\chapter{Pairing-Based Dynamic Group Signatures} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages} \label{ch:sigmasig} %----------------------------------------------------------------------- \section{Building blocks} We use bilinear maps $e:\GG \times \Gh \to \GT$ over groups of prime order $p$ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref{se:pairings}. All these definitions are recalled below. \defPairings* \defSXDH* \defSDL* \addcontentsline{tof}{section}{\protect\numberline{\thechapter} Briques de base} \subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk} \addcontentsline{tof}{section}{\protect\numberline{\thechapter} Argument NIZK quasi-adaptatif pour un sous-espace linéaire} Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS) may depend on the language for which proofs have to be generated. Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}. This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. In the description below, we assume that all algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric bilinear groups $(\GG,\Gh,\GG_T,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter. In this setting the problem is to convince that $\boldsymbol v$ is a linear combination of the rows of a given $\mathbf{M}\in\GG^{t\times n}$. Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH. We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$. 
\begin{description} \item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:] Given public parameters $\mathsf{cp}=(\GG,\Gh,\GG_T,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$, choose $\hat{g}_z \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$ and compute $\hat{g}_j=\hat{g}_z^{\chi_j}$, for all $j=1$ to $n$. Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) \in \GG^t\times\Gh^{n+1}$. The simulation trapdoor $\mathsf{tk}$ is kept secret (or erased) by the party generating the CRS and is only used in the security proofs. \item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol v}, \{\omega_i\}_{i=1}^t)$:] To prove that ${\boldsymbol v}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, for some witness $\omega_1,\ldots,\omega_t \in \Zp$, where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, parse $\mathsf{crs}$ as above and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$. \item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol v})$:] In order to simulate a proof for a vector ${\boldsymbol v} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $. Note that such a simulated proof satisfies the verification equation below for \emph{any} ${\boldsymbol v}\in\GG^n$, whether or not ${\boldsymbol v}$ lies in the row space of $\mathbf{M}$; this is why $\mathsf{tk}$ must never be disclosed. \item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol v}, \pi)$:] Given $\pi \in \GG$ and ${\boldsymbol v}=(v_1,\dotsc,v_n)$, return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies $ 1_{\GG_T} = e(\pi,\hat{g}_z) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ Since $e$ is non-degenerate and $\hat{g}_z\neq 1_{\Gh}$ (which holds except with probability $1/p$), this equation determines $\pi$ uniquely from ${\boldsymbol v}$ and $\mathsf{crs}$. \end{description} The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$. This requirement is compatible with our security proofs. Soundness is only guaranteed for an honestly generated $\mathsf{crs}$ whose trapdoor $\mathsf{tk}$ has not leaked. \section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig} In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. 
We show that their scheme implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. Moreover, we show that their scheme remains unforgeable under the SXDH assumption. \begin{description} \item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$. \end{description} \begin{enumerate} \item Choose $\omega,a \sample \Zp$, and set $h=g^a$, $\Omega=h^{\omega}$. \item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$. \item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$ \begin{equation}\label{matrix-scal-sig} \mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} = \setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3} \left(\begin{array}{c|c|c|c} g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline \vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}} & \mathbf{1}_{{}_{\ell+1}}^\top \end{array}\right) , \end{equation} where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$. \item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. \bigskip \item[] The private key is $ \mathsf{sk}:=\omega $ and the public key is \begin{align*} \mathsf{pk}=\Bigl( \mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w) ,~\Omega=h^\omega,~\mathsf{crs} \Bigr). 
\end{align*} \end{enumerate} \begin{description} \item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given the private key $\mathsf{sk}=\omega$ and a message $\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute \begin{align*} \sigma_1 & = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & \sigma_2 & = g^{s}, & \sigma_3 & = h^{s} . \end{align*} Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that the following vector of $\GG^{2\ell+4}$ \begin{align} \label{eq:vector} (\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega) \end{align} is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot z_{\ell+2})^{s}.$ Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$. \item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$] parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$ if and only if \begin{align} \label{sig-ver-1} e(\Omega,\hat{g}_{2\ell+4})^{-1} = &~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber &~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) \\ \nonumber &~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) . \end{align} \end{description} The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$ while the verification equation only involves a computation of 5 pairings. \begin{theorem} \label{th:eu-cma-1} The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GG_T)$. \end{theorem} \begin{proof} We will proceed as in~\cite{LPY15} to prove that the scheme of section~\ref{scal-sig} is secure under chosen-message attacks. 
Namely we will consider a sequence of hybrid games involving two kinds of signatures. \vspace{-0.1 cm} \begin{description} \item[Type A signatures:] These are real signatures: \begin{equation} \label{eq:rel-sig-A} \begin{aligned} \sigma_1 &= g^\omega \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, & \sigma_2 &= g^s, \\ \pi &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot z_{\ell+2})^{s} ,& \sigma_3 &= h^s. \end{aligned} \end{equation} Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$ is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as \begin{equation} \label{eq:rel-sim-A} \begin{aligned} \pi &= \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad & \left( \prod_{i=\ell + 3}^{2 \ell + 2} \sigma_3^{-\chi_i m_{i - \ell - 2}} \right) \cdot \sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} . \end{aligned} \end{equation} (In fact it is the very same group element: for fixed $(\sigma_1,\sigma_2,\sigma_3)$, the verification equation~\eqref{sig-ver-1} determines $\pi$ uniquely.) \end{description} \smallskip \noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of Type A signatures where only the conditions of~\eqref{eq:rel-sig-A} on $(\sigma_1,\sigma_2,\sigma_3)$ are imposed (\textit{i.e.}, $\sigma_1 = g^\omega\cdot(v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^s$, $\sigma_2=g^s$ and $\sigma_3=h^s$ for some $s\in\Zp$) and no restriction is put on $\pi$ beyond the fact that it should be a valid QA-NIZK proof (homomorphic signature) for vector~\eqref{eq:vector}, \textit{i.e.}, that $(\sigma_1,\sigma_2,\sigma_3,\pi)$ satisfies~\eqref{sig-ver-1}. \smallskip \begin{description} \item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and compute: \begin{equation*} \begin{gathered} (\sigma_1,\sigma_2,\sigma_3) =( g^{\omega'} \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, ~ g^s, ~ h^{s+s_1}), \end{gathered} \label{eq:rel-sig-B} \end{equation*} The QA-NIZK proof $\pi$ is computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$, but they do require $\mathsf{tk}$: the vector~\eqref{eq:vector} is then in general outside the row space of $\mathbf{M}$, yet the simulated $\pi$ still passes the verification equation~\eqref{sig-ver-1}. 
\end{description} \smallskip We consider a sequence of games. In Game $i$, $S_i$ denotes the event that $\adv$ produces a valid signature $\sigma^\star$ on a message $M^\star$ that was not submitted to the signing oracle, and $E_i$ denotes the event that $\adv$ produces a Type $\mathrm{A}'$ signature. \begin{description} \item[Game 0:] This is the real game. The challenger $\bdv$ produces a key pair $(\mathsf{sk}, \mathsf{pk})$ and sends $\mathsf{pk}$ to $\adv$. Then $\adv$ makes $Q$ signature queries: $\adv$ sends messages $M_i$ to $\bdv$, and $\bdv$ answers by sending $\sigma_i = \Sign(\mathsf{sk}, M_i)$ to $\adv$. Finally $\adv$ outputs a pair $(M^\star, \sigma^\star)$ with $M^\star \notin \{ M_i \}_{i=1}^Q$ and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$. (This is the \textsf{eu-cma} experiment of \cref{th:eu-cma-1}; the fact that $M^\star$ differs from every queried message is used in the proof of \cref{le:type-b-sig}.) \item[Game 1:] We change the way $\bdv$ answers signing queries. The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs using $\mathsf{tk}$ as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are simulated proofs for true statements, so their distribution remains unchanged and $\Pr[S_1]=\Pr[S_0]$. We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge \neg E_1]$. Lemma~\ref{le:type-a-sig} states that the event $S_1 \wedge \neg E_1$ happens with negligible probability: $\Pr[S_1 \wedge \neg E_1] \leq \advantage{\DDH}{\Gh}(\lambda) + 1/p$. Thus our task is now to upper-bound the probability $\Pr[S_1 \wedge E_1]$. \item[Game 2.$\boldsymbol{k~(0 \leq k \leq Q)}$:] In Game $2.k$, the challenger returns a Type B signature for the first $k$ queries. At the last $Q - k$ signature queries, the challenger answers with a Type A signature (so Game $2.0$ is identical to Game $1$). \cref{le:type-b-sig} ensures that \[\left| \Pr\Bigl[S_{2.k} \wedge E_{2.k}\Bigr] - \Pr\Bigl[S_{2.(k-1)} \wedge E_{2.(k-1)}\Bigr] \right|\] is at most $\advantage{\DDH}{\GG}(\lambda) + 1/p$. \end{description} In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$ forgery even if it only obtains type B signatures during the game. 
Nevertheless, \cref{le:final-forgery} shows that a type $\mathrm{A}'$ forgery in Game $2.Q$ contradicts the DDH assumption in $\GG$. Therefore we have $\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by \begin{multline*} \advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\ \leq (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}}{\GG, \Gh}(\lambda) + \frac{1}{p} \right), \end{multline*} where $\advantage{\mathrm{SXDH}}{\GG,\Gh}(\lambda)$ denotes the larger of the DDH advantages in $\GG$ and in $\Gh$. \end{proof} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{lemma} \label{le:type-a-sig} In \textbf{Game 1}, if the DDH assumption holds in $\Gh$, $\adv$ can only output a type $A'$ forgery. \end{lemma} \begin{proof} Let $\adv$ be an attacker that outputs, with non-negligible probability, a valid forgery which is not of type $\mathrm{A}'$. We will build an attacker $\bdv$ against the soundness of the Quasi-Adaptive NIZK (QA-NIZK) scheme, whose soundness follows from the hardness of the double-pairing problem, which is itself implied by the DDH assumption in $\Gh$ as explained in~\cite{LPJY13}. Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as \[ \ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega) \in \GG^{2\ell + 4}. \] If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row space of $\mathbf{M}$. Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GG_T,p)$, a matrix ${\mathbf{M}}$ as in (\ref{matrix-scal-sig}) and a common reference string $\mathsf{crs}$ (depending on the matrix, and generated without revealing $\mathsf{tk}$ to $\bdv$) for an instance of the QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$. 
After that, $\bdv$ picks $\omega \sample \Zp$ and $\hat g \sample \Gh$, and sets $\Omega = h^\omega$. Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key: \begin{align*} \mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \Omega,\mathsf{crs} \bigr). \end{align*} (The secret exponent $\omega$ is of course not part of $\mathsf{pk}$; only $\Omega=h^\omega$ is.) Since $\bdv$ knows the secret key $\omega \in \Zp$, it can answer all signing queries by honestly running the $\Sign$ algorithm; in particular, it does not need to know $\mathsf{tk}$ to do this, which is essential since $\mathsf{tk}$ is not available to a soundness attacker. When $\adv$ halts, it outputs $(M^\star, \sigma^\star)$ where $\sigma^\star$ is a valid signature but not a Type $\mathrm{A}'$ forgery, so that $\ssigma$ is not in the row space of $\mathbf{M}$ while $\pi^\star$ satisfies the verification equation~\eqref{sig-ver-1}, which is exactly the QA-NIZK verification equation for $\ssigma$. Therefore, outputting $(\ssigma,\pi^\star)$ constitutes a valid proof for a vector outside the row space, breaking the soundness property of the scheme, and thus implies an algorithm against DDH in $\Gh$ as in~\cite{KW15} since the matrix is witness-samplable. \end{proof} \begin{lemma} \label{le:type-b-sig} If DDH holds in $\GG$, for each $k \in \{1,\ldots, Q \}$, $\adv$ produces a type $A'$ forgery with negligibly different probabilities in \textbf{Game $\boldsymbol{2.k}$} and \textbf{Game $\boldsymbol{2.(k-1)}$}. \end{lemma} % \begin{proof} Let us assume there exists an index $k \in \{1, \ldots, Q\}$ and an adversary $\adv$ that outputs a Type $\mathrm{A}'$ forgery with noticeably different probability in Game $2.k$ than in Game $2.(k-1)$. We build a DDH distinguisher $\bdv$. \medskip \\ Algorithm $\bdv$ takes in $(g^a, g^b, \eta) \in \GG^3$, where $\eta = g^{a(b+c)}$, and decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \Zp$ and sets $\Omega = h^\omega$ as well as: \[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \] % in order to have the discrete logs of $v_i$ and $w$. 
\medskip % \\ The reduction $\bdv$ also chooses $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ and computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{\ell+2}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$ as in steps 3-4 of \textsf{Keygen} (this only requires the group elements of $\mathbf{M}$, not their discrete logarithms, so $\bdv$ does not need $a$ or $b$ for it). It then outputs $\mathsf{pk}=(g,h,\hat g, \vec{v}, \Omega,\mathsf{crs})$; the secret exponent $\omega$ is not part of $\mathsf{pk}$. \smallskip Then, queries are answered depending on their index~$j$:\\ \textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator to compute $\pi$. \noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k$ signing queries are computed as Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ it knows, and either $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produce valid proofs. \noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$ embeds the DDH instance in the signature and simulates either Game $2.(k-1)$ or Game $2.k$ depending on whether $\eta = g^{ab}$ (\textit{i.e.}, $c=0$) or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, and $ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}, $ which it can do without knowing $b$ since it knows the representations of $v_1,\ldots,v_\ell,w$ with respect to $(g,h)$. Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$. \smallskip If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is a Type A signature with $s=b$. If $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$, we have: \begin{align*} \sigma_1 & = g^\omega g^{ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b\\ & = g^{\omega'} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b \\ \sigma_2 &= g^b, \qquad \qquad \qquad \qquad \qquad \sigma_3 = h^{b+c} \end{align*} where $\omega' = \omega + ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)$. 
Since the term $b_w + \sum_{i=1}^\ell b_{v_i}m_i$ is uniform and independent of $\adv$'s view, $\sigma$ is distributed as a Type B signature if $\eta = g^{a(b+c)}$. When $\adv$ terminates, it outputs a couple $(m_1^\star\cdots m_\ell^\star, \sigma^\star)$ that has not been queried during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a Type $\mathrm{A}'$ forgery or not. To this end, it tests if the equality: \begin{equation} \label{eq:verif-proof} \sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star} \end{equation} is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta = g^{ab}$. Otherwise it outputs $0$ and rather bets that $\eta \in_R \GG$. To see why this test allows recognizing Type $\mathrm{A}'$ forgeries, we remark that $\sigma^\star$ is of the form: \begin{align*} \sigma^\star_2 & = g^s , & \sigma^\star_3 & = h^{s + s_1} , & \sigma^\star_1 & = g^{\omega + s_0} (v_1^{m^\star_1} \cdots v_\ell^{m^\star_\ell} w)^s , \end{align*} and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell b_{v_i} \cdot m_i^\star)$ if the forgery fulfills relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$ meaning that Type $\mathrm{B}$ forgery passes the test with the same probability. %\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if %$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then %have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell %b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with %probability $1/p$. 
From the entire game, and assuming a forgery which passes the test, we have the following linear system: %On the other hand, the information that $\adv$ can infer about %$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$ %during the game amounts to the first %$\ell + 2$ rows of the right-hand-side member in the following linear system: \[ \left( \bgroup \def\arraystretch{1.5} \begin{array}{c|c} \mathbf{I}_{\ell+1} & a \cdot \mathbf{I}_{\ell + 1}\\ \hline \boldsymbol{0}_{\ell + 1}^{\top} & ac \cdot( m_1 | \cdots | m_\ell | 1) \\ \hline \boldsymbol{0}_{\ell + 1}^{\top} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1) \end{array} \egroup \right) \cdot % \begin{pmatrix} % 1 & & & a & & \\ % & \ddots & & & \ddots & \\ % & & 1 & & & & a \\ % & & & a c \cdot m_1 & \cdots & a c \cdot m_\ell & ac \\ % & & & a c \cdot m_1^\star & \cdots & a c \cdot m_\ell^\star & ac % \end{pmatrix} \cdot \begin{pmatrix} a_{v_1} \\ \vdots \\ a_{v_\ell} \\ a_w\\ b_{v_1} \\ \vdots \\ b_{v_\ell} \\ b_w \end{pmatrix} = \begin{pmatrix} \log_g(v_1) \\ \vdots \\ \log_g(v_\ell) \\ \log_g(w) \\ \omega' - \omega \\ s_0 \end{pmatrix} \] where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$ is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when $c=0$ since then $\omega' = \omega$. However, even if $c\neq 0$ the information that $\adv$ can infer about $(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$ during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension at least one (actually $\ell=(2\ell+2) -(\ell+2)$). 
Finally, as long as $s_1\neq 0$, the right value $s_0$ can only be guessed with probability $1/p$ since the last row of the matrix is linearly independent of the others as soon as $(m_1, \ldots, m_\ell) \neq (m^\star_1, \ldots, m^\star_\ell)$; this holds because the forgery is on a message that was never queried, so in particular $M^\star \neq M_k$. To conclude the proof, since $\bdv$ is able to tell apart the type of the forgery, if $\adv$'s probability to output a forgery of some Type in Game $2.(k-1)$ (\textit{i.e.}, $c=0$) was noticeably different than in Game $2.k$ (\textit{i.e.}, $c\neq0$) then $\bdv$ would be able to solve the DDH problem in $\GG$ with non-negligible advantage. \end{proof} \begin{lemma} \label{le:final-forgery} In \textbf{Game $\boldsymbol{2.Q}$}, a PPT adversary outputting a type $A'$ forgery would contradict the DDH assumption in $\GG$: $ \Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda).$ \end{lemma} \begin{proof} We will build an algorithm $\bdv$ for solving the Computational Diffie-Hellman problem~(CDH), which is at least as hard as the DDH problem (a CDH solver immediately yields a DDH distinguisher). The reduction $\bdv$ takes as input a tuple $(g, h, \Omega = h^\omega)$ and computes $g^\omega$; note that this is a CDH instance with respect to the base $h$, since $g=h^{1/\log_g h}$ and $g^\omega = h^{\omega/\log_g h}$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g \sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes $ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$, $\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$ as in steps 3-4 of the key generation algorithm, then sends the public key $ \mathsf{pk} = \bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, \mathsf{crs}\bigr) $ to $\adv$. %\begin{multline*} % pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, % \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr) %\end{multline*} \noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle signing queries. 
We recall that during the game, signing queries are answered by returning a Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing $\omega = \log_h(\Omega)$, which is part of the CDH challenge. The result of Lemma~\ref{le:type-b-sig} implies that, even if $\adv$ only obtains Type B signatures, it still outputs a Type $\mathrm{A}'$ forgery $\sigma^\star = (\sigma^\star_1, \sigma^\star_2, \sigma^\star_3, \pi^\star)$ with essentially the same probability as in Game 1, unless the DDH assumption does not hold in $\GG$. Whenever this event occurs, since $v_i = g^{a_{v_i}}$ and $w=g^{a_w}$ in this reduction, the Type $\mathrm{A}'$ condition reads $\sigma_1^\star = g^\omega \cdot (\sigma_2^\star)^{a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star}$, which allows $\bdv$ to compute \[g^\omega = \sigma_1^\star \cdot {\sigma_2^\star}^{-a_w - \sum_{i=1}^\ell a_{v_i} m_i^\star}_{},\] thereby solving the CDH instance, which contradicts the DDH assumption in $\GG$. \end{proof} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%