$ to base $g$ cannot be computed, the equation $\gamma = \rho_1 \rho_2$ has to hold.


Next, from equation (1), using $\gamma = \rho_1 \rho_2$, we obtain
$$\begin{aligned}
e(C_1, Y C_2) / e(g_1, Y C_2)^{\rho_1} &= e(g, g)\, e(C_1, g_1)^{\rho_2} / e(g_1, g_1)^{\rho_1 \rho_2} \\
e(C_1, Y C_2) / e(g_1^{\rho_1}, Y C_2) &= e(g, g)\, e(C_1, g_1^{\rho_2}) / e(g_1^{\rho_1}, g_1^{\rho_2}) \\
e(C_1 / g_1^{\rho_1}, Y C_2) &= e(g, g)\, e(C_1 / g_1^{\rho_1}, g_1^{\rho_2}) \\
e(C_1 / g_1^{\rho_1}, Y C_2 / g_1^{\rho_2}) &= e(g, g).
\end{aligned}$$
Thus, letting $K_{i,1} = C_1 / g_1^{\rho_1}$ and $K_{i,2} = C_2 / g_1^{\rho_2}$, we obtain
$$e(K_{i,1}, Y K_{i,2}) = e(g, g).$$
From equation (2), we obtain
$$\begin{aligned}
e(u, C_2) \prod_{j=1}^{b} e(C_{4,j}, w_{j,\tau_j}) \Big/ \Bigl(e(u, g_1)^{\rho_2} \prod_{j=1}^{b} e(g_1, w_{j,\tau_j})^{\rho_{4,j}}\Bigr) &= e(g, C_3) / e(g, g_1)^{\rho_3} \\
e(u, C_2) \prod_{j=1}^{b} e(C_{4,j}, w_{j,\tau_j}) \Big/ \Bigl(e(u, g_1^{\rho_2}) \prod_{j=1}^{b} e(g_1^{\rho_{4,j}}, w_{j,\tau_j})\Bigr) &= e(g, C_3) / e(g, g_1^{\rho_3}) \\
e(u, C_2 / g_1^{\rho_2}) \prod_{j=1}^{b} e(C_{4,j} / g_1^{\rho_{4,j}}, w_{j,\tau_j}) &= e(g, C_3 / g_1^{\rho_3}).
\end{aligned}$$
Thus, letting $K_{i,3} = C_3 / g_1^{\rho_3}$ and $\kappa_{i,j} = C_{4,j} / g_1^{\rho_{4,j}}$ for all $1 \le j \le b$, we obtain
$$e(u, K_{i,2}) \prod_{j=1}^{b} e(\kappa_{i,j}, w_{j,\tau_j}) = e(g, K_{i,3}).$$
Finally, substituting $C_2 = K_{i,2}\, g_1^{\rho_2}$ into equation (6), we obtain
$$\begin{aligned}
K_{i,2}\, g_1^{\rho_2} / T_1 &= g_1^{\rho_2} / g^{\delta_1+\delta_2} \\
T_1 &= K_{i,2}\, g_1^{\rho_2}\, g^{\delta_1+\delta_2} / g_1^{\rho_2} \\
T_1 &= K_{i,2}\, g^{\delta_1+\delta_2}. \qquad\square
\end{aligned}$$

Theorem 1. The proposed scheme satisfies forward-secure traceability under the q-HSDH assumption, in the random oracle model.

Proof. Assume an adversary $\mathcal{A}$ against the forward-secure traceability game; we construct an adversary $\mathcal{B}$ against the q-HSDH assumption. We separate $\mathcal{A}$ into 2 types, and construct $\mathcal{B}$ for each type.

Type-1: This type of $\mathcal{A}$ corresponds to the case that the signer $i^*$ of the signature $\sigma^*$ output by $\mathcal{A}$ is different from the signers $i$ requested in queries. The inputs of $\mathcal{B}$ are $g, h, g^{\theta}, (g^{1/(\theta+\xi_1)}, g^{\xi_1}, h^{\xi_1}), \ldots, (g^{1/(\theta+\xi_q)}, g^{\xi_q}, h^{\xi_q})$, where $g, h \in_R G$ and $\theta, \xi_i \in_R \mathbb{Z}_p$. Using the inputs, $\mathcal{B}$ conducts the forward-secure traceability game with $\mathcal{A}$ as follows.


Setup: KeyGen is simulated as follows.
1. Set $u = h$ and $Y = g^{\theta}$, and define $X = \theta$, where $\theta$ is unknown to $\mathcal{B}$. Select $g_1 \in_R G$. Select $\rho_{j,0}, \rho_{j,1} \in_R \mathbb{Z}_p$, and compute $w_{j,0} = g^{\rho_{j,0}}$, $w_{j,1} = g^{\rho_{j,1}}$ for all $1 \le j \le d$.
2. Compute $X_1, X_2, Y_1, Y_2$ as usual.
3. Set $K_{i,1} = g^{1/(\theta+\xi_i)}$, $K_{i,2} = g^{\xi_i}$, $K_{i,3} = h^{\xi_i}$.
Then, provide $\mathcal{A}$ with gpk, osk and run $\mathcal{A}$.

Queries: The response to any query can be treated as usual, using $\mathrm{usk}_t[i]$ that is updated as usual.

Output: Finally, $\mathcal{A}$ outputs a forged signature $\sigma^*$ for the signer $i^*$ at interval $t^*$. Then, using the extractor of the SPK $V$, with non-negligible probability we can obtain $(K_{i^*,1}, K_{i^*,2}, K_{i^*,3}, K_{i^*,4})$ s.t.
$$e(K_{i^*,1}, Y K_{i^*,2}) = e(g, g), \qquad (9)$$
$$e(u, K_{i^*,2}) \prod_{j=1}^{b^*} e(\kappa_{i^*,j}, w_{j,\tau^*_j}) = e(g, K_{i^*,3}), \qquad (10)$$
where $\tau^{t^*} = \tau^*_1 \cdots \tau^*_{b^*}$. Since $i^*$ is not any requested $i$, $K_{i^*,2} \neq K_{i,2}$. Thus, we can set $K_{i^*,2} = g^{\xi}$ for some $\xi \in \mathbb{Z}_p$ ($\xi \neq \xi_i$). From equation (9), this means $K_{i^*,1} = g^{1/(\theta+\xi)}$. On the other hand, from equation (10),
$$\begin{aligned}
e(u, g^{\xi}) \prod_{j=1}^{b^*} e(\kappa_{i^*,j}, g^{\rho_{j,\tau^*_j}}) &= e(g, K_{i^*,3}) \\
e\Bigl(u^{\xi} \prod_{j=1}^{b^*} \kappa_{i^*,j}^{\rho_{j,\tau^*_j}},\; g\Bigr) &= e(g, K_{i^*,3}).
\end{aligned}$$
Thus, we can set $K_{i^*,3} = u^{\xi} \prod_{j=1}^{b^*} \kappa_{i^*,j}^{\rho_{j,\tau^*_j}}$. Then, compute
$$K_{i^*,3} \cdot \prod_{j=1}^{b^*} \kappa_{i^*,j}^{-\rho_{j,\tau^*_j}},$$
which is equal to $u^{\xi} = h^{\xi}$. Therefore, output $(g^{1/(\theta+\xi)}, g^{\xi}, h^{\xi})$, where $\xi \neq \xi_i$.

Type-2: This type of $\mathcal{A}$ corresponds to the case that the signer $i^*$ of the signature $\sigma^*$ output by $\mathcal{A}$ was requested in the queries. The inputs of $\mathcal{B}$ are $g, h, g^{\theta}, (g^{1/(\theta+\xi_1)}, g^{\xi_1}, h^{\xi_1}), \ldots, (g^{1/(\theta+\xi_q)}, g^{\xi_q}, h^{\xi_q})$, where $g, h \in_R G$ and $\theta, \xi_i \in_R \mathbb{Z}_p$. Using the inputs, $\mathcal{B}$ conducts the forward-secure traceability game with $\mathcal{A}$ as follows.

Setup: KeyGen is simulated as follows.
1. Guess targets $i^* \in_R [1, N]$ and $t^* \in_R [0, T]$. Let $\tau^{t^*} = \tau^*_1 \cdots \tau^*_{b^*}$.
2. Set $u = h$ and $Y = g^{\theta}$, and define $X = \theta$, where $\theta$ is unknown to $\mathcal{B}$. Select $\alpha \in_R \mathbb{Z}_p$ and compute $f = Y^{-1} g^{\alpha}$.


3. Select $\rho_{1,0}, \ldots, \rho_{d,0}, \rho_{1,1}, \ldots, \rho_{d,1} \in_R \mathbb{Z}_p$, and compute $w_{j,\tau^*_j} = g^{\rho_{j,\tau^*_j}}$ for $\tau^*_j$ of all $j \in [1, b^*]$. For all other $w_{j,\tau_j}$, compute $w_{j,\tau_j} = f\, g^{\rho_{j,\tau_j}}$.
4. Compute $X_1, X_2, Y_1, Y_2$ as usual.
5. For $i$ except $i^*$, set $K_{i,1} = g^{1/(\theta+\xi_i)}$, $K_{i,2} = g^{\xi_i}$, $K_{i,3} = h^{\xi_i}$. For $i^*$, compute $K_{i^*,1} = g^{1/\alpha}$, $K_{i^*,2} = f$. However, $K_{i^*,3}$ is unknown. Set $x_{i^*} = \alpha - \theta$, which is also unknown. Then, $K_{i^*,1} = g^{1/(\theta + x_{i^*})} = g^{1/(X + x_{i^*})}$, and $K_{i^*,2} = Y^{-1} g^{\alpha} = g^{-\theta+\alpha} = g^{x_{i^*}}$.
Then, provide $\mathcal{A}$ with gpk, osk and run $\mathcal{A}$.

Queries: Except for the queries for $i^*$, the response to any query can be treated as usual, using $\mathrm{usk}_t[i]$ that is updated as usual. The queries for $i^*$ are simulated as follows. Let $\tau^t = \tau_1 \cdots \tau_b$ for the current interval $t$.

Signing for $i^*$: The commitments and SPK in the group signature can be easily simulated without $\mathrm{usk}_t[i^*]$. The ciphertext $(T_1, T_2, T_3)$ can be simulated using $K_{i^*,2}$.

Corruption for $i^*$: If $t \le t^*$, abort. Otherwise, consider two cases:

$\tau^t$ is a descendant node of $\tau^{t^*}$: In this case, $b > b^*$ and $\tau_1 = \tau^*_1, \ldots, \tau_{b^*} = \tau^*_{b^*}$. Select $r_{j,\tau_j} \in_R \mathbb{Z}_p$ for $1 \le j \le b$. Simulate $K_{i^*,3}$, $K_{i^*,4} = (\kappa_{i^*,1}, \ldots, \kappa_{i^*,b})$ as follows.
$$K_{i^*,3} = u^{-\rho_{b^*+1,\tau_{b^*+1}}} \prod_{j=1}^{b} w_{j,\tau_j}^{r_{j,\tau_j}},\qquad \kappa_{i^*,j} = g^{r_{j,\tau_j}}\ (1 \le j \le b,\ j \neq b^*+1),\qquad \kappa_{i^*,b^*+1} = u^{-1} g^{r_{b^*+1,\tau_{b^*+1}}}.$$
Then, setting $\tilde{r}_{b^*+1,\tau_{b^*+1}} = r_{b^*+1,\tau_{b^*+1}} - \mathrm{dlog}_g(u)$,
$$\begin{aligned}
K_{i^*,3} &= u^{-\rho_{b^*+1,\tau_{b^*+1}}} \Bigl(\prod_{j=1}^{b^*} w_{j,\tau_j}^{r_{j,\tau_j}}\Bigr) \cdot w_{b^*+1,\tau_{b^*+1}}^{r_{b^*+1,\tau_{b^*+1}}} \cdot \prod_{j=b^*+2}^{b} w_{j,\tau_j}^{r_{j,\tau_j}} \\
&= u^{-\rho_{b^*+1,\tau_{b^*+1}}} \Bigl(\prod_{j=1}^{b^*} w_{j,\tau_j}^{r_{j,\tau_j}}\Bigr) \cdot w_{b^*+1,\tau_{b^*+1}}^{\tilde{r}_{b^*+1,\tau_{b^*+1}}} \cdot \bigl(f\, g^{\rho_{b^*+1,\tau_{b^*+1}}}\bigr)^{\mathrm{dlog}_g(u)} \cdot \prod_{j=b^*+2}^{b} w_{j,\tau_j}^{r_{j,\tau_j}} \\
&= u^{-\rho_{b^*+1,\tau_{b^*+1}}} \Bigl(\prod_{j=1}^{b^*} w_{j,\tau_j}^{r_{j,\tau_j}}\Bigr) \cdot w_{b^*+1,\tau_{b^*+1}}^{\tilde{r}_{b^*+1,\tau_{b^*+1}}} \cdot \bigl((g^{x_{i^*}})^{\mathrm{dlog}_g(u)}\, u^{\rho_{b^*+1,\tau_{b^*+1}}}\bigr) \cdot \prod_{j=b^*+2}^{b} w_{j,\tau_j}^{r_{j,\tau_j}} \\
&= u^{x_{i^*}} \Bigl(\prod_{j=1}^{b^*} w_{j,\tau_j}^{r_{j,\tau_j}}\Bigr) \cdot w_{b^*+1,\tau_{b^*+1}}^{\tilde{r}_{b^*+1,\tau_{b^*+1}}} \cdot \prod_{j=b^*+2}^{b} w_{j,\tau_j}^{r_{j,\tau_j}}
\end{aligned}$$


κi∗,b∗+1 = u−1grb∗+1,τb∗+1

= u−1grb∗+1,τb∗+1

+dlogg(u)

= grb∗+1,τb∗+1

The distributions are the same as ones outputted by the realalgorithm. Respond (Ki∗,1, Ki∗,2, Ki∗,3, Ki∗,4).

$\tau^t$ is not a descendant node of $\tau^{t^*}$: Note that $\tau^t$ is also not an ancestor node of $\tau^{t^*}$. In this case, for some $\bar{j} \in [1, \min(b, b^*)]$, we necessarily have $\tau_{\bar{j}} \ne \tau^*_{\bar{j}}$. Select $r_{j,\tau_j} \in_R \mathbb{Z}_p$ for $1 \le j \le b$. Simulate $K_{i^*,3}, K_{i^*,4} = (\kappa_{i,1}, \ldots, \kappa_{i,b})$ as follows.

$$K_{i^*,3} = u^{-\rho_{\bar{j},\tau_{\bar{j}}}} \prod_{j=1}^{b} w_{j,\tau_j}^{r_{j,\tau_j}}, \qquad \kappa_{i^*,j} = g^{r_{j,\tau_j}} \ (1 \le j \le b \text{ and } j \ne \bar{j}), \qquad \kappa_{i^*,\bar{j}} = u^{-1} g^{r_{\bar{j},\tau_{\bar{j}}}}.$$

Then, by a similar discussion, the distributions are the same as the ones output by the real algorithm. Respond $(K_{i^*,1}, K_{i^*,2}, K_{i^*,3}, K_{i^*,4})$.

Output: If the guess of $t^*$ fails, abort. Otherwise (the guess is correct with a non-negligible probability), A outputs a forged signature $\sigma^*$ at the interval $t^*$. Then, using the extractor of the SPK $V$, with a non-negligible probability, obtain $(K_{i^*,1}, K_{i^*,2}, K_{i^*,3}, K_{i^*,4})$ satisfying the equations (9), (10). If the guess of $i^*$ fails, abort. Otherwise (the guess is correct with a non-negligible probability), set $\xi = x_{i^*}$ and thus $K_{i^*,1} = g^{1/(\theta+\xi)}$ and $K_{i^*,2} = g^{\xi}$, where $\xi \ne \xi_i$. Then, since $w_{j,\tau^*_j}$ are all $g^{\rho_{j,\tau^*_j}}$, from the equation (10),

$$e(u, g^{\xi}) \prod_{j=1}^{b^*} e\bigl(\kappa_{i^*,j}, g^{\rho_{j,\tau^*_j}}\bigr) = e(g, K_{i^*,3}),$$

$$e\Bigl(u^{\xi} \prod_{j=1}^{b^*} \kappa_{i^*,j}^{\rho_{j,\tau^*_j}},\ g\Bigr) = e(g, K_{i^*,3}).$$

Thus, similarly, we can set $K_{i^*,3} = u^{\xi} \prod_{j=1}^{b^*} \kappa_{i^*,j}^{\rho_{j,\tau^*_j}}$. Thus, by $K_{i^*,3} \cdot \prod_{j=1}^{b^*} \kappa_{i^*,j}^{-\rho_{j,\tau^*_j}}$, obtain $u^{\xi}$ $(= h^{\xi})$. Finally, output $(g^{1/(\theta+\xi)}, g^{\xi}, h^{\xi})$, where $\xi \ne \xi_i$.

Therefore, with a non-negligible probability, we can break the $q$-HSDH assumption in both types. Thus, by randomly choosing one among Type-1 and Type-2, and by playing it again and again, we can break the assumption with a non-negligible probability. □


184 T. Nakanishi, Y. Hira, and N. Funabiki

Theorem 2. The proposed scheme satisfies the CPA-anonymity under the DLIN assumption, in the random oracle model.

The proof of this theorem is similar to that in [5]. By a proof similar to the security proof of ElGamal encryption under the DDH assumption, it is shown that the linear encryption is semantically secure under the DLIN assumption. In both the original scheme in [5] and our scheme, the signature consists of the linear encryption $(T_1, T_2, T_3)$ of $g^{x_i}$, an SPK $V$ and statistically hiding commitments $(C_1, C_2, C_3, C_{4,1}, \ldots, C_{4,b}, C_5, C_6)$. Since the SPK and commitments can be easily simulated, we can reduce the CPA-anonymity game of our scheme to the IND-CPA game of the linear encryption.

6 Conclusion

We have proposed a forward-secure group signature scheme from pairings. Since the proposed scheme excludes the RSA-type assumptions, it is more efficient than the previous scheme [18]. Due to the HIBE-like key update algorithm, the signing/verification achieves $O(\log T)$ computational costs. The dominant cost is $O(\log T)$ pairings, which can be efficiently computed by the multi-pairing technique [14].

An open problem is to explore a forward-secure scheme with the signing and verification requiring only $O(1)$ pairings.

References

1. Barreto, P.S.L.M., Galbraith, S.D., Ó hÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Designs, Codes and Cryptography 42(3), 239–271 (2007)

2. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)

3. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)

4. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)

5. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)

6. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Proc. 11th ACM Conference on Computer and Communications Security (ACM-CCS 2004), pp. 168–177 (2004)

7. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)



8. Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proc. 11th ACM Conference on Computer and Communications Security (ACM-CCS 2004), pp. 132–145 (2004)

9. Camenisch, J., Herreweghen, E.V.: Design and implementation of the idemix anonymous credential system. In: Proc. 9th ACM Conference on Computer and Communications Security (ACM-CCS 2002), pp. 21–30 (2002)

10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003)

11. Chaum, D., van Heijst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)

12. Furukawa, J., Imai, H.: An efficient group signature scheme from bilinear maps. In: Boyd, C., Gonzalez Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 455–467. Springer, Heidelberg (2005)

13. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002)

14. Granger, R., Smart, N.: On computing products of pairings. Cryptology ePrint Archive: Report 2006/172 (2006)

15. Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Information Theory 52(10), 4595–4602 (2006)

16. Isshiki, T., Mori, K., Sako, K., Teranishi, I., Yonezawa, S.: Using group signatures for identity management and its implementation. In: Proc. 2nd ACM Workshop on Digital Identity Management, pp. 73–78 (2006)

17. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001)

18. Song, D.X.: Practical forward secure group signature schemes. In: Proc. 8th ACM Conference on Computer and Communications Security (ACM-CCS 2001), pp. 225–234 (2001)

19. Wang, G.: On the security of a group signature scheme with forward security. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 27–39. Springer, Heidelberg (2003)

20. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

21. Zhang, J., Wu, Q., Wang, Y.: A novel efficient group signature scheme with forward security. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 292–300. Springer, Heidelberg (2003)

A Detail of SPK

Here, we describe the SPK $V$ in the proposed scheme, using the SPK for the representations. $V$ has to prove knowledge of $(\rho_1, \rho_2, \rho_3, \rho_{4,1}, \ldots, \rho_{4,b}, \rho_5, \rho_6, \gamma, \gamma', \delta_1, \delta_2)$ s.t.

$$\begin{aligned}
e(C_1, Y C_2)/e(g, g) &= e(g_1, Y C_2)^{\rho_1} e(C_1, g_1)^{\rho_2} / e(g_1, g_1)^{\gamma}, \\
e(u, C_2) \prod_{j=1}^{b} e(C_{4,j}, w_{j,\tau_j}) / e(g, C_3) &= e(u, g_1)^{\rho_2} \prod_{j=1}^{b} e(g_1, w_{j,\tau_j})^{\rho_{4,j}} / e(g, g_1)^{\rho_3}, \\
C_5 &= g^{\rho_1} g_1^{\rho_5}, \quad C_6 = g^{\gamma} g_1^{\rho_6}, \quad C_6 = C_5^{\rho_2} g_1^{\gamma'}, \\
C_2/T_1 &= g_1^{\rho_2} / g^{(\delta_1+\delta_2)}, \quad T_2 = Y_1^{\delta_1}, \quad T_3 = Y_2^{\delta_2}.
\end{aligned}$$



The SPK is computed as follows.

1. Select $r_{\rho_1}, r_{\rho_2}, r_{\rho_3}, r_{\rho_{4,1}}, \ldots, r_{\rho_{4,b}}, r_{\rho_5}, r_{\rho_6}, r_{\gamma}, r_{\gamma'}, r_{\delta_1}, r_{\delta_2} \in_R \mathbb{Z}_p$, and compute

$$\begin{aligned}
R_1 &= e(g_1, Y C_2)^{r_{\rho_1}} e(C_1, g_1)^{r_{\rho_2}} / e(g_1, g_1)^{r_{\gamma}}, \\
R_2 &= e(u, g_1)^{r_{\rho_2}} \prod_{j=1}^{b} e(g_1, w_{j,\tau_j})^{r_{\rho_{4,j}}} / e(g, g_1)^{r_{\rho_3}}, \\
R_3 &= g^{r_{\rho_1}} g_1^{r_{\rho_5}}, \quad R_4 = g^{r_{\gamma}} g_1^{r_{\rho_6}}, \quad R_5 = C_5^{r_{\rho_2}} g_1^{r_{\gamma'}}, \\
R_6 &= g_1^{r_{\rho_2}} / g^{(r_{\delta_1} + r_{\delta_2})}, \quad R_7 = Y_1^{r_{\delta_1}}, \quad R_8 = Y_2^{r_{\delta_2}}.
\end{aligned}$$

2. Compute

$$c = H(gpk, M, C_1, C_2, C_3, C_{4,1}, \ldots, C_{4,b}, C_5, C_6, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5, R_6, R_7, R_8).$$

3. Compute

$$\begin{aligned}
&s_{\rho_1} = r_{\rho_1} + c\rho_1, \quad s_{\rho_2} = r_{\rho_2} + c\rho_2, \quad s_{\rho_3} = r_{\rho_3} + c\rho_3, \\
&s_{\rho_{4,1}} = r_{\rho_{4,1}} + c\rho_{4,1}, \ \ldots, \ s_{\rho_{4,b}} = r_{\rho_{4,b}} + c\rho_{4,b}, \\
&s_{\rho_5} = r_{\rho_5} + c\rho_5, \quad s_{\rho_6} = r_{\rho_6} + c\rho_6, \quad s_{\gamma} = r_{\gamma} + c\gamma, \quad s_{\gamma'} = r_{\gamma'} + c\gamma', \\
&s_{\delta_1} = r_{\delta_1} + c\delta_1, \quad s_{\delta_2} = r_{\delta_2} + c\delta_2.
\end{aligned}$$

4. Output $V = (c, s_{\rho_1}, s_{\rho_2}, s_{\rho_3}, s_{\rho_{4,1}}, \ldots, s_{\rho_{4,b}}, s_{\rho_5}, s_{\rho_6}, s_{\gamma}, s_{\gamma'}, s_{\delta_1}, s_{\delta_2})$.

The verification is as follows.

1. Retrieve

$$\begin{aligned}
R_1 &= e(g_1, Y C_2)^{s_{\rho_1}} e(C_1, g_1)^{s_{\rho_2}} / e(g_1, g_1)^{s_{\gamma}} \bigl(e(C_1, Y C_2)/e(g, g)\bigr)^{-c}, \\
R_2 &= e(u, g_1)^{s_{\rho_2}} \prod_{j=1}^{b} e(g_1, w_{j,\tau_j})^{s_{\rho_{4,j}}} / e(g, g_1)^{s_{\rho_3}} \Bigl(e(u, C_2) \prod_{j=1}^{b} e(C_{4,j}, w_{j,\tau_j}) / e(g, C_3)\Bigr)^{-c}, \\
R_3 &= g^{s_{\rho_1}} g_1^{s_{\rho_5}} C_5^{-c}, \quad R_4 = g^{s_{\gamma}} g_1^{s_{\rho_6}} C_6^{-c}, \quad R_5 = C_5^{s_{\rho_2}} g_1^{s_{\gamma'}} C_6^{-c}, \\
R_6 &= g_1^{s_{\rho_2}} / g^{(s_{\delta_1} + s_{\delta_2})} (C_2/T_1)^{-c}, \quad R_7 = Y_1^{s_{\delta_1}} T_2^{-c}, \quad R_8 = Y_2^{s_{\delta_2}} T_3^{-c}.
\end{aligned}$$

2. Check

$$c = H(gpk, M, C_1, C_2, C_3, C_{4,1}, \ldots, C_{4,b}, C_5, C_6, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5, R_6, R_7, R_8).$$
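The SPK above, restricted to its representation relations (those behind $R_3, \ldots, R_8$), as an added Python example that is not part of the paper: a prime-order subgroup of $\mathbb{Z}_p^*$ stands in for $\mathbb{G}$, so the two pairing-product relations ($R_1$, $R_2$) are omitted; the toy group parameters, the SHA-256 instantiation of $H$ and all key material are constructed for the demonstration.

```python
"""Fiat-Shamir SPK for the representation relations of the SPK V (Appendix A).

Added example, not code from the paper.  A prime-order subgroup of Z_p^* stands
in for the pairing group, so only the relations behind R3..R8 are proved; the
pairing-product relations behind R1 and R2 are omitted.  The toy group, the
SHA-256 instantiation of H and all key material are constructed here.
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # constructed toy group: p = 2q+1, g = 4 generates the order-q subgroup


def rand_zq():
    """Exponent chosen uniformly from Z_q (the paper's  r <-_R Z_p )."""
    return secrets.randbelow(Q - 1) + 1


def hash_challenge(*items):
    """c = H(gpk, M, C..., T..., R...): SHA-256 over the ordered transcript."""
    data = "|".join(map(str, items)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def inv(x):
    return pow(x, -1, P)


def make_statement(gpk, wit, payload):
    """Public values (C2, C5, C6, T1, T2, T3) consistent with the witness.

    C6 is represented twice (g^gamma g1^rho6 and C5^rho2 g1^gamma'), which forces
    gamma = rho1*rho2; payload (g^x in the scheme) is masked in both C2 and T1 so
    that C2/T1 = g1^rho2 / g^(delta1+delta2) as required by the R6 relation.
    """
    g, g1, y1, y2 = gpk
    c5 = pow(g, wit["rho1"], P) * pow(g1, wit["rho5"], P) % P
    c6 = pow(g, wit["gamma"], P) * pow(g1, wit["rho6"], P) % P
    assert c6 == pow(c5, wit["rho2"], P) * pow(g1, wit["gamma_p"], P) % P
    t1 = payload * pow(g, (wit["d1"] + wit["d2"]) % Q, P) % P
    c2 = payload * pow(g1, wit["rho2"], P) % P
    return (c2, c5, c6, t1, pow(y1, wit["d1"], P), pow(y2, wit["d2"], P))


def commitments(gpk, stmt, e):
    """R3..R8 evaluated with exponents e: the r's when signing, the s's when verifying."""
    g, g1, y1, y2 = gpk
    c2, c5, c6, t1, t2, t3 = stmt
    return [
        pow(g, e["rho1"], P) * pow(g1, e["rho5"], P) % P,                      # R3
        pow(g, e["gamma"], P) * pow(g1, e["rho6"], P) % P,                     # R4
        pow(c5, e["rho2"], P) * pow(g1, e["gamma_p"], P) % P,                  # R5
        pow(g1, e["rho2"], P) * inv(pow(g, (e["d1"] + e["d2"]) % Q, P)) % P,   # R6
        pow(y1, e["d1"], P),                                                    # R7
        pow(y2, e["d2"], P),                                                    # R8
    ]


def spk_sign(gpk, stmt, wit, msg):
    """Steps 1-4: random r's, commitments R_i, challenge c, responses s = r + c*w mod q."""
    r = {k: rand_zq() for k in wit}
    R = commitments(gpk, stmt, r)
    c = hash_challenge(*gpk, msg, *stmt, *R)
    s = {k: (r[k] + c * wit[k]) % Q for k in wit}
    return (c, s)


def spk_verify(gpk, stmt, msg, sig):
    """Retrieve each R_i as <same expression with s> * <public value>^-c, then recheck c."""
    c, s = sig
    c2, c5, c6, t1, t2, t3 = stmt
    public = [c5, c6, c6, c2 * inv(t1) % P, t2, t3]   # the value each relation is about
    R = [ri * pow(v, (-c) % Q, P) % P for ri, v in zip(commitments(gpk, stmt, s), public)]
    return c == hash_challenge(*gpk, msg, *stmt, *R)


def demo():
    """Constructed gpk and witness; returns (accepts genuine, accepts altered message)."""
    gpk = (G, pow(G, 17, P), pow(G, 23, P), pow(G, 31, P))   # (g, g1, Y1, Y2), toy values
    wit = {k: rand_zq() for k in ("rho1", "rho2", "rho5", "gamma_p", "d1", "d2")}
    wit["gamma"] = wit["rho1"] * wit["rho2"] % Q               # gamma = rho1 * rho2
    wit["rho6"] = (wit["rho5"] * wit["rho2"] + wit["gamma_p"]) % Q
    stmt = make_statement(gpk, wit, payload=pow(G, 5, P))
    sig = spk_sign(gpk, stmt, wit, "group-signed message")
    return (spk_verify(gpk, stmt, "group-signed message", sig),
            spk_verify(gpk, stmt, "altered", sig))
```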


Efficient Traceable Signatures in the Standard Model

Benoît Libert¹,⋆ and Moti Yung²

¹ Université Catholique de Louvain, Crypto Group, Belgium
² Google Inc. and Columbia University, USA

Abstract. Traceable signatures (TS), suggested by Kiayias, Tsiounis and Yung, extend group signatures to address various basic traceability issues beyond merely identifying the anonymous signer of a rogue signature. Namely, they enable the efficient tracing of all signatures produced by a misbehaving party without opening the identity of other parties. They also allow users to provably claim ownership of a previously signed anonymous signature. To date, known TS systems all rely on the random oracle model. In this work we present the first realization of the primitive that avoids resorting to the random oracle methodology in its security proofs. Furthermore, our realization’s efficiency is comparable to that of nowadays’ fastest and shortest standard model group signatures.

Keywords: Traceable signatures, anonymity, standard model.

1 Introduction

Group Signatures Background. Group signatures, introduced by Chaum and van Heyst [19], allow members of a group to sign messages without revealing their identity. When the necessity arises, an authority holding some privileged piece of information can “open” signatures and uncover the signer’s identity. Such primitives find applications in electronic auctions or trusted computing platforms where anonymity is a central issue.

The first scalable coalition-resistant system was proposed by Ateniese et al. [4]. The recent years saw a continued interest in the primitive with the appearance of pairing-based constructions (e.g. [12,36]). In general, when it comes to signatures, pairing has been employed to achieve two goals: (1) short signatures and (2) realizations in the standard model, not relying on the random oracle idealization. Notably, Boneh, Boyen and Shacham [12] showed the first scheme featuring signatures shorter than 200 bytes. Its security was analyzed in (a relaxation of) the model of Bellare, Micciancio and Warinschi (BMW) [7], which captures the requirements of group signatures in three properties but assumes static groups. The setting of dynamic groups was formalized by Bellare-Shi-Zhang (BSZ) [9]

⋆ This author acknowledges the Belgian National Fund for Scientific Research (F.R.S.-F.N.R.S.) for their financial support and the BCRYPT Interuniversity Attraction Pole.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 187–205, 2009.
© Springer-Verlag Berlin Heidelberg 2009


188 B. Libert and M. Yung

and, independently, by Kiayias-Yung [33] while efficient systems were given in [33,36,25,22].

Aforementioned practical proposals all rely on the random oracle model [8]. In the standard model, the theoretical constructions of [7,9] were “only” proofs of concept (plausibility results), since the main interest is in getting efficient schemes. Using improved non-interactive zero-knowledge (NIZK) techniques [30,29] inspired by an earlier homomorphic encryption scheme [13], Boyen and Waters [16] showed a fairly efficient realization with logarithmic-size signatures in the static BMW model. They subsequently improved [17] it to get rid of the dependency of signatures’ size on the group cardinality. Ateniese et al. [3] independently constructed another scheme relying on stronger interactive assumptions. Meanwhile, Groth [27] came up with constant-size signatures without random oracles in the (dynamic) BSZ model but signatures remained too long for practical use. In 2007, Groth showed [28] another standard model scheme with signatures shorter than 2 kB and full anonymity in the BSZ model.

Traceable Signatures. In group signatures, if we are given a member’s name and his public key, scanning all signatures and verifying which ones were signed by that member is only doable by revoking the anonymity of all signatures (in particular, signatures of honest users). To overcome this and allow further tracing properties, Kiayias, Tsiounis and Yung [32] introduced traceable signatures (TS). They still allow the group manager (GM) to open signatures individually. In addition, however, the GM can reveal a trapdoor allowing clerks to trace suspicious members’ signatures without having to revoke anonymity of every single signature. Misbehaving users can thus be traced without affecting the anonymity of honest ones. Moreover, such a traceability results in increased scalability since tracing agents can run in parallel whereas traditional group signatures involve a centralized tracing authority¹. Traceable signatures also support a mechanism enabling users to claim (and prove) the authorship of their own anonymously generated signatures.

Kiayias, Tsiounis and Yung (KTY) formalized the security of traceable signatures via three properties termed misidentification security, non-frameability and anonymity. They suggested a first implementation of the primitive (using the Fiat-Shamir heuristic [24] and thus the random oracle model) and proved its security under the Strong RSA and the Decision Diffie-Hellman assumptions. Later on, efficiency improvements were suggested by Ge and Tate [26]. Meanwhile, Nguyen and Safavi-Naini [36] and Choi, Park and Yung [20] gave pairing-based constructions with shorter signatures. More recently, Benjumea et al. [10] considered traceable signatures with extended capabilities in the multi-group setting and implemented them in the random oracle model.

Our Contribution. Constructions with security proofs in the random oracle model are known to sometimes have realizability problems [18]. Primitives that

¹ Group signatures with verifier-local revocation [14] are an exception as verification entails publicly running some implicit tracing mechanism to make sure that the signer is not revoked.


Efficient Traceable Signatures in the Standard Model 189

are initially presented with proofs under the random oracle idealization thus deserve further investigations towards instantiations in the standard model. In this paper we construct the first efficient traceable signature in the standard model, where we employ the Groth-Sahai [31] non-interactive witness indistinguishable (NIWI) proof systems as part of the construction. We prove it secure in the KTY sense under non-interactive (and thus falsifiable) assumptions.

As far as efficiency goes, our scheme is on par with the most efficient standard model group signatures: for recommended parameters, we obtain signatures of less than 2.6 kB, which is close to the size of Groth’s signatures [28].

Organization. In the following, section 2 first describes the model of the TS primitive and the various tools and assumptions that we use. The scheme is described in section 3 and its security results are proved in the appendix.

2 Background

Throughout the paper, when $S$ is a set, $x \xleftarrow{\$} S$ denotes the action of choosing $x$ uniformly at random in $S$. By $a \in \mathrm{poly}(\lambda)$, we mean that $a$ is a polynomial in $\lambda$ while $b \in \mathrm{negl}(\lambda)$ says that $b$ is a negligible function of $\lambda$ (i.e., a function that decreases faster than the inverse of any $a \in \mathrm{poly}(\lambda)$). When $a$ and $b$ are binary strings, $a||b$ stands for their concatenation.

2.1 Complexity Assumptions

We use groups $(\mathbb{G}, \mathbb{G}_T)$ of prime order $p$ and endowed with an efficiently computable map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ such that $e(g^a, h^b) = e(g, h)^{ab}$ for any elements $(g, h) \in \mathbb{G} \times \mathbb{G}$, $a, b \in \mathbb{Z}$ and $e(g, h) \ne 1_{\mathbb{G}_T}$ whenever $g, h \ne 1_{\mathbb{G}}$.

In this algebraic setting, we rely on hardness assumptions that are all falsifiable [35]. The first one, introduced by Boneh, Boyen and Shacham [12], allows constructing NIWI proofs as pointed out in [31].

Definition 1. In a group $\mathbb{G} = \langle g \rangle$ of prime order $p > 2^{\lambda}$, the Decision Linear Problem (DLIN) is to distinguish the distributions $(g^a, g^b, g^{ac}, g^{bd}, g^{c+d})$ and $(g^a, g^b, g^{ac}, g^{bd}, g^{z})$, with $a, b, c, d \xleftarrow{\$} \mathbb{Z}_p^*$, $z \xleftarrow{\$} \mathbb{Z}_p^*$. The Decision Linear Assumption asserts that, for any PPT distinguisher $D$,

$$\mathbf{Adv}^{\mathrm{DLIN}}_{\mathbb{G}, D}(\lambda) = \Bigl| \Pr[D(g^a, g^b, g^{ac}, g^{bd}, g^{c+d}) = 1 \mid a, b, c, d \xleftarrow{\$} \mathbb{Z}_p^*] - \Pr[D(g^a, g^b, g^{ac}, g^{bd}, g^{z}) = 1 \mid a, b, c, d \xleftarrow{\$} \mathbb{Z}_p^*, z \xleftarrow{\$} \mathbb{Z}_p^*] \Bigr| \in \mathrm{negl}(\lambda).$$

This problem amounts to deciding whether vectors $\vec{g}_1 = (g^a, 1, g)$, $\vec{g}_2 = (1, g^b, g)$ and $\vec{g}_3$ are linearly dependent or not.

We also use a variant, first considered by Boyen and Waters [17], of the Strong Diffie-Hellman assumption [11].

Definition 2 ([17]). In a group $\mathbb{G}$ of prime order $p$, the $\ell$-Hidden Strong Diffie-Hellman problem ($\ell$-HSDH) is, given elements $(g, \Omega = g^{\omega}, u) \xleftarrow{\$} \mathbb{G}^3$



and $\ell$ distinct triples $(g^{1/(\omega+s_i)}, g^{s_i}, u^{s_i})$ with $s_1, \ldots, s_{\ell} \in \mathbb{Z}_p^*$, to find another triple $(g^{1/(\omega+s)}, g^{s}, u^{s})$ such that $s \ne s_i$ for $i = 1, \ldots, \ell$.

We finally need a variant of the problem, called Triple Diffie-Hellman, recently considered by Belenkiy et al. [6].

Definition 3. Let $\mathbb{G}$ be a group of prime order $p$. The (modified) $\ell$-Triple Diffie-Hellman Problem ($\ell$-mTDH) is, given $(g, g^a, g^b) \in \mathbb{G}^3$, for randomly chosen $a, b \xleftarrow{\$} \mathbb{Z}_p^*$, and $\ell$ distinct pairs $(g^{1/(a+c_i)}, c_i)$ with $c_1, \ldots, c_{\ell} \in \mathbb{Z}_p^*$, to output a triple $(g^{\mu}, g^{b\mu}, g^{ab\mu})$ for some non-zero $\mu \in \mathbb{Z}_p^*$.

The original Triple Diffie-Hellman problem [6] was to find a triple $(g^{a\mu}, g^{b\mu}, g^{ab\mu})$ given the same inputs. In the paper, we only need these to comprise a single pair $(c, g^{1/(a+c)})$ (i.e., $\ell = 1$). A related assumption, called BB-CDH [5], asserts the infeasibility of finding $g^{ab}$ on input of $(g^a, g^b)$ as well as pairs $(g^{1/(a+c_i)}, c_i)$ with $c_1, \ldots, c_{\ell} \in \mathbb{Z}_p^*$. Under the knowledge of exponent assumption (KEA)² [21], the $\ell$-mTDH problem is equivalent to the BB-CDH problem. The generic hardness of $\ell$-mTDH is thus implied by that of KEA [23,1] and BB-CDH.

2.2 Model and Security Notions

A traceable signature consists of the following algorithms or protocols.

Setup: given a security parameter $\lambda \in \mathbb{N}$, this algorithm (possibly run by a trusted party) generates a group public key $Y$, that is widely distributed, and the matching private key $S$ which is handed to the group manager.

Join(GM, $U_i$): is an interactive protocol, between the group manager GM and the prospective user $U_i$, whereby the latter obtains a membership secret $sec_i$, that nobody else knows, and a membership certificate $cert_i$. The GM stores the whole transcript in a database called transcripts, which is a private database also containing the coin tosses that were used by the GM.

Sign: given a membership certificate $cert_i$, a membership secret $sec_i$ and a message $M$, this algorithm outputs a traceable signature $\sigma$ of $M$.

Verify: on input of a signature $\sigma$, a message $M$ and a group public key $Y$, this deterministic algorithm returns 0 or 1.

Open: takes as input a signature $\sigma$ that verifies under the group public key $Y$, the corresponding private key $S$ and the database transcripts of all transcripts of join protocols. It outputs the identity $i$ of a group member.

Reveal: takes as input the group manager’s private key $S$, the index $i$ of a group member and the join transcript $transcript_i$ of user $i$. It outputs the latter’s tracing trapdoor $trace_i$.

Trace: on input of a valid traceable signature $\sigma$, the group public key $Y$ and a tracing trapdoor $trace_i$ for user $i$, this algorithm outputs either 0 or 1.

Claim: takes as input the group public key $Y$, a valid signature $\sigma$ issued by user $i$, the latter’s membership secret $sec_i$ and certificate $cert_i$. The output is an authorship claim $\tau$ of user $i$ for $\sigma$.

² This assumption states that, given $g, g^a \in \mathbb{G}$, the only way to generate a pair $(h, h^a) \in \mathbb{G}^2$ is to raise $g$ and $g^a$ to some power and thus know $x = \log_g(h)$.



Claim-Verify: given a group public key $Y$, a signature $\sigma$ and a claim $\tau$, this deterministic algorithm outputs 0 or 1.

Security properties are formalized by experiments where the adversary is granted access to oracles sharing certain variables:

- state: contains the join transcripts, membership certificates and secrets that have been defined so far.
- $N$ is the number of users in the group.
- Sigs: is the database of signatures issued by the $Q_{\mathrm{sig}}$ oracle.
- Revs: is the set of members that have been the input of a $Q_{\mathrm{reveal}}$ query.
- $U^p$: is the set of honest users introduced in the system via a $Q_{\text{p-join}}$ query.
- $U^a$: is the set of adversarially-controlled users in the system.
- $U^b$: is the set of users that were introduced by the adversary acting as a dishonest group manager. For such users, the transcript of the join protocol is leaked to the adversary.

The various oracles that adversaries are given access to are listed below.

- $Q_Y$: returns the public information $(N, Y)$ of the system.
- $Q_S$: returns the group manager’s private key and thereby allows the adversary to corrupt the latter.
- $Q_{\text{p-join}}$: is an oracle that privately introduces new honest users in the group. It simulates the join protocol in private, adds index $N$ into $U^p$, increases $N$ by 1, sets $\mathrm{state} \leftarrow \mathrm{state} || (N, transcript_N, cert_N, sec_N)$ and $\mathrm{transcripts} \leftarrow \mathrm{transcripts} || (N, transcript_N)$.
- $Q_{\text{a-join}}$: allows the adversary to introduce users under her control in the group. The oracle, acting as the group manager, interacts with the malicious prospective user in the join protocol. If the protocol successfully terminates, the oracle increments $N$, sets $\mathrm{state} \leftarrow \mathrm{state} || (N, transcript_N, cert_N, \bot)$, $\mathrm{transcripts} \leftarrow \mathrm{transcripts} || (N, transcript_N)$ and adds $N$ into $U^a$.
- $Q_{\text{b-join}}$: allows the adversary, acting as a dishonest group manager, to introduce new group members. The oracle, acting on behalf of the prospective user, interacts with the malicious group manager in the join protocol. If the latter successfully terminates, the oracle increases $N$ by 1, sets $\mathrm{state} \leftarrow \mathrm{state} || (N, transcript_N, cert_N, \bot)$, and adds $N$ into $U^b$.
- $Q_{\mathrm{sig}}$: on input of a message $M$ and a user index $i$, the oracle checks if state contains an entry of the form $(i, \cdot, cert_i, sec_i)$. If no such record is found or if $i \in U^a$, it returns $\bot$. Otherwise, it generates and returns a traceable signature on behalf of user $i$ using $cert_i$ and $sec_i$. It also sets $\mathrm{Sigs} \leftarrow \mathrm{Sigs} || (i, M, \sigma)$.
- $Q_{\mathrm{reveal}}$: on input of a user index $i$, this oracle returns $\bot$ if user $i$ does not exist or if $i \in U^b$. Otherwise, it returns the output of $\mathsf{Reveal}(i, \mathrm{transcripts})$ and adds $i$ to Revs.

Misidentification Attacks. In a misidentification attack, the adversary is allowed to control a number of group members. Through the $Q_{\text{p-join}}$ and $Q_{\mathrm{sig}}$ oracles, she can observe operations while users are added and generate signatures. She is also given access to users’ tracing information via the $Q_{\mathrm{reveal}}$ oracle. Her



goal is to produce a non-trivial valid signature that does not open to any of the users under her control or that cannot be traced back to one of them.

Definition 4. A traceable signature is secure against misidentification attacks if $\mathbf{Adv}^{\text{mis-id}}_{A}(\lambda) = \Pr[\mathbf{Expt}^{\text{mis-id}}_{A}(\lambda) = 1] \in \mathrm{negl}(\lambda)$ for any PPT adversary $A$ involved in the experiment below.

Experiment $\mathbf{Expt}^{\text{mis-id}}_{A}(\lambda)$
  $(Y, S) \leftarrow \mathsf{Setup}(\lambda)$;
  $(M^{\star}, \sigma^{\star}) \leftarrow A(Q_Y, Q_{\text{p-join}}, Q_{\text{a-join}}, Q_{\mathrm{sig}}, Q_{\mathrm{reveal}})$;
  If $\mathsf{Verify}(M^{\star}, \sigma^{\star}, Y) = 0$ then return 0;
  If $\bigl((\mathsf{Open}(\sigma^{\star}, Y, S) \notin U^a) \vee (\bigwedge_{i \in U^a} \mathsf{Trace}(\sigma^{\star}, \mathsf{Reveal}(i)) = 0)\bigr) \wedge \bigl(\bigwedge_{i \in U^p} (i, M^{\star}, *) \notin \mathrm{Sigs}\bigr)$ then return 1;
  Return 0;

Framing Attacks. In a framing attack, the adversary can corrupt the group manager (via the $Q_S$ oracle) and observe the system while users are added and produce signatures. Two kinds of framing attacks are considered. First, the adversary is deemed successful if she manages to produce a signature that opens or traces to an innocent group member. Second, she also wins if she can successfully claim a signature produced by another user as her own.

The model of non-frameability considered in [33,20] implicitly captures a flavor of strong unforgeability [2] in that it can only be satisfied when adversaries are unable to randomize existing signatures and turn them into other signatures on the same message. Here, due to the use of NIWI proof systems where proofs are publicly re-randomizable, we will need to consider a slightly relaxed flavor of non-frameability. To this end, we define an equivalence relation over the signature space. In our scheme, each signature consists of a number of traceability values, several commitments and a set of proof elements. We say that two message-signature pairs $(M_1, \sigma_1)$, $(M_2, \sigma_2)$ belong to the same equivalence class, which we denote by $(M_1, \sigma_1) \equiv_s (M_2, \sigma_2)$, if they pertain to the same message (i.e., $M_1 = M_2$) and comprise identical traceability values.

Definition 5. A traceable signature is secure against framing attacks if, for any PPT adversary $A$, $\mathbf{Adv}^{\mathrm{fra}}_{A}(\lambda) = \Pr[\mathbf{Expt}^{\mathrm{fra}}_{A}(\lambda) = 1]$ is negligible.

Experiment $\mathbf{Expt}^{\mathrm{fra}}_{A}(\lambda)$
  $(Y, S) \leftarrow \mathsf{Setup}(\lambda)$;
  $(M^{\star}, \sigma^{\star}, \tau^{\star}) \leftarrow A(Q_Y, Q_S, Q_{\text{b-join}}, Q_{\mathrm{sig}})$;
  If $\mathsf{Verify}(M^{\star}, \sigma^{\star}, Y) = 0$ then return 0;
  If $\bigl((\mathsf{Open}(\sigma^{\star}, Y, S) = i \in U^b) \vee (\exists i \in U^b \text{ s.t. } \mathsf{Trace}(\sigma^{\star}, \mathsf{Reveal}(i)) = 1)\bigr) \wedge \bigl(\nexists (i, M, \sigma) \in \mathrm{Sigs} \text{ s.t. } (M^{\star}, \sigma^{\star}) \equiv_s (M, \sigma)\bigr)$ then return 1;
  If $(\exists i \in U^b \text{ s.t. } (i, M, \sigma) \in \mathrm{Sigs} \text{ and } (M^{\star}, \sigma^{\star}) \equiv_s (M, \sigma)) \wedge (\mathsf{Claim\text{-}Verify}(\sigma^{\star}, \tau^{\star}) = 1)$ then return 1;
  Return 0;

Anonymity. An anonymity adversary runs in two stages called play and guess. In the first one, the adversary is allowed to join the system via $Q_{\text{a-join}}$-queries on polynomially-many occasions. Using the $Q_{\text{p-join}}$, $Q_{\mathrm{sig}}$ oracles, she can observe the



system while users are privately introduced and sign messages. She can finally obtain tracing trapdoors for users of her choice. At the end of the play stage, she chooses two privately introduced users $i^{\star}_0, i^{\star}_1$ that were not the input of a $Q_{\mathrm{reveal}}$-query and obtains a signature on behalf of one of them. In the guess stage, she aims at finding out who the signer was among $i^{\star}_0$ and $i^{\star}_1$.

Definition 6. A traceable signature is anonymous if, for any PPT adversary $A$, we have $\mathbf{Adv}^{\mathrm{anon}}(A) := |\Pr[\mathbf{Expt}^{\mathrm{anon}}_{A}(\lambda) = 1] - 1/2| \in \mathrm{negl}(\lambda)$, where

Experiment $\mathbf{Expt}^{\mathrm{anon}}_{A}(\lambda)$
  $(Y, S) \leftarrow \mathsf{Setup}(\lambda)$;
  $(aux, M^{\star}, i^{\star}_0, i^{\star}_1) \leftarrow A(\text{play} : Q_Y, Q_{\text{p-join}}, Q_{\text{a-join}}, Q_{\mathrm{sig}}, Q_{\mathrm{reveal}})$;
  If $(i^{\star}_0 \notin U^p) \vee (i^{\star}_1 \notin U^p) \vee (i^{\star}_0 \in \mathrm{Revs}) \vee (i^{\star}_1 \in \mathrm{Revs})$ then return 0;
  $d^{\star} \xleftarrow{\$} \{0, 1\}$; $\sigma^{\star} \leftarrow \mathsf{Sign}(M^{\star}, Y, cert_{i^{\star}_{d^{\star}}}, sec_{i^{\star}_{d^{\star}}})$;
  $d' \leftarrow A(\text{guess}, \sigma^{\star}, aux : Q_Y, Q_{\text{p-join}}, Q_{\text{a-join}}, Q_{\mathrm{sig}}, Q_{\mathrm{reveal}})$;
  If $(i^{\star}_0 \in \mathrm{Revs}) \vee (i^{\star}_1 \in \mathrm{Revs})$ then return 0;
  If $d' = d^{\star}$ then return 1;
  Return 0;

The KTY model does not provide adversaries with an opening oracle in the definition of anonymity. On the other hand, since tracing is a distributed operation, the model considers (via the $Q_{\mathrm{reveal}}$ oracle) the threat of corrupted tracing agents. In the following, we will stick to that model. In applications where anonymity should be preserved when opening queries are allowed, it is not hard to modify our scheme (using the technique of [28]) to obtain anonymity in the CCA2 sense.

2.3 Groth-Sahai Commitments

In the following, for equal-dimension vectors or matrices $A$ and $B$ containing group elements, $A \odot B$ stands for their component-wise product.

When based on the DLIN assumption, the Groth-Sahai proof systems [31] use a common reference string comprising vectors $\vec{g}_1, \vec{g}_2, \vec{g}_3 \in \mathbb{G}^3$ where, for some elements $g_1, g_2 \in \mathbb{G}$, $\vec{g}_1 = (g_1, 1, g)$, $\vec{g}_2 = (1, g_2, g)$. To commit to a group element $X \in \mathbb{G}$, one sets $\vec{C} = (1, 1, X) \odot \vec{g}_1^{\,r} \odot \vec{g}_2^{\,s} \odot \vec{g}_3^{\,t}$ with $r, s, t \xleftarrow{\$} \mathbb{Z}_p^*$. When the proof system is chosen to provide perfectly sound proofs, $\vec{g}_3$ is chosen as $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \odot \vec{g}_2^{\,\xi_2}$ with $\xi_1, \xi_2 \xleftarrow{\$} \mathbb{Z}_p^*$. Commitments are then Boneh-Boyen-Shacham (BBS) encryptions since $\vec{C} = (g_1^{r+\xi_1 t}, g_2^{s+\xi_2 t}, X \cdot g^{r+s+t(\xi_1+\xi_2)})$ and decryption is possible using $\alpha_1 = \log_g(g_1)$, $\alpha_2 = \log_g(g_2)$. In the WI setting, $\vec{g}_1, \vec{g}_2, \vec{g}_3$ are linearly independent and $\vec{C}$ is a perfectly hiding commitment.

Under the DLIN assumption, the two reference strings are indistinguishable. To commit to exponents $x \in \mathbb{Z}_p$, one uses vectors $\vec{\varphi}, \vec{g}_1, \vec{g}_2$ and computes $\vec{C} = \vec{\varphi}^{\,x} \odot \vec{g}_1^{\,r} \odot \vec{g}_2^{\,s}$. In the soundness setting $\vec{\varphi}, \vec{g}_1, \vec{g}_2$ are linearly independent vectors whereas, in the WI setting, choosing $\vec{\varphi} = \vec{g}_1^{\,\xi_1} \odot \vec{g}_2^{\,\xi_2}$ gives a perfectly hiding commitment as $\vec{C}$ is a BBS encryption of $1_{\mathbb{G}}$ regardless of the value $x$.

To give evidence that committed variables satisfy a set of relations, the idea is to start from the relations themselves and replace variables by commitments.



The prover then generates a proof (consisting of a set of group elements) for each relation. The whole proof consists of one commitment per variable and one proof for each relation.

3 Construction

Intuition. The group manager has a public key comprising $(\Omega = g^{\omega}, h_0, h_1, h_2)$ and uses $\omega \in \mathbb{Z}_p^*$ to generate membership certificates. These consist of 5 elements $(K_1, K_2, K_3, K_4, y)$ and are reminiscent of users’ private keys in [17]. Namely, $K_1$ is derived as $K_1 = (h_0 \cdot h_1^{x} \cdot h_2^{y})^{1/(\omega + s_{ID})}$, where $s_{ID}$ is chosen by GM and identifies the user $U$ while $x$ is only known to $U$ as his membership secret. The last element $y$ is chosen by GM as part of the tracing trapdoor for $U$. The certificate also contains $K_3 = g^{s_{ID}}$ and $K_4 = u_0^{s_{ID}}$ as in [17]. Security proofs also require to include $K_2 = g^{1/(\omega+s_{ID})}$ (so that, as in [15], $\omega$ and $s_{ID}$ simultaneously appear more than once as denominators in the exponent).

To ensure traceability, each signature must contain “traceability values” that make it possible to link the signature to its issuer using the appropriate trapdoor. One of the technical points to address is to get these traceability values to interact with Groth-Sahai proof systems in a simple manner. Indeed, at some step of the proof of anonymity, knowledge of the underlying values will have to be simulated in a zero-knowledge way (i.e., without knowing the actual witnesses). Previously used approaches using pairings (e.g., [20]) would require the traceability components to satisfy some pairing-product equation [31], for which zero-knowledge proofs usually come at some additional cost. As such traceability values, we rather let the signer include pieces of a linear tuple $(T_1, T_2, T_3) = (g^{x\delta_1}, g^{y\delta_2}, g^{\delta_1+\delta_2})$ – which is a set of multi-exponentiation equations in the Groth-Sahai terminology – in each signature in such a way that the tracing trapdoor $(X = g^x, y)$ allows testing whether a signature stems from user $U$ by checking if $e(T_1, g) = e(X, T_3/T_2^{1/y})$. Thanks to the use of multi-exponentiation equations, knowledge of the underlying $\delta_1, \delta_2$ will be simulatable (in the WI setting) in a simple way in the proof of anonymity, which eventually relies on the sole Decision Linear assumption.

In traceability concerns, attention must be paid to the fact that users may be tempted to alter their certificate and modify $X, y$ so as to defeat tracing attempts. Therefore, we require each signature to include (commitments to) quantities $h_1^x \cdot h_2^y$ and $h_3^x \cdot h_4^y$, for some group elements $h_3$ and $h_4$, which renders certificate randomizations infeasible (as established by the proof against Type III forgeries in the security analysis against misidentification attacks). Signers are able to claim their signatures by proving knowledge of $x, y$ such that $T_3 = T_1^{1/x} \cdot T_2^{1/y}$. Such proofs are also non-interactive and use an independent common reference string that must be generated by a trusted party (and not by the group manager as the latter could claim honest users' signatures if it were allowed to generate this reference string itself).

In [17], group members sign messages by choosing $r$ at random and computing pairs $(\theta_1, \theta_2) = (u_0^{s_{ID}} \cdot G(m)^r, g^r)$ using Waters' technique [37] and a suitable hash function $G$. In non-frameability concerns, we force signers to also use their membership secret $x$ and generate such pairs $(\theta_1, \theta_2)$ somewhat in the fashion of the Waters-based multi-signature of Lu et al. [34]. Instead of signing $m$ as $(\theta_1, \theta_2) = (u_0^{s_{ID}} \cdot u_1^x \cdot G(m)^r, g^r)$, we need to generate such pairs as $(\theta_1, \theta_2) = (u_0^{s_{ID}} \cdot u_1^{x\delta_1} \cdot G(m)^r, g^r)$ for the proof of non-frameability to work. Of course, $u_1$ and the set of group elements that implement the number theoretic hash function $G(\cdot)$ are assumed to come from a trusted key generation procedure. In particular, the discrete logarithm $\log_g(u_1)$ must be held back from the group manager as, otherwise, a dishonest GM could frame honest users.

To ensure non-repudiation, we also assume that users have a public key $upk$ registered in some PKI and use the private key $usk$ to sign (using a regular signature scheme) parts $(X, K_1, K_2, K_3, y)$ of their membership certificate. This actually follows [9] that explicitly requires such a PKI to implement the usually assumed private authenticated channels in group signatures.

Description. In notations hereafter, it is convenient to define the coordinate-wise pairing $E : \mathbb{G} \times \mathbb{G}^3 \to \mathbb{G}_T^3$ such that, for any $h \in \mathbb{G}$ and $\vec{g} = (g_1, g_2, g_3)$, $E(h, \vec{g}) = (e(h, g_1), e(h, g_2), e(h, g_3))$. We also use a symmetric bilinear map $F : \mathbb{G}^3 \times \mathbb{G}^3 \to \mathbb{G}_T^9$ such that, for any vectors $\vec{X} = (X_1, X_2, X_3) \in \mathbb{G}^3$ and $\vec{Y} = (Y_1, Y_2, Y_3) \in \mathbb{G}^3$, $F(\vec{X}, \vec{Y}) = \tilde{F}(\vec{X}, \vec{Y})^{1/2} \cdot \tilde{F}(\vec{Y}, \vec{X})^{1/2}$, where the non-commutative mapping $\tilde{F} : \mathbb{G}^3 \times \mathbb{G}^3 \to \mathbb{G}_T^9$ sends $(\vec{X}, \vec{Y})$ onto the matrix $\tilde{F}(\vec{X}, \vec{Y})$ of entry-wise pairings (i.e., containing $e(X_i, Y_j)$ in its entry $(i, j)$).

Also, for any $z \in \mathbb{G}_T$, $\iota_T(z)$ denotes the $3 \times 3$ matrix containing $z$ in position $(3, 3)$ and $1$ everywhere else. For $X \in \mathbb{G}$, the notation $\iota(X)$ will sometimes denote the vector $(1, 1, X) \in \mathbb{G}^3$.

Setup($\lambda$, $n$): for security parameters $\lambda$ and $n \in \mathrm{poly}(\lambda)$, choose bilinear groups $(\mathbb{G}, \mathbb{G}_T)$ of order $p > 2^\lambda$, with $g, h_0, h_2, h_3, h_4, u_0, u_1 \overset{\$}{\leftarrow} \mathbb{G}$. Select $\gamma_1, \omega \overset{\$}{\leftarrow} \mathbb{Z}_p^*$ and set $h_1 = g^{\gamma_1}$, $\Omega = g^\omega$. Select $\mathbf{v} = (v_0, v_1, \ldots, v_n) \overset{\$}{\leftarrow} \mathbb{G}^{n+1}$. Choose vectors $\mathbf{g} = (\vec{g}_1, \vec{g}_2, \vec{g}_3)$ such that $\vec{g}_1 = (g_1, 1, g) \in \mathbb{G}^3$, $\vec{g}_2 = (1, g_2, g) \in \mathbb{G}^3$, and $\vec{g}_3 = \vec{g}_1^{\,\xi_1} \odot \vec{g}_2^{\,\xi_2}$, with $g_1 = g^{\alpha_1}$, $g_2 = g^{\alpha_2}$ and $\alpha_1, \alpha_2 \overset{\$}{\leftarrow} \mathbb{Z}_p^*$, $\xi_1, \xi_2 \overset{\$}{\leftarrow} \mathbb{Z}_p$. It also chooses $\mathbf{f} = (\vec{f}, \vec{f}_1, \vec{f}_2)$ so that $\vec{f}, \vec{f}_1, \vec{f}_2$ are linearly independent. The algorithm also specifies a hash function $H : \{0, 1\}^* \to \{0, 1\}^n$ from a collision-resistant family. The group public key is defined to be
$$\mathcal{Y} := \big(g, h_0, h_1 = g^{\gamma_1}, h_2, h_3, h_4, \Omega = g^\omega, u_0, u_1, \mathbf{v}, \mathbf{g}, \mathbf{f}, H\big)$$
while the private key $\mathcal{S} := (\gamma_1, \omega, \alpha_1, \alpha_2)$ is given to the group manager.

Join(GM, $U_i$): the prospective group member $U_i$ and the group manager GM run an interactive protocol whereby the user obtains a membership certificate $cert_i$ and a membership secret $sec_i$. The protocol is the following:

1. User $U_i$ and the GM execute an interactive protocol (such as Groth's protocol [28, Section 4.1] recalled in appendix A) allowing them to jointly generate $X = g^x$ so that $x \in \mathbb{Z}_p$ is randomly distributed and known only to the user while GM learns the corresponding public value $X$.

2. GM computes $h_1^x = X^{\gamma_1}$ and uses it to compute $K_1 = (h_0 \cdot h_1^x \cdot h_2^y)^{1/(\omega + s_{ID})}$, $K_2 = g^{1/(\omega + s_{ID})}$, $K_3 = g^{s_{ID}}$ and $K_4 = u_0^{s_{ID}}$, for newly chosen random values $s_{ID}, y \overset{\$}{\leftarrow} \mathbb{Z}_p^*$. Elements $K_1, K_2, K_3$ and $y$ are sent to the user.

3. $U_i$ checks that the received elements $(K_1, K_2, K_3, y)$ satisfy
$$e(K_1, \Omega \cdot K_3) = e(h_0, g) \cdot e(h_1, X) \cdot e(h_2, g)^y, \qquad e(K_2, \Omega \cdot K_3) = e(g, g).$$
If so, he generates a signature $sig_i = \mathrm{Sign}_{usk[i]}(X \| K_1 \| K_2 \| K_3 \| g^y)$ and sends it back to GM.

4. If $\mathrm{Verify}_{upk[i]}(X \| K_1 \| K_2 \| K_3 \| g^y, sig_i) = 1$, GM sends $K_4 = u_0^{s_{ID}}$ to $U_i$ and stores the record $transcript_i := (X, K_1, K_2, K_3, K_4, y, sig_i)$ in its database transcripts. User $U_i$ checks that $e(K_3, u_0) = e(g, K_4)$. If so, he sets his membership certificate as $cert_i := (K_1, K_2, K_3, K_4, y)$ and his membership secret as $sec_i := x$.

Sign($M$, $\mathcal{Y}$, $cert_i$, $sec_i$): to sign $M$, user $U_i$ parses $cert_i$ as $(K_1, K_2, K_3, K_4, y)$ and $sec_i$ as $x \in \mathbb{Z}_p^*$ and conducts the following steps.

1. Choose $\delta_1, \delta_2 \overset{\$}{\leftarrow} \mathbb{Z}_p^*$ and compute the traceability values
$$T_1 = g^{x\delta_1} \qquad T_2 = g^{y\delta_2} \qquad T_3 = g^{\delta_1 + \delta_2}$$

2. Set $G(m) = v_0 \cdot \prod_{j=1}^{n} v_j^{m_j}$ with $m = m_1 \ldots m_n = H(M \| T_1 \| T_2 \| T_3)$.

3. Pick $r_s \overset{\$}{\leftarrow} \mathbb{Z}_p^*$ and compute
$$\theta_1 = K_1 = (h_0 \cdot h_1^x \cdot h_2^y)^{1/(\omega + s_{ID})}$$
$$\theta_2 = K_2 = g^{1/(\omega + s_{ID})}$$
$$\theta_3 = K_3 = g^{s_{ID}}$$
$$\theta_4 = K_4 \cdot u_1^{x\delta_1} \cdot G(m)^{r_s} = u_0^{s_{ID}} \cdot u_1^{x\delta_1} \cdot G(m)^{r_s}$$
$$\theta_5 = g^{r_s}$$
$$\theta_6 = h_1^x \cdot h_2^y$$
$$\theta_7 = h_3^x \cdot h_4^y$$
$$\theta_8 = g^x$$
$$\theta_9 = g^y$$
so that
$$e(\theta_1, \Omega \cdot \theta_3) = e(h_0, g) \cdot e(\theta_6, g) \quad (1)$$
$$e(\theta_2, \Omega \cdot \theta_3) = e(g, g) \quad (2)$$
$$e(\theta_4, g) = e(u_0, \theta_3) \cdot e(u_1, T_1) \cdot e(G(m), \theta_5) \quad (3)$$
$$e(\theta_6, g) = e(h_1, \theta_8) \cdot e(h_2, \theta_9) \quad (4)$$
$$e(\theta_7, g) = e(h_3, \theta_8) \cdot e(h_4, \theta_9) \quad (5)$$

4. Commit to variables $\theta_i$, for $i = 1, \ldots, 9$. That is, for $i = 1, \ldots, 9$, choose $r_i, s_i, t_i \overset{\$}{\leftarrow} \mathbb{Z}_p^*$ and set $\vec{\sigma}_i = (1, 1, \theta_i) \cdot \vec{g}_1^{\,r_i} \cdot \vec{g}_2^{\,s_i} \cdot \vec{g}_3^{\,t_i}$. Then, commit to $\delta_1, \delta_2$ by choosing $r_{10}, s_{10}, r_{11}, s_{11} \overset{\$}{\leftarrow} \mathbb{Z}_p^*$ and setting $\vec{\sigma}_{10} = \vec{\varphi}^{\,\delta_1} \cdot \vec{g}_1^{\,r_{10}} \cdot \vec{g}_2^{\,s_{10}}$, $\vec{\sigma}_{11} = \vec{\varphi}^{\,\delta_2} \cdot \vec{g}_1^{\,r_{11}} \cdot \vec{g}_2^{\,s_{11}}$, where $\vec{\varphi} = \vec{g}_3 \odot (1, 1, g)$.

5. Give proofs that committed variables $\theta_1, \ldots, \theta_9$ satisfy (1)-(5) and that $\vec{\sigma}_{10}, \vec{\sigma}_{11}$ are commitments to values $\delta_1, \delta_2$ satisfying
$$T_1 = \theta_8^{\delta_1} \qquad T_2 = \theta_9^{\delta_2} \qquad T_3 = g^{\delta_1 + \delta_2} \quad (6)$$


a. Relations (1)-(2) are quadratic pairing-product equations (in the terminology of [31]) over variables $\theta_1, \theta_2, \theta_3, \theta_6$. Each relation requires a proof consisting of 9 group elements. Let us call these proofs $\pi_1 = (\vec{\pi}_{1,1}, \vec{\pi}_{1,2}, \vec{\pi}_{1,3})$, $\pi_2 = (\vec{\pi}_{2,1}, \vec{\pi}_{2,2}, \vec{\pi}_{2,3})$. Relations (6) are multi-exponentiation equations. The first two are quadratic and proofs $\pi_6 = (\vec{\pi}_{6,1}, \vec{\pi}_{6,2}, \vec{\pi}_{6,3})$ and $\pi_7 = (\vec{\pi}_{7,1}, \vec{\pi}_{7,2}, \vec{\pi}_{7,3})$ both consist of 3 vectors of $\mathbb{G}^3$. The third relation of (6) is a linear multi-exponentiation equation and the proof $\pi_8 = (\pi_{8,1}, \pi_{8,2})$ is just 2 group elements.

b. Relations (3)-(5) are linear pairing-product equations over variables $\theta_3, \ldots, \theta_9$. Corresponding proofs cost 3 group elements each and $\pi_3, \pi_4, \pi_5$ are all vectors of $\mathbb{G}^3$.

For clarity, we abstract away the construction of these proofs from the present description and refer to [31] for details.

The signature finally consists of $\sigma = (T_1, T_2, T_3, \vec{\sigma}_1, \ldots, \vec{\sigma}_{11}, \pi_1, \ldots, \pi_8)$.

Verify($M$, $\sigma$, $\mathcal{Y}$): parse the signature $\sigma$ as $(T_1, T_2, T_3, \vec{\sigma}_1, \ldots, \vec{\sigma}_{11}, \pi_1, \ldots, \pi_8)$. Set $m = m_1 \ldots m_n = H(M \| T_1 \| T_2 \| T_3)$ and compute $G(m) = v_0 \cdot \prod_{j=1}^{n} v_j^{m_j}$. Verifying $\pi_1, \ldots, \pi_8$ entails checking whether the following equations (some of which bear resemblance to relations (1)-(5)), where $\vec{\varphi} = \vec{g}_3 \odot (1, 1, g)$, are all satisfied. The verifier returns 1 if they are and 0 otherwise.

1) $F(\vec{\sigma}_1, \iota(\Omega) \odot \vec{\sigma}_3) = \iota_T(e(h_0, g)) \odot F(\vec{\sigma}_6, \iota(g)) \odot F(\vec{g}_1, \vec{\pi}_{1,1}) \odot F(\vec{g}_2, \vec{\pi}_{1,2}) \odot F(\vec{g}_3, \vec{\pi}_{1,3})$

2) $F(\vec{\sigma}_2, \iota(\Omega) \odot \vec{\sigma}_3) = \iota_T(e(g, g)) \odot F(\vec{g}_1, \vec{\pi}_{2,1}) \odot F(\vec{g}_2, \vec{\pi}_{2,2}) \odot F(\vec{g}_3, \vec{\pi}_{2,3})$

3) $E(g, \vec{\sigma}_4) = E(u_0, \vec{\sigma}_3) \odot E(u_1, \iota(T_1)) \odot E(G(m), \vec{\sigma}_5) \odot E(\pi_{3,1}, \vec{g}_1) \odot E(\pi_{3,2}, \vec{g}_2) \odot E(\pi_{3,3}, \vec{g}_3)$

4) $E(g, \vec{\sigma}_6) = E(h_1, \vec{\sigma}_8) \odot E(h_2, \vec{\sigma}_9) \odot E(\pi_{4,1}, \vec{g}_1) \odot E(\pi_{4,2}, \vec{g}_2) \odot E(\pi_{4,3}, \vec{g}_3)$

5) $E(g, \vec{\sigma}_7) = E(h_3, \vec{\sigma}_8) \odot E(h_4, \vec{\sigma}_9) \odot E(\pi_{5,1}, \vec{g}_1) \odot E(\pi_{5,2}, \vec{g}_2) \odot E(\pi_{5,3}, \vec{g}_3)$

6) $F(\vec{\sigma}_8, \vec{\sigma}_{10}) = F(\iota(T_1), \vec{\varphi}) \odot F(\vec{g}_1, \vec{\pi}_{6,1}) \odot F(\vec{g}_2, \vec{\pi}_{6,2}) \odot F(\vec{g}_3, \vec{\pi}_{6,3})$

7) $F(\vec{\sigma}_9, \vec{\sigma}_{11}) = F(\iota(T_2), \vec{\varphi}) \odot F(\vec{g}_1, \vec{\pi}_{7,1}) \odot F(\vec{g}_2, \vec{\pi}_{7,2}) \odot F(\vec{g}_3, \vec{\pi}_{7,3})$

8) $E(g, \vec{\sigma}_{10} \odot \vec{\sigma}_{11}) = E(T_3, \vec{\varphi}) \odot E(\pi_{8,1}, \vec{g}_1) \odot E(\pi_{8,2}, \vec{g}_2)$

Open($\sigma$, $\mathcal{Y}$, $\mathcal{S}$): parse $\sigma$ as $(T_1, T_2, T_3, \vec{\sigma}_1, \ldots, \vec{\sigma}_{11}, \pi_1, \ldots, \pi_8)$ and the private key $\mathcal{S}$ as $\{\gamma_1, \omega, \alpha_1, \alpha_2\}$. For $i = 3, 8, 9$, parse $\vec{\sigma}_i$ as $(\sigma_{i,1}, \sigma_{i,2}, \sigma_{i,3}) \in \mathbb{G}^3$ and compute $\theta_i = \sigma_{i,3} \cdot \sigma_{i,1}^{-1/\alpha_1} \cdot \sigma_{i,2}^{-1/\alpha_2}$. Check whether transcripts contains a record $transcript_i = (X, K_1, K_2, K_3, K_4, y, sig_i)$ such that $\theta_3 = K_3$, $\theta_8 = X$ and $\theta_9 = g^y$. If yes, return $i$ as the signer's index. Otherwise, return $\bot$.
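The commitments of Sign step 4 and the decryption performed by Open, as an added example that is not the paper's own code: the Groth-Sahai proofs are left out since opening only needs the commitment vectors and the trapdoor $(\alpha_1, \alpha_2)$. The toy group (modulus P, subgroup order q, generator g), the transcripts database and all user values are constructed here for illustration.

```python
import secrets

# Toy group constructed for this example: P is a safe prime, q = (P-1)/2 is the
# prime order of the subgroup generated by g = 4, and exponents live in Z_q
# (playing the role of Z_p in the paper). Sizes are for illustration only.
P, q, g = 1019, 509, 4


def vec_mul(u, v):
    """Component-wise product on G^3 (the paper's vector product)."""
    return tuple(a * b % P for a, b in zip(u, v))


def vec_pow(u, e):
    """Component-wise exponentiation on G^3."""
    return tuple(pow(a, e % q, P) for a in u)


def rand_zq_star():
    return 1 + secrets.randbelow(q - 1)


def setup():
    """Setup, restricted to the commitment vectors g1, g2, g3 = g1^xi1 . g2^xi2
    and the opening trapdoor (alpha1, alpha2)."""
    alpha1, alpha2 = rand_zq_star(), rand_zq_star()
    xi1, xi2 = secrets.randbelow(q), secrets.randbelow(q)
    g1_vec = (pow(g, alpha1, P), 1, g)
    g2_vec = (1, pow(g, alpha2, P), g)
    g3_vec = vec_mul(vec_pow(g1_vec, xi1), vec_pow(g2_vec, xi2))
    return (g1_vec, g2_vec, g3_vec), (alpha1, alpha2)


def commit(vecs, theta):
    """Sign step 4: sigma = (1, 1, theta) . g1^r . g2^s . g3^t with fresh r, s, t."""
    sigma = (1, 1, theta)
    for vec in vecs:
        sigma = vec_mul(sigma, vec_pow(vec, rand_zq_star()))
    return sigma


def open_commitment(trapdoor, sigma):
    """Open: theta = sigma3 . sigma1^(-1/alpha1) . sigma2^(-1/alpha2)."""
    alpha1, alpha2 = trapdoor
    e1 = (-pow(alpha1, -1, q)) % q
    e2 = (-pow(alpha2, -1, q)) % q
    return sigma[2] * pow(sigma[0], e1, P) % P * pow(sigma[1], e2, P) % P


def sample_transcripts():
    """Constructed transcripts database: index -> {K3 = g^sID, X = g^x, y}."""
    members = {1: (7, 11, 13), 2: (21, 5, 9)}  # toy (sID, x, y) per user
    return {i: {"K3": pow(g, sid, P), "X": pow(g, x, P), "y": y}
            for i, (sid, x, y) in members.items()}


def signer_commitments(vecs, i, transcripts):
    """What honest signer i commits to as sigma3, sigma8, sigma9:
    theta3 = K3, theta8 = g^x = X, theta9 = g^y."""
    rec = transcripts[i]
    return tuple(commit(vecs, v) for v in (rec["K3"], rec["X"], pow(g, rec["y"], P)))


def mismatched_commitments(vecs, transcripts):
    """The shape of a Type III forgery from the security proof: theta3 of user 2
    combined with theta8, theta9 of user 1, so no record matches all three."""
    return (commit(vecs, transcripts[2]["K3"]),
            commit(vecs, transcripts[1]["X"]),
            commit(vecs, pow(g, transcripts[1]["y"], P)))


def open_signature(trapdoor, sig_commitments, transcripts):
    """Open: decrypt sigma3, sigma8, sigma9 and look (theta3, theta8, theta9) up
    against (K3, X, g^y) in the transcripts database; None stands for bottom."""
    theta3, theta8, theta9 = (open_commitment(trapdoor, c) for c in sig_commitments)
    for i, rec in transcripts.items():
        if (theta3, theta8, theta9) == (rec["K3"], rec["X"], pow(g, rec["y"], P)):
            return i
    return None
```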

Reveal($i$, transcripts): to reveal the tracing trapdoor for user $U_i$, scan transcripts to find $transcript_i = (X, K_1, K_2, K_3, K_4, y, sig_i)$ and output $trace_i := (X, y)$.

Trace($\sigma$, $trace_i$, $\mathcal{Y}$): parse $\sigma$ as $(T_1, T_2, T_3, \vec{\sigma}_1, \ldots, \vec{\sigma}_{11}, \pi_1, \ldots, \pi_8)$ and $trace_i$ as $(X, y) \in \mathbb{G} \times \mathbb{Z}_p^*$. Return 1 if $e(T_3 / T_2^{1/y}, X) = e(g, T_1)$ and 0 otherwise.

Claim($M$, $\sigma$, $sec_i$, $\mathcal{Y}$): given $\sigma = (T_1, T_2, T_3, \vec{\sigma}_1, \ldots, \vec{\sigma}_{11}, \pi_1, \ldots, \pi_8)$, $sec_i = x$ and part $y$ of $cert_i$, prove knowledge of $x, y$ such that $T_3 = T_1^{1/x} \cdot T_2^{1/y}$ using the reference string $\mathbf{f}$. That is, generate commitments
$$\vec{C}_1 = \vec{f}^{\,1/x} \odot \vec{f}_1^{\,r_1} \odot \vec{f}_2^{\,s_1}, \qquad \vec{C}_2 = \vec{f}^{\,1/y} \odot \vec{f}_1^{\,r_2} \odot \vec{f}_2^{\,s_2},$$
with $r_1, s_1, r_2, s_2 \overset{\$}{\leftarrow} \mathbb{Z}_p^*$, and proofs
$$\tau_1 = T_1^{r_1} \cdot T_2^{r_2} \qquad \tau_2 = T_1^{s_1} \cdot T_2^{s_2}$$
The claim is $\tau := (\vec{C}_1, \vec{C}_2, \tau_1, \tau_2)$.

Claim-Verify($M$, $\sigma$, $\tau$, $\mathcal{Y}$): given $\sigma = (T_1, T_2, T_3, \vec{\sigma}_1, \ldots, \vec{\sigma}_{11}, \pi_1, \ldots, \pi_8)$, to verify $\tau = (\vec{C}_1, \vec{C}_2, \tau_1, \tau_2)$, return 1 iff
$$E(T_1, \vec{C}_1) \odot E(T_2, \vec{C}_2) = E(T_3, \vec{f}) \odot E(\tau_1, \vec{f}_1) \odot E(\tau_2, \vec{f}_2).$$

Comments. The opening algorithm performs BBS decryptions on ciphertexts $\vec{\sigma}_3$, $\vec{\sigma}_8$ and $\vec{\sigma}_9$. Theoretically, decrypting only $\vec{\sigma}_3$ could suffice (since $s_{ID}$ must be unique in the database transcripts). However, also decrypting $\vec{\sigma}_8$ and $\vec{\sigma}_9$ simplifies the proofs of security against misidentification attacks and framing attacks. In the former for instance, a failure of the implicit tracing mechanism implies a failure of the opening algorithm and reduces the number of cases to consider.

We note that the claiming system does not prevent eavesdroppers from copying claims in an attempt to be recognized as the author of a signature. The model assumes that the claimed message is transferred either (1) when the receiver is trusted, or (2) the claim is done on a public board so that the commitment to the signature is public and recorded. If no such board is available and we are worried about the receiver of the claim abusing it, the signer can still claim signatures using non-transferable interactive zero-knowledge proofs of knowledge of $x, y$.

Efficiency. From an efficiency point of view, each signature consists of 83 group elements. Using a symmetric pairing configuration with 256-bit prime order groups, we obtain signatures of 2.593 kB.

Signing requires a few tens of exponentiations. While a number of pairing evaluations seem necessary to verify at first glance, probabilistic batch verification techniques allow for dramatic improvements (at the expense of a small probability of wrongly accepting an invalid signature) w.r.t. naive implementations where each pairing is calculated individually. When suitably processed altogether, verification equations 3-5 and 8 require to compute a product of no more than 9 pairings and a few multi-exponentiations. Verification equations 1-2 and 6-7 can be handled by first translating them into a randomized product of several bilinear maps of the type $F(\cdot, \cdot)$. The structure of matrices $F(\cdot, \cdot)$ then makes it possible to decrease the overall verification cost of conditions 1-2 and 6-7 to the equivalent of a product of 15 pairings and some multi-exponentiations.


Security. We establish the security of the scheme in the standard model under the assumptions of section 2.1. Due to space limitations, we only detail part of the proof of security against misidentification attacks in this version and defer other proofs to the full version of the paper.

Theorem 1. The scheme satisfies misidentification security, non-frameability and anonymity if the HSDH, mTDH and DLIN assumptions all hold in $\mathbb{G}$.

Acknowledgements

We thank the anonymous referees for their comments.

References

1. Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007)

2. An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002)

3. Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. Cryptology ePrint Archive: Report 2005/385 (2005)

4. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000)

5. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable Proofs and Delegatable Anonymous Credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009)

6. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)

7. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)

8. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security (ACM CCS 1993), pp. 62–73. ACM Press, New York (1993)

9. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: The case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005)

10. Benjumea, V., Choi, S.G., Lopez, J., Yung, M.: Fair traceable multi-group signatures. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 231–246. Springer, Heidelberg (2008)

11. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)


12. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)

13. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)

14. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: ACM Conference on Computer and Communications Security (ACM CCS 2004), pp. 168–177. ACM Press, New York (2004)

15. Boyen, X., Delerablee, C.: Expressive subgroup signatures. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 185–200. Springer, Heidelberg (2008)

16. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)

17. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)

18. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Journal of the ACM 51(4), 557–594 (2004)

19. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)

20. Choi, S.G., Park, K., Yung, M.: Short traceable signatures based on bilinear pairings. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S.-i. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 88–103. Springer, Heidelberg (2006)

21. Damgard, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)

22. Delerablee, C., Pointcheval, D.: Dynamic fully anonymous short group signatures. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 193–210. Springer, Heidelberg (2006)

23. Dent, A.: The hardness of the DHK problem in the generic group model. Cryptology ePrint Archive: Report 2006/156 (2006)

24. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1986)

25. Furukawa, J., Imai, H.: An efficient group signature scheme from bilinear maps. In: Boyd, C., Gonzalez Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 455–467. Springer, Heidelberg (2005)

26. Ge, H., Tate, S.-R.: Traceable signature: better efficiency and beyond. In: Gavrilova, M.L., Gervasi, O., Kumar, V., Tan, C.J.K., Taniar, D., Lagana, A., Mun, Y., Choo, H. (eds.) ICCSA 2006. LNCS, vol. 3982, pp. 327–337. Springer, Heidelberg (2006)

27. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)

28. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)

29. Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)


30. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006)

31. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)

32. Kiayias, A., Tsiounis, Y., Yung, M.: Traceable signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 571–589. Springer, Heidelberg (2004)

33. Kiayias, A., Yung, M.: Efficient secure group signatures with dynamic joins and keeping anonymity against group managers. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 151–170. Springer, Heidelberg (2005)

34. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006)

35. Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003)

36. Nguyen, L., Safavi-Naini, R.: Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 372–386. Springer, Heidelberg (2004)

37. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

A Groth's Key Generation Protocol

In [28], Groth described the following 5-move protocol that allows a prospective group member $U$ and a group manager GM to jointly generate $X = g^x \in \mathbb{G}$ in such a way that only the user knows $x \in \mathbb{Z}_p^*$ and the latter is further guaranteed to be uniformly distributed. The user $U$ first generates $g^a$. Both parties run a coin-flipping protocol to generate a random value $b + c$, that also serves as a challenge when $U$ proves knowledge of $a$, and the common output finally consists of $X = g^{a+b+c}$, whereas only $U$ happens to know $x = a + b + c$.

1. $U$ picks $a, r \overset{\$}{\leftarrow} \mathbb{Z}_p$, $\eta \overset{\$}{\leftarrow} \mathbb{Z}_p^*$ and sends $A = g^a$, $R = g^r$, $h = g^\eta$ to GM.

2. GM picks $b, s \overset{\$}{\leftarrow} \mathbb{Z}_p$ and sends a commitment $B = g^b \cdot h^s$ to $U$.

3. $U$ sends $c \overset{\$}{\leftarrow} \mathbb{Z}_p$ to GM.

4. GM opens the commitment $B$ and sends the values $b, s$ back to $U$.

5. $U$ checks that $B = g^b \cdot h^s$. If so, $U$ sends $z = (b + c)a + r \bmod p$ and $\eta$ to GM and outputs $x = a + b + c$.

6. GM finally checks that $\eta \in \mathbb{Z}_p^*$, $h = g^\eta$ and $A^{b+c} \cdot R = g^z$. If so, GM outputs $X = A \cdot g^{b+c}$.

Under the discrete logarithm assumption in $\mathbb{G}$, this protocol has black-box simulators that can emulate the view of a malicious user or a malicious group manager. In the former case, the simulator has rewind access to the malicious user and can force his private output to be a given value $x \in \mathbb{Z}_p$. In the latter case, the view of the malicious issuer can be simulated to get his output to be a given $X \in \mathbb{G}$. Moreover, the simulator does not need to know $x = \log_g(X)$.
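Groth's joint key generation protocol above, as an added example that is not from the paper: both parties' messages and checks over a toy prime-order subgroup. The modulus P, subgroup order q and generator g are constructed here, exponents are reduced modulo q (which plays the role of p in the paper), and the two deviating participants at the end only exist to show that each side's check aborts on a mismatch.

```python
import secrets

# Toy group constructed for this example: P is a safe prime and q = (P-1)/2 is the
# prime order of the subgroup generated by g = 4. Sizes are for illustration only.
P, q, g = 1019, 509, 4


def rand_zq():
    """a <-$ Z_q"""
    return secrets.randbelow(q)


def rand_zq_star():
    """eta <-$ Z_q^* (non-zero)"""
    return 1 + secrets.randbelow(q - 1)


class User:
    """Prospective member U: ends up knowing x while GM only learns X = g^x."""

    def step1(self):
        self.a, self.r, self.eta = rand_zq(), rand_zq(), rand_zq_star()
        return pow(g, self.a, P), pow(g, self.r, P), pow(g, self.eta, P)  # A, R, h

    def step3(self):
        self.c = rand_zq()
        return self.c

    def step5(self, B, b, s):
        # Re-open GM's commitment with h = g^eta; abort on mismatch.
        h = pow(g, self.eta, P)
        if B != pow(g, b, P) * pow(h, s, P) % P:
            raise ValueError("GM opened commitment B incorrectly")
        z = ((b + self.c) * self.a + self.r) % q
        self.x = (self.a + b + self.c) % q
        return z, self.eta


class GroupManager:
    """GM: contributes randomness b and checks U's proof of knowledge of a."""

    def step2(self, A, R, h):
        self.A, self.R, self.h = A, R, h
        self.b, self.s = rand_zq(), rand_zq()
        return pow(g, self.b, P) * pow(h, self.s, P) % P  # commitment B

    def step4(self, c):
        self.c = c
        return self.b, self.s  # opening of B

    def step6(self, z, eta):
        if not (1 <= eta < q) or self.h != pow(g, eta, P):
            raise ValueError("h is not g^eta for a non-zero eta")
        # A^(b+c) * R == g^z shows U knows a = log_g(A) for the challenge b + c.
        if pow(self.A, self.b + self.c, P) * self.R % P != pow(g, z, P):
            raise ValueError("proof of knowledge of a failed")
        return self.A * pow(g, self.b + self.c, P) % P  # X = g^(a+b+c)


def run_protocol(user=None, gm=None):
    """Drive the six steps; returns (X as output by GM, x as output by U)."""
    user, gm = user or User(), gm or GroupManager()
    A, R, h = user.step1()
    B = gm.step2(A, R, h)
    c = user.step3()
    b, s = gm.step4(c)
    z, eta = user.step5(B, b, s)
    X = gm.step6(z, eta)
    return X, user.x


class CheatingGM(GroupManager):
    """Opens B to a different b after seeing c, trying to bias x."""

    def step4(self, c):
        self.c = c
        return (self.b + 1) % q, self.s


class CheatingUser(User):
    """Sends a z unrelated to a, i.e. cannot prove knowledge of log_g(A)."""

    def step5(self, B, b, s):
        z, eta = super().step5(B, b, s)
        return (z + 1) % q, eta


def gm_cheat_detected():
    try:
        run_protocol(gm=CheatingGM())
    except ValueError:
        return True
    return False


def user_cheat_detected():
    try:
        run_protocol(user=CheatingUser())
    except ValueError:
        return True
    return False
```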


B Proofs of Security

Due to space limitations, we only partially outline the proof of security against misidentification attacks. As for anonymity and security against framing attacks, proofs will be available in the full version.

Theorem 2 (Misidentification). The scheme is secure against misidentification attacks assuming that the $\ell$-HSDH problem, where $\ell$ is the total number of $Q_{a\text{-}join}$ and $Q_{p\text{-}join}$-queries, and the 1-mTDH problem are both hard in $\mathbb{G}$.

Proof. To win the misidentification game, the adversary must output a non-trivial signature for which the opening algorithm or the implicit tracing algorithm fail to point to an adversarially-controlled group member.

Let $\sigma^\star = (T_1^\star, T_2^\star, T_3^\star, \vec{\sigma}_1^{\,\star}, \ldots, \vec{\sigma}_{11}^{\,\star}, \pi_1^\star, \ldots, \pi_8^\star)$ denote the adversary's forgery and let us first assume that $\mathrm{Open}(\sigma^\star, \mathcal{Y}, \mathcal{S}) \notin U^a$. We distinguish three cases:

- Type I forgeries are those for which the BBS decryption $\theta_3^\star = g^{s_{ID}}$ of $\vec{\sigma}_3^{\,\star}$ does not appear anywhere in transcripts. We distinguish Type I-A forgeries, where the underlying $\theta_3^\star = g^{s_{ID}}$ never appears at any time during the game, from Type I-B forgeries for which $\theta_3^\star$ does not correspond to any record of transcripts but did appear (implicitly, as part of $K_3$) in a join protocol (triggered by a $Q_{a\text{-}join}$ query) that aborted before reaching its last step.

- Type II forgeries are such that $\vec{\sigma}_3^{\,\star}$ decrypts to a value $\theta_3^\star = g^{s_{ID}}$ that was assigned to some honest user $i \in U^p$ (initialized via a $Q_{p\text{-}join}$-query). Such forgeries thus include those for which the opening algorithm points to some user $i \in U^p$ that did not sign the associated message.

- Type III forgeries open in such a way that $\vec{\sigma}_3^{\,\star}$ decrypts to the $\theta_3^\star$-value of an adversarially-controlled user in transcripts but $(\vec{\sigma}_8^{\,\star}, \vec{\sigma}_9^{\,\star})$ does not. These forgeries include those that would defeat the implicit tracing algorithm.

Lemmas 1, 2 and 3 show that, if the adversary could produce either of such forgeries, it would be possible to break the HSDH or the 1-mTDH assumption.

Finally, one can readily check that an adversary cannot come up with a fake signature defeating the implicit tracing algorithm without being one of the above kinds of forgeries. Indeed, let $\sigma^\star$ be such a forgery and let us consider the decryption $\theta_3^\star$ of $\vec{\sigma}_3^{\,\star}$. If it differs from any $K_3$ appearing in transcripts, $\sigma^\star$ is actually a Type I forgery. If $\theta_3^\star$ matches $K_3$ in $transcript_i$ for some $i \in U^p$, we have a Type II forgery. We are left with the case where $\theta_3^\star$ matches $K_3$ in $transcript_i$ for some $i \in U^a$. Here, a failure of the implicit tracing necessarily means that $\mathcal{A}$, acting as a cheating group member, was able to twist her membership certificate so as to keep the same $s_{ID}$ and alter the membership secret $x$ or the "traceability component" $y$. We thus have a Type III forgery. □

Lemma 1. The advantage of any Type I forger $\mathcal{A}$ is bounded by
$$\mathbf{Adv}^{\text{mis-id-I}}_{\mathcal{A}}(\lambda) \le 2 \cdot \ell_a \cdot \mathbf{Adv}^{(\ell_a + \ell_p)\text{-HSDH}}(\lambda)$$
where $\ell_a$ and $\ell_p$ denote the number of $Q_{a\text{-}join}$ and $Q_{p\text{-}join}$-queries respectively.

Proof. Given in the full version of the paper. □


Lemma 2. The scheme is secure against Type II forgeries under the HSDH assumption. The advantage of any Type II adversary $\mathcal{A}$ is at most
$$\mathbf{Adv}^{\text{mis-id-II}}_{\mathcal{A}}(\lambda, n) \le 4 \cdot n \cdot \ell_s \cdot \Big(1 - \frac{\ell_a}{p}\Big)^{-1} \cdot \mathbf{Adv}^{\ell_a\text{-HSDH}}(\lambda)$$
where $\ell_a$ and $\ell_s$ stand for the number of $Q_{a\text{-}join}$ and $Q_{sig}$-queries.

Proof. Detailed in the full version of the paper. □

Lemma 3. The advantage of any Type III adversary $\mathcal{A}$ is bounded by
$$\mathbf{Adv}^{\text{mis-id-III}}_{\mathcal{A}}(\lambda, n) \le \ell_a \cdot \Big(1 - \frac{1}{p}\Big)^{-1} \cdot \mathbf{Adv}^{1\text{-mTDH}}(\lambda)$$
where $\ell_a$ is the number of $Q_{a\text{-}join}$-queries.

Proof. In a Type III forgery $\sigma^\star$, the opening algorithm decrypts $\vec{\sigma}_3^{\,\star}$ to a value $\theta_3^\star = \sigma_{3,3}^\star \cdot (\sigma_{3,1}^\star)^{-1/\alpha_1} \cdot (\sigma_{3,2}^\star)^{-1/\alpha_2}$ that equals some $K_3$ appearing in the transcript of a user in $U^a$ whereas the BBS decryption of $(\vec{\sigma}_8^{\,\star}, \vec{\sigma}_9^{\,\star})$ does not match the values $(X, y)$ that were assigned to that user.

The simulator $\mathcal{B}$ receives a modified 1-Triple Diffie-Hellman instance consisting of $(g, A = g^a, B = g^b) \in \mathbb{G}^3$ and a single pair $(C = g^{1/(a+c)}, c) \in \mathbb{G} \times \mathbb{Z}_p^*$. To prepare the public key $\mathcal{Y}$, it picks $\omega, \rho_{u,0}, \rho_{u,1}, \beta_0, \ldots, \beta_n \overset{\$}{\leftarrow} \mathbb{Z}_p^*$. It sets $\Omega = g^\omega$, $v_i = g^{\beta_i}$, for $i = 0, \ldots, n$, and $u_i = g^{\rho_{u,i}}$ for $i = 0, 1$. Then, it draws new random values $\rho, \gamma_0, \gamma_1, \gamma_2, \gamma_3, \gamma_4, x^\star, y^\star \overset{\$}{\leftarrow} \mathbb{Z}_p^*$ and defines $h_1 = g^\rho \cdot B^{\gamma_1}$, $h_2 = g^\rho \cdot B^{\gamma_2}$, $h_3 = g^{\gamma_3} \cdot A^\rho$, $h_4 = g^{\gamma_4} \cdot A^\rho$ and $h_0 = g^{\gamma_0} \cdot h_1^{-x^\star} \cdot h_2^{-y^\star}$. It finally chooses vector sets $\mathbf{g}, \mathbf{f}$ to have perfectly sound proof systems. The group public key is
$$\mathcal{Y} := \big(g, \{h_i\}_{i=0,\ldots,4}, \Omega, u_0, u_1, \{v_i\}_{i=0,\ldots,n}, \mathbf{g}, \mathbf{f}\big).$$

At the outset of the simulation, $\mathcal{B}$ draws an index $i^\star \overset{\$}{\leftarrow} \{1, \ldots, \ell_a\}$ and initializes variables $ctr_a, ctr'_a, ctr_p \leftarrow 0$.

- $Q_{a\text{-}join}$-queries: $\mathcal{B}$ increments $ctr'_a$ and considers the following two cases.

  - If $ctr'_a \neq i^\star$, $\mathcal{B}$ acts as the group manager as specified by the protocol (recall that it knows $\omega$ and can always properly generate certificates).

  - If $ctr'_a = i^\star$, $\mathcal{B}$ simulates $\mathcal{A}$'s view in the first step of the join protocol to force $\mathcal{A}$'s membership secret to be $x^\star$ (so that the public value is $X = g^{x^\star}$). The simulation implicitly defines $s_{ID_{i^\star}} = \frac{1}{a+c} - \omega$ (and thus $1/(s_{ID_{i^\star}} + \omega) = a + c$) by setting
$$K_1 = (h_0 \cdot h_1^{x^\star} \cdot h_2^{y^\star})^{\frac{1}{\omega + s_{ID_{i^\star}}}} = (A \cdot g^c)^{\gamma_0} \qquad K_3 = g^{s_{ID_{i^\star}}} = C \cdot g^{-\omega}$$
$$K_2 = g^{\frac{1}{\omega + s_{ID_{i^\star}}}} = A \cdot g^c \qquad K_4 = u_0^{s_{ID_{i^\star}}} = (C \cdot g^{-\omega})^{\rho_{u,0}}$$


In step 2, $\mathcal{B}$ first sends $K_1, K_2, K_3, y^\star$ to $\mathcal{A}$ and aborts if she fails to send back a valid signature on $X \| K_1 \| K_2 \| K_3 \| g^{y^\star}$. If $\mathcal{A}$ correctly answers, $\mathcal{B}$ hands her $K_4$, increments $ctr_a$ and stores a record $(N, transcript_N)$, with $N = ctr_a + ctr_p$, in transcripts.

- $Q_{p\text{-}join}$-queries and $Q_{sig}$-queries: to answer $Q_{p\text{-}join}$-queries, $\mathcal{B}$ follows the join protocol using the group secret key $\mathcal{S} := (\gamma_1, \omega, p)$ and increments $ctr_p$. It can also perfectly answer signing queries on behalf of honest users since it knows their membership certificates and secrets.

- $Q_{\mathcal{Y}}$ and $Q_{reveal}(i)$-queries: can be handled according to the specification of the scheme since $\mathcal{B}$ always knows the values requested by $\mathcal{A}$.

- $Q_{sig}$-queries: always involve users in $U^p$ and $\mathcal{B}$ thus always knows private elements that it needs to answer the query.

Eventually, $\mathcal{A}$ outputs a message $M^\star$ along with a valid traceable signature $\sigma^\star = (T_1^\star, T_2^\star, T_3^\star, \vec{\sigma}_1^{\,\star}, \ldots, \vec{\sigma}_{11}^{\,\star}, \pi_1^\star, \ldots, \pi_8^\star)$ that must be a Type III forgery. At this stage, $\mathcal{B}$ fails if the decryption of $\vec{\sigma}_3^{\,\star}$ differs from the element $K_3 = C \cdot g^{-\omega}$ that $\mathcal{B}$ calculated at the $i^\star$-th $Q_{a\text{-}join}$-query (as it guessed the wrong $i^\star$). Otherwise, for all $i \in \{1, \ldots, 9\} \setminus \{3\}$, it decrypts the other $\vec{\sigma}_i^{\,\star}$ into $\theta_i^\star$. Since the proof system is configured for the perfect soundness setting, it comes that

$$\theta_1^\star = (h_0 \cdot h_1^{x'} \cdot h_2^{y'})^{\frac{1}{\omega + s_{ID_{i^\star}}}} = \big(g^{\gamma_0} \cdot h_1^{(x' - x^\star)} \cdot h_2^{(y' - y^\star)}\big)^{a+c}$$
$$\theta_6^\star = h_1^{x'} \cdot h_2^{y'} \qquad \theta_7^\star = h_3^{x'} \cdot h_4^{y'} \qquad \theta_8^\star = g^{x'} \qquad \theta_9^\star = g^{y'}$$

for some $x', y' \in \mathbb{Z}_p^*$ that $\mathcal{B}$ does not know. However, if we set $\Delta x = x' - x^\star$ and $\Delta y = y' - y^\star$, $\mathcal{B}$ can compute

$$Z_1 = \theta_1^\star / K_1 = \big(h_1^{\Delta x} \cdot h_2^{\Delta y}\big)^{a+c} = \big(g^{\rho(\Delta x + \Delta y)} \cdot B^{\gamma_1 \Delta x + \gamma_2 \Delta y}\big)^{a+c}$$
$$Z_2 = \theta_7^\star / (h_3^{x^\star} \cdot h_4^{y^\star}) = h_3^{\Delta x} \cdot h_4^{\Delta y} = g^{\gamma_3 \Delta x + \gamma_4 \Delta y} \cdot A^{\rho(\Delta x + \Delta y)}$$
$$Z_3 = \theta_8^\star / g^{x^\star} = g^{\Delta x}$$
$$Z_4 = \theta_9^\star / g^{y^\star} = g^{\Delta y}$$
$$Z_5 = \theta_6^\star / (h_1^{x^\star} \cdot h_2^{y^\star}) = h_1^{\Delta x} \cdot h_2^{\Delta y} = g^{\rho(\Delta x + \Delta y)} \cdot B^{\gamma_1 \Delta x + \gamma_2 \Delta y}$$
which in turn reveal
$$Z_6 = (A \cdot g^c)^{\rho(\Delta x + \Delta y)} = \big(Z_2 / (Z_3^{\gamma_3} \cdot Z_4^{\gamma_4})\big) \cdot (Z_3 \cdot Z_4)^{\rho c}$$
$$Z_7 = B^{\gamma_1 \Delta x + \gamma_2 \Delta y} = Z_5 \cdot (Z_3 \cdot Z_4)^{-\rho}$$

and finally
$$Z_8 = g^{ab(\gamma_1 \Delta x + \gamma_2 \Delta y)} = B^{a(\gamma_1 \Delta x + \gamma_2 \Delta y)} = Z_1 / (Z_6 \cdot Z_7^c),$$
so that, if we implicitly set $\mu = \gamma_1 \Delta x + \gamma_2 \Delta y$, $\mathcal{B}$ has eventually found a triple
$$(g^\mu, g^{b\mu}, g^{ab\mu}) = (Z_3^{\gamma_1} \cdot Z_4^{\gamma_2}, Z_7, Z_8).$$

Since $\gamma_1$ and $\gamma_2$ are perfectly hidden from $\mathcal{A}$'s view, we have $g^\mu \neq 1_{\mathbb{G}}$ (i.e., $\gamma_1 \Delta x + \gamma_2 \Delta y \neq 0 \bmod p$) with overwhelming probability (greater than $1 - 1/p$) and the triple is non-trivial. We easily check that, if $\mathcal{A}$ is successful, so is $\mathcal{B}$ as long as it correctly guesses $i^\star \in \{1, \ldots, \ell_a\}$. □


Strongly Secure Certificateless Key Agreement*

Georg Lippold, Colin Boyd, and Juan Gonzalez Nieto

Information Security Institute, Queensland University Of Technology, GPO Box 2434, Brisbane QLD 4001, Australia

{g.lippold,c.boyd,j.gonzaleznieto}@qut.edu.au

Abstract. We introduce a formal model for certificateless authenticated key exchange (CL-AKE) protocols. Contrary to what might be expected, we show that the natural combination of an ID-based AKE protocol with a public key based AKE protocol cannot provide strong security. We provide the first one-round CL-AKE scheme proven secure in the random oracle model. We introduce two variants of the Diffie-Hellman trapdoor introduced by [4]. The proposed key agreement scheme is secure as long as each party has at least one uncompromised secret. Thus, our scheme is secure even if the key generation centre learns the ephemeral secrets of both parties.

1 Introduction

Certificateless encryption introduced by Al-Riyami and Paterson [1] is a variant of identity based encryption that limits the key escrow capabilities of the key generation centre, which is inherent in identity based encryption [3]. Dent [6] published a survey of more than twenty certificateless encryption schemes that focuses on the different security models and the efficiency of the respective schemes. In certificateless cryptography schemes, there are three secrets per party:

– The key issued by the key generation centre (Dent [6] calls it “partial private key”). We assume in the following that this key is ID-based, although it does not necessarily have to be ID-based.

– The user generated private key $x_{ID}$ (Dent calls it “secret value”).

– The ephemeral value chosen randomly for each session.

Key agreement schemes provide an efficient means for two parties to communicate over an adversarially controlled channel. An overview of almost twenty identity based key agreement protocols has been compiled by Chen, Cheng and Smart [5]; they also provide security proofs for two of the surveyed protocols. Many ID-based schemes guarantee full privacy for both parties as long as the key generation centre (KGC) does not learn any of the ephemeral secrets used in computing the session key. But as Krawczyk [10] points out, the leakage of ephemeral keys should not be neglected as they are usually precomputed and not stored in secure memory. In the context of identity based key agreement protocols, this means that as soon as the ephemeral key of either party leaks, a malicious KGC is able to compute the session key.

⋆ Research funded by the Australian Research Council through Discovery Project DP0773348.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 206–230, 2009. © Springer-Verlag Berlin Heidelberg 2009

An overview of current certificateless key agreement schemes has been compiled by Swanson [18]. Certificateless key agreement schemes attempt to provide full privacy even if the ephemeral secrets of the parties leak to the key generation centre or if the key generation centre actively interferes with the messages that are exchanged (e.g. does a man-in-the-middle attack). The first certificateless key agreement scheme was published by Al-Riyami and Paterson [1] as a side note to their certificateless encryption scheme. However, they provided neither a security model for certificateless key agreement schemes nor a proof of security for the scheme. Other certificateless key agreement schemes were published by Mandt and Tan [16] and improved by Xia et al. [21], Wang, Cao and Wang [20], and Shao Zu-hua [24], but the respective authors gave only heuristic arguments as to why their schemes would be secure. Swanson [18] analysed these certificateless schemes and showed generic attacks that break the notions of security claimed by the respective authors. Swanson also posed three open questions in the last chapter of her thesis that we will answer in this paper.

By combining an ID-based scheme with a public key based scheme, certificateless encryption [22], [14], certificateless signatures [23], and certificateless key encapsulation mechanisms [2] can be readily constructed from existing protocols. Contrary to what would be expected, we show that a certificateless key agreement protocol cannot be securely constructed by a natural combination of an ID-based key agreement protocol with a public key based key agreement protocol.

The security model is an extension of Swanson’s [18] modified version of the extended Canetti and Krawczyk model presented in [12] for certificateless key agreement. In this paper, we strengthen the model further (thus giving more power to the adversary) and provide the first formal proof for a strongly secure certificateless key agreement scheme in the random oracle model. Moreover, the protocol we propose is a one-round protocol that withstands all of Swanson’s attacks, although the messages exchanged in our protocol are exactly the same messages as in Mandt and Tan’s protocol [16]. To withstand the attacks we use a modified version of the technique presented by Xia et al. [21].

We prove that our certificateless key agreement protocol is secure even if the key generation centre actively tries to break the scheme: it may either reveal ephemeral secrets or reveal secret values / replace public keys but not both. In fact, we show that as long as each party still has at least one uncompromised secret, our scheme is still secure in the random oracle model assuming that the computational Diffie-Hellman assumption and the computational bilinear Diffie-Hellman assumption hold. Our proofs are in the strongest security model available for certificateless schemes, i.e. it corresponds to Dent’s [6] Strong Type I and Strong Type II security where the adversary is allowed to replace certificateless public keys and the challenger still has to answer all oracle queries.


The main contributions of this paper are:

– Strongest formal model for secure authenticated certificateless key exchange protocols today. We provide the equivalent of a strong decryption oracle [6] for reveal queries.

– An analysis of why certificateless key establishment schemes (CL-AKE) cannot be readily composed by combining an ID-based authenticated key establishment (ID-AKE) scheme with a public key authenticated key establishment (PK-AKE) scheme in our security model.

– First one-round protocol for certificateless key agreement with a security proof in the random oracle model that fulfills all notions of security of our model and withstands recent attacks on certificateless key agreement protocols.

The organization of the paper is as follows: we introduce the security model in Section 2 and relate it to existing notions of security for key agreement schemes and certificateless encryption. We also show why a generic composition of ID-AKE with PK-AKE does not have sufficient security guarantees in our model. A description of the scheme is given in Section 3. Section 5 discusses the security proof of the new protocol. We conclude our paper by answering some open questions in Section 6.

2 Security Model for Certificateless Key Agreement Schemes

The following security properties are commonly required of key establishment protocols in general.

Resistance to basic impersonation attacks. An adversary who does not know the private key of party A should not be able to impersonate A.

Resistance to Unknown Key-Share (UKS) attacks. An adversary $\mathcal{M}$ interferes with two honest parties A and B such that both parties accept the session and compute the same key. However, while A thinks that the key is shared with B, B is convinced that the key is shared with $\mathcal{M}$.

Known key security. Each run of a key agreement protocol between two parties A and B should produce a unique session key. A protocol should not become insecure if the adversary has learned some of the session keys [13].

Weak Perfect Forward Secrecy (wPFS). A key-exchange protocol provides weak PFS (wPFS) if an attacker $\mathcal{M}$ cannot distinguish from random a key of any session for which the session and its matching session are clean¹ even if $\mathcal{M}$ has learned the private keys of both peers to the session [10, Definition 22].

Resistance to Key-Compromise Impersonation (KCI) attacks. We say that a KE-attacker $\mathcal{M}$ that has learned the private key of party A succeeds in a Key-compromise impersonation (KCI) attack against A if $\mathcal{M}$ is able to distinguish from random the session key of a complete session at A for which the session peer is uncorrupted and the session and its matching session (if it exists) are clean [10, Definition 20].

¹ Roughly speaking, clean is the same as fresh in Definition 1.

Resistance to disclosure of ephemeral secrets. The protocol should be resistant to the disclosure of ephemeral secrets. The disclosure of an ephemeral secret should not compromise the security of sessions where the ephemeral secret was not used.

ID-based protocols usually require the following property in addition to these properties:

KGC forward secrecy. The key generation centre (KGC) should be unable to compute the session key knowing all publicly available information.

For certificateless protocols, we will additionally require the following property. Mandt & Tan [16] call this property “Resistance to known session-specific temporary information”, but they provide only an informal definition. It is not possible to provide this property in an ID-based key agreement scheme since a KGC who knows the ephemeral secrets has all inputs to the session key.

Resistance to leakage of ephemeral secrets to the KGC. If a malicious KGC learns the ephemeral secrets of any session, the KGC should not be able to compute the session key.

2.1 Formal Definition of the Security Model

We present a strengthened version of Swanson’s [18] model, which in turn is based on LaMacchia, Lauter & Mityagin’s [12] extended Canetti-Krawczyk (eCK) model. We discuss the changes to the respective models in Section 2.2.

Let $U = \{U_1, \ldots, U_n\}$ be a set of parties. The protocol may be run between any two of these parties. For each party there exists an identity based public key that can be derived from its identifier. There is a key generation centre that issues identity based private keys to the parties through a secure channel. Additionally, the parties generate their own secret values and certificateless public keys.

The adversary is in control of the network over which protocol messages are exchanged. $\Pi^t_{i,j}$ represents the $t$th protocol session which runs at party $i$ with intended partner party $j$. Additionally, the adversary is allowed to replace certificateless public keys that are used to compute the session key. The adversary does not have to disclose the private key matching the replaced certificateless public key to the respective party.

A session $\Pi^t_{i,j}$ enters an accepted state when it computes a session key $SK^t_{i,j}$. Note that a session may terminate without ever entering into an accepted state. The information of whether a session has terminated with acceptance or without acceptance is assumed to be public. The session $\Pi^t_{i,j}$ is assigned a partner ID $pid = (ID_i, ID_j)$. The session ID $sid$ of $\Pi^t_{i,j}$ at party $i$ is the transcript of the messages exchanged with party $j$ during the session. Two sessions $\Pi^t_{i,j}$ and $\Pi^u_{j,i}$ are considered matching if they have the same $pid$ (and $sid$).


The game runs in two phases. During the first phase of the game, the adversary $\mathcal{M}$ is allowed to issue the following queries in any order:

Send($\Pi^t_{i,j}$, $x$): If the session $\Pi^t_{i,j}$ does not exist, it will be created as initiator at party $i$ if $x = \lambda$, or as a responder at party $j$ otherwise. If the participating parties have not been initiated before, the respective private and public keys are created. Upon receiving the message $x$, the protocol is executed. After party $i$ has sent and received the last set of messages specified by the protocol, it outputs a decision indicating accepting or rejecting the session. In the case of one-round protocols, party $i$ behaves as follows:

$x = \lambda$: Party $i$ generates an ephemeral value and responds with an outgoing message only.

$x \neq \lambda$: If party $i$ is a responder, it generates an ephemeral value for the session and responds with an outgoing message $m$ and a decision indicating acceptance or rejection of the session. If party $i$ is an initiator, it responds with a decision indicating accepting or rejecting the session.

In this work, we require $i \neq j$, i.e. a party will not run a session with itself.

Reveal master key: The adversary is given access to the master secret key.

Session key reveal($\Pi^t_{i,j}$): If the session has not accepted, it returns $\bot$, otherwise it reveals the accepted session key.

Reveal ID-based secret($i$): Party $i$ responds with its ID-based private key, e.g. $sH_1(ID_i)$.

Reveal secret value($i$): Party $i$ responds with its secret value $x_i$ that corresponds to its certificateless public key. If $i$ has been asked the replace public key query before, it responds with $\bot$.

Replace public key($i$, $pk$): Party $i$’s certificateless public key is replaced with $pk$ chosen by the adversary. Party $i$ will use the new public key for all communication and computation.

Reveal ephemeral key($\Pi^t_{i,j}$): Party $i$ responds with the ephemeral secret used in session $\Pi^t_{i,j}$.

We can group the key reveal queries into three types: the reveal master key and reveal ID-based secret queries try to undermine the security of the ID-based part of the scheme, the reveal secret value and replace public key queries try to undermine the security of the public key based part of the scheme, and the reveal ephemeral key query tries to undermine the security of one particular session.

We define the state fully corrupt as a session that was asked all three types of reveal queries: the reveal master key or reveal ID-based secret, the reveal secret value or the replace public key, and the reveal ephemeral key query.

Once the adversary $\mathcal{M}$ decides that the first phase is over, it starts the second phase by choosing a fresh session $\Pi^t_{i,j}$ and issuing a Test($\Pi^t_{i,j}$) query, where the fresh session and test query are defined as follows:

Definition 1 (Fresh session). A session $\Pi^t_{i,j}$ is fresh if (1) $\Pi^t_{i,j}$ has accepted; (2) $\Pi^t_{i,j}$ is unopened (not being issued the session key reveal query); (3) the session state at neither party participating in this session is fully corrupted; (4) there is no opened session $\Pi^u_{j,i}$ which has a matching conversation to $\Pi^t_{i,j}$.


Test($\Pi^t_{i,j}$): The input session $\Pi^t_{i,j}$ must be fresh. A bit $b \in \{0, 1\}$ is randomly chosen. If $b = 0$, the adversary is given the session key, otherwise it randomly samples a session key from the distribution of valid session keys and returns it to the adversary.

After the Test($\Pi^t_{i,j}$) query has been issued, the adversary can continue querying except that the test session $\Pi^t_{i,j}$ should remain fresh. We emphasize here that partial corruption is allowed as this is a benefit of our security model. Additionally, replace public key queries may be issued to any party after the test session has been completed.

At the end of the game, the adversary outputs a guess $b'$ for $b$. If $b' = b$, we say that the adversary wins. The adversary’s advantage in winning the game is defined as

$$\mathrm{Adv}_{\mathcal{M}}(k) = \left| \Pr[\mathcal{M} \text{ wins}] - \frac{1}{2} \right|$$

Definition 2 (Strong Type I secure key agreement scheme). A certificateless key agreement scheme is Strong Type I secure if every probabilistic, polynomial-time adversary $\mathcal{M}$ has negligible advantage in winning the game described in Section 2.1 subject to the following constraints:

– $\mathcal{M}$ may corrupt at most two out of three types of secrets per party involved in the test session,

– $\mathcal{M}$ is allowed to replace public keys of any party; however, this counts as the corruption of one secret,

– $\mathcal{M}$ may not reveal the secret value of any identity for which it has replaced the certificateless public key,

– $\mathcal{M}$ is allowed to ask session key reveal queries even for session keys computed by identities where $\mathcal{M}$ replaced the identity’s public key,

– $\mathcal{M}$ is allowed to replace public keys of any party after the test query has been issued.

Definition 3 (Strong Type II secure key agreement scheme). A certificateless key agreement scheme is Strong Type II secure if every probabilistic, polynomial-time adversary $\mathcal{M}$ has negligible advantage in winning the game described in Section 2.1 subject to the following constraints:

– $\mathcal{M}$ is given the master secret key $s$ at the start of the game,

– $\mathcal{M}$ may corrupt at most one additional type of secret per party participating in the test query,

– $\mathcal{M}$ is allowed to replace public keys of any party; however, this counts as the corruption of one secret,

– $\mathcal{M}$ may not reveal the secret value of any identity for which it has replaced the certificateless public key,

– $\mathcal{M}$ is allowed to ask session key reveal queries even for session keys computed by identities where he replaced the identity’s public key,

– $\mathcal{M}$ is allowed to replace public keys of any party after the test query has been issued.


2.2 Relation to Existing Notions of Security

Swanson’s [18] replace public key query is weaker in assuming that the party whose key was replaced continues to make its computations with its original (unreplaced) public key (and its matching private key). Although it seems that Swanson’s model is more “natural” than our model, strong certificateless encryption has been the goal of many papers; a discussion of the benefits and drawbacks can be found in [7]. As it gives more power to the adversary, we think that schemes that are strongly secure are preferable to those in a weaker security model.

When checking for a matching conversation, Swanson omits the certificateless public keys from the conversation transcript. This weakens the adversary compared to our model, as the adversary would not be allowed to replace public keys and try to replay the conversation with the replaced keys of the test query after the test query has been issued.

With respect to LaMacchia et al. [12], the main difference of our definition is that instead of having only four pieces of secret information, in certificateless protocols there are six: the ID-based secret keys, the user’s secret value, and the ephemeral private keys of both parties. We require a certificateless AKE to be secure as long as each party still holds at least one uncompromised secret.

We note that as the challenger has to answer session key reveal queries even for keys where the respective certificateless public keys have been replaced, the adversary has access to the equivalent of a “Strong Decrypt” oracle in certificateless encryption. Strong decryption oracles were first introduced by Al-Riyami and Paterson [1]. Dent [6] defines the Strong Decryption Oracle as follows.

Definition 4 (Strong Decryption Oracle). The adversary supplies an identity $ID$ and a ciphertext $C$, and the challenger responds with the decryption of $C$ under the private key $sk_{ID}$. Note that if the attacker has replaced the public key for $ID$, then this oracle should return the correct decryption of $C$ using the private key that inverts the public key $pk_{ID}$ currently associated with the identity $ID$ (or $\bot$ if no such private key exists).

A strong decryption oracle in public key cryptography is able to return the plaintext for a given ciphertext (which does not necessarily mean that the plaintext has been decrypted using the correct key, as with double encryption). We note that in a session key reveal query the correct key for a given session has to be revealed, which is a stronger requirement. The scheme in Section 3 is both Strong Type I and Strong Type II secure with respect to Dent’s definitions.

In the security proof in Section 5 and Section 5.4 we do not differentiate between these two types of adversarial behaviour but treat them together. If the adversary was split to be either Strong Type I or Strong Type II, then a Strong Type II adversary would be applicable only for the Strategies 1, 2, 3, and 4 in Section 5.1. Being able to distinguish between Type I and Type II adversaries would thus increase the probability of success for the challenger.


2.3 Why a Natural Composition of CL-AKE from ID-AKE and PK-AKE Is Not Possible in Our Model

In the security model, a session can only be fresh as long as each party still has at least one uncompromised secret. A composition of an ID-AKE with a PK-AKE is depicted in Figure 1. A natural way to achieve such a composition consists of running the two protocols in parallel and deriving the session key of the overall composition as a publicly known function of solely the two component session keys. This composition cannot offer the desired level of security, because no security guarantees exist if party A still has an uncompromised key in the PK-AKE and party B still has an uncompromised key in the ID-AKE (both AKE schemes are broken at this moment). This may explain why no CL-AKE schemes with a proof of security have been published before.

[Figure 1: three diagrams. Public Key AKE (Party A, Party B; $pk_A$, $pk_B$; $eph_{pk_A}$, $eph_{pk_B}$; lines labelled KCI, eph discl, KCI, wPFS) + ID-based AKE (Party A, Party B; $ID_A$, $ID_B$; $eph_{ID_A}$, $eph_{ID_B}$; lines labelled KCI, eph discl, KCI, wPFS) ≠ Certificateless AKE (Party A, Party B; $pk_A$, $pk_B$, $ID_A$, $ID_B$; $eph_{pk_A}, eph_{ID_A}$; $eph_{pk_B}, eph_{ID_B}$; lines labelled eph + pk discl, eph + ID discl, KCI, KCI, wPFS, KCI, wPFS).]

The lines indicate what combination of secrets gives resistance against which attack type. Examples for public key schemes applicable to this diagram would be NAXOS [12] and CMQV [19]; an example for an ID-based scheme would be the ASIACCS09 [9] scheme. However, a combination of these schemes would not have any security guarantees about the dashed lines in the certificateless part of the diagram.

Fig. 1. PK-AKE + ID-AKE ≠ CL-AKE

3 Description of the Certificateless Key Agreement Scheme

We describe the phases of our certificateless authenticated key exchange protocol in this section. Our protocol consists of three phases: setup, message exchange and key computation. We also briefly address the efficiency of the proposed protocol.

3.1 Setup

– The KGC publishes a generator $P \in \mathbb{G}$ and an admissible bilinear pairings map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ that fulfills the following criteria: Let $\mathbb{G}$ and $\mathbb{G}_T$ be groups of prime order $p$. A bilinear pairings map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ between the groups $\mathbb{G}$ and $\mathbb{G}_T$ satisfies the following properties:

Bilinear: We say that a map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is bilinear if $e(aP, bP) = e(P, P)^{ab}$ for all $P \in \mathbb{G}$ and $a, b \in \mathbb{Z}_p$.

Non-degenerate: We say that $e$ is non-degenerate if it does not send all pairs in $\mathbb{G} \times \mathbb{G}$ to the identity in $\mathbb{G}_T$. Since $\mathbb{G}$ and $\mathbb{G}_T$ are groups of prime order $p$, it follows that if $P \in \mathbb{G}$ is a generator of $\mathbb{G}$, then $e(P, P)$ is a generator of $\mathbb{G}_T$.

Computable: There is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in \mathbb{G}$.

Suitable pairing groups for this protocol would be Type 1 and Type 4 pairings (see Chen, Cheng & Smart [5] for a discussion). Asymmetric pairings are not possible because we use the non-interactive ID-based key agreement of Sakai, Ohgishi and Kasahara (SOK) [17] as part of our protocol. This requires hashing to both $\mathbb{G}_1$ and $\mathbb{G}_2$. The SOK protocol has been proven by Dupont and Enge [8] using gap assumptions. As an added benefit of our proof, we show how to prove the SOK protocol secure under the weaker computational bilinear Diffie-Hellman assumption using the twin bilinear Diffie-Hellman trapdoor [4] in Section 5.4, Strategy 9.

– The KGC picks a random $s \in \mathbb{Z}_p$ as master secret key and sets its public key to $sP$.

– The KGC selects three cryptographic hash functions

$H_1 : \{0, 1\}^* \to \mathbb{G}$

$H_2 : \{0, 1\}^* \times \{0, 1\}^* \times \mathbb{G}^8 \times \mathbb{G}_T^6 \to \{0, 1\}^n$ for some integer $n > 0$

$H_3 : \mathbb{G} \to \mathbb{G}$

$H_2$ is the key derivation function for our scheme.

Each party participating in the key agreement protocol additionally computes a private key and a matching certificateless public key:

– Each user $U$ generates a secret value $x_U \xleftarrow{\$} \mathbb{Z}_p$ and a public key $x_U P \in \mathbb{G}$.

– Each user $U$ gets an ID-based private key $\{sH_1(ID_U), sH_3(H_1(ID_U))\} \in \mathbb{G}^2$ from the key generation centre.

3.2 Message Exchange

To establish a common key, user A generates the ephemeral secret $r_A \xleftarrow{\$} \mathbb{Z}_p$ and user B generates the ephemeral secret $r_B \xleftarrow{\$} \mathbb{Z}_p$. They exchange the following messages:

$A \to B : E_A = (r_A P, x_A P) \qquad B \to A : E_B = (r_B P, x_B P)$

We note that the certificateless public keys can be stripped from the messages if they are published in a public online directory. This will save bandwidth, but at the same time may make the scheme more vulnerable to the equivalent of denial of decryption attacks in certificateless encryption: an adversary may manipulate the entries of the directory more easily than the message exchange between two parties.


As we propose a one-round protocol, our protocol achieves only implicit authentication. Krawczyk [10, Section 8] shows that explicit authentication is possible with three half rounds. To achieve explicit authentication, this protocol can be patched in the same way that HMQV is patched to HMQV-C.

In the following we require implicitly that each party always checks subgroup membership for all elements of messages that are exchanged in the protocol to defend against small subgroup attacks [15].

3.3 Key Computation

To compute the certificateless session key, each user computes

$K_A = e(H_1(ID_B), sP)^{r_A} \, e(sH_1(ID_A), r_B P) = e(H_1(ID_B), P)^{r_A s} \, e(H_1(ID_A), P)^{r_B s} = K_B = K$

$K'_A = e(H_3(H_1(ID_B)), sP)^{r_A} \, e(sH_3(H_1(ID_A)), r_B P) = e(H_3(H_1(ID_B)), P)^{r_A s} \cdot e(H_3(H_1(ID_A)), P)^{r_B s} = K'_B = K'$

$L_A = e(H_1(ID_B), sP)^{x_A} \, e(sH_1(ID_A), x_B P) = e(H_1(ID_B), P)^{x_A s} \, e(H_1(ID_A), P)^{x_B s} = L_B = L$

$L'_A = e(H_3(H_1(ID_B)), sP)^{x_A} \, e(sH_3(H_1(ID_A)), x_B P) = e(H_3(H_1(ID_B)), P)^{x_A s} \, e(H_3(H_1(ID_A)), P)^{x_B s} = L'_B = L'$

$N_A = e(H_1(ID_B), sH_1(ID_A)) = e(H_1(ID_B), H_1(ID_A))^{s} = N_B = N$

$N'_A = e(H_3(H_1(ID_B)), sH_3(H_1(ID_A))) = e(H_3(H_1(ID_B)), H_3(H_1(ID_A)))^{s} = N'_B = N'$

The session key is then computed as $SK = H_2(A, B, E_A, E_B, r_A r_B P, x_A x_B P, r_A x_B P, x_A r_B P, K, K', L, L', N, N')$. In Section 5 and Section 5.4 the challenger $\mathcal{B}$ uses the adversary $\mathcal{M}$ to solve either the computational Diffie-Hellman (CDH) or the computational bilinear Diffie-Hellman (CBDH) problem. $K$, $L$, and $N$ are used in the proof to embed the input to the CBDH challenge into the test session. Each of these values is necessary to defend against one possible attack strategy of the adversary $\mathcal{M}$. $K$ is the product of two encapsulated Boneh-Franklin session keys, $L'$ is similar but with certificateless long-term keys. $N'$ is the non-interactive ID-based key agreement scheme proposed by [17]. $K'$, $L'$, and $N'$ are needed to answer reveal queries of the adversary $\mathcal{M}$ consistently. To answer reveal queries, the challenger $\mathcal{B}$ makes use of the twin bilinear Diffie-Hellman problem as introduced by Cash, Kiltz and Shoup [4]. The twin bilinear Diffie-Hellman “backdoor” is embedded in $K'$, $L'$ and $N'$.

3.4 Efficiency Considerations

Although the protocol is one round, the computational overhead imposed on the parties is rather high: each party has to compute 5 exponentiations in $\mathbb{G}$ and 10 pairings. We would like to note that we need the $H_3$ hash function in the proof for full computational bilinear Diffie-Hellman security. If the gap bilinear Diffie-Hellman assumption is used (see Kudla and Paterson [11] for gap assumptions), the $H_3$ hash function can be omitted, which saves 2 hash queries and reduces the complexity of the protocol to 3 exponentiations in $\mathbb{G}$ and 5 pairing computations (as $K'$, $L'$, and $N'$ do not have to be computed). If there are multiple runs of the protocol between the same users (e.g. for rekeying in VPNs), then the complexity can be reduced by caching $x_A x_B P$, $L$, $L'$, $N$, and $N'$ in secure memory, which then reduces the complexity for successive runs to 4 exponentiations and 4 pairing computations (or 2 exponentiations and 2 pairing computations if the gap bilinear Diffie-Hellman assumption is used). It may be possible to do better in terms of computational efficiency. However, the aim of this paper is to provide a strong model for certificateless key agreement and to show that schemes corresponding to the model exist.

We introduce the theorems that we later use as decisional oracles to be ableto answer the H2 queries of the adversary consistently (and to determine whenthe adversary submits the solution to a hard problem to the H2 oracle). Wecontinue then by embedding a hard problem in each of the uncorrupted secretsthat are available in the respective strategies.

4 The Twin Bilinear Diffie-Hellman Trapdoor Theorems

The proof in Section 5.4 for Strategies 5 to 8 relies heavily on the following theorem:

Theorem 1 (Trapdoor Test). Let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a bilinear pairing, where $\mathbb{G}, \mathbb{G}_T$ are two cyclic groups of prime order $p$. Let $P \in \mathbb{G}$ be a generator of $\mathbb{G}$. Suppose $B_1 \in \mathbb{G}$, $y, z \in \mathbb{Z}_p$ are mutually independent random variables. Define $B_2 := yP - zB_1$. Further, suppose that $A, C$ are random variables in $\mathbb{G}$ and $T_1, T_2$ are random variables in $\mathbb{G}_T$, each of which is defined as some function of $B_1$ and $B_2$. Then we have:

1. $B_2$ is uniformly distributed over $\mathbb{G}$.

2. $B_1$ and $B_2$ are independent.

3. If $B_1 = b_1 P$ and $B_2 = b_2 P$, then the probability that the truth value of

$$T_1^{z} \cdot T_2 \stackrel{?}{=} e(A, C)^{y} \qquad (1)$$

does not agree with the truth value of

$$T_1 \stackrel{?}{=} e(A, C)^{b_1} \;\wedge\; T_2 \stackrel{?}{=} e(A, C)^{b_2} \qquad (2)$$

is at most $1/p$; moreover, if Equation 2 holds, then Equation 1 certainly holds.
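As an added worked example (not code from the paper or its authors), the following Python script instantiates the Section 3 protocol (setup, message exchange, key computation) and the Theorem 1 trapdoor test over a constructed toy pairing: $\mathbb{G}$ is $\mathbb{Z}_p$ with $P = 1$ and $\mathbb{G}_T$ is the order-$p$ subgroup of $\mathbb{Z}_q^*$ with $q = 2p + 1$, so that $e(aP, bP) = g^{ab}$ is bilinear and non-degenerate. It checks that both parties derive the same $SK$ and that Equation (1) agrees with Equation (2); the SHA-256 instantiations of $H_1$, $H_2$, $H_3$ and the identities are assumptions, and discrete logarithms in this toy $\mathbb{G}$ are trivial, so it exercises the algebra only.

```python
# Added example, not code from the paper: the Section 3 protocol and the
# Theorem 1 trapdoor test over a CONSTRUCTED toy pairing.  G = Z_p (additive,
# P = 1), G_T = order-p subgroup of Z_q^* with q = 2p + 1, e(aP, bP) = g^(ab).
# Discrete logs in this G are trivial, so it only checks the algebra.
import hashlib
import secrets

def is_prime(n: int) -> bool:
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def toy_pairing_params(start: int = 10**6):
    """Smallest p >= start with p and q = 2p+1 prime; g = 4 has order p mod q."""
    p = start
    while not (is_prime(p) and is_prime(2 * p + 1)):
        p += 1
    return p, 2 * p + 1, 4

P_ORDER, Q_MOD, G_T_GEN = toy_pairing_params()

def e(a: int, b: int) -> int:
    """Toy bilinear map e(aP, bP) = g^(ab) mod q; G elements are ints mod p."""
    return pow(G_T_GEN, (a * b) % P_ORDER, Q_MOD)

def rand_zp() -> int:
    return secrets.randbelow(P_ORDER - 1) + 1

def h1(identity: bytes) -> int:   # H1: {0,1}* -> G (assumed SHA-256 instantiation)
    return int.from_bytes(hashlib.sha256(b"H1|" + identity).digest(), "big") % P_ORDER

def h3(point: int) -> int:        # H3: G -> G
    return int.from_bytes(hashlib.sha256(b"H3|%d" % point).digest(), "big") % P_ORDER

def h2(*parts) -> bytes:          # H2: key derivation over transcript and shared values
    return hashlib.sha256(b"|".join(repr(x).encode() for x in parts)).digest()

def extract(s: int, identity: bytes):
    """ID-based private key {sH1(ID), sH3(H1(ID))} issued by the KGC."""
    hid = h1(identity)
    return (s * hid) % P_ORDER, (s * h3(hid)) % P_ORDER

def session_key(me, peer, initiator, s_pub, x_me, r_me, d_me, peer_msg):
    """Section 3.3 from one party's view; d_me = extract(s, me) and
    peer_msg = (r_peer P, x_peer P) as received on the wire."""
    r_peer_p, x_peer_p = peer_msg
    my_msg = (r_me, x_me)                       # (r_me P, x_me P) in the toy group
    hp, hp3 = h1(peer), h3(h1(peer))
    d1, d3 = d_me
    K = pow(e(hp, s_pub), r_me, Q_MOD) * e(d1, r_peer_p) % Q_MOD
    Kp = pow(e(hp3, s_pub), r_me, Q_MOD) * e(d3, r_peer_p) % Q_MOD
    L = pow(e(hp, s_pub), x_me, Q_MOD) * e(d1, x_peer_p) % Q_MOD
    Lp = pow(e(hp3, s_pub), x_me, Q_MOD) * e(d3, x_peer_p) % Q_MOD
    N, Np = e(hp, d1), e(hp3, d3)               # SOK non-interactive keys
    rr = r_me * r_peer_p % P_ORDER              # r_A r_B P
    xx = x_me * x_peer_p % P_ORDER              # x_A x_B P
    if initiator:                               # I am A
        a, b, ea, eb = me, peer, my_msg, peer_msg
        rx, xr = r_me * x_peer_p % P_ORDER, x_me * r_peer_p % P_ORDER
    else:                                       # I am B
        a, b, ea, eb = peer, me, peer_msg, my_msg
        rx, xr = x_me * r_peer_p % P_ORDER, r_me * x_peer_p % P_ORDER
    return h2(a, b, ea, eb, rr, xx, rx, xr, K, Kp, L, Lp, N, Np)

def run_protocol(id_a=b"alice@example.org", id_b=b"bob@example.org"):
    """Setup, one-round exchange and key computation; returns (SK_A, SK_B)."""
    s = rand_zp()                               # master secret; KGC public key sP = s
    x_a, x_b = rand_zp(), rand_zp()             # secret values, public keys x_A P, x_B P
    d_a, d_b = extract(s, id_a), extract(s, id_b)
    r_a, r_b = rand_zp(), rand_zp()             # ephemeral secrets
    e_a, e_b = (r_a, x_a), (r_b, x_b)           # E_A = (r_A P, x_A P), E_B = (r_B P, x_B P)
    sk_a = session_key(id_a, id_b, True, s, x_a, r_a, d_a, e_b)
    sk_b = session_key(id_b, id_a, False, s, x_b, r_b, d_b, e_a)
    return sk_a, sk_b

def trapdoor_setup(B1: int):
    """Theorem 1: choose y, z and set B2 = yP - zB1; the test never uses b1."""
    y, z = secrets.randbelow(P_ORDER), secrets.randbelow(P_ORDER)
    return y, z, (y - z * B1) % P_ORDER

def trapdoor_check(y, z, A, C, T1, T2) -> bool:
    """Equation (1): T1^z * T2 == e(A, C)^y, decided from y and z alone."""
    return pow(T1, z, Q_MOD) * T2 % Q_MOD == pow(e(A, C), y, Q_MOD)

def demo_trapdoor():
    """(verdict for a correct (T1, T2) pair, verdict when T1 is tampered with)."""
    B1, A, C = rand_zp(), rand_zp(), rand_zp()
    y, z, B2 = trapdoor_setup(B1)
    base = e(A, C)
    T1, T2 = pow(base, B1, Q_MOD), pow(base, B2, Q_MOD)   # Equation (2) holds
    bad_T1 = T1 * G_T_GEN % Q_MOD                         # T1 off by a factor g
    return trapdoor_check(y, z, A, C, T1, T2), trapdoor_check(y, z, A, C, bad_T1, T2)
```

The tampered pair is rejected except with probability $1/p$ (here about $10^{-6}$), matching item 3 of the theorem.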

See [4], [9] for an explanation and a proof.

Additionally we need the “Additive double BDH Trapdoor Test” and the “Multiplicative double BDH Trapdoor Test” for Strategy 9:


Theorem 2 (Additive double BDH Trapdoor Test). Let $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ be a bilinear pairing, where $\mathbb{G}, \mathbb{G}_T$ are two cyclic groups of prime order $p$. Let $P \in \mathbb{G}$ be a generator of $\mathbb{G}$. Suppose $B_1, D_1 \in \mathbb{G}$, $y_1, y_2, z \in \mathbb{Z}_p$ are mutually independent random variables. Define $B_2 := y_1 P - zB_1$ and $D_2 := y_2 P - zD_1$. Further, suppose that $A, C$ are random variables in $\mathbb{G}$ and $T_1, T_2$ are random variables in $\mathbb{G}_T$, each of which is defined as some function of $(A, C, B_1, D_1)$ and $(A, C, B_2, D_2)$. Then we have:

(i) $B_2$ and $D_2$ are uniformly distributed over $\mathbb{G}$ (guaranteed by $y_1$ and $y_2$), as is $B_2 + D_2$.

(ii) $B_1$ and $B_2$ are independent and $D_1$ and $D_2$ are independent and $B_2$ and $D_2$ are independent, and $B_1 + D_1$ and $B_2 + D_2$ are independent (also due to $y_1$ and $y_2$).

(iii) If $B_1 = b_1 P$, $B_2 = b_2 P$, $D_1 = d_1 P$, $D_2 = d_2 P$, then the probability that the truth value of

$$T_1^{z} T_2 \stackrel{?}{=} e(A, C)^{y_1+y_2} \qquad (3)$$

does not agree with the truth value of

$$T_1 \stackrel{?}{=} e(A, C)^{b_1} e(A, C)^{d_1} \;\wedge\; T_2 \stackrel{?}{=} e(A, C)^{b_2} e(A, C)^{d_2} \qquad (4)$$

is at most $1/p$; moreover, if Equation 4 holds, then Equation 3 certainly holds.

Proof. This proof is a rewrite of Cash, Kiltz and Shoup's [4] trapdoor test proof. Observe that y1 + y2 = z(b1 + d1) + (b2 + d2). It is easy to verify that B2 + D2 is uniformly distributed over 𝔾, and that B1 + D1, B2 + D2, z are mutually independent, from which (i) and (ii) follow. To prove (iii), condition on fixed values of B1 + D1 and B2 + D2. In the resulting conditional probability space, z is uniformly distributed over ℤ_p, while (b1 + d1), (b2 + d2), e(A, C), T1 and T2 are fixed. If Equation 4 holds, then by multiplying together the two equations in Equation 4, we see that Equation 3 certainly holds. Conversely, if Equation 4 does not hold, we show that Equation 3 holds with probability at most 1/p. Observe that Equation 3 is equivalent to

$$\left(\frac{T_1}{e(A, C)^{b_1 + d_1}}\right)^{z} = \frac{e(A, C)^{b_2 + d_2}}{T_2}. \tag{5}$$

It is not hard to see that if T1 = e(A, C)^{b1+d1} and T2 ≠ e(A, C)^{b2+d2}, then Equation 5 certainly does not hold. This leaves us with the case T1 ≠ e(A, C)^{b1+d1}. But in this case, the left hand side of Equation 5 is a random element of 𝔾_T (since z is uniformly distributed in ℤ_p), but the right hand side is a fixed element of 𝔾_T. Thus, Equation 5 holds with probability 1/p in this case.

Theorem 3 (Multiplicative double BDH Trapdoor Test).² Let e : 𝔾 × 𝔾 → 𝔾_T be a bilinear pairing, where 𝔾, 𝔾_T are two cyclic groups of prime order p. Let P ∈ 𝔾 be a generator of 𝔾. Suppose B1, C1 ∈ 𝔾, y1, y2, z ∈ ℤ_p are mutually independent random variables. Define B2 := y1P − zB1 and C2 := y2P − zC1. Further, suppose that A is a random variable in 𝔾 and T1, T2 are random variables in 𝔾_T, each of which is defined as some function of (A, B1, C1) and (A, B2, C2). Then we have:

(i) B2 and C2 are uniformly distributed over 𝔾 (guaranteed by y1 and y2), and e(B2, C2) is uniformly distributed over 𝔾_T.

(ii) B1 and B2 are independent and C1 and C2 are independent and B2 and C2 are independent, and e(B1, C1) and e(B2, C2) are independent (also due to y1 and y2).

(iii) If B1 = b1P, B2 = b2P, C1 = c1P, C2 = c2P, then the probability that the truth value of

$$\frac{T_2}{T_1^{z^2}} \overset{?}{=} \frac{e(A, P)^{y_1 y_2}}{e(A, C_1)^{y_1} \, e(A, B_1)^{y_2}} \tag{6}$$

does not agree with the truth value of

$$T_1 \overset{?}{=} e(A, P)^{b_1 c_1} \;\wedge\; T_2 \overset{?}{=} e(A, P)^{b_2 c_2} \tag{7}$$

is at most 2/p; moreover, if Equation 7 holds, then Equation 6 certainly holds.

² If this test was implemented with B2 = y1P − z1bP and C2 = y2P − z2cP, then the probability that Equation 7 holds would be 1/p². We use z instead of z1 and z2 because we need Theorem 2 simultaneously.

Proof. Observe that y1y2 = (zb1 + b2)(zc1 + c2) = z²b1c1 + zb1c2 + zb2c1 + b2c2. It is easy to verify that e(B2, C2) is uniformly distributed over 𝔾_T, and that e(B1, C1), e(B2, C2), z are mutually independent, from which (i) and (ii) follow. To prove (iii), condition on fixed values of e(B1, C1) and e(B2, C2). In the resulting conditional probability space, z is uniformly distributed over ℤ_p, while b1c1, b2c2, A, T1 and T2 are fixed. If Equation 7 holds, then by multiplying together the two equations in Equation 7, we see that Equation 6 certainly holds. Conversely, if Equation 7 does not hold, we show that Equation 6 holds with probability at most 2/p. Observe that Equation 6 is equivalent to

$$\left(\frac{T_1}{e(A, P)^{b_1 c_1}}\right)^{z^2} = \frac{e(A, P)^{b_2 c_2}}{T_2}. \tag{8}$$

It is not hard to see that if T1 = e(A, P)^{b1c1} and T2 ≠ e(A, P)^{b2c2}, then Equation 8 certainly does not hold. This leaves us with the case T1 ≠ e(A, P)^{b1c1}. But in this case, the left hand side of Equation 8 is the square of a random element of 𝔾_T. Since z is uniformly distributed in ℤ_p, z² is uniformly distributed over half of ℤ_p as half of the elements of ℤ_p are quadratic residues. On the other hand, the right hand side of Equation 8 is a fixed element of 𝔾_T. Thus, Equation 8 holds with probability 2/p in this case.
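The 1/p bound of Theorem 1 and the 2/p bound behind Theorem 3 can be observed exhaustively in a small group. The following Python is an added example, not code from the paper or its authors. It models 𝔾_T as the order-23 subgroup of ℤ_47^* (constructed toy parameters p = 23, q = 47, generator 4) and lets an arbitrary element H of that subgroup stand in for e(A, C), so no pairing is implemented: both tests only use 𝔾_T and ℤ_p arithmetic. Equation (1) is evaluated exactly as the simulator would evaluate it, knowing only its own y and z, and the code then counts, over every z ∈ ℤ_p, how often a forged (T1, T2) pair passes; the function and variable names are this example's own.

```python
# Added example (not the paper's code): Theorem 1's trapdoor test and the
# squared relation (Equation 8) behind Theorem 3, run over all z in a
# constructed toy target group so the 1/p and 2/p bounds can be seen directly.
# G_T is the order-p subgroup of Z_q^*; e(A, C) is an arbitrary element H of
# it, so neither test needs the pairing itself.

P_ORDER = 23   # p: prime order of G and G_T (constructed toy value)
Q_MOD = 47     # q = 2p + 1 is prime, so Z_q^* contains a subgroup of order p
GEN = 4        # 4 = 2^2 is a quadratic residue mod 47 and therefore has order 23


def gt_exp(base, k):
    """Exponentiation in G_T; exponents live in Z_p."""
    return pow(base, k % P_ORDER, Q_MOD)


def gt_inv(x):
    """Inverse in G_T (modular inverse, Python 3.8+)."""
    return pow(x, -1, Q_MOD)


def honest_pair(h, b1, b2):
    """T1 = e(A,C)^{b1}, T2 = e(A,C)^{b2}: the values Equation (2) expects."""
    return gt_exp(h, b1), gt_exp(h, b2)


def trapdoor_accepts(t1, t2, h, y, z):
    """Equation (1) as the simulator evaluates it: it knows y and z (its own
    randomness) and h = e(A, C), but neither b1 nor b2."""
    return (gt_exp(t1, z) * t2) % Q_MOD == gt_exp(h, y)


def count_accepting_z(t1, t2, h, b1, b2):
    """Number of z in Z_p for which Equation (1) accepts (t1, t2), with y
    defined through B2 = yP - zB1, i.e. y = z*b1 + b2. Theorem 1 says this
    is p for an honest pair and at most 1 otherwise."""
    return sum(1 for z in range(P_ORDER)
               if trapdoor_accepts(t1, t2, h, (z * b1 + b2) % P_ORDER, z))


def count_accepting_z_squared(t1, t2, h, bc1, bc2):
    """Number of z in Z_p satisfying Equation (8),
    (T1 / h^{bc1})^{z^2} == h^{bc2} / T2, with bc1 = b1*c1 and bc2 = b2*c2.
    Because z^2 takes every non-zero square twice, the count is at most 2."""
    lhs_base = (t1 * gt_inv(gt_exp(h, bc1))) % Q_MOD
    rhs = (gt_exp(h, bc2) * gt_inv(t2)) % Q_MOD
    return sum(1 for z in range(P_ORDER) if gt_exp(lhs_base, z * z) == rhs)


if __name__ == "__main__":
    H = gt_exp(GEN, 5)                      # stands in for e(A, C)
    t1, t2 = honest_pair(H, 7, 11)          # b1 = 7, b2 = 11 (constructed)
    forged_t1 = (t1 * GEN) % Q_MOD          # T1 off by one generator step
    shifted_t2 = (t2 * gt_inv(gt_exp(GEN, 4))) % Q_MOD
    print("honest pair accepted for", count_accepting_z(t1, t2, H, 7, 11),
          "of", P_ORDER, "values of z")
    print("forged T1 accepted for", count_accepting_z(forged_t1, t2, H, 7, 11),
          "values of z")
    print("squared test, forged pair accepted for",
          count_accepting_z_squared(forged_t1, shifted_t2, H, 7, 11),
          "values of z")
```

Running the script shows the honest pair accepted for all 23 values of z, a forged T1 accepted for exactly one z (z = 0 in this construction), and, in the squared variant, a forged pair accepted for two values of z whenever the required exponent is a non-zero quadratic residue, which is where the factor 2 in Theorem 3 comes from.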

5 Security Proof for the Certificateless Key Agreement Scheme

We will prove that the certificateless key agreement scheme is a secure key agreement scheme in the random oracle model under the computational bilinear Diffie-Hellman (CBDH) assumption and the computational Diffie-Hellman (CDH) assumption. The CBDH assumption states that given {aP, bP, cP} ∈ 𝔾³ it is hard to compute e(P, P)^{abc} ∈ 𝔾_T. Let 𝒵 be an algorithm that takes as input a triple {aP, bP, cP} ∈ 𝔾³, and outputs an element Z ∈ 𝔾_T. We define the CBDH advantage of 𝒵 to be

$$\Pr\left[a, b, c \xleftarrow{\$} \mathbb{Z}_p : \mathcal{Z}(aP, bP, cP) = e(P, P)^{abc}\right]$$

The CDH assumption states that given {aP, bP} ∈ 𝔾² it is hard to compute abP ∈ 𝔾. Let 𝒵 be an algorithm that takes as input the pair {aP, bP} ∈ 𝔾², and outputs an element T ∈ 𝔾. We define the CDH advantage of 𝒵 to be

$$\Pr\left[a, b \xleftarrow{\$} \mathbb{Z}_p : \mathcal{Z}(aP, bP) = abP\right]$$

To relate the advantage of an adversary against our protocol to the above assumptions, we use a classical reduction approach. We assume that an adversary M has an advantage in winning the game outlined in Section 2.1. Additionally, the adversary M may query the random oracles H1, H2, and H3. In the following, the challenger B uses the adversary M to turn M's advantage in distinguishing a random session key from the correct session key into an advantage in solving either the computational Diffie-Hellman problem or the computational bilinear Diffie-Hellman problem. Let q0 be the maximum number of sessions that any one party may have. We assume that the adversary M makes at most q1 distinct H1 queries. The adversary may make any number of H2 queries or H3 queries. At the end of the game, M outputs its guess b′ ∈ {0, 1} for b. Let Adv_M(k)[Π] be the advantage that the adversary M has against the protocol, i.e. the event that b′ = b and M wins the game.

Theorem 4. If there exists an adversary that has an advantage against our certificateless key agreement scheme (Adv_M(k)[Π]), the challenger B can use this adversary to solve either the computational Diffie-Hellman or the computational bilinear Diffie-Hellman problem. We show that the success probability of any adversary against the scheme is limited by

$$\mathrm{Adv}_{\mathcal{M}}(k)[\Pi] \le 9 q_0 q_1^2 \max\left(\mathrm{Adv}_{\mathcal{B}}(k)[CDH],\ \mathrm{Adv}_{\mathcal{B}}(k)[CBDH]\right)$$

where Adv_B(k)[CDH] is the advantage that the challenger gets in solving the computational Diffie-Hellman problem given security parameter k using the adversary and Adv_B(k)[CBDH] is the advantage that the challenger gets in solving the computational bilinear Diffie-Hellman problem given security parameter k using the adversary.

We note that the CBDH problem is strictly weaker than the CDH problem.Thus, an adversary that is able to solve the CDH problem will also be able tosolve the CBDH problem. We differentiate between these two problems becausesecurity against a Type II adversary is based solely on the CDH problem, whereassecurity against a Type I adversary is based on both the CDH problem and theCBDH problem.


5.1 Possible Strategies for the Challenger

Before the game starts, the challenger B tries to guess the test session. To this end, B randomly selects two indexes I, J ∈ {1, . . . , q1}, I ≠ J, that represent the Ith and the Jth distinct query to the H1 oracle. The probability that B chooses I and J correctly is (as there are at most q1 entries in H1)

$$\frac{1}{q_1 (q_1 - 1)} > \frac{1}{q_1^2}$$

B chooses T ∈ {1, . . . , q0} and thus determines the test oracle Π^T_{I,J}, which is correct with probability larger than 1/(q0 q1²). If B did not guess the test session correctly, B aborts the game.

In order to use the adversary M to gain an advantage in computing the CBDH or the CDH challenge, the challenger B will guess the parts of the key in the session corresponding to the test query that the adversary may not learn. Depending on the chosen strategy, B aborts the game whenever M's queries target one of the forbidden elements. Otherwise, the game proceeds as usual. There are nine choices for B (see also Table 1):

Table 1. Possible corrupt queries sorted by strategy

Strategy          1        2        3/4 (mirr.)       5/6 (mirr.)   7/8 (mirr.)   9
Value at party p  I  J     I  J     I  J              I  J          I  J          I  J
sH1(IDp)          c  c  c  c  c  c  c  c
sH3(H1(IDp))      c  c  c  c  c  c  c  c
xp / xpP          c/r  c/r  c/r  c/r  c/r  c/r  c/r  c/r
rp                c  c  c  c  c  c  c  c
Embedding in      xIxJP    rIrJP    rIxJP / rJxIP     K             L             N
Problem type      CDH      CDH      CDH               CBDH          CBDH          CBDH

c = corrupt, r = replace, mirr. = swap columns I and J

Strategies 1 to 4 are related to the computational Diffie-Hellman problem; Strategies 5 to 9 are related to the computational bilinear Diffie-Hellman problem. In the proof, the problem is always embedded in the values that the adversary may not corrupt or replace.

1. The adversary may neither learn the secret value of IDI nor of IDJ.
2. The adversary may neither learn the ephemeral private key of IDI nor of IDJ.
3. The adversary may neither learn the secret value of IDJ nor replace the public key of IDJ and may also not learn the ID-based private key of IDI.
4. The adversary may neither learn the ephemeral private key of IDJ nor the secret value of IDI.
5. The adversary may neither learn the ephemeral private key of IDI nor the secret value of IDJ.
6. The adversary may neither learn the secret value of IDI nor replace the secret value of IDI and may also not learn the ID-based private key of IDJ.
7. The adversary may neither learn the ephemeral private key of IDJ nor the ID-based private key of IDI.
8. The adversary may neither learn the ephemeral private key of IDI nor the ID-based private key of IDJ.
9. The adversary may neither learn the ID-based private key of IDI nor of IDJ.

As there are nine strategies, the probability that B does not abort the game after B selected the strategy and the test session beforehand is now larger than

$$\frac{1}{9 q_0 q_1^2}.$$

The adversary may learn the key generation centre's master secret only in Strategy 1, 2, 3, and 4. Furthermore, B replaces the H2 oracle by a table which records input/output pairs. If a query is made that matches one of the previous inputs, the corresponding output is returned; otherwise, a value from the respective output domain is chosen at random, the new input/output pair is added to the list and the value is returned. The H1 and H3 oracles operate as explained in Table 2 and Table 3 respectively.

Relation to the security model. We gave a list of desirable notions of security in Section 2 and would like to analyse the security of the protocol in relation to the strategies. We note that UKS attacks are not a problem as the key derivation function H2 uses the identities of the parties as input and would output different keys in the event of an UKS attack. Furthermore, the identity-based public keys are derived from the identity's name and prevent UKS attacks, too. Basic impersonation attacks are not possible as it is necessary to know the private keys of a party to compute K, K′, L, L′, N and N′ which are inputs to the key derivation function H2. Weak perfect forward secrecy is guaranteed by the proof for Strategy 2. Resistance to key compromise impersonation attacks is also proved using Strategy 2. Resistance to (partial) disclosure of ephemeral secrets is proven in all strategies except Strategy 2, where Strategies 1, 3 and 9 are most important: Strategy 1 also provides security against leakage of ephemeral secrets to the key generation centre or an adversary who compromised both identity based private keys, Strategy 3 provides security against leakage of ephemeral secrets to an adversary who replaced the certificateless public key of one identity and corrupted the ID-based public key of the other identity, Strategy 9 provides security against leakage of ephemeral secrets to an adversary who replaces the certificateless public keys of both identities.

Table 2. Modified H1 oracle

ID     | H1(ID) | l ←$ ℤ_p
ID1    | l1 P   | l1
. . .  | . . .  | . . .
IDI    | bP     | ⊥
. . .  | . . .  | . . .
IDJ    | cP     | ⊥
. . .  | . . .  | . . .

Instead of choosing H1(IDi) at random from 𝔾, B chooses li ∈ ℤ_p at random, records it, and sets H1(IDi) to liP. For Strategy 5, 7 and 9, the Ith entry is set to H1(IDI) = bP; for Strategy 6 and 8, the Jth entry is set to H1(IDJ) = bP. For Strategy 9 the Jth entry is set to H1(IDJ) = cP. bP and cP are taken from the inputs to the BDH challenge. As bP and cP are random in 𝔾, this modification is indistinguishable for any adversary. The table above shows the H1 oracle for Strategy 9 as an example.

5.2 Behaviour of the Challenger Based on the Chosen Strategy

To solve the computational DH problem using M, B is given the values (aP, bP) and B's task is to compute abP. To solve this problem, B uses the H2 oracle. The bilinear pairing is used for consistency checks.

To solve the computational BDH problem using M, B is given the values(aP, bP, cP ) and B’s task is to compute e(P, P )abc. To solve this problem, B usesthe H2 and the H1 oracle. The H3 oracle is used for consistency checks andoperates as in Table 3.

Table 3. Modified H3 oracle suitable for twin bilinear Diffie-Hellman

gi ∈ 𝔾         | H3(gi)            | yi ←$ ℤ_p | z ←$ ℤ_p
H1(IDI) = bP   | ytbdh1 P − z bP   | ytbdh1    | z
H1(IDJ) = cP   | ytbdh2 P − z cP   | ytbdh2    | z
g1             | y1 P              | y1        | ⊥
. . .          | . . .             | . . .     | ⊥

Instead of choosing H3(gi) for gi ∈ 𝔾 at random from 𝔾, B chooses yi ∈ ℤ_p at random, records it, and sets H3(gi) to yiP. For Strategy 5, 6, 7, 8 and 9, the oracle is patched before the game starts by setting H3(bP) = ytbdh1P − zbP. For Strategy 9, the oracle is additionally patched before the game starts with H3(cP) = ytbdh2P − zcP. bP and cP are taken from the inputs to the BDH challenge. As the pre-patched values are completely re-randomized, this modification is indistinguishable for any adversary. The table above shows the H3 oracle for Strategy 9 as an example.
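The bookkeeping behind Tables 2 and 3, as an added example that is not code from the paper or its authors: a programmable random oracle that records the discrete log of every answer it invents, can be pre-patched with challenge elements whose log it does not know (the ⊥ rows), and lets the simulator derive ID-based private keys from the master public key aP alone. The group 𝔾 is modelled additively as ℤ_p with P = 1 (constructed toy order 23), so an element lP is simply l and discrete logs are trivial; the example demonstrates only the simulator's bookkeeping, and the class, function and identity names are its own assumptions.

```python
# Added example (not the paper's code): the patched H1 / H3 oracles of
# Tables 2 and 3 for Strategy 9, in a constructed toy group G = Z_p with P = 1.
import secrets

P_ORDER = 23   # constructed toy group order


def _random_nonzero():
    return secrets.randbelow(P_ORDER - 1) + 1


class PatchedOracle:
    """Random oracle into G: every invented answer is l*P with l recorded,
    while pre-patched rows hold a challenge element whose discrete log the
    simulator does not know (the ⊥ entries of Tables 2 and 3)."""

    def __init__(self, draw=_random_nonzero):
        self.draw = draw
        self.table = {}            # query input -> (element, log or None)

    def patch(self, inp, element):
        """Pre-set H(inp) = element before the game starts (log unknown)."""
        self.table[inp] = (element % P_ORDER, None)

    def query(self, inp):
        """H(inp): return the recorded element or invent l and return l*P."""
        if inp not in self.table:
            used = {elem for elem, _ in self.table.values()}
            l = self.draw()
            while l % P_ORDER in used:   # toy-only: never reuse a patched element
                l = self.draw()
            self.table[inp] = (l % P_ORDER, l % P_ORDER)
        return self.table[inp][0]

    def log(self, inp):
        """Recorded discrete log of H(inp), or None for patched rows."""
        return self.table[inp][1]


def build_strategy9_oracles(b_elem, c_elem, y_tbdh1, y_tbdh2, z,
                            draw=_random_nonzero):
    """Strategy 9 setup: H1(ID_I) = bP, H1(ID_J) = cP,
    H3(bP) = y_tbdh1 P - z bP and H3(cP) = y_tbdh2 P - z cP."""
    h1 = PatchedOracle(draw)
    h3 = PatchedOracle(draw)
    h1.patch("ID_I", b_elem)
    h1.patch("ID_J", c_elem)
    h3.patch(b_elem % P_ORDER, y_tbdh1 - z * b_elem)
    h3.patch(c_elem % P_ORDER, y_tbdh2 - z * c_elem)
    return h1, h3


def simulated_private_keys(h1, h3, ident, a_elem):
    """ID-based private keys sH1(ID) = l * (aP) and sH3(H1(ID)) = y * (aP),
    computed from the recorded logs and the master public key aP only (the
    simulator never learns s = a). Returns None for a patched identity."""
    g = h1.query(ident)
    l = h1.log(ident)
    if l is None:
        return None
    h3.query(g)
    y = h3.log(g)
    if y is None:
        return None
    return ((l * a_elem) % P_ORDER, (y * a_elem) % P_ORDER)


if __name__ == "__main__":
    # constructed challenge: bP = 5, cP = 9, y_tbdh1 = 7, y_tbdh2 = 11, z = 3
    h1, h3 = build_strategy9_oracles(5, 9, 7, 11, 3)
    print("keys for ID_I:", simulated_private_keys(h1, h3, "ID_I", 4))
    print("keys for Alice:", simulated_private_keys(h1, h3, "Alice", 4))
```

In the toy, the resampling loop in `query` only avoids the collision of an invented element with a patched one, which in a real group happens with negligible probability; everything else mirrors the tables, including that a private-key query for a patched identity cannot be answered, which is exactly the case Strategy 9 rules out.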

The session key SK is generated by querying H2 on (IDi, IDj, riP, xiP, rjP, xjP, rirjP, xixjP, rixjP, rjxiP, K, K′, L, L′, N, N′) where

$$K = \underbrace{e(H_1(ID_j), P)^{r_i s}}_{K_1} \cdot \underbrace{e(H_1(ID_i), P)^{r_j s}}_{K_2}, \qquad L = \underbrace{e(H_1(ID_j), P)^{s x_i}}_{L_1} \cdot \underbrace{e(H_1(ID_i), P)^{s x_j}}_{L_2}, \qquad N = e(H_1(ID_i), H_1(ID_j))^{s}$$

Depending on the chosen strategy, B embeds the challenge in the test queryand answers the test query as specified in Section 2.1.


Patching the H2 oracle. B has to maintain consistency between the H2 oracle and session key reveal queries, as B will not be able to compute all data necessary to query the H2 oracle for a valid session key in some instances (e.g. if certificateless public keys have been replaced by the adversary). If B has been asked on the H2 oracle first and is then later asked a matching session key reveal query, B is always able to answer these requests correctly (it uses its decisional oracles that are explained in the proofs for the respective strategies, see Section 5.4). However, if B is asked a session key reveal query for which no matching H2 query exists yet, B proceeds as follows: B inserts all available data and all data that B is able to compute (see also Section 5.3) into the H2 oracle but may have to leave some fields (like K and K′ or L and L′ or N and N′) empty. B chooses a random value from H2's output domain as the session key and records that value together with the incomplete H2 query data. For the following H2 queries, B first checks if one of the incomplete entries of the H2 oracle matches M's query data by using the respective decisional oracle(s). If that is the case, B records the complete information submitted by M and returns the H2 entry. B additionally fills up all long term values that it can determine (even if it is not able to fill a H2 entry completely). If B finds no matching entry, B simply generates a new H2 entry as usual.

5.3 Handling a Session Key Reveal Query for Sessions Π^t_{i,j} Where Party i and j Are Not Participating in the Test Query

Without loss of generality, we assume that i is the initiator of the session. Given party i that has incoming message (r_{Mj}P, x_{Mj}P) (where Mj indicates that the values may be adversarially controlled) and that thus accepts, the challenger knows at least the identity based private keys and the ephemeral private key of party i, i.e. the challenger knows sH1(IDi), sH3(H1(IDi)), ri. The adversary may have replaced the certificateless public key of party i with x_{Mi}P. To obtain a session key, party i has to query the H2 oracle with the session data (as explained in Section 3.3) on the following elements:

$$SK = H_2(i, j, r_i P, x_{Mi} P, r_{Mj} P, x_{Mj} P, r_i r_{Mj} P, x_{Mi} x_{Mj} P, r_i x_{Mj} P, x_{Mi} r_{Mj} P, K, K', L, L', N, N')$$

Besides the public values i, j, riP, x_{Mi}P, r_{Mj}P, x_{Mj}P that are part of the H2 query, the challenger acting as party i is able to compute the following values knowing its (possibly corrupted) private information sH1(IDi), sH3(H1(IDi)), ri:

r_i r_{Mj}P: trivially, by computing r_i (r_{Mj}P).

r_i x_{Mj}P: by computing r_i (x_{Mj}P).

K: due to the patched H1 oracle (see Table 2), the challenger knows log_P H1(IDi) = li and log_P H1(IDj) = lj. Thus K can be computed as

$$K = e(H_1(ID_j), sP)^{r_i} \, e(l_i sP, r_{Mj} P)$$

K′: just like for K, the challenger knows log_P H3(H1(IDi)) = yi and log_P H3(H1(IDj)) = yj (see Table 3). Thus K′ can be computed as

$$K' = e(H_3(H_1(ID_j)), sP)^{r_i} \, e(y_i sP, r_{Mj} P)$$

L: knowing li and lj from the H1 oracle, computing L is easy:

$$L = e(l_j (x_{Mi} P), sP) \, e(l_i sP, x_{Mj} P)$$

L′: can be computed similarly, just like K′ above.

N and N′: are easy as the ID-based private keys are known.

The only missing values are x_{Mi}x_{Mj}P and x_{Mi}r_{Mj}P which cannot be computed by the challenger. However, as we point out in the proof for Strategy 1 in Section 5.4, the challenger is still able to answer session state reveal and H2 queries consistently: If the challenger is asked a H2 query first and then later asked a matching session state reveal query, the challenger can identify the corresponding H2 entry by checking for all entries if e(xiP, xjP) = e(xixjP, P) and if e(x_{Mi}P, r_{Mj}P) = e(x_{Mi}r_{Mj}P, P). If the challenger is asked a session state reveal query, but there is no matching H2 entry, the challenger can create a new random value from the output domain of H2 and assign it to the incomplete entry. The challenger checks the subsequent queries of the adversary to the H2 oracle and is able to answer the queries correctly by using the pairing as above.

In the following, we will split the challenger's behaviour based on the strategy chosen in Section 5.1. Additionally, we omit the indices t_{i,j} with respect to key computations for specific sessions to increase readability. Usually it is evident for which particular session the computations are needed. For the proof we assume that the adversary M does not get an advantage in outputting its guess b′ for b unless M queries the H2 oracle on the session key.
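The H2 bookkeeping described in Section 5.2 and above, as an added example that is not code from the paper or its authors: the challenger keeps an H2 table whose entries may lack x_i x_j P, answers a session key reveal with a fresh random key and an incomplete entry, and later recognises the adversary's full H2 query by the pairing check e(x_i P, x_j P) = e(x_i x_j P, P), which acts as a DDH oracle. The group 𝔾 is modelled as ℤ_p with P = 1 and 𝔾_T as the order-23 subgroup of ℤ_47^* (constructed toy parameters), so e(uP, vP) = e(P, P)^{uv} is computable and discrete logs are trivial; the example only shows the bookkeeping, and the class, method and key names are its own assumptions.

```python
# Added example (not the paper's code): H2 table with incomplete entries,
# matched later through the pairing used as a DDH oracle (Sections 5.2, 5.3).
import secrets

P_ORDER = 23   # toy group order (constructed); G = Z_p with P = 1
Q_MOD = 47     # Z_47^* contains a subgroup of order 23
GEN = 4        # generator of that subgroup; plays the role of e(P, P)


def pairing(u, v):
    """Toy symmetric pairing on G: e(uP, vP) = e(P, P)^{uv}."""
    return pow(GEN, (u * v) % P_ORDER, Q_MOD)


def consistent_product(xi_p, xj_p, claimed):
    """e(x_i P, x_j P) == e(claimed, P): decides whether `claimed` really is
    x_i x_j P without knowing x_i or x_j."""
    return pairing(xi_p, xj_p) == pairing(claimed, 1)


class H2Table:
    """Random oracle H2 as maintained by the challenger. Only the fields that
    matter for the check are kept: identities, both certificateless public
    keys, the product x_i x_j P (None when the challenger cannot compute it)
    and the session key handed out for the entry."""

    def __init__(self, draw=lambda: secrets.token_hex(16)):
        self.draw = draw          # source of fresh session keys
        self.rows = []

    def _candidates(self, ids, xi_p, xj_p):
        return [r for r in self.rows
                if (r["ids"], r["xi_p"], r["xj_p"]) == (ids, xi_p, xj_p)]

    def adversary_query(self, ids, xi_p, xj_p, xixj_p):
        """M's H2 query carries the complete session string, incl. x_i x_j P."""
        for r in self._candidates(ids, xi_p, xj_p):
            if r["xixj_p"] == xixj_p:
                return r["key"]
            if r["xixj_p"] is None and consistent_product(xi_p, xj_p, xixj_p):
                r["xixj_p"] = xixj_p      # complete the incomplete entry
                return r["key"]
        key = self.draw()                 # no match: a fresh random-oracle value
        self.rows.append({"ids": ids, "xi_p": xi_p, "xj_p": xj_p,
                          "xixj_p": xixj_p, "key": key})
        return key

    def reveal_query(self, ids, xi_p, xj_p):
        """Session key reveal for a session whose x_i x_j P the challenger
        cannot compute (both certificateless keys were replaced)."""
        for r in self._candidates(ids, xi_p, xj_p):
            if r["xixj_p"] is None or consistent_product(xi_p, xj_p, r["xixj_p"]):
                return r["key"]           # valid earlier H2 query or earlier reveal
        key = self.draw()
        self.rows.append({"ids": ids, "xi_p": xi_p, "xj_p": xj_p,
                          "xixj_p": None, "key": key})
        return key


if __name__ == "__main__":
    table = H2Table()
    # constructed session: x_i = 5, x_j = 9, so x_i x_j P = 45 mod 23 = 22
    revealed = table.reveal_query(("ID_1", "ID_2"), 5, 9)
    wrong = table.adversary_query(("ID_1", "ID_2"), 5, 9, 7)
    right = table.adversary_query(("ID_1", "ID_2"), 5, 9, 22)
    print("reveal == correct H2 query:", revealed == right)
    print("reveal == wrong H2 query:  ", revealed == wrong)
```

An H2 query with a wrong x_i x_j P simply becomes a new, unrelated random-oracle entry, exactly as for any other fresh input; only a query whose product passes the pairing check is bound to the key that was already revealed, which is what keeps the simulated oracle consistent from the adversary's point of view.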

5.4 Proofs for Strategy 1 to 9

Strategy 1. The allowed corrupt queries for the adversary are listed in Table 1. The challenger B wants to use the adversary M to solve the computational Diffie-Hellman problem. The input for B is (aP, bP) ∈ 𝔾² and B's goal is to compute abP. To this end, B sets the certificateless public key of IDI to aP and the certificateless public key of IDJ to bP. B uses the pairing to check whether the queries of the adversary to the H2 oracle are valid: by computing e(aP, bP) = e(abP, P), B is able to identify valid queries. As soon as B finds such a query, B aborts the game and returns abP as solution of the CDH challenge.

The probability that B is able to find a solution to the CDH challenge is

$$\mathrm{Adv}_{\mathcal{B}}(k)[CDH] \ge \frac{\mathrm{Adv}_{\mathcal{M}}(k)[\Pi]}{9 q_0 q_1^2}$$

B is able to compute all other elements (xIxJP, K, K′, L, L′, N, N′) that are necessary for H2 queries as the respective private values are under B's control. If M is a Type II adversary as explained in Section 2.1, B gives s to M at the start of the game. We note that as B knows s, B is able to generate ID-based private keys for any identity; thus the game does not have to be changed for Type II adversaries. We note that M is allowed to replace the certificateless public key of IDI and/or IDJ after the test query has been issued.

If M replaces the certificateless public keys of other identities and asks reveal queries, B first uses the pairing to check for matching queries to the H2 oracle. If no matching query is found, B first generates a random value v of the output domain of H2, inserts the available session data together with v into the H2 table as described in Section 5.2 (i.e. everything including the certificateless public keys; except xixjP which B cannot compute) and returns v. If B is then later asked H2 queries containing the correct xixjP and the certificateless keys xiP and xjP, B is able to tell so by using the pairing computation and completes the entries in the H2 table wherever possible.

Strategy 2. The allowed corrupt queries for the adversary are listed in Table 1. The challenger B wants to use the adversary M to solve the computational Diffie-Hellman problem. The input for B is (aP, bP) ∈ 𝔾² and B's goal is to compute abP. To this end, B sets the ephemeral key of IDI to aP and the ephemeral key of IDJ to bP in the test query. B uses the pairing to check whether the queries of the adversary to the H2 oracle are valid: by computing e(aP, bP) = e(abP, P), B is able to identify valid queries. As soon as B finds such a query, B aborts the game and returns abP as solution of the CDH challenge.

The probability that B is able to find a solution to the CDH challenge is

$$\mathrm{Adv}_{\mathcal{B}}(k)[CDH] \ge \frac{\mathrm{Adv}_{\mathcal{M}}(k)[\Pi]}{9 q_0 q_1^2}$$

As M is allowed to replace the certificateless public keys of any identity, B uses the technique described in Strategy 1 to decide how to answer reveal queries and H2 queries.

Strategy 3 and 4. The allowed corrupt queries for the adversary are listed in Table 1. For Strategy 3, we want to embed the CDH challenge in rIxJP, because the input to other values used in the key derivation function can be corrupted by the adversary. Here, B selects the master private key s ←$ ℤ_p. B is able to provide ID-based secret keys for all identities, as B is in possession of the master secret key. Furthermore, B sets the certificateless public key of IDI to xIP = aP and the ephemeral public key of party IDJ to rJP = bP in session Π^T_{I,J}. If the adversary is a Type II adversary as described in Section 2.1, then B gives s to M at the start of the game.

Similar to Strategy 1 and 2, B checks the H2 queries for entries where

$$e(P, r_J x_I P) \overset{?}{=} e(aP, bP)$$

As soon as B finds such an entry, B aborts the game and returns rJxIP as solution to the BDH challenge. The probability that this happens is lower bounded by

$$\mathrm{Adv}_{\mathcal{B}}(k)[CDH] \ge \frac{\mathrm{Adv}_{\mathcal{M}}(k)[\Pi]}{9 q_0 q_1^2}$$

B uses the techniques described in Strategy 1 to deal with replaced certificatelesskeys of identities other than IDI . We note that M is allowed to replace thecertificateless public key of IDI after the test query has been issued.

We note that as Strategy 4 is symmetric to Strategy 3, its probability of success is equal to the probability of success for Strategy 3. Only IDI and IDJ are exchanged and the computational BDH challenge is embedded in rIxJP instead of rJxIP.

Strategy 5 and 6. The allowed corrupt queries for Strategy 5 for the adversary are listed in Table 1. The BDH challenge can only be embedded in L2 if Strategy 5 is chosen, because the input to all other values used in the key derivation function can be corrupted by the adversary. To accomplish this, the challenger B sets the master public key to aP and implements the H1 oracle as described in Table 2, thus H1(IDI) = bP. B patches the H3 oracle as described in Table 3, thus H3(H1(IDI)) = H3(bP) = ytbdh1P − zbP. B can still generate private keys for all identities except IDI by computing sH(IDi) = liaP and sH3(H1(IDi)) = yiaP. Additionally, B sets the certificateless public key of IDJ to cP.

A problem for B arises when the adversary asks session key reveal queries for other sessions than the test session that include IDI and IDJ, or for sessions that include IDI and another party for which the adversary issued a replace public key query. Whenever B is asked a reveal query, B first checks if the key derivation function H2 was asked with a matching session string involving both IDI and IDJ. As B is unable to compute L, B uses the twin bilinear Diffie-Hellman trapdoor (see Theorem 1) to check if M submitted a valid query, i.e. if the query should be answered with a record from H2 (if such a record exists). The challenger extracts the discrete logarithm for IDJ's private keys, lJ and yJ, from the H1 and H3 oracle respectively (H3(H1(IDJ)) = H3(lJP) = yJP and B is able to extract both lJ and yJ). Then, B extracts L and L′ from each entry that matches the session for which the reveal query is being asked, computes L1 = e(lJaP, xIP), L′1 = e(yJaP, xIP) and checks if

$$\begin{aligned}
\left(\frac{L}{L_1}\right)^{z} \cdot \frac{L'}{L'_1}
&= \left(\frac{e(H_1(ID_J), P)^{s x_I} \cdot e(H_1(ID_I), P)^{s x_J}}{e(l_J aP, x_I P)}\right)^{z} \cdot \frac{e(H_3(H_1(ID_J)), P)^{s x_I} \cdot e(H_3(H_1(ID_I)), P)^{s x_J}}{e(y_J aP, x_I P)} \\
&= \left(\frac{e(l_J P, aP)^{x_I} \cdot e(bP, P)^{ac}}{e(l_J aP, x_I P)}\right)^{z} \cdot \frac{e(y_J P, P)^{a x_I} \cdot e(y_{tbdh1} P - zbP, P)^{ac}}{e(y_J aP, x_I P)} \\
&= e(bP, P)^{acz} \cdot e(y_{tbdh1} P - zbP, P)^{ac} \\
&= e(P, P)^{zabc} \, e(P, P)^{y_{tbdh1} ac - zabc} = e(P, P)^{y_{tbdh1} ac} \\
&\overset{?}{=} e(aP, cP)^{y_{tbdh1}}
\end{aligned}$$

As soon as M submits such an entry to the H2 oracle, B aborts the game and returns

$$\frac{L}{L_1} = \frac{e(H_1(ID_J), P)^{s x_I} \cdot e(H_1(ID_I), P)^{s x_J}}{e(l_J aP, x_I P)} = \frac{e(l_J P, aP)^{x_I} \cdot e(bP, P)^{ac}}{e(l_J aP, x_I P)} = e(P, P)^{abc}$$

as solution to the BDH challenge.

B uses the same strategy for reveal queries to sessions of IDI where the adversary replaced the certificateless public key of IDj, except that B does not abort the game if a matching H2 query is found but returns the correct H2 value. If no matching H2 query is found, B proceeds as in Section 5.2. If the adversary replaces the certificateless public key of IDI, B additionally uses the strategy described in Strategy 1. We note that M is allowed to replace the certificateless public key of IDJ after the test query has been issued.

The probability that B is able to find a solution to the CBDH challenge is

$$\mathrm{Adv}_{\mathcal{B}}(k)[CBDH] \ge \frac{\mathrm{Adv}_{\mathcal{M}}(k)[\Pi]}{9 q_0 q_1^2}$$

Strategy 6 is symmetric to Strategy 5, so it has the same probability (only IDI and IDJ are exchanged). The BDH challenge is embedded in L1 instead of L2.

Strategy 7 and 8. The allowed corrupt queries for the adversary are listed in Table 1. The BDH challenge can only be embedded in K2, because the input to all other values used in the key derivation function can be corrupted by the adversary. Using this strategy, the challenger sets the master public key sP to aP (notice that B does not know s). B changes the mode of operation of the H1 oracle so that H1 operates as in Table 2, thus H1(IDI) = bP. B patches the H3 oracle as described in Table 3, thus H3(H1(IDI)) = H3(bP) = ytbdh1P − zbP. B can still generate private keys for all identities except IDI by computing sH(IDi) = liaP and sH3(H1(IDi)) = yiaP. As queries for IDI's private keys were ruled out, this does not affect the overall success probability. Additionally, B sets the ephemeral public key of party J ≠ I that participates in the Tth oracle Π^T_{I,J} to cP.

If the adversary has an advantage in this strategy, then M needs to query the H2 oracle on the session key. To distinguish this entry from other H2 queries, B re-computes K1 = e(aP, P)^{lJ rI} and similarly K′1 = e(aP, P)^{yJ rI}. Then, B searches in the table of the H2 oracle for an entry where

$$\left(\frac{K}{K_1}\right)^{z} \cdot \frac{K'}{K'_1} = e(aP, cP)^{y_{tbdh1}}$$

B aborts the game as soon as such an entry is submitted to the H2 oracle and returns K/K1 as solution to the computational bilinear Diffie-Hellman challenge. The probability that this happens is lower bounded by

$$\mathrm{Adv}_{\mathcal{B}}(k)[CBDH] \ge \frac{\mathrm{Adv}_{\mathcal{M}}(k)[\Pi]}{9 q_0 q_1^2}$$


A problem for B occurs ifM replaces certificateless public keys. As B knows theID-based private keys for all identities except IDI , B can compute K, K ′, L, L′, Nand N ′ for any session except for sessions involving IDI . B may be unable tocompute xixjP if M replaced both xiP and xjP but can use the pairing asdescribed in Strategy 1. For reveal queries involving IDI and replaced certifi-cateless public keys, B uses the H3 oracle as described in Strategy 5.

Strategy 8 is symmetric to Strategy 7, so it has the same probability (only IDI and IDJ are exchanged). The BDH challenge is embedded in K1 instead of K2.

Strategy 9. The allowed corrupt queries for the adversary are listed in Table 1.The BDH challenge will be embedded in N . To accomplish this, the challenger setsthe master secret key to aP , H1(IDI) = bP , and H1(IDJ ) = cP . Additionally, theH3 oracle (see Table 3) is modified before the game starts so that H3(H1(IDI)) =H3(bP ) = ytbdh1P − zbP and H3(H1(IDJ)) = H3(cP ) = ytbdh2P − zcP .

A problem for B arises when the adversary asks session key reveal queries forother sessions than the test session that include IDI and IDJ , or for sessionswhere the adversaryM replaces the certificateless public keys of any of the targetidentities. In these cases the challenger is unable to computer neither N nor L.Whenever B is asked a session key reveal query, B first checks if H2 was askedwith a matching session string involving both IDI and IDJ . As B is generallyunable to compute either L or N , B uses the trapdoor as explained in Theorem 3for N and Theorem 2 for L to check ifM submitted a valid query, i.e. if the queryshould be answered with a record from H2 (if such a record exists). To this end,B extracts L, L′, N and N ′ from each entry that matches the session for whichthe reveal query is being asked, and checks if N ′

Nz2 = e(aP,P )ytbdh1

ytbdh2

e(cP,aP )ytbdh1 e(bP,aP )

ytbdh2

and if LzL′ = e(aP, cP )ytbdh1+ytbdh2 . If no matching record exists, B patches theH2 oracle as explained in Section 5.2. As soon asM submits such an entry to theH2 oracle, B aborts the game and returns N as solution to the BDH challenge.The probability that this happens is lower bounded by

$$Adv_{B}(k)[CBDH] \;\ge\; Adv_{M}(k)[\Pi] \cdot \frac{1}{9\, q_0\, q_2}$$

B is able to distinguish between H2 queries that have correct session data and H2 queries that have invalid session data and is thus able to operate the H2 oracle consistently. B may have to use the techniques explained in Strategy 1 and Strategy 5 to operate the H2 oracle.

Theorem 1 follows from the above strategies. □

6 Conclusion

We give the strongest security model for certificateless encryption and relate it to Type I and Type II adversaries [6]. We give the first construction for a strongly secure one round certificateless key agreement scheme that is proven to be secure in the random oracle model, if the computational bilinear Diffie-Hellman and the computational Diffie-Hellman assumptions hold. This enables us to positively answer Swanson's [18, Chapter 7] first question, whether it is even possible to construct a certificateless key agreement scheme that meets the extended eCK model. The protocol is compatible with existing certificateless key infrastructures and can thus be deployed easily. It is furthermore a natural complement to certificateless encryption, which brings us to Swanson's second question: we show that a practical protocol for CL-AKE exists, although it is computationally expensive. We also show how the computational cost can be reduced if we use gap assumptions. We prove our scheme to be more secure than ID-based schemes, in the sense that the KGC can be more actively trying to learn secrets. To answer Swanson's third question, whether the flexibility of certificateless schemes is worth the increased likelihood of vulnerabilities, we note that the ability of the adversary to replace public keys does not necessarily have to introduce vulnerabilities. CL-AKE schemes therefore combine user flexibility with enhanced privacy.

It remains to devise computationally more efficient one round protocols for certificateless key agreement proven secure with respect to standard computational problems such as DH or BDH. Furthermore, a proof for a certificateless key agreement scheme in the standard model would be very interesting.

References

1. Al-Riyami, S.S., Paterson, K.G.: Certificateless Public Key Cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003), http://eprint.iacr.org/2003/126.pdf

2. Bentahar, K., Farshim, P., Malone-Lee, J., Smart, N.P.: Generic Constructions of Identity-Based and Certificateless KEMs. J. Cryptology 21(2), 178–199 (2008)

3. Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. SIAM Journal of Computing 32(3), 586–615 (2003), http://crypto.stanford.edu/~dabo/papers/bfibe.pdf

4. Cash, D., Kiltz, E., Shoup, V.: The Twin Diffie-Hellman Problem and Applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008)

5. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Sec. 6(4), 213–241 (2007)

6. Dent, A.W.: A survey of certificateless encryption schemes and security models. International Journal of Information Security 7(5), 349–377 (2008)

7. Dent, A.W., Libert, B., Paterson, K.G.: Certificateless encryption schemes strongly secure in the standard model. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 344–359. Springer, Heidelberg (2008)

8. Dupont, R., Enge, A.: Practical non-interactive key distribution based on pairings. Cryptology ePrint Archive, Report 2002/136 (2002), http://eprint.iacr.org/2002/136

9. Huang, H., Cao, Z.: An ID-based Authenticated Key Exchange Protocol Based on Bilinear Diffie-Hellman Problem. Cryptology ePrint Archive, Report 2008/224 (2008), http://eprint.iacr.org/2008/224 (to be published, ASIACCS 2009)

10. Krawczyk, H.: HMQV: A High-Performance Secure Diffie-Hellman Protocol. Cryptology ePrint Archive, Report 2005/176 (2005), http://eprint.iacr.org/2005/176


11. Kudla, C., Paterson, K.G.: Modular Security Proofs for Key Agreement Protocols. In: Roy, B.K. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 549–565. Springer, Heidelberg (2005)

12. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger Security of Authenticated Key Exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007)

13. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An Efficient Protocol for Authenticated Key Agreement. Des. Codes Cryptography 28(2), 119–134 (2003)

14. Libert, B., Quisquater, J.-J.: On Constructing Certificateless Cryptosystems from Identity Based Encryption. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 474–490. Springer, Heidelberg (2006)

15. Lim, C.H., Lee, P.J.: A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997)

16. Mandt, T.K., Tan, C.H.: Certificateless Authenticated Two-Party Key Agreement Protocols. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 37–44. Springer, Heidelberg (2006)

17. Sakai, R., Oghishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Proceedings of Symposium on Cryptography and Information Security (SCIS 2000), pp. 233–238 (2000)

18. Swanson, C.M.: Security in Key Agreement: Two-Party Certificateless Schemes. Master Thesis, University of Waterloo (2009), http://uwspace.uwaterloo.ca/bitstream/10012/4156/1/Swanson_Colleen.pdf (Download, 2009-01-29)

19. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Cryptography 46(3), 329–342 (2008)

20. Wang, S., Cao, Z., Wang, L.: Efficient Certificateless Authenticated Key Agreement Protocol from Pairings. Wuhan University Journal of Natural Sciences 11(5), 1278–1282 (2006)

21. Xia, L., Wang, S., Shen, J., Xu, G.: Breaking and repairing the certificateless key agreement protocol from ASIAN 2006. Wuhan University Journal of Natural Sciences 13(5), 562–566 (2008)

22. Yum, D.H., Lee, P.J.: Generic Construction of Certificateless Encryption. In: Lagana, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.) ICCSA 2004. LNCS, vol. 3043, pp. 802–811. Springer, Heidelberg (2004)

23. Yum, D.H., Lee, P.J.: Generic Construction of Certificateless Signature. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 200–211. Springer, Heidelberg (2004)

24. Zu-hua, S.: Efficient authenticated key agreement protocol using self-certified public keys from pairings. Wuhan University Journal of Natural Sciences 10(1), 262–270 (2005)


Universally Composable Adaptive Priced Oblivious Transfer

Alfredo Rial, Markulf Kohlweiss, and Bart Preneel

Katholieke Universiteit Leuven, ESAT/SCD/COSIC and IBBT
{alfredo.rialduran,markulf.kohlweiss,bart.preneel}@esat.kuleuven.be

Abstract. An adaptive k-out-of-N Priced Oblivious Transfer (POT) scheme is a two-party protocol between a vendor and a buyer. The vendor sells a set of messages m1, …, mN with prices p1, …, pN. In each transfer phase i = 1, …, k, the buyer chooses a selection value σi ∈ {1, …, N} and interacts with the vendor to buy message mσi in such a way that the vendor does not learn σi and the buyer does not get any information about the other messages.

We present a POT scheme secure under pairing-related assumptions in the standard model. Our scheme is universally composable and thus, unlike previous results, preserves security when it is executed with multiple protocol instances that run concurrently in an adversarially controlled way. Furthermore, after an initialization phase of complexity O(N), each transfer phase is optimal in terms of rounds of communication and it has constant computational and communication cost. To achieve these properties, we design the first efficient non-interactive proof of knowledge we are aware of that a value lies in a given interval.

Keywords: Universally composable security, priced oblivious transfer, bilinear maps, non-interactive range proofs of knowledge.

1 Introduction

A number of studies [1] show that transaction security and privacy concerns are among the main reasons that discourage the use of e-commerce. Although sometimes it is argued that users who claim to be worried about their privacy do not consistently take actions to protect it, recent research [2] demonstrates that, when they are confronted with a prominent display of private information, they not only prefer vendors that offer better privacy protection but also are willing to pay higher prices to purchase from more privacy-protective websites. Therefore, it is of interest for vendors to deploy e-commerce applications where buyers need to disclose the minimum information needed to carry out their transactions.

So far, the solutions proposed to develop privacy-enhancing e-commerce of digital goods can roughly be divided into two categories: those that hide the identity of the buyer from the vendor (anonymous purchase), and those that hide which goods are bought (oblivious purchase). Anonymous purchase [3,4] usually employs anonymous e-cash [5,6,7] to construct systems where buyers can withdraw coins from a bank and spend them without revealing their identity. These systems have several shortcomings. First, they hinder customer management (e.g. the vendor cannot easily apply marketing techniques like giving discounts to regular buyers). Second, they do not allow for other methods of payment. Finally, strong anonymity is difficult to achieve and there exist several attacks to reduce it [8].

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 231–247, 2009. © Springer-Verlag Berlin Heidelberg 2009

Oblivious purchase is thus more appealing in scenarios where full anonymity cannot be obtained or when the disadvantages that anonymity causes are important. Oblivious purchase permits effective customer management and allows for every method of payment. As for anonymous purchase [3,4], it has also been shown how to integrate it into existing Digital Rights Management systems [9]. One can argue that, since the vendor does not know which items are sold, he can find it difficult to discover which products are more in demand. However, we note that this information can be obtained from other sources, e.g., by conducting market research.

Oblivious purchase employs the Priced Oblivious Transfer (POT) [10] primitive, which is a generalization of the well-known Oblivious Transfer (OT) [11] primitive intended to permit private purchases. OT is a two-party protocol between a sender S and a receiver R, where S offers a set of messages m1, …, mN to R. R chooses selection values σ1, …, σk ∈ {1, …, N} and interacts with S in such a way that R learns mσ1, …, mσk and nothing about the other messages, and S does not learn anything about σ1, …, σk.

POT is a two-party protocol between a vendor V and a buyer B, where V sells a set of messages m1, …, mN with prices p1, …, pN to B. Besides the requirements that V must not learn σ1, …, σk and B must not learn anything about the other messages, in POT B must pay prices pσ1, …, pσk without V learning anything about the amount of money paid.

Both OT and POT admit an adaptive variant [12] (OT^N_{k×1}, POT^N_{k×1}) where, in transfer phase i, R or B may choose σi after receiving mσ(i−1). The adaptive variant is more suitable for constructing an oblivious database, enabling applications of OT such as medical record storage or location-based services [12,13], and the deployment of privacy-preserving e-commerce.

Previous work. The universally composable security paradigm [14] provides a framework for representing cryptographic protocols and analyzing their security. Protocols that are proven UC-secure maintain their security even when they are run concurrently with an unbounded number of arbitrary protocol instances controlled by an adversary.

Traditionally, security in OT was analyzed under a half-simulation model, where simulation security is required against R, but just stand-alone privacy is required against S. This notion was shown to admit practical attacks against the receiver's security [12]. Camenisch et al. [15], as well as subsequent works [16], present efficient adaptive OT schemes in a full-simulation model. However, these works are not UC-secure because they use black-box simulation with adversarial rewinding in their security proofs.

Recently, an adaptive UC-secure OT scheme was proposed [17]. They utilize the approach of assisted decryption used in [15,16], where S sends to R a collection of ciphertexts and in each transfer phase helps R to decrypt one of them. As pointed out in [17], this approach allows for transfer phases with constant computational and communication complexity, and it is suitable to ensure that S does not change the messages in each transfer phase, which are important properties for constructing an oblivious database. This is in contrast to the approach used in other non-adaptive UC-secure OT schemes [18,19], where, in each transfer phase, R hands a set of keys to S, who sends back a collection of ciphertexts such that R is able to decrypt only one of them.

Despite this recent progress in OT, so far there are no efficient POT schemes whose security is proven within the UC security paradigm. The first POT scheme [10], as well as subsequent works [20], analyze security in the half-simulation model. In [18] it is explained why these protocols fail even under sequential composition and a practical attack is shown.

The existing conditional oblivious transfer schemes [21,22], where a sender with input x and a receiver with input y interact in such a way that a transfer is completed only when q(x, y) = 1 for some public predicate q(·, ·), are non-adaptive and employ the half-simulation model. On the other hand, security of both the non-adaptive [23,24] and the adaptive [25] Generalized Oblivious Transfer schemes proposed so far, which can be instantiated as non-adaptive and adaptive POT schemes respectively, depends on the underlying OT scheme utilized to implement them, but we note that these solutions are rather inefficient. Finally, access control schemes for OT based on stateful anonymous credentials [26] are not UC-secure either.

Our contribution. We present a POT^N_{k×1} scheme that is UC-secure under the assumption that there is an honestly generated common reference string. Security is proven in a static corruption model without relying on random oracles. After an initialization phase of complexity O(N), each transfer phase is optimal in terms of rounds of communication and has constant computational and communication cost.

Our construction follows the approach in [10] of building a prepaid mechanism where B makes an initial deposit to V. In each transfer phase, B chooses a selection value σi, proves that she has enough funds to buy message mσi and subtracts price pσi from her deposit, while V learns neither pσi nor the new value of the deposit. For this purpose, B employs a zero-knowledge proof of knowledge that she updates her account correctly and that the new account is non-negative. To allow for the latter we design a non-interactive range proof of knowledge by applying the efficient interactive range proof recently proposed in [27] to the non-interactive proof system due to Groth and Sahai [28]. This is the first efficient non-interactive proof of knowledge in the standard model we are aware of that proves that a value lies in a given interval.

We also employ the assisted decryption approach and some techniques utilized in the adaptive UC-secure OT scheme in [17]. Specifically, we use double trapdoor encryption and we prove security of ciphertexts under the DLIN [29] assumption. Nonetheless, unlike [17], we make extensive use of P-signatures [30], i.e., signature schemes that have efficient non-interactive proofs of signature possession, to let B prove that she computes her requests honestly. In particular, we employ a slightly modified variant of the P-signature scheme for signing blocks of messages proposed in [7], which is secure under the HSDH [31] and TDH [30] assumptions. (P-signatures also utilize Groth-Sahai proofs, which we instantiate using the DLIN assumption.) The use of multi-block P-signatures allows our scheme to have a smaller ciphertext size than the one in [17]. We note that our POT scheme can easily be simplified to obtain an OT scheme, which constitutes an alternative to the one in [17].

Outline of the paper. In Section 2 we briefly review the universally composable security paradigm and we define the ideal functionality for POT. The security assumptions we use, the Groth-Sahai proof system, and other cryptographic building blocks are described in Section 3. In Section 4 we show how to construct a non-interactive range proof. Finally, in Section 5 we depict the multi-block P-signature scheme and our POT scheme.

2 Definitions

Adaptive k-out-of-N priced oblivious transfer (POT^N_{k×1}). A POT^N_{k×1} scheme is a two-party protocol between a vendor V and a buyer B. In the initialization phase, V receives messages (m1, …, mN) with prices (p1, …, pN) as input. B receives an initial deposit ac0 as input. B stores state information B0 and V stores state information V0 and outputs ac0. After that, V and B engage in up to k transfer phases. In the ith transfer, V gets state information V(i−1) as input, and B gets state information B(i−1) and selection value σi ∈ {1, …, N}. If

$$ac_0 - \sum_{j \in S} p_{\sigma_j} \;\ge\; 0,$$

where S contains the indices of all transfers that ended successfully, then V stores state information Vi and B stores state information Bi and outputs mσi. Otherwise V stores Vi = V(i−1) and B stores Bi = B(i−1).

Universally composable security. We use the universally composable security framework [14] with static corruptions to prove security of our construction. In this framework, parties are modeled as probabilistic polynomial time interactive Turing machines. A protocol ψ is UC-secure if there exists no environment Z that can distinguish whether it is interacting with adversary A and parties running protocol ψ or with the ideal process for carrying out the desired task, where ideal adversary E and dummy parties interact with an ideal functionality Fψ. More formally, we say that protocol ψ emulates the ideal process when, for all environments Z, the ensembles IDEAL(Fψ,E,Z) and REAL(ψ,A,Z) are computationally indistinguishable. We refer to [14] for a more detailed description of the UC framework.

Our construction operates in the FCRS-hybrid plain model, where parties have access to an honestly-generated common reference string crs and to authenticated channels. As in [17], we assume that Z obtains crs from A. This allows the simulator E to set up a crs with trapdoor information to be able to simulate A in the security proof.


Below we recall the description of the ideal functionality for generating common reference strings FCRS [32]. FCRS is parameterized with a distribution D and a set of participants 𝒫, which is restricted to contain the buyer B and the vendor V of the POT scheme only. We also describe an ideal functionality for POT, FPOT, based on the ideal functionality for OT given in [17].

FCRS. On input (sid, crs) from party P, if P ∉ 𝒫 it aborts. Otherwise, if there is no value r recorded, it picks r ← D and records r. It sends (sid, crs, r) to P.

FPOT. Parameterized with integers (N, l), a maximum price pmax, and a deposit upper bound A, and running with a vendor V and a buyer B, FPOT works as follows:

- On input a message (sid, vendor, m1, …, mN, p1, …, pN) from V, where each mi ∈ {0, 1}^l and each pi ∈ [0, pmax], it stores (m1, …, mN) and (p1, …, pN) and sends (sid, p1, …, pN) to B and to the adversary.

- On input a message (sid, buyerdep, deposit), where deposit ∈ [0, A), if a (sid, vendor, …) message was not received before, then it does nothing. Otherwise, it stores deposit and sends (sid, deposit) to V.

- On input a message (sid, buyerreq, σ) from B, where σ ∈ {1, …, N}, if either messages (sid, vendor, m1, …, mN, p1, …, pN) and (sid, buyerdep, deposit) were not received before or deposit − pσ < 0, then it does nothing. Otherwise, it sends (sid, request) to V and receives (sid, b) in response. It hands (sid, b) to the adversary. If b = 0, it sends (sid, ⊥) to B. If b = 1, it updates deposit = deposit − pσ and sends (sid, mσ) to B.
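As an added example that is not part of the paper, the following Python models FPOT as a plain state machine so that its checks (the price and deposit bounds, the silent "does nothing" cases, and the vendor's bit b) can be exercised on constructed inputs. The session id is dropped and the vendor's decision is supplied as a callback; both are assumptions of this model.

```python
from typing import Callable, List, Optional, Tuple

BOT = "⊥"  # what B receives when the vendor answers b = 0


class FPOT:
    """Model of the ideal functionality F_POT parameterized with (N, l), p_max and A.

    Added model, not code from the paper. Messages are bit strings of length l,
    prices are integers in [0, p_max], the deposit is an integer in [0, A).
    """

    def __init__(self, N: int, l: int, p_max: int, A: int) -> None:
        self.N, self.l, self.p_max, self.A = N, l, p_max, A
        self.messages: Optional[List[str]] = None
        self.prices: Optional[List[int]] = None
        self.deposit: Optional[int] = None
        self.adversary_view: List[Tuple] = []  # everything handed to the adversary

    def vendor(self, messages: List[str], prices: List[int]) -> Tuple[int, ...]:
        """(sid, vendor, m_1..m_N, p_1..p_N) from V; returns what B and the adversary get."""
        if len(messages) != self.N or len(prices) != self.N:
            raise ValueError("need exactly N messages and N prices")
        if any(len(m) != self.l or set(m) - {"0", "1"} for m in messages):
            raise ValueError("each m_i must be a bit string of length l")
        if any(not 0 <= p <= self.p_max for p in prices):
            raise ValueError("each p_i must lie in [0, p_max]")
        self.messages, self.prices = list(messages), list(prices)
        self.adversary_view.append(("prices", tuple(prices)))
        return tuple(prices)

    def buyer_deposit(self, deposit: int) -> Optional[int]:
        """(sid, buyerdep, deposit) from B; returns what V receives, or None if ignored."""
        if not 0 <= deposit < self.A:
            raise ValueError("deposit must lie in [0, A)")
        if self.messages is None:  # no vendor message yet: does nothing
            return None
        self.deposit = deposit
        return deposit

    def buyer_request(self, sigma: int, vendor_decides: Callable[[], int]) -> Optional[str]:
        """(sid, buyerreq, sigma) from B; returns m_sigma, BOT, or None if ignored.

        V is only asked (and the adversary only sees b) when the deposit covers
        p_sigma: an underfunded request is indistinguishable from no request at all.
        """
        if not 1 <= sigma <= self.N:
            raise ValueError("sigma must lie in {1, ..., N}")
        if self.messages is None or self.deposit is None:
            return None
        price = self.prices[sigma - 1]
        if self.deposit - price < 0:
            return None
        b = vendor_decides()  # (sid, request) to V, (sid, b) back
        self.adversary_view.append(("b", b))
        if b == 0:
            return BOT
        self.deposit -= price
        return self.messages[sigma - 1]


def run_session() -> Tuple[List[Optional[str]], int, int]:
    """Constructed run: three 4-bit messages, deposit 9, four requests."""
    f = FPOT(N=3, l=4, p_max=5, A=10)
    f.vendor(["0001", "0010", "0011"], [2, 5, 3])
    f.buyer_deposit(9)
    results = [
        f.buyer_request(2, lambda: 1),  # price 5 <= 9: delivered, deposit -> 4
        f.buyer_request(1, lambda: 0),  # vendor refuses: ⊥, deposit stays 4
        f.buyer_request(1, lambda: 1),  # price 2 <= 4: delivered, deposit -> 2
        f.buyer_request(3, lambda: 1),  # price 3 > 2: ignored, V never asked
    ]
    return results, f.deposit, len(f.adversary_view)


def out_of_order_requests() -> Tuple[Optional[int], Optional[str]]:
    """A deposit before any vendor message and a request before any deposit are both ignored."""
    f = FPOT(N=2, l=2, p_max=3, A=5)
    ignored_dep = f.buyer_deposit(1)
    f.vendor(["00", "11"], [1, 3])
    ignored_req = f.buyer_request(1, lambda: 1)
    return ignored_dep, ignored_req
```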

3 Technical Preliminaries

A function ν is negligible if, for every integer c, there exists an integer K such that for all k > K, |ν(k)| < 1/k^c. A problem is said to be hard (or intractable) if there exists no probabilistic polynomial time (p.p.t.) algorithm that solves it with non-negligible probability (in the size of the input or the security parameter).

Bilinear maps. Let G and GT be groups of prime order p. A map e : G × G → GT must satisfy the following properties:

(a) Bilinearity. A map e : G × G → GT is bilinear if e(a^x, b^y) = e(a, b)^{xy};
(b) Non-degeneracy. For all generators g ∈ G, e(g, g) generates GT;
(c) Efficiency. There exists an efficient algorithm that outputs the pairing group setup (p, G, GT, e, g) and an efficient algorithm to compute e(a, b) for any a, b ∈ G.

3.1 Assumptions

The security of our scheme relies on the Hidden Strong DH assumption [31], the Triple DH assumption [30], and the Decision Linear assumption [29]:

Definition 1 (HSDH). On input (g, g^α) ∈ G^2, u ∈ G, and a set of tuples (g^{1/(α+ci)}, g^{ci}, u^{ci}) for i = 1, …, l, the l-HSDH assumption holds if it is computationally hard to output a new tuple (g^{1/(α+c)}, g^c, u^c).


Definition 2 (TDH). On input (g, g^x, g^y) ∈ G^3 and a set of tuples (g^{1/(x+ci)}, ci) for i = 1, …, l, the l-TDH assumption holds if it is computationally hard to output a tuple (g^{μx}, g^{μy}, g^{μxy}) for μ ∈ Zp \ {0}.

Definition 3 (DLIN). On input (g, g^a, g^b, g^{ac}, g^{bd}, z) ∈ G^6 for random exponents a, b, c, d ∈ Zp, the DLIN assumption holds if it is computationally hard to decide whether z = g^{c+d}.

3.2 Non-interactive Zero-Knowledge Proofs of Knowledge

Let R be an efficiently computable relation and L = {y : ∃w | R(y, w) = accept} be an NP-language. For tuples (y, w) ∈ R, we call y the instance and w the witness. A non-interactive proof of knowledge system [33] consists of algorithms PKSetup, PKProve and PKVerify. Algorithm PKSetup(1^κ) outputs a common reference string crsPK. PKProve(crsPK, y, w) computes a proof pok of instance y by using witness w. Algorithm PKVerify(crsPK, y, pok) outputs accept if pok is correct.

Zero-knowledge captures the notion that a verifier learns nothing from the proof but the truth of the statement. Witness indistinguishability is a weaker property that guarantees that the verifier learns nothing about which witness was used in the proof. In either case, we will also require soundness, meaning that an adversarial prover cannot convince an honest verifier of a false statement, and completeness, meaning that all correctly computed proofs are accepted by the honest verification algorithm. See [34,35,36,37] for formal definitions.

In addition, a proof of knowledge needs to be extractable, which means that there exists a polynomial time extractor (PKExtractSetup, PKExtract). Algorithm PKExtractSetup(1^κ) generates parameters crsPK that are identically distributed to the ones generated by algorithm PKSetup and an extraction trapdoor tdext. PKExtract(crsPK, tdext, y, pok) extracts the witness w with all but negligible probability when PKVerify(crsPK, y, pok) outputs accept.

We recall the notion of f-extractability defined by Belenkiy et al. [30], which is an extension of the original definition of extractability (as given by De Santis et al. [33]). In an f-extractable proof system the extractor PKExtract extracts a value z such that ∃w : z = f(w) ∧ (y, w) ∈ R. If f(·) is the identity function, we get the usual notion of extractability.

Commitment schemes. A non-interactive commitment scheme consists of the algorithms ComSetup and Commit. ComSetup(1^κ) generates the parameters of the commitment scheme paramsCom. Commit(paramsCom, x, open) outputs a commitment C to x using auxiliary information open. A commitment is opened by revealing (x, open) and checking Commit(paramsCom, x, open) = C. A commitment scheme has a hiding property and a binding property. Informally speaking, the hiding property ensures that a commitment C to x does not reveal any information about x, whereas the binding property ensures that C cannot be opened to another value x′. (When it is clear from the context, we omit the commitment parameters paramsCom.)


A notation for f-extractable non-interactive proofs of knowledge (NIPK). We are interested in NIPK about (unconditionally binding) commitments. By ‘x in C’ we denote that there exists open such that C = Commit(paramsCom, x, open). Following Camenisch and Stadler [38] and Belenkiy et al. [30], we use the following notation to express an f-extractable NIPK for instance (C1, …, Cn, Condition) with witness (x1, open1, …, xn, openn, s) that allows to extract all the witness except the openings of the commitments (s denotes the part of the witness that is not related to the commitments in the instance):

NIPK{(x1, …, xn, s) : Condition(crs, x1, …, xn, s) ∧ x1 in C1 ∧ … ∧ xn in Cn}

The f-extractability of a NIPK ensures that, with overwhelming probability over the choice of crs, if PKVerify accepts then we can extract (x1, …, xn, s) from π, such that xi is the content of the commitment Ci, and Condition(crs, x1, …, xn, s) is satisfied. To further abbreviate this notation, we omit crs when it is clear from the context.

Applying the notation to Groth-Sahai proofs. Groth-Sahai proofs [28] allow proving statements about pairing product equations. The pairing group setup (p, G, GT, e, g) is part of the common reference string crsPK as output by PKSetup(1^κ) and the instance consists of the coefficients {aq, bq}_{q=1…Q} ∈ G, t ∈ GT, {α_{q,i}, β_{q,i}}_{q=1…Q, i=1…m} ∈ Zp of the pairing product equation

$$\prod_{q=1}^{Q} e\Big(a_q \prod_{i=1}^{m} x_i^{\alpha_{q,i}},\; b_q \prod_{i=1}^{m} x_i^{\beta_{q,i}}\Big) = t.$$

The prover knows {xi}_{i=1…m} that satisfy this equation.

Internally Groth-Sahai proofs prove relations between commitments. A homomorphism guarantees that the same relations also hold for the committed values. Normally, as the first step in creating the proof, the prover prepares commitments {Ci}_{i=1…m} for all values xi in G. Then, the instance, known to the prover and the verifier, is the pairing product equation alone (i.e., its coefficients).

In addition, it is possible to add pre-existing Groth-Sahai commitments {Ci}_{i=1…n}, n ≤ m, to the instance for some of the xi values. The corresponding openings openi become part of the witness. The proof will be computed in the same way, except that for values with existing commitments no fresh commitments need to be computed. We will write Ci ← Commit(xi, openi) to create Groth-Sahai commitments. Note that they use parameters contained in the crsPK of the Groth-Sahai proof system. The Groth-Sahai proof system generates f-extractable witness indistinguishable¹ NIPK of the form:

$$\mathrm{NIPK}\Big\{(x_1,\dots,x_n,x_{n+1},\dots,x_m) : \prod_{q=1}^{Q} e\Big(a_q \prod_{i=1}^{m} x_i^{\alpha_{q,i}},\; b_q \prod_{i=1}^{m} x_i^{\beta_{q,i}}\Big) = t \;\wedge\; x_1 \text{ in } C_1 \wedge \cdots \wedge x_n \text{ in } C_n\Big\}$$

3.3 P-Signature Schemes

A signature scheme consists of the algorithms Keygen, Sign and VerifySig. Keygen outputs a secret key sk and a public key pk. Sign(sk, m) outputs a signature s of message m. VerifySig(pk, m, s) outputs accept if s is a valid signature of m and reject otherwise. (This definition can be extended to support multi-block messages m = {m1, …, mn}.) A signature scheme must be correct and unforgeable [39]. Informally speaking, correctness implies that the VerifySig algorithm always accepts an honestly generated signature. Unforgeability means that no p.p.t. adversary should be able to output a message-signature pair (s, m) unless he has previously obtained a signature on m.

¹ Some classes of pairing product equations also admit zero-knowledge proofs.

P-Signatures are defined by Belenkiy et al. [30] as signature schemes equipped with a common reference string crsSig and a NIPK that allows proving possession of a signature of a committed message. Belenkiy et al. show how to use the Groth-Sahai proof system to build this proof. Since in their constructions m ∈ Zp and Groth-Sahai proofs prove knowledge of a witness in G, they need to compute a bijection F(m) ∈ G and prove knowledge of F(m). To avoid that, given a secure signature scheme, an adversary may still be able to compute a forgery (s, F(m)) even though he is unable to compute (s, m), [30] defines F-unforgeability, which means that no p.p.t. adversary can output (s, F(m)) without previously obtaining a signature on m.

4 Non-interactive Range Proof

We construct an efficient non-interactive range proof that a committed value σ ∈ Zp lies in an interval [0, A). Our scheme is based on the efficient interactive range proof recently proposed in [27]. The technique of [27] consists in writing σ in base d to show that it lies in an interval [0, d^a). First, the verifier sends the prover signatures Ai on d-ary digits, i.e., i ∈ Zd. Then the prover proves that

$$\sigma = \sum_{j \in \mathbb{Z}_a} \sigma_j\, d^{\,j}$$

and that all σj are d-ary digits. For the latter, she proves possession of a verifier's signature on σj. Our idea consists in employing P-signatures, which allow for a non-interactive proof of signature possession, to construct a non-interactive range proof following this approach.
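The digit decomposition that the range proof of [27] rests on, as an added example that is not code from the paper: the verifier publishes one signature per digit in Zd (RPInitVerifier), the prover checks that table (RPInitProver), writes σ in base d, and the verifier checks that exactly a signed digits recompose to σ, which is why a digits from Zd can only encode values in [0, d^a). The P-signatures are stood in for by constructed HMAC tags under a verifier key, and the digits are shown in the clear rather than inside commitments; both are assumptions of this model.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

Params = Dict[int, bytes]  # digit i in Z_d -> its "signature" A_i


def digits_base_d(sigma: int, d: int, a: int) -> List[int]:
    """Write sigma = sum_{j in Z_a} sigma_j * d^j with every sigma_j in Z_d.

    Succeeds exactly when 0 <= sigma < d^a: a digits from Z_d cannot encode
    anything outside [0, d^a), which is the whole point of the range proof.
    """
    if not 0 <= sigma < d ** a:
        raise ValueError(f"{sigma} is not in [0, {d}^{a})")
    digits = []
    for _ in range(a):
        digits.append(sigma % d)
        sigma //= d
    return digits


def _tag(key: bytes, digit: int) -> bytes:
    """Constructed stand-in for Sign(crsSig, sk, i): an HMAC under the verifier key."""
    return hmac.new(key, digit.to_bytes(4, "big"), hashlib.sha256).digest()


def rp_init_verifier(key: bytes, d: int) -> Params:
    """Stand-in for RPInitVerifier: one signature A_i per digit i in Z_d."""
    return {i: _tag(key, i) for i in range(d)}


def rp_init_prover(params: Params, d: int) -> bool:
    """Stand-in for RPInitProver: the prover checks the table covers exactly Z_d."""
    return set(params) == set(range(d))


def range_prove(params: Params, sigma: int, d: int, a: int) -> List[Tuple[int, bytes]]:
    """Prover side: each digit of sigma together with the verifier's signature on it."""
    return [(sj, params[sj]) for sj in digits_base_d(sigma, d, a)]


def range_verify(key: bytes, proof: List[Tuple[int, bytes]], sigma: int, d: int, a: int) -> bool:
    """Verifier side: exactly a digits, each in Z_d with a valid signature, recomposing to sigma."""
    if len(proof) != a:
        return False
    for sj, tag in proof:
        if not 0 <= sj < d or not hmac.compare_digest(tag, _tag(key, sj)):
            return False
    return sum(sj * d ** j for j, (sj, _) in enumerate(proof)) == sigma


def forged_proof_rejected() -> bool:
    """A prover who wants to pass 64 as lying in [0, 4^3) needs a 'digit' 4, which the
    verifier never signed; a self-made tag for it fails verification."""
    key = b"constructed verifier key"
    d, a = 4, 3
    forged = [(0, _tag(key, 0)), (0, _tag(key, 0)), (4, _tag(b"wrong key", 4))]
    return range_verify(key, forged, 64, d, a)
```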

A handy P-signature scheme. We employ the P-signature scheme of [30] that is based on the strong Boneh-Boyen signature scheme [40].

Setup(1^κ) runs the Groth-Sahai PKSetup(1^κ) to obtain crsPK for pairing groups (p, G, GT, e, g), picks random u ∈ G, and outputs crsSig = (crsPK, u).

Keygen(crsSig) picks a secret key sk = (α, β) ← Zp and computes a public key $pk = (v, w) = (g^\alpha, g^\beta)$.

Sign(crsSig, sk, m) picks $r \leftarrow \mathbb{Z}_p \setminus \{-(\alpha + m)/\beta\}$ and computes $s = (s_1, s_2, s_3) = (g^{1/(\alpha + m + \beta r)}, w^r, u^r)$.

VerifySig(crsSig, pk, m, s) outputs accept when $e(s_1, v g^m s_2) = e(g, g)$ and $e(u, s_2) = e(s_3, w)$. Otherwise, it outputs reject.

Using Groth-Sahai proofs, [30] shows how to construct a NIPK of such a signature. This is a proof of a pairing product equation of the form

$$\mathrm{NIPK}\{(g^m, u^m, s_1, s_2, s_3) : e(s_1, v g^m s_2) = e(g, g) \wedge e(u, s_2) = e(s_3, w) \wedge e(u, g^m) = e(u^m, g)\}$$


Universally Composable Adaptive Priced Oblivious Transfer 239

We abbreviate this expression by using $\mathrm{NIPK}\{(g^m, u^m, s) : \mathrm{VerifySig}(pk, s, m) = \mathrm{accept}\}$. This scheme is F-unforgeable ($F(m) = (g^m, u^m)$) under the HSDH and TDH assumptions.

Range proof. This is a proof that σ ∈ Zp lies in an interval [0, A). The range proof uses a common reference string crsSig as output by Setup. In addition, we require that the verifier can distribute public parameters paramsRange ← RPInitVerifier(crsSig, A). These parameters do not need to be honestly generated, as they can be verified by the prover using RPInitProver.

RPInitVerifier(crsSig, A). On input $A = d^a$, it executes Keygen(crsSig) to obtain (sk, pk), and, for all $i \in \mathbb{Z}_d$, it computes $A_i$ = Sign(crsSig, sk, i). It outputs paramsRange = $(pk, \{A_i\}_{i \in \mathbb{Z}_d})$.

RPInitProver(crsSig, paramsRange). It parses paramsRange to get $\{A_i\}_{i \in \mathbb{Z}_d}$ and pk. It verifies the signatures by computing, for all $i \in \mathbb{Z}_d$, VerifySig(crsSig, pk, i, $A_i$). If these verifications succeed, it outputs accept. Otherwise it outputs reject.

RangeProve(crsSig, paramsRange, g, σ, $open_\sigma$) computes the following proof for a commitment $C_\sigma = \mathrm{Commit}(g^\sigma, open_\sigma)$:

$$\mathrm{NIPK}\{(g^\sigma, \{g^{\sigma_j}, u^{\sigma_j}, A_{\sigma_j}\}_{j=0}^{a-1}) : \{\mathrm{VerifySig}(pk, \sigma_j, A_{\sigma_j})\}_{j=0}^{a-1} \wedge \qquad (1)$$

$$e(g, g^\sigma) \prod_{j=0}^{a-1} e(g^{-d^j}, g^{\sigma_j}) = 1 \wedge g^\sigma\ \mathrm{in}\ C_\sigma\} \qquad (2)$$

Intuitively, (1) ensures that each $\sigma_j$ is a d-ary digit by proving that the value was used by the verifier to compute a signature $A_{\sigma_j}$, and (2) proves that σ is correctly decomposed, i.e., that $\sigma = \sum_{j \in \mathbb{Z}_a} \sigma_j d^j$. We use the short form $\mathrm{NIPK}\{(g^\sigma) : 0 \le \sigma < A \wedge g^\sigma\ \mathrm{in}\ C_\sigma\}$ to refer to this proof.

This proof is only witness indistinguishable. While this is sufficient for our application, it is possible to make the proof zero-knowledge using techniques described in [28]. This proof can be extended to handle intervals of the form [A, B) in the same way as in [27].

5 UC-Secure Adaptive k-Out-of-N Priced Oblivious Transfer

5.1 Intuition Behind Our Construction

Our priced oblivious transfer scheme is based on the oblivious transfer scheme by Green and Hohenberger [17]. Specifically, it is an assisted decryption scheme that employs double trapdoor encryption (based on the linear encryption scheme in [29]). The ciphertext of message m contains values $(w_1^{r_1}, w_2^{r_2}, h_1^{r_1}, h_2^{r_2}, m \cdot h_3^{r_1 + r_2})$,


240 A. Rial, M. Kohlweiss, and B. Preneel

where $(w_1, w_2)$ are public parameters generated by vendor V and $(h_1, h_2, h_3)$ belong to the common reference string. $(w_1^{r_1}, w_2^{r_2})$ are used by buyer B to generate the request message in each transfer phase, whereas $(h_1^{r_1}, h_2^{r_2})$ are used in the security proof by the ideal protocol adversary E to obtain the messages from V without the necessity of extracting a secret key from a proof of knowledge. This is useful because if the secret key is a value in Zp, then Groth-Sahai proofs do not permit its extraction. In order to be able to decrypt, E creates trapdoor information when generating the crs. (We note that the environment learns crs through the adversary. As mentioned in [17], there are impossibility results for realizing UC-secure OT if E cannot craft crs.) In addition, by using double trapdoor encryption we also prove the security of ciphertexts under the DLIN assumption.

The message space is $\{0, 1\}^l$, but we abuse notation and also write m to denote the corresponding group element in G according to some efficient and invertible mapping. We will do the same when encrypting the account $ac_0$, which is a value in Zp, using linear encryption. For such a mapping between a bit string in $\{0, 1\}^l$ and an element in G see, e.g., [41].

The ciphertexts also contain signatures on $(w_1^{r_1}, w_2^{r_2})$ that are used to ensure that B generates her requests honestly. Green and Hohenberger [17] employ signature schemes that sign elements in G. However, we use a multi-block P-signature scheme that signs elements in Zp, and thus we sign the values $(r_1, r_2)$. Consequently, we need to provide B with the values $F(r_1, r_2) = (g_1^{r_1}, g_2^{r_2}, u_1^{r_1}, u_2^{r_2})$ of this signature scheme. Nonetheless, we note that in our scheme the ciphertexts have fewer group elements than in [17].

In order to permit oblivious purchases, our $\mathrm{POT}^N_{k \times 1}$ extends the $\mathrm{OT}^N_{k \times 1}$ construction sketched above. We follow the approach of [10] of building a prepaid scheme, where in the initialization phase the buyer B pays an initial deposit $ac_0$ to the vendor V, and in subsequent transfer phases the price $p_\sigma$ of the message that is being bought is subtracted from this deposit.

The POT scheme must ensure that V learns neither the price of the message nor the new value of the account, and also that B pays the right price for the message and that she has enough funds to buy it. To achieve this, in the initialization phase B sends a commitment to the deposit. In the ith transfer, B sends a commitment to the new value of the account $ac_i$ and proves that (1) this value is correct, i.e., that $ac_i = ac_{i-1} - p_\sigma$, and that (2) it is non-negative. In order to allow for (1), we need to ensure that B uses the right price. To accomplish this, V adds the price of the message to the message block $(r_1, r_2, p_\sigma)$. Thanks to that, when B proves possession of the signature, B can include in this proof a pairing product equation to prove that $ac_i = ac_{i-1} - p_\sigma$. To verify this proof, V employs the commitment to $ac_{i-1}$ that he got in the previous transfer phase. To achieve (2), in the initialization phase V computes parameters of the range proof and hands them to B. In each transfer phase, B proves that the new value of the account $ac_i$ belongs to [0, A), where A is the deposit upper bound.


5.2 P-Signatures for Blocks of Messages

We describe an F-unforgeable P-signature scheme for signing multiple message blocks that is based on the single block scheme presented in [7]. Let m = ⟨m1, . . . , mn⟩ denote n message blocks.

$\mathrm{Setup}_n(1^\kappa)$ executes the Groth-Sahai PKSetup($1^\kappa$) to obtain crsPK for pairing groups $(p, \mathbb{G}, \mathbb{G}_T, e, g)$, picks random u ∈ G, and outputs crsSig = (crsPK, u).

$\mathrm{Keygen}_n(crsSig)$ picks random $(\alpha, \beta_1, \ldots, \beta_n, \lambda_1, \ldots, \lambda_n) \leftarrow \mathbb{Z}_p$ and sets a public key $Pk = (v, g_1, \ldots, g_n, u_1, \ldots, u_n) = (g^\alpha, g^{\beta_1}, \ldots, g^{\beta_n}, u^{\lambda_1}, \ldots, u^{\lambda_n})$ and a secret key $Sk = (\alpha, \beta_1, \ldots, \beta_n)$.

$\mathrm{Sign}_n(crsSig, Sk, m)$ chooses random $r \leftarrow \mathbb{Z}_p \setminus \{-(\alpha + \beta_1 m_1 + \ldots + \beta_n m_n)\}$ and computes a signature $s = (s_1, s_2, s_3) = (g^{1/(\alpha + r + \beta_1 m_1 + \ldots + \beta_n m_n)}, g^r, u^r)$.

$\mathrm{VerifySig}_n(crsSig, Pk, m, s)$ outputs accept if $e(s_1, v s_2 \prod_{i=1}^n g_i^{m_i}) = e(g, g)$ and $e(u, s_2) = e(s_3, g)$.

We extend the multi-block signature scheme with a protocol for proving possession of a signature.

$$\mathrm{NIPK}\{(\{g_i^{m_i}, u_i^{m_i}\}_{i=1}^n, s_1, s_2, s_3) : \{e(u_i, g_i^{m_i})\, e(u_i^{m_i}, g_i^{-1}) = 1\}_{i=1}^n \wedge e(u, s_2)\, e(s_3, g^{-1}) = 1 \wedge e(s_1, v s_2 \prod_{i=1}^n g_i^{m_i}) = e(g, g)\}$$

We use the short form $\mathrm{NIPK}\{(\{g_i^{m_i}, u_i^{m_i}\}_{i=1}^n, s) : \mathrm{VerifySig}_n(Pk, m, s) = \mathrm{accept}\}$ to refer to this proof.

Theorem 1. Let $F(m_1, \ldots, m_n) = (g_1^{m_1}, u_1^{m_1}, \ldots, g_n^{m_n}, u_n^{m_n})$. This P-signature scheme is F-unforgeable under the HSDH and TDH assumptions. We prove Theorem 1 in the full version.

We make use of the observation that an F-unforgeable signature scheme can also be verified using the $F(m_i)$ values alone, i.e., without knowing $m_i$. As in the proof, an additional check of the equations $\{e(u_i, g_i^{m_i})\, e(u_i^{m_i}, g_i^{-1}) = 1\}_{i=1}^n$ is needed to verify that the $F(m_i)$ values are constructed correctly. Moreover, the $F(m_i)$ values are sufficient to create a proof of possession of a signature. We write, e.g., $\mathrm{VerifySig}_n(Pk, \langle m_1, F(m_2), m_3 \rangle, s)$ to indicate that the signature s is verified using only the F value of message $m_2$.

5.3 Construction

We begin with a high level description of the priced oblivious transfer scheme. The vendor V and the buyer B interact in the initialization phase and in several transfer phases. Details on the algorithms can be found below. We recall that the scheme is parameterized with integers (N, l) for the number of messages and their length, an upper bound $p_{max}$ for the prices and an upper bound $A = d^a$ for the deposit.


Initialization phase. On input (sid, vendor, m1, . . . , mN, p1, . . . , pN) for the vendor and (sid, buyerdep, $ac_0$) for the buyer (that fulfill the restrictions imposed by the parameters of the scheme):

1. V queries $\mathcal{F}_{\mathrm{CRS}}$ with (sid, crs). $\mathcal{F}_{\mathrm{CRS}}$ runs POTGenCRS($1^\kappa$, $p_{max}$, A) and sends (sid, crs, crs) to V.
2. B queries $\mathcal{F}_{\mathrm{CRS}}$ with (sid, crs). $\mathcal{F}_{\mathrm{CRS}}$ sends (sid, crs, crs) to B.
3. V runs POTInitVendor(crs, m1, . . . , mN, p1, . . . , pN, A) to get a database commitment T and a secret key sk, and sends (sid, T) to B.
4. B gets (sid, T) and computes $(P, D_0^{(priv)}) \leftarrow$ POTInitBuyer(crs, T, $ac_0$). B aborts if the output is reject. Otherwise, B sends (sid, P) to V. (B also needs to pay an amount of $ac_0$ to V through an arbitrary payment channel.)
5. (Upon receiving the money) V runs $(D_0, ac_0) \leftarrow$ POTGetDeposit(crs, P, A) and checks that $ac_0$ corresponds to the amount of money received.

V stores state information $V_0 = (T, sk, D_0)$ and outputs (sid, $ac_0$), and B stores state information $B_0 = (T, D_0^{(priv)})$.

Transfer phase. In the ith transfer, V with state information $V_{i-1}$ and input (sid, vendor, b) and B with state information $B_{i-1}$ and input (sid, buyerreq, $\sigma_i$) interact as follows:

1. B runs POTRequest(crs, T, $D_{i-1}^{(priv)}$, $\sigma_i$) to get a request Q and private state $(Q^{(priv)}, D_i^{(priv)})$. B sends (sid, Q) to V and stores $(sid, Q^{(priv)}, D_i^{(priv)})$.
2. V obtains (sid, Q). If b = 0, V sends (sid, ⊥) to B. Otherwise V executes POTRespond(crs, T, sk, $D_{i-1}$, Q) to obtain a response R and state $D_i$. V sends (sid, R) to B.
3. B receives (sid, R) and runs POTComplete(crs, T, R, $Q^{(priv)}$) to obtain $m_{\sigma_i}$.

V stores state information $V_i = (T, sk, D_i)$, and B stores state information $B_i = (T, D_i^{(priv)})$ and outputs (sid, $m_{\sigma_i}$).

POTGenCRS($1^\kappa$, $p_{max}$, A). Given security parameter κ, it generates two Groth-Sahai reference strings $crs^V_{PK}$ and $crs^B_{PK}$ for the same pairing group setup $(p, \mathbb{G}, \mathbb{G}_T, e, g)$ such that $-p_{max} > A \bmod p$ holds. (In the proof of security the two setups allow the simulator to simultaneously make use of knowledge extraction and simulation for the first and the second proof respectively.) It picks random a, b, c ← Zp and computes $(h_1, h_2, h_3) = (g^a, g^b, g^c)$. It picks random u ← G. It outputs $crs = (crs^V_{PK}, crs^B_{PK}, u, h_1, h_2, h_3)$.²

POTInitVendor(crs, m1, . . . , mN, p1, . . . , pN, A). On input the messages (m1, . . . , mN) with prices (p1, . . . , pN):

1. It parses crs to obtain $crsSig = (crs^B_{PK}, u)$ and $(h_1, h_2, h_3)$.
2. It picks random $x_1, x_2 \leftarrow \mathbb{Z}_p$ and sets $(w_1, w_2) = (h_3^{1/x_1}, h_3^{1/x_2})$.

² Note that the set $crsSig = (crs^B_{PK}, u)$ is used as common reference string for both the multi-block signature scheme and the single-message signature scheme, which is used for running the range proof.


3. It runs $\mathrm{Keygen}_n$ to obtain (Pk, Sk), where $Pk = (v, g_1, g_2, g_3, u_1, u_2, u_3)$ and $Sk = (\alpha, \beta_1, \beta_2, \beta_3)$.
4. For i = 1, . . . , N, it encrypts $m_i$ as follows:
   (a) It picks random $r_1, r_2 \leftarrow \mathbb{Z}_p$.
   (b) It computes $(s_1, s_2, s_3) = \mathrm{Sign}_n(crsSig, Sk, (r_1, r_2, p_i))$.
   (c) It sets $C_i = (w_1^{r_1}, w_2^{r_2}, h_1^{r_1}, h_2^{r_2}, m_i \cdot h_3^{r_1 + r_2}, g_1^{r_1}, g_2^{r_2}, u_1^{r_1}, u_2^{r_2}, s_1, s_2, s_3, p_i)$.
5. V runs RPInitVerifier(crsSig, A) to obtain paramsRange.
6. It sets $pk = (w_1, w_2, Pk, paramsRange)$, $sk = (x_1, x_2)$ and $T = (pk, C_1, \ldots, C_N)$. It outputs (T, sk).

POTInitBuyer(crs, T, $ac_0$). On input a database commitment T and a deposit $ac_0 \in [0, A)$:

1. It parses crs to obtain $crsSig = (crs^B_{PK}, u)$, T as $(pk, C_1, \ldots, C_N)$, pk as $(w_1, w_2, Pk, paramsRange)$ and Pk as $(v, g_1, g_2, g_3, u_1, u_2, u_3)$.
2. It runs RPInitProver(crsSig, paramsRange) to verify paramsRange.
3. For i = 1, . . . , N:
   (a) It parses $C_i = (c_1, c_2, c_3, c_4, c_5, c_6, c_7, c_8, c_9, s_1, s_2, s_3, p_i)$.
   (b) It runs $\mathrm{VerifySig}_n(Pk, \langle (c_6, c_8), (c_7, c_9), p_i \rangle, s)$, where $s = (s_1, s_2, s_3)$.
   (c) It checks that $e(c_1, h_1) = e(c_3, w_1) \wedge e(c_2, h_2) = e(c_4, w_2) \wedge e(h_1, c_6) = e(c_3, g_1) \wedge e(h_2, c_7) = e(c_4, g_2)$.
4. If not all these checks verify, it outputs reject. Otherwise it picks random $(l_1, l_2) \leftarrow \mathbb{Z}_p$ and sets $P = (w_1^{l_1}, w_2^{l_2}, ac_0 \cdot h_3^{l_1 + l_2})$ and $D_0^{(priv)} = (ac_0, open_{ac_0} = 0)$. It outputs $(P, D_0^{(priv)})$.

POTGetDeposit(crs, P, A). It works as follows:

1. It parses P as $(c_1, c_2, c_3)$.
2. It computes $ac_0 = c_3 / (c_1^{x_1} c_2^{x_2})$ and checks that $ac_0 \in [0, A)$.
3. It sets $D_0 = \mathrm{Commit}(g_3^{ac_0}, 0)$. It outputs $(D_0, ac_0)$.

POTRequest(crs, T, $D_{i-1}^{(priv)}$, σ). On input a database commitment T and a selection value σ ∈ {1, . . . , N}, it works as follows:

1. It parses T as $(pk, C_1, \ldots, C_N)$, pk as $(w_1, w_2, Pk, paramsRange)$, crs to get $(crs^B_{PK}, u, h_3)$ and $C_\sigma$ as $(c_1, c_2, c_3, c_4, c_5, c_6, c_7, c_8, c_9, s_1, s_2, s_3, p_\sigma)$.
2. It picks random $y_1, y_2 \leftarrow \mathbb{Z}_p$ and computes $(d_1, d_2) = (c_1 \cdot w_1^{y_1}, c_2 \cdot w_2^{y_2})$ and $(t_1, t_2) = (h_3^{y_1}, h_3^{y_2})$.
3. It parses $D_{i-1}^{(priv)}$ as $(ac_{i-1}, open_{ac_{i-1}})$ to execute algorithm $D_{i-1} = \mathrm{Commit}(g_3^{ac_{i-1}}, open_{ac_{i-1}})$. It also picks a fresh $open_{ac_i}$ to compute $D_i = \mathrm{Commit}(g_3^{ac_i}, open_{ac_i})$, for $ac_i = ac_{i-1} - p_\sigma$.
4. It runs PKProve on input $crs^B_{PK}$ to compute a witness-indistinguishable proof $pok_1$:

$$\mathrm{NIPK}\{(c_6, c_8, c_7, c_9, g_3^{p_\sigma}, u_3^{p_\sigma}, s_1, s_2, s_3, g_3^{ac_i}, g_3^{ac_{i-1}}, c_1, c_2, t_1, t_2) : \mathrm{VerifySig}_n(Pk, \langle (c_6, c_8), (c_7, c_9), (g_3^{p_\sigma}, u_3^{p_\sigma}) \rangle, (s_1, s_2, s_3)) = \mathrm{accept} \wedge e(w_1^{-1}, c_6)\, e(c_1, g_1) = 1 \wedge e(w_2^{-1}, c_7)\, e(c_2, g_2) = 1 \wedge e(c_1, h_3)\, e(t_1, w_1) = e(d_1, h_3) \wedge e(c_2, h_3)\, e(t_2, w_2) = e(d_2, h_3) \wedge e(g, g_3^{ac_{i-1}})\, e(g^{-1}, g_3^{ac_i})\, e(g^{-1}, g_3^{p_\sigma}) = 1 \wedge 0 \le ac_i < A \wedge g_3^{ac_i}\ \mathrm{in}\ D_i \wedge g_3^{ac_{i-1}}\ \mathrm{in}\ D_{i-1}\}$$


5. It sets $Q = (d_1, d_2, pok_1, D_i)$, $Q^{(priv)} = (Q, \sigma, y_1, y_2)$ and $D_i^{(priv)} = (ac_i, open_{ac_i})$. It outputs $(Q, Q^{(priv)}, D_i^{(priv)})$.

POTRespond(crs, T, sk, $D_{i-1}$, Q). On input a database commitment T, a secret key sk, private state $D_{i-1}$, and a request Q, it works as follows:

1. It parses crs to obtain $(crs^V_{PK}, crs^B_{PK}, u, h_3)$, T as $(pk, C_1, \ldots, C_N)$, pk as $(w_1, w_2, Pk, paramsRange)$, sk as $(x_1, x_2)$, Q as $(d_1, d_2, pok_1, D_i)$.
2. It verifies $pok_1$ by running PKVerify on input $crs^B_{PK}$ and it aborts if the output is reject. For this verification, it uses the commitments $D_{i-1}$ and $D_i$.
3. It computes $(z_1, z_2) = (d_1^{x_1}, d_2^{x_2})$ and $z = z_1 \cdot z_2$.
4. It runs PKProve on input $crs^V_{PK}$ to compute a zero-knowledge proof of knowledge³ $pok_2$:

$$\mathrm{NIPK}\{(z_1, z_2) : e(z_1, w_1) = e(d_1, h_3) \wedge e(z_2, w_2) = e(d_2, h_3) \wedge e(z_1, h_3)\, e(z_2, h_3) = e(z, h_3)\}$$

5. It outputs $R = (z, pok_2)$ and $D_i$.

POTComplete(crs, T, R, $Q^{(priv)}$). On input a database commitment T, a response R and private state $Q^{(priv)}$:

1. It parses crs to obtain $(crs^V_{PK}, h_3)$, T as $(pk, C_1, \ldots, C_N)$, R as $(z, pok_2)$ and $Q^{(priv)}$ as $(Q, \sigma, y_1, y_2)$.
2. It verifies $pok_2$ by running PKVerify on input $crs^V_{PK}$. If verification fails, it outputs reject.
3. It parses $C_\sigma$ to obtain $c_5$ and it outputs the message $m_\sigma = c_5 / (z \cdot h_3^{-y_1} \cdot h_3^{-y_2})$.

Theorem 2. This POT scheme securely realizes $\mathcal{F}_{\mathrm{POT}}$ under the DLIN, HSDH and TDH assumptions. We prove Theorem 2 in the full version.

5.4 Properties and Extensions

This scheme offers extra features over previous ones [10]. Namely, it permits that several messages have the same price without scaling up prices and accounts, and it allows the vendor to charge different prices for the same message to different buyers, which can be used to apply marketing techniques like making discounts to regular or underage buyers. This can be done by recomputing the signatures included in the ciphertexts on different prices depending on the particular buyer. In order to allow for a precomputed database, V can assign buyers to different groups and associate to each group j ∈ {1, . . . , } a different price for each message $m_i$ by signing $s^{(j)} = \mathrm{Sign}_n(crsSig, Sk, (r_1, r_2, j, p_{ij}))$. (Note that $r_1$ and $r_2$ have the same value in the signatures of all the groups in order to reuse the same encryption of $m_i$.) In the transfer phase, when proving possession of the multi-block P-signature $s^{(j)}$ for their group, buyers must reveal the attribute j.

³ To let this proof be zero-knowledge we introduce a new variable $z_3$. The set of equations is $e(z_1, w_1)\, e(d_1^{-1}, z_3) = 1 \wedge e(z_2, w_2)\, e(d_2^{-1}, z_3) = 1 \wedge e(z_1 z_2, z_3)\, e(z^{-1}, z_3) = 1 \wedge e(w_1, z_3) = e(w_1, h_3)$.


The POT scheme can be simplified to obtain an OT scheme, which constitutes an alternative to the one in [17]. Additionally, the multi-block signature scheme provides high flexibility to implement other access control policies for oblivious transfer beyond those required for POT. For example, if an index i is signed instead of price $p_i$, then access control methods based on stateful anonymous credentials [26], which support a wide variety of policies, can be applied.

5.5 Efficiency Analysis and Comparison

In Table 1 we compare the performance of our POT scheme with the performance of the OT scheme in [17] and with the OT scheme obtained by simplifying our POT scheme. We show the number of group elements in the crs, in the database T, in the request message, and in the response message. (We recall that the deposit upper bound is $A = d^a$.) See the full version for more details.

Table 1. Performance comparison with the OT scheme in [17]

                POT scheme       OT scheme [17]   Our underlying OT scheme
crs             23               16               23
Database T      12N + 3d + 11    18N + 11         12N + 7
Request         86 + 30a         66               65
Response        28               35               28

Although we analyze the POT scheme as a two-party protocol between a vendor and a buyer, we would also want to use it in applications where a single vendor interacts with multiple buyers. This can be achieved by making the vendor run different protocol instances with each buyer, but for efficiency reasons it is more appropriate if the vendor can publish a single database for every buyer. Moreover, this ensures consistency, i.e., all the buyers that share a database obtain the same messages and pay the same prices. In our scheme, this is possible to accomplish by modifying $\mathcal{F}_{\mathrm{CRS}}$ such that it returns common reference strings crs that share the same bilinear setup and the same values $(u, h_1, h_2, h_3)$. In the proof, this permits the simulator to obtain all messages from a database T intended for multiple buyers, and the fact that they share a crs with common values can be addressed by applying the universal composition with joint state theorem [42].

References

1. Koargonkar, P., Wolin, L.: A multivariate analysis of web usage. Journal of Advertising Research, 53–68 (March/April 1999)

2. Tsai, J., Egelman, S., Cranor, L., Acquisti, R.: The effect of online privacy information on purchasing behavior: An experimental study, working paper (June 2007)

3. Grimm, R., Aichroth, P.: Privacy protection for signed media files: a separation-of-duty approach to the lightweight drm (lwdrm) system. In: Dittmann, J., Fridrich, J.J. (eds.) MM&Sec, pp. 93–99. ACM, New York (2004)


4. Lee, D.G., Oh, H.G., Lee, I.Y.: A study on contents distribution using electronic cash system. In: EEE 2004: Proceedings of the 2004 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE 2004), Washington, DC, USA, pp. 333–340. IEEE Computer Society, Los Alamitos (2004)

5. Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203. Plenum Press, New York (1999)

6. Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-Cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005)

7. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact e-cash and simulatable VRFs revisited. Cryptology ePrint Archive, Report 2009/107 (2009), http://eprint.iacr.org/

8. Berthold, O., Federrath, H., Kohntopp, M.: Project anonymity and unobservability in the internet. In: CFP 2000: Proceedings of the tenth conference on Computers, freedom and privacy, pp. 57–65. ACM, New York (2000)

9. Sun, H.-M., Wang, K.-H., Hung, C.-F.: Towards privacy preserving digital rights management using oblivious transfer

10. Aiello, W., Ishai, Y., Reingold, O.: Priced oblivious transfer: How to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001)

11. Rabin, M.O.: How to exchange secrets by oblivious transfer (1981)

12. Naor, M., Pinkas, B.: Oblivious transfer with adaptive queries. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 573–590. Springer, Heidelberg (1999)

13. Kohlweiss, M., Faust, S., Fritsch, L., Gedrojc, B., Preneel, B.: Efficient oblivious augmented maps: Location-based services with a payment broker. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 77–94. Springer, Heidelberg (2007)

14. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS 2001: Proceedings of the 42nd IEEE symposium on Foundations of Computer Science, Washington, DC, USA, p. 136. IEEE Computer Society, Los Alamitos (2001)

15. Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007)

16. Green, M., Hohenberger, S.: Blind identity-based encryption and simulatable oblivious transfer. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 265–282. Springer, Heidelberg (2007)

17. Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. Cryptology ePrint Archive, Report 2008/163 (2008), http://eprint.iacr.org/

18. Damgard, I., Nielsen, J.B., Orlandi, C.: Essentially optimal universally composable oblivious transfer. Cryptology ePrint Archive, Report 2008/220 (2008), http://eprint.iacr.org/

19. Wagner, D. (ed.): CRYPTO 2008. LNCS, vol. 5157. Springer, Heidelberg (2008)

20. Tobias, C.: Practical oblivious transfer protocols. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 415–426. Springer, Heidelberg (2003)

21. Crescenzo, G.D., Ostrovsky, R., Rajagopalan, S.: Conditional oblivious transfer and timed-release encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 74–89. Springer, Heidelberg (1999)

22. Blake, I.F., Kolesnikov, V.: Strong conditional oblivious transfer and computing on intervals. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 515–529. Springer, Heidelberg (2004)

23. Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: Proc. of 5th ISTCS, pp. 174–183 (1997)


24. Shankar, B., Srinathan, K., Rangan, C.P.: Alternative protocols for generalized oblivious transfer. In: Rao, S., Chatterjee, M., Jayanti, P., Murthy, C.S.R., Saha, S.K. (eds.) ICDCN 2008. LNCS, vol. 4904, pp. 304–309. Springer, Heidelberg (2008)

25. Herranz, J.: Restricted adaptive oblivious transfer. Cryptology ePrint Archive, Report 2008/182 (2008), http://eprint.iacr.org/

26. Coull, S., Green, M., Hohenberger, S.: Controlling access to an oblivious database using stateful anonymous credentials. Cryptology ePrint Archive, Report 2008/474 (2008), http://eprint.iacr.org/

27. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)

28. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)

29. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M.K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)

30. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)

31. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)

32. Canetti, R.: Obtaining universally composable security: Towards the bare bones of trust. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 88–112. Springer, Heidelberg (2007)

33. Santis, A.D., Di Crescenzo, G., Persiano, G.: Necessary and sufficient assumptions for non-interactive zero-knowledge proofs of knowledge for all NP relations. In: Welzl, E., Montanari, U., Rolim, J.D.P. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 451–462. Springer, Heidelberg (2000)

34. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)

35. Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, New York (2000)

36. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988: Proceedings of the twentieth annual ACM symposium on Theory of computing, pp. 103–112. ACM Press, New York (1988)

37. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM Journal on Computing 29(1), 1–28 (1999)

38. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)

39. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

40. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)

41. Ateniese, G., Camenisch, J., de Medeiros, B.: Untraceable RFID tags via insubvertible encryption. In: CCS 2005: Proceedings of the 12th ACM conference on Computer and communications security, pp. 92–101. ACM, New York (2005)

42. Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003)


Conjunctive Broadcast and Attribute-Based Encryption

Nuttapong Attrapadung and Hideki Imai

Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST)

Akihabara-Daibiru Room 1003, 1-18-13, Sotokanda, Chiyoda-ku, Tokyo 101-0021, Japan

{n.attrapadung,h-imai}@aist.go.jp

Abstract. An attribute-based encryption (ABE) system enables an access control mechanism over encrypted data by specifying access policies among private keys and ciphertexts. There are two flavors of ABE, namely key-policy and ciphertext-policy, depending on whether access policies are associated with private keys or with ciphertexts. In this paper we propose a new cryptosystem called Broadcast ABE for both flavors. Broadcast ABE can be used to construct ABE systems with a direct revocation mechanism. Direct revocation has the useful property that revocation can be done without affecting any non-revoked users; in particular, it does not require users to update keys periodically. For the key-policy variant, our systems appear to be the first fully-functional directly revocable schemes. For the ciphertext-policy variant, our systems improve the efficiency over the previously best revocable schemes; in particular, one of our schemes admits ciphertext and private key sizes roughly the same as the currently best (non-revocable) ciphertext-policy ABE. Broadcast ABE can also be utilized to construct multi-authority ABE in the disjunctive setting.

Keywords: Attribute-based encryption, Ciphertext policy, Key policy, Broadcast encryption, Revocable ABE, Disjunctive multi-authority ABE.

1 Introduction

Background. Attribute-based encryption (ABE) enables an access control mechanism over encrypted data using access policies and ascribed attributes among private keys and ciphertexts. ABE comes in two flavors called Ciphertext-Policy ABE and Key-Policy ABE.

In Ciphertext-Policy ABE, an encryptor can express any access policy, stating what kind of receivers will be able to decrypt the message, directly in the encryption algorithm (which can be run by anyone knowing the universal public key issued beforehand by an authority). Such a policy is specified in terms of an access structure over attributes. A user is ascribed an attribute set, in the sense that each attribute corresponds to one of her credentials, and

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 248–265, 2009. © Springer-Verlag Berlin Heidelberg 2009


Conjunctive Broadcast and Attribute-Based Encryption 249

is given the private key by the authority in advance. Such a user can decrypt a ciphertext if her attribute set satisfies the access policy associated with the ciphertext. An example application of CP-ABE is a secure mailing list system with access policies. There, a private key will be assigned for an attribute set, such as {“manager”, “age:30”, “institute:ABC”}, while policies over attributes such as “manager” ∨ (“trainee” ∧ “age:25”) will be associated with ciphertexts.

In Key-Policy ABE, the roles of an attribute set and an access policy are swapped from what we described for CP-ABE. Attribute sets are used to annotate the ciphertexts and access policies over these attributes are associated with users' secret keys. An example application of KP-ABE is a pay-TV system with package policies (called target broadcast system in [16]). There, a ciphertext will be associated with an attribute set, such as ω = {“title:24”, “genre:suspense”, “season:2”, “episode:13”}, while a policy such as A = “soccer” ∨ (“title:24” ∧ “season:5”) will be associated with the TV program package keys that a user receives when subscribing.

Previous Works. ABE was introduced by Sahai and Waters [21] in the context of a generalization of ID-based encryption (IBE) called Fuzzy IBE, which is an ABE that allows only single threshold access structures. The first (and still state-of-the-art) KP-ABE that allows any monotone access structure was proposed by Goyal et al. [16], while the first such CP-ABE, albeit with the security proof in the generic bilinear group model, was proposed by Bethencourt, Sahai, and Waters [5]. Ostrovsky, Sahai, and Waters [20] then subsequently extended both schemes to handle also any non-monotone structures; therefore, negated clauses can be specified in policies. Goyal et al. [15] presented bounded CP-ABE in the standard model. Waters [23] recently proposed the first fully expressive CP-ABE in the standard model. Chase [10] presented KP-ABE in the multi-authority setting.

1.1 Two Motivating Problems

Motivation 1: Revocation Scheme for ABE. A revocation mechanism is necessary for any encryption scheme that involves many users, since some private keys might get compromised at some point. In simpler primitives such as public key infrastructure and IBE, there are many revocation methods proposed in the literature [17,1,18,7,13,6]. In the attribute-based setting, Boldyreva et al. [6] only recently proposed a revocable KP-ABE scheme. Their scheme uses a key update approach roughly as follows. Consider the package pay-TV system example as above. The sender will encrypt to the attribute set ω ∪ {“time:2009.week3”}, where it also includes the present time slot attribute. The key authority periodically announces a key update material at each time slot so that only non-revoked users can update their key, e.g., a user with a key for policy A can compute a key for A ∧ “time:2009.week3”, which can be used to decrypt ciphertexts encrypted at this time slot. We call this approach an indirect revocation, since the authority indirectly enables revocation by forcing revoked users to be unable to update their keys.


250 N. Attrapadung and H. Imai

While the indirect revocation has an elegant property that senders do not need to know the revocation list, it also has a disadvantage that the key update phase can be a bottleneck for both the key authority and all non-revoked users. It is thus left as an open problem to find an efficient revocation mechanism which can be done without affecting any non-revoked users and the public key. With this restriction, it must be that the sender obtains the revocation list (and somehow will embed it into the ciphertext), since otherwise revocation cannot take effect after all. This setting (where the sender knows the revocation list) is reasonable especially in the package pay-TV system example, where the sender is the program distributor company, who should possess the pirate key list to be revoked. We will call such a solution, where a sender directly specifies the revocation list when encrypting, a direct revocation.

For KP-ABE, a direct revocation approach is, however, not possible yet for the normal present form of the KP-ABE algorithm, since a normal KP-ABE scheme allows only specifying the attribute set associated to the ciphertext, not an access policy. This motivates us to model and construct such a scheme in this paper. We note that Golle et al. [14] proposed a directly revocable KP-ABE, but their scheme is heuristic and works only when the number of attributes associated to each ciphertext is exactly half of the universe size.

On the other hand, for CP-ABE, such direct revocation can be done by using ABE that supports negative clauses, proposed by Ostrovsky, Sahai, Waters [20]. To do so, one just adds conjunctively the AND of the negations of revoked user identities (where each is considered as an attribute here). However, this solution still somewhat lacks efficiency performance. In particular, their CP-ABE scheme¹ will pose an overhead of O(|R|) group elements additively to the size of the ciphertext and O(log n) multiplicatively to the size of the private key over the original CP-ABE scheme of Bethencourt et al. [5], where n is the maximum size of the revoked attribute set R. This motivates us to look for more efficient revocation schemes for CP-ABE. We note that Sahai and Waters [22] recently proposed ABE that supports negative clauses which has an efficiency improvement over the Ostrovsky et al. scheme [20]. However, their paper included only a KP-ABE variant.

Motivation 2: Disjunctive Multi-Authority ABE. One limitation in ABE systems is the need to trust a single central authority. A natural extension of ABE to avoid this is to have many authorities where each can derive a private key. Consider the policy-based secure mailing list example described in the usage of CP-ABE above. Suppose that the sender wishes to send an email encrypted under some policy and she only trusts authorities, say, A1, . . . , At. She wishes to encrypt the email so that only a user who possesses a key such that its attribute set satisfies the policy and it is generated from one of those t trusted authorities can decrypt. Using a trivial approach would require a ciphertext of size O(t · c) where c is the ciphertext size in the basic ABE. Our goal is to obtain a more efficient scheme that requires a ciphertext of size only O(c), which is independent of t.

A similar problem to this was indeed recently addressed by Boneh and Hamburg [9]. In their paper, they proposed a framework called Generalized IBE (GIBE) and gave a concrete construction of its special case called Spatial Encryption. One property of their framework is that any primitive that is cast as GIBE can be efficiently augmented to its disjunctive multi-authority version. In their paper, they showed that KP-ABE also falls into the GIBE framework. However, the key size of the KP-ABE instantiated from Spatial Encryption is linear in the access structure size, which may be exponentially large.

¹ The mentioned scheme was implicitly introduced in §3.5 of [20].

We note that Chase [10] also proposed Multi-Authority ABE, albeit in the conjunctive setting. In the conjunctive setting, the attribute space for each authority is disjoint, while in our disjunctive setting, the attribute space is the same for all authorities. Also, in the conjunctive setting, a private key will be created by gathering elements from all authorities, while in our disjunctive setting, a private key can be derived solely by each authority.

1.2 Our Contributions

We propose a new primitive called Conjunctive Broadcast and Attribute-Based Encryption, or simply Broadcast ABE for shorthand. Roughly speaking, it adds conjunctively a broadcast dimension à la Broadcast Encryption (BE) to ABE. Broadcast ABE efficiently solves both motivating problems: it can be used as an ABE system that has a direct revocation mechanism and as a disjunctive multi-authority ABE. We refer to [12,19,18,11,2,8,22] for historic details on BE.

In Broadcast ABE, a private key will be associated also with a user index ID and the ciphertext will be associated also with a user index set S, besides a set of attributes and an access structure (respectively if CP-ABE is considered, or vice versa if KP-ABE is considered). The decryption can be done if the condition on attributes on the ABE part holds as usual and, in addition, ID ∈ S. Broadcast ABE also realizes private key delegation in proper ways.

To realize a directly revocable ABE scheme, we set ID to be used as a unique serial number for each private key. To encrypt with a revoked serial number set R the sender just sets S = U \ R, where U is the universe of user indexes, while the attribute related part is done as usual.

To realize a disjunctive multi-authority ABE scheme, we set ID to be used as each authority’s identity. To derive a private key for a user, an authority delegates its key by specifying the attribute part properly.

Our Approach. We propose two concrete Broadcast Key-Policy ABE schemes and two concrete Broadcast Ciphertext-Policy ABE schemes. Each Broadcast Key-Policy ABE scheme is based on a state-of-the-art Broadcast Encryption scheme, either by Boneh-Gentry-Waters [8] or Sahai-Waters [22], combined algebraically with the KP-ABE of Goyal et al. [16]. Similarly, each Broadcast Ciphertext-Policy ABE scheme is based on the Broadcast Encryption scheme either by Boneh-Gentry-Waters or Sahai-Waters combined algebraically with Waters’ CP-ABE [23].

Each of the four combinations is non-trivial in the first place, since, for example, one may think of obtaining Broadcast ABE by using AND-double encryption (even in a secure way) of BE and ABE. However, one can easily find out that this misleading method is insecure due to collusion attacks of two attackers. Our schemes algebraically combine those schemes in a more sophisticated way.

Efficiency. Our first broadcast KP-ABE scheme has almost the same efficiency in ciphertext and private key sizes as that of the original KP-ABE of Goyal et al. [16], albeit it has a large public key size linear in n, where n is the size of the user index universe. Our second broadcast KP-ABE scheme reduces the public key size to almost the same as the original KP-ABE while the ciphertext requires only 2|R| group elements additively. Note that these are the first fully functional directly revocable KP-ABE schemes in the literature. The performance also holds similarly for the broadcast CP-ABE variant. In particular, our revocable CP-ABE schemes outperform the previous method applied from [20].

Organization of the Paper. We first provide preliminary materials in §2. We present the definition of Broadcast ABE in §3. In §4 and §5, we present our four concrete broadcast ABE schemes for the Key-policy and Ciphertext-policy variants respectively. We give a brief security proof overview in §6 and postpone the full proofs to the full version. The key delegation algorithms for each scheme are described in §7. Finally, in §8, we present an efficiency performance comparison.

2 Preliminaries

2.1 Access Structures and Linear Secret Sharing

We first provide the notion of access structure and linear secret sharing scheme as follows. Such formalization is recapped from [23].

Definition 1 (Access Structures). Let P = {P1, P2, . . . , Pn} be a set of parties. A collection A ⊆ 2^P is monotone if for all B, C we have that if B ∈ A and B ⊆ C then C ∈ A. An access structure (respectively, monotonic access structure) is a collection (respectively, monotone collection) A ⊆ 2^P \ {∅}. The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets.

Definition 2 (Linear Secret Sharing Schemes (LSSS)). Let P be a set of parties. Let M be a matrix of size ℓ × k. Let ρ : {1, . . . , ℓ} → P be a function that maps a row to a party for labeling. A secret sharing scheme Π for access structure A over a set of parties P is a linear secret-sharing scheme in Zp and is represented by (M, ρ) if it consists of two polynomial-time algorithms:

Share(M, ρ): The algorithm takes as input s ∈ Zp which is to be shared. It randomly chooses y2, . . . , yk ∈ Zp and lets v = (s, y2, . . . , yk). It outputs Mv as the vector of ℓ shares. The share λρ(i) := Mi · v belongs to party ρ(i), where we denote Mi as the ith row in M.

Recon(M, ρ): The algorithm takes as input S ∈ A. Let I = {i | ρ(i) ∈ S}. It outputs reconstruction constants {(i, μi)}i∈I which have the linear reconstruction property:

\[ \sum_{i \in I} \mu_i \cdot \lambda_{\rho(i)} = s. \]


2.2 Bilinear Maps and Some Assumptions

Bilinear Maps. We briefly review facts about bilinear maps. Let G, GT be multiplicative groups of prime order p. Let g be a generator of G. A bilinear map is a map e : G × G → GT for which the following hold: (1) e is bilinear; that is, for all u, v ∈ G, a, b ∈ Z, we have $e(u^a, v^b) = e(u, v)^{ab}$. (2) The map is non-degenerate: e(g, g) ≠ 1. We say that G is a bilinear group if the group action in G can be computed efficiently and there exists GT for which the bilinear map e : G × G → GT is efficiently computable.

Decision BDHE Assumption. Let G be a bilinear group of prime order p. The Decision q-BDHE (Bilinear Diffie-Hellman Exponent) problem [8] in G is stated as follows: first the challenger picks a generator g ∈ G and random exponents s, α. The attacker is given a vector

\[ Y = \bigl(g,\; g^{s},\; g^{\alpha},\; g^{(\alpha^2)},\; \ldots,\; g^{(\alpha^q)},\; g^{(\alpha^{q+2})},\; \ldots,\; g^{(\alpha^{2q})}\bigr) \]

and an element Z ∈ GT as input, and must determine if $Z = e(g, g)^{\alpha^{q+1} s}$. We denote $g_i = g^{(\alpha^i)} \in G$ for shorthand. An algorithm A that outputs b ∈ {0, 1} has advantage ε in solving Decision q-BDHE in G if

\[ \Bigl|\Pr\bigl[A(Y, e(g, g)^{\alpha^{q+1} s}) = 0\bigr] - \Pr\bigl[A(Y, Z) = 0\bigr]\Bigr| \ge \varepsilon. \]

We refer to the distribution on the left as P_BDHE and the distribution on the right as R_BDHE. We say that the Decision q-BDHE assumption holds in G if no polynomial-time algorithm has a non-negligible advantage in solving the problem.

Decision MEBDH Assumption. Let G be a bilinear group of prime order p. The Decision q-MEBDH (Multi-Exponent Bilinear Diffie-Hellman) problem [22] in G is stated as follows: first the challenger picks a generator g ∈ G and random exponents s, α, a1, . . . , ar. The attacker is given a vector

\[
X = \Bigl(\, g,\; g^{s},\; e(g, g)^{\alpha},\;
\forall_{1 \le i, j \le q}:\; g^{a_i},\; g^{a_i s},\; g^{a_i a_j},\; g^{\alpha / a_i^2},\;
\forall_{1 \le i, j, k \le q,\; i \ne j}:\; g^{a_i a_j s},\; g^{\alpha a_j / a_i^2},\; g^{\alpha a_i a_j / a_k^2},\; g^{\alpha a_i^2 / a_j^2} \,\Bigr)
\]

and an element Z ∈ GT as input, and must determine if $Z = e(g, g)^{\alpha s}$. An algorithm A that outputs b ∈ {0, 1} has advantage ε in solving Decision q-MEBDH in G if

\[ \Bigl|\Pr\bigl[A(X, e(g, g)^{\alpha s}) = 0\bigr] - \Pr\bigl[A(X, Z) = 0\bigr]\Bigr| \ge \varepsilon. \]

We refer to the distribution on the left as P_MEBDH and the distribution on the right as R_MEBDH. We say that the Decision q-MEBDH assumption holds in G if no polynomial-time algorithm has a non-negligible advantage in solving the problem.

3 Definitions and Applications

3.1 Broadcast Key-Policy ABE

Let U denote the set of all user indexes. Let N be the set of all attributes. Note that both U and N are possibly of exponential sizes. Let A denote the set of access structures over N which are allowed to be used. A (U, A) Broadcast Key-Policy Attribute-Based Encryption (BKP-ABE) scheme consists of four default algorithms Setup, Encrypt, KeyGen, Decrypt and may also include one optional additional algorithm Delegate.

Setup → (pk, msk). This is a randomized algorithm that takes no input other than the implicit security parameter. It outputs the public key pk and a master key msk.

Encrypt(S, ω, M, pk) → ct. This is a randomized algorithm that takes as input a user index set S ⊆ U, a set of attributes ω ⊆ N, a message M, and the public key pk. It outputs a ciphertext ct.

KeyGen(ID, A, msk, pk) → sk(ID,A). This is a randomized algorithm that takes as input a user index ID ∈ U, an access structure A ∈ A, the master key msk, and the public key pk. It outputs a private decryption key sk(ID,A), which we sometimes simply denote as sk when its subscript is unambiguous.

Decrypt(ct, (S, ω), sk(ID,A), (ID, A), pk) → M. This algorithm takes as input the ciphertext ct that was encrypted under a user set S with a set ω of attributes, the decryption key sk(ID,A) for user index ID with access control structure A, and the public key pk. It outputs the message M if ω ∈ A and ID ∈ S.

Delegate((x, y), sk(x,y), (x′, y′), pk) → sk(x′,y′). This is a randomized algorithm that takes as input a secret key sk(x,y) (with its subscript) and a new subscript (x′, y′). It outputs a key sk(x′,y′). Let ⋆ be a special symbol. If we write this operation as sk(x,y) → sk(x′,y′) and denote msk = sk(⋆,⋆), then this algorithm is defined over the sequences

sk(⋆,⋆) → sk(ID,⋆) → sk(ID,A), sk(⋆,⋆) → sk(⋆,A) → sk(ID,A), sk(x,A) → sk(x,A′),

for any ID ∈ U; A, A′ ∈ A where A ⊆ A′; and x can be either ⋆ or any ID ∈ U.

We require the standard correctness of decryption, that is, if Setup → (pk, msk) then Decrypt(Encrypt(S, ω, M, pk), (S, ω), KeyGen(ID, A, msk, pk), (ID, A), pk) → M for all M in the message space; ID ∈ U; A ∈ A; ω ⊆ N; S ⊆ U. For the scheme with Delegate defined, we also require that sk(ID,A) output from this algorithm has the same distribution as the one from the KeyGen algorithm.

The selective security notion for BKP-ABE is defined in the following game.

Init. The adversary declares the target set of user indexes S* and the target attribute set ω*.

Setup. The challenger runs the Setup algorithm of ABE and gives the public key pk to the adversary.

Phase 1. The adversary is allowed to issue queries for private keys for pairs of user index and access structure (ID, A) such that ω* ∉ A or ID ∉ S*, i.e., the negated condition of that of a legitimate key which can be used to decrypt a challenge ciphertext.

For the scheme with Delegate defined, the adversary can also query the key sk(ID,⋆) such that ID ∉ S*, and the key sk(⋆,A) such that ω* ∉ A.

Challenge. The adversary submits two equal length messages M0 and M1. The challenger flips a random bit b and computes the challenge ciphertext ct* of Mb on the target pair (S*, ω*) of user set and target attribute set and then gives ct* to the adversary.

Phase 2. Phase 1 is repeated.

Guess. The adversary outputs a guess b′ of b.

The advantage of an adversary in this game is defined as Pr[b = b′] − 1/2. Note that this can be extended to handle chosen-ciphertext attacks by allowing decryption queries in Phases 1 and 2.

Definition 3. A BKP-ABE scheme is secure in the selective security notion if all polynomial time adversaries have at most a negligible advantage in the above game.

3.2 Broadcast Ciphertext-Policy ABE

Let U, N, A denote the same values as before. A (U, A) Broadcast Ciphertext-Policy Attribute-Based Encryption (BCP-ABE) scheme is defined in exactly the same way as BKP-ABE except only that the roles of the access structure and the set of attributes are swapped. That is, the private key is assigned to a pair of user index ID ∈ U and attribute set ψ ⊆ N, and the ciphertext corresponds to a pair of user set S ⊆ U and access structure A ∈ A. The decryption can be done iff ψ ∈ A and ID ∈ S. The definition of the security notion can be adapted from the key-policy case straightforwardly.

3.3 Solutions to Motivating Problems

Directly Revocable ABE. We apply broadcast ABE for realizing a direct revocation on ABE as follows. We use ID as a unique serial number for each private key (e.g., ID can be the number of keys distributed so far). That is, when a user requests a key for y, for appropriate y depending on KP-ABE or CP-ABE, the authority picks an unused ID and returns sk(ID,y). When encrypting, a sender associates the set S = U \ R, where R is the revoked serial number set, together with the usual attribute-based part. In particular, whether users in S can decrypt or not is a don’t care condition, which is left to be evaluated solely from the attribute-based part. The only care condition is that users in R cannot decrypt.

Disjunctive Multi-authority ABE. We apply Broadcast ABE for realizing disjunctive multi-authority ABE as follows. We use broadcast ABE in which the key sk(ID,⋆) is defined (and its corresponding Delegate). sk(ID,⋆) will be the key for the authority of identity ID. To generate a key for a user, an authority delegates the key sk(ID,y) for appropriate y depending on KP-ABE or CP-ABE. To encrypt under a set of trusted authorities S, the sender encrypts under the user index set S and the appropriate attribute set or access structure depending on KP-ABE or CP-ABE.


4 Broadcast Key-Policy ABE

We now present our two broadcast key-policy ABE schemes. The first scheme BKP-ABE1 is a combination of the broadcast encryption of Boneh-Gentry-Waters [8] and the KP-ABE of Goyal et al. [16]. The second scheme BKP-ABE2 is a combination of the broadcast encryption of Sahai-Waters [22] and the KP-ABE of Goyal et al. [16].

The first scheme BKP-ABE1 has user index universe U = [n] = {1, . . . , n}. BKP-ABE2 has user index universe U = Zp. We note that the universe being U = Zp implies that one can think of the primitive as an identity-based version in the broadcast dimension, where we can hash any string in {0, 1}* into Zp in real usage. The ID-based version implicitly implies the dynamic aspect of our scheme since a key for every user (∈ {0, 1}*) will be well-defined from initialization.

Both schemes have attribute universe N = Zp and can deal with any linear secret-sharing access structure; we denote the universe of such structures by A_LSSS. Consequently, we let an access structure in its LSSS matrix form (cf. Definition 2) be input directly to the algorithms in the scheme.

In each scheme, let m be the maximum size of the objective attribute set allowed to be associated with a ciphertext, i.e., we restrict |ω| ≤ m. Let m′ = m − 1.

The intuition behind each combination that recurs throughout this paper is that we combine the “core key” of both underlying schemes algebraically into a single element so as to prevent collusion attacks. (Recall that such an attack could be mounted in the case of a simple combination by AND-double encryption in the misleading method described in §1.) We will describe the intuition for only the first scheme. For the readers who are familiar with Boneh-Gentry-Waters BE [8], we recall that $g^{\alpha^{ID} \gamma}$ is the private key element of user ID. To combine this key seamlessly with the core part of the KP-ABE scheme, we use the secret exponent $\alpha^{ID} \gamma$ as the secret to be shared in the LSSS of the Goyal et al. [16] KP-ABE. We note that this technique is somewhat reminiscent of the scheme in [4].

4.1 Construction BKP-ABE1

• Setup: The algorithm first picks a random generator g ∈ G and a random α ∈ Zp. It computes $g_i = g^{(\alpha^i)} \in G$ for i = 1, 2, . . . , n, n+2, . . . , 2n. Next, it randomly picks γ ∈ Zp and sets $v = g^{\gamma} \in G$. It then randomly picks h0, . . . , hm′ ∈ G. The public key is

\[ pk = \bigl(g,\; g_1, \ldots, g_n,\; g_{n+2}, \ldots, g_{2n},\; v,\; h_0, \ldots, h_{m'}\bigr). \]

The master key is msk = (α, γ). It outputs (pk, msk). Define a function F : Zp → G by

\[ F(x) = \prod_{j=0}^{m'} h_j^{(x^j)}. \]

• Encrypt(S, ω, M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and an attribute set ω ⊆ N. Pick a random s ∈ Zp. It then computes the ciphertext as

\[ ct = \bigl(C,\; C^{(1)},\; \{C^{(2)}_k\}_{k \in \omega},\; C^{(3)}\bigr) \]

where

\[ C = M \cdot e(g_n, g_1)^{s}, \qquad C^{(1)} = g^{s}, \qquad C^{(2)}_k = F(k)^{s}, \qquad C^{(3)} = \Bigl(v \prod_{j \in S} g_{n+1-j}\Bigr)^{s}. \]

• KeyGen(ID, (N, π), msk, pk): Inputs to the key generation algorithm are a user index ID ∈ U and an LSSS access structure (N, π) ∈ A_LSSS. Let N be an ℓo × ko matrix. The algorithm first randomly chooses z2, . . . , zko ∈ Zp and lets $v = (\alpha^{ID} \gamma, z_2, \ldots, z_{k_o})$. For i = 1 to ℓo, it calculates σi = Ni · v, where Ni is the vector corresponding to the ith row of N. It also randomly chooses r1, . . . , rℓo ∈ Zp. It outputs the private key as

\[ sk_{(ID, (N, \pi))} = \bigl(\{D^{(1)}_i\}_{i \in [1, \ell_o]},\; \{D^{(2)}_i\}_{i \in [1, \ell_o]}\bigr) \]

where

\[ D^{(1)}_i = g^{\sigma_i} F(\pi(i))^{r_i}, \qquad D^{(2)}_i = g^{r_i}. \tag{1} \]

• Decrypt(ct, (S, ω), sk(ID,(N,π)), (ID, (N, π)), pk): Suppose that the attribute set ω satisfies the access structure (N, π) and the user index ID ∈ S (so that the decryption is possible). Let Io = {i | π(i) ∈ ω}. It then calculates the corresponding set of reconstruction constants {(i, νi)}i∈Io = Recon(N,π)(ω). Then it computes the following

\[
K = \frac{e(g_{ID}, C^{(3)})}{e\Bigl(\prod_{j \in S,\, j \ne ID} g_{n+1-j+ID},\; C^{(1)}\Bigr)}
\cdot \prod_{i=1}^{\ell_o} \left( \frac{e(C^{(2)}_{\pi(i)}, D^{(2)}_i)}{e(D^{(1)}_i, C^{(1)})} \right)^{\nu_i},
\]

and obtains message M = C/K.

Correctness. We can verify its correctness as

\[
\begin{aligned}
K &= \frac{e\bigl(g_{ID},\; (v \prod_{j \in S} g_{n+1-j})^{s}\bigr)}{e\bigl(\prod_{j \in S,\, j \ne ID} g_{n+1-j+ID},\; g^{s}\bigr)}
\cdot \prod_{i=1}^{\ell_o} \left( \frac{e(F(\pi(i))^{s}, g^{r_i})}{e(g^{\sigma_i} F(\pi(i))^{r_i}, g^{s})} \right)^{\nu_i} \\
&= \frac{e\bigl(g^{(\alpha^{ID})},\; (g^{\gamma} \prod_{j \in S} g_{n+1-j})^{s}\bigr)}{e\bigl(\prod_{j \in S,\, j \ne ID} g_{n+1-j+ID},\; g^{s}\bigr)}
\cdot \frac{1}{\prod_{i=1}^{\ell_o} e(g, g)^{s \cdot \sigma_i \cdot \nu_i}} \\
&= \frac{e(g, g)^{(\alpha^{ID} \gamma s)} \, e\bigl(g,\; \prod_{j \in S} g_{n+1-j+ID}\bigr)^{s}}{e\bigl(\prod_{j \in S,\, j \ne ID} g_{n+1-j+ID},\; g\bigr)^{s}}
\cdot \frac{1}{e(g, g)^{s \cdot (\alpha^{ID} \gamma)}} \\
&= e(g, g_{n+1})^{s}.
\end{aligned}
\]

Theorem 1. If an adversary can break the BKP-ABE1 scheme with advantage ε in the selective security model for (U = [n], A_LSSS)-BKP-ABE, then a simulator with advantage ε in solving the Decision n-BDHE problem can be constructed.

4.2 Construction BKP-ABE2

• Setup: The algorithm first picks random generators g, v, h0, . . . , hm′ ∈ G and random α, b ∈ Zp. The public key is

\[ pk = \bigl(g,\; g^{b},\; g^{b^2},\; v,\; v^{b},\; h_0, \ldots, h_{m'},\; e(g, g)^{\alpha}\bigr). \]

The master key is msk = (α, b). It outputs (pk, msk). Define a function F : Zp → G by

\[ F(x) = \prod_{j=0}^{m'} h_j^{(x^j)}. \]

• Encrypt(S, ω, M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and an attribute set ω ⊆ N. Let R = U \ S. Denote R = {ID1, . . . , IDr}. Pick a random s ∈ Zp. Choose random s1, . . . , sr ∈ Zp such that s = s1 + · · · + sr. It computes the ciphertext

\[ ct = \bigl(C,\; C^{(1)},\; \{C^{(2)}_k\}_{k \in \omega},\; \{C^{(3)}_j\}_{j \in [1, r]},\; \{C^{(4)}_j\}_{j \in [1, r]}\bigr) \]

as

\[ C = M \cdot (e(g, g)^{\alpha})^{s}, \quad C^{(1)} = g^{s}, \quad C^{(2)}_k = F(k)^{s}, \quad C^{(3)}_j = g^{b \cdot s_j}, \quad C^{(4)}_j = \bigl(g^{b^2 \cdot ID_j} v^{b}\bigr)^{s_j}. \]

• KeyGen(ID, (N, π), msk, pk): Inputs to the key generation algorithm are a user index ID ∈ U and an LSSS access structure (N, π) ∈ A_LSSS. Let N be an ℓo × ko matrix. The algorithm first randomly chooses t, z2, . . . , zko ∈ Zp and lets $v = (\alpha + b^2 t, z_2, \ldots, z_{k_o})$. For i = 1 to ℓo, it calculates σi = Ni · v, where Ni is the vector corresponding to the ith row of N. It also randomly chooses r1, . . . , rℓo ∈ Zp. It outputs the private key as

\[ sk = \bigl(\{D^{(1)}_i\}_{i \in [1, \ell_o]},\; \{D^{(2)}_i\}_{i \in [1, \ell_o]},\; D^{(3)},\; D^{(4)}\bigr) \]

where

\[ D^{(1)}_i = g^{\sigma_i} F(\pi(i))^{r_i}, \qquad D^{(2)}_i = g^{r_i}, \qquad D^{(3)} = (g^{b \cdot ID} v)^{t}, \qquad D^{(4)} = g^{t}. \tag{2} \]

• Decrypt(ct, (S, ω), sk, (ID, (N, π)), pk): Suppose that the attribute set ω satisfies the access structure (N, π) and the user index ID ∈ S (so that the decryption is possible). Let Io = {i | π(i) ∈ ω}. It then calculates the corresponding set of reconstruction constants {(i, νi)}i∈Io = Recon(N,π)(ω). Then it computes

\[
K = \prod_{i=1}^{\ell_o} \left( \frac{e(D^{(1)}_i, C^{(1)})}{e(C^{(2)}_{\pi(i)}, D^{(2)}_i)} \right)^{\nu_i}
\cdot \prod_{j=1}^{r} \left( \frac{e(D^{(4)}, C^{(4)}_j)}{e(D^{(3)}, C^{(3)}_j)} \right)^{1 / (ID - ID_j)},
\]

which it can compute since ID ≠ IDj for all j = 1, . . . , r. It then obtains the message M = C/K.

Correctness. We can verify its correctness as

\[
\begin{aligned}
K &= \prod_{i=1}^{\ell_o} \left( \frac{e(g^{\sigma_i} F(\pi(i))^{r_i}, g^{s})}{e(F(\pi(i))^{s}, g^{r_i})} \right)^{\nu_i}
\cdot \prod_{j=1}^{r} \left( \frac{e\bigl(g^{t}, (g^{b^2 \cdot ID_j} v^{b})^{s_j}\bigr)}{e\bigl((g^{b \cdot ID} v)^{t}, g^{b \cdot s_j}\bigr)} \right)^{1 / (ID - ID_j)} \\
&= \prod_{i=1}^{\ell_o} e(g, g)^{s \cdot \sigma_i \cdot \nu_i} \cdot \prod_{j=1}^{r} \frac{1}{e(g, g)^{s_j \cdot b^2 \cdot t}} \\
&= e(g, g)^{s \cdot (\alpha + b^2 t)} \cdot \frac{1}{e(g, g)^{s \cdot b^2 \cdot t}} = e(g, g)^{\alpha s}.
\end{aligned}
\]

Theorem 2. If an adversary can break the BKP-ABE2 scheme with advantage ε in the selective security model for (U = Zp, A_LSSS)-BKP-ABE, then a simulator with advantage ε in solving the Decision q-MEBDH problem can be constructed, where the size of the target revoked set |R*| ≤ q.


5 Broadcast Ciphertext-Policy ABE

We now present our two broadcast ciphertext-policy ABE schemes. The first scheme BCP-ABE1 is a combination of the broadcast encryption of Boneh-Gentry-Waters [8] and the CP-ABE of Waters [23] (the random-oracle-free large-universe scheme). The second scheme BCP-ABE2 is a combination of the broadcast encryption of Sahai-Waters [22] and the CP-ABE of Waters. Both schemes have universes U = N = Zp and can deal with any linear secret-sharing access structure A_LSSS.

For each scheme, let m be the maximum size of the subjective attribute set allowed to be assigned to a key, i.e., we restrict |ψ| ≤ m. Let ℓs,max be the maximum number of rows allowed in a subjective access structure matrix. Let m′ = m + ℓs,max − 1. Also, we will restrict ρ to be an injective function as in [23], but we can extend to an unrestricted scheme similarly, also as in [23].

5.1 Construction BCP-ABE1

• Setup: The algorithm first picks a random generator g ∈ G and a random α ∈ Zp. It computes $g_i = g^{(\alpha^i)} \in G$ for i = 1, 2, . . . , n, n+2, . . . , 2n. Next, it randomly picks γ ∈ Zp and sets $v = g^{\gamma} \in G$. It then randomly picks h0, . . . , hm′ ∈ G. The public key is

\[ pk = \bigl(g,\; g_1, \ldots, g_n,\; g_{n+2}, \ldots, g_{2n},\; v,\; h_0, \ldots, h_{m'}\bigr). \]

The master key is msk = (α, γ). It outputs (pk, msk). Define a function F : Zp → G by

\[ F(x) = \prod_{j=0}^{m'} h_j^{(x^j)}. \]

• Encrypt(S, (M, ρ), M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and an LSSS access structure (M, ρ) for the subjective policy. Let M be an ℓs × ks matrix. The algorithm first randomly chooses s, y2, . . . , yks ∈ Zp and lets u = (s, y2, . . . , yks). For i = 1 to ℓs, it calculates λi = Mi · u, where Mi is the vector corresponding to the ith row of M. The ciphertext ct is set to

\[ ct = \bigl(C,\; C^{(1)},\; \{C^{(2)}_i\}_{i \in [1, \ell_s]},\; C^{(3)}\bigr), \]

where

\[ C = M \cdot e(g_n, g_1)^{s}, \qquad C^{(1)} = g^{s}, \qquad C^{(2)}_i = (g_1)^{\lambda_i} F(\rho(i))^{-s}, \qquad C^{(3)} = \Bigl(v \prod_{j \in S} g_{n+1-j}\Bigr)^{s}. \]

• KeyGen(ID, ψ, msk, pk): Inputs to the key generation algorithm are a user index ID ∈ U and an attribute set ψ ⊆ N. The algorithm randomly chooses r ∈ Zp. It outputs the private key as

\[ sk = \bigl(D^{(1)},\; D^{(2)},\; \{D^{(3)}_x\}_{x \in \psi}\bigr) \]

where

\[ D^{(1)} = g^{\alpha^{ID} \gamma + \alpha r}, \qquad D^{(2)} = g^{r}, \qquad D^{(3)}_x = F(x)^{r}. \tag{3} \]

• Decrypt(ct, (S, (M, ρ)), sk, (ID, ψ), pk): Suppose that the attribute set ψ satisfies the access structure (M, ρ) and the user index ID ∈ S (so that the decryption is possible). Let Is = {i | ρ(i) ∈ ψ}. It then calculates the corresponding set of reconstruction constants {(i, μi)}i∈Is = Recon(M,ρ)(ψ). Then it computes the following and obtains message M = C/K.

\[
K = \frac{e(g_{ID}, C^{(3)})}{e\Bigl(\prod_{j \in S,\, j \ne ID} g_{n+1-j+ID},\; C^{(1)}\Bigr)}
\cdot \frac{\prod_{i=1}^{\ell_s} \Bigl( e(C^{(2)}_i, D^{(2)}) \cdot e(C^{(1)}, D^{(3)}_{\rho(i)}) \Bigr)^{\mu_i}}{e(C^{(1)}, D^{(1)})}.
\]

We leave the correctness verification to readers due to limited space here.

Theorem 3. If an adversary can break the BCP-ABE1 scheme with advantage ε in the selective security model for (U = [n], A_LSSS)-BCP-ABE with a challenge subjective access structure matrix of size ℓ*s × k*s such that n ≥ m + k*s, then a simulator with advantage ε in solving the Decision n-BDHE problem can be constructed.

5.2 Construction BCP-ABE2

• Setup: The algorithm first picks random generators g, v, h0, . . . , hm′ ∈ G and random α, a, b ∈ Zp. The public key is

\[ pk = \bigl(g,\; g^{b},\; g^{b^2},\; v,\; v^{b},\; g^{a},\; h_0, \ldots, h_{m'},\; e(g, g)^{\alpha}\bigr). \]

The master key is msk = (α, b). It outputs (pk, msk). Define a function F : Zp → G by

\[ F(x) = \prod_{j=0}^{m'} h_j^{(x^j)}. \]

• Encrypt(S, (M, ρ), M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and an LSSS access structure (M, ρ) for the subjective policy. Let M be an ℓs × ks matrix. Let R = U \ S. Denote R = {ID1, . . . , IDr}. The algorithm first randomly chooses s, y2, . . . , yks ∈ Zp and lets u = (s, y2, . . . , yks). For i = 1 to ℓs, it calculates λi = Mi · u, where Mi is the vector corresponding to the ith row of M. It also chooses random s1, . . . , sr ∈ Zp such that s = s1 + · · · + sr. The ciphertext ct is set to

\[ ct = \bigl(C,\; C^{(1)},\; \{C^{(2)}_i\}_{i \in [1, \ell_s]},\; \{C^{(3)}_j\}_{j \in [1, r]},\; \{C^{(4)}_j\}_{j \in [1, r]}\bigr), \]

where

\[ C = M \cdot (e(g, g)^{\alpha})^{s}, \quad C^{(1)} = g^{s}, \quad C^{(2)}_i = g^{a \lambda_i} F(\rho(i))^{-s}, \quad C^{(3)}_j = g^{b \cdot s_j}, \quad C^{(4)}_j = \bigl(g^{b^2 \cdot ID_j} v^{b}\bigr)^{s_j}. \]

• KeyGen(ID, ψ, msk, pk): Inputs to the key generation algorithm are a user index $ID \in U$ and an attribute set $\psi \subseteq N$. The algorithm randomly chooses $t, r \in \mathbb{Z}_p$. It outputs the private key as $sk = (D^{(1)}, D^{(2)}, \{D^{(3)}_x\}_{x\in\psi}, D^{(4)}, D^{(5)})$ where

$$D^{(1)} = g^{\alpha + b^2 t}\cdot g^{ar},\quad D^{(2)} = g^{r},\quad D^{(3)}_x = F(x)^{r},\quad D^{(4)} = (g^{b\cdot ID} v)^{t},\quad D^{(5)} = g^{t}. \tag{4}$$

• Decrypt(ct, (S, (M,ρ)), sk, (ID, ψ), pk): Suppose that the attribute set ψ satisfies the access structure (M,ρ) and the user index $ID \in S$ (so that decryption is possible). Let $I_s = \{i \mid \rho(i) \in \psi\}$. It then calculates the corresponding set of reconstruction constants $\{(i, \mu_i)\}_{i\in I_s} = \mathrm{Recon}_{(M,\rho)}(\psi)$. Then it computes

$$K = \frac{e(C^{(1)}, D^{(1)})}{\prod_{i=1}^{\ell_s}\big(e(C^{(2)}_i, D^{(2)})\cdot e(C^{(1)}, D^{(3)}_{\rho(i)})\big)^{\mu_i}} \cdot \prod_{j=1}^{r}\left(\frac{e(D^{(5)}, C^{(4)}_j)}{e(D^{(4)}, C^{(3)}_j)}\right)^{1/(ID - ID_j)},$$

which it can compute since $ID \neq ID_j$ for $j = 1, \dots, r$ (as $ID \in S$ while every $ID_j \in R = U \setminus S$). It then obtains $M = C/K$.


Theorem 4. If an adversary can break the BCP-ABE2 scheme with advantage ε in the selective security model for $(U = \mathbb{Z}_p, \mathcal{A}_{LSSS})$-BCP-ABE with a challenge subjective access structure matrix of size $\ell_s^* \times k_s^*$ such that $q \ge m + k_s^*$, then a simulator with advantage ε in solving the Decision q-MEBDH problem can be constructed.

6 Security Proof Overview

Due to limited space, we only give the security proof overview for the proposed schemes here and postpone the full proofs to the full version of this paper.

Since each system is based on the combination of two underlying schemes, the security proof will be based on both proofs of the underlying schemes. It is natural to prove the security by reducing to the stronger of the two base assumptions. To do so, we must extract a problem instance for the other (weaker) base assumption out of the stronger one, so that we can also embed that weaker assumption for the corresponding part of the primitive. We summarize the assumptions and the extracted part in Table 1. The assumption in the gray-colored slot, which is the stronger one, is the actual underlying assumption to which the security of each of our schemes is reduced. Note that the extracted assumption for the fourth scheme is indeed not a problem instance for Decision BDHE; however, we are able to prove the ABE part using this assumption.

Table 1. Assumptions in our broadcast ABE and their underlying BE and ABE (* marks the gray-colored slot, i.e. the stronger assumption to which the scheme's security is reduced)

Scheme   | BE              | ABE            | Extracted assumption
BKP-ABE1 | BGW [8], BDHE*  | GPSW [16], BDH | $(g^{s}, g^{\alpha}, g^{\alpha^{q}}, Z \overset{?}{=} e(g,g)^{\alpha^{q+1}s})$
BKP-ABE2 | SW [22], MEBDH* | GPSW [16], BDH | $(g^{s}, g^{a_1^2}, g^{\alpha/a_1^2}, Z \overset{?}{=} e(g,g)^{\alpha s})$
BCP-ABE1 | BGW [8], BDHE*  | W [23], BDHE   | (none)
BCP-ABE2 | SW [22], MEBDH* | W [23], BDHE   | $(g^{s}, \forall 1\le i,j\le q,\ i\neq j:\ g^{a_i^2}, g^{\alpha/a_i^2}, g^{\alpha a_i^2/a_j^2}, Z \overset{?}{=} e(g,g)^{\alpha s})$

7 Adding Key Delegation

In this section, we describe the key delegation algorithm for each of our four schemes. Due to limited space, we postpone those of the two broadcast CP-ABE schemes to the full-length version of this paper. They can be done quite similarly to the cases of broadcast KP-ABE below with some proper re-randomization.

We can say that our schemes subsume the original BE [8,22] and ABE [16,23], since one can delegate keys in these schemes to our broadcast ABE schemes.

7.1 Delegation in BKP-ABE1

This scheme supports delegation of type $sk_{(\bot,\bot)} \to sk_{(ID,\bot)} \to sk_{(ID,(N,\pi))}$. Note that we can base the KP-ABE portion of BKP-ABE on the access tree based approach instead of the LSSS based approach [16] and obtain a BKP-ABE which also supports delegation of type $sk_{(x,A)} \to sk_{(x,A')}$. We omit the details here.


• Delegate[$sk_{(\bot,\bot)} \to sk_{(ID,\bot)} \to sk_{(ID,(N,\pi))}$]: From the master key $msk = sk_{(\bot,\bot)}$ it computes the key $sk_{(ID,\bot)} = g^{(\alpha_{ID}\gamma)}$. The key $sk_{(ID,\bot)}$ can be delegated to $sk_{(ID,(N,\pi))} = (\{D^{(1)}_i\}_{i\in[1,\ell_o]}, \{D^{(2)}_i\}_{i\in[1,\ell_o]})$ by randomly choosing $z_2, \dots, z_{k_o}, r_1, \dots, r_{\ell_o} \in \mathbb{Z}_p$ and setting

$$D^{(1)}_i = \big(sk_{(ID,\bot)}\big)^{N_{i,1}}\; g^{\sum_{j=2}^{k_o} N_{i,j} z_j}\; F(\pi(i))^{r_i},\qquad D^{(2)}_i = g^{r_i}.$$

We can show that this key has the same distribution as the one from KeyGen by implicitly defining $v = (\alpha_{ID}\gamma, z_2, \dots, z_{k_o})$ and observing that $D^{(1)}_i = g^{N_i\cdot v}F(\pi(i))^{r_i}$ as required.

7.2 Delegation in BKP-ABE2

This scheme supports delegation of both types: $sk_{(\bot,\bot)} \to sk_{(ID,\bot)} \to sk_{(ID,(N,\pi))}$ and $sk_{(\bot,\bot)} \to sk_{(\bot,(N,\pi))} \to sk_{(ID,(N,\pi))}$. Again, we can base our scheme on the access tree approach and obtain delegation of type $sk_{(x,A)} \to sk_{(x,A')}$.

• Delegate[$sk_{(\bot,\bot)} \to sk_{(ID,\bot)} \to sk_{(ID,(N,\pi))}$]: From the master key $msk = sk_{(\bot,\bot)}$ it computes the key $sk_{(ID,\bot)} = (D^{(1)}, D^{(3)}, D^{(4)})$ by randomly choosing $t \in \mathbb{Z}_p$ and setting

$$D^{(1)} = g^{\alpha + b^2 t},\qquad D^{(3)} = (g^{b\cdot ID} v)^{t},\qquad D^{(4)} = g^{t}.$$

The key $sk_{(ID,\bot)}$ can then be delegated to the key $sk_{(ID,(N,\pi))} = (\{D'^{(1)}_i\}_{i\in[1,\ell_o]}, \{D'^{(2)}_i\}_{i\in[1,\ell_o]}, D'^{(3)}, D'^{(4)})$ by randomly choosing $z_2, \dots, z_{k_o}, r_1, \dots, r_{\ell_o}, t' \in \mathbb{Z}_p$ and setting

$$D'^{(1)}_i = \big(D^{(1)} \cdot (g^{b^2})^{t'}\big)^{N_{i,1}}\; g^{\sum_{j=2}^{k_o} N_{i,j} z_j}\; F(\pi(i))^{r_i},\qquad D'^{(2)}_i = g^{r_i},$$
$$D'^{(3)} = D^{(3)} \cdot (g^{b\cdot ID} v)^{t'},\qquad D'^{(4)} = D^{(4)} \cdot g^{t'}.$$

We can show that this key has the same distribution as the one from KeyGen by implicitly defining $v = (\alpha + b^2(t + t'), z_2, \dots, z_{k_o})$ and observing that $D'^{(1)}_i = g^{N_i\cdot v}F(\pi(i))^{r_i}$ as required. The other terms are immediate.

• Delegate[$sk_{(\bot,\bot)} \to sk_{(\bot,(N,\pi))} \to sk_{(ID,(N,\pi))}$]: From the master key $msk = sk_{(\bot,\bot)}$ it computes the key $sk_{(\bot,A)} = (\{D^{(1)}_i\}_{i\in[1,\ell_o]}, \{D^{(2)}_i\}_{i\in[1,\ell_o]})$ as follows. It randomly chooses $z_2, \dots, z_{k_o}, r_1, \dots, r_{\ell_o} \in \mathbb{Z}_p$ and lets $u = (\alpha, z_2, \dots, z_{k_o})$. For $i = 1$ to $\ell_o$, it calculates $\sigma_i = N_i \cdot u$. It then lets

$$D^{(1)}_i = g^{\sigma_i} F(\pi(i))^{r_i},\qquad D^{(2)}_i = g^{r_i}.$$

The key $sk_{(\bot,A)}$ can then be delegated to the key $sk_{(ID,(N,\pi))} = (\{D'^{(1)}_i\}_{i\in[1,\ell_o]}, \{D'^{(2)}_i\}_{i\in[1,\ell_o]}, D'^{(3)}, D'^{(4)})$ by randomly choosing $z'_2, \dots, z'_{k_o}, r'_1, \dots, r'_{\ell_o}, t \in \mathbb{Z}_p$ and setting

$$D'^{(1)}_i = D^{(1)}_i \cdot (g^{b^2})^{t N_{i,1}}\; g^{\sum_{j=2}^{k_o} N_{i,j} z'_j}\; F(\pi(i))^{r'_i},\qquad D'^{(2)}_i = D^{(2)}_i \cdot g^{r'_i},$$
$$D'^{(3)} = (g^{b\cdot ID} v)^{t},\qquad D'^{(4)} = g^{t}.$$


We can show that this key has the same distribution as the one from KeyGen by implicitly defining $v = (\alpha + b^2 t, z_2 + z'_2, \dots, z_{k_o} + z'_{k_o})$ and observing that $D'^{(1)}_i = g^{N_i\cdot v}F(\pi(i))^{r_i + r'_i}$ as required. The other terms are immediate.

8 Efficiency

Table Description. In this section, we give an efficiency comparison using Table 2. Each amount in the table shows the number of group elements in $\mathbb{G}$, which is a bilinear group with bilinear map $\mathbb{G}\times\mathbb{G}\to\mathbb{G}_T$. The exception is that for those values marked with †, one element of $\mathbb{G}_T$ is included in that amount. |cipher|, |priv|, |pub| are the sizes of the ciphertext for key encapsulation, the private key and the public key respectively. Here r is the number of revoked users and n is the number of all users. Let t be the number of rows in the LSSS access structure matrix, which equals the number of attributes appearing in the access structure. Recall that an access structure is associated with the ciphertext in the case of ciphertext-policy ABE and with the private key in the case of key-policy ABE. Let ℓ be the maximum size allowed for t. Let k be the size of the attribute set (associated with the private key in the case of ciphertext-policy ABE and with the ciphertext in the case of key-policy ABE). Let m be the maximum size allowed for k.

The OSW scheme refers to the scheme mentioned implicitly in §3.5 of [20]. The amount in the gray-colored column shows the overhead of the present revocable scheme over its underlying original (non-revocable) ABE scheme: the underlying CP-ABE of the OSW scheme [20] is the Bethencourt et al. scheme [5] (whose security proof is done only in the generic group and random oracle model); the underlying CP-ABE of both BCP-ABE1,2 is Waters' CP-ABE [23]; the underlying KP-ABE of both BKP-ABE1,2 is the KP-ABE of Goyal et al. [16]. In particular, the amount excluding the gray column is the efficiency of those original schemes.

Table 2. Efficiency comparison among directly revocable ABE schemes (each size is written as the original ABE amount followed by the revocation overhead, which is the gray column in the original layout; a † marks an amount that includes one element of $\mathbb{G}_T$)

                    Revocable CP-ABE                    Revocable KP-ABE
Previous   OSW [20]                                     None
           |cipher| = (2t + 1) + O(r)
           |priv|   = (2k + 2) · (log n)
           |pub|    = (3† · log n) + O(n)
Ours       BCP-ABE1                                     BKP-ABE1
           |cipher| = (t + 1) + 1                       |cipher| = (k + 1) + 1
           |priv|   = (k + 2)                           |priv|   = (2t)
           |pub|    = (m + ℓ + 3)† + (2n − 1)           |pub|    = (m + 4) + (2n − 2)
           BCP-ABE2                                     BKP-ABE2
           |cipher| = (t + 1) + 2r                      |cipher| = (k + 1) + 2r
           |priv|   = (k + 2) + 2                       |priv|   = (2t) + 2
           |pub|    = (m + ℓ + 3)† + 4                  |pub|    = (m + 4) + 3†

Efficiency of Revocable ABE. The BKP-ABE1 scheme has almost the same efficiency in ciphertext and private key sizes as the original (non-revocable) KP-ABE of Goyal et al. [16], albeit with a large public key size linear in n. The BKP-ABE2 scheme reduces the public key size to almost that of the original (non-revocable) KP-ABE, while the ciphertext requires only 2r additional group elements. Note that these are the first fully functional directly revocable KP-ABE schemes in the literature. The efficiency performance also holds similarly for the revocable CP-ABE variant. In particular, it performs better than the previous OSW scheme, whose ciphertext requires O(r) additional elements and whose private key carries a multiplicative log n overhead over the original scheme. Note that we can improve all four proposed schemes by using a random oracle; the resulting schemes reduce the public key size by m elements.

We finally note two implicit possible schemes. Applying the Sahai-Waters negated clause framework [22] to Waters' CP-ABE (analogously to the KP case described in §5 of [22]), one can obtain a CP-ABE that supports negated clauses, which can be used as a revocable CP-ABE as described in §1. This improves on the OSW scheme but is still less efficient than our dedicated BCP-ABE. Furthermore, concurrently with this paper, Attrapadung and Imai [3] recently proposed a new variant of ABE called dual-policy ABE (DP-ABE), which is a conjunctively combined scheme from KP and CP ABE. By using negated clauses in the CP part, DP-ABE gives a revocable KP-ABE, but our dedicated BKP-ABE schemes are more efficient.

Efficiency of Disjunctive Multi-authority ABE. The efficiency from Table 2 translates to the disjunctive multi-authority ABE application as it is, where n is the number of all authorities and r = n − |S| is the number of revoked authorities. For the ciphertext-policy case, the only previous scheme is the trivial concatenated scheme, whose ciphertext carries a multiplicative overhead of |S| over the original ABE scheme. For the key-policy case, a simple multi-authority scheme which is better than the trivial one can be constructed from KP-ABE by setting the authority key using policy ID. The key for policy A derived from this authority is set using policy ID ∧ A. Encrypting to attribute set ω is done by associating ω ∪ {S} with the ciphertext. This scheme adds an overhead of |S| to the ciphertext size. Our first BCP and BKP ABE schemes are more efficient: their ciphertext size is roughly the same as that of the original ABE.

References

1. Aiello, W., Lodha, S., Ostrovsky, R.: Fast digital identity revocation (extended abstract). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 137–152. Springer, Heidelberg (1998)

2. Attrapadung, N., Imai, H.: Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 100–120. Springer, Heidelberg (2005)

3. Attrapadung, N., Imai, H.: Dual-policy attribute based encryption. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 168–185. Springer, Heidelberg (2009)

4. Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006)


5. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy 2007, pp. 321–334 (2007)

6. Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: ACM Conference on Computer and Communications Security 2008, pp. 417–426 (2008)

7. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)

8. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)

9. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455–470. Springer, Heidelberg (2008)

10. Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007)

11. Dodis, Y., Fazio, N.: Public-key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2002)

12. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1993)

13. Gentry, C.: Certificate-based encryption and the certificate revocation problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 272–293. Springer, Heidelberg (2003)

14. Golle, P., Staddon, J., Gagne, M., Rasmussen, P.: A content-driven access control system. In: Symposium on Identity and Trust on the Internet, IDtrust 2008, pp. 26–35 (2008)

15. Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attribute-based encryption. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 579–591. Springer, Heidelberg (2008)

16. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: ACM Conference on Computer and Communications Security 2006, pp. 89–98 (2006)

17. Micali, S.: Efficient certificate revocation. Tech. Report MIT/LCS/TM-542b (1996)

18. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001)

19. Naor, M., Pinkas, B.: Efficient trace and revoke schemes. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 1–20. Springer, Heidelberg (2001)

20. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with non-monotonic access structures. In: ACM Conference on Computer and Communications Security 2007, pp. 195–203 (2007)

21. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)

22. Sahai, A., Waters, B.: Revocation systems with very small private keys. Cryptology ePrint Archive: Report 2008/309 (2008)

23. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. Cryptology ePrint Archive: Report 2008/290 (2008)


Author Index

Attrapadung, Nuttapong 248
Belenkiy, Mira 114
Benger, Naomi 52, 78, 102
Bonnecaze, Alexis 35
Boyd, Colin 89, 206
Charlemagne, Manuel 52, 78, 102
Chase, Melissa 114
Costello, Craig 89
Dominguez Perez, Luis J. 78, 102
Freeman, David Mandell 52
Fuchsbauer, Georg 132
Funabiki, Nobuo 171
Gabillon, Alban 35
Gonzalez Nieto, Juan 89, 206
Hira, Yuta 171
Hisil, Huseyin 89
Imai, Hideki 248
Jao, David 1
Kachisa, Ezekiel J. 78, 102
Kohlweiss, Markulf 114, 231
Le, Duc-Phong 35
Lee, Hyang-Sook 66
Libert, Benoît 187
Lippold, Georg 206
Lysyanskaya, Anna 114
Nakanishi, Toru 171
Park, Cheol-Min 66
Pointcheval, David 132
Preneel, Bart 231
Rial, Alfredo 231
Rückert, Markus 17
Schröder, Dominique 17
Scott, Michael 78, 102
Smart, Nigel P. 150
Warinschi, Bogdan 150
Wong, Kenneth Koon-Ho 89
Yoshida, Kayo 1
Yung, Moti 187

