Formalizing Group Blind Signatures and Practical Constructions without Random Oracles

. Group blind signatures combine anonymity properties of both group signatures and blind signatures and oﬀer privacy for both the message to be signed and the signer. Their applications include multi-authority e-voting and distributed e-cash systems. The primitive has been introduced with only informal deﬁnitions for its required security properties. We oﬀer two main contributions: ﬁrst, we provide foundations for the primitive where we present formal security deﬁnitions oﬀering various ﬂavors of anonymity relevant to this setting. In the process, we identify and address some subtle issues which were not considered by previous constructions and (informal) security deﬁnitions. Our second main contribution is a generic construction that yields practical schemes with round-optimal signing and constant-size signatures. Our constructions permit dynamic and concurrent enrollment of new members, satisfy strong security requirements, and do not rely on random oracles. In addition, we introduce some new building blocks which may be of independent interest.


Introduction
Background.Traditional group signatures, introduced by Chaum and van Heyst [19], allow a member of a group to sign a message anonymously on behalf of the group while ensuring that a recipient of the signature cannot identify the group member who signed the message.However, there exists an entity called the Opener who possesses a special key that allows him to revoke anonymity and reveal the identity of the signer in the case of a dispute.A Blind Signature (BS), introduced by Chaum [18], allows a user to obtain a signature on a hidden message without the signer learning the message in question.The security of a blind signature scheme [34,44] requires that the user is unable to fake new signatures for new messages (unforgeability) and that the signer does not learn the message he is signing nor be able to link a signature to the protocol run where it was obtained (blindness).A Group Blind Signature (GBS), introduced by Lysyanskaya and Zulfikar [37], combines the properties of both a group signature scheme and a blind signature scheme and therefore it maintains the anonymity of the signer as well as the message to be signed.
Group blind signatures are useful for many applications such as distributed e-cash systems where, for instance, it is required that a digital coin neither reveals the identity of its holder nor that of the issuing bank/branch.Another example is in a multi-authority e-voting system where it is required that the vote is certified by a governing authority without revealing either the actual value of the vote or the identity of the certifying authority/branch.Motivation.Currently there is no formally defined security model for the primitive and hence it is important to provide formal security definitions that include the details of all the security experiments needed to capture the required security properties.Providing such a model would allow for proving the security of constructions formally and more rigorously.Some of the previous constructions assumed that the exact security definitions of group signatures directly translate into this setting.However, such an assumption is erroneous due to the signing protocol in this case being blind which is different from the group signature case where the message is public.For instance, one needs to ensure the existence of some mechanism to prevent the adversary from breaking anonymity by outputting a message-signature pair different from the one it got from interacting with the challenge oracle as we discuss later in the definition of the anonymity property.Also, the blindness definition should capture the case that different group members might collude to break blindness which is again different from the blind signature case where there is only one signer and signatures cannot be traced.
In addition, existing constructions [37,41] require random oracles [8] and involve many rounds of interaction in the signing phase (some relying on interactive divertible proofs of knowledge [10]) and hence requiring that the signing authority remains online throughout the signing process.The schemes we propose have a round-optimal signing phase and their security does not require any idealized assumptions.Therefore, they are more suitable for practical applications.
Related Work.The concept of group blind signatures was first introduced by Lysyanskaya and Zulfikar [37], where it was mainly used to design a distributed e-cash system in which digital coins could be issued by different banks.While there exist a number of group signature schemes, e.g.[16,7,13,4,14,31], only a few group blind signature schemes exist in the literature [37,41].
The subtlety one faces when designing group blind signatures lies in the dual privacy requirement.On the one hand, the signer needs to hide his identity and parts of the signature that could identify him (i.e.anonymity of the signer requirement).On the other hand, the user wants to hide the message and parts of the signature which could lead to a linkage between a signature and its sign request (i.e. the blindness requirement).The schemes in [37] are based on variants of the Camenisch-Stadler group signature [16] and their security requires random oracles.Other schemes, e.g.[41], use divertible zero-knowledge proofs [10,42] to realize those conflicting anonymity requirements.A divertible proof allows a mediator to use a proof it got from a party to prove a statement to a third party.Constructions that rely on such proofs require many rounds of interaction in the signing protocol and/or the Fiat-Shamir transformation [21] to eliminate the interaction and hence lying in the random oracle model.
Our Contribution.Our first contribution is the formalization of the security requirements for the primitive.In the process, we identify and address some subtle issues which arise when defining the different security notions.
Our second contribution is a generic construction which yields practical schemes in the standard model.We provide two example instantiations of the construction, the first of which is solely based on non-interactive complexity assumptions that are falsifiable [39].The second instantiation is more efficient but makes use of an interactive assumption.All our constructions are round-optimal, yield constant-size signatures, and allow for members of the group to join dynamically and concurrently.Moreover, their security is proven in the standard model.We start by showing how to construct CPA-anonymous schemes and then outline how they can be extended to provide full anonymity.We also provide a proof of security for our constructions.
Paper Organization.The rest of the paper is organized as follows: In Section 2, we give some preliminary definitions.In Section 3, we define dynamic group blind signatures.We present the security model for dynamic group blind signatures in Section 4. We present the building blocks we use in Section 5.In Section 6, we present our constructions and provide a proof of their security.In Section 7, we outline how we can achieve full anonymity as well as other instantiations.Finally, we conclude the paper in Section 8.

Bilinear Groups
Bilinear groups are a set of three groups G 1 , G 2 and G T , of prime order p, along with a bilinear map (a deterministic function) ê.We will use multiplicative notation for all the groups although usually G 1 and G 2 are chosen to be additive groups.We let G × := G \ {1 G } and write G 1 := G 1 , G 2 := G 2 , for two explicitly given generators G 1 and G 2 .
We define P := (p, G 1 , G 2 , G T , ê, G 1 , G 2 ) to be the set of pairing group parameters.The function ê must be bilinear where xy .We also require that the value ê(G 1 , G 2 ) generates G T and that the function ê is efficiently computable.Following [25], we categorize pairings into three distinct types (other types are possible, but the following three are the main ones utilized in practical protocols).
-Type-1: This is the symmetric pairing setting in which -Type-3: Again G 1 = G 2 , but now there is no known efficiently computable isomorphism.
In the remainder of the paper, we will assume that all three groups are cyclic and that there is an algorithm BGrpSetup which takes as input a security parameter λ and produces a description of bilinear groups P.

Complexity Assumptions
Definition 1. Symmetric External Diffie-Hellman (SXDH) Assumption: In Type-3 pairings, the Decisional Diffie-Hellman (DDH) problem is believed to be hard in both groups G 1 and G 2 .
To present the next assumption, we define the subgroup Ĝ of G 1 × G 2 as the image of the map γ : Note that if we are given an element (A, B) ∈ G 1 × G 2 we can efficiently test whether (A, B) ∈ Ĝ by testing whether ê(A, G 2 ) = ê(G 1 , B).The following new assumption is a variant of the standard LRSW assumption [36].It is similar to a number of blind-variants of the LRSW assumption, in that the adversary has an oracle for group elements and outputs "signatures" on group elements as opposed to elements in Z p [20].In addition, we assume that the elements being "signed" are in Ĝ, as opposed to either G 1 or G 2 .Apart from this latter change, the assumption is similar to prior blind-LRSW assumptions [29,20].
Definition 2 (Dual Hidden-LRSW (DH-LRSW) Assumption).Consider the following experiment.A challenger picks x, y ∈ Z p and then computes X := G x 2 , Y := G y 2 .The tuple (X, Y ) is given to an adversary A which has access to an oracle O X,Y (•).The oracle on input ) where a ← Z * p .
We let Q denote the set of queries (M 1 , M 2 ) passed to the oracle O X,Y (•).The adversary eventually terminates by outputing a tuple (M * 1 , M * 2 , A * , B * , C * , D * ).We say the output of BGrpSetup satisfies the DH-LRSW assumption if all PPT adversaries A have a negligible advantage Adv DH-LRSW A (λ) in the above game, where the advantage is defined as follows: Note that the output from the oracle can be checked to be valid by checking whether Also, note that only the M 1 component of the pair of values (M 1 , M 2 ) used as input to the oracle are actually used.However, the fact that the oracle returns ⊥ if (M 1 , M 2 ) ∈ Ĝ is crucial to our security proof in the generic group model, since it implies that the adversary learns nothing if he cannot produce the pair in Ĝ; which intuitively implies that he "knows" the preimage of the pair under the map γ.Likewise the output from the adversary must be a pair (M * 1 , M * 2 ) ∈ Ĝ for a similar reason.To justify the hardness of this assumption, we prove it holds in the generic group model [50,38] in Appendix C.

Definition 3 (AWFCDH Assumption).
This assumption was introduced in [23].We describe this assumption in asymmetric bilinear groups.Given for an arbitrary b ∈ Z p .
The next assumption was introduced in [23] and is a variant of the q-SDH assumption [12].
for x ← Z p , and q − 1 tuples

Defining Dynamic Group Blind Signatures
The parties involved in a group blind signature are: an authority called the Issuer who controls who can join the group, an authority called the Opener who can revoke the anonymity of the signer by opening signatures and revealing who signed them.A number of signers Signer i each of which has a unique identity and can sign on behalf of the group once they have joined the group.External users User i which can ask for messages to be blindly signed by members of the group.In our definition, we do not require that users (i.e.entities who request signatures) are traceable (unless the identifying information is embedded in the messages themselves) and thus we do not assign keys to them.However, the model can be extended to provide this functionality.A group blind signature scheme GBS is a tuple of polynomial-time algorithms GBS := (GKg, SKg, Join, Issue , Obtain, Sign , GVf, Open, Judge), which are defined as follows: -GKg: Is run by some trusted third party (TTP) which takes as input a security parameter λ ∈ N and generates the group public key gpk, the Issuer's key ik and the Opener's key ok.The secret keys ik and ok are then securely transmitted to the respective authorities.-SKg: Is run by a potential group member Signer i , to generate his pair of personal secret/public keys (ssk[i], spk[i]) prior to requesting to join the group.We assume that the public key table spk is publicly accessible (possibly via some PKI).-Join(gpk, i, ssk[i]), Issue(ik, i, spk[i]) : Is an interactive protocol between a signer Signer i and the Issuer.
After a successful completion of this protocol, Signer i becomes a member of the group.If successful, the final state of the Issue algorithm is stored in the registration table at index i (i.e.reg[i]) while that of the Join algorithm is stored in gsk[i].We assume that the communication in this interactive protocol takes place over a secure (i.e.private and authentic) channel.We also assume that the protocol is initiated by a call to Join.
-Obtain(gpk, m), Sign(gsk[i]) : Is an interactive protocol between a user User and an anonymous member of the group.If the protocol completes successfully, User obtains a blind signature Σ on the message m without members of the group learning what the message was or the user learning which group member produced the signature.If any of the parties abort, User outputs ⊥.This protocol is initiated by a call to Obtain.-GVf(gpk, m, Σ): Is a deterministic algorithm which takes as input the group public key gpk, a message m and a group blind signature Σ and outputs 1 if Σ is a valid signature on the message m, or 0 otherwise.-Open(gpk, ok, reg, m, Σ): Is a deterministic algorithm in which the Opener uses his key ok to identify the identity i of the signer form the group blind signature Σ and produces a proof τ attesting to this claim.-Judge(gpk, i, spk[i], m, Σ, τ ): This is a deterministic algorithm which takes as input an index i and returns 1 if the group blind signature Σ was produced by the group member Signer i or 0 otherwise.

Security of Dynamic Group Blind Signatures
In defining the security model, we build on the security models used for group signatures [7,9].We assume that the group manager is divided into two separate entities: the Issuer and the Opener.The security properties we require from a dynamic group blind signature GBS are: correctness, anonymity, traceability, non-frameability, and blindness.The security of group blind signatures is formulated via a set of experiments in which the adversary has access to a set of oracles.In those experiments, a set of global lists are maintained.The lists are: HSL is a set of honest signers; CSL is a set of corrupt signers whose keys have been chosen by the adversary and whose states have been learned by the adversary; BSL is a set of bad signers whose secret keys have been revealed to the adversary; CLA is a set containing the identities of the challenge signers used when calling the challenge oracle in the anonymity game; CLB is a list containing pairs of challenge message-signature in the blindness game; a table reg where the element i in this table contains the registration information of the group member Signer i ; a table spk where spk[i] contains the personal public key of the group member Signer i .The lists HSL, CSL, BSL, CLA and CLB are empty at initialization, whereas the entries of the tables reg and spk are initialized to .The set of oracles the adversary has access to in the experiments are defined as follows, the details are shown in Figure 1.
- -OSign(i): This is an interactive oracle (i.e. the adversary must engage in an interaction with this oracle).
After a successful interaction with this oracle, the adversary obtains a blind signature by group member Signer i on a message of its choice.-CH b (i 0 , i 1 ): This oracle is a left-right oracle for defining anonymity and is only called once.The adversary sends a couple of identities (i 0 , i 1 ) and interacts with this oracle in order to produce a blind signature on a message m by the group member Signer i b for b ← {0, 1}.-Open(m, Σ): This oracle allows the adversary to ask for signatures to be opened by revealing the identity of the group member who signed them.
We define the security properties as follows, where we use a set of experiments as shown in Figure 2 in which the adversary has access to the previously defined oracles.

Correctness
A dynamic group blind signature scheme GBS is correct if: all correctly produced signatures are accepted by the GVf algorithm, the Opener is always able to identify the honest group member who produced a signature and the Judge algorithm always accepts the decision made by the Opener.
More formally, a group blind signature scheme GBS is correct if for all λ ∈ N, all PPT adversaries A have a negligible advantage Adv Corr GBS,A (λ) where the advantage is defined as follows:

Anonymity
A dynamic group blind signature scheme GBS is anonymous if the adversary is unable to tell which group member produced a signature.We require that given two signers of its choice, the adversary cannot tell which of the two signers produced a signature.We provide the adversary with strong capabilities, for instance, it can fully corrupt the Issuer and can ask for signers' personal secret keys/group signing keys to be revealed including the two signers it chooses for the challenge which ensures security against full key exposure.The only restriction we impose on the adversary is that it may not query the Open oracle on the signature it is being challenged on.
As is the case with the definition of anonymity for group signatures, we distinguish between CPAanonymity and Full Anonymity (FA).In CPA-anonymity [13] (which is analogous to IND-CPA security for public-key encryption schemes [28]), the adversary is not given access to an Open oracle that revokes the anonymity of signatures by returning the identity of the group member who produced them.
On the contrary, in full anonymity [9] (which is analogous to IND-CCA2 security for public-key encryption schemes [45]), the adversary can ask Open queries on any signature except the one it is being challenged on at any stage of the game.One can also consider a weaker non-adaptive variant of full anonymity which we refer to as Weaker Full Anonymity (WFA) (which is analogous to IND-CCA1 security for public-key encryption schemes [40]) in which the adversary can only ask Open queries before it calls the challenge oracle.
The issue with defining full anonymity for group blind signatures is that the signing protocol is a blind one and unlike in group signatures, the challenge message-signature pair is only revealed by the adversary (playing the role of the user) at the end of the signing interaction with the CH b oracle.Therefore, it is problematic to identify the signature the adversary obtained from interacting with the CH b oracle.An adversary can trivially break anonymity by revealing a bogus message-signature pair different from the one it got from interacting with the CH b oracle and then at a later stage asks the Open oracle to open the original challenge signature.Note that the adversary's knowledge of the secret keys of the challenge group members used in calling the challenge oracle makes the adversary capable of signing on behalf of those members.
The First Attempt.To catch the adversary if it returns a bogus challenge signature, one could use the Opener's key known the challenger running the game.Assume that the adversary runs in 3 respective modes (find, obtain, and guess).In the obtain phase, the adversary interacts with the challenge oracle but access to the the Open oracle is disabled.At the end of the obtain phase, the adversary must either output the challenge signature or opts not to.In the former case, the challenger opens the signature and verifies that the signer indeed matches the one used by the CH b oracle.If the signer does not match the one used by the CH b oracle, the game aborts.In the guess phase, the adversary is re-granted access to the Open oracle providing that it is not queried on the challenge signature.If the adversary opts not to output the challenge signature, access to the Open oracle remains disabled in the guess phase.
Although the above definition seems reasonable for strongly unforgeable signing protocols, unfortunately, it might be problematic to use in practice.That is because the requirement that the returned signature is compared against the signer used by the CH b oracle might be hard to fulfill in practice as usually in the security proof one would be reducing an attack against anonymity to an attack against a property of another primitive which might not permit such an operation.
The Definition.In the definition we propose (shown in Figure 2), if the adversary queries the Open oracle on a signature that opens to a signer in the challenge list, the oracle returns a special symbol instead of returning the identity of the signer.This restriction, which is similar to that used for IND-RCCA security [17] for encryption schemes, ensures that the Open oracle does not open a challenge signature.In the game, -If all of the following conditions are satisfied Then Return 1 Else Return 0: • GVf(gpk, m j , Σ j ) = 1 for all j ∈ [1, l + 1].
• A interacted with OSign(id) no more than l times.
• ∀i, j where 1 - -Let Σ b and Σ 1−b be the outputs of the honest Obtain algorithm after interactions on m b and m 1−b , respectively.The definition is appropriate even for the case where the final signature is weakly unforgeable, i.e. given a signature on a message, anyone can generate a new signature on the same message without knowledge of the signing key.WLOG in order to simplify the resulting security proofs, we only allow the adversary a single invocation of the challenge oracle.We show in Appendix A that this is sufficient by showing a reduction from an adversary that invokes the challenge oracle polynomially many times to one which is allowed a single invocation.
Our definition of anonymity also captures unlinkability of signatures.If an adversary can link signatures by the same signer, it can break our notion of anonmity.Note that the adversary in our definition is allowed to learn the secret keys of any group member including the challenge signers it uses in calling the CH b oracle.Thus, it can produce signatures on behalf of any group member.Therefore, unlike [37], we do not define unlinkability as a separate requirement.
Formally, a dynamic group blind signature scheme GBS is anonymous if for all λ ∈ N, all PPT adversaries A have a negligible advantage Adv Anon GBS,A (λ) where the advantage is defined as follows:

Traceability
A dynamic group blind signature scheme GBS is traceable if it is always the case that the Opener is able to identify the signer when given a message/signature pair.Also, the honest Opener is able to produce a proof for his claim that will be accepted by the Judge algorithm.Note that in the traceability experiment, we require that the Issuer is honest because a dishonest Issuer will always be able to create dummy signers whose signatures cannot be traced and for that reason the adversary in the traceability game is not given the Issuer's key.In addition, we require that the Opener is partially but not fully corrupt because a fully corrupt Opener can simply refuse to open signatures.Formally, a dynamic group blind signature scheme GBS is traceable if for all λ ∈ N, all PPT adversaries A have a negligible advantage Adv T race GBS,A (λ) where the advantage is defined as follows:

Non-Frameability
A dynamic group blind signature scheme GBS is non-frameable if it is impossible to prove that a particular group member produced a signature unless this group member himself has indeed produced the signature.
To capture this, we use a similar definition to that used for the unforgeability of blind signatures [34,44].
The adversary wins if it outputs l + 1 signatures on l + 1 distinct messages all signed by the same honest group member but the adversary only asked for l signatures by that group member.This requirement should hold even if both the Opener and the Issuer are fully corrupt and that is the reason why we give A access to both ik and ok keys.Formally, a dynamic group blind signature scheme GBS is non-frameable if for all λ ∈ N, all PPT adversaries A have a negligible advantage Adv N on−F rame GBS,A (λ) where the advantage is defined as follows:

Blindness
A dynamic group blind signature scheme GBS is blind if the adversary is unable to tell which message it is signing.Also, the adversary cannot link a signature to the protocol run via which it was obtained.In blind signatures [34], blindness is defined via a game in which the adversary freely chooses two messages (and possibly the signing/verification keys, e.g.[1]), and then after interacting with an honest Obtain oracle that requests signatures on those two messages in an arbitrary order (unknown to the adversary), the adversary wins if it correctly guesses the order in which the two messages were signed.
In the context of group blind signatures, things are a bit different as the group contains more than one signer.To capture the case that group members (including the Issuer) might collude to break blindness, the adversary is allowed to use different (possibly corrupt) keys in producing the challenge signatures.This definition would then also imply the anonymity requirement, i.e. if a malicious signer from the group can recognize a signature he has produced then he can trivially break blindness.Also, unlike [52] which necessitates that the group must be static, we only require that both challenge signatures verify w.r.t. the same group public key.Otherwise, the adversary can trivially break blindness.
In the definition (shown in Figure 2), we equip the adversary with strong capabilities such as corrupting the Issuer as well as corrupting and/or learning the personal secret key/group signing key of any group member.However, the adversary is denied access to the Opener's key.Again, as was the case with the anonymity definition, one can consider different variants where the adversary can ask open queries at the different stages with the exception that it is not allowed to ask open queries on either of the two challenge signatures.Otherwise, blindness can be trivially broken.In CPA-Blindness, the adversary is not granted access to the Open oracle.On the other hand, in Full Blindness (FB), the adversary is granted access to the Open oracle both before and after the challenge phase.When defining full blindness, if security is w.r.t.weak unforgeability then the Open oracle returns a special symbol if the signature is on either challenge message.On the other hand, when security is w.r.t.strong unforgeability, the restriction imposed on the the Open oracle is that it may not open the signature if the message-signature pair matches either of the challenge message-signature pairs.
We require that if either of the challenge interactions does not finish successfully (i.e. if either Σ 0 =⊥ or Σ 1 =⊥), then the adversary is not informed about the other signature.
Formally, a dynamic group blind signature scheme GBS is blind if for all λ ∈ N, all PPT adversaries A have a negligible advantage Adv Blind GBS,A (λ) where the advantage is defined as follows: Finally, we note that in [35] the authors used a different approach for capturing blindness in the context of blind ring signatures (i.e. group blind signatures which have neither an opener nor an issuer).In their definition, the adversary is required to only participate in one interaction to produce one challenge signature on either of the two messages it has chosen (without the adversary knowing which message being signed).The adversary then is asked to guess the message being signed relying only on the information it gathered from the interaction, i.e. without knowledge of the resulting challenge signature.While it is clear that such a game captures the requirement that a signer cannot learn the message it is signing, it is unclear how this definition captures the requirement that a signer should also not be able to link signatures to the protocol runs where they were obtained.

Tools Used
In this section, we present the building blocks we use in our constructions.

A New Structure-Preserving Signature Scheme
We introduce a new variant of the CL signature scheme [15] which we refer to as (NCL).It signs group elements and it is structure-preserving [3].The unforgeability of the new scheme is proven under the DH-LRSW assumption.The scheme is given by the following triple of algorithms.Given the description of bilinear groups P output by BGrpSetup(1 λ ). -NCLKeyGen(P): - Theorem 1. Assuming the DH-LRSW assumption holds, the NCL signature scheme is existentially unforgeable against adaptive chosen-message attacks.
Proof.It is straightforward to see that the unforgeability of the signature scheme reduces to breaking the DH-LRSW assumption.

Groth-Sahai(GS) Proofs
In [32,33] Groth and Sahai presented a way to construct non-interactive witness-indistinguishable and zeroknowledge proofs in the CRS model.Groth-Sahai proofs can be instantiated under different security assumptions but since as noted by [27] the most efficient Groth-Sahai proofs are those instantiated under the SXDH assumption, we will be focusing on this instantiation.The equations one can prove with the GS proof system are as follows where in the description . ., x m , y 1 , . . ., y n ∈ Z p are the secret variables (hence underlined) and -Pairing Product Equation (PPE): -Multi-Scalar Multiplication Equation in G 1 (MSME1): -Multi-Scalar Multiplication Equation in G 2 (MSME2): -Quadratic Equation (QE) in Z p : The proof system can be instantiated in two settings: the binding setting which yields perfectly sound proofs and the hiding setting which yields perfectly witness indistinguishable/perfectly zero-knowledge proofs.The proof system consists of the algorithms GS := (GSSetup, GSProve, GSVerify, GSExtract, GSSimSetup, GSSimProve).
GSSetup takes as input the description of bilinear groups P and outputs a binding reference string crs and a trapdoor information xk which allows for witness extraction.GSProve takes as input a set of equations, the string crs and a witness and produces a proof Ψ for the satisfiability of the equations.For clarity, we will underline the elements of the witness to distinguish them from public constants.GSVerify takes as input a set of equations, a CRS, a proof Ψ and outputs 1 if the proof is valid or 0 otherwise.In the rest of the paper we will omit the set of equations from the input to the GSVerify algorithm.GSExtract takes as input a binding reference string crs, a valid proof Ψ and the extraction key xk and outputs the witness used in the proof.GSSimSetup takes as input the description of bilinear groups P and outputs a simulated string, crs sim , and a trapdoor key tr that allows to simulate proofs.GSSimProve takes as input a simulated CRS, crs sim , and the simulation key tr and produces a simulated proof Ψ sim .The security of the proof system requires that strings crs and crs sim are indistinguishable and that simulated proofs are indistinguishable from proofs generated by an honest prover.
The proof system has the following properties: -Prefect Completeness: On a correctly generated CRS, crs, and a valid proof Ψ , the algorithm GSVerify always accepts the proof.-Perfect Soundness: On a correctly generated CRS, crs, it is impossible to generate a proof unless the equations are satisfiable (i.e.unless the prover knows a witness).-Composable Witness-Indistinguishability: The CRS crs output by GSSetup is computationally indistinguishable from the CRS crs sim output by GSSimSetup.We also have for any PPT adversary A that is given crs sim and is allowed to choose any statement y and two distinct witnesses w 0 and w 1 for the statement y that - where (w, y) output by A satisfy (w, y) ∈ R.
Randomizable GS Proofs.As noted by [5], GS proofs can be re-randomized by re-randomizing the underlying GS commitments and updating the proofs accordingly so that we obtain fresh proofs that are unlinkable to the original ones.The re-randomization is done without knowledge of neither the witness concealed in the commitments or the associated randomness.We define an algorithm GSRandomize which takes as input a CRS crs and a proof Ψ and outputs a proof Ψ which is a randomized version of the proof Ψ .
-Re-randomizability of GS proofs [5]: We have for all PPT adversaries (A 1 , A 2 ), the following probability is negligbly close to 1/2 Pr   (crs, xk) ← GSSetup(P); (w, y, Ψ, state find ) ← A 1 (crs); As shown in [5], GS proofs have composable randomizability, where randomizability holds even if we switch to the hiding setting and give the adversary the simulation trapdoor key tr.
In Appendix B, we show how the GS proof system is instantiated in the SXDH setting.

Blind Signatures
Blind signatures as introduced by Chaum [18] allow a user to obtain signatures on messages hidden from the signer.The signing protocol in these schemes is interactive Obtain(pk, m), Sign(sk) between a user who knows a message m and a signer who possesses a secret signing key sk.If the protocol is completed successfully, the user obtains a signature σ on the message m.
The standard security model for blind signatures [34,44] consists of two properties: blindness and unforgeability.Intuitively, blindness says that an adversarial signer cannot learn the message being signed and he is unable to match a signature to the protocol run where it was obtained.On the other hand, unforgeability deals with an adversarial user whose goal is to obtain l + 1 distinct message/signature pairs given only l interactions with the honest signer.
In [23,2], the authors presented a blind signature scheme whose unforgeability reduces to the AWFCDH and q-ADHSDH assumptions.The scheme uses GS proofs and is akin to the idea used in Fischlin's generic construction [22].The signer signs a commitment to the message.However, unlike the generic construction, the user transforms the signature on the commitment to the message into a signature on the message itself instead of proving that he knows a signature on a commitment to the message as in Fischlin's construction.In addition, the user proves knowledge of the message and the randomness used in the commitment when requesting a signature.The message space of the scheme is Exploiting some properties of this blind signature scheme, we will show later how this scheme can be used to hide the identity of the signer while signing hidden messages.The blind signature scheme is given in Figure 3.
Choose c, r ← Z p and compute

Our Constructions
In this section we present our constructions.We start by listing the techniques we use and then give a general overview of our generic construction before presenting two example instantiations of the construction.

Techniques Used
We identify and make use of a number of observations and desired properties the building blocks we use have, which allows us to construct a practical dynamic group blind signature scheme that has a round-optimal signing protocol and yet does not rely on random oracles.We summarize the observations as follows: -We exploit the fact that GS proofs are re-randomizable [5] and given a proof Ψ , we can compute a new fresh proof Ψ ← GSRandomize(crs, Ψ ) even without knowing the witnesses used in Ψ .The new proof Ψ is unlinkable to the original proof Ψ .-Groth-Sahai proofs are independent of any public terms (i.e.public monomials) in the equations being proved. 2 Thus, given a witness-indistinguishable GS proof, Ψ , (i.e. one for an equation with a nontrivial public right-hand side τ ), we can later (even without knowing the original witnesses in the proof) transform Ψ into a related witness-indistinguishable/zero-knowledge proof Ψ by splitting the public right-hand side τ into a set of witnesses and adding them to the list of witness in the original proof.
One can construct GS NIZK proofs for pairing product equations (Equation 1) if either t T is trivial (i.e. t T = 1) or if one can factor t T by finding It is the latter case that applies to our construction as the user knows how to open the commitment to the message and therefore can factor t T .This will become clearer when we present our construction.-Another observation which is of independent interest and is analogous to [24] (Lemma 4 for PPE equations), we prove the following lemma for multi-scalar multiplication equations in Appendix D.2.
Lemma 1.Let ((C z , C A ), Ψ ) be a GS proof for the equation The same argument holds for quadratic equations over Z p where exponentiation of the public right-hand side is replaced by multiplication.-The blind signatures we use are a set of GS proofs of knowledge of values satisfying pairing product equations which allow us to take advantage of the above properties of GS proofs.

Overview of the Constructions
The General Idea.In Fischlin's generic construction for blind signatures [22], the user sends a commitment to the message to the signer, who in turn returns a signature on the commitment.The user then computes the blind signature by providing a NIZK proof of knowledge of the signature and the commitment s.t. the signature is valid on the commitment and the commitment is to the message in question.Now assume in the above framework we want to hide the signer's identity from the user.So instead of sending the signature on the user's commitment (to the message) in the clear, the signer sends a proof of knowledge of such a signature and his verification key to the user.If the proofs used are re-randomizable and transformable in the sense of Observation 1 from Section 6.1, where in the equations used in the signer's proofs, the terms involving the commitment are public, then the user can re-randomize the proofs and transform them to hide the commitment to the message and compute the final blind signature.Unforgeability follows from that of Fischlin's framework, blindness also follows from that of the framework plus the rerandomizability of the proofs, and the anonymity of the signer is ensured by the hiding properties of the proofs.Thus, we obtain blind signatures while the signer remain anonymous.
What remains is to extend the signer-anonymous blind signature to the group setting by requiring a compatible signature scheme to certify signer's keys when they join the group, and also providing an anonymity revocation mechanism for the Opener.The Construction.We base our signing protocol on the blind signature scheme from [2] (cf. Figure 3), which uses Groth-Sahai proofs and has the required properties needed for our construction.However, the same methodology can similarly be applied to other Groth-Sahai based instantiations of Fischlin's construction satisfying the properties required for our paradigm, e.g. the instantiation by Abe et al. in [3].
In order to issue membership certificates (i.e.credentials) for new group members, we can use any signature scheme that can sign group elements.We will use the prefix CERT for the signature scheme used by the Issuer in generating the membership certificates.
The Issuer gets the secret signing key sk CERT for the CERT signature scheme.Each potential group member Signer i would have created his pair of personal secret/public keys (ssk[i], spk[i]) prior to joining the group.When requesting to join the group, Signer i generates a pair of secret signing/public verification keys (sk i , pk i ) for the blind signature scheme.To stop a corrupt Issuer from framing group members, we ask that the group member signs his verification key pk i with his personal secret key ssk[i], the resulting signature sig i will be used as a proof when verifying the Opener's claim.We will use the CERT scheme for this purpose as well.Thus, WLOG we assume that the key pair (ssk[i], spk[i]) is a valid pair for the CERT scheme.
The Issuer first verifies the signature sig i and if it is valid, he issues a signature on pk i using the CERT signature scheme and his secret issuing key ik.Upon successful completion of the Join, Issue protocol, Signer i 's secret group signing key gsk[i] is (sk i , pk i , cert i ), where cert i is the Issuer's signature on pk i .The registration information for Signer i is set to reg[i] := (pk i , sig i ).
The group public key gpk contains the public key of the CERT signature scheme, the public values used in the blind signature scheme and two GS reference strings crs 1 and crs 2 , which are used in constructing GS proofs used in the first and second rounds of the signing protocol, respectively.Note that although we could use the same GS reference string for both rounds, we use separate strings because we believe this provides extra functionality such as preventing the opener from revoking the anonymity of the message in the signing phase or to allow for having a different opener for revoking anonymity of the message if needed.To open signatures, the Opener is given the extraction key for the GS proof system.
The signing protocol Obtain, Sign between an external user who knows a secret message (M 1 , M 2 ) ∈ G 1 × G 2 and an anonymous group member Signer i who possesses a secret group signing key gsk[i] consists of two rounds.In the first round, the user commits to the message using Pedersen commitment Co := T q • M 1 for some random q ← Z p and computes Q i := G q i for i=1,2.He then sends the commitment Co along with GS proofs of knowledge Ψ to prove that: the commitment Co is indeed to the message M 1 and that the message and the randomness pairs are well-formed.
In the second round of the protocol, Signer i verifies the GS proofs and if they are valid, produces a signature using the blind signature scheme defined in Figure 3.The signature σ on the commitment Co contains the components (H, C 1 , C 2 , R 1 , R 2 ).Now since we require that the signer remains anonymous, we hide the parts of the signature which identify the signer.Thus, the signer commits to his membership certificate cert i , his public verification key pk i and the components (H, C 1 , C 2 ) of the signature σ.Note that the components R 1 and R 2 of σ do not identify the signer and hence at this phase we can send them in the clear to the user.The signer's response consists of GS proofs Ω to prove that: the signer has a valid certificate he got from the Issuer on his public verification key pk i , his public verification key pk i is well-formed, and the signature was produced by the owner of public key pk i , and the components R 1 , R 2 of σ.
The user first verifies the GS proofs Ω.If they are valid, the user first re-randomizes those proofs using the algorithm GSRandomize.The new proofs are unlinkable to the original ones.Note here that the last equation proven in , where Co and R 2 are public at this stage and hence not part of the witness.
The user then updates the components R 1 and R 2 to include the randomness used in the commitment (by computing R and then decomposes the commitment and transforms the proof for the last equation in Ω into a proof based on the message M 1 instead of the commitment Co by adding the value R 2 to the witness.The transformation is done without knowledge of H, C 2 or S 2 .The proof is now for the equation ê(H, , where H, S 2 , C 2 and R 2 are parts of the witness.In addition, the user adds to Ω a new GS proof to prove that R 1 and R 2 hide the same exponent.The final signature Σ is a set of GS proofs of knowledge Ω to prove that: the group member has a valid credential from the Issuer, his public key is well-formed and the blind signature verifies w.r.t.his key.
To open a signature, the Opener uses his secret extraction key to extract the verification key pk, the signature σ and the membership certificate cert from the proofs.Besides those, the Opener returns the index i of the group member and the signature sig in support of his claim.The Judge algorithm can verify the correctness of the Opener's decision by verifying those components and checking that the group member has indeed signed the key pk with his secret key ssk[i].The construction is illustrated in Figure 4. Next we present two example instantiations of the construction.The first instantiation is less efficient but its security relies solely on non-interactive assumptions which are falsifiable [39].The second instantiation is more efficient as it makes use of the new efficient structure-preserving signature scheme that we construct but at the expense of basing traceability on an interactive complexity assumption.Both constructions achieve CPA-anonymity and we outline in Section 7 how to extend them to achieve full anonymity.

Instantiation I
In this construction we will use the asymmetric automorphic signature scheme (AFPV) (underlying the blind signature scheme in Figure 3) from [23], which has the extra beneficial property of being able to sign its own public keys, to instantiate the CERT scheme.Although this will result in a less efficient construction than Instantiation II in Section 6.4, we get the bonus of basing the security of the construction on non-interactive complexity assumptions which are falsifiable [39].

Instantiation II
To get better efficiency, we instantiate the CERT scheme using the new NCL scheme (Section 5.1).Since in our construction, the final group blind signature hides the components of the certificate and hence one cannot directly verify that the certificate is non-trivial (i.e. that A = 1 G1 ), we require that the signer additionaly proves this statement.Otherwise, the adversary can create untraceable signatures by faking trivial certificates.We suggest two re-randomizable proofs in Appendix D to achieve this.Despite the need for this extra proof, this construction is still more efficient than construction I.

Efficiency Analysis
Assuming that GS proofs are instantiated in the SXDH setting, we get the following efficiency: Instantiation I.The final signature consists of seven GS proofs Ω = (Ω i ) 7 i=1 : proofs (Ω 1 , Ω 2 , Ω 3 ) to prove that the member has a valid membership certificate, proof Ω 4 to prove that his key is well-formed and proofs (Ω 5 , Ω 6 , Ω 7 ) to prove that the blind signature verifies w.r.t.his public key.All of those proofs are quadratic PPE proofs and hence each of size 2 Thus, the total size of the proofs is 28 The total number of GS commitments used in those proofs are 7 commitments in group G 2  1 and 5 commitments in group G 2 2 and therefore the total size of the signature is 42 . Two of those proofs (i.e.proofs Ω 1 and Ω 3 ) are for linear equations where all elements of the witness lie in the same group.Thus, we have 2 for i = 1, 3 and hence the total size of the proofs is 22 The total number of GS commitments used in those proofs are 8 commitments in group G 2  1 and 4 commitments in group G 2 2 and therefore the total size of the signature is 38

Security Analysis
Here we prove the security of our constructions.
Theorem 2. The generic construction in Figure 4 is a secure group blind signature scheme providing that the CERT scheme is unforgeable, the GS proof system is sound, hiding (i.e.witness-indistinguishable/zeroknowledge) and re-randomizable and the blind signature scheme is secure (i.e.unforgeable and blind).
Abort if pk i = pk j for any j or ê(S1, G2) = ê(G1, S2). 2 The transformation is done without knowledge of the original witness of the proof.
Adversary A 1 gets as its input the public key pk CERT of the CERT scheme from its game.It then runs the GKg algorithm and initiates GS proofs in the binding setting (i.e.crs 2 is chosen to be a binding CRS), except that the Issuer's public key pk CERT is set to be its own input.
When calling B, A 1 sends gpk and ok.All B's queries are answered as in Figure 1 except the following queries: -AddS and SndToI: Here A 1 simulates the Issuer, where it forwards pk i := (S i,1 , S i,2 ) to its sign oracle and uses the output of the oracle as the certificate cert i for group member Signer i .
Finally, when B outputs its signature Σ, adversary A 1 extracts the certificate cert and the verification key pk := (S 1 , S 2 ) from the signature Σ and returns ((S 1 , S 2 ), cert) as its forgery in its game.
Clearly, if B wins its game then A 1 breaks the unforgeability of the CERT signature scheme since having a group blind signature produced by a signer who has not joined the group corresponds to a forgery in the CERT unforgeability game.Lemma 4. The construction is non-frameable if the blind signature scheme is unforgeable (i.e.If assumptions AWFCDH and q-ADHSDH hold and GS proofs are sound) and the CERT signature scheme (used for producing sig upon joining the group) is unforgeable.
Proof.We prove that where n(λ) is a polynomial in λ representing the maximum number of honest group members adversary B creates during the game.By the perfect soundness of GS proofs, we have that Adv Soundness

GS,A3
(λ) = 0. Also, the signature scheme BS−DS used in the signing protocol and the CERT signature scheme used for producing the signature sig upon joining are unforgeable and therefore adversaries against the unforgeability of those schemes have a negligible advantage.Thus, we have that Adv U nf org BS−DS,A1 (λ) ≤ ν(λ), Adv U nf org CERT,A2 (λ) ≤ ν(λ) and therefore have that Adv N on−F rame GBS,B (λ) ≤ ν(λ).The details of the security proof for the unforgeability of the underlying blind signature scheme can be found in [23].We will construct an adversary A 1 that launches a successful chosen-message attack against the unforgeability of the signature scheme BS−DS underlying the blind signature scheme where A 1 uses B as an oracle to achieve its goal.Adversary A 1 has access to a sign oracle SSign(sk, •) in its unforgeability game.It starts out by running the algorithm GKg to generate the group public key gpk, where it initiates GS proofs in the binding setting (i.e.crs 2 is chosen to be a binding CRS).Then it calls B on input gpk, the Issuer's key ik := sk CERT , and the Opener's key ok := xk 2 .
Let j be the identity of t th honest signer B creates, where t ∈ [1, n(λ)].Adversary A 1 guesses that j is the identity of the group member B will attempt to frame.All B's queries are answered as in Figure 1 except the following queries: -SndToS: For all honest group members Signer i , A 1 will generate the personal secret/public keys (ssk[i], spk[i]) itself.Adversary A 1 will also generate all the signing/verification keys (sk i , pk i ) for all honest group members except for Signer j where pk j is set to the public key that A 1 gets from its SSign oracle in its unforgeability game and thus sk j =⊥ because it corresponds to the secret key available to A 1 's SSign oracle which is unknown to A 1 .-SSK: Is answered as in Figure 1 with the exception that B is not allowed to ask the query SSK(j) i.e. it cannot ask for the secret signing key of the group member it intends to frame.-OSign: For a group member Signer i where i = j, A 1 will use gsk [i]  We now turn to constructing an adversary A 2 that launches a successful chosen-message attack against the unforgeability of the signature scheme CERT used for producing the signature sig in the Join protocol.Adversary A 2 has access to a sign oracle SSign(sk, •) in its unforgeability game.It starts out by running the algorithm GKg to generate the group public key gpk, where it initiates GS proofs in the binding setting (i.e.crs 2 is chosen to be a binding CRS).Adversary A 2 calls B on input gpk, the Issuer's key ik := sk CERT , and the Opener's key ok := xk 2 .Again, A 2 guesses that j is the identity of the group member that B will attempt to frame.All B's queries are answered as in Figure 1 except the following queries: -SndToS: For all honest group members Signer i , A 2 will generate the signing/verification keys (sk i , pk i ).
It also generates the personal secret/public keys (ssk[i], spk[i]) and the signatures sig i for all honest members except for member j whose signature sig j is obtained by a call to the SSign(sk, •) oracle A 2 has access to.The key spk[j] is set to the public key A 2 obtains from its game and thus ssk[j] =⊥ because it corresponds to the secret key available to A 2 's SSign oracle which is unknown to A 2 .
Finally, when B outputs a successful forgery, adversary A 2 aborts if the framed group member is different from the one it has guessed.Otherwise, A 2 returns (pk * , sig * ) as its answer in its unforgeability game.By the unforgeability of the CERT scheme, we have that Adv U nf org CERT,A2 (λ) ≤ ν(λ).We conclude that Adv N on−F rame GBS,B (λ) ≤ ν(λ) and hence the group blind signature scheme is non-frameable.
Lemma 5.The construction is blind providing that the GS proof system is hiding and re-randomizable, the Pedersen commitment (used in the first round of the signing protocol) is hiding and that the SXDH assumption holds.
Proof.We prove that By the perfect witness-indistinguishability/zero-knowledge of GS proofs in the hiding setting, we have that Adv Hiding GS,A1 (λ) = 0. Also, the commitment used in the first round of the signing protocol, the Pedersen commitment scheme, is perfectly hiding, and therefore we also have Adv Hiding Pedersen,A2 (λ) = 0. Furthermore, we have by the security of GS proofs (i.e. the security of the SXDH assumption [33]) that an adversary has a negligible advantage in telling apart a binding CRS from a hiding one and therefore this only negligibly changes B's success probability.Thus, the scheme is blind.
In this game, the adversary plays the role of a signer in the group.In the CPA-version of the scheme, adversary B is not granted access to the Open oracle (for the same reason we mentioned in the proof for anonymity).
Note that the commitments, Co b and Co 1−b , B sees in the first round are Pedersen commitments which are perfectly hiding and have identical distributions.Moreover, by making proof Ψ zero-knowledge, we can simulate all the proofs that the user sends to the signer and hence we can build an adversary against the hiding property of Pedersen commitment (i.e.adversary A 2 that wins the security game in Figure 6) where

Adv Hiding
Pedersen,A2 (λ Also, by switching crs 1 and crs 2 to hiding strings, the proofs B sees are distributed uniformly and hence again Fig. 6.Security experiment for Pedersen commitment scheme's hiding property if B can break the blindness of the group blind signature scheme, we can construct an adversary A 1 that uses B (in a similar game to that used in Figure 5(b)) to break the witness-indistinguishability/zero-knowledge properties of GS proofs by distinguishing between different witnesses A 1 gets from its Prove oracle.
Note that even if the malicious signer dishonestly chooses the randomness it uses in the GS commitments, the new proofs after the re-randomization process by the user are independent of those sent by the signer and hence they cannot be linked.Moreover, the re-randomized proofs are indistinguishable from fresh proofs generated for the same statements.Thus, the scheme is blind.

Achieving Full Anonymity
Since GS proofs are not simulation-sound and hence when instantiated in the hiding setting we can no longer apply the GSExtract algorithm to extract the witness used in the proof.This means that whenever there is a need to simulate the proofs, the Opener can no longer answer Open queries.To achieve full anonymity where the Opener can always respond to Open queries, we need an extractable simulation-sound proof system [46,47] which allows for extraction while simulating.
Alternatively, we can use an IND-CCA secure encryption scheme to encrypt the signature σ and add an extra GS proof to prove that the encrypted signature is the same as that used as a witness in the other proofs.In this case, the Opener gets the decryption key for the encryption scheme which allows him to decrypt any ciphertext and hence recover the underlying signature from its encryption if he cannot extract it from GS proofs.It appears that the encryption scheme we require has to be re-randomizable but yet the IND-CCA security contradicts re-randomizability of ciphertexts which in some way considered a form of malleability.However, there exist a number of encryption schemes with properties that seem to suffice for this purpose, e.g.[30,43].

Conclusion
We have presented a formal security model for dynamic group blind signatures which allows for obtaining rigorous proofs of security.In doing so, we have identified and remedied a number of issues which were not considered by previous constructions.
We have also presented new schemes whose security does not rely on random oracles.All our schemes have a concurrent joining protocol, a round-optimal signing protocol and yield signatures of a constant-size.We have also proved the security of our constructions.
In answering B's challenge queries, A randomly chooses i ← [1, n(λ)], all challenge queries j < i are answered using gsk i0 .The i-th challenge query is answered using A's challenge oracle and the rest challenge queries are answered using gsk i1 .The rest of B's queries are answered using the oracles available to A.
Adversary A keeps an independent list CLA containing all the signers it uses in simulating the challenge oracle for B. Every time B asks an Open query, A looks up the identity returned by its own Open oracle in this list and returns (⊥, ⊥) if either the identity exists in the list or the answer of the Open oracle was (⊥, ⊥).Otherwise, A returns whatever was returned by its own Open query.
. Since i is chosen uniformly at random from the set [1, n(λ)], we have for every Thus, we have By the above two equations, we have

B SXDH Instantiation of the GS Proof System
Here we show how GS proofs are instantiated under the SXDH assumption.Let P ) be a bilinear group in which SXDH assumption holds.We set 2 and B T := G 4 T , all with operations performed componentwise.We let Since the underlying pairing ê is bilinear, it follows that the map F is also bilinear.To generate the CRS, the trusted party chooses a i , t i ← Z p for i = 1, 2 and computes -GSSetup: Generates a binding key by setting U i,2 := U ti i,1 := (U i , V i ).The extraction key is xk := (a 1 , a 2 ).-GSSimSetup: Generates a hiding key by setting U i,2 := U The CRS is then the set where U i := {U i,1 , U i,2 }.Under the SXDH assumption, one cannot tell a binding CRS from a hiding CRS.

GS Commitments.
We define the maps -Committing to Exponents: To commit to x ∈ Z p , randomly choose τ x ← Z p and compute C x ← GScomm i (x, τ x ) := ι i (x) • U τx i,1 ∈ B i .GSExtract then extracts the witness from a commitment C = (G c1 i , G c2 i ) by computing c 2 − a i • c 1 .Note that the algorithm needs to solve discrete logarithm to be able to extract a witness from a commitment to an exponent.
The proof is constructed by first committing to each element in the witness list and then constructing a proof Ψ := (θ, π) ∈ B 1 × B 2 for the satisfiability of each equation.Proofs for linear equations are simpler and consist of only one of the two elements and not both.The size of the proof includes the proof itself and the associated commitments.
For more details about the proof system we refer the reader to [33].

C DH-LRSW in the Generic Group Model
Here we show that the DH-LRSW assumption holds in the generic group model [50,38].
Theorem 3. Let A denote an adversary in the generic group model against the DH-LRSW assumption.Assume A in this game makes q G group operation queries, q P pairing queries, and q O queries to the DH-LRSW oracle O DH-LRSW .The probability of adversary A winning the DH-LRSW game is bounded by ≤ (q G +q P +4q O +4) 2 •4 p , where p is the (prime) order of the generic groups.
Proof.A challenger B interacts with adversary A in the game in which A is given access to a set of oracles.Adversary A interacts with those oracles via group handles.We also define three random encoding functions ξ i : G i −→ {0, 1} * for i = 1, 2, T where ξ i maps elements from group G i into random strings.The challenger keeps three lists G 1 , G 2 , G T which contain pairs of the form (σ, P ) where σ is a "random" encoding of the group element (i.e.σ is an output of the map ξ i ) and P is some polynomial in F p [X, Y, A 1 , . . ., A q O ].
To each list we associate an Update operation, that takes as input the specific list G i and a polynomial P .The function Update(G i , P ) searches the list for a pair whose second component is equal to P , if it finds one, it returns the first component as a result.Otherwise, a new random encoding σ, distinct from all other elements used so far is chosen, and the pair (σ, P ) is added to the list G i .The value σ is then returned.Note that at no point A gets access to the second element in the pairs.
The challenger starts the game by calling: Update(G 1 , 1), Update(G 2 , 1), Update(G 2 , X) and Update(G 2 , Y ).The oracles used in the game are defined as follows: -Group Operations: Oracles O 1 , O 2 and O T allow A access to the group operations, via subtraction/addition operations.On a call to O i (σ 1 , σ 2 ) B searches list G i for pairs of the form (σ 1 , P 1 ) and (σ 2 , P 2 ).If both exist, B returns the output of Update(G i , P 1 ± P 2 ).Otherwise, it returns ⊥.Note that exponentiation operations can be performed by calls to the group operation oracles.
-Pairing Operation: Oracle O P allows A to perform pairing operations.On a call to O P (σ 1 , σ 2 ), B searches the list G 1 for the pair (σ 1 , P 1 ), and the list G 2 for the pair (σ 2 , P 2 ).If both exist, B returns the output of Update(G T , P 1 • P 2 ).Otherwise, it returns ⊥. -DH-LRSW Oracle: The adversary may make up to q O queries of the form O DH-LRSW (σ 1 , σ 2 ).
The challenger searches list G 1 for a pair (σ 1 , P 1 ) and list G 2 for a pair (σ 2 , P 2 ).If they do not exist or P 1 = P 2 , B returns ⊥.Otherwise, it executes the following operations, where A i , X and Y are indeterminants: Returning the tuple (σ Ai , σ Bi , σ Ci , σ Di ) to A.
At the end of the game, the total number of non-constant polynomials contained in the three lists G 1 , G 2 and G T after A has made its q O queries to the DH-LRSW oracle is bounded from above by t = q G + q P + 4q O + 4.
Using the above oracles, we can simulate the entire run of the adversary where the adversary may make no decision which depends on the particular encoding of group elements used.
The Adversary Output: Eventually, A will output a tuple (σ A , σ B , σ C , σ D , σ M1 , σ M2 ), where σ A , σ B , σ C , σ D and σ M1 are on list G 1 while σ M2 is on list G 2 .We let P A , P B , P C , P D , P M1 , P M2 denote the polynomials associated with these encodings.
For the output of A to be correct, it must correspond to a solution to the DH-LRSW problem, so these output polynomials can be assumed to satisfy, for some assignment (x, y, a 1 , . . ., a q O ) ∈ F 2+q O p to the variables (X, Y, A 1 , . . ., A q O ), the equations P D = X • (P A + P C ) (7) From this we wish to derive a contradiction, i.e. conclude that the adversary cannot solve the DH-LRSW assumption in the GGM.To do so we need to first ensure that these polynomial identities cannot hold identically, i.e. irrespective of any particular assignment (x, y, a 1 , . . ., a q O ) ∈ F 2+q O p to the variables (X, Y, A 1 , . . ., A q O ).
Let (M 1,i , M 2,i ) denote the ith query to the DH-LRSW oracle, where we discount queries which return ⊥.It is easy to see that the only polynomials on the list G 2 are linear combinations of the terms 1, X and Y we see that we must have P M2,i = r i + s i • X + t i • Y .Since we have P M1,i = P M2,i , this implies that the above polynomials must also appear on the list G 1 .However, it is also clear that there is no operation in G 1 which we create a polynomial with a monomial term of X, nor one of Y .Thus, we can conclude that all queries to the DH-LRSW oracle correspond to elements whose polynomials are a constant term of the form P M1,i = P M2,i = r i .By a similar argument, we can also deduce that the output of the adversary corresponds to polynomials with P M1 = P M2 = r.Note, this is precisely where we use the property that the oracle will return ⊥ unless the input query lies in Ĝ.
Since the queries are for constant polynomials only, we see that the only polynomials which can appear on the list G 1 are of the form where v 0 , v 1,i , v 2,i , v 3,i ∈ F p .

Fig. 1 .
Fig. 1.Oracles used in the security experiments for dynamic group blind signatures

Fig. 2 .
Fig. 2. Security experiments for dynamic group blind signatures

-
Committing to Group Elements: To commit to X ∈ G i , choose τ X ← Z p × Z p and compute C X ← GScomm i (X, τ X ) := ι i (X) • U i τx ∈ B i .GSExtract then extracts the witness from a commitment C = (C 1 , C 2 ) ∈ B i by computing C 2 • C −ai 1 .

M in ): The adversary can use this oracle to engage in the Join − Issue protocol with the honest, Issue-executing Issuer. -SndToS(i, M in ): This oracle models the scenario that the adversary has corrupted the Issuer. The adver- sary uses this oracle to engage in the Join − Issue protocol with an honest, Join-executing Signer. -ReadReg(i): The adversary can call this oracle to obtain the content of entry reg[i]. -ModifyReg(i, val): The adversary can call this oracle to modify the content of entry reg
AddS(i): The adversary can use this oracle to add an honest signer Signer i to the group.-CrptS(i, pk): The adversary can use this oracle to create a new corrupt signer Signer i , where Signer i 's public key spk[i] is chosen by the adversary.This oracle is usually called in preparation for calling the The adversary can call this oracle to obtain both the personal secret key ssk[i] and the group signing key gsk[i] of group member Signer i .
to generate the group blind signature Σ.For a group member Signer i where i = j, A 1 will forward the request to its SSign oracle and gets σ back and then generates the rest of the group blind signature Σ itself.It then forwards the signature Σ to B.Finally, when B outputs its l+1 signatures, adversary A 1 aborts if the framed group member is different from the one it has guessed.Otherwise, A 1 uses the extraction key xk 2 to extract the extra signature σ *