1 Introduction

Among numerous mechanisms for user authentication, passwords are definitely the most commonly used method of accessing modern computer networks and information systems [1]. Password authentication, usually integrated with key exchange simultaneously, has been proven to enjoy many advantages. For example, it can be easily operated and deployed as it only requires users to remember low-entropy passwords [2]; it is naturally compatible with various authentication means such as smart cards and biometric templates because passwords are convenient to obtain [3]. As a consequence, much attention has been paid on the fundamental security of passwords [4], the theoretical analyses and designing techniques of password authenticated key exchange (PAKE) protocols [5], as well as the standardization of password authentication schemes [6].

Anonymous Password Authenticated Key Exchange. Along with the increased awareness of security and privacy, there is an urgent need for strengthening the widely deployed PAKE protocols with additional anonymity property [7]. To be specific, it is desirable to authenticate legitimate users via low-entropy passwords while keeping their actual identities private to outside adversaries and even to the server.

To address this need, Viet et al. [8] proposed the first anonymous password authenticated key exchange (APAKE) protocol, through neatly blending an oblivious transfer (OT) protocol into a traditional two-party PAKE scheme. Since then, many research results have been put forward on the construction of more secure and more efficient APAKE protocols, either in password-only setting [9,10,11,12] or in the storage-extra setting [13,14,15,16]. Furthermore, the international organization for standardization (ISO) has developed and published the international standard ISO/IEC 20009-4 [17], which standardizes both the above two types of APAKE protocols.

For password-only APAKE protocols [8, 11, 12], a password is the only long-term secret that a user needs. They are very convenient from a user’s point of view, but enjoy poor scalability since the computational complexity is in linear proportion to the number N of possible users [13]. As an innovative solution, APAKE protocols in the storage-extra setting were proposed by Yang et al. [13, 14], and further improved by Zhang et al. [15] and Shin et al. [16], in which each user obtains a credential from the server, protects it by her password and stores the password-wrapped credential on some public storage (e.g., a public directory or an ipad). Then, in the authentication phase, the user recovers the credential via using her password and shows the possession of a valid credential to the server in an anonymous way, usually relying on some appropriate zero-knowledge proof systems. Notably, the computational cost needed by the server in the storage-extra setting is independent of the number of registered users, thus breaking the lower bound \(\mathcal {O}(N)\) in the password-only setting.

However, we note that most of the existing APAKE protocols are developed in the random oracle model. Specifically, only few of APAKE protocols in the password-only setting [12, 18] and, to the best of our knowledge, no APAKE protocols in the storage-extra setting have been proven secure in the standard model. Note that the random oracle model is only an ideal abstraction for the cryptographic hash functions, and there exists no random oracle definition that a public PPT algorithm can hope to satisfy [19]. Therefore, it is urgent to design storage-extra APAKE protocols in the standard model.

Storage-Extra APAKE in the Standard Model. Although we might be able to adapt classic storage-extra APAKE protocols to provide security in the standard model by adopting zero-knowledge proof schemes in the standard model (and without pairing-based assumptions). This approach will inherently increase the round number of the resulting APAKE protocols, since it is well known that one zero-knowledge proof typically requires at least three moves in this scenario.

The situation seems to be changed with the introduction of designated-verifier non-interactive zero-knowledge (DVNIZK) proof systems by Chaidos et al. [20], which could provide proof of knowledge for a wide variety of algebraic statements related with some public words. One may wish to construct storage-extra APAKE protocols in standard model by starting from the efficient APAKE protocol [15] in the random oracle model based on algebraic message authentication codes (MACs) [21], and simply replacing the underlying zero-knowledge proof systems by some kind of DVNIZK proof schemes. Nevertheless, it is shown by Couteau et al.’s work [22] that constructing DVNIZK proof schemes compatible with algebraic MACs is not as simple as we first thought, because that the secret MAC keys have been re-used in the verification of the DVNIZK proofs. The solution developed by Couteau et al. consists of not only introducing additional random masks (i.e., \(t_i \cdot G\) in Sect. 5.2 of [22]), but also requiring the underlying algebraic MAC scheme to satisfy a stronger (and cumbersome) notion of unforgeability called extended unforgeability.

Our Contributions. In this paper, we present a new storage-extra APAKE protocol in the standard model by further exploiting the construction of DVNIZK proof system compatible with algebraic MACs. Our main contributions can be summarized as follows:

  • We give out a new construction of the oblivious DVNIZK proof scheme compatible with a new class of algebraic MAC schemes. Recall that Couteau et al. constructed oblivious DVNIZK proofs only for the algebraic MAC scheme abstracted from \(MAC_{\mathtt {GGM}}\), which is one of the two MAC schemes presented in [23]. We present an oblivious DVNIZK proof system for a class of algebraic MAC schemes generalized from \(MAC_{\mathtt {wBB}}\), which is based on the weak Boneh-Boyen signature [24].

  • We avoid the requirement of the cumbersome security notion of extended unforgeability for the algebraic MAC scheme, which is quite hard to be verified and brings additional difficulties to the security proof. Note that the main reason for such a complicated definition is that the secret MAC key has been reused in the verification process of the DVNIZK proof. We overcome this obstacle by simulating verification oracles of the DVNIZK proof through the outputs of the MAC scheme instead of the MAC key.

  • We present the first storage-extra APAKE protocol in the standard model without pairing-based assumptions, based on algebraic MACs and oblivious DVNIZK proofs. Beyond proving possession of a credential on a single value of identity, our construction can support credentials certifying many attributes at once and thus could handle more complex access policies such as expiration dates and access rights. Our APAKE protocol needs only 2 flows of messages during the authentication phase, which is very efficient in terms of round efficiency.

Organization. In Sect. 2, we briefly recall the necessary preliminaries. In Sect. 3, our construction of an oblivious DVNIZK proof system for a new class of algebraic MAC scheme is presented. Then, a new storage-extra APAKE protocol in the standard model is proposed in Sect. 4.

2 Preliminaries

In this section, we review the main cryptographic primitives needed in our construction. Throughout this paper, \(\lambda \) denotes the security parameter.

2.1 Algebraic Message Authentication Codes

A message authentication code (MAC) is defined by the following four PPT algorithms \(M = (M.Setup,\) M.KeyGenM.MacM.Verify) with an associated tag space \(\mathcal {T}\), such that

  • \(M.Setup(1^{\lambda })\) sets up the public parameters \(\mathtt {pp}\) of the MAC, which will be implicitly (or explicitly) passed as an argument to the algorithms below.

  • \(M.KeyGen(\mathtt {pp})\) is a key generation algorithm which takes as input the public parameters \(\mathtt {pp}\), outputs a secret key sk and public issuer parameters \(\mathtt {ipp}\);

  • M.Mac(skm) is a MAC algorithm which takes as input the key sk and a message m, generates an authentication tag \(\sigma \) on the message;

  • \(M.Verify(sk,m,\sigma )\) is the verification algorithm which takes as input the key sk, a message m and a tag \(\sigma \), outputs \(b=1\) when \(\sigma \) is a valid tag with respect to sk and m and outputs \(b=0\) otherwise.

We will need MAC schemes that are existentially unforgeable under chosen message and verification attacks (\(\mathtt {UF}\)-\(\mathtt {CMVA}\)).

Definition 1

(\(\mathtt {UF}\)-\(\mathtt {CMVA}\) Security). A MAC scheme M is \(\mathtt {UF}\)-\(\mathtt {CMVA}\) secure if for any PPT adversary \(\mathcal {A}\) which has access to the public issuer parameters \(\mathtt {ipp}\) as well as the MAC and verification oracles, it holds that

$$ \Pr \left[ \begin{aligned}&Q\leftarrow \emptyset , \mathtt {pp} \leftarrow M.Setup(1^{\lambda }),\\&(sk,\mathtt {ipp})\leftarrow M.KeyGen(\mathtt {pp}), \\&(m,\sigma )\leftarrow \mathcal {A}^{\mathcal {O}_{sk}(\cdot )}(\mathtt {pp},\mathtt {ipp}) \end{aligned} : \begin{aligned}&M.Verify(sk,m,\sigma )=1, \\&\wedge m\notin Q \end{aligned} \right] \le negl(\lambda ), $$

where the oracle \({\mathcal {O}_{sk}(\cdot )}\) treats the MAC and verification queries as follows: \(\mathcal {O}.Mac(m)\) outputs M.Mac(skm) and sets \(Q\leftarrow Q\cup \{m\}\); \(\mathcal {O}.Verify(m,\sigma )\) outputs \(M.Verify(sk,m,\sigma )\).

For our purpose, we additionally require the MAC scheme to satisfy pseudorandomness property, which means that, as long as the MAC key is kept secret, no PPT adversary could distinguish a valid MAC tag from a random one. Based on the definitions of pseudorandom functions (PRFs) and weak pseudorandomness [15], we define the pseudorandomness property as follows.

Definition 2

(Pseudorandomness). A MAC scheme M is said to satisfy pseudorandomness property, if for any PPT adversary \(\mathcal {A}\), it holds that

$$ \Pr \left[ \begin{aligned}&\mathtt {pp} \leftarrow M.Setup(1^{\lambda }),\\&(sk,\mathtt {ipp})\leftarrow M.KeyGen(\mathtt {pp}),\\&(m^{*},\mathtt {st})\leftarrow \mathcal {A}^{\mathcal {O}.Mac(\cdot )}(\mathtt {ipp}),\\&\sigma _0 = M.Mac(sk,m^{*}), \sigma _1 \leftarrow \mathcal {T},\\&b\leftarrow \{0,1\}, b^{\prime } = \mathcal {A}^{\mathcal {O}.Mac(\cdot )}(y_b,\mathtt {st}) \end{aligned} : b^{\prime } = b \right] \le \frac{1}{2} + negl(\lambda ). $$

Algebraic MACs are a special kind of MACs that consist of only group operations instead of block ciphers or hash functions, thus easily suitable for efficient zero-knowledge proof of statements related to these MAC tags. In [23], Chase et al. proposed the first two algebraic MACs with efficient protocols for proof of knowledge, which are based on generic group model (GGM) and decisional Diffie-Hellman (DDH) assumption respectively. Since then, several improved algebraic MAC schemes have been put forward [15, 25, 26].

In this paper, we will use the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\) proposed in [26], which is based on the weak Boneh-Boyen signature [24]. Denote by \(\beta \) a positive integer and \(\mathbf{m}= (m_1,m_2,\cdots ,m_\beta )\) a vector of message. Let \(GGen(1^\lambda )\) be an efficient algorithm which generates a multiplicative group \(\mathbb {G}\) of order p and a generator g of this group. The scheme consists of the following algorithms.

  • \(M.Setup(1^{\lambda })\) outputs \(\mathtt {pp} = (\mathbb {G},g,p) \leftarrow GGen(1^\lambda )\);

  • \(M.KeyGen(\mathtt {pp})\) chooses randomly \(\beta +1\) elements \(x_i \leftarrow \mathbb {Z}_p^{*}\), computes \(X_i = g^{x_i}\) for every \(i \in \{0,1,\cdots ,\beta \}\). Then, the secret key is \(sk = (x_0,x_1,\cdots ,x_\beta )\) and the public issuer parameter is \(\mathtt {ipp} = (X_0,X_1, \cdots ,X_\beta )\);

  • \(M.Mac(sk,\mathbf{m})\) takes as input the key \(sk = (x_0,x_1,\cdots ,x_\beta )\) and a vector of messages \(\mathbf{m}= (m_1,m_2,\cdots ,m_\beta )\), computes \(\sigma = g^{{1}/(x_0 + \sum _{j=1}^{\beta }{ x_j \cdot m_j })}\) and \(\sigma _j = \sigma ^{x_j}\) for \(j=1,2,\cdots , \beta \)Footnote 1, and sets the MAC tag as \(\varSigma = (\sigma , \sigma _1,\cdots , \sigma _{\beta })\);

  • \(M.Verify(sk,\mathbf{m},(\sigma , \sigma _1,\cdots , \sigma _{\beta }))\) is the verification algorithm, which outputs \(b=1\) iff \(\sigma = g^{{1}/(x_0 + \sum _{j=1}^{\beta }{ x_j \cdot m_j })}\) and \(\sigma _j = \sigma ^{x_j}\) for \(j=1,2,\cdots , \beta \).

With respect to the security, it has been proven by Camenisch et al. [26] that this algebraic MAC scheme is \(\mathtt {UF}\)-\(\mathtt {CMVA}\) under the SCDHI assumption, which is a computational variation of the SDDHI assumption [27]. Moreover, we can easily prove that under the SDDHI assumption this algebraic MAC scheme satisfies the pseudorandomness property.

Theorem 1

If the SDDHI and SCDHI assumptions hold in group \(\mathbb {G}\), then the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\) satisfies the pseudorandomness property.

2.2 Additively Homomorphic Encryption Schemes

A public key encryption scheme is defined as a triple of PPT algorithms \(\mathcal {E} = (\mathcal {E}.KeyGen, \mathcal {E}.Enc, \mathcal {E}.Dec)\) with an associated message space \(\mathbb {Z}_{N}\) and a random space \(\mathbb {Z}_{R}\), such that

  • \(\mathcal {E}.KeyGen(1^{\lambda })\) takes as input the security parameter \(1^{\lambda }\) and outputs a pair of encryption and decryption keys (ekdk);

  • \(\mathcal {E}.Enc(ek,m;r)\) takes as input a public encryption key ek, a message \(m \in \mathbb {Z}_{N}\) and a random value \(r \in \mathbb {Z}_{R}\), and outputs a ciphertext c;

  • \(\mathcal {E}.Dec(dk,c)\) takes as input a decryption key dk and a ciphertext c, and outputs a message m or \(\perp \).

The \(\mathtt {IND}\)-\(\mathtt {CPA}\) security for a public key encryption scheme is defined as follows.

Definition 3

(\(\mathtt {IND}\)-\(\mathtt {CPA}\) Security). A public key encryption scheme \(\mathcal {E}\) is \(\mathtt {IND}\)-\(\mathtt {CPA}\) secure, if for any PPT adversary \(\mathcal {A}\), it holds that

$$ \Pr \left[ \begin{aligned}&(ek,dk)\leftarrow \mathcal {E}.KeyGen(1^{\lambda }),\\&(m_0,m_1,\mathtt {st}) \leftarrow \mathcal {A}(ek), b\leftarrow \{0,1\},\\&r\leftarrow \mathbb {Z}_{R}, c\leftarrow \mathcal {E}.Enc(ek,m_b;r), b^{\prime } = \mathcal {A}(\mathtt {st},c) \end{aligned} : b^{\prime } = b \right] \le \frac{1}{2} + negl(\lambda ). $$

In this paper, we focus on public key encryption schemes that are additively homomorphic for both the message and the random value. We say that an encryption scheme is strongly additive, if there exists an efficient operation \(\oplus \) such that for any key pair \((ek,dk)\leftarrow \mathcal {E}.KeyGen(1^{\lambda })\), any two ciphertexts \(c_i = \mathcal {E}.Enc(ek,m_i;r_i)\) of messages \(m_i \in \mathbb {Z}_{N}\) under the randomness \(r_i \in \mathbb {Z}_{R}\) for \(i\in \{1,2\}\), it holds that \(c_1 \oplus c_2 = \mathcal {E}.Enc(ek,m_1+m_2 \mod N;r_1+r_2 \mod R)\). For an integer \(\rho \in \mathbb {Z}\), we denote by \(\rho \odot c\) the ciphetext \(\mathcal {E}.Enc(ek,\rho m \mod N;\rho r \mod R)\), which can be efficiently computed using the formula of the form \(\mathcal {E}.Enc(ek,m;r)\oplus \cdots \oplus \mathcal {E}.Enc(ek,m;r)\). Moreover, given two ciphertexts \(c,c^{\prime }\), we denote by \(c\ominus c^{\prime }\) the operation \(c \oplus ((-1) \odot c^{\prime })\).

A strongly additive encryption scheme \(\mathcal {E}\) is further said to be DVNIZK-friendly, if \(gcd(N,R)=1\) and for any \((ek,dk)\leftarrow \mathcal {E}.KeyGen(1^{\lambda })\), the value \(\mathcal {E}.Enc(ek,m;0)\) is efficiently decodable to get the plaintext \(m \mod N\). For DVNIZK-friendly encryption scheme over groups \(\mathbb {Z}_{N}\) of composite order of the form \(N=pq\), we can resort to a slight variation [20, 28] of the well-known Paillier encryption scheme [29]; For groups \(\mathbb {Z}_{N}\) of prime order \(N=p\), we could instantiate it with the Castagnos-Laguillaumie encryption scheme [30].

Note that the above encryption/decryption algorithms and scalar product could be extended to vectors in a natural way. For example, given vectors \(\mathbf{m}=(m_1,m_2,\cdots ,m_\beta )\) and \(\mathbf{r}=(r_1,r_2,\cdots ,r_\beta )\) of the length \(\beta \ge 1\), we could view \(\mathcal {E}.Enc(ek,\mathbf{m};\mathbf{r})\) as the vector \((\mathcal {E}.Enc(ek,m_i;r_i))_{i=1}^{\beta }\). Given \(\mathbf{\rho } = (\rho _1,\rho _2,\cdots ,\rho _{\beta })\) and \(c=\mathcal {E}.Enc(ek,m;r)\), we let \(\mathbf{\rho } \odot c\) denote the vector \((\mathcal {E}.Enc(ek,\rho _i m;\rho _i r))_{i=1}^{\beta }.\)

2.3 Designated-Verifier Non-interactive Zero-Knowledge Proof

A designated-verifier non-interactive zero-knowledge (DVNIZK) proof system [20] for a family of languages \( \{\mathfrak {L}_{\mathtt {crs}}\}\) consists of four algorithms \(\varPi = (\varPi .Setup, \) \(\varPi .KeyGen, \varPi .Prove, \varPi .Verify)\). The setup algorithm \(\varPi .Setup(1^\lambda )\) outputs a common reference string \(\mathtt {crs}\); The algorithm \(\varPi .KeyGen(\mathtt {crs})\) outputs a public proving key pk and a secret verification key vk; The proving algorithm \(\varPi .Prove(pk,x,w)\) takes as input the proving key pk, a word x and a witness w for the statement \(x \in \mathfrak {L}_{\mathtt {crs}}\), generates a proof \(\pi \); The verification algorithm \(\varPi .Verify(pk,vk,x,\pi )\) outputs \(b\in \{0,1\}\) indicating either accept or reject.

However, when taking an algebraic MAC tag with respect to a user’s identity as her credential, the original definition of DVNIZK proof system cannot be directly used to prove knowledge of the identity. The main difficulty is that the MAC verification cannot be carried out by the user while she does not know the secret MAC key. To tackle this problem, Couteau et al. [22] introduced a new primitive called oblivious DVNIZK proof system, which can be used to prove knowledge of a witness w corresponding to a secret relation \(R({sk},w,x)=1\) with sk unknown to the prover.

In this paper, we will focus on secret relations \(\{R_{\mathtt {crs}}(sk,\cdot ,\cdot )\}\) and languages \(\{\mathfrak {L}_{\mathtt {crs}}\}\) that are defined by algebraic MAC schemes. Given a MAC scheme M with secret MAC key sk, we will simply set sk as the secret relation key, and take a MAC message and tag pair as a witness and word pair, in the sense that \(R_{\mathtt {crs}}({sk},w,x)=1\) and \(x \in \mathfrak {L}_{\mathtt {crs}}\) if and only if \(M.Verify(sk,w,x)=1\).

Definition 4

(Oblivious DVNIZK Proof [22]). An oblivious DVNIZK proof system for a family of languages related with secret relations \(\{R_{\mathtt {crs}}\}\) is defined by the following algorithms \(\varPi = (\varPi .Setup,\varPi .RelSetup,\) \(\varPi .KeyGen,\) \(\varPi .Prove,\) \(\varPi .Verify)\), such that

  • \(\varPi .Setup(1^\lambda )\) takes as input the security parameter \(1^\lambda \), outputs a common reference string \(\mathtt {crs}\) and a trapdoor \(\mathtt {td}\);

  • \(\varPi .RelSetup(\mathtt {crs})\) generates a secret key sk for the secret relation, together with some public issuer parameters \(\mathtt {ipp}\);

  • \(\varPi .KeyGen(\mathtt {crs})\) outputs a key pair (pkvk), consisting of a public proving key pk and a secret verification key vk;

  • \(\varPi .Prove(\mathtt {crs},\mathtt {ipp},pk,(x_p,x_s),w)\) takes as input the parameters \(\mathtt {crs},\mathtt {ipp}\), the proving key pk, a word \(x=(x_p,x_s)\in \mathfrak {L}_{\mathtt {crs}}\) consisting of a public subword \(x_p\) and a secret subword \(x_s\), and a witness for the relation \(R_{\mathtt {crs}}(sk,w,x)=1\), then outputs a proof \(\pi \);

  • \(\varPi .Verify(\mathtt {crs},\mathtt {ipp},pk,vk,sk,x_p,\pi )\) is the verification algorithm which verifies whether a proof \(\pi \) is valid with respect to the relation \(R_{\mathtt {crs}}(sk,w,x)=1\). It outputs \(b=1\) if the proof is valid and \(b=0\) otherwise.

We say that an oblivious DVNIZK proof system is secure, if it satisfies completeness, knowledge extractability (which is a strengthening of soundness) and oblivious zero-knowledge properties defined as follows.

Definition 5

(Completeness). An oblivious DVNIZK proof system \(\varPi \) satisfies completeness property, if for all parameters \((\mathtt {crs},\mathtt {td}) \leftarrow \varPi .Setup(1^\lambda )\), \((sk,\mathtt {ipp}) \leftarrow \varPi .RelSetup(\mathtt {crs})\), \((pk,vk) \leftarrow \varPi .KeyGen(\mathtt {crs})\), and every proof \(\pi \leftarrow \varPi .Prove(\mathtt {crs},\mathtt {ipp},pk,(x_p,x_s),w)\), it holds that \(\varPi .Verify(\mathtt {crs},\mathtt {ipp},pk,vk,\) \(sk,x_p,\pi ) = 1.\)

Definition 6

(Knowledge Extractability). An oblivious DVNIZK proof system \(\varPi \) for secret relations \(\{R_{\mathtt {crs}}\}\) defined by an algebraic MAC M is said to satisfy knowledge extractability property, if for every PPT adversary \(\mathcal {A}\), there exists an efficient extracting algorithm Ext such that

$$ \Pr \left[ \begin{aligned}&(\mathtt {crs},\mathtt {td}) \leftarrow \varPi .Setup(1^\lambda ),\\&(sk,\mathtt {ipp}) \leftarrow \varPi .RelSetup(\mathtt {crs}),\\&(pk,vk) \leftarrow \varPi .KeyGen(\mathtt {crs}),\\&(\pi ,x_p) \leftarrow \mathcal {A}^{O_{M.Mac},O_{\varPi .Ver}}(\mathtt {crs},\mathtt {ipp},pk)\\&(x_s,w) \leftarrow Ext(\mathtt {crs},\mathtt {ipp},pk,x_p,\pi ,\mathtt {td}) \end{aligned} : \begin{aligned}&R_{\mathtt {crs}}({sk},w,(x_p,x_s))=0, \\&\varPi .Verify(\mathtt {crs},\mathtt {ipp},pk,\\&\quad \quad \ vk, sk,x_p,\pi ) = 1 \end{aligned} \right] \le negl(\lambda ), $$

where the oracle \(O_{M.Mac}(\cdot )\) denotes \(M.Mac(sk,\cdot )\), and the oracle \(O_{\varPi .Ver}(\cdot ,\cdot )\) denotes \(\varPi .Verify(\mathtt {crs},\mathtt {ipp},pk,vk,sk,\cdot ,\cdot )\). In addition, it is required that the oracle \(O_{\varPi .Ver}(\cdot ,\cdot )\) should be efficiently simulated, when the secret key sk is replaced by oracle access to \(M.Verify(sk,\cdot ,\cdot )\).

Definition 7

(Oblivious Zero Knowledge). An oblivious DVNIZK proof system \(\varPi \) for secret relations \(\{R_{\mathtt {crs}}\}\) defined by an algebraic MAC M is said to satisfy oblivious zero knowledge property, if for every PPT adversary \(\mathcal {A}\), there exists an efficient algorithm Sim such that

$$ \left| \Pr \left[ \begin{aligned}&(\mathtt {crs},\mathtt {td}) \leftarrow \varPi .Setup(1^\lambda ),\\&(pk,vk) \leftarrow \varPi .KeyGen(\mathtt {crs}),\\&(x,w,sk,\mathtt {ipp},\mathtt {st}) \leftarrow \mathcal {A}(\mathtt {crs},pk,vk)\\&\pi \leftarrow \varPi .Prove(\mathtt {crs},\mathtt {ipp},pk,x,w) \end{aligned} : \begin{aligned}&R_{\mathtt {crs}}({sk},w,x)=1, \\&\wedge \mathcal {A}(\mathtt {st},\pi ) = 1 \end{aligned} \right] -\right. \quad \quad $$
$$ \quad \left. \Pr \left[ \begin{aligned}&(\mathtt {crs},\mathtt {td}) \leftarrow \varPi .Setup(1^\lambda ),\\&(pk,vk) \leftarrow \varPi .KeyGen(\mathtt {crs}),\\&(x,w,sk,\mathtt {ipp},\mathtt {st}) \leftarrow \mathcal {A}(\mathtt {crs},pk,vk)\\&\pi \leftarrow Sim(\mathtt {crs},\mathtt {ipp},pk,x_p,vk,sk) \end{aligned} : \begin{aligned}&R_{\mathtt {crs}}({sk},w,x)=1, \\&\wedge \mathcal {A}(\mathtt {st},\pi ) = 1 \end{aligned} \right] \right| \le negl(\lambda ), $$

where \(x= (x_p,x_s)\) consists of a public subword \(x_p\) and a secret subword \(x_s\).

3 A New Construction of Oblivious DVNIZK Proof

In this section, we introduce a new construction of oblivious DVNIZK proof system for languages related to the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\) presented in Sect. 2.1, and prove the security properties of our construction.

3.1 The Construction of Oblivious DVNIZK Proof

We will take an algebraic MAC tag on a user’s attributes as a credential for this user, which is treated in a similar way as in [22, 23]. Nevertheless, the specific property of the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\) based on weak Bonel-Boyen signature (see definition in Sect. 2.1) will allow us to build a more efficient oblivious DVNIZK proof system than before. Recall that, when the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\) is considered, a MAC tag on a vector of attributes \(\mathbf{m}= (m_1,m_2,\cdots ,m_\beta )\) under the secret key \(sk = (x_0,x_1, \cdots , x_\beta )\) is of the form \(\varSigma = (\sigma , \sigma _1,\cdots , \sigma _{\beta })\), where \(\sigma = g^{{1}/\left( {x_0 + \sum _{j=1}^{\beta }{x_j \cdot m_j}}\right) }\). It can be rewritten as \(\sigma ^{- \sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g= \sigma ^ {x_0}\), where the first part \(\sigma ^{- \sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g\) has exponents linear in both attributes \(\mathbf{m}= (m_1,m_2,\cdots ,m_\beta )\) and secret keys \((x_1, x_2,\cdots , x_\beta )\). This property would be preserved even after some re-randomize technique has been applied on the credential \(\sigma \). For example, when it is re-randomized as \(T = \sigma ^a\) for a random a, it still holds that \(T^{- \sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g^a= T ^ {x_0}\).

Based on the above observation, we are now ready to present our construction of oblivious DVNIZK proof system for secret relations defined by the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\). Given the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\) denoted by \(MAC_{\mathtt {wBB}} = (M.Setup,\) M.KeyGenM.MacM.Verify) and a DVNIZK-friendly encryption scheme \(\mathcal {E} = (\mathcal {E}.KeyGen, \mathcal {E}.Enc, \mathcal {E}.Dec)\) with message space \(\mathbb {Z}_N\) of prime order \(N=p\), the concrete steps of the oblivious DVNIZK proof system \(\varPi \) are as follows.

  • \(\varPi .Setup(1^\lambda )\) takes as input the security parameter \(1^\lambda \), computes \((ek,dk)\leftarrow \mathcal {E}.KeyGen(1^{\lambda })\) and \(\mathtt {pp} = (\mathbb {G},g,p) \leftarrow M.Setup(1^{\lambda })\), sets the common reference string as \(\mathtt {crs} = (ek,\mathtt {pp})\) and the trapdoor as \(\mathtt {td} = dk\). Without loss of generality, we assume that the public key ek also determines the message space \(\mathbb {Z}_{N}\), the random source \(\mathbb {Z}_R\) and a public bound B on R;

  • \(\varPi .RelSetup(\mathtt {crs})\) is essentially the key generation algorithm of the underlying MAC scheme \(MAC_{\mathtt {wBB}}\). It chooses randomly \(\beta +1\) elements \(x_i \leftarrow \mathbb {Z}_p^{*}\) and computes \(X_i = g^{x_i}\) for every \(i \in \{0,1,\cdots ,\beta \}\). Then, the secret key is \(sk = (x_0,x_1,\cdots ,x_\beta )\) and the public issuer parameter is \(\mathtt {ipp} = (X_0,X_1, \cdots ,X_\beta )\);

  • \(\varPi .KeyGen(\mathtt {crs})\) chooses at random a value \(e\leftarrow \mathbb {Z}_l\) where \(l=2^{\lambda }\cdot N\cdot B\), then sets the secret verification key as \(vk = e\) and the public proving key as \(pk = \mathcal {E}.Enc(ek,0;e)\);

  • \(\varPi .Prove(\mathtt {crs},\mathtt {ipp},pk,(x_p,x_s),w)\) takes as input the parameters \(\mathtt {crs},\mathtt {ipp}\), the proving key pk, a credential \(x= (x_p = \perp , x_s = \sigma )\) and a vector of attributes \(w= (m_1,m_2,\cdots ,m_\beta )\), selects a random value \(a \leftarrow \mathbb {Z}_{N}\) and computes \(T = \sigma ^ a\). It then chooses at random \(a^{\prime }\leftarrow \mathbb {Z}_{N}\), \(m_j^{\prime } \leftarrow \mathbb {Z}_{N}\) for \(j=1,2,\cdots , \beta \), and computes \(T^{\prime } = \varPi _{j=1}^{\beta }{\sigma _j}^{-a\cdot m_j^{\prime }}\cdot g^{a^{\prime }}\). Next, it chooses a random vector \(\mathbf{r} = (r_0,r_1,\cdots ,r_\beta ) \leftarrow \mathbb {Z}_R^{\beta +1}\), sets \(\overline{\mathbf{m}} = (a,m_1,m_2,\cdots ,m_\beta )\) and \(\overline{\mathbf{m}}^{\prime } = (a^{\prime },m_1^{\prime },m_2^{\prime },\cdots ,m_\beta ^{\prime })\), and computes \(\mathbf{X} = \mathcal {E}.Enc(ek, \overline{\mathbf{m}};\mathbf{r})\) and \(\mathbf{X}^{\prime } = \mathcal {E}.Enc(ek, \overline{\mathbf{m}}^{\prime };\mathbf{0}) \ominus (\mathbf{r} \odot pk)\). At last, the proving algorithm outputs a proof \(\pi = (T,T^{\prime },\mathbf{X},\mathbf{X}^{\prime })\).

  • \(\varPi .Verify(\mathtt {crs},\mathtt {ipp},pk,vk,sk,x_p=\perp ,\pi )\) verifies the proof \(\pi \) as follows. It first parses \(\pi \) as \(\pi = (T,T^{\prime },\mathbf{X},\mathbf{X}^{\prime })\), computes \(\mathbf{X}^{\prime } \oplus (e\odot \mathbf{X})\) and checks that the values in this vector are decodable, then decodes them to a vector \(\mathbf{d} = (d_0,d_1,\cdots ,d_\beta )\). Next, it checks that \(T \ne 1\) and

    $$\begin{aligned} \left( T^{x_0} \right) ^{e} \cdot T^{\prime } = T^{-\sum _{j=1}^{\beta }{x_j \cdot d_j}} \cdot g^{d_0}. \end{aligned}$$
    (1)

    Finally, it outputs \(b=1\) if \(\pi \) can be parsed correctly, \(\mathbf{X}^{\prime } \oplus (e\odot \mathbf{X})\) is decodable and the above equation holds; otherwise, it outputs \(b=0\).

3.2 Security Analysis

In this section, we show that our oblivious DVNIZK proof system satisfies completeness, knowledge extractability and oblivious zero-knowledge properties.

Theorem 2

If the underlying encryption scheme \(\mathcal {E}\) is DVNIZK-friendly, then the oblivious DVNIZK proof system \(\varPi \) satisfies the completeness property.

Proof

Firstly, if a proof \(\pi = (T,T^{\prime },\mathbf{X},\mathbf{X}^{\prime })\) is generated honestly, one can easily deduce that

$$\begin{aligned} \mathbf{X}^{\prime } \oplus (e\odot \mathbf{X})= & {} \left( \mathcal {E}.Enc(ek, \overline{\mathbf{m}}^{\prime };\mathbf{0}) \ominus (\mathbf{r} \odot pk) \right) \oplus \left( e\odot \mathcal {E}.Enc(ek, \overline{\mathbf{m}};\mathbf{r}) \right) \\= & {} \mathcal {E}.Enc(ek, \overline{\mathbf{m}}^{\prime };- e\cdot \mathbf{r} ) \oplus \mathcal {E}.Enc(ek, e\cdot \overline{\mathbf{m}};e\cdot \mathbf{r}) \\= & {} \mathcal {E}.Enc(ek, \overline{\mathbf{m}}^{\prime } + e\cdot \overline{\mathbf{m}};\mathbf{0}), \end{aligned}$$

which is decodable according to the definition of DVNIZK-friendly encryption schemes. Moreover, we can obtain that \(\mathbf{d} = \overline{\mathbf{m}}^{\prime } + e\cdot \overline{\mathbf{m}} \mod N\), yielding that \(d_0 = a^{\prime } + e\cdot a \mod N\) and \(d_j = m_j^{\prime } + e\cdot m_j \mod N\) for all \(j=1,2,\cdots ,\beta \). Therefore, by combining with the equation \(T^{- \sum _{j=1}^{\beta }{m_j\cdot x_j}} \cdot g^a= T ^ {x_0}\), we have

$$\begin{aligned} \left( T^{x_0} \right) ^{e} \cdot T^{\prime }= & {} \left( T^{- \sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g^a \right) ^{e} \cdot \left( \varPi _{j=1}^{\beta }{\sigma _j}^{-a\cdot m_j^{\prime }}\cdot g^{a^{\prime }} \right) \\= & {} \left( T^{- \sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g^{a} \right) ^{e} \cdot \left( T^{- \sum _{j=1}^{\beta }{x_j \cdot m_j^{\prime }}} \cdot g^{a^{\prime }} \right) \\= & {} T^{-\sum _{j=1}^{\beta }{x_j \cdot (m_j^{\prime } + e\cdot m_j)}} \cdot g^{ a^{\prime } + e\cdot a }\\= & {} T^{-\sum _{j=1}^{\beta }{x_j \cdot d_j}} \cdot g^{d_0}. \end{aligned}$$

Theorem 3

If the underlying encryption scheme \(\mathcal {E}\) is DVNIZK-friendly, and the algebraic MAC scheme \(MAC_{\mathtt {wBB}}\) is \(\mathtt {UF}\)-\(\mathtt {CMVA}\) secure, then the oblivious DVNIZK proof system \(\varPi \) satisfies the knowledge extractability property.

Proof

Our proof starts with the construction of an extracting algorithm Ext. Given a proof \(\pi = (T,T^{\prime },\{T_j^{\prime }\}_{j=1}^{\beta },\mathbf{X},\mathbf{X}^{\prime })\) and the trapdoor \(\mathtt {td} = dk\), the algorithm Ext computes \(\overline{\mathbf{m}} = (a,m_1,m_2,\cdots ,m_\beta ) = \mathcal {E}.Dec(dk,\mathbf{X})\), sets \(\sigma = T^{1/a}\) and then outputs \((x_s =\sigma , w= (m_1,m_2,\cdots , m_\beta ))\).

We next turn to estimate the probability of the event \( R_{\mathtt {crs}}({sk},w,(x_p,x_s))=0\ \wedge \ \varPi .Verify(\mathtt {crs},\mathtt {ipp},pk, vk, sk,\) \(x_p,\pi ) = 1\). Recall that we only focus on secret relations that are defined by algebraic MAC schemes in the sense that \(R({sk},w,x)=1 \Leftrightarrow M.Verify(sk,w,x)=1\). It is then sufficient to show that the oracle \(O_{\varPi .Ver}(\cdot ,\cdot ) = \varPi .Verify(\mathtt {crs},\mathtt {ipp},pk, vk, sk,\cdot ,\cdot ) \) can be efficiently simulated, with sk replaced by oracle access to \(M.Verify(sk,\cdot ,\cdot )\).

We denote by \(O_{SimVer}(\cdot ,\cdot ) = {SimVerify}(\mathtt {crs},\mathtt {ipp},pk, vk,dk,\cdot ,\cdot )\) the simulated verification algorithm with access to the oracle \(M.Verify(sk,\cdot ,\cdot )\), and proceed as follows. Assuming that \((\mathtt {crs},\mathtt {td}=dk),(sk,\mathtt {ipp}),(pk,vk)\) are generated as before and \((\mathtt {crs},\mathtt {ipp},pk, vk,dk)\) are provided to SimVerify as input. Then, for each query \((x_p = \perp ,\pi )\) asked by the adversary \(\mathcal {A}\), we can decrypt the ciphertexts \(\mathbf{X}, \mathbf{X}^{\prime }\) to vectors \(\overline{\mathbf{m}} = (a,m_1,m_2,\cdots ,m_\beta ) \leftarrow \mathcal {E}.Dec(dk,\mathbf{X})\), \(\overline{\mathbf{m}}^{\prime } = (a^{\prime },m_1^{\prime },m_2^{\prime }, \cdots ,m_\beta ^{\prime }) \leftarrow \mathcal {E}.Dec(dk, \mathbf{X}^{\prime })\). Finally, we compute \(\sigma = T^{1/a}\), and check that all the following equations are true:

$$\begin{aligned}&-e\odot (\mathbf{X} \ominus \mathcal {E}.Enc(ek,\overline{\mathbf{m}};\mathbf{0})) = \mathbf{X}^{\prime } \ominus \mathcal {E}.Enc(ek,\overline{\mathbf{m}}^{\prime };\mathbf{0}),&\end{aligned}$$
(2)
$$\begin{aligned}&M.Verify(sk,(m_1,m_2,\cdots ,m_\beta ),\sigma ) = 1,&\end{aligned}$$
(3)
$$\begin{aligned}&T^{\prime } = T^{- \sum _{j=1}^{\beta }{x_j \cdot m_j^{\prime }}} \cdot g^{a^{\prime }}.&\end{aligned}$$
(4)

If all the checks succeeded, SimVerify outputs 1; otherwise, it outputs 0.

Here we remark that, under the conditions \(\sigma = T^{1/a}\) and \(M.Verify(sk,(m_1,\) \(m_2,\cdots ,m_\beta ),\sigma ) = 1\), the check Eq. (4) could in fact be calculated without the knowledge of the secret key \(sk = (x_0,x_1,\cdots ,x_\beta )\). Alternatively, we can ask to the MAC oracle to get \((\sigma , \sigma _1,\cdots , \sigma _{\beta }) = M.Mac(sk,(m_1, m_2,\cdots ,m_\beta ))\) and then check that

$$\begin{aligned} T^{\prime } = \varPi _{j=1}^{\beta }{\sigma _j}^{-a\cdot m_j^{\prime }}\cdot g^{a^{\prime }}. \end{aligned}$$
(5)

This property is very attractive for the context of DVNIZK proof, since it enables us to avoid resorting to a stronger notion of unforgeability (called extended unforgeability [22]) for the underlying algebraic MAC schemes.

In the following, we will prove that the simulated oracle \(O_{SimVer}(\cdot ,\cdot )\) is indistinguishable from the real oracle \(O_{\varPi .Ver}(\cdot ,\cdot )\). First, we show that, given a query \(\pi \), if \(O_{SimVer}(\perp ,\pi ) = 1\), then \(O_{\varPi .Ver}(\perp ,\pi ) = 1\). Recall that \(\overline{\mathbf{m}} \leftarrow \mathcal {E}.Dec(dk,\mathbf{X})\) and \(\overline{\mathbf{m}}^{\prime } \leftarrow \mathcal {E}.Dec(dk,\) \(\mathbf{X}^{\prime })\), it follows immediately that the Eq. (2) implies \(\mathbf{X},\mathbf{X}^\prime \) are of the form \(\mathbf{X} = \mathcal {E}.Enc(ek, \overline{\mathbf{m}};\mathbf{r})\) and \(\mathbf{X}^{\prime } = \mathcal {E}.Enc(ek, \overline{\mathbf{m}}^{\prime }; -e \cdot \mathbf{r})\) for some random vector \(\mathbf{r}\). Henceforth, the vector \(\mathbf{X}^{\prime } \oplus (e\odot \mathbf{X})\) is decodable, and the decoded vector is \(\mathbf{d} = \overline{\mathbf{m}}^{\prime } + e \cdot \overline{\mathbf{m}}\). On the other hand, if the Eq. (3) is satisfied, it yields that \(\sigma = g^{{1}/\left( {x_0 + \sum _{j=1}^{\beta }{x_j \cdot m_j}}\right) }\), which in turn implies that \(T^{- \sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g^a= T ^ {x_0}\). Combining these facts with Eq. (4), we can easily get the equation \( \left( T^{x_0} \right) ^{e} \cdot ( \varPi _{j=1}^{\beta } (T_j^{\prime })^{-x_j} \cdot T^{\prime } ) = T^{-\sum _{j=1}^{\beta }{x_j \cdot d_j}} \cdot g^{d_0}. \) This indicates that \(O_{\varPi .Ver}(\perp ,\pi ) = 1\).

Next, we prove that, if \(O_{\varPi .Ver}(\perp ,\pi ) = 1\), then \(O_{SimVer}(\perp ,\pi ) = 1\). Assume that \(\mathbf{X} = \mathcal {E}.Enc(ek, \overline{\mathbf{m}};\mathbf{r})\) and \(\mathbf{X}^{\prime } = \mathcal {E}.Enc(ek, \overline{\mathbf{m}}^{\prime }; \mathbf{r}^\prime )\) for some random vectors \(\mathbf{r}\) and \(\mathbf{r}^\prime \). We would easily deduce from the fact \(\mathbf{X}^{\prime } \oplus (e\odot \mathbf{X})\) is decodable that \(\mathbf{r}^\prime = -e \cdot \mathbf{r}\), which thus yields that the Eq. (2) is satisfied. Furthermore, to obtain a contradiction, we now suppose that Eq. (1) holds, while the Eqs. (3) or (4) is rejected. Note that the Eq. (1) can be rewritten as

$$\begin{aligned} \left( T^{x_0} / {T^{-\sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g^{a}}\right) ^{e} = T^{-\sum _{j=1}^{\beta }{x_j \cdot m_j^\prime }} \cdot g^{a^{\prime }}/{T^{\prime }}. \end{aligned}$$
(6)

If the Eq. (3) does not hold, we get \( T^{x_0} / {T^{-\sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g^{a}} \ne 1\); if (4) does not hold, we have \(T^{-\sum _{j=1}^{\beta }{x_j \cdot m_j^\prime }} \cdot g^{a^{\prime }}/{T^{\prime }} \ne 1\). Since e is randomly chosen from some sufficiently large space, it holds with overwhelming probability that \(e\ne 0 \mod N\). Hence, we can conclude that \( T^{x_0} / {T^{-\sum _{j=1}^{\beta }{x_j \cdot m_j}} \cdot g^{a}} \ne 1\) and \(T^{-\sum _{j=1}^{\beta }{x_j \cdot m_j^\prime }} \cdot g^{a^{\prime }}/{T^{\prime }} \ne 1\) will happen simultaneously. Using a similar technique as in [20], we can then get from Eq. (6) the value \(e\mod N\), which is supposed to be statistically hidden.

Now, since the simulated oracle \(O_{SimVer}(\cdot ,\cdot )\) is indistinguishable from the real oracle \(O_{\varPi .Ver}(\cdot ,\cdot )\), and the valid of secret relation has essentially been checked through Eq. (3), we conclude that the event \( R({sk},w,(x_p,x_s))=0\ \wedge \ \varPi .Verify(\mathtt {crs},\mathtt {ipp},pk, vk, sk,\) \(x_p,\pi ) = 1\) happens with only negligible probability. This completes the proof.

Theorem 4

If the underlying encryption scheme \(\mathcal {E}\) is \(\mathtt {IND}\)-\(\mathtt {CPA}\) secure, then the oblivious DVNIZK proof system \(\varPi \) is obliviously zero-knowledge.

Proof

The proof will be divided into two steps: constructing a simulator and proving the indistinguishability. We first construct a simulator \(Sim(\mathtt {crs},\mathtt {ipp},pk,\) \(x_p,vk,sk)\) which producing simulated zero-knowledge proof \(\pi \) as follows. It first selects randomly \(T\leftarrow \mathbb {G}\) and \(\mathbf{d}=(d_0,d_1,\cdots ,d_\beta )\leftarrow \mathbb {Z}_{N}^{\beta +1}\), and computes

$$\begin{aligned} T^{\prime } = T^{-\sum _{j=1}^{\beta }{x_j \cdot d_j}} \cdot g^{d_0} / {\left( T^{x_0} \right) ^{e} }. \end{aligned}$$
(7)

The simulator then chooses at random \(\overline{\mathbf{m}} = (a,m_1,m_2,\cdots ,m_\beta )\leftarrow \mathbb {Z}_{N}^{\beta +1}\), \(\overline{\mathbf{m}}^{\prime } = (a^{\prime },m_1^{\prime },m_2^{\prime },\cdots ,m_\beta ^{\prime })\leftarrow \mathbb {Z}_{N}^{\beta +1}\) and \(\mathbf{r} = (r_0,r_1,\cdots ,r_\beta ) \leftarrow \mathbb {Z}_R^{\beta +1}\), and computes

$$\begin{aligned} \mathbf{X}= & {} \mathcal {E}.Enc(ek, \overline{\mathbf{m}};\mathbf{r}), \end{aligned}$$
(8)
$$\begin{aligned} \mathbf{X}^\prime= & {} \mathcal {E}.Enc(ek,\mathbf{d} - e\cdot \overline{\mathbf{m}}; - e\cdot \mathbf{r}). \end{aligned}$$
(9)

We now show that, given an adversary \(\mathcal {A}\) against the indistinguishability of \(\varPi .Prove\) and Sim, we can construct an adversary \(\mathcal {A}_S\) against the \(\mathtt {IND}\)-\(\mathtt {CPA}\) security of S. The \(\mathtt {IND}\)-\(\mathtt {CPA}\) adversary \(\mathcal {A}_S\) first obtains \((x=(x_p=\perp ,x_s =\sigma ), w= (m_1,m_2,\cdots , m_\beta ))\) from the adversary \(\mathcal {A}\), then it chooses randomly \(a\leftarrow \mathbb {Z}_{N}\), sets \(\overline{\mathbf{m}} = (a,m_1,m_2,\cdots ,m_\beta )\) and \(T=\sigma ^a\), picks at random \(\widetilde{\mathbf{m}} = (\tilde{a},\tilde{m}_1,\tilde{m}_2,\cdots ,\tilde{m}_\beta )\leftarrow \mathbb {Z}_{N}^{\beta +1}\), and sends the \((\overline{\mathbf{m}}, \widetilde{\mathbf{m}})\) to the \(\mathtt {IND}\)-\(\mathtt {CPA}\) challenger to get back a challenging ciphertext \(\mathbf{X}\). Next, it selects randomly \(\mathbf{d}=(d_0,d_1,\cdots ,\) \(d_\beta )\leftarrow \mathbb {Z}_{N}^{\beta +1}\), computes \(\mathbf{X}^\prime = \mathcal {E}.Enc(ek,\mathbf{d};\mathbf{0}) \ominus (e\cdot \mathbf{X})\), and sets \(T^{\prime }\) as in Eq. (7). Finally, the adversary \(\mathcal {A}_S\) sends \(\pi ^{*} = (T,T^{\prime },\mathbf{X},\mathbf{X}^\prime )\) to the adversary \(\mathcal {A}\), and takes the bit \(b\in \{0,1\}\) outputted by \(\mathcal {A}\) as its own output.

While the relation \(R_{\mathtt {crs}}({sk},w,x)=1\) holds, it is easy to check that, if the challenging ciphertext \(\mathbf{X} = \mathcal {E}.Enc(ek, \overline{\mathbf{m}};\mathbf{r})\), then the proof \(\pi ^{*}\) is distributed identical to a proof in the real game; if \(\mathbf{X} = \mathcal {E}.Enc(ek, \widetilde{\mathbf{m}};\mathbf{r})\), then the proof \(\pi ^{*}\) is distributed exactly as that is produced by the simulator. Therefore, if the adversary \(\mathcal {A}\) has non-negligible probability in distinguishing \(\varPi .Prove\) and Sim, then the adversary \(\mathcal {A}_S\) will win the \(\mathtt {IND}\)-\(\mathtt {CPA}\) game with non-negligible probability.

4 A New Storage-Extra APAKE Protocol

In this section, we first describe the construction of our new storage-extra APAKE protocol. Then, the design rationale and detailed comparisons of our protocols, in terms of both efficiency and security, are presented.

4.1 The Construction of the APAKE Protocol

Assume that \(MAC_{\mathtt {wBB}} = (M.Setup, M.KeyGen,M.Mac,M.Verify)\) is the algebraic MAC scheme presented in Sect. 2.1, \(\mathcal {E} = (\mathcal {E}.KeyGen, \mathcal {E}.Enc, \mathcal {E}.Dec)\) is a DVNIZK-friendly homomorphic encryption scheme as defined in Sect. 2.2, and \(\varPi = (\varPi .Setup,\varPi .RelSetup, \varPi .KeyGen, \) \(\varPi .Prove, \varPi .Verify)\) is the oblivious DVNIZK proof scheme introduced in Sect. 3.1. We also use a traditional MAC scheme \(\mathtt {M}=(\mathtt {KeyGen},\mathtt {Mac},\mathtt {Verify})\) and a traditional signature scheme \(S=(S.KeyGen,S.Sign,\) S.Verify).

For each user \(U\in \mathbf{U}\), denote by \(\mathbf{m}= (m_1,m_2,\cdots ,m_\beta )\) the vector of attributes and by pw the password held by this user. The construction of the APAKE protocol consists of the following steps.

Setup. In the setup phase, we first run \(\varPi .Setup(1^\lambda )\) to obtain \(\mathtt {crs} = (ek,\mathtt {pp}) = (ek,(\mathbb {G},g,p)) \) and the trapdoor \(\mathtt {td} = dk\), run \(\varPi .KeyGen(\mathtt {crs})\) to generate a secret relation key \(sk = (x_0,x_1,\cdots ,x_\beta )\) and \(\mathtt {ipp} = (X_0,X_1, \cdots ,X_\beta )\), run \(S.KeyGen(1^\lambda )\) to get a signing key SK and the related signature verification key VK. Then, we select a random element \(h\leftarrow \mathbb {G}\), set the common reference string of the APAKE protocol as \((\mathtt {crs},\mathtt {ipp}, VK,h)\), and provide to the server with the secret keys (skSK).

Registration. In this phase, each user registers to the server to prepare for subsequent anonymous authentication. The registration phase is assumed to be executed over secure channels. To begin with, each user sends her attributesFootnote 2 \(\mathbf{m}= (m_1,m_2,\cdots ,m_\beta )\) to the server. Upon receiving this registration request, the server generates a MAC tag \(\varSigma = (\sigma , \sigma _1,\cdots , \sigma _{\beta })\leftarrow M.Mac(sk,\mathbf{m})\) and sends it to the user as its credentialFootnote 3. When the credential \(\varSigma \) is received, the client encrypts it with her password pw to obtain a password-wrapped credential \([\varSigma ]_{pw}\), and puts it on some (publicly) extra-storage.

Authentication. To login the server, a user interacts with the server as follows.

  1. 1.

    At the beginning, the server runs \(\varPi .KeyGen(\mathtt {crs})\) to generate a proof verification key \(vk = e\) and the corresponding proving key \(pk = \mathcal {E}.Enc(ek,0;e)\), picks at random \(\gamma \leftarrow \mathbb {Z}_{p}\) and computes \(Y = h^\gamma \), \(\sigma _S = S.Sign(SK,(pk,Y))\). Then, the server sends to the client the message \((pk,Y,\sigma _S)\).

  2. 2.

    Upon receiving the message \((pk,Y,\sigma _S)\) from the server, the client first checks the validity of the signature \(\sigma _S\). Next, she fetches back the password-wrapped credential \([\varSigma ]_{pw}\) and decrypts it with her password pw to recover the credential \(\varSigma = (\sigma , \sigma _1,\cdots , \sigma _{\beta })\). Then, the user generates a DVNIZK proof \(\pi \leftarrow \varPi .Prove(\mathtt {crs},\mathtt {ipp},pk,(x_p,x_s),w)\), where \(x= (x_p = \perp , x_s = \sigma )\) and \(w= (m_1,m_2,\cdots ,m_\beta )\). The user also chooses randomly \(\xi \leftarrow \mathbb {Z}_{p}\), computes \(X = h^\xi \), \(tk_U^{(1)} = Y^\xi \),\(tk_U^{(2)} = \varPi _{j=1}^{\beta } \sigma _j^{-a\cdot m_j} \cdot g^a\) and \(\sigma _U = \mathtt {Mac}(tk_U^{(2)},\sigma _S||X||\pi )\). Finally, the user sends \((X,\pi ,\sigma _U)\) to the server, and computes the session key as \(K_U = tk_U^{(1)}\cdot tk_U^{(2)}\).

  3. 3.

    When the server receives \((X,\pi ,\sigma _U)\), it ensures that \(T\ne 1\), computes \(tk_S^{(1)} = X^\gamma ,tk_S^{(2)} = T^{x_0}\), checks that \(\sigma _U = \mathtt {Mac}(tk_S^{(2)},\sigma _S||X||\pi )\), verifies the DVNIZK proof \(\pi \), and aborts if any of these checks is failed. If all checks are valid, the server computes the session key as \(K_S = tk_S^{(1)}\cdot tk_S^{(2)}\).

4.2 Design Rationale

The core of our construction is a DVNIZK proof \(\pi \) to prove that the algebraic MAC tag \(\sigma \) held by the user is valid, without compromising the privacy of this credential and the user’s attributes. The privacy protection property is guaranteed by the zero-knowledge property of the underlying DVNIZK proof scheme; and the soundness property of the DVNIZK proof system ensures that, the user in communication is a legitimate member with a valid algebraic MAC tag as her credential.

Based on these observations, we could even obtain a one-pass variant of the above protocol for anonymous entity authentication, through sending only one flow of message consisting of the DVNIZK proof \(\pi \) to the server. The resulting protocol guarantees privacy-preserving non-interactive authentication, as expected by [20]. However, as a one-pass protocol, it is inherently open to replay attacks [31]. Although it is well-known that replay attacks can be prevented by maintaining synchronized state (via counters or timestamps) between the sender and receiver, we emphasize that synchronized timestamps are actually quite tedious in practical applications.

In order to prevent replay attacks and to establish a secure session key for subsequent use, we alternatively choose to have the server send an additional message \((pk,Y,\sigma _S)\) to the client. In this message, the server generates and sends a fresh proving key pk for every session, which guarantees that the DVNIZK proof \(\pi \) is newly generated as well. Moreover, with the extra flow of message, we can embed in this protocol of a Diffie-Hellman tuple (XY), which offers forward security for both participants.

4.3 Comparisons with Existing Storage-Extra APAKE Protocols

In the following, we compare our storage-extra APAKE protocol with similar anonymous authentication protocols, in terms of both security and efficiency.

Security Comparisons. First, recall that our main purpose is to design a storage-extra APAKE protocol secure in the standard model, instead of in the random oracle model. As indicated in Table 1, our storage-extra APAKE protocol is the only one with proven security in the standard model, while all the existing protocols [14,15,16] are analyzed in the random oracle model. However, the random oracle model is arguably “unnatural” and differs from real-world constructions significantly [19]. We thus have reasons to believe that an APAKE protocol with provable security in the standard model would provide a stronger guarantee of security than those only proven secure in the random oracle model. In addition, our protocol not only satisfies the same mutual authentication property as the existed protocols, but also permits more flexibility in terms of identity type, as our protocol allows users to prove a vector of personal attributes rather than a single value of identity.

Efficiency Comparisons. With respect to efficiency, we compare our protocol with the existing storage-extra APAKE protocols in terms of rounds, communication and computational cost. The details are illustrated in Table 2. We stress that our protocol requires only two flows of messages during the authentication phase, which is very efficient for a protocol with explicitly mutual authentication. Although our protocol is less efficient, which is similar to those protocols with provable security in the standard model, than its counterpart proven secure in the random oracle, it is still considerably efficient. In particular, when the length of attributes is set to \(\beta =1\), we get a protocol that is even more efficient than Yang et al.’s scheme [14], which is right the storage-extra APAKE protocol contained in the standard ISO/IEC 20009-4 [17].

Table 1. Security comparisons among storage-extra APAKE protocols
Full size table
Table 2. Efficiency comparisons among storage-extra APAKE protocols
Full size table

4.4 Security Analysis of the APAKE Protocol

By utilizing a security model for storage-extra APAKE protocol formalized by Zhang et al. in [15], we could prove that the APAKE protocol presented above guarantees AKE security of session keys and achieves user anonymity with respect to the honest-but-curious server. However, the detailed security model and rigorous proofs are omitted here due to the page limit. We refer the reader to our full paper for more details.

5 Conclusions

In this paper, we first give out a new construction of the oblivious DVNIZK proof system compatible with a new class of algebraic MAC schemes, which avoids the requirement of the cumbersome security notion called extended unforgeability. Then, we present a new APAKE protocol in the standard model by combing the technique of algebraic MAC with oblivious designated-verifier non-interactive zero-knowledge (DVNIZK) proof. Comparisons show that our protocol enjoys stronger security guarantees as well as achieves considerably communication and computation performance.