On New Zero-Knowledge Arguments for Attribute-Based Group Signatures from Lattices

Conference paper. In: Information Security and Cryptology – ICISC 2017 (ICISC 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10779)

Abstract

Because of their security and computational properties, lattice-based constructions are a prime concern of recent research, and zero-knowledge proofs provide the strongest security guarantees for cryptographic primitives. In this paper we formalize a new zero-knowledge argument (ZKA) suited to lattice-based constructions and use it to prove the security of the proposed attribute-based group signature scheme under lattice assumptions. To the best of our knowledge, this is the first such construction.

References

  1. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28

  2. Ali, S.T., Amberker, B.: Attribute-based group signature without random oracles with attribute anonymity. Int. J. Inf. Comput. Secur. 6(2), 109–132 (2014)

  3. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38

  4. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_11

  5. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_4

  6. Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_29

  7. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71677-8_1

  8. Chaum, D., Van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22

  9. El Bansarkhani, R., El Kaafarani, A.: Post-quantum attribute-based signatures from lattice assumptions. IACR Cryptology ePrint Archive 2016, p. 823 (2016)

  10. Emura, K., Miyaji, A., Omote, K.: A dynamic attribute-based group signature scheme and its application in an anonymous survey for the collection of attribute statistics. Inf. Media Technol. 4(4), 1060–1075 (2009)

  11. Escala, A., Herranz, J., Morillo, P.: Revocable attribute-based signatures with adaptive security in the standard model. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 224–241. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21969-6_14

  12. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008)

  13. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)

  14. Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010)

  15. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29

  16. Herranz, J., Laguillaumie, F., Libert, B., Ràfols, C.: Short attribute-based signatures for threshold predicates. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 51–67. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27954-6_4

  17. Jia, X., Yupu, H., Juntao, G., Wen, G., Xuelian, L.: Attribute-based signatures on lattices. J. China Univ. Posts Telecommun. 23(4), 83–90 (2016)

  18. Khader, D.: Attribute based group signature with revocation. IACR Cryptology ePrint Archive 2007, p. 241 (2007)

  19. Khader, D.: Attribute based group signatures. IACR Cryptology ePrint Archive 2007, p. 159 (2007)

  20. Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_3

  21. Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_20

  22. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4

  23. Li, J., Kim, K.: Attribute-based ring signatures. IACR Cryptology ePrint Archive 2008, p. 394 (2008)

  24. Liang, X., Cao, Z., Shao, J., Lin, H.: Short group signature without random oracles. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 69–82. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77048-0_6

  25. Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13

  26. Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_1

  27. Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8

  28. Maji, H.K., Prabhakaran, M., Rosulek, M.: Attribute-based signatures: achieving attribute-privacy and collusion-resistance. IACR Cryptology ePrint Archive 2008, p. 328 (2008)

  29. Maji, H.K., Prabhakaran, M., Rosulek, M.: Attribute-based signatures. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 376–392. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_24

  30. Mao, X.-P., Chen, K.-F., Long, Y., Wang, L.-L.: Attribute-based signature on lattices. J. Shanghai Jiaotong Univ. (Sci.) 19(4), 406–411 (2014)

  31. Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_17

  32. Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_18

  33. Okamoto, T., Takashima, K.: Efficient attribute-based signatures for non-monotone predicates in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 35–52. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_3

  34. Patel, B.K., Jinwala, D.: Anonymity in attribute-based group signatures. In: Thilagam, P.S., Pais, A.R., Chandrasekaran, K., Balakrishnan, N. (eds.) ADCONS 2011. LNCS, vol. 7135, pp. 495–504. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29280-4_58

  35. Regev, O.: On lattices, learning with errors, random linear codes and cryptography. In: STOC 2005, pp. 84–93. ACM (2005)

  36. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 34 (2009)

  37. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32

  38. Shahandashti, S.F., Safavi-Naini, R.: Threshold attribute-based signatures and their application to anonymous credential systems. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 198–216. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_13

  39. Zhang, Y., Hu, Y., Jiang, M.: An attribute-based signature scheme from lattice assumption. Wuhan Univ. J. Nat. Sci. 20(3), 207–213 (2015)

Author information

Corresponding author: Veronika Kuchta.

Appendices

A Definitions

Discrete Gaussians. Let \(\mathtt {L}\) be a subset of \(\mathtt {\mathbb {Z}^{m}}\). For a vector \(\mathtt {c\in \mathbb {R}^m}\) and a positive real parameter \(\mathtt {s}\), define

$$\begin{aligned} \mathtt {\rho _{s,c}(x)=\exp \left( -\pi \frac{\left\| x-c\right\| ^2}{s^2}\right) \quad \mathrm{and} \quad \rho _{s,c}(L)=\sum \limits _{x\in L}\rho _{s,c}(x)}. \end{aligned}$$

The discrete Gaussian distribution over \(\mathtt {L}\) with center \(\mathtt {c}\) and parameter \(\mathtt {s}\) is given by \(\mathtt {\mathcal { D}_{L,s,c}(y)=\frac{\rho _{s,c}(y)}{\rho _{s,c}(L)}}\), for all \(\mathtt {y\in L}\). The distribution \(\mathtt {\mathcal { D}_{L,s,c}}\) is usually defined over the lattice \(\mathtt {L=\Lambda _{q}^{\bot }(A)}\) for \(\mathtt {A\in \mathbb {Z}_{q}^{n\times m}}\).

The security of our construction and of its building blocks rests on the hardness of the \(\mathtt {SIVP_{\tilde{\mathcal {O}}(n)}}\) and \(\mathtt {LWE}\) problems, which we recall in the following two definitions.

B Non-interactive Zero-Knowledge Proof

A non-interactive proof system \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) for a relation R with setup consists of four PPT algorithms: a setup algorithm \(\mathcal {G}\), a common reference string (CRS) generation algorithm \(\mathcal {K}\), a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\). The setup algorithm outputs public parameters I and a commitment key ck. The CRS generation algorithm takes (I, ck) as input and outputs a CRS \(\varSigma \). The prover \(\mathcal {P}\) takes as input \((I,\varSigma ,x,\omega )\), where x is the statement and \(\omega \) is the witness, and outputs a proof \(\pi \). The verifier \(\mathcal {V}\) takes as input \((I,\varSigma ,x,\pi )\) and outputs 1 if the proof is acceptable and 0 otherwise. \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is a non-interactive proof system for R if it has the following properties:

Completeness. A non-interactive proof is complete if an honest prover can convince an honest verifier whenever the statement belongs to the language and the prover holds a witness testifying to this fact. For all adversaries \(\mathcal {A}\) we have:

$$\begin{aligned}&Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); \varSigma \leftarrow \mathcal {K}(I,ck); (x,\omega )\leftarrow \mathcal {A}(I,\varSigma ):\\&\pi \leftarrow \mathcal {P}(I,\varSigma ,x,\omega ):\mathcal {V}(I,\varSigma ,x,\pi )=1\ \text {if}\ (I,x,\omega )\in R]=1. \end{aligned}$$

Soundness. A non-interactive proof is sound if it is infeasible to prove a false statement, i.e. an x that is not in the language L. We say \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is perfectly sound if for all adversaries \(\mathcal {A}\) we have:

$$\begin{aligned}&Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); \varSigma \leftarrow \mathcal {K}(I,ck); (x,\pi )\leftarrow \mathcal {A}(I,\varSigma );\\&\quad \mathcal {V}(I,\varSigma ,x,\pi )=0\ \text {if}\ x\notin L]=1. \end{aligned}$$

Knowledge Extraction. We say that \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is a proof of knowledge for R if there exists a knowledge extractor \(\mathcal {E}=(\mathcal {E}_1,\mathcal {E}_2)\) with the following properties: For all PPT adversaries \(\mathcal {A}\) we have

$$\begin{aligned}&Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); \varSigma \leftarrow \mathcal {K}(I,ck): \mathcal {A}(I,\varSigma )=1]\\&=Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); (\varSigma ,\xi )\leftarrow \mathcal {E}_1(I,ck):\mathcal {A}(I,\varSigma )=1]. \end{aligned}$$

and for all adversaries \(\mathcal {A}\):

$$\begin{aligned}&Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); (\varSigma ,\xi )\leftarrow \mathcal {E}_1(I,ck);(x,\pi )\leftarrow \mathcal {A}(I,\varSigma );\\&\omega \leftarrow \mathcal {E}_2(\varSigma ,\xi ,x,\pi ):\mathcal {V}(I,\varSigma ,x,\pi )=0\ \text {or }(I,x,\omega )\in R]=1. \end{aligned}$$

Zero-Knowledge. We say that \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is a composable NIZK proof if there exists a PPT simulator \((\mathcal {S}_1,\mathcal {S}_2)\) such that for all PPT adversaries \(\mathcal {A}\) we have

$$\begin{aligned}&Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); \varSigma \leftarrow \mathcal {K}(I,ck):\mathcal {A}(I,\varSigma )=1]\\&\approx Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); (\varSigma ,\tau )\leftarrow \mathcal {S}_1(I,ck):\mathcal {A}(I,\varSigma )=1], \end{aligned}$$

and for all adversaries \(\mathcal {A}\):

$$\begin{aligned}&Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); (\varSigma ,\tau )\leftarrow \mathcal {S}_1(I,ck); (x,\omega )\leftarrow \mathcal {A}(I,\varSigma ,\tau );\\&\pi \leftarrow \mathcal {P}(I,\varSigma ,x,\omega ): \mathcal {A}(\pi )=1] \\&\approx Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); (\varSigma ,\tau )\leftarrow \mathcal {S}_1(I,ck);\\&(x,\omega )\leftarrow \mathcal {A}(I,\varSigma ,\tau );\pi \leftarrow \mathcal {S}_2(I,\varSigma ,\tau ,x): \mathcal {A}(\pi )=1], \end{aligned}$$

where \(\mathcal {A}\) outputs \((I,x,\omega )\in R\). We obtain a strong notion of zero-knowledge, called composable zero-knowledge [15]. It implies standard zero-knowledge and is simpler to work with, because it separates the computational indistinguishability into two parts considering the CRS and the proofs respectively.

Simulation Soundness. We say that \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is simulation sound if a PPT adversary \(\mathcal { A}\) cannot prove a false statement even after seeing simulated proofs of arbitrary (possibly false) statements of its choice. Let \(SQL\) denote the list of statement/proof pairs \((x,\pi )\) that \(\mathcal {A}\) obtained from the simulation oracle \(\mathcal {S}_2\). For all PPT adversaries \(\mathcal {A}\) we have

$$\begin{aligned}&Pr[(I,ck)\leftarrow \mathcal {G}(1^{\lambda }); (\varSigma ,\tau )\leftarrow \mathcal {S}_1(I,ck); (x,\pi )\leftarrow \mathcal {A}^{\mathcal {S}_2(I,\varSigma ,\tau ,\cdot )}(I,\varSigma ):\\&\quad (x,\pi )\notin SQL\ \wedge \ x \notin L\ \wedge \ \mathcal {V}(I,\varSigma ,x,\pi )=1]=\epsilon (\lambda ), \end{aligned}$$

where \(\epsilon (\lambda )\) is negligible.

C Preimage Sampling Function

In this section we recall the notion of preimage sampling functions (PSF) introduced in [13]. A PSF combines a trapdoor construction for integer lattices with an efficient discrete Gaussian sampling algorithm. Let \(\mathtt {\mathbf {A}\in \mathbb {Z}_{q}^{\nu \times \mu }}\) be a uniform matrix and \(\mathtt {\mathbf {T_A}}\) a short basis of the lattice \(\mathtt {\Lambda ^{\bot }(\mathbf {A})}\); such a basis serves as a trapdoor for finding small non-zero solutions \(\mathtt {\mathbf {e}\in \mathbb {Z}^{\mu }}\) of the equation \(\mathbf {Ae=0}\mod q\).

Definition 11

(PSF). Let \(\mathtt {\lambda }\) be a security parameter, \(\mathtt {\nu }\) the security dimension and \(\mathtt {\mu }\) the dimension of the lattice basis. Let \(\mathtt {s\ge L\omega (\sqrt{\log \mu })}\) be a discrete Gaussian parameter, where \(\mathtt {L}\) bounds the Gram–Schmidt norm of the trapdoor basis (see \(\mathtt {TrapGen}\) below). A PSF family consists of maps \(\mathtt {f_{A}: \mathbb {D}_{\mathbb {Z}^{\mu },s}\rightarrow \mathbb {Z}_{q}^{\nu }}\) with domain \(\mathtt {\mathbb {D}_{\mathbb {Z}^{\mu },s}=\{\mathbf {e}\in \mathbb {Z}^{\mu }:\left\| \mathbf {e}\right\| \le \sqrt{\mu }\,s\}\subseteq \mathbb {Z}^{\mu }}\) and is specified by the following algorithms:

  • \(\underline{\mathtt {TrapGen}\mathtt {(1^{\lambda })}}:\) On input the security parameter \(\mathtt {1^{\lambda }}\) it outputs a uniform matrix \(\mathtt {\mathbf {A}\in \mathbb {Z}_{q}^{\nu \times \mu }}\) together with a basis \(\mathtt {\mathbf {T_{A}}}\) of \(\mathtt {\Lambda ^{\bot }(\mathbf {A})}\) whose Gram–Schmidt orthogonalization satisfies \(\mathtt {\left\| \mathbf {\tilde{T}_A}\right\| \le L}\). The public parameters are \(\mathtt {(\mathbf {A},q)}\) and the preimage-sampling trapdoor is \(\mathtt {\mathbf {T_A}}\).

  • \(\underline{\mathtt {EvalFun}\mathtt {(\mathbf {A},q,\mathbf {e})}}:\) On input public parameters \(\mathtt {(\mathbf {A},q)}\) and a point \(\mathtt {\mathbf {e}\in \mathbb {D}_{\mathbb {Z}_{q}^{\mu },s}}\), the algorithm outputs the image \(\mathtt {f_{\mathbf {A}}(\mathbf {e})=\mathbf {Ae}\mod q\in \mathbb {Z}_{q}^{\nu }}\).

  • \(\underline{\mathtt {SampleDom}\mathtt {(\mathbb {I}^{\mu \times \mu },s)}}\): On input the identity matrix \(\mathtt {\mathbb {I}^{\mu \times \mu }}\) (the trivial basis of \(\mathtt {\mathbb {Z}^{\mu }}\)) and a Gaussian parameter \(\mathtt {s}\), it outputs a vector \(\mathtt {\mathbf {e}\leftarrow \mathtt {SampleGaussian}(\mathbb {I}^{\mu \times \mu },s,0)}\), i.e. \(\mathtt {\mathbf {e}\sim \mathcal { D}_{\mathbb {Z}^{\mu },s}}\).

  • (The algorithm \(\mathtt {SampleGaussian}\mathtt {(\mathbf {B},s,\mathbf {c})}\) works as follows. On input a basis \(\mathtt {\mathbf {B}}\) of a lattice \(\varLambda \subset \mathbb {R}^{\mu }\), a parameter \(\mathtt {s\ge \left\| \mathbf {\tilde{B}}\right\| \omega (\sqrt{\log \mu })}\) and a center \(\mathtt {\mathbf {c}\in \mathbb {R}^{\mu }}\), it outputs a lattice vector \(\mathtt {\mathbf {x}\in \Lambda }\) with \(\mathtt {\mathbf {x}\sim \mathcal { D}_{\Lambda ,s,c}}\).)

  • \(\underline{\mathtt {SamplePre}\mathtt {(\mathbf {A},q,\mathbf {T_A},s,\mathbf {u})}}\): On input the public parameters \(\mathtt {(\mathbf {A},q)}\), the trapdoor \(\mathtt {\mathbf {T_A}}\), a Gaussian parameter \(\mathtt {s}\) and a target image \(\mathtt {\mathbf {u}\in \mathbb {Z}_{q}^{\nu }}\), the algorithm samples \(\mathtt {\mathbf {e}\in \mathbb {D}_{\mathbb {Z}^{\mu },s}}\) distributed as \(\mathtt {\mathcal { D}_{\mathbb {Z}^{\mu },s}}\) conditioned on \(\mathtt {\mathbf {Ae}=\mathbf {u}(\mod q)}\). It first finds an arbitrary solution \(\mathtt {\mathbf {c}\in \mathbb {Z}^{\mu }}\) of the linear system \(\mathtt {\mathbf {Ac}=\mathbf {u}(\mod q)}\), then samples \(\mathtt {\mathbf {d}\leftarrow \mathtt {SampleGaussian}(\mathbf {T_A},s,-\mathbf {c})\sim \mathcal { D}_{\Lambda ^{\bot }(\mathbf {A}),s,-\mathbf {c}}}\) and outputs the vector \(\mathtt {\mathbf {e}=\mathbf {c}+\mathbf {d}\in \mathbb {Z}^{\mu }}\).
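
As an added example (not code from the paper), the following Python puts the discrete Gaussian \(\rho_{s,c}\) of Appendix A and the PSF algorithms of this appendix side by side on a toy lattice: a rejection sampler for \(\mathcal{D}_{\mathbb{Z},s,c}\), the randomised nearest-plane \(\mathtt{SampleGaussian}\) of [13] driven by the Gram–Schmidt vectors of the basis, and the \(\mathtt{SampleDom}\) / \(\mathtt{EvalFun}\) / \(\mathtt{SamplePre}\) round trip \(\mathbf{e}=\mathbf{c}+\mathbf{d}\). The stand-in for \(\mathtt{TrapGen}\) (\(\nu=1\), a row \(\mathbf a\) with first entry 1) yields a basis of \(\Lambda^\perp(\mathbf a)\) that contains a vector of length \(q\), so it shows the algorithmic structure, not a secure trapdoor; the toy values \(q=17\), \(\mu=4\), \(s=40\) and all function names are assumptions.

```python
import math
import random


def rho(x, c, s):
    """Gaussian weight rho_{s,c}(x) = exp(-pi * |x - c|^2 / s^2) from Appendix A."""
    return math.exp(-math.pi * (x - c) ** 2 / s ** 2)


def sample_z(s, c, tail=10):
    """D_{Z,s,c} by rejection sampling: draw x uniformly from the tail-cut
    interval [c - tail*s, c + tail*s] and accept with probability rho_{s,c}(x)."""
    lo, hi = math.ceil(c - tail * s), math.floor(c + tail * s)
    while True:
        x = random.randint(lo, hi)
        if random.random() < rho(x, c, s):
            return x


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(basis):
    """Gram-Schmidt vectors b~_i of a basis given as a list of column vectors."""
    ortho = []
    for b in basis:
        v = [float(t) for t in b]
        for t in ortho:
            mu = dot(v, t) / dot(t, t)
            v = [vi - mu * ti for vi, ti in zip(v, t)]
        ortho.append(v)
    return ortho


def sample_gaussian(basis, s, c):
    """SampleGaussian(B, s, c): the randomised nearest-plane sampler of [13].
    It always returns a vector of the lattice spanned by B; the distribution is
    close to D_{L(B),s,c} only when s >= ||B~|| * omega(sqrt(log mu))."""
    ortho = gram_schmidt(basis)
    v = [0] * len(basis)
    c = [float(t) for t in c]
    for i in reversed(range(len(basis))):
        norm_sq = dot(ortho[i], ortho[i])
        c_i = dot(c, ortho[i]) / norm_sq           # centre's coordinate along b~_i
        z = sample_z(s / math.sqrt(norm_sq), c_i)   # integer coefficient of b_i
        c = [cj - z * bj for cj, bj in zip(c, basis[i])]
        v = [vj + z * bj for vj, bj in zip(v, basis[i])]
    return v


def toy_trapgen(mu, q):
    """Stand-in for TrapGen with nu = 1 (assumption): a = (1, a_2, ..., a_mu) and a
    basis of Lambda^perp(a) = {e in Z^mu : <a, e> = 0 mod q}. The basis contains
    (q, 0, ..., 0), so it is NOT short; a real TrapGen outputs ||T~_A|| <= L."""
    a = [1] + [random.randrange(q) for _ in range(mu - 1)]
    basis = [[q] + [0] * (mu - 1)]
    for i in range(1, mu):
        b = [0] * mu
        b[0], b[i] = -a[i], 1          # <a, b> = -a_i + a_i = 0
        basis.append(b)
    return a, basis


def eval_fun(a, e, q):
    """EvalFun: f_a(e) = <a, e> mod q (the nu = 1 case of A e mod q)."""
    return dot(a, e) % q


def sample_dom(mu, s):
    """SampleDom: e ~ D_{Z^mu,s}, sampled coordinate-wise (identity basis)."""
    return [sample_z(s, 0.0) for _ in range(mu)]


def sample_pre(a, q, basis, s, u):
    """SamplePre: pick any c with <a,c> = u mod q, sample d ~ D_{Lambda^perp(a),s,-c}
    with the trapdoor basis, and output e = c + d (Gaussian around 0, preimage of u)."""
    c = [u % q] + [0] * (len(a) - 1)    # a_1 = 1, so c = (u, 0, ..., 0) is a solution
    d = sample_gaussian(basis, s, [-t for t in c])
    return [ci + di for ci, di in zip(c, d)]


def demo(seed=1, mu=4, q=17, s=40.0):
    """Round trip: u = f_a(e) for a domain sample e, then a fresh preimage e2 of u.
    Returns (u, f_a(e2), f_a(d) for a lattice sample d, e2)."""
    random.seed(seed)
    a, basis = toy_trapgen(mu, q)
    u = eval_fun(a, sample_dom(mu, s), q)
    e2 = sample_pre(a, q, basis, s, u)
    in_lattice = eval_fun(a, sample_gaussian(basis, s, [0] * mu), q)
    return u, eval_fun(a, e2, q), in_lattice, e2
```

The two properties a practitioner should check are visible in `demo`: every output of `sample_gaussian` lies in \(\Lambda^\perp(\mathbf a)\) (its image under \(f_{\mathbf a}\) is 0), and `sample_pre` returns a preimage of the requested \(\mathbf u\). What the toy cannot show is the security guarantee: with a basis of Gram–Schmidt norm \(q\) the sampler only approximates \(\mathcal{D}_{\Lambda^\perp,s,-\mathbf c}\) for \(s\) well above \(q\), which is why a real trapdoor with \(\|\widetilde{\mathbf T}_{\mathbf A}\|\le L\) for small \(L\) is essential.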

Lemma 1

There exists a PPT algorithm \(\mathtt {ExtBasis}\) that takes as input a matrix \(\mathtt {\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}}\) and a basis \(\mathtt {\mathbf {T_A}}\) of \(\mathtt {\Lambda _{q}^{\bot }(\mathbf {A})}\), where \(\mathtt {\mathbf {A}\in \mathbb {Z}_{q}^{n\times m'}}\) is a submatrix of \(\mathtt {\mathbf {B}}\), and outputs a basis \(\mathtt {\mathbf {T_{B}}}\) of the extended lattice \(\mathtt {\Lambda _{q}^{\bot }(\mathbf {B})}\) with \(\mathtt {\left\| \widetilde{\mathbf {T}_{B}}\right\| \le \left\| \widetilde{\mathbf {T}_{A}}\right\| }\).

D Security Analysis of Theorem 3

Proof

The proof of this theorem uses the following lemmas:

Lemma 2

If the underlying public key encryption scheme is IND-CCA secure and the NIZK proof is simulation sound and zero-knowledge, then our ABGSL scheme is fully anonymous under the hardness of the \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem.

Lemma 3

Our ABGS scheme is attribute anonymous under the hardness of the \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem, provided the underlying public key encryption scheme is IND-CCA secure and the underlying NIZK proof is simulation sound and computationally zero-knowledge.

Lemma 4

If the underlying public key encryption scheme is IND-CCA secure, the digital signature scheme is unforgeable under chosen-message attacks and the NIZK proofs are simulation sound, then our ABGS scheme is fully traceable under the hardness of the \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem.

Due to the page limit we only provide a sketch of the proof of Lemma 2. The full proofs will be given in the full version of this paper.

Proof of Lemma 2. Let \(\mathcal { A}_\mathtt {{uan}}\) be an adversary against user full-anonymity of the ABGSL scheme. We design an adversary \(\mathtt {\mathcal { B}_{\gamma }\in (\mathcal { B}_{SIVP},\mathcal { B}_{pke},\mathcal { B}_{sig})}\) against the \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem, against the IND-CCA security of the underlying encryption scheme, or against the unforgeability of the underlying signature scheme, respectively, and show how \(\mathcal { B}_{\gamma }\) simulates the environment of \(\mathcal { A}_{uan}\).

Setup: Algorithm \(\mathtt {\mathcal { B}_{SIVP}}\) simulates the public parameters and the master secret key. It first samples vectors \(\mathtt {\mathbf {a_{i}^{1},\ldots ,a_{i}^{\mu }}\in \left( \mathbb {Z}_{q}^{\nu }\right) ^{\mu }}\) for \(\mathtt {i\in [0,l]}\), sets \(\mathtt {\mathbf {A}=[\mathbf {a_{0}^{1}}|\ldots |\mathbf {a_{0}^{\mu }}]}\) and analogously \(\mathtt {\mathbf {A_i}=[\mathbf {a_{i}^{1}}}\mathtt {|\ldots |\mathbf {a_{i}^{\mu }}]}\) for each \(\mathtt {i\in [1,l]}\). For each \(i\in [l]\), \(\mathcal { B}_{SIVP}\) samples a uniformly random matrix \(\mathtt {\mathbf {B}_i}\) and runs the \(\mathtt {TrapGen}\) algorithm on these matrices to generate \(msk=\{\mathbf {T_{A,i}}\}\). To simulate the public and secret key of the underlying encryption scheme, \(\mathtt {\mathcal { B}_{pke}}\) runs the \(\mathtt {\mathtt {Setup}(1^{\lambda })}\) algorithm of Regev's encryption scheme on the security parameter and obtains the group manager's keys \(\mathtt {gmpk=\mathbf {B},gmsk=\mathbf {T_B}}\); \(\mathtt {\mathcal { B}_{pke}}\) forwards these values to \(\mathtt {\mathcal { A}_{uan}}\). To simulate the secret and public keys of the key issuing authorities, algorithm \(\mathtt {\mathcal { B}_{sig}}\) proceeds like \(\mathtt {\mathcal { B}_{pke}}\): it runs its own \(\mathtt {\mathtt {Setup}}\) algorithm and outputs \(\mathtt {sk_{kia}, pk_{kia}}\). The environment of the adversary \(\mathtt {\mathcal { A}_{uan}}\) is given by the following experiment:

  • (1.) \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}(1^{\lambda })}\)

  • (2.) \(\mathtt {(gmpk,gmsk)\leftarrow \mathtt {Setup}_e(1^{\lambda })}\)

  • (3.) \(\mathtt {(pk_{kia},sk_{kia})\leftarrow \mathtt {Setup}_s(1^{\lambda })}\)

  • (4.) \(\mathtt {(crs,R')\leftarrow \mathtt {SIM}(generate,\lambda )}\)

  • (5.) Set \(\mathtt {gpk=(\lambda ,R',gmpk,pk_{kia},vk_{ots})}\)

For all users \(\mathtt {i\in [n]}\) run \(\mathtt {(pk_i,sk_i)\leftarrow \mathtt {Setup}_s(1^{\lambda })}\).

Compute \(\mathtt {cert_i\leftarrow \mathtt {Sign}(sk_{kia},\left\langle i,pk_i\right\rangle )}\). Make oracle queries to \(\mathcal { O}\mathtt {Setup}\) and \(\mathcal { O}\mathtt {Decrypt}\) of the public key encryption scheme.

Queries to \(\mathcal { O}\mathtt {ABGOpen}(\cdot ,\cdot )\): Whenever \(\mathtt {\mathcal { A}_{uan}}\) queries its opening oracle on a message \(\mathtt {m}\) and a signature \(\sigma \), algorithm \(\mathtt {\mathcal { B}_{\gamma }}\) answers by first simulating the secret key of the group manager. If the oracle's output is \(\mathtt {m}\), it returns 1 to \(\mathcal { A}_{uan}\).

To simulate a user's attribute-based secret key, algorithm \(\mathtt {\mathcal { B}_{\gamma }}\) is invoked on the public parameters \(\mathtt {param}\) and the simulated master secret key \(\mathtt {msk=\{\mathbf {T_{A,i}}\}_{i\in [l]}}\) and proceeds as follows. A set of attributes to be challenged on, \(\mathbb {A}_i=\{a_1,\ldots ,a_{\kappa }\}\) with \(\kappa \in [0,N-1]\), is chosen. \(\mathcal { B}_{SIVP}\) associates each attribute \(a_{j}\), \(j\in [0,N-1]\), with a leaf \(\mathbf {d}_{j}\) of the Merkle tree by assigning to it the binary string \(\mathbf {d_{j}}=\mathtt {bin}(\mathbf {A}_i\mathbf {u_{j}}\bmod q)\in \{0,1\}^{\nu }\). Let \(\mathtt {R=(\mathbf {d}_{0},\ldots ,\mathbf {d}_{N-1})}\). \(\mathcal { B}_{SIVP}\) runs \(\mathtt {Tcalc}(R)\) to build the complete tree and the values \(\mathtt {\mathbf {u,v}}\) hashed at the root node, \(F_{0}(\mathbf {u,v})\). It then runs the \(\mathtt {TWitness}\) algorithm on the set \(\mathtt {R}\) and one of the leaves \(\mathtt {\mathbf {d}_j}\) to generate the witness of the zero-knowledge proof:

$$\begin{aligned}&\mathtt {w=\left( (j_1,\ldots ,j_l),(d_{j_1},f_{j_1}),\ldots ,(d_{j_l},f_{j_l}),(\mathbf {w}_{l},\ldots ,\mathbf {w}_{1})\right) \in \{0,1\}^{l}\times \{0,1\}^{2l}\times \{0,1\}^{l\nu \kappa }}, \end{aligned}$$

To simulate the valid credentials issued by the key issuing authority to each user i with k distinct attributes \(\mathtt {u_{j}^{(i)},j\in [k],i\in [N]}\), \(\mathcal { B}_{SIVP}\) first sums the attribute vectors, \(\mathbf {u}^{(i)}=\sum \limits _{j=1}^{k}\mathbf {u}_j^{(i)}\), and samples \(\mathtt {\mathbf {z_{i}}}\) by running \(\mathtt {\mathtt {SamplePre}(\mathbf {A_i,q,T_{A,i}},s,\mathbf {u}^{(i)})}\). It returns the attribute-based secret key \(usk[i]=\mathtt {sk_{\mathbb {A}_i}=(\mathbf {z}_{i},w^{(i)},\mathbf {d}^{(i)})}\), where the tuple \(\mathtt {\mathbf {d}^{(i)}=(d_{j_1}^{(i)},\ldots ,d_{j_k}^{(i)})}\) describes the attribute set \(\mathtt {\mathbb {A}_{i}}\) of user \(\mathtt {i}\).
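
The tree step above is easier to follow on concrete data. The following is an added example, not the paper's code: attribute leaves \(\mathbf d_j\) as bit strings, the two-to-one hash \(F(\mathbf u,\mathbf v)=\mathtt{bin}(\mathbf A_0\mathbf u+\mathbf A_1\mathbf v \bmod q)\) of the lattice accumulator of [26] (written \(F_0(\mathbf u,\mathbf v)\) on this page), a `tcalc` that builds every level of the tree, a `twitness` that returns the path bits \((j_1,\ldots,j_l)\) with the sibling node at each level, and a `tverify` that recomputes the root. The witness shape is a simplification of the one displayed above, the toy parameters \(q=257\), \(n=3\) are constructed, and the function names are ours; the paper's exact \(\mathtt{Tcalc}\) and \(\mathtt{TWitness}\) are not reproduced on this page.

```python
import random

# Toy parameters (constructed): q = 257, n = 3, so bin() maps Z_q^3 to 27 bits.
Q, N = 257, 3
K = (Q - 1).bit_length()      # bits per Z_q coordinate
NK = N * K                    # length of every tree node in bits


def bin_decomp(vec):
    """bin(v) for v in Z_q^n: K-bit little-endian expansion of each coordinate."""
    return tuple((t >> i) & 1 for t in vec for i in range(K))


def mat_bits(A, bits):
    return tuple(sum(a * b for a, b in zip(row, bits)) % Q for row in A)


def lattice_hash(A0, A1, u0, u1):
    """F(u0,u1) = bin(A0 u0 + A1 u1 mod q): {0,1}^NK x {0,1}^NK -> {0,1}^NK.
    Collision resistance reduces to SIS for the matrix [A0 | A1] (not at toy size)."""
    acc = tuple((a + b) % Q for a, b in zip(mat_bits(A0, u0), mat_bits(A1, u1)))
    return bin_decomp(acc)


def keygen(rng):
    """Public hashing key: uniform A0, A1 in Z_q^{n x nK}, part of the public parameters."""
    return tuple(tuple(tuple(rng.randrange(Q) for _ in range(NK)) for _ in range(N))
                 for _ in range(2))


def tcalc(A, leaves):
    """Tcalc: build the full tree over 2^l leaves d_0..d_{2^l-1}.
    Returns the levels from the leaves up to [root]."""
    n = len(leaves)
    if n < 2 or n & (n - 1):
        raise ValueError("need 2^l leaves with l >= 1")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([lattice_hash(*A, cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def twitness(levels, j):
    """TWitness: path bits (leaf level first; bit b = position of the current node)
    and the sibling node at each level, i.e. the w_l, ..., w_1 of the witness."""
    bits, sibs = [], []
    for level in levels[:-1]:
        bits.append(j & 1)
        sibs.append(level[j ^ 1])
        j >>= 1
    return tuple(bits), tuple(sibs)


def tverify(A, root, leaf, witness):
    """TVerify: fold the leaf up the path; bit 0 means the node is a left child."""
    bits, sibs = witness
    node = leaf
    for b, sib in zip(bits, sibs):
        node = lattice_hash(*A, node, sib) if b == 0 else lattice_hash(*A, sib, node)
    return node == root


def demo(seed=3, n_leaves=8, j=5):
    """Accumulate 8 constructed attribute leaves, prove membership of leaf j,
    and show that the neighbouring leaf does not verify with j's witness."""
    rng = random.Random(seed)
    A = keygen(rng)
    # attribute leaves d_j = bin(v_j) for constructed v_j in Z_q^n
    leaves = [bin_decomp(tuple(rng.randrange(Q) for _ in range(N))) for _ in range(n_leaves)]
    levels = tcalc(A, leaves)
    root = levels[-1][0]
    w = twitness(levels, j)
    return tverify(A, root, leaves[j], w), tverify(A, root, leaves[j ^ 1], w)
```

In the signature the prover does not reveal \(j\) or the siblings; the zero-knowledge argument shows knowledge of a leaf and a path that hash to the public root, which is what keeps the attribute anonymous while still binding it to the accumulator.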

Challenge: When \(\mathtt {\mathcal { A}_{uan}}\) outputs \(\mathtt {(state,i_0,i_1,m)}\), the simulator picks a bit \(\mathtt {b\in \{0,1\}}\) and computes a signature \(\mathtt {\sigma _b\leftarrow \mathtt {ABGSign}(param,usk[i_b],m,\Gamma )}\); to do so it invokes \(\mathtt {\mathcal { B}_{SIVP}}\), which simulates two random messages \(\mathtt {m_0,m_1}\).

Furthermore, the simulator invokes \(\mathcal { B}_{ots}\) to simulate the keys of the OTS scheme by running \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}}\); the verification key \(vk_{ots}\) becomes part of the NIZK proof. \(\mathtt {\mathcal { B}_{SIVP}}\) signs \(\mathtt {vk_{ots}}\) using the simulated secret key \(\mathtt {usk[i]}\), where the secret key is simulated by a random guess that is correct with probability \(1/|\mathcal { K}|\) for key space \(\mathtt {\mathcal { K}}\). This guessing probability reduces the advantage of \(\mathtt {\mathcal { B}_{\gamma }}\) in winning the game; if the guess does not match the real secret key, the simulation aborts. The signing procedure then continues as follows. Taking \(\mathtt {K}\) and the verification key \(\mathtt {vk_{ots}}\) as message, it runs the encapsulation algorithm of the underlying DEM scheme, \(\mathtt {\hat{\sigma }=\mathtt {Encrypt}(vk_{ots})}\). Next, \(\mathtt {\mathcal { B}_{pke}}\) of the underlying encryption scheme is invoked and outputs a ciphertext encrypting the user's certificate \(\mathtt {cert_{i_b}}\) and the signature \(\mathtt {\hat{\sigma }}\), i.e. \(\mathtt {C\leftarrow \mathtt {Encrypt}(gmpk,\left\langle i_b,pk_{i_b},cert_{i_b},\hat{\sigma },R'\right\rangle )}\), where \(\mathtt {R'}\) is the randomness used in the NIZK proof. Then, on input the message m, the verification key \(\mathtt {vk_{ots}}\), the ciphertext C and the corresponding proof \(\mathtt {\pi }\), \(\mathtt {\mathcal { B}}_{sig}\) runs the signing algorithm of the OTS scheme and outputs \(\mathtt {\sigma _{ots}\leftarrow \mathtt {Sign}(m,vk_{ots},C,\pi )}\). The simulator also produces the NIZK proof \(\pi _1\) of the ABS scheme, which shows possession of a valid tuple \(\mathtt {(\mathbf {z_i}, \mathbf {d^{(i)}}, \mathbf {w^{(i)}}, \mathbf {x_i})}\), and proves that \(\mathtt {C}\) is an encryption of \(\mathtt {(j_1,\ldots ,j_l)}\) under the random values \(\mathtt {\mathbf {x_i}}\). The final signature is \(\mathtt {\Sigma =(C,\pi )}\). Whenever \(\mathtt {\mathcal { A}_{uan}}\) submits a query \(\mathtt {(C,\pi ')}\) to the opening oracle, the simulator invokes \(\mathtt {\mathcal { B}_{pke}}\) and forwards the query to its decryption oracle. Finally \(\mathtt {\mathcal { A}_{uan}}\) outputs its guess bit and the simulation terminates.

Distinguisher for Zero-Knowledge. The distinguisher for the NIZK proof is given by the following algorithm \(\mathtt {\mathcal { D}(choose,\lambda ,R')}\):

  • (1.) \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}(1^{\lambda })}\)

  • (2.) \(\mathtt {(gmpk,gmsk)\leftarrow \mathtt {Setup}_e(1^{\lambda })}\)

  • (3.) \(\mathtt {(pk_{kia},sk_{kia})\leftarrow \mathtt {Setup}_s(1^{\lambda })}\)

  • (4.) \(\mathtt {(crs,R')\leftarrow \mathtt {SIM}(generate,\lambda )}\)

  • (5.) Set \(\mathtt {gpk=(\lambda ,R',gmpk,pk_{kia},vk_{ots})}\)

  • For all users \(\mathtt {i\in [n]}\): run \(\mathtt {(pk_i,sk_i)\leftarrow \mathtt {Setup}_s(1^{\lambda })}\) and compute \(\mathtt {cert_i\leftarrow \mathtt {Sign}(sk_{kia},\left\langle i,pk_i\right\rangle )}\). Then:

  • (a). \(\mathtt {(state,i_0,i_1,m^{*},vk_{ots}^{*},\Gamma ^{*})\leftarrow \mathcal { A}_{uan}^{\mathcal { O}\mathtt {ABGOpen}(\cdot )}(\cdot )}\);

  • (b). \(\mathtt {b\in \{0,1\},R\in \{0,1\}^{\lambda }}\);

  • (c). \(\mathtt {C^{*}\leftarrow \mathtt {Encrypt}(gmpk,\left\langle i_b,pk_{i_b},cert_{i_b},\hat{\sigma }^{*},R'\right\rangle )}\);

  • (d). \(\mathtt {\sigma _{ots}\leftarrow \mathtt {Sign}_{ots}(m^{*},vk_{ots}^{*},C^{*},\pi ^{*})}\).

We note that the distinguisher \(\mathtt {\mathcal { D}}\) can answer every query of \(\mathtt {\mathcal { A}_{uan}}\), because it holds the group manager's secret key and can therefore open signatures. The output of the challenge phase is a statement \(\mathtt {(pk_e,pk_s,m,C)}\) together with a witness. In the second stage the distinguisher receives a proof \(\mathtt {\pi }\) (real or simulated), assembles the group signature \(\mathtt {\Sigma =(C,\pi ,\sigma _{ots})}\) and hands it to the adversary \(\mathtt {\mathcal { A}_{uan}}\). Finally \(\mathtt {\mathcal { D}}\) outputs whatever \(\mathtt {\mathcal { A}_{uan}}\) outputs.

Soundness of the NIZK proof. To prove simulation soundness of the NIZK proof we consider the following game, in which an adversary \(\mathtt {\mathcal { A}_{ss}}\) against simulation soundness plays against a challenger that is implemented by the adversary against our ABGS scheme:

  • (1.) \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}(1^{\lambda })}\)

  • (2.) \(\mathtt {(gmpk,gmsk)\leftarrow \mathtt {Setup}_e(1^{\lambda })}\)

  • (3.) \(\mathtt {(pk_{kia},sk_{kia})\leftarrow \mathtt {Setup}_s(1^{\lambda })}\)

  • (4.) \(\mathtt {(crs,R')\leftarrow \mathtt {SIM}(generate,\lambda )}\)

  • (5.) Set \(\mathtt {gpk=(\lambda ,R',gmpk,pk_{kia},vk_{ots})}\)

  • For all users \(\mathtt {i\in [n]}\): run \(\mathtt {(pk_i,sk_i)\leftarrow \mathtt {Setup}_s(1^{\lambda })}\) and compute \(\mathtt {cert_i\leftarrow \mathtt {Sign}(sk_{kia},\left\langle i,pk_i\right\rangle )}\). Then:

  • (a). \(\mathtt {m^{*},\Gamma ^{*},\sigma ^{*}\leftarrow \mathcal { A}_{uan}^{\mathcal { O}\mathtt {ABGOpen}(param,gmsk,\cdot )}(param,msk,\cdot )}\);

  • (b). \(\mathtt {C\leftarrow \mathtt {Encrypt}(pk_e,\left\langle i_b,pk_{i_b},cert_{i_b},\sigma _b,R'\right\rangle )}\);

  • (c). \(\mathtt {\sigma _{ots}\leftarrow \mathtt {Sign}_{ots}(m^{*},vk_{ots}^{*},C^{*},\pi ^{*})}\);

  • (d). \(\mathtt {\pi \leftarrow \mathtt {SIM}(prove,crs,param,m^{*},\sigma ^{*},sk_{\mathbb {A}},\Gamma ^{*})}\).

Make oracle queries to \(\mathcal { O}\mathtt {ABGKeyGen}\) to simulate the user's attribute-based secret key \(\mathtt {sk_{\mathbb {A}_i}}\).

Run \(\mathtt {\mathtt {Verify}(param,\sigma _{ots},\pi ,C)}\) of the NIZK proof. If \(\mathtt {\mathcal { A}_{uan}}\) outputs a valid tuple \(\mathtt {(\sigma _{ots},\pi ',C)}\), output \(\mathtt {(param,crs,\sigma _{ots},\pi ',C)}\).

Due to the page limit we only state the final bound on the adversary's success; the detailed analysis is deferred to the full version of this paper. The advantage of the adversary \(\mathtt {\mathcal { A}_{uan}}\) is bounded by the following combined inequality:

$$\begin{aligned} \mathtt {Adv_{\mathcal { A}_{uan},ABGS}^{U-ANO}\le Adv_{\mathcal { A}_{ss},NIZK}^{Sim-Sound}+Adv_{\mathcal { A}_{ind},PKE}^{IND-CCA}+Adv_{\mathcal { A}_{zk},NIZK}^{Zero-Knowledge}} \end{aligned}$$

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Kuchta, V., Sahu, R.A., Sharma, G., Markowitch, O. (2018). On New Zero-Knowledge Arguments for Attribute-Based Group Signatures from Lattices. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. ICISC 2017. Lecture Notes in Computer Science(), vol 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_16

  • DOI: https://doi.org/10.1007/978-3-319-78556-1_16

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78555-4

  • Online ISBN: 978-3-319-78556-1
