1 Introduction

Background. A structure-preserving signature (SPS) scheme is a useful building block for cryptographic protocol design over bilinear groups. In SPS, signatures, messages and public keys consist exclusively of source group elements of bilinear groups, and their sizes are measured by the number of such elements. Since the signature size greatly impacts the efficiency of the accompanying proofs and of the resulting protocol, it is of great interest to investigate possible lower bounds for the signature size and to construct schemes that achieve these bounds. Table 1 summarizes known lower and upper bounds for the size of structure-preserving signatures over different settings.

Table 1. Bounds on the signature size of structure-preserving signature schemes. See discussion in Sect. 5 for entries with \(\dagger \),\(\ddagger \),\(\S \).

Research on lower bounds for structure preserving signatures was initiated in [4], where the authors investigate the case of asymmetric bilinear groups (Type-III groups [16]) where no efficient morphisms are known between the source groups, \(\mathbb {G}_1\) and \(\mathbb {G}_2\). For schemes defined for unilateral messages (that belong to only one of the source groups), matching lower and upper bounds are known (w.r.t. both interactive and non-interactive assumptions). In the case of bilateral messages (that contain elements from both source groups), a construction is shown in [4] based on non-interactive assumption, but no lower bounds are provided to argue its optimality. In [8], the authors investigate the case of symmetric bilinear groups (Type-I groups) where \(\mathbb {G}_1= \mathbb {G}_2\), and present matching lower and upper bounds w.r.t. interactive assumptions. Their results are valid as well for asymmetric bilinear groups with an efficient morphism from \(\mathbb {G}_2\) to \(\mathbb {G}_1\) (Type-II groups) for some message types. The analysis over Type-II groups considering interactive assumptions is continued by [6] where the authors present matching bounds for unilateral messages with an ‘unexpected’ gap between messages in \(\mathbb {G}_1\) and \(\mathbb {G}_2\). Nothing was known w.r.t. non-interactive assumptions in Type-II.

In summary, all known lower bounds are about schemes with unilateral messages or being secure under interactive assumptions. To the best of our knowledge, nothing has been shown for the case of bilateral messages and non-interactive assumptions, though this is the most general and preferred case in the context of structure-preserving signatures. Efficient and trustworthy constructions (based on weak assumptions) in this more general setting are desired, as they play an important role in the modular design of cryptographic primitives.

Our Results. We present lower bounds on the signature size of structure-preserving signature schemes over asymmetric bilinear groups signing bilateral messages and being secure based on non-interactive assumptions.

  • A tight lower bound for bilateral messages in Type-III groups. As illustrated in Table 1, this constitutes the last missing piece for structure preserving signatures over Type-III groups. We show that secure signatures for bilateral messages must contain at least 6 group elements as long as the underlying assumption is non-interactive (see Sect. 3). More concretely, we show that a signature scheme signing bilateral messages cannot be proved to be EUF-CMA by a black-box algebraic reduction to any non-interactive assumption if the signatures contain less than 3 group elements in one of the source groups and 3 in the other. Our lower bound matches an existing upper bound from [4]. Our result allows us to claim the optimality of that scheme.

  • Lower bounds for unilateral messages in \(\mathbb {G}_1\) and bilateral messages in Type-II groups. These are the first non-trivial lower bounds for Type-II groups involving non-interactive assumptions. We first show that when signing unilateral messages in \(\mathbb {G}_1\), signatures must contain at least 4 group elements (see Sect. 4). Note that the lower bound for unilateral messages in \(\mathbb {G}_1\) implies the same lower bound for bilateral messages. That is because there exists a reduction from bilateral to unilateral messages in \(\mathbb {G}_1\). However, this reduction is valid only if messages belong to \(\mathbb {G}_1^{k_1} \times \mathbb {G}_2^{k_2}\) for some fixed \(k_1, k_2 \in \mathbb {N}\) and the underlying scheme supports messages in \(\mathbb {G}_1^{k_1 + k_2}\). For our purpose, it is sufficient to show a lower bound for schemes that sign messages consisting of only one group element in \(\mathbb {G}_1\), since such a result would also apply to those with larger message spaces. The result is unfortunately not known to be optimal, as corresponding upper bounds are missing. We further discuss this point in Sect. 5.

Our approach follows the framework of [5], i.e., we show the existence of a crucial relation (see Sect. 2.3) in the algebraic model [10, 14]. It is known that if such a relation exists, a meta-reduction [12] can be constructed and the considered scheme cannot be proven secure under non-interactive assumptions. Having messages in both source groups or having a morphism from one group to the other makes the analysis more complex. We elaborate on this point as follows. We first recap the argument used in [5]. Consider an SPS scheme over Type-III groups that yields 3-element signatures, (R, S, T), for a unilateral single-element message M in \(\mathbb {G}_1\). For the scheme to be secure, at most two elements in the signature, say R and S, must be in the same group as M. Thus, every pairing product equation can be written as

$$\begin{aligned} e(R, U_1 T^{a})\, e(S, U_2 T^{b})\, e(M, U_3 T^{c})\, e(V, T)\, =Z \end{aligned}$$
(1)

with parameters a, b, c, and public-key elements \(U_i\), V and Z that may be different in every equation. A reduction algorithm \(\mathcal{R}\) is given an instance of a non-interactive assumption and simulates signatures for certain messages. Let G and H be generators for \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. When \(\mathcal{R}\) is algebraic, the signature (R, S, T) for message M must be computed as

$$\begin{aligned} R = G^{\varphi _r} M^{\alpha _r},\, S = G^{\varphi _s} M^{\alpha _s},\, T = H^{\varphi _t} \end{aligned}$$
(2)

for some variables \(\alpha _r\), \(\alpha _s\), \(\varphi _r\), \(\varphi _s\), and \(\varphi _t\) taking values in \(\mathbb {Z}_p\). Actually, \(G^{\varphi _r}\), \(G^{\varphi _s}\) and \(H^{\varphi _t}\) are linear combinations of group elements in the given problem instance. Therefore \(\varphi _{r}, \varphi _{s}, \varphi _{t}\) may not be known by \(\mathcal{R}\). By substituting (R, S, T) in every verification equation of the form of (1) and taking logarithms to base e(G, H), we get a system of equations in the above variables. Roughly, to show that \(\mathcal{R}\) will never be successful in breaking the assumption, it is necessary to show that \((\alpha _r,\alpha _s)\), called the crucial information, is uniquely identified. If this is done, \((\alpha _r,\alpha _s)\) can be extracted and used to simulate a valid forgery. The overall argument is not extremely intricate, as the obtained equations are linear in the crucial information \((\alpha _r,\alpha _s)\). The difficulty significantly increases when applying the above procedure to show that at least 6 elements are necessary for signing bilateral messages (M, N) in \(\mathbb {G}_1\times \mathbb {G}_2\) of Type-III groups.

In the case of Type-II groups with unilateral messages in \(\mathbb {G}_1\), the difficulty comes from the presence of an efficient morphism \(\phi :\mathbb {G}_1\rightarrow \mathbb {G}_2\). Observe that verification equations for 3-element signatures (R, S, T) on message \(M \in \mathbb {G}_1\) will be of the form \( e(R, U_1 T^{a})\, e(S, U_2 T^{b})\, e(M, U_3 T^{c})\, e(\phi (T), U_4 T^{d})\, e(U_5, T)\, =Z\) for \((R,S,T) \in \mathbb {G}_1^2 \times \mathbb {G}_2\). When representing (R, S, T) as in (2), the resulting system of equations w.r.t. the crucial information \((\alpha _r, \alpha _s)\) is linear, although it includes the quadratic term \(\varphi _t^2\), coming from \(e(\phi (T), T)\), and this makes the analysis slightly more involved than the one from [5]. In our actual proof in Sect. 4, we address a more general case where the signature element T (in the opposite group to M) consists of an arbitrary number of elements \(T_1,\dots ,T_{\ell }\). In this way, we handle all cases where signatures include fewer than three elements at once.
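As an added worked derivation (not part of the paper), we carry the substitution of (2) into (1) through in the exponent, for both the Type-III equation (1) and the Type-II equation above, to make visible why the crucial information enters linearly while \(\varphi _t\) enters quadratically in Type-II. We write discrete logs in lower case as in Sect. 3, and assume \(U_i = H^{u_i}\), \(V = G^{v}\), \(Z = e(G,H)^{z}\), \(t := \varphi _t\), and, for Type-II, that \(\phi (T)\) has discrete log t w.r.t. G.

$$\begin{aligned}&\text {Taking logarithms of (1) to base } e(G,H), \text { with } R = G^{r},\, S = G^{s},\, T = H^{t},\, M = G^{m}: \\&\qquad r(u_1 + a t) + s(u_2 + b t) + m(u_3 + c t) + v t = z. \\&\text {Substituting } r = \varphi _r + \alpha _r m \text { and } s = \varphi _s + \alpha _s m \text { from (2) and collecting powers of } m: \\&\qquad m\,\big [\alpha _r (u_1 + a t) + \alpha _s (u_2 + b t) + (u_3 + c t)\big ] + \big [\varphi _r (u_1 + a t) + \varphi _s (u_2 + b t) + v t - z\big ] = 0. \\&\text {Since } m \text { is uniform and unknown to an algebraic } \mathcal{R}, \text { both coefficients must vanish if dlog in } \mathbb {G}_1 \text { is hard} \\&\text {(the argument of Claim 1). Writing } A := u_1 + a t,\ B := u_2 + b t,\ C := u_3 + c t \text { this reads} \\&\qquad A \alpha _r + B \alpha _s + C = 0, \qquad A \varphi _r + B \varphi _s + v t - z = 0. \\&\text {Two verification equations } j, k \text { with } A_j B_k - A_k B_j \ne 0 \text { therefore fix the crucial information uniquely:} \\&\qquad \alpha _r = \frac{B_j C_k - B_k C_j}{A_j B_k - A_k B_j}, \qquad \alpha _s = \frac{A_k C_j - A_j C_k}{A_j B_k - A_k B_j}. \\&\text {Type-II: the factors } e(\phi (T), U_4 T^{d})\, e(U_5, T) \text { replace } e(V,T) \text { and contribute } t(u_4 + d t) + u_5 t, \text { which is independent of } m, \\&\text {so the } m\text {-coefficient (linear in } \alpha _r,\alpha _s) \text { is unchanged and only the constant term picks up the quadratic } \varphi _t^2 = t^2: \\&\qquad A \alpha _r + B \alpha _s + C = 0, \qquad A \varphi _r + B \varphi _s + (u_4 + u_5)\, t + d\, t^{2} - z = 0. \end{aligned}$$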

Other Related Works. There exist variations and extensions of SPS for which the lower bounds appearing in Table 1 do not hold. For example, for one-time SPS schemes, there are constructions, e.g., [3, 7], whose signature consists of one or two group elements and their security is based on static assumptions. In [19, 20], the authors circumvent these bounds by considering messages in a special form (messages are bound by the Diffie-Hellman relation) and construct a SPS scheme over Type-III groups with two group elements in each signature.

Upper bounds are frequently being improved in the literature [2, 22,23,24]. The state of the art for static assumptions and Type-III groups is a scheme from [22] with six-element signatures for unilateral messages. For bilateral messages, a scheme presented in [23] yields 10-element signatures. However, we point out that combining the scheme from [22] for messages in \(\mathbb {G}_1\) with a partially one-time SPS from [2] for messages in \(\mathbb {G}_2\) results in a scheme for bilateral messages with 9 signature elements. A randomizable SPS scheme in [18] can be seen as an alternative scheme whose signature size matches the lower bound of three group elements in Type-III groups based on an interactive assumption. For Type-I groups, the generic construction from [22] yields a scheme with the smallest signature size of 9 when the underlying MDDH assumption [13] is instantiated with the DLIN assumption [9] adjusted to Type-I groups [2].

Structure-preserving signatures over Type-II groups have received less attention, even though GS-proofs have been extended to Type-II groups [21]. This may be due to [6], which shows how the one-way morphism between source groups can be exploited in cryptographic designs. Note that significant gaps in signature size exist between the Type-II and Type-III settings. However, as pointed out in [11], a smaller signature size does not necessarily imply that a scheme in Type-II is computationally more advantageous than its analogous scheme in Type-III when the cost of membership testing is taken into account. That is why comparisons should be performed within the same group setting of bilinear groups.

2 Preliminaries

2.1 Signature Schemes, Bilinear Groups, and Algebraic Algorithm

In this section we briefly review notations and standard notions used throughout the paper. Due to the page restriction, we refer to [5], which our work is based on, for more formal definitions.

Let \(\mathcal{G}\) be a generator of bilinear groups that takes security parameter \(1^\lambda \) as input and outputs \(\varLambda := (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)\), where \(p\) is a \(\lambda \)-bit prime and \(\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T\) are groups of order \(p\) with efficiently computable group operations, membership tests, and bilinear mapping \(e: \mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\). An equation of the form \(\prod _i \prod _j e(A_i, B_j)^{a_{ij}}= Z\) for constants \(a_{ij} \in \mathbb {Z}_p, Z\in \mathbb {G}_T\), and constants or variables \(A_i\in \mathbb {G}_1\), \(B_j\in \mathbb {G}_2\) is called a pairing product equation (PPE). Symmetric bilinear groups refer to the case where \(\mathbb {G}_1= \mathbb {G}_2\), and they are called Type-I groups. The case where \(\mathbb {G}_1\ne \mathbb {G}_2\) is known as asymmetric groups. When no efficient morphism is provided in either direction between \(\mathbb {G}_1\) and \(\mathbb {G}_2\), the groups are called Type-III. If there is an efficient morphism from \(\mathbb {G}_2\) to \(\mathbb {G}_1\), they are said to be in the Type-II setting. See [16] for their properties.

A signature scheme consists of polynomial-time algorithms \((\mathcal{C},\mathcal{K},\mathcal{S},\mathcal{V})\) where \(\mathcal{C}\) generates common parameters \( GK \), \(\mathcal{K}\) generates a pair of public and private keys, \(\mathcal{S}\) is a signing algorithm and \(\mathcal{V}\) is the verification algorithm. It is called structure preserving w.r.t. bilinear group generator \(\mathcal{G}\) if the common parameter \( GK \) consists of a group description \(\varLambda \) and some constants \(a_{ij}\) in \(\mathbb {Z}_p\), and public keys, messages, and signatures consist of group elements in \(\mathbb {G}_1\) and \(\mathbb {G}_2\), and verification algorithm \(\mathcal{V}\) evaluates membership in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and PPEs. A SPS scheme is considered secure if it is existentially unforgeable against adaptive chosen message attacks (EUF-CMA). It is assumed that there exists an efficiently computable key verification algorithm \( TstVk \) that takes \(\lambda \) and \( VK \) as input and checks the validity of \( VK \) s.t. if \(0 \leftarrow TstVk (1^\lambda , VK )\), then \(\mathcal{V}( VK ,*,*)\) always returns 0, and if \(1 \leftarrow TstVk (1^\lambda , VK )\) then the message space \(\mathsf {Msp}\) is well defined and it is efficiently and uniformly sampleable. A signature \(\varSigma \) is considered valid (w.r.t. \( VK \) and \(M\)), if \(1=\mathcal{V}( VK ,M,\varSigma )\). Otherwise, it is said to be invalid.

An algorithm is called algebraic w.r.t. a group if it takes a vector of elements \(\varvec{X}\) in the group and outputs a group element Y, and there is a corresponding algorithm, called an extractor, that can output the representation of Y w.r.t. \(\varvec{X}\). For instance, if the algebraic algorithm \(\mathcal{R}\) takes source group elements A, B as input and outputs element C in the same group, then \(\mathcal{R}\)’s extractor \(\mathcal{E}\) outputs (a, b) such that \(C = A^a B^b\). It does not matter how \(\mathcal{R}\) has computed a and b. For instance, a can be a bit-slice of some group elements, as in Waters’ Hash [26]. The notion can also be extended naturally to oracle algorithms. Thus, it covers a wide range of algorithms and is frequently used [17, 25]. For a formal definition, we refer to [5], which also discusses the differences from the knowledge of exponent assumption. By \( \texttt {Cls} _{alg}\) we denote the set of all algebraic algorithms with respect to \(\mathcal{G}\). With respect to source groups in asymmetric bilinear groups, group elements are separated if no efficient morphism exists. Suppose that \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are source groups of Type-III and an algorithm takes \(\varvec{A}\) from \(\mathbb {G}_1\) and \(\varvec{B}\) from \(\mathbb {G}_2\) as input. If the algorithm outputs \(Y \in \mathbb {G}_1\), there is an extractor that outputs a representation of Y w.r.t. \(\varvec{A}\), i.e. Y is independent of \(\varvec{B}\). Also, if \(\mathbb {G}_1\) and \(\mathbb {G}_2\) are Type-II groups, the extractor outputs a representation w.r.t. \(\varvec{A}\) and also \(\varvec{B}\) mapped to \(\mathbb {G}_1\).

2.2 Non-interactive Hardness Assumptions

Typically an assumption is defined in such a way that there is no efficient algorithm \(\mathcal{A}\) that returns a correct answer with better probability than random guessing. The following definition follows this intuition.

Definition 1

(Algebraic Non-interactive Hardness Assumption). A non-interactive problem consists of a triple of algorithms \(\mathcal{P}=(\mathcal{I},\mathcal{V},\mathcal{U})\) where \(\mathcal{I}\in \texttt {PPT} \) is an instance generator, which takes \(1^\lambda \) and outputs a pair of an instance and a witness, \((\textit{ins},\textit{wit})\), and \(\mathcal{V}\) is a verification algorithm that takes \(\textit{ins},\textit{wit}\) and an answer \(\textit{ans}\), and outputs 1 or 0 that represents acceptance or rejection, respectively. A non-interactive hardness assumption for problem \(\mathcal{P}\) is to assume that, for any \(\mathcal{A}\in \texttt {PPT} \), the following advantage function \(\text {Adv}\) is negligible in \(\lambda \).

$$\begin{aligned} \text {Adv}_{\mathcal{A}}(1^\lambda ) =&\Pr [(\textit{ins},\textit{wit}) \leftarrow \mathcal{I}(1^\lambda ), \textit{ans}\leftarrow \mathcal{A}(\textit{ins})\,:\, 1 = \mathcal{V}(\textit{ins},\textit{ans},\textit{wit})] \nonumber \\&- \Pr [ (\textit{ins},\textit{wit}) \leftarrow \mathcal{I}(1^\lambda ), \textit{ans}\leftarrow \mathcal{U}(\textit{ins})\,:\, 1 = \mathcal{V}(\textit{ins},\textit{ans},\textit{wit})] \end{aligned}$$

\(\mathcal{P}\) is called algebraic if \(\mathcal{I}\) also takes \(\varLambda \) generated by group generator \(\mathcal{G}(1^\lambda )\) with uniformly chosen default generators \(G \in \mathbb {G}_1\) and \(H \in \mathbb {G}_2\) as a part of input, and there exists an efficient extractor \(\mathcal{E}_{\mathcal{I}}\) that, given the same input as given to \(\mathcal{I}\), outputs a representation of the element w.r.t. generator G or H with overwhelming probability.

In search problems, \(\mathcal{U}\) is usually set to be an algorithm that returns the constant \(\bot \) (or a random answer \(\textit{ans}\) when the domain is uniformly sampleable). In decision problems, \(\mathcal{U}\) typically returns 1 or 0 at random, winning only with probability 1/2.

2.3 Crucial Relation

We briefly recap the framework of [5] and restate the impossibility theorem in a slightly refined and specific form. Let \( \texttt {Cls} \) be a class of algorithms (we actually consider the class of algebraic algorithms in this paper) and \(\mathcal{R}\in \texttt {Cls} \) be a reduction algorithm that, given an instance \(\textit{ins}\) of a non-interactive hardness problem \(\mathcal{P}\), outputs \( VK \) and a poly-size internal state \(\varphi \). Given \(\varphi \) and messages \(\varvec{M}:=(M_1,\dots , M_n)\) for some \(n>0\), \(\mathcal{R}\) outputs signatures \(\varvec{\varSigma }:= (\varSigma _1,\dots ,\varSigma _n)\). Let \(\theta \) be a transcript defined as \(\theta := ( VK , \varvec{M}, \varvec{\varSigma })\). A transcript \(\theta \) is valid, written as \(1 = \mathcal{V}(\theta )\), if \(1 = \mathcal{V}( VK ,M_i,\varSigma _i)\) for all \(i=1,\dots ,n\). (\(\mathcal{V}\) is supposed to reject if \( TstVk ( VK ) \ne 1\).)

In security proofs by reduction, it is often the case that the algorithm does not actually hold the secret key but has some crucial information to simulate signatures. We model such information as a witness of a binary relation \({\varPsi }(\theta , \varpi )\) that we call a crucial relation and define as follows.

Definition 2

(Crucial Relation). Let \(\textsf {Sig}= (\mathcal{C}, \mathcal{K}, \mathcal{S}, \mathcal{V})\) be a signature scheme and \( TstVk \) be a key verification algorithm for \(\textsf {Sig}\). A binary relation \({\varPsi }:\{0,1\}^* \times \{0,1\}^* \rightarrow \{0,1\}\) is a crucial relation for \(\textsf {Sig}\) w.r.t. a class of algorithms \( \texttt {Cls} \) and \(n>0\) if the following properties are provided.

Uniqueness: For every \(\theta := ( VK ,\varvec{M},\varvec{\varSigma })\) s.t. \(1=\mathcal{V}(\theta )\), there exists exactly one (polynomial size) \(\varpi \) fulfilling \(1 = {\varPsi }(\theta ,\varpi )\).

Extractability: For any \(\mathcal{R}\in \texttt {Cls} \), there exists \(\mathcal{E}\in \texttt {PPT} \) s.t., for any \( VK \in \{0,1\}^*\) s.t. \(1 \leftarrow TstVk (1^\lambda , VK )\), and any arbitrary string \(\varphi \) in \(1^{\lambda } || \{0,1\}^*\), probability

$$\begin{aligned} \Pr \left[ \begin{array}{l} \varvec{M}{\leftarrow }\mathsf {Msp}^n \\ \varvec{\varSigma }\leftarrow \mathcal{R}(\varphi , \varvec{M}; \gamma )\\ \varpi \leftarrow \mathcal{E}(\varphi , \varvec{M}; \gamma )\\ \theta := ( VK ,\varvec{M},\varvec{\varSigma }) \end{array}\, : \, \begin{array}{l} 1=\mathcal{V}(\theta )\, \wedge \,\\ 1 \ne {\varPsi }(\theta ,\varpi ) \end{array} \right] \end{aligned}$$
(3)

is negligible in \(\lambda \). The probability is taken over the choice of \(\varvec{M}\) and random coin \(\gamma \) given to \(\mathcal{R}\) and \(\mathcal{E}\).

Usefulness: There exists an algorithm \(\mathcal {B}\in \texttt {PPT} \) s.t., for any \(\theta := ( VK ,\varvec{M},\varvec{\varSigma })\) and \(\varpi \) that satisfies \({\varPsi }(\theta ,\varpi )=1\), the following probability is not negligible in \(\lambda \).

$$\begin{aligned} \Pr \left[ \begin{array}{l} (M,\varSigma )\leftarrow \mathcal {B}(\theta ,\varpi ) \end{array} \, : \, \begin{array}{l} M\not \in \varvec{M}\,\,\wedge \, \\ 1=\mathcal{V}( VK ,M,\varSigma ) \end{array} \right] \end{aligned}$$
(4)

The intuition behind extractability is that whenever \(\varphi \) is helpful for \(\mathcal{R}\) to compute valid signatures, the extractor \(\mathcal{E}\) should be successful in extracting \(\varpi \) from \(\varphi \). This must hold even for a non-legitimate \( VK \) as long as it is functional with respect to the verification. For an \(\mathcal{R}\) which is successful in producing a valid \(\theta \) only with negligible probability, \(\mathcal{E}\) can be an empty algorithm.

Theorem 8 of [5]. If a crucial relation for a signature scheme exists w.r.t. algebraic algorithms, then there exists no algebraic black-box reduction from the EUF-CMA security of the signature scheme to any non-interactive algebraic problems over groups where the discrete logarithm problem is hard.

3 Tight Lower Bound for Bilateral Messages in Type-III

Theorem 1

Any structure preserving signature scheme over asymmetric bilinear groups that yields signatures consisting of 2 or fewer group elements in either of the source groups and \(\ell \) group elements in the other (for every \(\ell \le 3\)) cannot have an algebraic black-box reduction of its EUF-CMA security to non-interactive hardness assumptions if pseudo-random functions exist and the discrete logarithm problem is hard in both source groups.

Let \(\mathcal {SIG}_{\tau ,\ell }\) be the set of all structure preserving signature schemes in Type-III whose signature consists of at most \(\tau \) group elements from one source group and at most \(\ell \) elements from the other source group. We prove Theorem 1 by proving the following lemma and applying Theorem 8 of [5]. Note that the absence of morphisms between source groups is used in the proof via the algebraic model where the source group elements returned by any algebraic algorithm depend only on the elements from the same source group that were given to the algorithm as input.

Lemma 1

For every \(\ell \le 3\) and every scheme in \(\mathcal {SIG}_{2,\ell }\), there exists a crucial relation.

The proof of Lemma 1 will be given by explicitly presenting a crucial relation (Definition 3) and showing that it satisfies the three required properties: uniqueness, extractability and usefulness (Lemma 2). Our proof is valid for arbitrary values of \(\ell \) except for arguing extractability in one sub-case, when the condition \(\ell \le 3\) is required. When analyzing Lemma 1 we will consider, without loss of generality, the case where our scheme has signatures in \(\mathbb {G}_1^2 \times \mathbb {G}_2^\ell \).

Before starting, we establish some useful notation for expressing signature schemes in \(\mathcal {SIG}_{2,\ell }\). This notation will be used throughout the proofs.

Observe that in every structure preserving signature scheme with signature space \(\mathbb {G}_1^2 \times \mathbb {G}_2^\ell \), the j-th verification equation can be written in the following form:

$$\begin{aligned}&e(R, U_1^{(j)} N^{d_1^{(j)}} \prod \nolimits _{i=1}^{\ell } T_i^{a_i^{(j)}} )\, e(S, U_2^{(j)} N^{d_2^{(j)}}\prod \nolimits _{i=1}^{\ell } T_i^{b_i^{(j)}})\, \nonumber \\&\qquad \qquad e(M, U_3^{(j)} N^{d_3^{(j)}}\prod \nolimits _{i=1}^{\ell } T_i^{c_i^{(j)}})\, e(V_0^{(j)}, N)\, \prod \nolimits _{i=1}^{\ell }e(V_i^{(j)}, T_i)\, = Z^{(j)} \end{aligned}$$
(5)

where \((M,N) \in \mathbb {G}_1\times \mathbb {G}_2\) is a message, \(V_0^{(j)} \in \mathbb {G}_1\), for every \(i \in \{1,2,3\}\), \(V_i^{(j)} \in \mathbb {G}_1\), \(U_i^{(j)} \in \mathbb {G}_2\), and \(Z^{(j)} \in \mathbb {G}_T\) are elements in the verification key, and \((R,S,T_1,\dots ,T_\ell ) \in \mathbb {G}_1^2\,\times \,\mathbb {G}_2^\ell \) is a signature. Note that exponents \(d_k^{(j)}, a_i^{(j)}, b_i^{(j)}, c_i^{(j)}\) for \(k \in \{1,2,3\}\), \(i \in \{1,\dots ,\ell \}\) are determined by the description of the scheme.

Note that, to show the impossibility, it is sufficient to consider messages in \(\mathbb {G}_1\times \mathbb {G}_2\) rather than its vector form. Also, observe that we allow arbitrary \(Z^{(j)} \in \mathbb {G}_T\) in every verification equation j, for more generality. These are usually set to \(1_{\mathbb {G}_T}\) in the strict definition of structure preserving signatures.

We denote the discrete log of a group element w.r.t. the default generator by its lower-case letter. For instance, \(M =G^{m}\) and \(N = H^{n}\). For elements R and S in a signature, we consider a special representation of the form \(R = G^{\varphi _r} M^{\alpha _r}\), \(S = G^{\varphi _s} M^{\alpha _s}\) for some \(\varphi _r, \alpha _r, \varphi _s, \alpha _s\) in \(\mathbb {Z}_p\). Now, by expressing the j-th verification Eq. (5) in the exponent, we have:

(6)

By thinking of the j-th verification Eq. (6) as a polynomial in m, we have the following equation:

(7)

Claim 1

If the discrete-logarithm problem over \(\mathbb {G}_1\) is hard, for all equations j, every coefficient of (7) as polynomial in m must be zero.

Proof

We refer to the full version of this paper for a proof [1].    \(\square \)

Accordingly, for every verification equation j, the following two equations are fulfilled.

(8)
(9)

Now, we focus on message N. Let \(T_i = H^{\gamma _i} N^{\beta _i}\), i.e., \(t_i = \gamma _i + \beta _i n\). Note that, for each verification equation j, we can rewrite the relations (8) and (9) as polynomials in n by collecting the corresponding terms:

(10)
(11)

Now, for verification equation j we introduce the following more compact notation:

With a similar argument as the one used in Claim 1, we can argue that if Eqs. (10) and (11) hold, then they must hold as polynomials in n if the discrete logarithm problem is hard. Therefore, if the above equations hold, we must have:

$$\begin{aligned}&{A_{j}^{\beta }\alpha _r + B_{j}^{\beta }\alpha _s + C_{j}^{\beta } =0} \end{aligned}$$
(12)
$$\begin{aligned}&{A_{j}^{\gamma }\alpha _r + B_{j}^{\gamma }\alpha _s + C_{j}^{\gamma } = 0} \end{aligned}$$
(13)
$$\begin{aligned}&{A_{j}^{\beta }\varphi _r + B_{j}^{\beta }\varphi _s + V_{j}^{\beta } =0} \end{aligned}$$
(14)
$$\begin{aligned}&{A_{j}^{\gamma }\varphi _r + B_{j}^{\gamma }\varphi _s + V_{j}^{\gamma } =0} \end{aligned}$$
(15)

We say a verification equation j is degenerate if \(A_{j}^{t} = B_{j}^{t} = C_{j}^{t} = V_{j}^{t} = 0\). Note that, \(A_{j}^{t} = A_{j}^{\gamma } + n A_{j}^{\beta }\) and the same occurs for B, C and V. In general, if an equation j is degenerate, it must hold

$$\begin{aligned} A_{j}^{\gamma } = A_{j}^{\beta } = B_{j}^{\gamma } = B_{j}^{\beta } = C_{j}^{\gamma } = C_{j}^{\beta } = V_{j}^{\gamma } = V_{j}^{\beta } = 0 \end{aligned}$$

if dlog is hard (this can be shown by a similar analysis as in Claim 1).

Finally, for every pair of verification equations, say j and k, we define the determinant \(\mathtt{Dt}_{j,k}(n,t_1,\dots ,t_\ell )\) as:

$$\begin{aligned} \mathtt{Dt}_{j,k}(n,t_1,\dots ,t_\ell ) \,&:= \, A_{j}^{t} B_{k}^{t} - A_{k}^{t} B_{j}^{t} \\&= \, (A_{j}^{\gamma } + nA_{j}^{\beta })(B_{k}^{\gamma } + nB_{k}^{\beta }) - (A_{k}^{\gamma } + nA_{k}^{\beta })(B_{j}^{\gamma } + nB_{j}^{\beta }) \end{aligned}$$

Hereafter we use the standard conventions for matrix representations of linear maps on finite-dimensional spaces. The rank of a matrix is defined to be the dimension of the vector space generated by its columns/rows. Given two vectors \(\varvec{v},\varvec{w}\) over \(\mathbb {Z}_p^{n}\), we say they are linearly dependent or proportional, denoted by \(\varvec{v} \equiv \varvec{w}\), if and only if there exist scalars \(\rho ,\delta \in \mathbb {Z}_p\) (not both null) s.t. \(\rho \varvec{v} = \delta \varvec{w}\).

We have prepared the notation to define a crucial relation for \(\textsf {Sig}\in \mathcal {SIG}_{2,\ell }\). We first provide some intuition about how it is defined and why.

Intuition About the Crucial Relation. The algebraic extractor associated to the reduction provides the coefficients of a linear combination linking the group elements returned by the reduction to the group elements that it received. It turns out that if the discrete logarithm problem is hard, these coefficients must satisfy certain additional properties. When developing the crucial relation, one thinks of how to embed these coefficients in the witness, since they turn out to be extremely useful for creating a forgery. For example, knowing the pair \((\alpha _r,\alpha _s)\) that was used by the reduction to create \(R = G^{\varphi _r}M^{\alpha _r}\) and \(S = G^{\varphi _s}M^{\alpha _s}\), a new signature can be created on a different message (see the full version of this paper for details). However, these coefficients cannot just be included in the witness. It is required that they are unique in some sense. Otherwise, using them to build a signature could potentially give extra information to the reduction. The biggest challenge when defining the crucial relation is finding cases in which we can argue usefulness and uniqueness at the same time.

Definition 3

(Crucial Relation for \(\mathsf {Sig} \in \mathcal {SIG}_{2,\ell }\) for \(\ell \le 3\)). For signature scheme \(\textsf {Sig}= (\mathcal{C}, \mathcal{K}, \mathcal{S}, \mathcal{V})\) in \(\mathcal {SIG}_{\tau ,\ell }\) and its transcript \(\theta \), let \((R,S,T_{1},\dots ,T_{\ell })\) be the first signature in \(\theta \), for message (M, N). For witness \(\varpi \in (\mathbb {Z}_p\cup \bot )^{\ell +2}\), the relation \({\varPsi }(\theta ,\varpi )\) is defined by the following algorithm:

  1. If \(\theta \) is invalid, return 0.

  2. If there exist j, k s.t. \(\mathtt{Dt}_{j,k}(n,t_1,\dots ,t_\ell ) \ne 0\), let \(\alpha _r, \alpha _s \in \mathbb {Z}_p\) satisfy Eq. (8) for such j, k. If \(\varpi = (\alpha _r,\alpha _s,\bot ,\dots ,\bot )\) then return 1, else return 0.

  3. If there exists a verification equation j s.t. one and only one of the expressions \(A_{j}^{t}\) and \(B_{j}^{t}\) is zero, let j be the index of the first equation that satisfies this condition. If \(A_{j}^{t} = 0\) and \(\varpi = (0,\alpha _s,\bot ,\dots ,\bot )\) where \(B_{j}^{t} \alpha _s + C_{j}^{t} = 0\) then return 1; else if \(B_{j}^{t} = 0\) and \(\varpi = (\alpha _r,0,\bot ,\dots ,\bot )\) where \(A_{j}^{t} \alpha _r + C_{j}^{t} = 0\) then return 1; else return 0.

  4. If all verification equations are degenerate, i.e. for all j, \(A_{j}^{t} = B_{j}^{t} = C_{j}^{t} = V_{j}^{t} = 0\): if \(\varpi = (\bot ,\dots ,\bot )\) return 1, else return 0.

  5. If there exists \(\beta = (\beta _1,\dots ,\beta _\ell ) \in \mathbb {Z}_p^\ell \) s.t. for \(\gamma _i = t_i - n\beta _i\), \(i \in \{1,\dots ,\ell \}\), and every pair of verification equations j, k the following vectors in \(\mathbb {Z}_p^8\) are proportional:

    $$ \left( \begin{array}{cccccccc} A_{j}^{\beta }&\,\, B_{j}^{\beta }&\,\, C_{j}^{\beta }&\,\, V_{j}^{\beta }&\,\, A_{j}^{\gamma }&\,\, B_{j}^{\gamma }&\,\, C_{j}^{\gamma }&\,\, V_{j}^{\gamma } \end{array} \right) \equiv \left( \begin{array}{cccccccc} A_{k}^{\beta }&\,\, B_{k}^{\beta }&\,\, C_{k}^{\beta }&\,\, V_{k}^{\beta }&\,\, A_{k}^{\gamma }&\,\, B_{k}^{\gamma }&\,\, C_{k}^{\gamma }&\,\, V_{k}^{\gamma } \end{array} \right) $$

    where, for non-degenerate equations j, it holds that \(A_j^{\beta }B_{j}^{\gamma } - A_{j}^{\gamma }B_{j}^{\beta } \ne 0\): if \(\varpi = (\alpha _r,\alpha _s,\bot ,\dots ,\bot )\) satisfies \(A_{j}^{\beta } \alpha _r + B_{j}^{\beta } \alpha _s + C_{j}^{\beta } = 0\) and \(A_{j}^{\gamma } \alpha _r + B_{j}^{\gamma } \alpha _s + C_{j}^{\gamma } = 0\) for every verification equation j, then return 1, else return 0.

  6. If there exists a non-degenerate equation j s.t. there exist coefficients \(\mu _1,\mu _2,\mu _3 \in \mathbb {Z}_p\), which are publicly computable and satisfy

    $$\begin{aligned} \left( \begin{matrix}u_1^{(j)}&d_1^{(j)}&a_1^{(j)}&\dots&a_\ell ^{(j)}\end{matrix}\right) \mu _1 +\left( \begin{matrix}u_2^{(j)}&d_2^{(j)}&b_1^{(j)}&\dots&b_\ell ^{(j)}\end{matrix}\right) \mu _2 +\left( \begin{matrix}u_3^{(j)}&d_3^{(j)}&c_1^{(j)}&\dots&c_\ell ^{(j)}\end{matrix}\right) \mu _3 = \varvec{0} \end{aligned}$$

    then: if such coefficients can be found with \(\mu _3 \ne 0\), return 1 if \(\varpi = (\bot ,\dots ,\bot )\) and return 0 otherwise; else (when \(\mu _3\) must be 0), go to clause 8.

  7. If there exists \(\beta = (\beta _1,\dots ,\beta _\ell ) \in \mathbb {Z}_p^\ell \) s.t. for every j, \(A_{j}^{\beta } = 0 \,\wedge \, B_{j}^{\beta } = 0 \,\wedge \, C_{j}^{\beta } = 0 \,\wedge \, V_{j}^{\beta } = 0\): if \(\varpi = (\beta _1, \dots , \beta _\ell )\) then return 1, else return 0.

  8. In any other case, if \(\varpi = (\alpha _r,0,\bot ,\dots ,\bot )\) s.t., setting \(\alpha _s = 0\), for every equation j it holds that \(A_{j}^{t}\alpha _r + B_{j}^{t}\alpha _s + C_{j}^{t} = 0\), then return 1, else return 0.

Lemma 2

For every \(\ell \le 3\), \({\varPsi }\) is a crucial relation for every \(\textsf {Sig}\in \mathcal{SIG}_{2,\ell }\) w.r.t. algebraic algorithms and a message sampler choosing messages uniformly.

Proof

We show that \({\varPsi }\) has uniqueness as defined for a crucial relation. Proofs for usefulness and extractability are also technically interesting but due to the space restriction, we refer to [1] for more details.

Let k be the total number of verification equations. When analyzing scheme \(\textsf {Sig}\in \mathcal{SIG}_{2,\ell }\), we will assume without loss of generality that \(\textsf {Sig}\) is s.t.

$$\begin{aligned} {\small \mathrm{rank} \left( \begin{array}{ccccccccc} a_1^{(1)} &{} b_1^{(1)} &{} c_1^{(1)} &{} v_1^{(1)} &{} \dots &{} a_1^{(k)} &{} b_1^{(k)} &{} c_1^{(k)} &{} v_1^{(k)} \\ &{} &{} &{} &{} \vdots &{} &{} &{} &{} \\ a_\ell ^{(1)} &{} b_\ell ^{(1)} &{} c_\ell ^{(1)} &{} v_\ell ^{(1)} &{} \dots &{} a_\ell ^{(k)} &{} b_\ell ^{(k)} &{} c_\ell ^{(k)} &{} v_\ell ^{(k)} \\ \end{array} \right) = \ell } \end{aligned}$$
(16)

First note that the assumption is reasonable for \(\ell = 1\); otherwise the scheme would be completely trivial. For other values of \(\ell \), the scheme admits a transformation that makes one of the \(T\)'s disappear (because one of the rows of the above matrix could be expressed as a linear combination of the others), and thus \(\textsf {Sig}\) would belong to \(\mathcal{SIG}_{2,\ell -1}\), which is captured by the same crucial relation instantiated for \(\ell -1\). The proof is presented for a generic \(\ell \), and we will only use the restriction \(\ell \le 3\) to argue extractability for clause 7.

Uniqueness. To argue uniqueness we show that every valid transcript \(\theta \) admits one and only one witness \(\varpi \) s.t. \(1 = {\varPsi }(\theta ,\varpi )\). First, note that every valid \(\theta \) falls in one of the clauses 2–8 (clause 8 accepts every \(\theta \) that did not fall in an earlier clause). We analyze, clause by clause, the uniqueness of \(\varpi \) in case \(\theta \) falls into it.

Assume that \(\theta \) falls into clause 2, i.e., for some (j, k), \(\mathtt{Dt}_{j,k}(n,t_1,\dots ,t_\ell ) \ne 0\). Note that there can only exist a unique pair \((\alpha _r,\alpha _s)\) satisfying Eq. (8) for both j and k, because \(\mathtt{Dt}_{j,k}(n,t_1,\dots ,t_\ell ) \ne 0\). That makes the witness unique.

When \(\theta \) falls in clause 3, let j be the first verification equation for which one and only one of \(A_{j}^{t}\), \(B_{j}^{t}\) is zero. Uniqueness holds because if \(A_{j}^{t} = 0\) then \(B_{j}^{t} \ne 0\) and there exists exactly one \(\alpha _s\) s.t. \(B_{j}^{t}\alpha _s + C_{j}^{t} = 0\); and if \(B_{j}^{t} = 0\) then \(A_{j}^{t} \ne 0\) and there exists exactly one \(\alpha _r\) satisfying \(A_{j}^{t}\alpha _r + C_{j}^{t} = 0\).

In case of clauses 4 or 6, uniqueness holds immediately.

For clause 5, it is clear that if a valid witness exists, it must be unique: because \(A_{j}^{\beta }B_{j}^{\gamma } - A_{j}^{\gamma }B_{j}^{\beta } \ne 0\), there exists exactly one pair \((\alpha _r, \alpha _s)\) satisfying \(A_{j}^{\beta } \alpha _r + B_{j}^{\beta } \alpha _s + C_{j}^{\beta } = 0\) and \(A_{j}^{\gamma } \alpha _r + B_{j}^{\gamma } \alpha _s + C_{j}^{\gamma } = 0\), as clause 5 requires. However, we need to show that this \((\alpha _r, \alpha _s)\) is the same independently of the \(\beta \) that has been chosen (as long as \(\beta \) satisfies the conditions of the clause). To do so, we consider a different vector \(\beta '\), defined by \(\beta _i' = \beta _i + \delta _i\) (and denote \(\gamma _i' = t_i - n \beta _i'\)) for \(i \in \{1,\dots ,\ell \}\), and we prove that the value of \((\alpha _r, \alpha _s)\) must be the same. Because \(A_j^{\beta }B_{j}^{\gamma } - A_{j}^{\gamma }B_{j}^{\beta } \ne 0\), we can give an explicit formula for the \((\alpha _r, \alpha _s)\) satisfying the equations \(A_{j}^{\beta } \alpha _r + B_{j}^{\beta } \alpha _s + C_{j}^{\beta } = 0\) and \(A_{j}^{\gamma } \alpha _r + B_{j}^{\gamma } \alpha _s + C_{j}^{\gamma } = 0\) for some j. That is,

$$\begin{aligned} \alpha _r = \frac{B_{j}^{\gamma }C_{j}^{\beta } - B_{j}^{\beta }C_{j}^{\gamma }}{A_{j}^{\gamma }B_{j}^{\beta } - A_{j}^{\beta }B_{j}^{\gamma }} \qquad \qquad \qquad \alpha _s = \frac{A_{j}^{\beta }C_{j}^{\gamma } - A_{j}^{\gamma }C_{j}^{\beta }}{A_{j}^{\gamma }B_{j}^{\beta } - A_{j}^{\beta }B_{j}^{\gamma }} \end{aligned}$$

Now, assume that \(\alpha _r\) and \(\alpha _s\) are derived from the same equations induced by a different \(\beta \), i.e., \(\beta ' = \beta + \delta \). Expanding the equations and rearranging terms, we can express \(\alpha _r\) as (we omit the index j on the increments \(\varDelta \) for simplicity)

$$\begin{aligned} \alpha _r = \frac{B_{j}^{\gamma }C_{j}^{\beta } - B_{j}^{\beta }C_{j}^{\gamma } - n \varDelta _1 + \varDelta _2}{A_{j}^{\gamma }B_{j}^{\beta } - A_{j}^{\beta }B_{j}^{\gamma } -n \varDelta _3 + \varDelta _4} \end{aligned}$$

where

Our goal is to show that \(\alpha _r\) is unique and therefore, increments \(-n\varDelta _1 + \varDelta _2\) and \(-n\varDelta _3 + \varDelta _4\) are zero. Observe that, the new \(\beta '\) must also satisfy the equation

which also satisfies . Assume that \(\alpha _r,\alpha _s\) is not unique, in that case, it must be

which leads to and observe that the previous expression corresponds to \(\varDelta _3\). A similar analysis, using the following equations (from the requirements of clause 5):

leads to and observe that the previous expression corresponds to \(\varDelta _4\). By a similar analysis, it can be shown that the increments in the numerator of \(\alpha _r\) are zero and eventually, that the same thing occurs for \(\alpha _s\).

If \(\theta \) falls into clause 7, and the witness \(\varpi \) satisfies \({\varPsi }\), it must be \(\varpi = (\beta _1,\dots ,\beta _\ell )\), with \(A_{j}^{\beta } = 0 \,\wedge \, B_{j}^{\beta } = 0 \,\wedge \, C_{j}^{\beta } = 0 \,\wedge \, V_{j}^{\beta } = 0\). Or equivalently, \((\beta _1,\dots ,\beta _\ell )\) is a solution of the following linear system

$$ \left( \begin{array}{ccc} \beta _1&\dots&\beta _\ell \end{array} \right) \mathsf{M} = \left( \begin{array}{cccccccccc} -d_1^{(1)}&-d_2^{(1)}&-d_3^{(1)}&-v_0^{(1)}&-d_1^{(2)}&\dots&-d_1^{(k)}&-d_2^{(k)}&-d_3^{(k)}&-v_0^{(k)} \end{array} \right) $$

where \(\mathsf{M}\) is the matrix from Eq. (16). Because the rank of \(\mathsf{M}\) is \(\ell \), there exists at most one solution to the system and therefore, the witness is unique.

For arguing about the missing clause, 8, we prove the following Claim.

Claim 2

Any transcript \(\theta \) that did not fall in clause 5 or before is s.t. all Eq. (12)\(^{(*)}\) are proportional among themselves and to all Eq. (13)\(^{(*)}\) (when considering them as linear equations in \(\alpha _r, \alpha _s\)).

Proof

Assume that the groups of Eqs. (12)\(^{(*)}\) and (13)\(^{(*)}\) are not proportional. We show that \(\theta \) should have fallen into clause 5 or earlier.

Note that at this point (and because we did not enter clause 2), for every pair of verification equations j, k the determinant \(\mathtt{Dt}_{j,k}(n,t_1,\dots ,t_\ell )\) is zero. Also note that, if we write as before \(t_i = \gamma _i + n \beta _i\) for every \(i \in \{1,\dots ,\ell \}\), such a determinant can be seen as a degree-2 polynomial in n,

$$\begin{aligned} n^2(A_j^{\beta }B_{k}^{\beta } - A_{k}^{\beta }B_{j}^{\beta }) + n\,(A_{j}^{\beta }B_{k}^{\gamma } - A_{k}^{\gamma }B_{j}^{\beta } \, + \, A_{j}^{\gamma }B_{k}^{\beta }-A_{k}^{\beta }B_{j}^{\gamma }) + (A_{j}^{\gamma }B_{k}^{\gamma }-A_{k}^{\gamma }B_{j}^{\gamma }) \end{aligned}$$

which is zero for every pair jk. In a similar way as done in the proof of Claim 1, we can prove that \(\mathtt{Dt}_{j,k}(n,t_1, \dots , t_\ell )=0\) happens only if every coefficient of the above polynomial in n is zero (otherwise, \(\mathcal{R}\) can be used to solve the discrete-logarithm problem in \(\mathbb {G}_2\)). We therefore have

$$\begin{aligned}&{A_j^{\beta }B_{k}^{\beta } - A_{k}^{\beta }B_{j}^{\beta } = 0} \end{aligned}$$
(17)
$$\begin{aligned}&{A_{j}^{\gamma }B_{k}^{\gamma }-A_{k}^{\gamma }B_{j}^{\gamma } = 0} \end{aligned}$$
(18)
$$\begin{aligned}&{A_{j}^{\beta }B_{k}^{\gamma } - A_{k}^{\gamma }B_{j}^{\beta } \, + \, A_{j}^{\gamma }B_{k}^{\beta }-A_{k}^{\beta }B_{j}^{\gamma } = 0} \end{aligned}$$
(19)

Let \((\mathsf {x})^{(j)}\) denote equation \((\mathsf {x})\) w.r.t. j-th verification equation. Equation (17) implies that, when considering the relations (12)\(^{(j)}\) for all j as equations in \(\alpha _r,\alpha _s\), they are all proportional. The same happens with Eq. (13)\(^{(j)}\) due to (18).

First, note that if all verification equations are degenerate, we would have entered clause 4. On the other hand, if there is just one non-degenerate verification equation, the condition of clause 5 holds and we would have fallen in there. Now, pick two non-degenerate equations, say (j, k). Note that, since \(A_j^{\beta }B_{k}^{\beta } = A_{k}^{\beta }B_{j}^{\beta }\) and they are non-degenerate, there must exist a constant \(\rho \in \mathbb {Z}_p\) s.t. \(A_j^{\beta } = \rho A_{k}^{\beta }\) and \(B_{j}^{\beta } = \rho B_{k}^{\beta }\). Analogously, since \(A_j^{\gamma }B_{k}^{\gamma } = A_{k}^{\gamma }B_{j}^{\gamma }\) and they are non-degenerate, there exists a constant \(\delta \in \mathbb {Z}_p\) s.t. \(A_j^{\gamma } = \delta A_{k}^{\gamma }\) and \(B_{j}^{\gamma } = \delta B_{k}^{\gamma }\). Now, substituting in Eq. (19) we have

$$\begin{aligned} \rho A_{k}^{\beta }B_{k}^{\gamma } - A_{k}^{\gamma }\rho B_{k}^{\beta } \, + \, \delta A_{k}^{\gamma }B_{k}^{\beta }-A_{k}^{\beta } \delta B_{k}^{\gamma } = (\rho - \delta )(A_{k}^{\beta }B_{k}^{\gamma } - A_{k}^{\gamma }B_{k}^{\beta }) = 0 \end{aligned}$$
(20)

Because the groups of Eqs. (12)\(^{(*)}\) and (13)\(^{(*)}\) are not proportional to each other, it must be that \((A_{k}^{\beta }B_{k}^{\gamma } - A_{k}^{\gamma }B_{k}^{\beta }) \ne 0\) for any pair of non-degenerate equations j, k, and thus \(\rho -\delta = 0\). Therefore, the linear factor between Eq. (12)\(^{(j)}\) and (12)\(^{(k)}\) is the same as the linear factor between Eq. (13)\(^{(j)}\) and (13)\(^{(k)}\). With similar techniques, it can be shown that the same happens between A and C, and so on. In fact, it must hold

$$ \left( \begin{array}{cccccccc} A_{j}^{\beta }&\,\, B_{j}^{\beta }&\,\, C_{j}^{\beta }&\,\, V_{j}^{\beta }&\,\, A_{j}^{t}&\,\, B_{j}^{t}&\,\, C_{j}^{t}&\,\, V_{j}^{t} \end{array} \right) \equiv \left( \begin{array}{cccccccc} A_{k}^{\beta }&\,\, B_{k}^{\beta }&\,\, C_{k}^{\beta }&\,\, V_{k}^{\beta }&\,\, A_{k}^{t}&\,\, B_{k}^{t}&\,\, C_{k}^{t}&\,\, V_{k}^{t} \end{array} \right) $$

for any pair of non-degenerate verification equations j, k. If j or k is degenerate, the above relation holds trivially (a zero vector is proportional to any vector), and the transcript \(\theta \) would have entered clause 5.

Therefore, if clause 8 is reached, all equations in (12)\(^{(*)}\) must be proportional to all Eq. (13)\(^{(*)}\).    \(\square \)

At this point, we know that all equations of the form \(A_{j}^{\beta } \alpha _r + B_{j}^{\beta }\alpha _s + C_{j}^{\beta } = 0\) are proportional between them for all j (looking at them as linear equations in \(\alpha _r, \alpha _s\)) and they are all proportional to \(A_{j}^{\gamma } \alpha _r + B_{j}^{\gamma } \alpha _s + C_{j}^{\gamma } = 0\) for all j. This implies that they are also all proportional to \(A_{j}^{t} \alpha _r + B_{j}^{t}\alpha _s + C_{j}^{t} = 0\) for every j.

Pick a non-degenerate equation, say \(j^{*}\). If \(\alpha _r, \alpha _s\) satisfy this equation, they satisfy them all. On the other hand, because it is non-degenerate, \(A_{j^*}^{t} \ne 0\) and therefore, there exists a unique value \(\alpha _r \in \mathbb {Z}_p\) s.t. \(A_{j^*}^{t} \alpha _r + B_{j^*}^{t}\cdot 0 + C_{j^*}^{t} = 0\). Therefore, the witness is unique in this branch.    \(\square \)

From Theorem 1, the following corollary is immediate. It implies that at least six group elements are necessary as claimed in Table 1.

Corollary 1

If there exists a structure preserving signature scheme that signs bilateral messages over Type-III bilinear groups and its EUF-CMA security is proved by algebraic black-box reductions to a non-interactive problem, then its signature must include at least 6 group elements.

It is worth pointing out that the above result brings new insights to the case of unilateral messages in Type-III under non-interactive assumptions. Recall that the 4-element construction in [5] outputs signatures in \(\mathbb {G}_1^3 \times \mathbb {G}_2\) for messages in \(\mathbb {G}_1\). It was unknown whether other structures such as \(\mathbb {G}_1^2 \times \mathbb {G}_2^2\) are possible. Corollary 1 states that \(\mathbb {G}_1^3 \times \mathbb {G}_2\) is the only possible choice, and it justifies the optimality of the construction from [5].

The following corollary restricts the number of schemes for bilateral messages with signatures in \(\mathbb {G}_1^2\,\times \,\mathbb {G}_2^\ell \) for arbitrary \(\ell \), by imposing a condition without which it would be easy to argue extractability for clause 7.

Corollary 2

If \(\textsf {Sig}\) is a signature scheme for messages \((M,N) \in \mathbb {G}_1\times \mathbb {G}_2\) with signature elements \((R,S,T_1,\dots ,T_{\ell }) \in \mathbb {G}_1^2 \times \mathbb {G}_2^{\ell }\) that is proven EUF-CMA secure under a non-interactive assumption, then its k verification equations must satisfy:

$$\begin{aligned} \mathrm{rank} \left( \begin{array}{ccccccc} d_1^{(1)} &{} d_2^{(1)} &{} d_3^{(1)} &{} \quad \dots &{} \quad d_1^{(k)} &{} d_2^{(k)} &{} d_3^{(k)} \\ a_1^{(1)} &{} b_1^{(1)} &{} c_1^{(1)} &{} \quad \dots &{} \quad a_1^{(k)} &{} b_1^{(k)} &{} c_1^{(k)} \\ &{} &{} &{} \quad \vdots &{} &{} &{} \\ a_\ell ^{(1)} &{} b_\ell ^{(1)} &{} c_\ell ^{(1)} &{} \quad \dots &{} \quad a_\ell ^{(k)} &{} b_\ell ^{(k)} &{} c_\ell ^{(k)} \\ \end{array} \right) < \ell \end{aligned}$$

4 Lower Bounds in Type-II

In Type-II, there are three cases, i.e., (1) messages exist only in \(\mathbb {G}_1\), (2) messages exist only in \(\mathbb {G}_2\), and (3) messages exist in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\). Below, we give a bound for the first case. Note that it directly implies a lower bound for bilateral messages (case 3) as well.

Theorem 2

Any structure preserving signature scheme over Type-II groups with message space \(\mathcal{{M}} \subset \mathbb {G}_1\) that yields signatures consisting of 3 group elements cannot have an algebraic black-box reduction from the EUF-CMA security to non-interactive hardness assumptions if pseudo-random functions exist and the discrete logarithm problem is hard in \(\mathbb {G}_1\).

Let \(M \in \mathbb {G}_1\) be a message and \((R, S, T_1, \ldots , T_{\ell })\) be a signature. We first consider two extreme cases where signatures include elements from one group. If \((R,S,T_1, \ldots , T_{\ell }) \in \mathbb {G}_1^{2 + \ell }\), the verification equations are in the form of \(e(R, U_1)\, e(S, U_2)\, e(M, U_3)\, \prod ^{\ell }_{j=1} e(T_j, U_{3+j})\, =Z\) where \(U_i\) and Z are public-keys. Thus, given two signatures on two messages, one can easily obtain a valid signature on a new message by linearly combining two messages and signatures. Therefore, such signatures are vulnerable to random message attacks.
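The combination step described above, worked in the exponent as an added example (this is not code from the paper; the exponent model, the toy signer and the sample key and signatures are assumptions constructed for the illustration). It also records the one constraint the prose leaves implicit: because the right-hand side Z is a fixed public-key element, the weights a, b used to combine two signed messages must satisfy a + b = 1, and the example checks that other weights do not verify.

```python
# Added example, not from the paper: the linear-combination (random message)
# attack on a Type-II scheme whose signature elements all lie in G1.
# Exponent model (an assumption of this example): a G1 element with exponent
# x stands for G^x, a public-key element U_i in G2 with exponent u_i for
# H^{u_i}, and e(G^x, H^u) contributes x*u to the target-group exponent, so
#   e(R,U1) e(S,U2) e(M,U3) prod_j e(T_j, U_{3+j}) = Z
# reads  r*u1 + s*u2 + m*u3 + sum_j t_j*u_{3+j} == z  (mod P).
# The sample key and signatures below are constructed for this example.

P = 2**61 - 1


def verifies(vk, m, sig):
    """vk = (u, z): u = (u1, u2, u3, u4, ..., u_{3+ell}) are the public-key
    exponents and z the exponent of Z; sig = (r, s, t_1, ..., t_ell) are the
    signature exponents, all in G1. True iff the verification equation holds."""
    u, z = vk
    r, s, *ts = sig
    lhs = r * u[0] + s * u[1] + m * u[2] + sum(tj * uj for tj, uj in zip(ts, u[3:]))
    return lhs % P == z % P


def toy_sign(vk, m, r, s, t1):
    """Toy signer for ell = 2: r, s, t_1 are free and t_2 is solved from the
    equation. Only a way to produce valid sample signatures; it is not a
    secure scheme and is not meant to be one."""
    u, z = vk
    t2 = (z - r * u[0] - s * u[1] - m * u[2] - t1 * u[3]) * pow(u[4], P - 2, P) % P
    return (r % P, s % P, t1 % P, t2)


def combine(m1, sig1, m2, sig2, a, b):
    """Forger's step: M* = M1^a M2^b and sig* = sig1^a sig2^b componentwise.
    By bilinearity the left-hand side becomes a*LHS1 + b*LHS2 = (a+b)*z, so
    the forgery verifies exactly when a + b = 1 (mod P): the forger picks any
    a and sets b = 1 - a. No secret is needed."""
    m = (a * m1 + b * m2) % P
    sig = tuple((a * x + b * y) % P for x, y in zip(sig1, sig2))
    return m, sig


def demo():
    vk = ((3, 7, 11, 13, 17), 424242)          # constructed public key
    m1, m2 = 1001, 2002                          # two messages seen signed
    sig1 = toy_sign(vk, m1, 5, 8, 21)
    sig2 = toy_sign(vk, m2, 9, 4, 30)
    assert verifies(vk, m1, sig1) and verifies(vk, m2, sig2)
    a = 123456
    good_m, good_sig = combine(m1, sig1, m2, sig2, a, 1 - a)   # a + b = 1
    bad_m, bad_sig = combine(m1, sig1, m2, sig2, a, a)         # a + b != 1
    return {
        "fresh": good_m not in (m1, m2),
        "forgery_verifies": verifies(vk, good_m, good_sig),
        "wrong_weights_verify": verifies(vk, bad_m, bad_sig),
    }
```

The same computation goes through unchanged for any number of verification equations and any \(\ell \), since every equation is linear in the signature exponents and shares the fixed right-hand side.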

We now consider the case where the number of signature elements in \(\mathbb {G}_1\) is at most 2. Say, \((R, S) \in \mathbb {G}_1^2\) and \((T_1, \ldots , T_{\ell }) \in \mathbb {G}_2^{\ell }\). Let \(\mathcal {SIG}_{\ell }\) be the set of all structure preserving signature schemes whose signature consists of 2 group elements from \(\mathbb {G}_1\) and other \(\ell \) elements from \(\mathbb {G}_2\). We denote by \(\tilde{A}\) the group element in \(\mathbb {G}_1\) that was mapped from \(A \in \mathbb {G}_2\).

Theorem 2 is shown by combining our Lemma 3 with Theorem 8 from [5].

Lemma 3

For every scheme in \(\mathcal {SIG}_{\ell }\), there exists a crucial relation.

Proof

According to [6], at least 2 verification equations are required in Type-II for a secure signature scheme in \(\mathcal {SIG}_{\ell }\), i.e., with \((R, S) \in \mathbb {G}_1^2\) and \((T_1, \ldots , T_{\ell }) \in \mathbb {G}_2^{\ell }\). Observe that in every structure preserving signature scheme with signature space \(\mathbb {G}_1^2 \times \mathbb {G}_2^{\ell }\), the j-th verification equation can be written in the following form, where \(M \in \mathbb {G}_1\) is a message, \(U_i^{(j)},V_i^{(j)}\) are elements in \( VK \), \(a_i^{(j)}, b_i^{(j)}, c_i^{(j)}, d_i^{(j)} \in \mathbb {Z}_p\) for \(i = 1,\dots ,\ell \) are public parameters, and \((R, S, T_1, \ldots , T_{\ell }) \in \mathbb {G}_1^2 \times \mathbb {G}_2^{\ell }\) is the signature,

$$\begin{aligned} e(R, U_1^{(j)}\,\prod \nolimits ^{\ell }_{i=1} T_i^{a_i^{(j)}})&\, e(S, U_2^{(j)}\,\prod \nolimits ^{\ell }_{i=1} T_i^{b_i^{(j)}})\, e(M, U_3^{(j)} \,\prod \nolimits ^{\ell }_{i=1} T_i^{c_i^{(j)}}) \nonumber \\ {}&\prod \nolimits ^{\ell }_{j=1} \,\prod \nolimits ^{\ell }_{i=1} e(\tilde{T}_j, T_i^{d_i^{(j)}})\, \prod \nolimits ^{\ell }_{i=1} e(V_i^{(j)},\,T_i)\, =Z^{(j)}. \end{aligned}$$
(21)

Note that, to show the impossibility, it is sufficient to consider a single-element message in \(\mathbb {G}_1\) rather than its vector form.

For elements \(R, S, T_i\) (\(i = 1,\dots ,\ell \)) in a signature, we consider a special representation of the form \(R = G^{\varphi _r} M^{\alpha _r},\, S = G^{\varphi _s} M^{\alpha _s},\, T_i = H^{\varphi _{t_i}}\) for some \(\varphi _r, \alpha _r, \varphi _s, \alpha _s, \varphi _{t_i}\) in \(\mathbb {Z}_p\). Now, consider Eq. (21) in the exponent:

(22)

By considering (22) as a polynomial in m, it can be shown that

(23)

if the discrete logarithm problem is hard in \(\mathbb {G}_1\). We denote by \(\mathtt{Dt}_{j,k}(t_1, \ldots , t_{\ell })\) the determinant of Eq. (23) for j and \(k \ne j\), when considered as polynomials in \((\alpha _r, \alpha _s)\). There exists a unique solution \((\alpha _r, \alpha _s)\) if and only if \(\mathtt{Dt}_{j,k}(t_1, \ldots , t_{\ell }) \ne 0\). Let \(\theta \) denote a transcript \(\theta := ( VK , (M^{(1)},R^{(1)},S^{(1)},T_1^{(1)}, \ldots , T_{\ell }^{(1)}), \ldots ,(M^{(n)},R^{(n)},S^{(n)}, T_1^{(n)}, \ldots , T_{\ell }^{(n)}))\). We construct a crucial relation for \(\textsf {Sig}\in \mathcal {SIG}_{\ell }\).

Definition 4

(Crucial Relation for \(\mathsf {Sig} \in \mathcal {SIG}_{\ell }\)). Let \(\varpi := (\omega _1,\omega _2)\) and given \(\theta \), let \((R,S,T_1,\ldots ,T_{\ell })\) be the first signature in \(\theta \), for message M. The relation \({\varPsi }(\theta ,\varpi )\) is decided as follows.

  1. If \(\theta \) is invalid, return 0.

  2. Else if there exist verification equations j and k s.t. \(\mathtt{Dt}_{j,k}(t_1, \ldots , t_{\ell }) \ne 0\),

    • if \(\varpi = (\alpha _r, \alpha _s)\) where \(\alpha _r\) and \(\alpha _s\) satisfy (23) for both verification equations j and k, return 1,

    • else return 0.

  3. Else if \(\varpi = (\bot ,\bot )\) then return 1, else return 0.

Lemma 4

The relation \({\varPsi }\) in Definition 4 is a crucial relation for any \(\textsf {Sig}\in \mathcal {SIG}_{\ell }\) w.r.t. algebraic algorithms and a message sampler choosing M uniformly.

We show that the relation \({\varPsi }\) in Definition 4 satisfies usefulness, omitting proofs for uniqueness and extractability (see [1] for further details).

Usefulness. Given \(\varpi = (\alpha _r, \alpha _s) \in \mathbb {Z}_p^2\), we forge a signature on arbitrary fresh message as follows:

Choose \(\hat{M} \in \mathbb {G}_1\) randomly. Compute \((M^{\star },\,R^{\star },\,S^{\star },\,T_1^{\star }, \ldots , T_{\ell }^{\star }) = (M \cdot \hat{M}, R \cdot \hat{M}^{\alpha _r},\, S \cdot \hat{M}^{\alpha _s},\, T_1, \ldots , T_{\ell }) \) and output \({ (R^{\star },\,S^{\star },\,T_1^{\star },\ldots ,T_{\ell }^{\star })}\) as a forgery for \(M^{\star }\). Since \(R^{\star } = G^{\varphi _r}(M^{\star })^{\alpha _r}\) and \(S^{\star } = G^{\varphi _s}(M^{\star })^{\alpha _s}\) use the actual \(\alpha _r\) and \(\alpha _s\) of the reduction's representation, the coefficient of the new message in the exponent of every verification equation vanishes by (23) while the remaining terms are unchanged, so the forgery constitutes a valid signature: it satisfies (21) for every verification equation.

On the other hand, if \(\varpi = (\bot ,\bot )\), it means that Eq. (23) is proportional (as an equation in \(\alpha _r\) and \(\alpha _s\)) for every verification equation j. We say a verification equation is degenerate if . Otherwise, it is called non-degenerate. Note that, if \(T_1,\ldots ,T_{\ell }\) are reused and a non-degenerate verification equation holds for certain M, R, S, then all verification equations also hold (because they are all proportional). This observation allows us to define the following forgery:

Pick a non-degenerate verification equation j s.t. . Compute \({{M}^{\star }} = M\cdot \big (U_1^{(j)}\prod _{i=1}^{\ell }\tilde{T}_{i}^{a_i^{(j)}}\big )^{-1}\) and \({{R}^{\star }} = R\cdot \big (U_3^{(j)}\prod _{i=1}^{\ell }\tilde{T}_{i}^{c_i^{(j)}}\big )\). Observe that \(({{R}^{\star }},S,T_1,\ldots ,T_{\ell })\) is a valid signature for \({{M}^{\star }}\): it satisfies the non-degenerate equation j and, because it reuses \(T_1,\ldots ,T_{\ell }\), it must satisfy all the others too.

If no non-degenerate verification equation satisfies the previous condition, pick one, say j, s.t. . Analogously, compute \({{M}^{\star }} = M\cdot \big (U_2^{(j)}\prod _{i=1}^{\ell }\tilde{T}_{i}^{b_i^{(j)}}\big )^{-1}\) and \({{S}^{\star }} = S\cdot \big (U_3^{(j)}\prod _{i=1}^{\ell }\tilde{T}_{i}^{c_i^{(j)}}\big )\) and observe that \((R,{{S}^{\star }},T_1,\ldots , T_{\ell })\) is a valid signature for \({{M}^{\star }}\).

Finally, if the above is not possible, all verification equations are degenerate for such \(T_1,\ldots ,T_{\ell }\). In that case, \((*,*,T_1,\ldots ,T_{\ell })\) is a valid signature for every message in \(\mathbb {G}_1\), where placeholders \(*\) can be filled with arbitrary \(\mathbb {G}_1\) elements.    \(\square \)
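The forgery branches of the usefulness argument, simulated in the exponent for \(\ell = 1\) as an added example (this is not code from the paper; the exponent form of Eq. (21) written in the header comment, the helper `make_scheme` that constructs sample verification equations consistent with a fixed reduction representation, and all numeric values are assumptions of this example). The first sample has two equations with \(\mathtt{Dt}_{1,2} \ne 0\), so the witness \((\alpha _r, \alpha _s)\) is recovered by Cramer's rule (clause 2 of Definition 4) and used to forge; the second sample has proportional equations (clause 3), where the shift by \(U_1\tilde{T}^{a_1}\) and \(U_3\tilde{T}^{c_1}\) forges without any witness. In the witness branch the exponent of \(\hat{M}\) is added with the sign that keeps \(R^{\star } = G^{\varphi _r}(M^{\star })^{\alpha _r}\); the final verification shows that this is what makes the forgery pass.

```python
# Added example, not from the paper: exponent-level simulation of the
# usefulness forgeries for a Type-II scheme in SIG_ell with ell = 1.
# Assumptions: group elements are represented by their discrete logs mod the
# prime P (G1 element G^x -> x, G2 element H^y -> y); the Type-II morphism
# maps H^y to G^y, so ~T has the same exponent as T, and e(G^x, H^y) adds x*y
# to the target-group exponent. Eq. (21) for ell = 1 then reads
#   r*(u1 + a*t) + s*(u2 + b*t) + m*(u3 + c*t) + d*t*t + v*t == z  (mod P)
# with R = G^r, S = G^s, M = G^m, T = H^t. All numbers are constructed data.
P = 2**127 - 1

class Equation:
    """Public data of one verification equation: exponents u1, u2, u3 of
    U_1, U_2, U_3, powers a, b, c of T inside the pairings, coefficient d of
    e(~T, T), exponent v of V_1 and exponent z of Z."""
    def __init__(self, u1, u2, u3, a, b, c, d, v, z):
        self.u1, self.u2, self.u3, self.a, self.b, self.c = u1, u2, u3, a, b, c
        self.d, self.v, self.z = d, v, z % P

    def abc(self, t):
        """(A, B, C): exponents of U_1 T^a, U_2 T^b, U_3 T^c, the coefficients
        of r, s, m once T = H^t is fixed."""
        return ((self.u1 + self.a * t) % P, (self.u2 + self.b * t) % P,
                (self.u3 + self.c * t) % P)

    def holds(self, m, r, s, t):
        A, B, C = self.abc(t)
        rest = self.d * t * t + self.v * t          # terms free of R, S, M
        return (r * A + s * B + m * C + rest) % P == self.z

def verify_all(eqs, m, r, s, t):
    return all(eq.holds(m, r, s, t) for eq in eqs)

def det(eq_j, eq_k, t):
    """Dt_{j,k}(t): determinant of {A alpha_r + B alpha_s + C = 0} for
    equations j, k read as linear equations in (alpha_r, alpha_s)."""
    Aj, Bj, _ = eq_j.abc(t)
    Ak, Bk, _ = eq_k.abc(t)
    return (Aj * Bk - Ak * Bj) % P

def solve_witness(eqs, t):
    """Clause 2 of Definition 4: a pair with Dt != 0 fixes the unique witness
    (alpha_r, alpha_s) by Cramer's rule; None means we are in clause 3."""
    for j, eq_j in enumerate(eqs):
        for eq_k in eqs[j + 1:]:
            D = det(eq_j, eq_k, t)
            if D:
                Aj, Bj, Cj = eq_j.abc(t)
                Ak, Bk, Ck = eq_k.abc(t)
                D_inv = pow(D, P - 2, P)
                return ((Ck * Bj - Cj * Bk) * D_inv % P, (Ak * Cj - Aj * Ck) * D_inv % P)
    return None

def forge_from_witness(sig, alpha_r, alpha_s, m_hat):
    """Witness branch: M* = M M^, R* = R M^^alpha_r, S* = S M^^alpha_s. The plus
    sign keeps R* = G^phi_r (M*)^alpha_r, so the m-coefficient still vanishes
    by (23) and the constant terms are unchanged."""
    m, r, s = sig
    return ((m + m_hat) % P, (r + alpha_r * m_hat) % P, (s + alpha_s * m_hat) % P)

def forge_shift(eqs, sig, t):
    """(bot, bot) branch: all equations proportional, so satisfying one of them
    with the same T satisfies them all."""
    m, r, s = sig
    for eq in eqs:
        A, B, C = eq.abc(t)
        if A:   # M* = M (U_1 ~T^a)^-1, R* = R (U_3 ~T^c)
            return ((m - A) % P, (r + C) % P, s)
        if B:   # M* = M (U_2 ~T^b)^-1, S* = S (U_3 ~T^c)
            return ((m - B) % P, r, (s + C) % P)
    return None  # every equation has A = B = 0: any (R, S) would do

def make_scheme(rows, t, alpha_r, alpha_s, phi_r, phi_s):
    """Constructed sample equations satisfied, for every message, by a
    reduction that represents R = G^phi_r M^alpha_r, S = G^phi_s M^alpha_s,
    T = H^t: u3 makes the m-coefficient vanish (this is Eq. (23)) and z
    absorbs the constant part. rows = [(u1, u2, a, b, c, d, v), ...]."""
    eqs = []
    for u1, u2, a, b, c, d, v in rows:
        A, B = u1 + a * t, u2 + b * t
        u3 = (-(alpha_r * A + alpha_s * B) - c * t) % P
        z = phi_r * A + phi_s * B + d * t * t + v * t
        eqs.append(Equation(u1, u2, u3, a, b, c, d, v, z))
    return eqs

def demo():
    t, alpha_r, alpha_s, phi_r, phi_s, m = 7, 3, 5, 11, 13, 123456789
    sig = (m, (phi_r + alpha_r * m) % P, (phi_s + alpha_s * m) % P)
    out = {}
    # Scheme 1: the two equations have Dt != 0 (clause 2): extract, then forge.
    eqs1 = make_scheme([(2, 3, 1, 4, 6, 9, 8), (5, 1, 2, 3, 7, 4, 2)],
                       t, alpha_r, alpha_s, phi_r, phi_s)
    out["witness1"] = solve_witness(eqs1, t)
    f1 = forge_from_witness(sig, *out["witness1"], 987654321)
    out["forgery1_ok"] = (verify_all(eqs1, *sig, t) and f1[0] != m
                          and verify_all(eqs1, *f1, t))
    # Scheme 2: second equation is 4 times the first (Dt = 0): shift forgery.
    eqs2 = make_scheme([(2, 3, 1, 4, 6, 9, 8), (8, 12, 4, 16, 24, 5, 1)],
                       t, alpha_r, alpha_s, phi_r, phi_s)
    out["witness2"] = solve_witness(eqs2, t)
    f2 = forge_shift(eqs2, sig, t)
    out["forgery2_ok"] = (verify_all(eqs2, *sig, t) and f2[0] != m
                          and verify_all(eqs2, *f2, t))
    return out
```

Calling `demo()` returns the recovered witness `(3, 5)` for the first scheme, `None` for the second, and `True` for both forgery checks. Replacing the plus sign in `forge_from_witness` by a minus makes `forgery1_ok` false, which is the quickest way to see why the exponent of \(\hat{M}\) must follow the reduction's representation.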

The above implies that constructions with signature elements \(R \in \mathbb {G}_1\) and \(S, T_1, \ldots , T_{\ell -1} \in \mathbb {G}_2\) are impossible. Additionally, we can say that no secure SPS based on non-interactive assumption with all signature elements in \(\mathbb {G}_2\) can exist.

5 Discussion and Open Problems

On the Tightness of Our Bound for Type-III. We have shown that 6 elements are necessary and the construction from [5] shows that 6 elements are also sufficient. This construction requires 3 signature elements in every source group. A small remaining question would be whether a construction is possible with 2 elements on one side and 4 elements on the other. Our Corollary 2 gives necessary conditions on the shape of the verification equations of such a scheme.

On Constructions Over Type-II Groups. We next discuss the current status of constructions in the setting marked as \(\dagger \), \(\ddagger \), \(\S \) in Table 1 and (non-)optimality of the lower bounds obtained in this paper.

  • (\(\dagger \) Bilateral messages, interactive assumptions). The optimal scheme for unilateral messages in \(\mathbb {G}_1\) (and the scheme in Type-I) from [8] cannot be straightforwardly used for signing bilateral messages since the scheme can sign only a single group element. The best existing scheme for this setting is the 7-element scheme in [3] originally designed for Type-I groups. It can be securely used for bilateral messages in Type-II groups since the construction and security proofs do not use the symmetry of the pairing, and the underlying q-type assumption is justified in the Type-I generic group model where an efficient morphism from \(\mathbb {G}_2\) to \(\mathbb {G}_1\) does exist. To close the gap between lower and upper bounds in this setting, finding a 3-element scheme that signs messages consisting of two group elements in \(\mathbb {G}_1\) is desired.

  • (\(\ddagger \) Unilateral messages in \(\mathbb {G}_1\) and bilateral messages, q-type assumptions). The 7-element scheme from [3] is not known to be optimal, since the current lower bound is 4. We want to note that some straightforward approaches to get closer to the lower bound fail: First, observe that the 4-element scheme [4] based on a q-type assumption cannot be used, because it is defined over Type-III bilinear groups and the assumption does not hold in the Type-II setting. Second, the technique of converting a SPS scheme from an interactive to a non-interactive assumption by using the first group element in a message as a random element in a signature (as used in [4, 6, 15]) does not work because the existing 3-element scheme [8] based on an interactive assumption has a limited message space consisting only of one group element. Closing the gap in this case remains as an open problem.

  • (\(\S \) All message types, static assumptions). The construction in [22] instantiated with the DLIN assumption can be adapted to Type-II groups. It yields signatures with 9 group elements for messages consisting of an arbitrary (but fixed in advance) number of group elements in \(\mathbb {G}_1\), and hence can be used to sign unilateral messages in \(\mathbb {G}_2\) or bilateral messages as well. To the best of our knowledge, that is currently the smallest scheme (according to the signature size), and it is still far from our lower bound of 4 signature elements.

On the Possibility of Showing a Lower Bound for Unilateral Messages in \(\mathbb {G}_2\) in Type-II Groups. The authors of [6] have constructed a SPS scheme over Type-II groups for messages in \(\mathbb {G}_2\) based on a non-interactive assumption, with 3 signature elements. This gives an upper bound of 3, while there is a lower bound of 2. Extrapolating from known lower bounds in different settings, it is natural to conjecture that the 3-element construction is indeed optimal in this case. However, the fact that secure constructions with a single verification equation exist in Type-II makes our techniques inapplicable to this case. Finding a scheme with 2 signature elements in this setting, or proving that 3 group elements are needed, remains an open problem. We conjecture that a 2-element construction based on non-interactive assumptions does not exist and lean towards the optimality of 3 signature elements.