A structure-preserving linearly homomorphic signature scheme with designated combiner

Our contributions

In this article, we first prove that there is a polynomial time adversary that can crack the secret information in LZZ22 through multiple signature queries. Then, the adversary is able to forge the signature corresponding to any message.

Secondly, we propose a new scheme, which has all the functions of LZZ22 and fixes the security problem by changing the secret information with the message by adding one hash operation and one exponential operation to the signature algorithm. Meanwhile, we detail how to apply our scheme to the proxy signature.

Finally, we run the signature forgery program of LZZ22 through experiments, and the results show that the time required to forge a signature is inversely proportional to the message dimension. We run the proposed scheme in the same experimental environment and compare it with other LHS schemes. The experimental results show that the signature algorithm and the verification algorithm of our scheme are efficient, and that the usage of system resources by our algorithm is low.

Related works

Desmedt (1993) introduced the concept of HS, and Johnson et al. (2002) introduced its formal definition and general framework in 2002. Afterward, many HS schemes appeared (Cheng et al., 2016; Li et al., 2018; SadrHaghighi & Khorsandi, 2016; Catalano, Fiore & Warinschi, 2014; Gorbunov, Vaikuntanathan & Wichs, 2015; Zhang, Jianping & Ting, 2012; Aranha & Pagnin, 2019), including one in which, LHS supports linear homomorphic operations on messages. However, the early LHS schemes lack strict security proof and are not practical. In 2009, Boneh et al. (2009) constructed the first provably secure LHS scheme under the random oracle model. In this scheme, each file is regarded as a linear vector subspace, and the source node signing the basis vectors of the subspace is equivalent to signing the whole file. Gennaro et al. (2010) proposed the first LHS scheme based on the RSA difficult problem. This scheme reduces the cost compared with the scheme in Boneh et al. (2009). To achieve the function of anti-quantum attacks, Boneh & Freeman (2011) proposed the first lattice-based LHS scheme in 2011. The security of the scheme is based on the SIS difficulty problem. The signature verification of the scheme is completed in the binary domain. Chen, Lei & Qi (2016) constructed the first LHS scheme based on the SIS difficulty problem under the standard model. This scheme can resist weak adversaries and provide weak context-hidden privacy. In 2018, Lin et al. (2018) constructed the first ID-based LHS scheme by introducing ID-based signature technology. This scheme uses the user’s identity ID as the public key, which avoids the disadvantage of difficult key management. Zhang et al. (2018) proposed a more efficient ID-based LHS scheme, Zhang18. However, their scheme does not augment the original vector, so it is not suitable for network coding. Moreover, ID-based LHS schemes suffer from key escrow problems. In 2021, Wu, Wang & Yao (2021) constructed a certificate-free LHS scheme Wu21 for network coding. Their scheme avoids both the certificate management problem and the key escrow problem.

Lin, Xue & Huang (2021) and Lin et al. (2017) proposed two LHSDC schemes to make the LHS scheme applicable in scenarios that need to designate a combiner or verifier, Lin17 and Lin21. The latter made up for the former’s lack of public verifiability. In both schemes, only the designated combiner has the right to combine the original signature. However, the combined signature structure in Lin, Xue & Huang (2021) and Lin et al. (2017) has changed, so that the combined signature can no longer be used as the input of the combination algorithm. In 2022, Li, Zhang & Zhang (2022) proposed the first SPS-LHSDC scheme LZZ22 based on the Lin21. In the SPS-LHSDC scheme, the combined signature has the same signature structure as the original signature, so it can still be used as the input of the combination algorithm. This function enables the SPS-LHSDC scheme to be used in certain scenarios. However, the scheme LZZ22 has a security problem.

Organization

The overall structure of the rest of this article is as follows. In the “Preliminaries” section, we introduce some preliminaries. In the “The Security Problem of LZZ22”, we analyze the security of LZZ22 and then construct a signature forgery algorithm for LZZ22. In “The proposed Scheme” section, we propose a new SPS-LHSDC scheme and prove the correctness and security of the scheme. In the “Application and Security Analysis” section, we first describe how to apply the scheme in this article to proxy signature, and then run the signature forgery experiment of LZZ22 and compared the efficiency of our scheme with four other LHS schemes. Finally, we summarize the full text and describe future research directions in the Conclusions.

Symmetric bilinear mapping

In 1991 Menezes, Vanstone & Okamoto (1991) proposed symmetric bilinear mapping which is defined as follows.

Let ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ be groups of order $q$. If a mapping $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ satisfies:

1. Calculability: $\mathrm{\forall }g\in {\mathbb{G}}_1$, solving $e\left(g,g\right)$ is efficient;

2. Bilinear: $\mathrm{\forall }a$, $b\in {\mathbb{Z}}_q$, $g\in {\mathbb{G}}_1$, all satisfy $e\left(g^a,g^b\right)=e(g,g{)}^{ab}$;

3. Non-degenerate: $\mathrm{\exists }g\in {\mathbb{G}}_1$, makes $e\left(g,g\right)\ne 1$.

The mapping is called symmetric bilinear mapping.

Definition 1: (computational Diffie-Hellman problem (CDH)) (Boneh, 1998). Given a triple $(g,g^a,g^b)$, where $g$ is the generator of ${\mathbb{G}}_1$, $a,b{\leftarrow }_R{\mathbb{Z}}_q^{\ast }$ are two unknown elements, solve $g^{ab}$.

Definition 2: (CDH assumption) (Boneh, 1998). If for any probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$, the probability of solving the CDH problem is negligible, then it is difficult to solve the CDH problem in ${\mathbb{G}}_1$.

The augmented basis vector

In an LHS scheme, a file is usually divided into a set of $n$-dimensional original vectors ${\overline{\mathrm{v}}}_1,{\overline{\mathrm{v}}}_2,\dots ,{\overline{\mathrm{v}}}_m\in {\mathbb{Z}}_q^n$, where ${\overline{\mathrm{v}}}_i=\left(v_{i1},v_{i2},\dots ,v_{in}\right)$, $i\in \left\{1,2,\dots ,m\right\}$, $q$ is a large prime. To ensure that receivers in the network can recover this set of vectors, the set of original vectors will be augmented to ensure that they are linearly independent. The augmentation operation of this set of vectors is as follows (Boneh et al., 2009): For each $i\in \left\{1,2,\dots ,m\right\}$, let

(1) $${\mathrm{v}}_i=\left(v_{i1},\dots ,v_{in},v_{i\left(n+1\right)},\dots ,v_{i\left(n+m\right)}\right)\in {\mathbb{Z}}_q^N,$$where

(2) $$v_{i\left(n+j\right)}=\{\begin{array}{cc}1,j=i& \\ 0,j\ne i& \end{array}i,j=1,2,\dots ,m.$$

Among them, $N=n+m$, add a $m$-dimensional unit vector (the $i$-th bit of this unit vector is “ $1$”, and the rest bits are “ $0$”) after the basis vector ${\overline{\mathrm{v}}}_i$. This set of vectors after the augmentation operation becomes a set of basis vectors of the subspace to which the original file belongs due to its linear-independent property.

The formal definition of SPS-LHSDC

Definition 3: The SPS-LHSDC scheme consists of five PPT algorithms (Li, Zhang & Zhang, 2022):

• Setup $(1^{\lambda },N)\to (pp)$: The algorithm inputs the security parameter $1^{\lambda }$ and the dimension N, outputs the system public parameter $pp$;

• KeyGen $(pp)\to (sk,pk)$: The algorithm inputs $pp$ and outputs a private key $sk$ and the corresponding public key $pk$;

• Sign $(pp,s{k}_A,p{k}_B,id,{\mathrm{v}}_k)\to (\tau ,{\sigma }_k)$: The algorithm inputs $pp$, the signer’s private key $s{k}_A$, the combiner’s public key $p{k}_B$, file identifier $id$ and vector ${\mathrm{v}}_k$, and outputs the subspace label $\tau$ and signature ${\sigma }_k$;

• Combine $\left(pp,p{k}_A,s{k}_B,\tau ,{\left\{\left({\mathrm{v}}_k,{\sigma }_k,{\beta }_k\right)\right\}}_{k=1}^m\right)\to (\mathrm{v},\sigma )$: The algorithm inputs $pp$, $p{k}_A$, $s{k}_B$, $\tau$ and $m$ triples ${\left\{\left({\mathrm{v}}_k,{\sigma }_k,{\beta }_k\right)\right\}}_{k=1}^m$, where ${\beta }_k\in {\mathbb{Z}}_q^{*}$, outputs a message/signature pair $(\mathrm{v},\sigma )$;

• Verify $(pp,p{k}_A,\tau ,\mathrm{v},\sigma )\to (0,1)$: The algorithm inputs $pp$, $p{k}_A$, $\tau$, $\mathrm{v}$, and $\sigma$. If $\sigma$ is the legal signature of vector $\mathrm{v}$, the algorithm outputs 1; otherwise, the algorithm outputs 0.

Security analysis of the LZZ22

Li et al. used a similar method as Boneh et al. (2009) to prove that LZZ22 is secure against existential forgery on adaptively chosen subspace attacks under the random oracle model. However, the security model of the SPS-LHSDC scheme has one more type of forgery (Type 3 Forgery) than Boneh et al. (2009). Li, Zhang & Zhang (2022) actually only proves that the LZZ22 scheme can resist Type 1 Forgery and Type 2 Forgery. Type 3 Forgery exists in SPS-LHSDC because requires that no entity other than the designated combiner combine original signatures to generate a new signature. Type 3 Forgery without knowing the private key of the designated combiner, can obtain the signature of a new message. Below, we analyze the feasibility of Type 3 Forgery in LZZ22.

LZZ22 designates a combiner by binding the combiner’s public key to the signature algorithm. The signer then shares a secret information with the combiner through key negotiation. The secret information can make the signatures generated by the signer temporarily lose the homomorphic property. Therefore, other entities in the system cannot combine signatures, and the combiner who has the secret information can restore the homomorphic property of the signature, thereby obtaining the authority to combine signatures. Thus, the key to realizing the function of designating a combiner is that only the signer and the designated combiner have the secret information. An adversary that can decrypt the secret information in LZZ22 can pretend to be the designated combiner and make any combination of the original signatures to forge a new message/signature pair. Next, we explore a theoretical way to crack LZZ22’s secret information.

In LZZ22, the document will be divided into $m$ message vectors ${\left\{{\mathrm{v}}_i\right\}}_{i=1}^m$, where ${\mathrm{v}}_i=\left(v_{i1},v_{i2},\dots ,v_{i,m+n}\right)$, $i\in \left\{1,2,\dots ,m\right\}$, and the signer signs these message vectors, respectively. The signature corresponding to the $k$-th message vector is ${\sigma }_k={\left({\displaystyle {\prod }_{i=1}^n{g}_i^{v_{k,i}}}{\displaystyle {\prod }_{j=1}^m{H}_1{\left(\tau ,j\right)}^{v_{k,n+j}}}{u}_B\right)}^{a_A}$, where ${\left\{g_i\right\}}_{i=1}^n$ are the generators of $G_1$, $\tau$ is the subspace label, $H_1$ is a hash map: ${\left\{0,1\right\}}^{\ast }\to G_1$, $u_B$ is the public key of the designated combiner, $a_A$ is the private key of the signer. ${u_B}^{a_A}={u_A}^{a_B}=g^{a_A{a}_B}$, so ${u_B}^{a_A}$ is the secret information shared by the signer and the designated combiner. However, ${u_B}^{a_A}$ is a fixed value and can be obtained by division between two different signatures. If the adversary finds out the value of ${u_B}^{a_A}$, he obtains the authority to combine signatures, thereby forging a new message/signature pair.

Signature forgery

The specific requirements of Type 3 Forgery in the SPS-LHSDC security model (Li, Zhang & Zhang, 2022) are as follows:

• The adversary $\mathcal{A}$ does not know the private key of the combiner.

• $\mathcal{A}$ has queried the subspace V, that is, $\mathcal{A}$ knows a set of basis vectors ${\left\{{\mathrm{v}}_i\right\}}_{i=1}^m$ of subspace V and the corresponding signature ${\left\{{\sigma }_i\right\}}_{i=1}^m$.

• $\mathcal{A}$ generates a legal signature for a non-zero vector ${\mathrm{v}}^{\ast }$, and ${\mathrm{v}}^{\ast }$ must be obtained by a linear combination of ${\left\{{\mathrm{v}}_i\right\}}_{i=1}^m$.

According to the requirements of Type 3 Forgery and the security vulnerability of the LZZ22 scheme, if the adversary $\mathcal{A}$ wants to forge the signature ${\sigma }^{\ast }$ of a vector ${\mathrm{v}}^{\ast }$, $\mathcal{A}$ first needs to find the secret information $u_B^{a_A}$ shared by the signer and combiner by asking for two different signature values (Step 1). The adversary then represents the attempted forged vector ${\mathrm{v}}^{\ast }$ with a set of basis vectors ${\left\{{\mathrm{v}}_i\right\}}_{i=1}^m$ of subspace V (Step 2). Finally, the adversary, with the secret information $u_B^{a_A}$, will be able to assume the identity of the combiner and run the Combine in LZZ22 to obtain the legal signature of the vector ${\mathrm{v}}^{\ast }$ (Step 3). The specific steps are as follows:

Step 1: Queries the signature ${\sigma }_0$ of any message ${\mathrm{v}}_0$ and the signature ${\sigma }_{00}=\frac{{\sigma }_0^2}{u_B^{a_A}}$ of message $2{\mathrm{v}}_0$; get $u_B^{a_A}=\frac{{\sigma }_0^2}{{\sigma }_{00}}$.

Step 2: After querying the subspace V where the message ${\mathrm{v}}^{\ast }$ is located, a set of basis vector/signature pairs ${\left\{{\mathrm{v}}_i,{\sigma }_i\right\}}_{i=1}^m$ of the subspace V is obtained, and ${\mathrm{v}}^{\ast }$ can be decomposed into

(5) $${\mathrm{v}}^{\ast }=\sum _{i=1}^m{\beta }_i{\mathrm{v}}_i.$$

Step 3: Calculates ${\sigma }_i^{\ast }=\frac{{\sigma }_i}{u_B^{a_A}},i=1,2,\dots ,m$, respectively, and gets the signature corresponding to ${\mathrm{v}}^{\ast }$:

(6) $$\begin{array}{ll}{\sigma }^{*}& =\left(\prod _{i=1}^m{\sigma }_i^{*{\beta }_i}\right)\cdot u_B^{a_A}\\ & =\left({\displaystyle \prod _{i=1}^m{\left(\frac{{\sigma }_i{\sigma }_{00}}{{\sigma }_0^2}\right)}^{{\beta }_i}}\right)\cdot \frac{{\sigma }_0^2}{{\sigma }_{00}}.\end{array}$$

The correctness of the message/signature pair $({\mathrm{v}}^{\ast },{\sigma }^{\ast })$ is obvious. The key to the successful forgery above is that the adversary $\mathcal{A}$ finds out the secret information $u_B^{a_A}$ shared by the signer and the designated combiner. This type of forgery satisfies the condition of the Type 3 forgery.

In this section, we find that the root cause of the insecurity of the LZZ22 scheme is that the secret information ${u_B}^{a_A}$ shared by the signer and the specified combinator is a fixed value, and this fixed value can be easily separated from the signature. Our signature forgery approach can attack some digital signature schemes with the same characteristics: (1) some of the important information in the signature is a fixed value; (2) this fixed value can be derived by arithmetic among multiple signatures. In the next section, we propose a more secure scheme. Compared with the LZZ22 scheme, our scheme adds a hash function value of the message ${\mathbf{v}}_k$ to the index part of the secret information ${u_B}^{a_A}$. If the adversary wants to obtain the secret information, it will need to solve the discrete logarithm problem, so our scheme ensures the security of secret information.

Construction

The proposed scheme is composed of five algorithms, Setup is responsible for generating initialization parameters, KeyGen is responsible for generating public/private keys of the user and the designated combiner, Sign is run by the signer and is responsible for generating the original signature, Combine is run by the designated combiner and is responsible for generating the combined signature from the original signature. The Verify algorithm is responsible for verifying the legitimacy of all signatures. The details of each algorithm are as follows:

• Setup $(1^{\lambda },N)\to (pp)$: The algorithm inputs the security parameter $1^{\lambda }$ and a positive integer N, then:

  1) Two multiplicative cyclic groups ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ with large prime $q$ are randomly selected, where $q>2^{\lambda }$, a bilinear mapping $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$.

  2) The generators $g,g_1,\dots g_N$ is randomly selected in the group ${\mathbb{G}}_1$.

  3) Selects two hash function $H_1:{\left\{0,1\right\}}^{\ast }\to {\mathbb{G}}_1$ and $H_2:{\mathbb{Z}}_q^N\to {\mathbb{Z}}_q^{*}$.

  4) Outputs system public parameter $pp=\left({\mathbb{G}}_1,{\mathbb{G}}_2,q,e,g,g_1,\dots g_N,H_1,H_2\right)$.

• KeyGen $(pp)\to (sk,pk)$: The algorithm inputs $pp$, when the signer runs the algorithm, randomly selects ${\alpha }_A\in {\mathbb{Z}}_q^{\ast }$ as the signer’s private key $s{k}_A$, and calculates $u_A=g^{{\alpha }_A}$ as the signer’s public key $p{k}_A$; when the designated combiner runs the algorithm, randomly selects ${\alpha }_B\in {\mathbb{Z}}_q^{\ast }$ as the designated combiner’s private key $s{k}_B$, calculates $u_B=g^{{\alpha }_B}$ as the public key $p{k}_B$ of the designated combiner.

• Sign $(pp,s{k}_A,p{k}_B,id,{\mathrm{v}}_k)\to (\tau ,{\sigma }_k)$: The algorithm inputs $pp$, $s{k}_A=a_A$, $p{k}_B=u_B$, the file identifier $id\in {\left\{0,1\right\}}^{\lambda }$ and the vector ${\mathrm{v}}_k\in {\mathbb{Z}}_q^N$, then outputs the subspace label $\tau =(id,p{k}_B)$ and the signature

  (7) $${\sigma }_k={\left(\prod _{i=1}^n{g}_i^{v_{k,i}}\prod _{j=1}^m{H}_1{\left(\tau ,j\right)}^{v_{k,n+j}}{u_B}^{H_2({\mathbf{v}}_k)}\right)}^{a_A}.$$

• Combine $\left(pp,p{k}_A,s{k}_B,\tau ,{\left\{\left({\mathrm{v}}_k,{\sigma }_k,{\beta }_k\right)\right\}}_{k=1}^m\right)\to (\mathrm{v},\sigma )$: The algorithm inputs $pp$, $p{k}_A=u_A$, $s{k}_B=a_B$, $\tau$, and $m$ triples ${\left\{\left({\mathrm{v}}_k,{\sigma }_k,{\beta }_k\right)\right\}}_{k=1}^m$, where ${\beta }_k\in {\mathbb{Z}}_q^{\ast }$. The designated combiner calculates and outputs:

  (8) $$v={\displaystyle \sum _{k=1}^m{\beta }_k{v}_k},$$ (9) $$\sigma =u_A^{a_B{H}_2\left(\mathbf{v}\right)}\prod _{k=1}^m{\left({\sigma }_k{(u_A^{a_B{H}_2\left({\mathbf{v}}_k\right)})}^{-1}\right)}^{{\beta }_k}.$$

• Verify $(pp,p{k}_A,\tau ,\mathrm{v},\sigma )\to (0,1)$: The algorithm inputs $pp$, $p{k}_A=u_A$, $\tau$, the vector $\mathrm{v}$, and the signature $\sigma$. If $e\left(\sigma ,g\right)=e\left(\prod _{i=1}^n{g}_i^{v_i}\prod _{j=1}^m{H}_1{\left(\tau ,j\right)}^{v_{n+j}}{u_B}^{H_2(\mathbf{v})},u_A\right)$ holds, the algorithm outputs 1; otherwise, it outputs 0.

Correctness

The correctness of the proposed scheme consists of two parts, namely the correctness of the signature algorithm and the correctness of the combination algorithm.

Security analysis

In this section, we use a game to prove the security of the scheme. Our general idea is to assume that there exists a PPT adversary $\mathcal{A}$ that can forge a message/signature pair of our scheme with a non-negligible probability $ϵ$. Then we will show that there exists another PPT algorithm $\mathcal{B}$, and that $\mathcal{B}$ can crack the CDH problem by interacting with $\mathcal{A}$ with another non-negligible probability ${ϵ}^{\mathrm{\prime }}$. According to the CDH assumption that there exists no PPT algorithm that can crack the CDH problem with a non-negligible probability, therefore, we conclude that there exists no PPT adversary $\mathcal{A}$ that can achieve forgery with a non-negligible probability, thus proving the security of this scheme. In our proof process, we first define the type of queries that adversary $\mathcal{A}$ is able to make (capabilities of $\mathcal{A}$) and the way $\mathcal{B}$ replies, and find the probability ${ϵ}_1$ that $\mathcal{B}$ is able to successfully simulate the system based on the way $\mathcal{B}$ replies (the probability that $\mathcal{B}$ has not given up the simulation). Then, assuming that $\mathcal{A}$ has output a valid forgery with probability $ϵ$, we find the probability ${ϵ}_2$ that $\mathcal{B}$ correctly outputs a solution to the CDH problem using the forgery of $\mathcal{A}$. Finally, if all of the above events hold true, we obtain the probability that $\mathcal{B}$ cracks the CDH problem as ${ϵ}^{\mathrm{\prime }}={ϵ}_1{ϵ}_2ϵ$. Since ${ϵ}_1$, ${ϵ}_2$, and $ϵ$ are not negligible, ${ϵ}^{\mathrm{\prime }}$ is not negligible. By the converse method, we conclude that PPT adversary $\mathcal{A}$ cannot crack our scheme with non-negligible probability $ϵ$. The specific proof process is as follows.

Theorem 1. If there is a PPT adversary $\mathcal{A}$ who can break the proposed scheme with a non-negligible probability $ϵ$, then there is another PPT algorithm $\mathcal{B}$ that can solve the CDH problem with a non-negligible probability ${ϵ}^{\mathrm{\prime }}\ge e^2(1-\frac{1}{q_s{q}_h})(1-\frac{1}{q})ϵ$, where $q_s$ and $q_h$, respectively represent the number of Sign Query and ${\mathit{H}}_1$ Query.

Proof. Suppose there is an adversary $\mathcal{A}$ that meets the above conditions, then we will construct another PPT algorithm $\mathcal{B}$, $\mathcal{B}$ will call $\mathcal{A}$ as a subroutine, and obtain $g^{ab}$ from the known public parameters $pp=(q,G_1,G_2,e,g)$ and $(g^a,g^b)$, where $g\in G_1;a,b{\leftarrow }_R{Z}_q^{\ast }$.

• Setup: $\mathcal{B}$ Selects a large integer N, then:

  1) Randomly selects $s_1,s_2,\dots ,s_N\in {\mathbb{Z}}_q^{*}$, calculates $g_j={\left(g^b\right)}^{s_j}$ for $j\in [1,N]$;

  2) Lets $p{k}_A=g^a=u_A$, publishes the parameter $pp=(q,G_1,G_2,e,g,g_1,g_2,\dots ,g_N)$;

  3) Sends $p{k}_A$ and $pp$ to $\mathcal{A}$.

• Combiner-Key Generation Query: $\mathcal{A}$ will initiate multiple queries. $\mathcal{B}$ denotes the $t$-th query as $(p{k}_B^{\left(t\right)},s{k}_B^{\left(t\right)})$, and guesses that the T-th query corresponds to the final forgery of $\mathcal{A}$. $\mathcal{B}$ creates a list $L_k$ to record this query, and each record in $L_k$ is $(t,p{k}_B^{\left(t\right)},s{k}_B^{\left(t\right)})$. When $\mathcal{A}$ initiates this query, then $\mathcal{B}$:

  1) If $t\ne T$, $\mathcal{B}$ selects $y_t{\leftarrow }_R{\mathbb{Z}}_q^{\ast }$ as the private key $s{k}_B^{\left(t\right)}$, then calculates and returns the corresponding public key $p{k}_B^{\left(t\right)}=g^{y_t}$ to $\mathcal{A}$;

  2) If $t=T$, $\mathcal{B}$ selects $y_t{\leftarrow }_R{\mathbb{Z}}_q^{\ast }$, lets the public key $p{k}_B^{\left(t\right)}=g^{b{y}_t}=u_B$. Neither $\mathcal{A}$ nor $\mathcal{B}$ knows the private key $s{k}_B^{\left(T\right)}$ corresponding to $p{k}_B^{\left(t\right)}$. $\mathcal{B}$ stores $\left(t,p{k}_B^{\left(t\right)},s{k}_B^{\left(t\right)}\right)$ into list $L_k$ and returns $p{k}_B^{\left(t\right)}$ to $\mathcal{A}$.

• Combiner Corruption Query: When $\mathcal{A}$ initiates this query, $\mathcal{A}$ sends a combiner’s public key $p{k}_B^{\left(t\right)}$ to $\mathcal{B}$. If $t=T$, $\mathcal{B}$ gives up the simulation, otherwise, $\mathcal{B}$ queries the list $L_k$ and returns $s{k}_B^{\left(t\right)}$ to $\mathcal{A}$.

• ${\mathit{H}}_1$ Query: $\mathcal{B}$ builds a list $L_H$ to record the ${\mathit{H}}_{\mathbf{1}}$ Query, and each record in $L_H$ is $(\tau ,{\left\{{\zeta }_i,H_1\left(\tau ,i\right)\right\}}_{i=1}^m)$. When $\mathcal{A}$ initiates this query, $\mathcal{A}$ sends the subspace label $\tau$ to $\mathcal{B}$, then $\mathcal{B}$:

  1) If $\tau$ has already been queried, $\mathcal{B}$ queries the list $L_H$ and returns ${\left\{H_1\left(\tau ,i\right)\right\}}_{i=1}^m$;

  2) Otherwise, $\mathcal{B}$ selects ${\zeta }_1,{\zeta }_2,\dots ,{\zeta }_m{\leftarrow }_R{\mathbb{Z}}_q^{*}$ and calculates $H_1\left(\tau ,i\right)={\left(g^b\right)}^{{\zeta }_i}$ for $i\in [1,m]$. $\mathcal{B}$ stores $\left(\tau ,{\left\{{\zeta }_i,H_1\left(\tau ,i\right)\right\}}_{i=1}^m\right)$ into list $L_H$ and returns ${\left\{H_1\left(\tau ,i\right)\right\}}_{i=1}^m$.

• Sign Query: $\mathcal{A}$ queries for the signatures of the subspace $V\subset {\mathbb{Z}}_q^N$, then $\mathcal{B}$:

  1) Selects $id{\leftarrow }_R{\left\{0,1\right\}}^{\lambda }$ and let the label of the vector subspace V be $\tau =(id,p{k}_B^{\left(t\right)})$. If $H_1\left(\tau ,\cdot \right)$ has already been queried, then $\mathcal{B}$ aborts the simulation;

  2) Lets $m=N-n$, calculates ${\zeta }_i=-{\sum }_{j=1}^n{s}_j{v}_{ij}$ for $i=1,\dots ,m$;

  3) Selects a value $z_i{\leftarrow }_R{\mathbb{Z}}_q^{\ast }$, lets $H_1\left(\tau ,i\right)=\frac{g^{z_i}{\left(g^b\right)}^{{\zeta }_i}}{p{k}_B^{\left(t\right)}}$;

  4) Calculates ${\sigma }_i=g^{a(z_i+H_2\left({\mathrm{v}}_i\right)-1)}$;

  5) Outputs label $\tau$ and signature ${\left\{{\sigma }_i\right\}}_{i=1}^m$.

• Combine Query: $\mathcal{A}$ sends $\left(p{k}_B^{\left(t\right)},\tau ,{\left\{{\beta }_i,{\mathrm{v}}_i,{\sigma }_i\right\}}_{i=1}^m\right)$ to $\mathcal{B}$, if $t=T$, then $\mathcal{B}$ gives up this simulation. Otherwise, then $\mathcal{B}$:

  1) Calculates $\mathrm{v}={\sum }_{i=1}^m{\beta }_i{\mathrm{v}}_i$;

  2) Calculates $\sigma =g^{s{k}_B^{\left(t\right)}{H}_2\left(\mathrm{v}\right)a}{\prod }_{i=1}^m{\left({\sigma }_i\cdot {(g^{s{k}_B^{\left(t\right)}{H}_2\left({\mathrm{v}}_i\right)a})}^{-1}\right)}^{{\beta }_i}$;

  3) Outputs label $\tau$ and message/signature pair $(\mathrm{v},\sigma )$.

• Output: In the above process, if $\mathcal{B}$ does not give up the simulation, the successful forgery of $\mathcal{A}$ means outputting a quadruple $(p{k}_B^{\ast },{\tau }^{\ast },{\mathrm{v}}^{\ast },{\sigma }^{\ast })$, where ${\mathrm{v}}^{\ast }\ne \mathbf{0}$, and Verify $\left(pp,p{k}_A,{\tau }^{\ast },{\mathrm{v}}^{\ast },{\sigma }^{\ast }\right)=1$. If ${\tau }^{\ast }$ has not appeared in the signature query, $\mathcal{B}$ computes and outputs $g^{ab}={\left(\frac{{\sigma }^{\ast }}{g^{a\left(y+H_2\left({\mathrm{v}}^{\ast }\right)-1\right)}}\right)}^{\frac{1}{\mathrm{s}\cdot {\mathrm{v}}^{\ast }}}$, where $\mathrm{s}=(s_1,\dots ,s_n,{\zeta }_1,\dots ,{\zeta }_m)$.

Below we prove that $\mathcal{B}$ successfully simulates the Setup, KeyGen, and Sign algorithm, and hash function $H_1$ without giving up the simulation. Since the Combine algorithm simulated by $\mathcal{B}$ runs completely according to the real algorithm, its correctness proof is ignored here.

Since $s_1,s_2,\dots ,s_N$ are randomly selected values, $g_1,g_2,\dots ,g_N$ are also random values, so $\mathcal{B}$ successfully simulates the algorithm Setup and KeyGen; and because ${\zeta }_1,{\zeta }_2,\dots ,{\zeta }_m$ are randomly selected values, the output of $H_1$ is also a random value, so $\mathcal{B}$ successfully simulates the hash function $H_1$. Below, we prove that $\mathcal{B}$ successfully simulates the Sign algorithm:

For the Sign algorithm, when the input parameter is $(pp,s{k}_A,p{k}_B^{\left(t\right)},id,\mathrm{v})$, where $s{k}_A=a,p{k}_B^{\left(t\right)}=u_B$, the corresponding real signature value is:

(12) $$\sigma ={\left(\prod _{i=1}^n{g}_i^{v_i}\prod _{j=1}^m{H}_1{\left(\tau ,j\right)}^{v_{n+j}}{u_B}^{H_2(\mathrm{v})}\right)}^a.$$

Substituting the query value $g_i={\left(g^b\right)}^{s_i},H_1\left(\tau ,j\right)=\frac{g^{z_j}{\left(g^b\right)}^{{\zeta }_j}}{u_B},u_B=g^{y_t}$ into the above formula, the result of the Sign Query is:

(13) $$\begin{array}{l}\begin{array}{ll}\sigma & ={\left({\displaystyle \prod _{i=1}^n{\left(g^b\right)}^{s_i{v}_i}}{\displaystyle \prod _{j=1}^m{\left(\frac{g^{z_j}{\left(g^b\right)}^{{\zeta }_j}}{u_B}\right)}^{v_{n+j}}}{g}^{y_t{H}_2\left(v\right)}\right)}^a\\ & ={\left(g^{b\left({\displaystyle {\sum }_{i=1}^n{s}_i{v}_i}+{\displaystyle {\sum }_{j=1}^m{\zeta }_j{v}_{n+j}}\right)}{g}^z{g}^{\left(H_2\left(v\right)-1\right)}\right)}^a\end{array}\\ \begin{array}{ll}& =g^{ab(s\cdot v)}{g}^{a(z+H_2\left(v\right)-1)}\\ & =g^{a(z+H_2\left(v\right)-1)}.\end{array}\end{array}$$

According to the construction of $\zeta$ in the Sign Query, $\mathrm{s}\cdot \mathrm{v}=0$ can be known, so the last equal sign in the above formula is established. It can be found that the output of the real signature algorithm Sign is consistent with the output of $\mathcal{B}$, so $\mathcal{B}$ successfully simulates the algorithm Sign.

Below we analyze the probability that $\mathcal{B}$ does not give up the simulation. Let $q_k,q_r,q_h,q_s,q_c$ denote the query number of Combiner-Key Generation Query, Combiner Corruption Query, ${\mathit{H}}_{\mathbf{1}}$ Query, Sign Query, and Combine Query, respectively. If $\mathcal{B}$ does not abandon the simulation, the following conditions need to be met during all queries:

1. The combiner public key corresponding to the final forged result of $\mathcal{A}$ was not used in $q_r$ times of Combiner Corruption Query initiated by $\mathcal{A}$, and this probability is $(1-\frac{1}{q_k}{)}^{q_r}$;

2. In the $q_s$ Sign Queries initiated by $\mathcal{A}$, none of the vector subspace labels used by $\mathcal{B}$ has been queried by $\mathcal{A}$ in ${\mathit{H}}_{\mathbf{1}}$ Query and this probability is $1-\frac{1}{q_s\cdot q_h}$;

3. In the $q_c$ Combine Queries initiated by $\mathcal{A}$, the public key of the combiner corresponding to the final forged result of $\mathcal{A}$ is not used, and the probability is $(1-\frac{1}{q_k}{)}^{q_c}$.

So the probability that $\mathcal{B}$ does not abandon the simulation is ${\left(1-\frac{1}{q_k}\right)}^{q_r}(1-\frac{1}{q_s\cdot q_h}){\left(1-\frac{1}{q_k}\right)}^{q_c}\ge e^2(1-\frac{1}{q_s\cdot q_h})$. Below we prove the correctness of the output of $\mathcal{B}$ when $\mathcal{B}$ does not give up on the simulation. Let $\mathcal{A}$ finally outputs the quadruple $(p{k}_B^{\ast },{\tau }^{\ast },{\mathrm{v}}^{\ast },{\sigma }^{\ast })$, and Verify $\left(pp,p{k}_A,{\tau }^{\ast },{\mathrm{v}}^{\ast },{\sigma }^{\ast }\right)=1$, then

(14) $$e\left({\sigma }^{\ast },g\right)=e\left(\prod _{i=1}^n{g}_i^{v_i^{\ast }}\prod _{j=1}^m{H}_1{\left(\tau ,j\right)}^{v_{n+j}^{\ast }}{u_B}^{H_2({\mathrm{v}}^{\ast })},u_A\right).$$

Substituting the query value $g_i={\left(g^b\right)}^{s_i},H_1\left({\tau }^{\ast },j\right)={\left(g^b\right)}^{{\zeta }_j},u_B=g^y$ into the above formula, we get

(15) $$\begin{array}{ll}e\left({\sigma }^{*},g\right)& =e\left(g^{b\left({\displaystyle {\sum }_{i=1}^n{s}_i{v}_i^{*}}+{\displaystyle {\sum }_{j=1}^m{\zeta }_j{v}_{n+j}^{*}}\right)}{g}^y{g}^{H_2\left(v^{*}\right)-1},u_A\right)\\ & =e\left(g^{ab(s\cdot v^{*})}{g}^{a(y+H_2\left(v^{*}\right)-1)},g\right).\end{array}$$

Therefore ${\sigma }^{\ast }=g^{ab(\mathrm{s}\cdot {\mathrm{v}}^{\ast })}{g}^{a(y+H_2\left({\mathrm{v}}^{\ast }\right)-1)}$, if $\mathrm{s}\cdot {\mathrm{v}}^{\ast }\ne 0$, then $g^{ab}={\left(\frac{{\sigma }^{\ast }}{g^{a\left(y+H_2\left({\mathrm{v}}^{\ast }\right)-1\right)}}\right)}^{\frac{1}{\mathrm{s}\cdot {\mathrm{v}}^{\ast }}}$. If $\mathrm{s}\cdot {\mathrm{v}}^{\ast }=0$, $\mathcal{B}$ will not output the value of $g^{ab}$ correctly. Event $\mathrm{s}\cdot {\mathrm{v}}^{\ast }=0$ occurs in the following three situations:

1. When the forgery of $\mathcal{A}$ belongs to the Type 1 Forgery. Since all values of $\mathrm{s}$ are randomly selected numbers in the space ${\mathbb{Z}}_q$, and ${\mathrm{v}}^{\ast }\ne \mathbf{0}$, so $\mathrm{s}\cdot {\mathrm{v}}^{\ast }$ is uniformly distributed in ${\mathbb{Z}}_q$, then $P\left(\mathrm{s}\cdot {\mathrm{v}}^{\ast }=0\right)=\frac{1}{q}.$

2. When the forgery of $\mathcal{A}$ belongs to the Type 2 Forgery. Since all values of $\mathrm{s}$ are randomly selected numbers in the space ${\mathbb{Z}}_q$, then $P\left(\mathrm{s}\cdot {\mathrm{v}}^{\ast }=0\right)=\frac{1}{q}$ in the same way.

3. When the forgery of $\mathcal{A}$ belongs to the Type 3 Forgery. All values of $\mathrm{s}$ are randomly selected numbers in space ${\mathbb{Z}}_{\mathbb{q}}$, ${\mathrm{v}}^{\ast }\in V-\{{\mathrm{v}}_1,{\mathrm{v}}_2,\dots ,{\mathrm{v}}_m\}$ and ${\mathrm{v}}^{\ast }\ne \mathbf{0}$, so the value of $\mathrm{s}\cdot {\mathrm{v}}^{\ast }$ is uniformly distributed in ${\mathbb{Z}}_{q-m}$, then $P\left(\mathrm{s}\cdot {\mathrm{v}}^{\ast }=0\right)=\frac{1}{q-m}$. Because of $q\gg m$, $P\left(\mathrm{s}\cdot {\mathrm{v}}^{\ast }=0\right)$ at this time is close to $\frac{1}{q}.$

In summary, the probability of event $\mathrm{s}\cdot {\mathrm{v}}^{\ast }\ne 0$ is $1-\frac{1}{q}.$ We set the probability that $\mathcal{A}$ successfully outputs a valid signature as $ϵ$, then $\mathcal{B}$ can correctly output the value of $g^{ab}$ with probability ${ϵ}^{\mathrm{\prime }}\ge e^2(1-\frac{1}{q_s\cdot q_h})(1-\frac{1}{q})ϵ$.

Since the CDH assumption is established, the probability ${ϵ}^{\mathrm{\prime }}$ of $\mathcal{B}$ correctly outputting $g^{ab}$ is negligible, so the probability $ϵ$ is negligible.