More Efficient Structure-Preserving Signatures - Or: Bypassing the Type-III Lower Bounds

Structure-preserving signatures are an important cryptographic primitive that is useful for the design of modular cryptographic protocols. It has been proven that structure-preserving signatures (in the most efficient Type-III bilinear group setting) have a lower bound of 3 group elements in the signature (which must include elements from both source groups) and require at least 2 pairing-product equations for verification. In this paper, we show that such lower bounds can be circumvented. In particular, we define the notion of Unilateral Structure-Preserving Signatures on Diffie-Hellman pairs (USPSDH), which are structure-preserving signatures in the efficient Type-III bilinear group setting with the message space being the set of Diffie-Hellman pairs, in the terminology of Abe et al. (Crypto 2010). The signatures in these schemes are elements of one of the source groups, i.e. unilateral, whereas the verification key elements are from the other source group. We construct a number of new structure-preserving signature schemes which bypass the Type-III lower bounds and hence are much more efficient than all existing structure-preserving signature schemes. We also prove optimality of our constructions by proving lower bounds and giving some impossibility results. Our contribution can be summarized as follows:

Related Work. The term "structure-preserving signature" was put forward by Abe et al. [3], but earlier schemes conforming to the definition were given by Groth [32] and Green and Hohenberger [31]. The notion has received a significant amount of attention from the cryptographic community, and many results proving lower bounds for the design of such schemes, as well as new schemes meeting those lower bounds, have been published in the literature. Abe et al. [3] constructed structure-preserving signature schemes based on non-interactive intractability assumptions which work in the different bilinear group settings. Abe et al. [4] showed that a signature of a structure-preserving scheme in the Type-III bilinear group setting (cf. Section 2.1) must have at least 3 group elements and require at least 2 pairing-product equations to be verified. They also proved that the signature must contain elements from both source groups, which rules out the existence of unilateral signatures (i.e. signatures all of whose components are elements of one of the source groups). They gave optimal constructions and proved their security in the generic group model [42,40]. Abe et al. [5] proved that it is impossible to base the security of a scheme with signatures consisting of 3 group elements in the Type-III setting on non-interactive intractability assumptions. In essence, their result proves that in the Type-III setting, the only way to meet the 3 group element lower bound is to either employ interactive intractability assumptions or resort to direct proofs in the generic group model. Ghadafi [28] gave a structure-preserving variant of the Camenisch-Lysyanskaya signature scheme [17] in the Type-III setting that is based on an interactive assumption. Abe et al. [7] gave a scheme in the Type-II setting (where there is an efficiently computable isomorphism from the second source group to the first) with signatures consisting of only 2 group elements. Chatterjee and Menezes [20] revisited the work of [7] and showed that Type-III constructions outperform their Type-II counterparts. They also gave constructions in the Type-III setting meeting the 3 group element lower bound. Barthe et al. [10] gave optimal constructions of structure-preserving signatures in the Type-II setting. Constructions relying on standard assumptions (such as DLIN and DDH) were given by [18,1,16,2,36,38]. It is well known that schemes based on standard assumptions are much less efficient than their counterparts relying on non-standard assumptions or those proven directly in the generic group model. Recently, Ghadafi [29] gave a randomizable scheme with signatures consisting of 3 elements from the first source group, which can also be regarded as a unilateral structure-preserving signature scheme on Diffie-Hellman pairs. Verification in his scheme requires, besides checking the well-formedness of the message, the evaluation of 2 pairing-product equations. Abe et al. [8] and Groth [33] recently gave fully structure-preserving schemes where even the secret key consists of only group elements.
Our Contribution. After defining unilateral structure-preserving signatures on Diffie-Hellman pairs, our contribution can be summarized as follows:
• We construct two new randomizable structure-preserving signature schemes that are existentially unforgeable against a chosen message attack. Our schemes yield signatures consisting of only two group elements from the first (short) source group, and hence our signatures are at least half the size of those of the shortest existing Type-III structure-preserving signature scheme. Our schemes also outperform the very recent scheme in [29]. Verifying signatures in our schemes requires, besides checking the well-formedness of the message, the evaluation of a single pairing-product equation. The total number of pairings required for verification in our schemes is 4 (1 of which is offline, i.e. can be precomputed) and 3, respectively. In both schemes, depending on the application, the number of pairing evaluations can be reduced by 1, since in both schemes two pairings in the equation share the same left-hand side argument. Our first construction has a feature that permits controlled randomizability (combined unforgeability) which might be of independent interest.
• We give a strongly unforgeable CMA-secure one-time USPSDH scheme with 1-element signatures. We also give different variants which sign vectors of messages while maintaining the same signature size.
• We give a strongly unforgeable one-time CMA-secure scheme for unilateral messages in the Type-III setting that matches the best existing optimal scheme in every respect.
• We investigate some lower bounds and prove some impossibility results for USPSDH schemes. Our (in)feasibility and lower bound results include the following:
i) The impossibility of strongly existentially unforgeable schemes that are secure against an adversary that makes more than a single signing query. This implies that only one-time USPSDH schemes can have strong existential unforgeability against a chosen message attack.
ii) A lower bound of 2 group elements in the signature for schemes that are secure against a random message attack for more than a single signing query. In essence, this means that all of our constructions are optimal.
iii) A lower bound of 2 group elements for the verification key of optimal schemes. This applies even when the adversary is restricted to a single random message signing query. In essence, this means that our constructions are optimal in every respect.
• We give an optimal fully randomizable CMA-secure partially structure-preserving scheme that simultaneously signs a Diffie-Hellman pair and a vector in Z_p^k.
• As a by-product, we give efficient instantiations of randomizable weakly blind signatures [12] which do not rely on random oracles and which are more efficient than existing constructions. The latter is a building block that is used, for instance, in the design of direct anonymous attestation protocols [15,12].
Why are USPSDH schemes interesting? From our results, it is clear that USPSDH signature schemes outperform other variants of structure-preserving signatures since they yield shorter signatures and require less verification overhead because, as we show, they circumvent the lower bounds in the Type-III setting. It is particularly interesting when the signatures are from the first (short) source group, as the bit size of the elements of that group is at most half the size of those of the second source group. Note that all existing structure-preserving signatures for unilateral messages require a minimum of 3 group elements in the signature, at least one of which must be from the second source group. While traditional structure-preserving signatures (on unilateral messages), those in Type-III in particular, have shorter messages, since message components of those schemes lie in one of the source groups and not in both, this is a small price to pay to get smaller signatures and more efficient verification. We stress that the size of messages in USPSDH schemes is still much shorter than in schemes in the Type-II setting and those in Type-I based on finite fields of large characteristic. The latter is recommended as a replacement for bilinear groups based on finite fields of small characteristic following the recent advances, e.g. [13,30], in solving discrete logarithms in the latter setting.
Note that even though one needs to check the well-formedness of the message when verifying a USPSDH signature, such a check only needs to be performed once when verifying multiple signatures on the same message. Consider, for example, attribute-based signatures [39], where the signer needs to prove that she has multiple attributes from (possibly different) attribute authorities. The same applies to applications requiring a user to prove that she has multiple tokens/credentials/certificates from an authority or possibly different authorities.
In addition, such schemes work well in association with the popular (but less efficient) automorphic structure-preserving signature scheme of Abe et al. [25,3] (whose message and verification key spaces lie in the message space of USPSDH schemes). The Abe et al. automorphic scheme [25,3] has been used in constructing many cryptographic protocols, which include group signatures [22], anonymous credentials [25], and e-cash systems. Therefore, USPSDH schemes could lead to more practical instantiations of many cryptographic protocols, including direct anonymous attestation [15], which is a protocol deployed in practice.
Consider, for instance, an application where the user needs to prove (using the Groth-Sahai proof system [34]) possession of n signatures on some message (e.g. her verification key/identity/pseudonym), possibly from different signers. Since the best existing Type-III scheme requires at least 2 PPE equations to verify each individual signature, this would incur a total cost of 2n Groth-Sahai proofs. On the other hand, using, for example, any of our optimal USPSDH schemes, one would only need n + 1 Groth-Sahai proofs, which is significantly better. Also, signatures of our schemes consist of only two group elements from the first (short) source group.
We compare in Table 1 the efficiency of our two new CMA-secure schemes with existing schemes in the Type-III setting. In the last column of the table, we give two different estimates (separated by the word "OR") for the total number of pairings required for verification. The first estimate (which precedes the word "OR") combines pairings which share an input, i.e. collects like terms (which serves to reduce the number of pairings), whereas the second estimate counts the pairings separately. Numbers superscripted with † are the number of pairings that can be precomputed. Since the well-formedness of the message only needs to be verified once when verifying multiple signatures on the same message, we do not count such cost for schemes whose message space is GH, i.e. the set of Diffie-Hellman pairs (see Section 2.1). For all schemes listed, public parameters do not include the default group generators G and H.
We remark that our schemes even compete with standard non-structure-preserving signatures. For instance, our schemes are more efficient than the Camenisch-Lysyanskaya signature scheme [17] and Waters' scheme [43] in the Type-III setting [19]. Also, the size of our signatures and of the verification key are the same as those of the recent (non-structure-preserving) scheme by Pointcheval and Sanders [41].
Table 1. Efficiency comparison between our optimal CMA-secure schemes and existing schemes in the Type-III setting.

Paper Organization. In Section 2, we give some preliminary definitions. In Section 3, we define unilateral structure-preserving signatures on Diffie-Hellman pairs. In Sections 4 & 5, we present constructions of optimal signature schemes and prove their security. In Sections 6 & 7, we present constructions of optimal one-time signature schemes and prove their security. In Section 8, we prove some lower bounds and give some impossibility results. In Section 9, we give an optimal CMA-secure partially structure-preserving scheme that simultaneously signs a Diffie-Hellman pair and a vector in Z_p^k. We give some example applications of our schemes in Section 10.
Notation. We write y = A(x; r) when the algorithm A on input x and randomness r outputs y. We write y ← A(x) for the process of setting y = A(x; r) where r is sampled at random. We also write y ← S for sampling y uniformly at random from a set S. A function ν(·): N → R^+ is negligible (in n) if for every polynomial p(·) and all sufficiently large values of n, it holds that ν(n) < 1/p(n). By PPT we mean running in probabilistic polynomial time in the relevant security parameter. By [k], we denote the set {1, . . ., k}. We will use capital letters for group elements and small letters for field elements.

Preliminaries
In this section we provide some preliminary definitions.

Bilinear Groups
A bilinear group is a tuple P := (G, H, T, p, G, H, ê) where G, H and T are groups of prime order p, and G and H generate G and H, respectively. The function ê is a non-degenerate bilinear map ê: G × H → T. For clarity, elements of H will be accented with ˜. We use multiplicative notation for all the groups. We let G^× := G \ {1_G} and H^× := H \ {1_H}. In this paper, we work in the efficient Type-III setting [27], where G ≠ H and there is no efficiently computable isomorphism between the groups in either direction. We assume there is an algorithm BGSetup that on input a security parameter λ outputs a description of bilinear groups.
The message space of the signature schemes we consider is the set of elements of the subgroup GH of G × H defined as the image of the map

Definition 2 (Symmetric External Diffie-Hellman (SXDH) Assumption). Given a bilinear group P := (G, H, T, p, G, H, ê), the SXDH assumption requires that the DDH assumption holds in both groups G and H.

Digital Signatures
A digital signature scheme over a bilinear group P generated by BGSetup for a message space M is a tuple DS := (KeyGen, Sign, Verify) whose definitions are:
• KeyGen(P): this randomized algorithm takes as input a bilinear group P and outputs a pair of secret/verification keys (sk, vk).
• Sign(sk, m): takes as input a secret key sk and a message m ∈ M, and outputs a signature σ.
where Q Sign is the set of messages queried to Sign.
We consider schemes which are re-randomizable (i.e. weakly unforgeable) in the sense that given a signature on a message m, anyone, without knowledge of the signing key, can compute a new signature on the same message. A desirable property for such a class of schemes is that randomized signatures are indistinguishable from fresh signatures on the same message. Thus, we define an algorithm Randomize which, on input (vk, m, σ) with σ being a valid signature on m, outputs a new signature σ' on m. We say the scheme has Perfect Randomizability when ν(λ) = 0. Note that the above definition of randomizability is stronger than the variant where the signature σ* is generated by the challenger rather than by the adversary herself. When it is even infeasible for the adversary to output a new signature on a message that was queried to the sign oracle, we say the scheme is Strongly Existentially Unforgeable against adaptive Chosen Message Attack (sEUF-CMA).
A weaker variant of existential unforgeability, i.e. Existential Unforgeability against a Random Message Attack (EUF-RMA), is similar to the above definition, but on each call to the sign oracle, the oracle samples a message uniformly at random from the message space and returns the message and a signature on it.
In one-time signatures, the adversary is restricted to a single signing query.

Structure-Preserving Signatures
Structure-preserving signatures [3] are signature schemes defined over bilinear groups where the messages, the verification key and signatures are all group elements, and verifying signatures only involves deciding group membership of the signature components and evaluating pairing-product equations of the form of Equation (1),
where A_i ∈ G and B̃_j ∈ H are group elements appearing in P, m, vk, σ, whereas c_{i,j} ∈ Z_p are constants.

Generic Signer. In a bilinear group based signature scheme, we refer to a signer that can only decide group membership, evaluate the bilinear map ê, compute the group operations in the groups G, H and T, and compare group elements as a generic signer.

Randomizable Weakly Blind Signatures
A randomizable weakly blind signature scheme [12] is similar to a standard blind signature scheme [21], but unlike the latter, in the former the signer never gets to see the signed message. A randomizable blind signature scheme BS (with a two-move signature request phase) is a tuple of polynomial-time algorithms BS := (Setup_BS, KeyGen_BS, Request_BS, Issue_BS, Verify_BS, Randomize_BS). All algorithms (bar Setup_BS) are assumed to take as (implicit) input a parameter set param_BS output by Setup_BS.
• KeyGen_BS(param_BS) outputs a verification/secret key pair (vk_BS, sk_BS) for the signer.
• (Request^0_BS, Issue^1_BS, Request^1_BS) is an interactive protocol between a user and a signer. The protocol is initiated by the user by calling Request^0_BS(vk_BS, m) to obtain a value ρ_0 and some state information st^0_R (which is assumed to contain the message m). Then the signer and user execute, respectively,
where σ is a signature on the message m (or the reject symbol ⊥).
We write σ ← Request_BS(vk_BS, m), Issue_BS(sk_BS) for the output of a correct run of this protocol on the given inputs.
• Verify_BS(vk_BS, m, σ) outputs 1 if σ is a valid signature on m and 0 otherwise.
• Randomize_BS(vk_BS, σ), given a signature σ on an unknown message m, produces another valid signature σ' on the same message.
The security of randomizable weakly blind signatures [12] requires the following:

Definition 6 (Correctness). A randomizable weakly blind signature scheme is (perfectly

Definition 7 (Unforgeability). A randomizable weakly blind signature scheme is unforgeable if for all λ ∈ N, all PPT adversaries A have a negligible advantage in the game in Fig. 1.

Fig. 1 (surviving fragment). − Return 0 if any of the following holds. Otherwise, Return 1: • A called its oracle more than n times.

Definition 8 (Weak Blindness). A randomizable weakly blind signature scheme is weakly blind if for all λ ∈ N, all PPT adversaries A have a negligible advantage in the game in Fig. 2.

Groth-Sahai Proofs
Groth-Sahai (GS) proofs [34] are non-interactive proofs in the CRS model. We will use GS proofs that are secure under the SXDH assumption and that prove knowledge of witnesses to pairing-product equations of the form
All underlined variables are part of the witness, whereas the rest of the values are public constants. The language for these proofs is of the form L := {statement | ∃ witness : E(statement, witness) holds}, where E(statement, ·) is a set of pairing-product equations. The system is defined by a tuple of algorithms (GSSetup, GSProve, GSVerify, GSExtract, GSSimSetup, GSSimProve). GSSetup takes as input the description of a bilinear group P and outputs a binding reference string crs and an extraction key xk. GSProve takes as input the string crs, a set of equations statement and a witness, and outputs a proof Ω for the satisfiability of the equations. GSVerify takes as input a set of equations, a string crs and a proof Ω, and outputs 1 if the proof is valid and 0 otherwise. GSExtract takes as input a binding crs, the extraction key xk and a valid proof Ω, and outputs the witness used for the proof. GSSimSetup, on input a bilinear group P, outputs a hiding string crs_Sim and a trapdoor key tr that allows one to simulate proofs. GSSimProve takes as input crs_Sim, a statement and the trapdoor tr and produces a simulated proof Ω_Sim without a witness. The distributions of the strings crs and crs_Sim are computationally indistinguishable, and simulated proofs are indistinguishable from proofs generated by an honest prover. The proof system has perfect completeness, (perfect) soundness, and composable witness-indistinguishability/composable zero-knowledge. We refer to [34] for the formal definitions and the details of the instantiations.
We remark that there exist schemes, e.g. [28,29], which conform to the above requirements. Also, there are schemes, e.g. [25,3], which satisfy the first requirement but not the second.
The following lemma proves that our impossibility results and lower bound proofs in the next section hold even if one allows the verification key and public parameters (other than the group generator) to be from the same source group as the signature components.
Lemma 1. Having a verification key component or a public parameter (other than the group generator) in the same group as the signature is redundant.
Proof. Let us consider the case where the signature is of the form σ = (S_1, . . ., S_k) ∈ G^k whereas the verification key is vk = (X_1, . . ., X_n, Ỹ_1, . . ., Ỹ_n) ∈ G^n × H^n. The proof for the opposite case, where the groups are transposed, is similar.
Since the X_i's are in the same group as the S_j's (for all possible choices of i and j), the verification equations cannot have any pairing of the form ê(S_i, X_j). Thus, the only pairings that X_i can feature in in the verification equations are ê(X_i, Ñ), ê(X_i, H) or ê(X_i, Ỹ_j). In the first case, the pairing is equivalent to ê(M, H^{x_i}), where x_i is the discrete logarithm of X_i to the base G. Thus, we can replace X_i by X̃_i := H^{x_i}. In the latter two cases, we can WLOG move the result of the pairing to the right-hand side of the verification equation and relax Equation (1) to allow the right-hand side to be Z_T instead of 1_T.

Optimal CMA-Secure Scheme I
We give here a (weakly) existentially unforgeable against adaptive chosen-message attack signature scheme with signatures consisting of two elements from the group G. Besides checking membership of the message in GH, verifying a signature only requires the evaluation of 1 pairing-product equation with 4 pairings in total, 1 of which can be precomputed. Depending on the application, the number of pairings can be further reduced to 3 pairings, one of which can be precomputed, since two of the pairings share the same left-hand side argument.
Given the description of Type-III bilinear groups P output by BGSetup(1^λ), the scheme is as follows:
• KeyGen(P): Select x, y ← Z_p^×. Set sk := (x, y) and vk := (X̃, Ỹ) := (H^x, H^y) ∈ H^2.
• Sign(sk, (M, Ñ)): To sign a message (M, Ñ) ∈ GH, select r ← Z_p, and set
• Verify(vk, (M, Ñ), σ = (R, S)): Return 1 iff R, S ∈ G, (M, Ñ) ∈ GH, and the following holds:
Note that the signing algorithm can be performed even without knowledge of the exponent x if one has the element X := G^x ∈ G (instead of x ∈ Z_p) as part of the secret key sk.
Correctness of the scheme follows by inspection and is straightforward to verify. The signature is weakly unforgeable. For instance, given two distinct signatures σ_1 = (R_1, S_1) and σ_2 = (R_2, S_2) on a message (M, Ñ), one can, without knowledge of the signing key, compute a new signature σ' = (R', S') on the same message, e.g. as a linear combination of σ_1 and σ_2 (see the Randomize algorithm below).

Theorem 1. The structure-preserving signature scheme is existentially weakly unforgeable against a chosen-message attack in the generic group model.
Proof. Since the adversary is generic, it can only produce linear combinations of the signatures' elements, verification key elements and public parameters in each of the source groups. The linear combinations represent Laurent polynomials in the discrete logarithms of those elements. We will prove that no linear combination produces Laurent polynomials corresponding to a forgery on a message that was not queried to the sign oracle.
Public elements in H are H, X̃, Ỹ, which correspond to the discrete logarithms 1, x and y, respectively. Thus, at the i-th sign query on (M_i, Ñ_i), Ñ_i can only be a linear combination of H, X̃, Ỹ; thus, we have
Thus, we have
After q signing queries, (m*, n*), which is the discrete logarithm of the forged message (M*, Ñ*), must be of the form
Since we must have (M*, Ñ*) ∈ GH, i.e. m* = n*, we must have b_n = c_n = 0 and b_{m_i} = c_{m_i} = 0 for all i ∈ [q], and a_m = a_n. Thus, we have
Similarly, the forgery (R*, S*) can only be a linear combination of the group elements from G, i.e. a linear combination of G, {R_i}_{i=1}^q and {S_i}_{i=1}^q, and therefore we have
For the forgery to be a valid signature, r* and s* must satisfy s* y = r* x + r* m* + 1. Therefore, we must have
Thus, we must have
Note that there is no term in y or r_i y on the right-hand side, so we must have a_s = 0 and b_{s,i} = 0 for all i, so
There is no term in r_i x^2 y^{-1} on the left-hand side, so c_{r,i} = 0 for all i. Also, since there is no term in x on the left-hand side, we also have a_r = 0. Thus, we have
The monomial r_i x implies c_{s,i} = b_{r,i} for all i, whereas the monomial r_i implies c_{s,i} m_i = b_{r,i} m*. Since we have c_{s,i} = b_{r,i}, this means we have m* = m_i for some i. Hence, the signature (R*, S*) is on a message pair (M_i, Ñ_i) that was queried to the sign oracle and thus is not a forgery on a new message.

Randomizability/Strong Unforgeability
We prove the following theorem regarding the randomizability/strong unforgeability of the above signature scheme.

Theorem 2. The scheme is strongly existentially unforgeable against an adversary that queries the signing oracle on each message at most once.

Proof. Following the proof of Theorem 1, for the adversary's forgery to be valid we must have:
Let J be the subset of {1, . . ., q} containing the indices of the signatures on the message m* that were obtained from the signing oracle, i.e. J is the set of indices of the queries on message m*. Let R_{m*} = {R_i}_{i∈J} and S_{m*} = {S_i}_{i∈J}. From the left-hand side of (3), it is clear that S* can only be a linear combination of elements of the set S_{m*}. Similarly, R* can only be a linear combination of elements of the set R_{m*}. Since the adversary is restricted to at most a single signing query on each message, we have |J| ≤ 1, and |J| = 0, i.e. a forgery on a message m* which was not queried to the signing oracle, would contradict Theorem 1. Now, for (3) to hold, we must have c_{s,i} = 1, which implies b_{r,i} = 1 and thus r* = r_i, and the signature is the one that was obtained from the sign oracle.
Let us now define the randomization algorithm Randomize for the above scheme as follows:
• Randomize(vk, (M, Ñ), {σ_i = (R_i, S_i)}_{i=1}^2): For any two distinct signatures σ_1 and σ_2 on the message (M, Ñ), i.e. R_1 ≠ R_2, satisfying Verify(vk, (M, Ñ),
To obtain a new signature σ' on (M, Ñ), choose a ← Z_p and compute b = 1 − a (which satisfies

Theorem 3. Randomized signatures are perfectly indistinguishable from fresh signatures on the same message.

Proof. In the Sign algorithm, r is chosen uniformly at random from Z_p, whereas in the Randomize algorithm, a (resp. b) is also chosen uniformly at random from Z_p. Moreover, for any possible r ∈ Z_p such that R = G^r, there is an a ∈ Z_p such that r = a r_1 + (1 − a) r_2 for any r_1, r_2 ∈ Z_p satisfying r_1 ≠ r_2. Therefore, the distribution of signatures output by the Randomize algorithm is identical to that of signatures output by the Sign algorithm.
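To make the algebra of Scheme I concrete, here is an added example (it is not code from the paper) that models the scheme at the level of discrete logarithms: every group element is stored as its exponent modulo a constructed toy prime P, so ê(G^a, H^b) becomes the product ab mod P and a product in T becomes a sum of exponents. This captures only the verification identities the generic-group proof reasons about and provides no cryptographic hardness; a real instantiation would use a pairing library over a Type-III curve. The concrete forms R := G^r, S := (R^x M^r G)^{1/y} and ê(S, Ỹ) = ê(R, X̃) ê(R, Ñ) ê(G, H) are an assumption reconstructed from the relation s* y = r* x + r* m* + 1 in the proof of Theorem 1, since the displayed Sign and Verify equations are not reproduced above; the names keygen, sign, verify, randomize and coefficient_for are mine. randomize is the two-signature Randomize with b = 1 − a, and coefficient_for computes the a from the proof of Theorem 3 that maps a given pair of signatures onto any target R.

```python
import secrets

# Constructed toy group order (a prime).  A real instantiation uses the prime
# order p of a Type-III pairing-friendly curve; no hardness is claimed here.
P = 1_000_000_007

def rand_zp(nonzero=False):
    """Uniform element of Z_p, or of Z_p^x when nonzero=True."""
    while True:
        v = secrets.randbelow(P)
        if v != 0 or not nonzero:
            return v

def pair(a, b):
    """e(G^a, H^b) = e(G,H)^(a*b): returns the exponent a*b mod p."""
    return (a * b) % P

def dh_pair(m):
    """Encode a field element m as the Diffie-Hellman pair (G^m, H^m)."""
    return (m % P, m % P)

def well_formed(msg):
    """(M, N~) in GH  <=>  e(M, H) == e(G, N~); G and H both have exponent 1."""
    M, N = msg
    return pair(M, 1) == pair(1, N)

def keygen():
    """sk = (x, y) in (Z_p^x)^2 and vk = (X~, Y~) = (H^x, H^y), two elements of H."""
    x, y = rand_zp(True), rand_zp(True)
    return (x, y), (x, y)

def sign(sk, msg, r=None):
    """Assumed Sign: R = G^r, S = (R^x M^r G)^{1/y}; r is drawn if not given."""
    x, y = sk
    M, _ = msg
    r = rand_zp() if r is None else r % P
    R = r
    S = ((R * x + r * M + 1) * pow(y, -1, P)) % P
    return (R, S)

def verify(vk, msg, sig):
    """Assumed Verify: (M, N~) in GH and e(S, Y~) = e(R, X~) e(R, N~) e(G, H)."""
    X, Y = vk
    R, S = sig
    if not well_formed(msg):
        return False
    _, N = msg
    # e(G, H) is key- and message-independent, so a verifier can precompute it;
    # e(R, X~) e(R, N~) share the left argument R and could be merged into e(R, X~ N~).
    rhs = (pair(R, X) + pair(R, N) + pair(1, 1)) % P
    return pair(S, Y) == rhs

def randomize(vk, msg, sig1, sig2, a=None):
    """Randomize: from two valid signatures with R1 != R2 output
    (R1^a R2^b, S1^a S2^b) with b = 1 - a, which is again valid on msg."""
    (R1, S1), (R2, S2) = sig1, sig2
    if R1 == R2 or not (verify(vk, msg, sig1) and verify(vk, msg, sig2)):
        raise ValueError("need two distinct valid signatures on msg")
    a = rand_zp() if a is None else a % P
    b = (1 - a) % P
    return ((a * R1 + b * R2) % P, (a * S1 + b * S2) % P)

def coefficient_for(r_target, r1, r2):
    """Theorem 3: for r1 != r2, the a with r_target = a*r1 + (1-a)*r2 is
    (r_target - r2)/(r1 - r2), so Randomize reaches every R = G^r."""
    return ((r_target - r2) * pow((r1 - r2) % P, -1, P)) % P

if __name__ == "__main__":
    sk, vk = keygen()
    msg = dh_pair(rand_zp())
    s1, s2 = sign(sk, msg), sign(sk, msg)
    print("fresh valid:", verify(vk, msg, s1),
          "randomized valid:", verify(vk, msg, randomize(vk, msg, s1, s2)))
```

Run as a script it signs a random Diffie-Hellman pair twice and re-randomizes; the check that a malformed pair (G^m, H^n) with m ≠ n is rejected is what forces the "well-formedness of the message" step the text refers to, and it is the only place the H-component of the message is used.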

Combined Unforgeability for Messages
The notion of structure-preserving signature schemes with combined unforgeability [33] (similarly to selectively randomizable schemes [6]) refers to signature schemes where the same scheme can produce, at the discretion of the signer, either strongly unforgeable signatures or ones that can be re-randomized.
We proved that in our scheme the only way to obtain a new signature on the same message is by a linear combination of distinct signatures on the same message. One can exploit this feature so that the signer can decide for which messages the signatures can be re-randomized and for which they cannot, which might be useful for some applications. For those messages to be restricted, the signer only allows a single signing query on them, whereas for those whose signatures are to be re-randomizable, the signing oracle returns at least two distinct signatures σ = (R, S) and σ' = (R', S') satisfying R ≠ R'.

Optimal CMA-Secure Scheme II
We give here an efficient publicly re-randomizable structure-preserving scheme that is existentially unforgeable against adaptive chosen-message attack.The scheme yields signatures with two group elements from group G.
Besides checking membership of the message in GH, verifying a signature requires 1 PPE equation with 3 pairings in total, or 2 pairings and 1 point addition, since 2 of the 3 pairings required share the same left argument. When verifying a signature, we additionally need to check that R ∈ G^× (i.e. R ∈ G \ {1_G}).
Remark 2. Again, the signing algorithm can be performed even without knowledge of the exponent x if one has the element X := G^x ∈ G (instead of x ∈ Z_p) as part of the secret key sk. Also, note that the component R of the signature is information-theoretically independent of the message, and hence even when proving knowledge of a signature on the message, one can reveal this component of the signature after re-randomizing it.
Correctness of the scheme follows by inspection and is straightforward to verify.The scheme is perfectly randomizable as the distribution of re-randomized signatures is identical to that of fresh signatures on the same message.
Theorem 4. The structure-preserving signature scheme is existentially weakly unforgeable against a chosen-message attack in the generic group model.
Proof. Public elements in H are H, X̃, Ỹ, which correspond to the discrete logarithms 1, x and y, respectively. We note that our proof of security only relies on the forgery being a valid element of GH. In other words, the scheme is still secure even if the adversary queries the scheme on arbitrary messages from G for which it does not know the corresponding message component in H.
During the i-th signing query on (M_i, Ñ_i), Ñ_i can only be a linear combination of H, X̃, Ỹ; thus, we have
Similarly, M_i can only be a linear combination of G, {R_j}_{j=1}^{i−1}, {S_j}_{j=1}^{i−1}. Thus, we have
After q signing queries, (m*, n*), which is the discrete logarithm of the forged message (M*, Ñ*), must be of the form
Since we must have n* = m* for the forgery to be a valid element of GH, we have
Similarly, the signature (R*, S*) has the form
For the forgery to be a valid signature, s* and r* must satisfy s* y = r* x + r* m*. So we must have
Thus, we must have
Note that there is no term in y or r_i y on the right-hand side, so we must have a_s = 0 and b_{s,i} = 0 for all i. Thus, we have
There is no term r_i x^2 y^{-1} on the left-hand side, so c_{r,i} = 0 for all i. Also, since there is no term in x on the left-hand side, we also have a_r = 0. Thus, we have
The monomial r_i x implies c_{s,i} = b_{r,i} for all i. Since we require that R* ∈ G^×, we must have r* ≠ 0, and therefore there must be at least one value of i with c_{s,i} = b_{r,i} ≠ 0. Now the monomial r_i implies c_{s,i} m_i = b_{r,i} m*, which means m* = m_i for some i. Thus, the signature (R*, S*) is on a message pair (M_i, Ñ_i) that was queried to the sign oracle and thus is not a forgery.

Optimal CMA-Secure One-Time Signature Schemes
We give here a (strongly) existentially unforgeable one-time signature scheme that is secure against a chosen-message attack with one-element signatures.Besides checking membership of the message in GH, verification requires the evaluation of a single PPE equation with 3 pairings in total one of which can be pre-computed when verifying multiple signatures (under different keys) on the same message.Alternatively, verification can be performed by evaluating only 2 pairings and one point addition since two pairings share the same left-hand side argument.
We will show in Section 7 that the same scheme can also be used as a one-time structure-preserving signature scheme for messages in G (resp. H) by replacing the pairing ê(G, Ñ) in the PPE verification equation by ê(M, H). This essentially yields a new one-time signature scheme for unilateral messages in the Type-III setting matching the optimal one-time scheme in [6] in every respect.
Correctness of the scheme follows by inspection and is straightforward to verify. The signing algorithm is deterministic and therefore for any message there is only 1 potential signature. We prove the following theorem.
Theorem 5. The one-time structure-preserving signature scheme is strongly existentially unforgeable against a one-time chosen-message attack in the generic group model.
Proof. We show that the linear combinations the generic adversary can produce out of the combinations of the elements of the signatures, verification key and public parameters in each of the source groups cannot correspond to Laurent polynomials representing a valid forgery. Public elements in H are H, X̃, Ỹ, which correspond to the discrete logarithms 1, x and y, respectively. Thus, for the message (M, Ñ) queried to the sign oracle, Ñ can only be a linear combination of H, X̃ and Ỹ. After 1 signing query, the message on which the adversary forges a signature must be of the form Similarly, the signature σ* = S* must have the form For the forgery to be a valid signature, s* must satisfy s* y = x + m*. Therefore, we must have Thus, we must have There is no term in y on the right-hand side, so we must have a_s = 0. Thus, we have By the monomial x, we have b_s = 1. For the two sides to be equal, we must have b_s m = m*. Since we have b_s = 1, it means we must have m* = m. This means the forgery is on the same message queried to the sign oracle.
• Sign(sk, (M, Ñ)_1, ..., (M, Ñ)_k): To sign a vector of messages (M, Ñ)_1, ...,
• Verify(vk, (M, Ñ)_1, ..., (M, Ñ)_k, σ): Return 1 iff σ ∈ G, (M, Ñ)_i ∈ GH, and the following holds:
Correctness of the scheme follows by inspection and is straightforward to verify. The scheme being deterministic ensures that for any vector of messages there is only 1 potential signature. The following theorem proves that a one-time chosen-message adversary has a negligible probability of producing a signature on a vector of messages different from the one it queried its sign oracle on.
Theorem 6. The scheme is strongly existentially unforgeable against a one-time chosen-message attack.
Proof. Let A be an adversary that breaks the unforgeability of the scheme. We use A to construct an adversary B that breaks the strong existential unforgeability of the single-message one-time scheme in Section 6.
Adversary B gets vk = (X̃, Ỹ) from its game and has a single-message one-time signing oracle. B constructs its verification key by choosing x_2, ..., x_k ← Z_p^× and computing X̃_i := H^{x_i} for i = 2, ..., k. It then forwards its verification key vk* := (X̃, X̃_2, ..., X̃_k, Ỹ) to A. When queried on the message Ñ_i^{x_i} and forwards (M, Ñ) to its own sign oracle and returns the resultant signature σ to A. Eventually, when A returns its forgery σ* on a message vector (M*, Ñ*)_1, ..., Ñ*_i^{x_i} and returns σ* and the message (M*, Ñ*) as its forgery in its game. Clearly, if A wins its game, B wins its game with the same probability.

Signing Messages in GH × G^{k−1}
The scheme in Section 6.1 can also be used to sign messages in GH × G^{k−1}. The scheme is as follows, where the KeyGen algorithm is the same as that in Section 6.1:
• Sign(sk, (M, Ñ), (M_1, ..., M_{k−1})): To sign a vector of messages (M, Ñ), and the following holds:
Correctness of the scheme follows by inspection and is straightforward to verify. The scheme being deterministic ensures that for any vector of messages there is only 1 potential signature. Since the messages (M_1, ..., M_{k−1}) do not have corresponding components in H, we cannot use a reduction to the scheme in Section 6 as we did in Theorem 6. Instead, the following theorem proves that the scheme is secure in the generic group model.
Theorem 7. The scheme is strongly existentially unforgeable against a one-time chosen-message attack.
Proof. We show that the linear combinations the generic adversary can produce out of the combinations of the signatures' elements, verification key elements and public parameters in each of the source groups cannot correspond to Laurent polynomials representing a valid forgery. Public elements in H are H, X̃_1, ..., X̃_k, Ỹ, which correspond to the discrete logarithms 1, x_1, ..., x_k and y, respectively. The message on which the adversary forges a signature σ* = S* can only be of the form Since we require that (M*, Ñ*) ∈ GH, we must have m* = n* = a_m. Similarly, the signature σ* = S* must have the form For the forgery to be a valid signature, s* must satisfy Therefore, we must have So we must have There is no term in y on the right-hand side, so we must have a_s = 0. Thus, we have By the monomial x_1, we have b_s = 1. For the two sides to be equal, we must have b_s m = m* and b_s m_{i−1} x_i = m*_{i−1} x_i for all i = 2, ..., k. Since we have b_s = 1, it means we must have m* = m and m_{i−1} = m*_{i−1} for all i = 2, ..., k. This means the forgery is on the same vector queried to the sign oracle.

Optimal One-Time Scheme for Unilateral Messages
As mentioned earlier, the previous one-time signature scheme can be used to sign unilateral messages, i.e. messages in G^k. Thus, we obtain a one-time structure-preserving scheme for a vector of unilateral messages matching the optimal scheme in the Type-III setting [6] in every respect. By transposing the groups, one can similarly sign messages in H^k. The scheme is as follows:
• KeyGen(P): Select x_1, ..., x_k, y ← Z_p^×. Set sk := (x_1, ..., x_k, y) and vk := (X̃_1, ..., X̃_k, Ỹ) := (H^{x_1}, ..., H^{x_k}, H^y) ∈ H^{k+1}.
• Sign(sk, (M_1, ..., M_k)): To sign a vector of messages k, and the following holds:
Efficiency. To sign a vector in G^k, the verification key consists of k + 1 group elements from group H. Signing requires k + 1 exponentiations in G, whereas verification requires 1 pairing-product equation involving k + 2 pairings. The signature consists of a single group element from G (regardless of the length of the vector to be signed). Those costs are identical to those of the optimal one-time scheme in the Type-III setting in [6].
Correctness of the scheme follows by inspection and is straightforward to verify. The scheme being deterministic ensures that for any vector of messages there is only 1 potential signature. The proof of the following theorem, which establishes the existential unforgeability of the scheme against a chosen-message attack in the generic group model, is very similar to the proof of Theorem 7. For completeness, we give the proof in Appendix A.
Theorem 8. The scheme is strongly existentially unforgeable against a one-time chosen-message attack.
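As an added example (not code from the paper), the Section 7 scheme for k unilateral messages, with the Section 6 Diffie-Hellman-pair scheme as the k = 1 case, simulated over a toy prime-order group in which every element is stored as its discrete logarithm and the pairing is multiplication of exponents, which is exactly the view the generic-group proofs take; the prime P, the function names and the sample messages are constructed here. The last function shows, using group operations only, why the key must be used once: two signatures under the same key combine into a signature on a fresh message, the same linear combination the proof of Theorem 10 relies on.

```python
import secrets

# Constructed toy group order for the simulation (a 61-bit Mersenne prime);
# real Type-III groups use a ~256-bit prime on a pairing-friendly curve.
P = (1 << 61) - 1

# Generic-group simulation: an element G^a of G (resp. H^b of H) is stored as
# its discrete logarithm a (resp. b) mod P, and the pairing
# e(G^a, H^b) = e(G, H)^(a*b) is stored as a*b mod P. Group multiplication
# is therefore addition of exponents and exponentiation is multiplication.
# verify() only uses pair(), gmul() and gexp(), i.e. operations a real
# verifier can perform without knowing any exponent.

def gmul(*elems):
    """Group multiplication in G, H or G_T (exponents add)."""
    return sum(elems) % P

def gexp(elem, k):
    """Exponentiation in G or H (exponents multiply)."""
    return (elem * k) % P

def pair(g_elem, h_elem):
    """Simulated pairing e: G x H -> G_T."""
    return (g_elem * h_elem) % P

def inv_mod_p(a):
    return pow(a % P, P - 2, P)

def keygen(k):
    """Section 7 KeyGen: sk = (x_1..x_k, y), vk = (X_1..X_k, Y) = (H^x_i, H^y)."""
    xs = [1 + secrets.randbelow(P - 1) for _ in range(k)]   # elements of Z_p^x
    y = 1 + secrets.randbelow(P - 1)
    return (xs, y), ([gexp(1, x) for x in xs], gexp(1, y))

def sign(sk, msgs):
    """S = (G^x_1 * M_1 * prod_{i>=2} M_i^x_i)^(1/y): k+1 exponentiations in G.
    Deterministic, so each vector has exactly one signature."""
    xs, y = sk
    if len(msgs) != len(xs):
        raise ValueError("vector length must match the key length k")
    base = gmul(gexp(1, xs[0]), msgs[0],
                *[gexp(m, x) for m, x in zip(msgs[1:], xs[1:])])
    return gexp(base, inv_mod_p(y))

def verify(vk, msgs, sig, n_tilde=None):
    """Single PPE with k+2 pairings: e(S,Y) = e(G,X_1) e(M_1,H) prod e(M_i,X_i).

    With n_tilde given, M_1 is the G-part of a Diffie-Hellman pair (M_1, N)
    (the Section 6 one-time scheme, k = 1): membership in GH is checked and
    e(G, X_1) e(G, N) is folded into e(G, X_1 * N), saving one pairing."""
    xs_pub, y_pub = vk
    if len(msgs) != len(xs_pub):
        return False
    lhs = pair(sig, y_pub)
    if n_tilde is None:
        rhs = gmul(pair(1, xs_pub[0]), pair(msgs[0], 1))
    else:
        if pair(msgs[0], 1) != pair(1, n_tilde):   # is (M_1, N) in GH?
            return False
        rhs = pair(1, gmul(xs_pub[0], n_tilde))
    for m, x in zip(msgs[1:], xs_pub[1:]):
        rhs = gmul(rhs, pair(m, x))
    return lhs == rhs

def combine(msg_a, sig_a, msg_b, sig_b, gamma):
    """Why the key is one-time (k = 1): signatures on M_a and M_b under one
    key combine, with group operations only, into a valid signature on
    M* = M_a^gamma * M_b^(1-gamma); when both inputs are GH pairs the same
    exponent serves for the H-component of M*."""
    one_minus = (1 - gamma) % P
    msg_star = gmul(gexp(msg_a, gamma), gexp(msg_b, one_minus))
    sig_star = gmul(gexp(sig_a, gamma), gexp(sig_b, one_minus))
    return msg_star, sig_star

if __name__ == "__main__":
    sk, vk = keygen(3)
    sig = sign(sk, [5, 7, 11])          # constructed sample vector
    print("vector signature verifies:", verify(vk, [5, 7, 11], sig))
```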

Lower Bounds & Impossibility Results for USPSDH Schemes
In this section we investigate some lower bounds and prove some impossibility results for USPSDH schemes. Our proofs are general and do not require the right-hand side of the verification equations to be Z_T = 1_T.

Impossibility of Strongly Unforgeable CMA Secure Schemes
We prove here that there exists no generic-signer USPSDH scheme that is strongly existentially unforgeable against an adversary that makes q > 1 chosen-message signing queries. We note, however, that there exist such schemes that are RMA secure or where, for instance, we do not allow the adversary to query the sign oracle on the same message more than once.
Theorem 9. There is no generic-signer USPSDH scheme that is strongly unforgeable against a chosen message attack for q > 1 queries.
Proof. Let us consider the case where the signature σ = (S_1, ..., S_k) ∈ G^k whereas the verification key vk = (X̃_1, ..., X̃_n) ∈ H^n. The proof for the opposite case where the groups are transposed is similar. Such a scheme would have a number of verification equations of the form of Equation (4).

Impossibility of a Single Group Element Signature
The following theorem proves that there is no generic-signer USPSDH scheme with signatures consisting of 1 group element that is unforgeable against a random message attack for more than 1 signing query. The only exception is one-time signatures (in which the adversary is only allowed to make a single signing query).
Theorem 10. There is no generic-signer USPSDH scheme with 1 group element signatures that is unforgeable against a random message attack for q > 1 signing queries.
Proof. Let us consider the case where the signature σ = S ∈ G, whereas the verification key vk = (X̃_1, ..., X̃_n) ∈ H^n. The proof for the opposite case where the groups are transposed is similar.
We start with the following lemma, which shows that it is redundant for a USPSDH scheme (for a single Diffie-Hellman pair) with 1 group element signatures to require more than one verification equation (not counting the equation needed to verify the well-formedness of the message).
Lemma 2. One verification equation is sufficient for verifying a one-element signature.
Proof. Such a signature scheme would have verification equations of the form of Equation (5):

$$\prod_{i=1}^{n} \hat{e}(S, \tilde{X}_i)^{a_{i,e}}\,\hat{e}(M, \tilde{X}_i)^{b_{i,e}} \cdot \hat{e}(S, \tilde{N})^{c_e}\,\hat{e}(M, \tilde{N})^{d_e} = Z_{T,e} \qquad (5)$$

Each of those equations is a (non-trivial) equation that is linear in S. Thus, we can compute a single non-trivial equation linear in S (which uniquely determines S) by a linear combination of all those verification equations and use such an equation for verification. If there is no such linear combination of the verification equations, they must be linearly dependent, which means some of them are redundant. Thus, by excluding those, we can again reduce them to a single equation that is linear in S.
Now note that for the signature scheme to be (perfectly) correct (and publicly verifiable), the signature on the message must verify using the (fixed) verification key and (fixed) public parameters (if any). By taking the discrete logarithms of the group elements in the (single) verification equation, we can write the verification equation as The verification equation is a linear equation in s (the discrete logarithm of the signature S). Note that such a signature is not defined if Σ_{i=1}^{n} a_i x_i + cm = 0. This means there exists at most one potential signature for the message. For the sake of contradiction, assume that for a message (M, Ñ) there exist two different signatures σ = S and σ' = S'. Since the scheme is perfectly correct, we have By subtracting Equation (8) from Equation (7), we get which implies that s = s', which is a contradiction. Since the signing algorithm is generic, a signature σ_i on a message (M_i, Ñ_i) is of the form σ_i = M_i^α · G^β for some (fixed) α, β ∈ Z_p. Now, given signatures σ_1 and σ_2 on a pair of distinct random messages (M_1, Ñ_1), (M_2, Ñ_2), respectively, we have we obtain a valid forgery on the message (M*, Ñ* To see that the forgery is a valid signature, we have This implies that at least two group elements are required in the signature for the scheme to be existentially unforgeable against a random message attack that uses q > 1 signing queries.
Remark 4. Note that since we are considering a random message attack (which is weaker than a chosen message attack), it is the signer rather than the adversary that chooses the messages when answering signing queries. Also, note that unlike in the Type-II bilinear group setting, in the Type-III setting there is no efficiently computable isomorphism between the groups. One way for the signer to pick a random message (M, Ñ) is, for instance, to randomly choose m ← Z_p and compute (M, Ñ) := ψ(m); the signer then performs signing generically, i.e. without exploiting knowledge of the exponent m. Alternatively, one can envisage a separate message sampling algorithm that does the above and returns (M, Ñ) to the signer, who in turn performs the generic signing algorithm.
Alternative Proof for Theorem 10. Our proof below relies on eliminating some terms from the verification equation which are redundant for a generic-signer scheme, as it is hard for a generic signer, who does not know the discrete logarithm of the message, to produce a non-trivial signature whose verification equation uses any of the eliminated terms. Refer to the discussion in Section 8.5 for details.
Proof. Again, let us consider the case where the signature σ = S ∈ G, whereas the verification key vk = (X̃_1, ..., X̃_n) ∈ H^n. The proof for the opposite case where the groups are transposed is similar. We first argue that since we are only considering generic signers, it is sufficient to consider a single verification equation of the form of Equation (10) instead of Equation (5).
Since the signing algorithm is generic, s (the discrete logarithm of the signature S) cannot have degree > 1 in m (the discrete logarithm of the message). This means that the verification equation cannot have the monomial ê(M, Ñ)^d where d ≠ 0, as that would require that s have degree > 1 in m, which would require knowledge of the discrete logarithm m. So we can WLOG assume that d = 0. Similarly, since m cannot appear in a term in the denominator of s when viewing s as a rational function, as that would also require knowledge of the discrete logarithm m, the verification equation cannot have a monomial ê(S, Ñ)^c for c ≠ 0 either. Therefore, we can WLOG assume that c = 0. We remark here that all existing structure-preserving signature schemes in all bilinear group settings conform to the assumptions we are using. Again, refer to Section 8.5 for further justification. Thus, we end up with two cases:
• Degree of m = 0: This means that S is independent of the message and hence the same signature σ is valid on any other message (M', Ñ') ∈ GH where (M', Ñ') ≠ (M, Ñ).
• Degree of m = 1: By taking the discrete logarithms of the group elements in Equation (10), we can write the verification equation as Given signatures σ_1 = S_1 on a random message (M_1, Ñ_1) and σ_2 = S_2 on a random message (M_2, Ñ_2), by choosing γ ← Z_p, we can compute a valid signature σ* = S* (i.e. one that satisfies the verification equation in (10)) on the message (M ) by computing . Since the messages (M_1, Ñ_1) and (M_2, Ñ_2) are chosen uniformly at random, with overwhelming probability (M*, Ñ*) ∉ {(M_1, Ñ_1), (M_2, Ñ_2)}, and thus σ* is a valid forgery on a new message.

Lower Bound on the Size of the Verification Key for Optimal One-Time Signatures
In Section 6 we have seen that a one-time USPSDH scheme can have signatures consisting of a single group element. Here we investigate lower bounds for the size of the verification key for optimal generic-signer one-time USPSDH schemes.
We prove that a generic-signer EUF-RMA secure one-time USPSDH scheme with one-element signatures must have a verification key with at least two group elements (excluding the default group generators G and H). The result proves that our (strongly existentially CMA unforgeable) construction in Section 6 is optimal in every respect. WLOG, when proving the following theorem, we assume that any public group elements (other than the group generators G and H) that are part of the public parameters (if any) are counted as part of the verification key.
Theorem 11. A generic-signer one-time USPSDH scheme (with one-element signatures) that is unforgeable against a random message attack must have a verification key with at least 2 elements.
Proof. Let us consider the case where the signature σ = S ∈ G whereas the verification key vk = X̃ ∈ H. The proof for the opposite case where the groups are transposed is similar. A USPSDH scheme with a one-element verification key and a one-element signature has a (single) verification equation (not counting the equation needed to check well-formedness of the message) of the form of Equation (12).
Note that a generic signer computes the signature S as S := M^α · G^β for some α, β ∈ Z_p. Our proof strategy is to first eliminate from the verification equation in (12) some terms which cannot be computed by a generic signer, which serves to simplify the proof. Note that without knowledge of the discrete logarithm of the message, it is hard for a generic signer to construct a non-trivial signature S whose discrete logarithm s contains the message m in a term in the denominator. Similarly, it is hard for a generic signer without knowledge of the discrete logarithm of the message to construct a signature that contains a term with degree > 1 in m. Therefore, we can WLOG assume that u = v = 0 in Equation (12). We remark here that all existing structure-preserving signature schemes (in all bilinear group settings) conform to the assumption we are making. Refer to Section 8.5 for more discussion on why such assumptions (which serve to simplify the proof) do not affect the generality of our proof. We now show that any USPSDH scheme with a verification equation of the form of Equation (13) cannot be secure.
Since the verification key (and the public parameters) contain only X̃, G, and H, we have Z_T = ê(G, H)^e ê(G, X̃)^f. Note that the exponents a, b, c, d, e, f ∈ Z_p are all public and hence known to the adversary. By taking the discrete logarithms of the group elements in the verification equation, we can write the verification equation as Note here that if a = b = 0, the equation is independent of the signature S. Similarly, if c = d = 0, the verification equation is independent of the message (M, Ñ). Therefore, neither of those cases should occur, as otherwise it is obvious that such a scheme is not secure. We now have four cases as follows:
• Case bc = ad: In this case, given a signature σ = S on a random message (M, Ñ), pick any α ← Z_p \ {1} and let
• S is a valid signature on the message (M*, Ñ*) := (G^α · M, H^α · Ñ) for any α ∈ Z_p^×.
This concludes the proof.

Lower Bound on the Size of the Verification Key for Optimal USPSDH Schemes
We have seen that an optimal USPSDH scheme must have two elements in the signature. We prove that our schemes in Sections 4 & 5 are also optimal w.r.t. the size of the verification key. More precisely, we prove in the following theorem that there exists no USPSDH scheme with two-element signatures and one verification equation (not counting the cost of checking the well-formedness of the message) that is unforgeable against a one-time random message attack. Again, WLOG, when proving the following theorem, we assume that any public group elements (other than the default group generators G and H) that are part of the public parameters (if any) are counted as part of the verification key.
(M*, Ñ*) := (G^µ, H^µ). This is a valid forgery as long as we can find µ such that bdµ + cd − au ≠ 0. We will deal with the latter case below.
In the second case (which we refer to hereafter as a type II forgery), given a signature σ = (R, S) on a random message (M, Ñ), we obtain a solution of the form (α_m, β_m, α_r, β_r, γ_r, α_s, β_s, γ_s, δ_s) := From the above, it is clear that we can find a forgery on a new message unless cd = au and either b = 0 or d = 0, which we now address.
• Case d = 0 and cd = au: Note here that since d = 0, we must have u ≠ 0, as otherwise we are in the second trivial forgery case. Since cd = au and d = 0, it follows that a = 0. Note here that since a = d = 0, we must have that either f ≠ 0 or v ≠ 0, as otherwise we are in the third trivial forgery case (i.e. the verification equation is independent of the verification key). We have two cases as follows:
  • Case v = 0: We can, for example, obtain a type I forgery by computing for any µ ∈ Z_p.
  • Case f = 0: We can, for example, obtain a type II forgery by computing for any µ ∈ Z_p^× and ν ∈ Z_p.
• Case b = 0 and cd = au: We deal with two subcases as follows:
  * Case cd = au ≠ 0: Since here we have b = 0, it must be the case that either v ≠ 0 or w ≠ 0, as otherwise we are in case 4 of the trivial forgery cases. Note here that we have d ≠ 0 and u ≠ 0. We deal with 2 subcases as follows:
    • Case uv ≠ dw: We can obtain a type I forgery by computing

$$(\alpha_m, \beta_m, \alpha_r, \beta_r, \gamma_r, \alpha_s, \beta_s, \gamma_s, \delta_s) := \left(\frac{de - fu}{dw - uv},\ 0,\ \mu,\ 0,\ 0,\ \frac{euv - cuv\mu + cdw\mu - fuw}{u(uv - dw)},\ 0,\ 0,\ 0\right),$$

    for any µ ∈ Z_p. Also, we can obtain a type II forgery by computing for any µ ∈ Z_p \ {1} and ν ∈ Z_p.
    • Case uv = dw: Note here that v ≠ 0, w ≠ 0, and d ≠ 0. We can obtain a type II forgery by computing for any (µ, ν) ∈ Z_p × Z_p^× \ {(0, 1)} and ξ ∈ Z_p.
  * Case cd = au = 0: If d = u = 0 we are in case 2 of the trivial forgeries. If c = a = 0, we are in case 1 of the trivial forgeries (i.e. the one-element signature case). We are left with two cases as follows:
    * Case c = u = 0: We deal with 2 subcases as follows:
      • Case w ≠ 0: We can obtain a type I forgery by computing

$$(\alpha_m, \beta_m, \alpha_r, \beta_r, \gamma_r, \alpha_s, \beta_s, \gamma_s, \delta_s) := \left(\frac{e}{w},\ 0,\ \mu,\ 0,\ 0,\ \frac{fw - ev - aw\mu}{dw},\ 0,\ 0,\ 0\right),$$

      for any µ ∈ Z_p. Also, we can obtain a type II forgery by computing for any µ ∈ Z_p \ {1}, ν ∈ Z_p.
      • Case w = 0: Note here that d ≠ 0, as otherwise we are in case 2 of the trivial forgeries. We can obtain a type II forgery by computing for any (µ, ν) ∈ Z_p × Z_p^× \ {(0, 1)}, ξ ∈ Z_p.
    * Case d = a = 0: Note here that u ≠ 0, as otherwise we are in case 2 of the trivial forgeries. We have two subcases as follows:
      • Case v = 0: We can obtain a type I forgery by computing
This concludes the proof.

Further Discussion
In some of our lower bound proofs, we relied on eliminating some terms (i.e. pairings) from the verification equation. As mentioned earlier, all existing structure-preserving signature schemes in all 3 bilinear group settings conform to those assumptions. In this section, we provide further justification that such assumptions are inevitable.
As an example, consider a one-time USPSDH scheme with a one-element signature σ = S ∈ G, a one-element verification key X̃ ∈ H and a single verification equation of the form of Equation (17). Note that when verifying a signature in the above example, one also needs to verify that the message (M, Ñ) is well-formed, i.e. (M, Ñ) ∈ GH. The above example can in some sense be viewed as a USPSDH scheme analogous to the weak Boneh-Boyen signature [14]. The example above is a secure one-time USPSDH scheme against a random message attack in the generic group model (as long as the verification key is not given in G). As can be seen, the verification key of such a scheme is a single group element; however, such a scheme does not contradict our lower bound proofs, as there is no way a generic signer can produce the signature σ without knowing the discrete logarithm of the message. We note here that one can also use, for example, a similar argument against the lower bound proofs for the Type-II bilinear group setting in [7]. For instance, Theorem 4 in [7] proved that a Type-II structure-preserving signature scheme for messages in H with one-element signatures cannot have a verification key with a single group element. For the sake of illustration, consider a scheme in the Type-II setting for messages M ∈ H with a signature σ = S ∈ H, a verification key X ∈ G and a single verification equation of the form of Equation (18):

$$\hat{e}(X, S)\,\hat{e}(\Psi(M), S) = \hat{e}(G, H), \qquad (18)$$

where Ψ : H → G is an isomorphism. Such a scheme is a secure one-time structure-preserving signature scheme against a random message attack in the Type-II setting in the generic group model. However, again, this should not be considered a contradiction to Theorem 4 in [7], as it is infeasible for a generic signer to produce such signatures without knowing the discrete logarithm of the message. As a second example, consider a USPSDH scheme with a single group element signature σ = S ∈ G, a verification key X̃, Ỹ, Z̃ ∈ H and a single verification equation of the form of Equation (19). Such a scheme is a secure USPSDH scheme against a random message attack in the generic group model. Nevertheless, this does not contradict our results, as such a signature cannot be produced by a generic signer who does not know the discrete logarithm of the message (M, Ñ). Again, one can give a similar counterexample for the Type-II setting proved in [7]. Consider a structure-preserving signature scheme in the Type-II setting for messages M ∈ H with a single group element signature σ = S, a verification key X, Y, Z ∈ G and a single verification equation of the form of Equation (20). Such a scheme is a secure scheme against a random message attack in the generic group model in the Type-II setting. However, since signatures of this scheme cannot be produced by a generic signer, such a scheme should not be regarded as a contradiction to Theorem 5 in [7].
9 Optimal CMA-Secure Partially Structure-Preserving Signature Scheme for a Vector of Messages
We do not know how to construct a USPSDH scheme with optimal signatures (i.e. two group elements) and a single verification equation that can sign a vector of Diffie-Hellman pairs. However, we give here an optimal signature scheme (with two group element signatures and a single verification equation) that simultaneously signs a Diffie-Hellman pair and a vector from Z_p^k, i.e. the message space of the scheme is GH × Z_p^k. We call such a variant partially structure-preserving since, other than allowing some components of the messages to be signed to not be group elements, the scheme satisfies the rest of the conditions required by the definition of structure-preserving signatures. In particular, the signatures, the verification key and part of the message are all group elements, and verification only requires the evaluation of pairing-product equations.
Given the description of Type-III bilinear groups P output by BGSetup(1^λ), the scheme is as follows:
• KeyGen(P): Select x, y_1, ..., y_k, z ← Z_p^×. Set X̃ := H^x, Ỹ_i := H^{y_i} for all i ∈ [k], Z̃ := H^z. Set sk := (x, y_1, ..., y_k, z) and vk := (X̃, Ỹ_1, ..., Ỹ_k, Z̃).
those used in [11,29], which were used for constructing the first instantiations of DAA which do not rely on random oracles. The obtained weakly blind signature (see Fig. 3) yields signatures of size 2|G| and requires only 1 PPE (2 pairings in total) to verify. That our instantiation is more efficient than those in [11,29] is obvious, as the underlying signature scheme we use is more efficient than those used in [11,29].
In the construction, we use the following languages for the zero-knowledge proofs in the signing protocol for the user and signer, respectively: Note that all equations in the above are of the form for which one gets zero-knowledge Groth-Sahai proofs. For simplicity, the languages above do not spell out the details of the auxiliary simulation-enabling equations.
The proof of the following theorem is provided in Appendix B.
Theorem 14. Assuming the SXDH assumption holds and the structure-preserving signature scheme from Section 5 is existentially unforgeable, the weakly blind signature scheme in Fig. 3 is secure.
Similarly, the signature σ* = S* must have the form For the forgery to be a valid signature, s* must satisfy s* y = x_1 + m*_1 + Σ_{i=2}^{k} m*_i x_i. Therefore, we must have So we must have There is no term in y on the right-hand side, so we must have a_s = 0. Thus, we have By the monomial x_1, we have b_s = 1. For the two sides to be equal, we must have b_s m_1 = m*_1 and b_s m_i x_i = m*_i x_i for all i = 2, ..., k. Since we have b_s = 1, it means we must have m*_1 = m_1 and m_i = m*_i for all i = 2, ..., k. This means the forgery is on the same vector queried to the sign oracle.

B Proof of Theorem 14
Correctness of the construction follows from that of the signature scheme and the perfect completeness of Groth-Sahai proofs. Unforgeability and weak blindness are proven by the following two lemmata, respectively.
Lemma 3. The weakly blind signature scheme in Fig. 3 is unforgeable if the structure-preserving signature scheme in Section 5 is existentially unforgeable, NIZK_1 (used by the user to produce π) is sound and NIZK_2 (used by the signer to produce Ω) is zero-knowledge.
Proof. We instantiate crs_1 used for NIZK_1 as a binding CRS, and hence NIZK_1 is perfectly sound, whereas crs_2 is instantiated as a hiding string, and hence we can simulate the proof Ω. By the security of NIZK_2, an adversary has a negligible advantage in distinguishing between the two settings. Using an adversary A that breaks the unforgeability of the blind signature scheme, we construct an adversary B against the unforgeability of the structure-preserving signature scheme. B gets the verification key vk = (X̃, Ỹ) from its game, which it forwards to A. B has access to a sign oracle in its game. To answer a signature query on a message, B uses the extraction key of NIZK_1 to extract the witness Ñ and forwards (M, Ñ) (which, by the soundness of NIZK_1, is a valid Diffie-Hellman pair) to its sign oracle to get a signature σ = (R, S). B then simulates the proof Ω (since it does not know the exponent r used in the signature and hence cannot produce the element R). B returns σ = (R, S), Ω to A.
Eventually, when A outputs its n + 1 message-signature pairs, B returns the extra pair that it did not query its oracle on as its forgery.
By the existential unforgeability of the signature scheme, we have that this only happens with a negligible probability.
This concludes the proof.
Lemma 4. The weakly blind signature scheme in Fig. 3 is weakly blind if NIZK_1 is zero-knowledge, NIZK_2 is sound and the DDH assumption holds in group G.

3 Unilateral Structure-Preserving Signatures on Diffie-Hellman Pairs
We define Unilateral Structure-Preserving Signatures on Diffie-Hellman Pairs (USPSDH) as structure-preserving signatures with the following extra conditions on top of those required by traditional structure-preserving signatures (cf. Section 2.4): i) Messages are of the form (M, Ñ) ∈ GH ⊂ G × H. ii) Signatures are either of the form σ = (S_1, ..., S_k) ∈ G^k, whereas the verification key is of the form vk = (Ỹ_1, ..., Ỹ_n) ∈ H^n, or signatures are of the form σ = (S̃_1, ..., S̃_k) ∈ H^k, whereas the verification key is of the form vk