thesis/chap-sigmasig.tex

\chapter{Pairing-Based Dynamic Group Signatures}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
\label{ch:sigmasig}


%-----------------------------------------------------------------------
\section{Building blocks}

We  use bilinear maps $e:\GG \times \Gh \to \GT$ over
groups  of prime order $p$ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref{se:pairings}. All these definitions are recalled below.

\defPairings*

\defSXDH*

\defSDL*

\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Briques de base}
\subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces}  \label{sse:sigmasig-qa-nizk}
\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Argument NIZK quasi-adaptatif pour un sous-espace linéaire}

Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string  (CRS)
may depend on the language for which proofs have to be generated. 
Formal definitions are given in \cite{JR13,LPJY14,KW15}.  %Appendix~\ref{QA-NIZK}.  

This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. 
In the description below, we assume that all 
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric 
bilinear groups $(\GG,\Gh,\GG_T,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
In this setting the problem is to convince that $\boldsymbol v$ is a linear combination of the rows of a given 
$\mathbf{M}\in\GG^{t\times n}$.

Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH.
We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$.

\begin{description}
\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:] 
  Given public parameters $\mathsf{cp}=(\GG,\Gh,\GG_T,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$.
  Then, choose $\hat{g_z}  \sample  \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$ 
	and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$.  
	Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and
  output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) 
	\in \GG^t\times\Gh^{n+1}$. 

\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol v}, \{\omega_i\}_{i=1}^t)$:] 
  To prove that ${\boldsymbol v}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, 
	for some witness $\omega_1,\ldots,\omega_t \in \Zp$,
	where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, 
	parse $\mathsf{crs}$ as above
	and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$.
 
\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol v})$:] 
  In order to simulate a proof for a vector  ${\boldsymbol v} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, 
	output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $.

\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol v}, \pi)$:] 
  Given $\pi \in \GG$ and ${\boldsymbol v}=(v_1,\dotsc,v_n)$, 
	return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies
  $ 1_{\GG_T} =  e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $  
\end{description}

The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. 
This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.
This requirement is compatible with our security proofs.

\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}

In  \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme 
 implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme 
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. 
Moreover, we show that their scheme remains unforgeable under the SXDH assumption.  

\begin{description}
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ 
  of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$. 
\end{description}
\begin{enumerate}
\item Choose $\omega,a \sample \Zp$,
   and set $h=g^a$,
  $\Omega=h^{\omega}$.
\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$.  
\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$  
  \begin{equation}\label{matrix-scal-sig} 
    \mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} = 
    \setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3}  
    \left(\begin{array}{c|c|c|c} 
    g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline  
	  \vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}} 
	  & \mathbf{1}_{{}_{\ell+1}}^\top 
	  \end{array}\right) ,
  \end{equation}
  where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} 
  to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. 
	\bigskip
\item[]
The  private key is $ \mathsf{sk}:=\omega $ and the  public key is  
\begin{align*}
  \mathsf{pk}=\Bigl(
    \mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w)
    ,~\Omega=h^\omega,~\mathsf{crs}
  \Bigr).
\end{align*}
\end{enumerate}

\begin{description}
\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given 
the private key $\mathsf{sk}=\omega$ and a message 
$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute 
\begin{align*}
  \sigma_1 & 
  = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & 
  \sigma_2 & = g^{s},   &    \sigma_3 & = h^{s} .
\end{align*}
Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that 
the following vector of $\GG^{2\ell+4}$
\begin{align} \label{eq:vector}
  (\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,  
  \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega) 
\end{align}
is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of  $\pi  = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot 
  z_{\ell+2})^{s}.$ 

Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.

\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$] 
  parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$ 
	if and only if 
	\begin{align} \label{sig-ver-1}
		e(\Omega,\hat{g}_{2\ell+4})^{-1}  =
    &~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber
		&~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} )  \\ \nonumber
		&~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) .
	\end{align}

\end{description}

The signature on $\ell$ scalars thus only consists of  4 elements in $\GG$ 
while the verification equation only involves a computation of 5 pairings.

\begin{theorem} \label{th:eu-cma-1}
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GG_T)$.
\end{theorem}

\begin{proof}
   We will proceed as in~\cite{LPY15} to prove that the scheme of 
  section~\ref{scal-sig} is secure under chosen-message attacks.  Namely we will consider a sequence of hybrid games involving two
  kinds of signatures. \vspace{-0.1 cm}

  \begin{description}
    \item[Type A signatures:] These are real signatures:
      \begin{equation} \label{eq:rel-sig-A}
        \begin{aligned}
          \sigma_1 &= g^\omega \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, &
          \sigma_2 &= g^s, \\
          \pi  &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot 
          z_{\ell+2})^{s} ,& 
          \sigma_3 &= h^s.
        \end{aligned}
      \end{equation}
  Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$ 
  is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as 
  \begin{equation}
    \label{eq:rel-sim-A}
    \begin{aligned}
    \pi &=  \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad & 
    \left( \prod_{i=\ell + 3}^{2 \ell + 2} \sigma_3^{-\chi_i m_{i - \ell - 2}} \right) \cdot
    \sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} . 
    \end{aligned}
  \end{equation}
  \end{description} \smallskip

  \noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
  Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no
  restriction is given on $\pi$ beyond the fact that it should be a valid
  homomorphic signature on vector~\eqref{eq:vector}.
  \smallskip

  \begin{description}
    \item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and 
      compute:
      \begin{equation*}
        \begin{gathered}
          (\sigma_1,\sigma_2,\sigma_3) =( g^{\omega'} \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, ~ g^s, ~ h^{s+s_1}),
        \end{gathered}
        \label{eq:rel-sig-B}
      \end{equation*}
       The QA-NIZK proof $\pi$ is
      computed  as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using   $\omega \in \Zp$.
  \end{description}
  \smallskip

 
 We consider a sequence of games. 
  In Game $i$,   $S_i$ denotes the event that   $\adv$
  produces a valid signature $\sigma^\star$ on   $M^\star$ such that
  $(M^\star, \sigma^\star)$ was not queried before, and by $E_i$ the event that
  $\adv$ produces a Type $\mathrm{A}'$ signature.

  \begin{description}
    \item[Game 0:] This is the real  game. The challenger $\bdv$ produces
      a key pair $(\mathsf{sk}, \mathsf{pk})$ and sends $\mathsf{pk}$ to   $\adv$. Then $\adv$
      makes $Q$ signature queries: $\adv$ sends messages $M_i$ to $\bdv$, and $\bdv$
      answers by sending $\sigma_i = \Sign(\mathsf{sk}, M_i)$ to $\adv$. Finally $\adv$
      sends a pair $(M^\star, \sigma^\star) \notin \{ (M_i, \sigma_i) \}_{i=1}^Q$ 
      and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.

    \item[Game 1:] We change the way $\bdv$ answers signing queries.
      The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs
      using $\mathsf{tk}$
      as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated
      proofs for true statements, and then their distribution remains unchanged.
       We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge
      \neg E_1]$. 
			 Lemma~\ref{le:type-a-sig} states 
			 			 that the event $S_1 \wedge
      \neg E_1$ happens with all but negligible probability: $\Pr[S_1 \wedge
      \neg E_1] \leq \advantage{\DDH}{\Gh}(\lambda) - 1/p$. Thus our task is now
      to upper-bound the probability $\Pr[S_1 \wedge E_1]$.

    \item[Game 2.$\boldsymbol{k~(0 \leq k \leq Q)}$:] In Game $2.k$, the
      challenger returns a Type B signature for the first $k$ queries. At the
      last $Q - k$ signature queries, the challenger answers a type $A$
      signature.  \cref{le:type-b-sig} ensures that
      \[\left| \Pr\Bigl[S_{2.k} \wedge E_{2.k}\Bigr] - \Pr\Bigl[S_{2.(k-1)} \wedge E_{2.(k-1)}\Bigr] \right|\]
      is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.  
  \end{description}

  In Game $2.Q$, we know that if   SXDH   holds, $\adv$ can only output a type $\mathrm{A}'$
  forgery even if it only obtains type B signatures during the game.
  Nevertheless,  lemma~\ref{le:final-forgery} shows 
	that a type $\mathrm{A}'$ forgery in Game
  $2.Q$ contradicts the DDH assumptions in $\GG$. Therefore we have
  $\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by 
  \begin{multline*}
    \advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right)   + \advantage{\DDH}{\GG}(\lambda) \\
     <   (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right). 
  \end{multline*} 
\end{proof}



 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\begin{lemma} \label{le:type-a-sig}
  In \textbf{Game 1}, if the DDH assumption holds in $\Gh$, $\adv$ can only output   a type $A'$
  forgery.
\end{lemma}

\begin{proof}
  Let $\adv$ be an attacker  that does not
  output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the 
	Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing
  problem that reduces from DDH as explained in~\cite{LPJY13}.
  Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as 
  \[
    \ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega) 
    \in \GG^{2\ell + 4}.
  \]
  If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row
  space of $\mathbf{M}$.

  Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\hat\GG,\GG_T,p)$, a matrix ${\mathbf{M}}$ as in 
	(\ref{matrix-scal-sig}) and a common 
	reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the 
	QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. 
	The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
	After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.
	Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
  \begin{align*}
    \mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr). 
  \end{align*}

  Since $\bdv$ knows the secret key $\omega \in \Zp$, it can answer all signing queries by honestly
  running the $\Sign$ algorithm, in particular, it does not need to know $\mathsf{tk}$ to do this.

  When $\adv$ halts, it outputs  $(M^\star, \sigma^\star)$ where $\sigma^\star$ is not a Type $\mathrm{A}'$ forgery, so that  $\ssigma$ is not in the row space of $\mathbf{M}$.
  Therefore, outputting $\pi^\star$ constitutes a valid proof against the soundness property of the
  scheme, and thus implies an algorithm against DDH as in~\cite{KW15} since the matrix can be 
	witness-samplable. 
\end{proof}

\begin{lemma} \label{le:type-b-sig}
If DDH holds in $\GG$, for each $k \in
  \{1,\ldots, Q \}$, $\adv$ produces a type $A'$ forgery with negligibly different probabilities in \textbf{Game $\boldsymbol{2.k}$} and \textbf{Game $\boldsymbol{2.(k-1)}$}.
\end{lemma}
%
\begin{proof}
  Let us assume there exists an index $k \in \{1, \ldots, Q\}$ and an adversary $\adv$ that outputs a
  Type $\mathrm{A}'$ forgery with   smaller probability in Game $2.k$ than in Game
  $2.(k-1)$. We build a DDH distinguisher $\bdv$. \medskip
  \\
  Algorithm $\bdv$ takes in   $(g^a, g^b, \eta) \in \GG^3$, where $\eta =
  g^{a(b+c)}$, and  decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It
    picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \Zp$
  and sets $\Omega = h^\omega$ as well as:
  \[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \]
 % in order to have the discrete logs of $v_i$ and $w$. \medskip
 % \\
  
	The reduction $\bdv$ also chooses $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ and
  computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{2\ell+4}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$   
	as in steps 3-4 of \textsf{Keygen}. It then outputs $\mathsf{pk}=(g,h,\hat g, \vec{v}, \omega,\mathsf{crs})$.
  \smallskip
	
  Then, queries are answered  depending on their index~$j$:\\
  \textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,
  \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator
  to computes $\pi$.

  \noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
  Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows
  and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs.

  \noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
  embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$
  depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some  $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, 
  and
  $ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $   
  Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.
  \smallskip

  If $\eta = g^{ab}$, the $k$-th  signature $\sigma$ is
  a Type A signature with $s=b$. If $\eta = g^{a(b+c)}$ for some   $c
  \in_R \Zp$, we have:
  \begin{align*}
      \sigma_1 & = g^\omega g^{ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b\\
               & = g^{\omega'} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b \\
      \sigma_2 &= g^b, \qquad \qquad \qquad \qquad \qquad
      \sigma_3 = h^{b+c} 
  \end{align*}
  Where $\omega' = \omega + ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)$. Since the term $b_w +
  \sum_{i=1}^\ell b_{v_i}m_i$ is uniform  and independent of $\adv$'s view, $\sigma$ is
  distributed as a Type B signature if $\eta = g^{a(b+c)}$.

  When $\adv$ terminates, it outputs a couple $(m_1^\star\cdots m_\ell^\star, \sigma^\star)$ that has not been queried
  during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a
  Type $\mathrm{A}'$ forgery or not.  To this end, it tests if the equality:
  \begin{equation} \label{eq:verif-proof}
    \sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star} 
  \end{equation}
  is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta = g^{ab}$. Otherwise it outputs
  $0$ and rather bets that $\eta \in_R \GG$.

  To see why this test allows recognizing Type $\mathrm{A}'$ forgeries,
  we remark that $\sigma^\star$ is of the form: 
  \begin{align*}
    \sigma^\star_2 & = g^s , &
    \sigma^\star_3 & = h^{s + s_1} , &
    \sigma^\star_1 & = g^{\omega + s_0} (v_1^{m^\star_1} \cdots v_\ell^{m^\star_\ell} w)^s ,
  \end{align*}
  and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that 
	$s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell b_{v_i} \cdot m_i^\star)$ if the forgery fulfills
	relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$
	meaning that Type $\mathrm{B}$ forgery passes the test with the same probability.
	
  %\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if
  %$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then
  %have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell
  %b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with
  %probability $1/p$.

  From the entire game, and assuming a forgery which passes the test, we have the following linear system:
  %On the other hand, the information that $\adv$ can infer about
  %$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
  %during the game amounts to the first
  %$\ell + 2$ rows of the right-hand-side member in the following linear system:
  \[
    \left(
    \bgroup
    \def\arraystretch{1.5}
    \begin{array}{c|c}
      \mathbf{I}_{\ell+1} & a \cdot \mathbf{I}_{\ell + 1}\\ \hline
      \boldsymbol{0}_{\ell + 1}^{\top} &  ac \cdot( m_1 | \cdots | m_\ell | 1) \\ \hline
      \boldsymbol{0}_{\ell + 1}^{\top} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1) 
    \end{array}
    \egroup
    \right) \cdot
%    \begin{pmatrix}
%      1 & & & a & & \\
%      & \ddots & & & \ddots & \\
%      & & 1 & & & & a \\
%      & & & a c \cdot m_1 & \cdots & a c \cdot m_\ell & ac \\
%      & & & a c \cdot m_1^\star & \cdots & a c \cdot m_\ell^\star & ac
%    \end{pmatrix} \cdot
    \begin{pmatrix}
      a_{v_1} \\   \vdots \\   a_{v_\ell} \\     a_w\\
      b_{v_1} \\   \vdots \\   b_{v_\ell} \\     b_w
    \end{pmatrix} 
		=
    \begin{pmatrix}
    \log_g(v_1) \\   \vdots \\   \log_g(v_\ell) \\   \log_g(w) \\
    \omega' - \omega \\    s_0
    \end{pmatrix}
  \]
  where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$ 
	is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when 
	 $c=0$ since then $\omega' = \omega$. However, even if $c\neq 0$ the information that $\adv$ can infer about
  $(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
  during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that 
	this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension 
	at least one (actually $\ell=(2\ell+2) -(\ell+2)$). Finally, as long as $s_1\neq 0$, the right value $s_0$
	can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others 
	as soon as $(m_1, \ldots, m_\ell) \neq (m^\star_1, \ldots, m^\star_\ell) \neq 0$.
	
	To conclude the proof, since $\bdv$ is able the tell apart the type of the forgery, if $\adv$'s probability to 
  output a forgery of some Type in Game $k-1$ (\textit{i.e.}, $c=0$) was significantly different than in Game $k$ 
  (\textit{i.e.}, $c\neq0$) then $B$ would be able to solve the DDH problem with non-negligible advantage. 
	 
\end{proof}

\begin{lemma} \label{le:final-forgery}
  In \textbf{Game $\boldsymbol{2.Q}$}, a PPT adversary outputting a type $A'$ forgery would contradict
  the DDH assumption in $\GG$:
  $ \Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda).$
\end{lemma}

\begin{proof}
  We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at
  least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega =
  h^\omega)$ and computes $g^\omega$. To generate  $\mathsf{pk}$, $\bdv$ picks $\hat g
  \sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes 
  $ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates 
	$\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$,
  $\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z,  \{\hat g_i\}_{i=1}^{2\ell + 4})$
  as in step 3-4 of the key generation algorithm, then sends the  public key 
	$ pk = \bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, \mathsf{crs}\bigr) $ to  $\adv$.
  %\begin{multline*}
  %  pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, 
  %  \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr) 
  %\end{multline*}

  \noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle
  signing queries. We recall that during the game,  signing queries are answered by returning a
  Type B signature so that,  using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the
  $\omega = \log_h(\Omega)$ which is part of the CDH challenge.

  The results of Lemma~\ref{le:type-b-sig} implies that even if $\adv$ only obtains Type B signatures,
  it will necessarily output a Type $\mathrm{A}'$ forgery
  $\sigma^\star = (\sigma^\star_1, \sigma^\star_2, \sigma^\star_3, \pi^\star)$
  unless the DDH assumption does not hold in $\GG$. 
 This event thus allows $\bdv$ to compute  
 \[g^\omega = \sigma_1^\star \cdot {\sigma_2^\star}^{-a_w - \sum_{i=1}^\ell a_{v_i} m_i^\star}_{},\]
  which contradicts the DDH assumption in $\GG$.
\end{proof}



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%