Further Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups

Abstract. Structure-Preserving Signatures (SPSs) are a useful tool for the design of modular cryptographic protocols. Recent series of works have shown that by limiting the message space of those schemes to the set of Diffie-Hellman (DH) pairs, it is possible to circumvent the known lower bounds in the Type-3 bilinear group setting, thus obtaining the shortest signatures consisting of only 2 elements from the shorter source group. It has been shown that such a variant yields efficiency gains for some cryptographic constructions, including attribute-based signatures and direct anonymous attestation. Only the cases of signing a single DH pair or a DH pair and a vector from Z_p have been considered. Signing a vector of group elements is required for various applications of SPSs, especially if the aim is to forgo relying on heuristic assumptions. Example applications where it is required to sign a vector of group elements include group, attribute-based and proxy signatures, and k-times anonymous authentication. An open question is whether such an improved lower bound also applies to signing a vector of ℓ > 1 messages. We answer this question negatively for schemes existentially unforgeable under an adaptive chosen-message attack (EUF-CMA), whereas we answer it positively for schemes existentially unforgeable under a random-message attack (EUF-RMA) and those which are existentially unforgeable under a combined chosen-random-message attack (EUF-CMA-RMA). The latter notion is a leeway between the two former notions where it allows the adversary to adaptively choose part of the message to be signed whereas the remaining part of the message is chosen uniformly at random by the signer. Another open question is whether strongly existentially unforgeable under an adaptive chosen-message attack (sEUF-CMA) schemes with 2-element signatures exist.
We answer this question negatively, proving it is impossible to construct sEUF-CMA schemes with 2-element signatures even if the signature consists of elements from both source groups. On the other hand, we prove that sEUF-RMA and sEUF-CMA-RMA schemes with 2-element (unilateral) signatures are possible by giving constructions for those notions.

Related Work. The notion was coined by Abe et al. [4], but earlier constructions conforming to the definition were given by [37,36]. The notion has been extensively studied. Constructions in the Type-3 setting (cf. Section 2.1) include [4,5,32,7,21,38,34,35]. The vast majority of those constructions rely on security proofs in the generic group model [47,46]. Abe et al. [5] proved that signatures of schemes over Type-3 bilinear groups must contain at least 3 elements, which must include elements from both source groups, and require at least 2 PPEs for verification. This ruled out the existence of schemes with unilateral signatures, i.e. where all of the signature's components are from one of the source groups.
Constructions relying on non-interactive assumptions were given by [20,2,17,3,42,43,41,9,31]. Abe et al. [6] proved that it is impossible to base the security of an optimal Type-3 scheme (i.e. with 3-element signatures) on non-interactive intractability assumptions. This in essence means that schemes based on non-interactive assumptions cannot be as efficient as their counterparts relying on interactive assumptions or those proven secure directly in the generic group model. More recently, Abe et al. [1] proved lower bounds for schemes signing bilateral messages and based on non-interactive intractability assumptions.
Ghadafi [33] gave a randomizable scheme yielding 3-element unilateral signatures and requiring the evaluation of 2 PPEs, excluding the cost for checking the well-formedness of the message, to verify signatures. His scheme can only sign a single Diffie-Hellman (DH) pair (cf. Section 2.1). In terms of signature size, signatures of his scheme are shorter than those of optimal schemes for unilateral messages. More recently, Ghadafi [34] gave constructions for a single DH pair yielding signatures consisting of only 2 elements from the shorter source group and requiring, besides checking the well-formedness of the message, the evaluation of a single PPE for verification. He argued that restricting the message space to the set of DH pairs does not restrict applicability of the schemes and used direct anonymous attestation [16], which is a protocol deployed in practice, and attribute-based signatures [44] as examples. Even though [34] gave a partially structure-preserving scheme which can sign a vector of field elements along with the single DH pair, it was left as an open problem to investigate the case of structure-preserving signatures for a vector of group elements. More recently, Ghadafi [35] gave EUF-CMA constructions for a vector of DH pairs with 2-element bilateral signatures.
Constructions in the Type-2 setting (where there is an efficiently computable unidirectional homomorphism between the source groups) were given in [8,21,13,1].
Fully structure-preserving schemes where even the secret key consists of only group elements from the source groups were recently given by [10,38,49].
Motivation & Contribution. Many applications of SPSs require signing a vector of group elements. For instance, consider the case of certifying the public keys of encryption or signature schemes. This is, for instance, required for constructing various variants of anonymous signatures, including group signatures [22], attribute-based signatures [44], proxy signatures [45], k-times anonymous authentication [48], and direct anonymous attestation [16]. This is particularly important when the aim is to dispense with relying on random oracles, as in such cases one cannot use standard signature schemes which hinder the structure of the message, e.g. by hashing or requiring knowledge of their discrete logarithm. Therefore, the design of efficient SPS schemes for a vector of messages would have implications for various applications. SPS schemes on DH pairs have proven themselves a tool to get around the known lower bounds for SPS schemes, thus improving efficiency without being too restrictive, as they suffice for many applications of SPS schemes. Examples of where SPS schemes on DH pairs provide better efficiency than optimal SPS schemes on unilateral messages include [34,24]. Also, as argued by [34], optimal SPS schemes on DH pairs outperform some widely used non-structure-preserving schemes in terms of efficiency.
A first intriguing open question is whether EUF-CMA SPS schemes for a vector of group elements with 2-element unilateral signatures are possible. We answer this question negatively by proving the impossibility of the existence of such schemes. However, we show that EUF-RMA and EUF-CMA-RMA (cf. Section 2.2) schemes are possible. The latter is a leeway between EUF-RMA and EUF-CMA where it allows the adversary to adaptively choose some part of the message whereas the remaining part of the message is chosen uniformly at random by the signer. While EUF-RMA and EUF-CMA-RMA are both weaker notions than EUF-CMA since, unlike the latter, they restrict part of the message to being chosen uniformly at random, we argue that EUF-CMA-RMA may suffice to replace EUF-CMA for some applications. Consider, for instance, κ-times anonymous authentication schemes [45], where an authority provides users with κ credentials which allow them to anonymously authenticate themselves κ times. The underlying idea for some of the existing constructions is that the credential is a signature by the authority on the user's public key/ID along with a random element chosen by the authority. For instance, we envisage that EUF-CMA-RMA security can be ideal for such applications since part of the message is adaptively chosen by the adversary, whereas the remaining part of the message is a random element chosen by the authority.
Another open question is whether strongly existentially unforgeable schemes under an adaptive chosen-message attack (sEUF-CMA) with 2-element (whether unilateral or bilateral) signatures exist. Strong unforgeability is essential for some applications of SPSs, e.g. in e-cash where deterring or preventing double-spending of coins is desirable, or in constrained anonymous credential systems where it is not desirable to give users the ability to derive further credentials from a given one. Optimal Type-3 sEUF-CMA SPS schemes for unilateral messages, e.g. [21,7,38], have a lower bound of 3-element bilateral signatures; thus, investigating whether the improved lower bound that exploits a special structure of the message also applies to strong unforgeability would have implications for applications of SPSs requiring strong unforgeability. We prove that sEUF-CMA schemes with 2-element signatures are not possible. This holds even if the signature is bilateral. On the other hand, we show that sEUF-RMA and sEUF-CMA-RMA schemes with 2-element (unilateral) signatures exist by giving constructions.
Our results highlight a gap between random-message/combined chosen-random-message security and chosen-message security in this setting.
Paper Organization. We provide some preliminary definitions in Section 2. In Section 3 we prove the impossibility of the existence of EUF-CMA schemes for a vector of ℓ > 1 messages with 2-element unilateral signatures. In Section 4 we prove the impossibility of the existence of sEUF-CMA schemes with 2-element signatures regardless of whether the signatures are unilateral or bilateral. Finally, in Section 5 we construct a sEUF-CMA-RMA scheme for a vector of messages with 2-element unilateral signatures.
Notation. We write y = A(x; r) when algorithm A on input x and randomness r outputs y. We write y ← A(x) for the process of setting y = A(x; r) where r is sampled at random. We also write y ← S for sampling y uniformly at random from a set S. A function ν(·): N → R^+ is negligible (in n) if for every polynomial p(·) and all sufficiently large values of n, it holds that ν(n) < 1/p(n). By PPT we mean running in probabilistic polynomial time in the relevant security parameter. We use [k] to denote the set {1, …, k}.

Preliminaries
In this section we provide some preliminary definitions.

Bilinear Groups
A bilinear group is a tuple P := (G, H, T, p, G, H̃, e) where G, H and T are groups of a prime order p, and G and H̃ generate G and H, respectively. The function e is a non-degenerate bilinear map e: G × H → T. We refer to G and H as the source groups whereas we refer to T as the target group. We use multiplicative notation for all the groups. For clarity we will accent elements of H with ˜. We let G^× := G \ {1_G} and H^× := H \ {1_H}. We limit our attention to the efficient Type-3 setting [30], where G ≠ H and there is no efficiently computable homomorphism between the source groups in either direction. We assume there is an algorithm BG that on input a security parameter κ outputs a description of bilinear groups.
The message space of the schemes we consider is the set of elements of the subgroup GH of G × H defined as the image of the map ψ: x ↦ (G^x, H̃^x) for x ∈ Z_p. One can efficiently test whether (M, Ñ) ∈ GH by checking e(M, H̃) = e(G, Ñ). Such pairs were called Diffie-Hellman pairs in [27,4]. An important observation here is that techniques used for batch verification, e.g. [14,19], can be applied when verifying the well-formedness of a vector of Diffie-Hellman pairs. This reduces the cost of verifying a vector of ℓ pairs from 2ℓ pairings to 2 pairings.
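The following Python program is an added illustration of the Diffie-Hellman pair test and its batched form; it is not code from the paper. It assumes a toy "exponent-tracking" bilinear group in which the simulator stores every element's discrete logarithm and evaluates the pairing as e(G^a, H̃^b) = T^{ab}; the names Elt, Pairing, dh_pair, verify_individually, verify_batched, pairing_costs and detects_malformed are this example's own. The pairing counter shows the 2ℓ-versus-2 cost difference, and the malformed-pair check shows that the random weights in the batch test still reject a bad pair.

```python
# Added example (not from the paper): a toy "exponent-tracking" bilinear group used to
# illustrate the Diffie-Hellman pair test and its batch-verified form from Section 2.1.
# Group elements carry their discrete log, so the simulator can evaluate the pairing as
# e(G^a, H~^b) = T^{ab}; a real adversary would see only opaque group elements.
from dataclasses import dataclass
import secrets

P = 2**127 - 1  # prime group order of the toy groups (constructed choice, a Mersenne prime)


@dataclass(frozen=True)
class Elt:
    grp: str  # which group the element lives in: 'G', 'H' or 'T'
    log: int  # discrete log w.r.t. the fixed generator of that group, reduced mod P

    def __mul__(self, other):  # group operation (multiplicative notation)
        assert self.grp == other.grp, "group operation only within one group"
        return Elt(self.grp, (self.log + other.log) % P)

    def __pow__(self, k):  # exponentiation by a scalar k in Z_p
        return Elt(self.grp, (self.log * k) % P)


G_GEN = Elt("G", 1)  # generator G of the first source group
H_GEN = Elt("H", 1)  # generator H~ of the second source group


class Pairing:
    """Bilinear map e: G x H -> T that also counts how many times it is evaluated."""

    def __init__(self):
        self.count = 0

    def e(self, a, b):
        assert a.grp == "G" and b.grp == "H"
        self.count += 1
        return Elt("T", (a.log * b.log) % P)


def dh_pair(x=None):
    """psi(x) = (G^x, H~^x): a well-formed Diffie-Hellman pair (random x if none given)."""
    if x is None:
        x = secrets.randbelow(P)
    return (G_GEN ** x, H_GEN ** x)


def verify_individually(pairs, pr):
    """Check e(M_i, H~) = e(G, N~_i) for every i separately: 2*len(pairs) pairings."""
    results = [pr.e(M, H_GEN) == pr.e(G_GEN, N) for M, N in pairs]
    return all(results)


def verify_batched(pairs, pr):
    """Small-exponent batch test: pick random rho_i != 0 and check
    e(prod_i M_i^rho_i, H~) = e(G, prod_i N~_i^rho_i), i.e. 2 pairings for any length.
    If some pair is malformed, the two sides agree only with probability 1/P."""
    rhos = [1 + secrets.randbelow(P - 1) for _ in pairs]
    left, right = Elt("G", 0), Elt("H", 0)  # identities 1_G and 1_H
    for (M, N), rho in zip(pairs, rhos):
        left = left * (M ** rho)
        right = right * (N ** rho)
    return pr.e(left, H_GEN) == pr.e(G_GEN, right)


def pairing_costs(ell):
    """Pairings spent by each method on a vector of ell well-formed pairs: (2*ell, 2)."""
    vec = [dh_pair() for _ in range(ell)]
    p1, p2 = Pairing(), Pairing()
    assert verify_individually(vec, p1) and verify_batched(vec, p2)
    return p1.count, p2.count


def detects_malformed(ell=4):
    """Slip one malformed pair (G^x, H~^(x+1)) into a vector; both tests must reject."""
    vec = [dh_pair() for _ in range(ell)]
    x = secrets.randbelow(P)
    vec.insert(2, (G_GEN ** x, H_GEN ** (x + 1)))  # constructed bad pair
    return (not verify_individually(vec, Pairing()),
            not verify_batched(vec, Pairing()))


if __name__ == "__main__":
    print("pairings (individual, batched) for ell=5:", pairing_costs(5))
    print("malformed pair rejected (individual, batched):", detects_malformed())
```

The weights rho_i must be fresh and unpredictable for each verification; reusing fixed weights would let a malformed vector be tuned to cancel out, which is why the batch test draws them at verification time.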

Digital Signatures
A digital signature scheme DS over a bilinear group P generated by BG for a message space M consists of the following algorithms:
KeyGen(P): On input P, this algorithm outputs a pair of signing/verification keys (sk, vk).
Sign(sk, m): On input the secret signing key sk and a message m ∈ M, this algorithm outputs a signature σ on m.
Verify(vk, m, σ): On input the verification key vk, a message m ∈ M and a signature σ, this algorithm outputs 0/1 indicating the invalidity/validity of σ on m w.r.t. vk.

Definition 1 (Correctness).
A signature scheme DS over a bilinear group generator BG is (perfectly) correct if for all κ ∈ N:
A signature scheme is said to be existentially unforgeable if it is hard to forge a signature on a new message that has not been signed before, where the adversary may see signatures on other messages before outputting her forgery. We distinguish between adaptive chosen-message (EUF-CMA), random-message (EUF-RMA) and combined chosen-random-message (EUF-CMA-RMA) variants of existential unforgeability as defined below.
Definition 2 (EUF-CMA). A signature scheme DS over a bilinear group generator BG is Existentially Unforgeable under an adaptive Chosen-Message Attack if for all κ ∈ N and all PPT adversaries A, the following is negligible (in κ): where Q_Sign is the set {m_i}_{i=1}^q of messages queried to Sign.
Strong Existential Unforgeability under an adaptive Chosen-Message Attack (sEUF-CMA) is defined similarly and requires that the adversary cannot even output a new signature on a message that was queried to the sign oracle.
Definition 3 (EUF-RMA). A signature scheme DS over a bilinear group generator BG is Existentially Unforgeable under a Random-Message Attack if for all κ ∈ N and all PPT adversaries A, the following is negligible (in κ): where Sign uniformly samples a message m from M and returns m and a signature σ on it, and Q_Sign is the set {m_i}_{i=1}^q of messages returned by Sign.
Strong Existential Unforgeability under a Random-Message Attack (sEUF-RMA) is defined similarly and requires that the adversary cannot even output a new signature on a message that was chosen by Sign.
The following variant lies in between the two previous notions: it allows the adversary to adaptively choose some part of the message whereas the remaining part of the message is chosen uniformly at random by the sign oracle.
Definition 4 (EUF-CMA-RMA). A signature scheme DS over a bilinear group generator BG for a message space M = M_C × M_R is Existentially Unforgeable under a combined Chosen-Random-Message Attack if for all κ ∈ N and all PPT adversaries A, the following is negligible (in κ): where, when queried on a message m_i ∈ M_C, Sign uniformly samples a message m′_i from M_R and returns m′_i and a signature σ on (m_i, m′_i), and Q_Sign is the set {(m_i, m′_i)}_{i=1}^q of pairs queried to Sign. Strong Existential Unforgeability under a combined Chosen-Random-Message Attack (sEUF-CMA-RMA) requires that the adversary cannot even output a new signature on a message pair on which she has obtained a signature from Sign.

Structure-Preserving Signatures
Structure-preserving signatures [4] are signature schemes defined over bilinear groups where the messages, the verification key and the signatures are all group elements from either or both source groups, and verifying signatures only involves deciding group membership of the signature components and evaluating PPEs of the form of Equation (1).
where A_i ∈ G and B̃_j ∈ H are group elements appearing in P, m, vk, σ, whereas c_{i,j} ∈ Z_p are public constants.
Generic Signer. We refer to a signer that can only decide group membership, evaluate the bilinear map e, compute the group operations in groups G, H and T, and compare group elements as a generic signer.
3 Impossibility of generic-signer EUF-CMA SPS Schemes for a vector of ℓ > 1 Messages with 2-element Unilateral Signatures
Ghadafi [34] constructed optimal EUF-CMA SPS schemes for a single DH pair with 2-element unilateral signatures. An intriguing open question is whether there exist EUF-CMA SPS schemes for a vector of ℓ > 1 DH pairs with 2-element unilateral signatures. We remark that [35] gave schemes for a vector of ℓ > 1 DH pairs with 2-element bilateral signatures. Since elements of one of the source groups are twice the size of those from the opposite source group, the size of the signatures of the schemes in [35] is equivalent to 3-element unilateral signatures from the shorter source group. We start by proving the following theorem, which is a generalization of Lemma 1 from [8] for SPS schemes for unilateral messages.
Theorem 1. A generic-signer EUF-RMA SPS scheme for a vector of ℓ ≥ 1 DH pairs must have, for any message vector, superpolynomially many potential signatures.
Proof. Since the signer is generic, the signature σ = (R, S̃) ∈ G^n × H^{ñ} on the message vector (M_i, M̃_i)_{i=1}^{ℓ} is computed via entry-wise exponentiation as Let's assume for contradiction that a scheme has a polynomial number of potential signatures. This means there is a polynomial-size set {(α_i, α_{i,1}, …, α_{i,ℓ}, β_i, β_{i,1}, …, β_{i,ℓ})}_{i=1}^{poly(κ)}, for some polynomial poly, corresponding to the list of potential signatures. Now given signatures σ_1 = (R_1, S̃_1) and σ_2 = (R_2, S̃_2) on (random) DH vectors (M_1, M̃_1) and (M_2, M̃_2), respectively, we have with probability 1/poly(κ)^2 that those signatures were constructed using the same vector (α_i, α_{i,1}, …, α_{i,ℓ}, β_i, β_{i,1}, …, β_{i,ℓ}) for some i ∈ [poly(κ)]. Thus, we have that This means such a scheme is not EUF-RMA secure against an adversary which makes 2 signing queries.
We now proceed to proving the impossibility of the existence of generic-signer EUF-CMA (against q > 1 sign queries) SPS schemes for a vector of ℓ > 1 messages with 2-element unilateral signatures. We prove that such schemes cannot exist even for the simpler case where ℓ = 2.
Theorem 2. There is no generic-signer EUF-CMA (against q > 1 sign queries) SPS scheme for a vector of 2 DH pairs with 2-element unilateral signatures.
Proof.We start by proving the following lemma regarding the number of verification equations required for schemes with 2-element signatures.
Lemma 1. One verification equation (excluding the cost for verifying the well-formedness of the messages) is sufficient for a generic-signer SPS scheme with 2-element signatures.
Proof. Assume a scheme has 2 verification equations. Both equations must pose a non-trivial constraint on the signature components, as otherwise we can reduce them to a single equation. Since each verification equation must involve at least 1 signature component, we have 3 cases:
• Both equations involve both signature components: This means we have 2 quadratic/linear equations in the discrete logarithms of the signature components. Such an equation system has at most 4 distinct solutions, implying that there are at most 4 potential signatures for the message vector, which contradicts the proof of Theorem 1.
• One equation involves both signature components whereas the other equation involves only one signature component: This means one equation is quadratic/linear involving both signature components, whereas the remaining equation is linear in one of the signature components. By substituting the value of the signature component in the linear equation into the other equation, we end up with one verification equation that is sufficient for verifying the signature.
• Each verification equation involves a single signature component: Since the other constants (the verification key, the public parameters (if any) and the messages) are fixed, each verification equation is a linear equation in one of the signature components, i.e. each equation is a linear equation in one unknown. Thus, there is exactly 1 potential signature for the message vector, which contradicts the proof of Theorem 1.
Now let's assume WLOG that the signature is of the form σ = (S_1, S_2) ∈ G^2, whereas the verification key is of the form (X, Ỹ) ∈ G^n × H^{n′}. The proof for the case where σ = (S̃_1, S̃_2) ∈ H^2 is similar. A generic signer (who does not know the discrete logarithms m_1 and m_2 of the messages (M_1, M̃_1) and (M_2, M̃_2), respectively) computes the signature as
for some multivariate polynomials α_i, α′_i, β_{i,1}, β′_{i,1}, β_{i,2}, β′_{i,2} ∈ Z_p[x, y] for i ∈ {1, 2}. Note that none of those polynomials has a term in m_1 or m_2, i.e. they are independent of the messages. Thus, it is infeasible for a generic signer to compute a non-trivial signature component whose discrete logarithm s_i contains a message m_i (for any i ∈ {1, 2}) in a term in the denominator. This means that the verification equation must not contain the pairings e(S_i, M̃_j) for all j ∈ [2] and some i ∈ [2], i.e. either S_1 or S_2 is independent of the messages, as otherwise m_i would appear in the denominator of one of the signature components. Let's assume WLOG that S_1 is independent of the messages, i.e. the verification equation does not contain the pairings e(S_1, M̃_i) for i = 1, 2. This means the scheme has a verification equation of the form of Equation (2).
A generic signer (who does not know the discrete logarithms m_1 and m_2 of the messages) cannot produce a signature component whose discrete logarithm has a term with any of the monomials m_1^2, m_1 m_2, or m_2^2. Thus, WLOG we can also assume that the verification equation does not contain a pairing of the form e(M_i, M̃_j) for all i, j ∈ [2], i.e. u_{i,j} = 0 for all i, j ∈ [2]. This means the scheme has a verification equation of the form of Equation (3).
Lemma 2 below proves that a scheme with a verification equation of the form of Equation (3) is not EUF-CMA against an adversary that makes 2 chosen-message sign queries, whereas Lemma 3 proves that even if we consider a scheme with a verification equation of the form of Equation (2), such a scheme is not EUF-CMA against an adversary that makes 3 chosen-message sign queries, which concludes the proof of the theorem.
Lemma 2. A SPS scheme for 2 DH pairs with a verification equation of the form of Equation (3) is not EUF-CMA against 2 (non-adaptive) chosen-message sign queries.
We can now compute a forgery. This is a valid signature and we have that This concludes the proof.
The following corollary follows from Theorem 2.
Corollary 1. There is no generic-signer EUF-CMA SPS scheme for a vector of ℓ > 1 DH pairs with 2-element unilateral signatures.
4 Impossibility of sEUF-CMA (against q > 1 sign queries) SPS Schemes with 2-Element Signatures
Optimal sEUF-CMA SPS schemes for unilateral messages, e.g. [5,7], have a lower bound of 3 elements for the signature size, where at least 1 element must be from group H. Also, there are EUF-CMA SPS schemes (for DH pairs) with 2-element signatures, e.g. [34,35]. An intriguing open question is whether it is possible to construct sEUF-CMA SPS schemes with 2-element (unilateral/bilateral) signatures. We prove in Theorem 3 that such schemes are impossible. In Section 5 we show that sEUF-RMA and sEUF-CMA-RMA schemes with 2-element (unilateral) signatures are possible by giving concrete constructions.
Having proved that sEUF-CMA schemes with 2-element signatures cannot exist, the remaining hope to construct sEUF-CMA SPS schemes with signatures shorter than those of optimal sEUF-CMA SPS schemes for unilateral messages is to investigate the existence of schemes with 3-element unilateral signatures. Ghadafi [34] proved the impossibility of the existence of sEUF-CMA SPS schemes with unilateral signatures regardless of the number of group elements in the signature. His result was only proven in the restricted setting where the verification key is also unilateral, i.e. all elements of the verification key lie in the same source group. We strengthen his result by proving the impossibility of the existence of sEUF-CMA SPS schemes with unilateral signatures even if we allow the verification key and public parameters (if any) to be bilateral. In essence, this means the most efficient sEUF-CMA SPS scheme in terms of signature size must have at least 3 elements in the signature, and those must be bilateral, which matches optimal sEUF-CMA SPS schemes for unilateral messages.
If one is willing to impose restrictions on the messages the adversary can query to the sign oracle, sEUF-CMA schemes with 2-element signatures are possible. For instance, Ghadafi [34] gave a sEUF-CMA scheme with 2-element unilateral signatures under the restriction that the adversary can obtain at most a single signature on any message.
Theorem 3. There is no generic-signer sEUF-CMA (against q > 1 sign queries) SPS scheme with 2-element signatures.
Proof. Lemma 1 proved that 1 PPE, excluding the cost for verifying the well-formedness of the messages, is sufficient for verifying signatures of a generic-signer SPS scheme. The following 2 lemmata complete the proof, where the first deals with the case of bilateral signatures whereas the second deals with unilateral signatures.
Lemma 4. There is no generic-signer sEUF-CMA (against q > 1 sign queries) SPS scheme with 2-element bilateral signatures.
Proof. Let's WLOG assume that the signature is of the form σ = (S_1, S̃_2) ∈ G × H, whereas the verification key (including any public parameters) is of the form (X, Ỹ) ∈ G^n × H^{n′}.
A generic signer (who does not know the discrete logarithm m of the message (M, M̃)) computes the signature as Note that none of those polynomials has a term in m. Without knowledge of the discrete logarithm m of the message, it is infeasible for a generic signer to compute a non-trivial signature component whose discrete logarithm s_i contains the message m in a term in the denominator. Thus, we must have that either e(S_1, M̃) or e(M, S̃_2) does not feature in the verification equation. WLOG let's assume that e(S_1, M̃) does not appear in the verification equation. The proof for the other case, where e(M, S̃_2) does not appear in the verification equation, is similar.
Such a scheme would have a verification equation of the following form: We have 3 cases as follows:
• For some i ∈ [n′], c_i ≠ 0: After getting a signature σ = (S_1, S̃_2) on a (random) message (M, M̃), fix any i ∈ [n′] where c_i ≠ 0; we can compute a new signature σ* = (S*_1, S̃*_2) on the random message (M, M̃) as follows: The new signature is a valid forgery and we have σ* ≠ σ for any γ ∈ Z_p^×.
• c_i = 0 for all i ∈ [n′] but d ≠ 0: After getting a signature σ = (S_1, S̃_2) on a (random) message (M, M̃), we can compute a new signature σ* = (S*_1, S̃*_2) on the random message (M, M̃) as follows: The new signature is a valid forgery and we have that σ* ≠ σ for any γ ∈ Z_p^× \ {1}.
• c_i = 0 for all i ∈ [n′] and d = 0: This means the verification equation does not involve the component S_1, and hence the signature consists of only 1 element. In other words, the verification equation is a linear equation in s̃_2 (the discrete logarithm of S̃_2). This means that for any message there is exactly 1 potential signature and, as proved in Theorem 1, such a scheme is not EUF-RMA secure against q > 1 sign queries. In particular, by assuming WLOG that f = 0 (since a generic signer cannot compute a signature where the denominator contains the discrete logarithm of the message m) and k = 0 (since a generic signer cannot compute a signature which has degree > 1 in the discrete logarithm of the message m), anyone can compute a forgery on a new message given two signatures σ_1 = S̃_{1,2} and σ_2 = S̃_{2,2} on any two random messages (M_1, M̃_1) and (M_2, M̃_2), respectively. Thus, such a scheme is not secure against an adversary which makes 2 random-message queries. We remark that even if we allow k ≠ 0, one can forge a signature on a new message after 3 chosen-message queries. This concludes the proof.
Lemma 5. There is no generic-signer sEUF-CMA (against q > 1 sign queries) SPS scheme with 2-element unilateral signatures.
Proof. WLOG let's count any public parameters (if any) as part of the verification key vk. Such a scheme would have signatures of the form σ = (S_1, S_2) ∈ G^2, a verification key of the form (X, Ỹ) ∈ G^n × H^{n′}, and a verification equation of the following form: As proved by Theorem 1, for the scheme to be EUF-RMA secure (against q > 1 sign queries), it must have superpolynomially many potential signatures. After obtaining any 2 distinct signatures σ = (S_1, S_2) and σ′ = (S′_1, S′_2) on any message (M, M̃) in the message space, we have that is with overwhelming probability a new valid signature on (M, M̃) for any γ ∈ Z_p^× \ {1}.
This concludes the proof.
5 sEUF-CMA-RMA Scheme for Diffie-Hellman Vectors
Here we construct a sEUF-CMA-RMA scheme with 2-element unilateral signatures for the message space M = M_C × M_R where M_C = GH and M_R = GH^η for any η ≥ 1. This also implies the existence of sEUF-RMA schemes with 2-element unilateral signatures.
Remark 1. Note that we can set Y_1 = G, which means the size of the verification key can be reduced by one group element.
Security of the Scheme. Correctness of the scheme follows by inspection and is straightforward to verify. The following theorem proves sEUF-CMA-RMA security of the scheme.
Theorem 4. The scheme is sEUF-CMA-RMA secure in the generic group model.
Proof. We proceed by proving that no linear combination which represents a Laurent polynomial (of degree ranging from −1 to 2 after q sign queries) in the discrete logarithms of the group elements the adversary sees in the game corresponds to a forgery on a new message. At the start of the game, the only elements in H the adversary sees are H̃, W̃_1, W̃_2, which correspond to the discrete logarithms 1, w_1, w_2, respectively, whereas the only elements in G the adversary sees are G, X, Y_1, …, Y_η, U, which correspond to the discrete logarithms 1, x, y_1, …, y_η, u, respectively.
Note that the only elements of H the q sign queries return are the uniformly random parts of the messages {M̃_{i,j}} for i ∈ [q] and j ∈ [η]. Thus, at the i-th sign query on the message (M_i, Ñ_i) ∈ GH, the discrete logarithms m_i and n_i of M_i and Ñ_i, respectively, can only be linear combinations of the discrete logarithms of the elements in G and H, respectively, that the adversary has seen up to that point in time. Thus, we have Since for all i ∈ [q] we must have (M_i, Ñ_i) ∈ GH, i.e. m_i = n_i, we have: If the message is well-formed, then at the i-th sign query the adversary receives a signature of the form σ_i = (r_i, s_i), where s_i is of the following form:
$$
s_i = \frac{m_i (r_i + x) + \sum_{j=1}^{\eta} m_{i,j} (r_i + y_j) + r_i w_1 + u}{w_2}.
$$
At the end of the game (after at most q sign queries), we must have Similarly, since the adversary can only construct her forgery as linear combinations of the Laurent polynomials she sees in the game, at the end of the game r* and s* must be linear combinations of the Laurent polynomials in G. Thus, we have:
$$
r^* = a_r + b_r u + c_r x + \sum_{i=1}^{\eta} d_{r_i} y_i + \sum_{i=1}^{q}\sum_{j=1}^{\eta} e_{r_{i,j}} m_{i,j} + \sum_{i=1}^{q} f_{r_i} r_i + \sum_{i=1}^{q} g_{r_i} s_i,
$$
$$
s^* = a_s + b_s u + c_s x + \sum_{i=1}^{\eta} d_{s_i} y_i + \sum_{i=1}^{q}\sum_{j=1}^{\eta} e_{s_{i,j}} m_{i,j} + \sum_{i=1}^{q} f_{s_i} r_i + \sum_{i=1}^{q} g_{s_i} s_i.
$$
Since by the verification equation we must have that:
$$
s^* w_2 = r^*\Big(m^* + \sum_{j=1}^{\eta} m^*_j + w_1\Big) + m^* x + \sum_{j=1}^{\eta} m^*_j y_j + u,
$$
we must have that:
$$
a_s w_2 + b_s u w_2 + c_s x w_2 + \sum_{i=1}^{\eta} d_{s_i} y_i w_2 + \sum_{i=1}^{q}\sum_{j=1}^{\eta} e_{s_{i,j}} m_{i,j} w_2 + \sum_{i=1}^{q} f_{s_i} r_i w_2 + \sum_{i=1}^{q} g_{s_i}\Big(m_i (r_i + x) + \sum_{j=1}^{\eta} m_{i,j} (r_i + y_j) + r_i w_1 + u\Big)
= r^*\Big(m^* + \sum_{j=1}^{\eta} m^*_j + w_1\Big) + m^* x + \sum_{j=1}^{\eta} m^*_j y_j + u.
$$
There is no term of the form u w_1 w_2^{-1} on the LHS, so we must have g_{r_i} = 0 for all i ∈ [q]. Also, for all i ∈ [η], there are no terms of the form x w_1, y_i w_1, u w_1 or w_1 on the LHS, so we must have c_r = 0, d_{r_i} = 0 for all i ∈ [η], b_r = 0 and a_r = 0. Thus, we have:
$$
r^* = \sum_{i=1}^{q}\sum_{j=1}^{\eta} e_{r_{i,j}} m_{i,j} + \sum_{i=1}^{q} f_{r_i} r_i.
$$
There are no terms on the RHS with any of the monomials w_2, u w_2, x w_2, y_i w_2 for any i ∈ [η], r_i w_2 for any i ∈ [q], or m_{i,j} w_2 for any i ∈ [q] and j ∈ [η]. Thus, we must have a_s = 0, b_s = 0, c_s = 0, d_{s_i} = 0 for all i ∈ [η], f_{s_i} = 0 for all i ∈ [q], and e_{s_{i,j}} = 0 for all i ∈ [q] and all j ∈ [η]. Thus, we have:
$$
\sum_{i=1}^{q} g_{s_i}\Big(m_i (r_i + x) + \sum_{j=1}^{\eta} m_{i,j} (r_i + y_j) + r_i w_1 + u\Big)
= \Big(\sum_{i=1}^{q}\sum_{j=1}^{\eta} e_{r_{i,j}} m_{i,j} + \sum_{i=1}^{q} f_{r_i} r_i\Big)\Big(m^* + \sum_{j=1}^{\eta} m^*_j + w_1\Big) + m^* x + \sum_{j=1}^{\eta} m^*_j y_j + u.
$$
There are no terms of the form m_{i,j} w_1 for any i ∈ [q] and any j ∈ [η] on the LHS. Thus, we must have e_{r_{i,j}} = 0 for all i ∈ [q] and all j ∈ [η], and hence we must have that:
$$
\sum_{i=1}^{q} g_{s_i}\Big(m_i (r_i + x) + \sum_{j=1}^{\eta} m_{i,j} (r_i + y_j) + r_i w_1 + u\Big)
= \sum_{i=1}^{q} f_{r_i} r_i \Big(m^* + \sum_{j=1}^{\eta} m^*_j + w_1\Big) + m^* x + \sum_{j=1}^{\eta} m^*_j y_j + u.
$$
By the term u we have that $\sum_{i=1}^{q} g_{s_i} = 1$, so there is at least one value of i with g_{s_i} ≠ 0.
Also, by the term r_i w_1 we have that g_{s_i} = f_{r_i} for all i ∈ [q]. Note that the m_{i,j} on the LHS, for all i ∈ [q] and all j ∈ [η], are chosen uniformly at random by the sign oracle. Also, there is no term on the LHS containing the monomial m_{i,j} r_k for any k ≠ i. Thus, we cannot have for any i, j ∈ [q] with i ≠ j that f_{r_i} ≠ 0 and f_{r_j} ≠ 0. This means we must have for some i ∈ [q] that g_{s_i} = 1, and for all i ∈ [q] that g_{s_i} = f_{r_i}. Thus, we must have:
$$
m_i (r_i + x) + \sum_{j=1}^{\eta} m_{i,j} (r_i + y_j) + r_i w_1 + u = r_i m^* + r_i \sum_{j=1}^{\eta} m^*_j + r_i w_1 + m^* x + \sum_{j=1}^{\eta} m^*_j y_j + u.
$$
By the monomial x, we must have m* = m_i, whereas by the monomial y_j we must have m*_j = m_{i,j} for all j ∈ [η]. The above also means r* = r_i and s* = s_i. This means (r*, s*) is not a valid forgery. This concludes the proof.
Remark 2. The proof holds even if we have y_1 = 1, which means we can reduce the size of the verification key by eliminating 1 group element.
