Multi-theorem Preprocessing NIZKs from Lattices

Abstract

Non-interactive zero-knowledge (NIZK) proofs are fundamental to modern cryptography. Numerous NIZK constructions are known in both the random oracle and the common reference string (CRS) models. In the CRS model, there exist constructions from several classes of cryptographic assumptions such as trapdoor permutations, pairings, and indistinguishability obfuscation. However, at the time of the initial publication of this work, we did not have constructions of NIZKs from standard lattice assumptions. In this work, we take an initial step toward constructing multi-theorem NIZKs for general \(\mathsf {NP}\) languages from standard lattice assumptions by considering a relaxation to the preprocessing model and a new model we call the designated-prover model. In the preprocessing model, a setup algorithm generates secret proving and verification keys for the prover and the verifier, respectively. In the designated-prover model, the proving key is secret, but the verification key is public. In both settings, the proving key is used to construct proofs and the verification key is used to check proofs. Finally, in the multi-theorem setting, both the proving and verification keys should be reusable for an unbounded number of theorems without compromising soundness or zero-knowledge. Previous constructions of NIZKs in the preprocessing model that rely on weaker assumptions like one-way functions or oblivious transfer are only secure in a single-theorem setting. Thus, constructing multi-theorem NIZKs in these relaxed models does not seem to be inherently easier than constructing them in the CRS model. In this work, we first construct a multi-theorem preprocessing NIZK argument from context-hiding homomorphic signatures. In fact, the construction is a designated-prover NIZK. We also show that using homomorphic commitments, we can get statistically sound proofs in the preprocessing and designated-prover models. Together with lattice-based instantiations of homomorphic signatures and commitments, we obtain the first multi-theorem NIZKs in the preprocessing and designated-prover models from standard lattice assumptions. Finally, we show how to generalize our construction to obtain a universally composable NIZK (UC-NIZK) in the preprocessing model from standard lattice assumptions. Our UC-NIZK relies on a simple preprocessing protocol based on a new primitive we call blind homomorphic signatures.

Appendices

Appendix A Lattice Preliminaries

In this section, we describe known results for lattice-based cryptography that we use for constructing blind homomorphic signatures and UC-secure preprocessing NIZKs (Appendix B).

Norms for vectors and matrices Throughout this work, we will always use the \(\ell _\infty \)-norm for vectors and matrices. This means that for a vector \(\mathbf {x}\), the norm \({ \Vert \mathbf {x} \Vert }\) is the maximal absolute value of an element in \(\mathbf {x}\). Similarly, for a matrix \(\mathbf {A}\), \({ \Vert \mathbf {A} \Vert }\) is the maximal absolute value of any of its entries. If \(\mathbf {x}\in \mathbb {Z}_{q}^n\) and \(\mathbf {A}\in \mathbb {Z}_{q}^{n \times m}\), then \({ \Vert \mathbf {x}^T \mathbf {A} \Vert } \le n \cdot { \Vert \mathbf {x} \Vert } \cdot { \Vert \mathbf {A} \Vert }\).

Learning with errors We first review the learning with errors (LWE) assumption [130]. Let \(n,m,q \in \mathbb {N}\) be positive integers and \(\chi \) be a noise distribution over \(\mathbb {Z}_q\). In the \(\mathsf {LWE}(n,m,q,\chi )\) problem, the adversary’s goal is to distinguish between the two distributions

$$\begin{aligned} (\mathbf {A}, \mathbf {A}^T \mathbf {s}+ \mathbf {e}) \quad \text {and} \quad (\mathbf {A}, \mathbf {u}) \end{aligned}$$

where \(\mathbf {A}\mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^{n \times m}\), \(\mathbf {s}\mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^n\), \(\mathbf {e}\leftarrow \chi ^m\), and \(\mathbf {u}\mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^m\).

When the error distribution \(\chi \) is a \(\beta \)-bounded discrete Gaussian distribution,¹⁵ and under mild assumptions on the modulus q, the \(\mathsf {LWE}(n,m,q,\chi )\) problem is as hard as approximating certain worst-case lattice problems such as \(\mathsf {GapSVP}\) and \(\mathsf {SIVP}\) on n-dimensional lattices to within a \(\tilde{O}(n \cdot q/\beta )\) factor by a quantum algorithm [130].¹⁶ Similar reductions of LWE to the classical hardness of approximating worst-case lattice problems are also known [5, 31, 115, 116, 121].

Short integer solutions We also review the short integers solution (SIS) assumption [9]. Let \(n,m,q,\beta \in \mathbb {N}\) be positive integers. In the \(\mathsf {SIS}(n, m, q, \beta )\) problem, the adversary is given a uniformly random matrix \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\) and its goal is to find a vector \(\mathbf {u}\in \mathbb {Z}_q^m\) with \(\mathbf {u}\ne \mathbf {0}\) and \({ \Vert \mathbf {u} \Vert } \le \beta \) such that \(\mathbf {A}\mathbf {u}= \mathbf {0}\).

For any \(m = \mathsf {poly}(n)\), \(\beta > 0\), and any sufficiently large \(q \ge \beta \cdot \mathsf {poly}(n)\), solving the \(\mathsf {SIS}(n,m,q,\beta )\) problem is as hard as approximating certain worst-case lattice problems such as \(\mathsf {GapSVP}\) and \(\mathsf {SIVP}\) on n-dimensional lattices to within a \(\beta \cdot \mathsf {poly}(n)\) factor [9, 114, 117, 118]. It is also implied by the hardness of the LWE problem.

The gadget matrix We define the “gadget matrix” \(\mathbf {G}= \mathbf {g}\otimes \mathbf {I}_n \in \mathbb {Z}_q^{n \times n \cdot { \lceil \log q \rceil }}\) where \(\mathbf {g}= (1, 2, 4, \ldots , 2^{{ \lceil \log q \rceil } - 1})\). We define the inverse function \({\mathbf {G}^{-1}}:\mathbb {Z}_q^{n \times m} \rightarrow \mathbb {Z}_q^{n { \lceil \log q \rceil } \times m}\) which expands each entry \(x \in \mathbb {Z}_q\) in the input matrix into a column of size \({ \lceil \log q \rceil }\) consisting of the bits of the binary representation of x. To simplify the notation, we always assume that \(\mathbf {G}\) has width m (in our construction, \(m = \Theta (n \log q)\)). Note that this is without loss of generality since we can always extend \(\mathbf {G}\) by appending zero columns. For any matrix \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\), we have that \(\mathbf {G}\cdot {\mathbf {G}^{-1}}(\mathbf {A}) = \mathbf {A}\).

Lattice trapdoors Although solving the SIS problem for a uniformly random matrix \(\mathbf {A}\) is believed to be hard, with some auxiliary trapdoor information (e.g., a set of short generating vectors for the lattice induced by \(\mathbf {A}\)), the problem becomes easy. Lattice trapdoors have featured in many applications and have been extensively studied [10, 14, 86, 113, 116]. Since the specific details of the constructions are not essential for understanding this work, we just recall the main properties that we require in the following theorem.

Theorem A.1

(Lattice Trapdoors [10, 14, 86, 113, 116])

Fix a security parameter \(\lambda \) and lattice parameters n, q, m, and a norm bound \(\beta \) where \(m = O(n \log q)\) and \(\beta = O(n \sqrt{\log q})\). Then, there exists a tuple of efficient algorithms \((\mathsf {TrapGen}, \mathsf {Sample}, \mathsf {SamplePre})\) with the following properties:

• \(\mathsf {TrapGen}(1^\lambda ) \rightarrow (\mathbf {A}, \mathsf {td})\): On input the security parameter \(\lambda \), the trapdoor generation algorithm outputs a rank-n matrix \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\) and a trapdoor \(\mathsf {td}\).

• \(\mathsf {Sample}(\mathbf {A}) \rightarrow \mathbf {U}\): On input a matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n \times m}\), the sampling algorithm returns a matrix \(\mathbf {U}\in \mathbb {Z}_q^{m \times m}\).

• \(\mathsf {SamplePre}(\mathbf {A}, \mathbf {V}, \mathsf {td}) \rightarrow \mathbf {U}\): On input a matrix \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\), a target matrix \(\mathbf {V}\in \mathbb {Z}_q^{n \times m}\), and a trapdoor \(\mathsf {td}\), the preimage sampling algorithm outputs a matrix \(\mathbf {U}\in \mathbb {Z}_q^{m \times m}\).

• The above algorithms satisfy the following properties. Take \((\mathbf {A}, \mathsf {td}) \leftarrow \mathsf {TrapGen}(1^\lambda )\). Then,

  1. 1.

     For \(\mathbf {U}\leftarrow \mathsf {Sample}(\mathbf {A})\), we have \({ \Vert \mathbf {U} \Vert } \le \beta \).

  2. 2.

     For any \(\mathbf {V}\in \mathbb {Z}_q^{n \times m}\) and \(\mathbf {U}\leftarrow \mathsf {SamplePre}(\mathbf {A}, \mathbf {V}, \mathsf {td})\), we have \(\mathbf {A}\mathbf {U}= \mathbf {V}\) and \({ \Vert \mathbf {U} \Vert } \le \beta \).

  3. 3.

     For \((\mathbf {A}, \mathsf {td}) \leftarrow \mathsf {TrapGen}(1^\lambda )\), \(\mathbf {A}' \mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^{n \times m}\), \(\mathbf {U}\leftarrow \mathsf {Sample}(\mathbf {A})\), \(\mathbf {V}= \mathbf {A}\mathbf {U}\), \(\mathbf {V}' \mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^{n \times m}\), and \(\mathbf {U}' \leftarrow \mathsf {SamplePre}(\mathbf {A}, \mathbf {V}', \mathsf {td})\), we have

     $$\begin{aligned} \mathbf {A}{\mathop {\approx }\limits ^{s}}\mathbf {A}' \quad \quad \text {and} \quad \quad (\mathbf {A}, \mathsf {td}, \mathbf {U}, \mathbf {V}) {\mathop {\approx }\limits ^{s}}(\mathbf {A}, \mathsf {td}, \mathbf {U}', \mathbf {V}'). \end{aligned}$$

Traditionally, lattice trapdoors consist of a set of short generating vectors of the lattice that is induced by a public SIS matrix \(\mathbf {A}\). In this work, we make use of an alternative form of lattice trapdoors called a \(\mathbf {G}\)-trapdoor formalized in [116]. A \(\mathbf {G}\)-trapdoor of a matrix \(\mathbf {A}\in \mathbb {Z}_q^{n \times m}\) consists of a full-rank, low-norm matrix \(\mathbf {R}\in \mathbb {Z}_q^{m \times m}\) satisfying the relation \(\mathbf {A}\mathbf {R}= \mathbf {G}\). These types of trapdoor matrices have additional statistical properties that we use in our blind homomorphic signature constructions in Sects. 2.1 and Appendix B.2. We summarize these properties in the following theorem.

Theorem A.2

(Lattice Sampling [1, 28, 55, 113, 116])

Fix a security parameter \(\lambda \) and lattice parameters n, q, m, and a norm bound \(\beta \), where \(m = O(n \log q)\) and \(\beta = O(n \sqrt{\log q})\). Then, in addition to the algorithms \((\mathsf {TrapGen}, \mathsf {Sample}, \mathsf {SamplePre})\) from Theorem A.1, there exists a pair of algorithms \((\mathsf {SampleLeft}, \mathsf {SampleRight})\) with the following properties:

• \(\mathsf {SampleLeft}(\mathbf {A}, \mathbf {B}, \mathbf {R}, \mathbf {v}, \beta ^*) \rightarrow \mathbf {u}\): On input matrices \(\mathbf {A}, \mathbf {B}\in \mathbb {Z}_q^{n \times m}\), a matrix \(\mathbf {R}\in \mathbb {Z}_q^{m \times m}\) (trapdoor of \(\mathbf {A}\)), a target vector \(\mathbf {v}\in \mathbb {Z}_q^n\), and a norm bound \(\beta ^*\), \(\mathsf {SampleLeft}\) returns a vector \(\mathbf {u}\in \mathbb {Z}_q^{2m}\).

• \(\mathsf {SampleRight}(\mathbf {A}, \mathbf {B}, \mathbf {U}, \mathbf {v}, \beta ^*) \rightarrow \mathbf {u}\): On input matrices \(\mathbf {A}, \mathbf {B}\in \mathbb {Z}_q^{n \times m}\), a matrix \(\mathbf {U}\in \mathbb {Z}_q^{m \times m}\), a target vector \(\mathbf {v}\in \mathbb {Z}_q^n\), and a norm bound \(\beta ^*\), \(\mathsf {SampleRight}\) returns a vector \(\mathbf {u}\in \mathbb {Z}_q^{2m}\).

• The algorithms above satisfy the following properties. For any rank-n matrices \(\mathbf {A}, \mathbf {B}\in \mathbb {Z}_q^{n \times m}\) and a target vector \(\mathbf {v}\in \mathbb {Z}_q^n\), we have:

  1. 1.

     Let \(\mathbf {R}\in \mathbb {Z}_q^{m \times m}\) be any matrix satisfying \(\mathbf {A}\mathbf {R}= \mathbf {G}\) and \({ \Vert \mathbf {R} \Vert } \cdot \omega (m \sqrt{\log m}) \le \beta ^*\le q\). Then, for \(\mathbf {u}_0 \leftarrow \mathsf {SampleLeft}(\mathbf {A}, \mathbf {B}, \mathbf {R}, \mathbf {v}, \beta ^*)\), we have that \([\mathbf {A}~|~\mathbf {B}] \cdot \mathbf {u}_0 = \mathbf {v}\) and \({ \Vert \mathbf {u}_0 \Vert } \le \beta ^*\).

  2. 2.

     Let \(\mathbf {U}\in \mathbb {Z}_q^{m \times m}\) be any matrix satisfying \(\mathbf {A}\mathbf {U}+ \mathbf {G}= \mathbf {B}\) and \({ \Vert \mathbf {U} \Vert } \cdot \omega (m \sqrt{\log m}) \le \beta ^*\le q\). Then, for \(\mathbf {u}_1 \leftarrow \mathsf {SampleRight}(\mathbf {A}, \mathbf {B}, \mathbf {U}, \mathbf {v}, \beta ^*)\), we have that \([\mathbf {A}~|~\mathbf {B}] \cdot \mathbf {u}_1 = \mathbf {v}\) and \({ \Vert \mathbf {u}_1 \Vert } \le \beta ^*\).

  3. 3.

     The distributions of \(\mathbf {u}_0, \mathbf {u}_1\) above are statistically indistinguishable.

GSW homomorphic operations In this work, we use the homomorphic structure from the fully homomorphic encryption (FHE) scheme by Gentry, Sahai, and Waters [94]. Since we do not require the specific details of the homomorphic operations, we summarize the properties we need in the theorem below. In the language of FHE, the algorithm \(\mathsf {EvalPK}\) corresponds to homomorphic evaluation over ciphertexts, while \(\mathsf {EvalU}\) corresponds to homomorphic evaluation over the encryption randomness.

Theorem A.3

(GSW Homomorphic Operations [15, 36, 94, 95])

Fix a security parameter \(\lambda \), lattice parameters n, q, m, a norm bound \(\beta \), a depth bound d, and a message length \(\ell \), where \(m = O(n \log q)\) and \(\beta \cdot m^{O(d)} < q\). Then, there exists a pair of efficient deterministic algorithms \((\mathsf {EvalPK}, \mathsf {EvalU})\) with the following properties:

• \(\mathsf {EvalPK}(\mathbf {V}_1, \ldots , \mathbf {V}_\ell , C) \rightarrow \mathbf {V}_C\): On input matrices \(\mathbf {V}_1, \ldots , \mathbf {V}_\ell \in \mathbb {Z}_q^{n \times m}\) and a circuit \(C :\{0,1\}^\ell \rightarrow \{0,1\}\) of depth at most d, \(\mathsf {EvalPK}\) returns an evaluated matrix \(\mathbf {V}_C \in \mathbb {Z}_q^{n \times m}\).

• \(\mathsf {EvalU}\big ((\mathbf {V}_1, x_1, \mathbf {U}_1), \ldots , (\mathbf {V}_\ell , x_\ell , \mathbf {U}_\ell ), C \big ) \rightarrow \mathbf {U}_C\): On input tuples \((\mathbf {V}_i, x_i, \mathbf {U}_i)\), where \(\mathbf {V}_i \in \mathbb {Z}_q^{n \times m}\), \(x_i \in \{0,1\}\), and \(\mathbf {U}_i \in \mathbb {Z}_q^{m \times m}\) for all \(i \in [\ell ]\), and a circuit \(C :\{0,1\}^\ell \rightarrow \{0,1\}\), \(\mathsf {EvalU}\) returns an evaluated matrix \(\mathbf {U}_C \in \mathbb {Z}_q^{m \times m}\).

• For all circuits \(C :\{0,1\}^\ell \rightarrow \{0,1\}\) of depth at most d, and all matrices \(\mathbf {A}, \mathbf {V}_1, \ldots , \mathbf {V}_\ell \in \mathbb {Z}_q^{n \times m}\), inputs \(x_1, \ldots , x_\ell \in \{0,1\}\), and matrices \(\mathbf {U}_1, \ldots , \mathbf {U}_\ell \in \mathbb {Z}_q^{m \times m}\) where

  $$\begin{aligned} \mathbf {A}\mathbf {U}_i + x_i \cdot \mathbf {G}= \mathbf {V}_i \quad \forall i \in [\ell ], \end{aligned}$$

  and \({ \Vert \mathbf {U}_i \Vert } \le \beta \), the \(\mathsf {EvalPK}\) and \(\mathsf {EvalU}\) algorithms satisfy the following property. For \(\mathbf {V}_C \leftarrow \mathsf {EvalPK}(\mathbf {V}_1, \ldots , \mathbf {V}_\ell , C)\), and \(\mathbf {U}_C \leftarrow \mathsf {EvalU}( (\mathbf {V}_1, x_1, \mathbf {U}_1), \ldots , (\mathbf {V}_\ell , x_\ell , \mathbf {U}_\ell ), C )\), we have that

  $$\begin{aligned} \mathbf {A}\mathbf {U}_C + C(x) \cdot \mathbf {G}= \mathbf {V}_C \quad \text { and } \quad { \Vert \mathbf {U}_C \Vert } \le \beta \cdot m^{O(d)} < q. \end{aligned}$$

1.1 A.1 Homomorphic Commitments from Lattices

In this section, we recall the construction of homomorphic commitments from [96, Appendix B].

Construction A.4

(Homomorphic Commitments from LWE [96]) Fix a security parameter \(\lambda \), lattice parameters \(n,m,q,\chi \), and a norm bound \(\beta \). Let \(\mathcal {X}= \{0,1\}^\ell \) and \(\mathcal {Y}= \{0,1\}\). Let \(\mathcal {C}_\lambda \) be a class of Boolean circuits on \(\ell \)-bit inputs. We define \(\Pi _{\mathsf {HC}}= (\mathsf {PrmsGen}, \mathsf {Commit}, \mathsf {Eval}, \mathsf {Verify})\) as follows:

• \(\mathsf {PrmsGen}(1^\lambda )\): On input the security parameter \(\lambda \), the setup algorithm samples a matrix \(\tilde{\mathbf {A}}\mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^{(n-1) \times m}\), a secret vector \(\tilde{\mathbf {s}}\mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^{n-1}\), an error vector \(\mathbf {e}\leftarrow \chi ^m\), and sets

  $$\begin{aligned} \mathbf {A}= \left( \begin{array}{c} \tilde{\mathbf {A}}\\ \tilde{\mathbf {s}}^T \tilde{\mathbf {A}}+ \mathbf {e}^T \end{array} \right) \in \mathbb {Z}_q^{n \times m}. \end{aligned}$$

  In addition, it samples a random target matrix \(\mathbf {D}\mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_{q}^{n \times m}\). It outputs \(\mathsf {crs}= (\mathbf {A}, \mathbf {D})\).

• \(\mathsf {Commit}(\mathsf {crs}, x)\) On input the string \(\mathsf {crs}= (\mathbf {A}, \mathbf {D})\) and a message \(x \in \{0,1\}^\ell \), the commit algorithm samples random matrices \(\mathbf {U}_1, \ldots , \mathbf {U}_\ell \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}^{m \times m}\) and defines the commitments

  $$\begin{aligned} \mathbf {V}_i = \mathbf {A}\mathbf {U}_i + x_i \cdot \mathbf {G}\in \mathbb {Z}_q^{n \times m}. \end{aligned}$$

  It outputs the commitment \(c = (\mathbf {V}_1, \ldots , \mathbf {V}_\ell )\) and the opening \(t = (\mathbf {U}_1, \ldots , \mathbf {U}_\ell )\).

• \(\mathsf {Eval}(C, \mathsf {crs}, x, c, t)\): On input a circuit \(C :\{0,1\}^\ell \rightarrow \{0,1\}\), a string \(\mathsf {crs}= (\mathbf {A}, \mathbf {D})\), a message \(x \in \{0,1\}^\ell \), a commitment \(c = (\mathbf {V}_1, \ldots , \mathbf {V}_\ell )\), and an opening \(t = (\mathbf {U}_1, \ldots , \mathbf {U}_\ell )\), the evaluation algorithm computes \(\mathbf {U}_C \leftarrow \mathsf {EvalU}((\mathbf {V}_1, x_1, \mathbf {U}_1), \ldots , (\mathbf {V}_\ell , x_\ell , \mathbf {U}_\ell ))\). Then it outputs

  $$\begin{aligned} t' = \mathbf {U}_C^* \leftarrow \mathsf {SampleRight}(\mathbf {A}, \mathbf {A}\mathbf {U}_C + (2 \cdot C(x) - 1) \cdot \mathbf {G}, \mathbf {U}_C, \mathbf {D}, \beta ). \end{aligned}$$

• \(\mathsf {Verify}(C, \mathsf {crs}, y, c, t)\): On input a circuit \(C :\{0,1\}^\ell \rightarrow \{0,1\}\), a string \(\mathsf {crs}= (\mathbf {A}, \mathbf {D})\), a value \(y \in \{0,1\}\), a commitment \(c = (\mathbf {V}_1, \ldots , \mathbf {V}_\ell )\), and an opening \(t = \mathbf {U}_C^*\), the verification algorithm first computes \(\mathbf {V}_C \leftarrow \mathsf {EvalPK}(\mathbf {V}_1, \ldots , \mathbf {V}_\ell , C)\). Then it output 1 if and only if \({ \Vert \mathbf {U}_C^* \Vert } \le \beta \) and \([\mathbf {A}~|~ \mathbf {V}_C + (y - 1) \cdot \mathbf {G}] \cdot \mathbf {U}_C^* = \mathbf {D}\)

Appendix B Universally Composable NIZKs

Oftentimes, we would like to use NIZKs in conjunction with MPC protocols (for instance, to bootstrap semi-honest security to malicious security [82]). In this section, we show how our techniques yield a universally composable NIZK in the preprocessing model from standard lattice assumptions. In addition, we describe an efficient protocol (in the UC model) to implement the preprocessing procedure responsible for generating the proving and verification keys for our NIZK construction. We note that while the prover and the verifier can always run a (malicious-secure) two-party computation protocol (e.g., [110]) to generate the proving and verification keys for the preprocessing NIZK, generic MPC protocols are often costly and require making non-black-box use of the underlying homomorphic signature scheme. In this section, we develop a more direct method using a new notion called blind homomorphic signatures and then show how to leverage blind homomorphic signatures to obtain a UC-NIZK in the preprocessing model.

1.1 B.1 The Universal Composability Framework

We begin by briefly reviewing the universal composability (UC) framework. We refer to [38] for the full details. The description here is adapted from the presentation in [119, Appendix A] and [93, Appendix A]. Readers familiar with UC security can safely skip this section, and we only include it for completeness.

The UC framework We work in the standard universal composability framework with static corruptions. The UC framework defines an environment \(\mathcal {Z}\) (modeled as an efficient algorithm) that is invoked on the security parameter \(1^\lambda \) and an auxiliary input \(z \in \{0,1\}^*\). The environment oversees the protocol execution in one of the two possible experiments:

• The ideal-world execution involves dummy parties \({\tilde{P}}_1, \ldots , {\tilde{P}}_n\), an ideal adversary \(\mathcal {S}\) (also called a “simulator”) who may corrupt some of the dummy parties, and an ideal functionality \(\mathcal {F}\).

• The real-world execution involves parties \(P_1, \ldots , P_n\) (modeled as efficient algorithms) and a real-world adversary \(\mathcal {A}\) who may corrupt some of the parties.

In both cases, the environment \(\mathcal {Z}\) chooses the inputs for the parties, receives the outputs from the uncorrupted parties, and can interact with the real-/ideal-world adversaries during the protocol execution. At the end of the protocol execution, the environment outputs a bit, which is defined to be the output of the experiment. More precisely, we define the following random variables:

• Let \(\textsc {ideal}_{\mathcal {F}, \mathcal {S}, \mathcal {Z}}(1^\lambda , z)\) be the random variable for the output of the environment \(\mathcal {Z}\) after interacting with the ideal-world execution with adversary \(\mathcal {S}\), the functionality \(\mathcal {F}\) on security parameter \(\lambda \) and input z. We write \(\textsc {ideal}_{\mathcal {F}, \mathcal {S}, \mathcal {Z}}\) to denote the ensemble \(\{ \textsc {ideal}_{\mathcal {F}, \mathcal {S}, \mathcal {Z}}(1^\lambda ,z) \}_{\lambda \in \mathbb {N}, z \in \{0,1\}^*}\).

• Let \(\textsc {real}_{\Pi , \mathcal {A}, \mathcal {Z}}(1^\lambda , z)\) denote the random variable for the output of the environment \(\mathcal {Z}\) after interacting with the real-world execution with adversary \(\mathcal {A}\) and parties running a protocol \(\Pi \) on security parameter \(\lambda \) and input z. We write \(\textsc {real}_{\Pi , \mathcal {A}, \mathcal {Z}}\) to denote the ensemble \(\{ \textsc {real}_{\Pi , \mathcal {A}, \mathcal {Z}}(1^\lambda , z) \}_{\lambda \in \mathbb {N}, z \in \{0,1\}^*}\).

Definition B.1

Fix \(n \in \mathbb {N}\), let \(\mathcal {F}\) be an n-ary functionality, and \(\Pi \) be an n-party protocol. We say that the protocol \(\Pi \)securely realizes\(\mathcal {F}\) if for all efficient adversaries \(\mathcal {A}\), there exists an ideal adversary \(\mathcal {S}\) such that for all efficient environments \(\mathcal {Z}\), we have that

$$\begin{aligned} \textsc {real}_{\Pi , \mathcal {A}, \mathcal {Z}} {\mathop {\approx }\limits ^{c}}\textsc {ideal}_{\mathcal {F}, \mathcal {S}, \mathcal {Z}}. \end{aligned}$$

Hybrid protocols Hybrid protocols are protocols where, in addition to communicating as usual in the standard model of execution, the parties have access to (multiple copies of) an ideal functionality. More precisely, in a protocol execution in the \(\mathcal {F}\)-hybrid model (where \(\mathcal {F}\) denotes an ideal functionality), the parties may give inputs and receive outputs from an unbounded number of copies of \(\mathcal {F}\). The different copies of \(\mathcal {F}\) are differentiated using a session ID (denoted sid). All of the inputs to each copy of \(\mathcal {F}\) and the outputs from each copy of \(\mathcal {F}\) have the same session ID. We can correspondingly extend Definition B.1 to define the notion of a protocol \(\Pi \) securely realizing a functionality \(\mathcal {G}\) in the \(\mathcal {F}\)-hybrid model.

The universal composition operation We now define the universal composition operation and state the universal composition theorem. Let \(\rho \) be an \(\mathcal {F}\)-hybrid protocol, and let \(\Pi \) be a protocol that securely realizes \(\mathcal {F}\) (Definition B.1). The composed protocol \(\rho ^\Pi \) is the protocol where each invocation of the ideal functionality \(\mathcal {F}\) in \(\rho \) is replaced by a fresh invocation of the protocol \(\Pi \). Specifically, the first message sent to each copy of \(\mathcal {F}\) (from any party) is replaced with the first message of \(\Pi \) (generated with the same input and \(\textsf {sid}\) associated with the particular copy of \(\mathcal {F}\)). Each output value generated by a copy of \(\Pi \) is treated as a message received from the corresponding copy of \(\mathcal {F}\). Note that if \(\Pi \) is a \(\mathcal {G}\)-hybrid protocol (where \(\mathcal {G}\) is an arbitrary ideal functionality), then \(\rho ^\Pi \) is also a \(\mathcal {G}\)-hybrid protocol.

The universal composition theorem Let \(\mathcal {F}\) be an ideal functionality. In its general form, the universal composition theorem [38] states that if \(\Pi \) is a protocol that securely realizes \(\mathcal {F}\), then for any \(\mathcal {F}\)-hybrid protocol \(\rho \) that securely realizes \(\mathcal {G}\), the composed protocol \(\rho ^\Pi \) securely realizes \(\mathcal {G}\). We state the formal theorem below:

Theorem B.2

(Universal Composition [38, Corollary 15])

Let \(\mathcal {F}, \mathcal {G}\) be ideal functionalities, and let \(\Pi \) be a protocol that securely realizes \(\mathcal {F}\). If \(\rho \) securely realizes \(\mathcal {G}\) in the \(\mathcal {F}\)-hybrid model, then the composed protocol \(\rho ^\Pi \) securely realizes \(\mathcal {G}\).

UC functionalities Next, we review the ideal common reference string (CRS), oblivious transfer (OT), and zero-knowledge (ZK) functionalities that we use in this work.

The CRS functionality The common reference string (CRS) functionality \(\mathcal {F}_{\textsc {crs}}^{\mathcal {D}}\) (parameterized by an efficiently sampleable distribution \(\mathcal {D}\)) samples and outputs a string from \(\mathcal {D}\). The formal specification from [60] is as follows (Fig. 1):

Fig. 1

\(\mathcal {F}_{\textsc {crs}}^{\mathcal {D}}\) functionality [60]

Throughout this section, when we say there exists a “protocol in the CRS model,” we specifically refer to a universally composable protocol in the \(\mathcal {F}_{\textsc {crs}}^{\mathcal {D}}\)-hybrid model (for some choice of distribution \(\mathcal {D}\) determined by the specific protocol).

The OT functionality The oblivious transfer (OT) functionality \(\mathcal {F}_{\textsc {ot}}^{s}\) (parameterized by the message length s) is a two-party functionality between a sender \(\mathbf {S}\) and a receiver \(\mathbf {R}\). The sender’s input consists of two messages \(x_0, x_1 \in \{0,1\}^s\) and the receiver’s input consists of a bit \(b \in \{0,1\}\). At the end of the protocol execution, the receiver learns \(x_b\) (and nothing else), and the sender learns nothing. These requirements are captured by the OT functionality \(\mathcal {F}_{\textsc {ot}}^{s}\) from [58] defined as follows (Fig. 2):

Fig. 2

\(\mathcal {F}_{\textsc {ot}}^{s}\) functionality [58]

For simplicity of notation, we define a block-wise OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell ,s}\) where the sender’s input consists of \(\ell \) pairs of messages \(\{ (x_{i,0}, x_{i,1}) \}_{i \in [\ell ]}\) and the receiver’s input consists of \(\ell \) bits \(b_1, \ldots , b_\ell \). At the end of the protocol execution, the receiver learns the messages \(x_{1,b_1}, \ldots , x_{\ell ,b_\ell }\) (and nothing else), and the sender learns nothing. The block-wise OT functionality can be securely realized from the standard OT functionality \(\mathcal {F}_{\textsc {ot}}^{s}\) via the universal composition theorem [38] (Fig. 3).

Fig. 3

\(\mathcal {F}_{\textsc {ot}}^{\ell ,s}\) functionality

The ZK functionality The zero-knowledge (ZK) functionality is a two-party functionality between a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\). The prover is able to send the functionality a description of an \(\mathsf {NP}\) relation \(\mathcal {R}\), a statement x to be proved along with a witness w. The functionality forwards the relation and the statement x to the verifier if and only if \(\mathcal {R}(x, w) = 1\). Our definition is inherently multi-theorem; namely, the prover can prove arbitrarily many statements (possibly with respect to different \(\mathsf {NP}\) relations). We distinguish between different proof subsessions by associating a unique subsession ID \(\textsf {ssid}\) with each subsession. Our definition is adapted from the one given in [58] (Fig. 4).

Fig. 4

\(\mathcal {F}_{\mathsf {ZK}}\) functionality

The general UC functionality Let \(f :(\{0,1\}^{\ell _{\mathrm {in}}})^n \rightarrow (\{0,1\}^{\ell _{\mathrm {out}}})^n\) be an arbitrary n-input function. The general UC functionality \(\mathcal {F}_f\) is parameterized with a function f and described in Fig. 5. Our presentation is adapted from that in [93].

Fig. 5

General UC functionality \(\mathcal {F}_f\)

1.2 B.2 Blind Homomorphic Signatures

We now define the ideal blind homomorphic signature functionality \(\mathcal {F}_{\textsc {bhs}}\). Our definition builds upon existing definitions of the ideal signature functionality \(\mathcal {F}_{\textsc {sig}}\) by Canetti [39] and the ideal blind signature functionality \(\mathcal {F}_{\textsc {blsig}}\) by Fischlin [71]. To simplify the presentation, we define the functionality in the two-party setting, where there is a special signing party (denoted \(\mathbf {S}\)) and a single receiver who obtains the signature (denoted \(\mathbf {R}\)). While this is a simpler model than the multi-party setting considered in [39, 71], it suffices for the applications we describe in this work.

Ideal signature functionalities The \(\mathcal {F}_{\textsc {sig}}\) functionality from [39] essentially provides a “registry service” where a distinguished party (the signer) is able to register message–signature pairs. Moreover, any party that possesses the verification key can check whether a particular message–signature pair is registered (and thus constitutes a valid signature). The ideal functionality does not impose any restriction on the structure of the verification key or the legitimate signatures and allows the adversary to choose those values. In a blind signature scheme, the signing process is replaced by an interactive protocol between the signer and the receiver, and the security requirement is that the signer does not learn the message being signed. To model this, the \(\mathcal {F}_{\textsc {blsig}}\) functionality from [71] asks the adversary to provide the description of a stateless algorithm \(\mathsf {IdealSign}\) in addition to the verification key to the ideal functionality \(\mathcal {F}_{\textsc {blsig}}\). For blind signing requests involving an honest receiver, the ideal functionality uses \(\mathsf {IdealSign}\) to generate the signatures. The message that is signed (i.e., the input to \(\mathsf {IdealSign}\)) is not disclosed to either the signer or the adversary. This captures the intuitive requirement that the signer does not learn the message that is signed in a blind signature scheme. Conversely, if a corrupt user makes a blind signing request, then the ideal functionality asks the adversary to supply the signature that could result from such a request.

Capturing homomorphic operations In a homomorphic signature scheme, a user possessing a signature \(\sigma \) on a message x should be able to compute a function g on \(\sigma \) to obtain a new signature \(\sigma ^*\) on the message g(x). In turn, the verification algorithm checks that \(\sigma ^*\) is a valid signature on the value g(x) and importantly that it is a valid signature with respect to the function g. Namely, the signature is bound not only to the computed value g(x) but also to the function g.¹⁷ To extend the ideal signature functionality to support homomorphic operations on signatures, we begin by modifying the ideal functionality to maintain a mapping between function–message pairs and signatures (rather than a mapping between messages and signatures). In this case, a fresh signature \(\sigma \) (say, output by the blind signing protocol) on a message x would be viewed as a signature on the function–message pair \((f_{\mathsf {id}}, x)\), where \(f_{\mathsf {id}}\) here denotes the identity function. Then, if a user subsequently computes a function g on \(\sigma \), the resulting signature \(\sigma ^*\) should be viewed as a signature on the new pair \((g \circ f_{\mathsf {id}}, g(x)) = (g, g(x))\). In other words, in a homomorphic signature scheme, signatures are bound to a function–message pair, rather than a single message.

Next, we introduce an additional signature evaluation operation to the ideal functionality. There are several properties we desire from our ideal functionality:

• The ideal signature functionality allows the adversary to decide the structure of the signatures, so it is only natural that the adversary also decides the structure of the signature output by the signature evaluation procedure.

• Signature evaluation should be compatible with the blind signing process. Specifically, the receiver should be able to compute on a signature it obtained from the blind signing functionality, and moreover, the computation (if requested by an honest receiver) should not reveal to the adversary on which signature or message the computation was performed.

• The computed signature should also hide the input message. In particular, if the receiver obtains a blind signature on a message x and later computes a signature \(\sigma ^*\) on g(x), the signature \(\sigma ^*\) should not reveal the original (blind) message x.

To satisfy these properties, the ideal functionality asks the adversary to additionally provide the description of a stateless signature evaluation algorithm \(\mathsf {IdealEval}\) (in addition to \(\mathsf {IdealSign}\)). The ideal functionality uses \(\mathsf {IdealEval}\) to generate the signatures when responding to evaluation queries. We capture the third property (that the computed signatures hide the input message to the computation) by setting the inputs to \(\mathsf {IdealEval}\) to only include the function g that is computed and the output value of the computation g(x). The input message x is not provided to \(\mathsf {IdealEval}\).

Under our definition, the signature evaluation functionality takes as input a function–message pair \((f_{\mathsf {id}}, x)\), a signature \(\sigma \) on \((f_{\mathsf {id}}, x)\) (under the verification key \(\mathsf {vk}\) of the signature scheme), and a description of a function g (to compute on x). The output is a new signature \(\sigma ^*\) on the pair (g, g(x)). That is, \(\sigma ^*\) is a signature on the value g(x) with respect to the function g. When the evaluator is honest, the signature on (g, g(x)) is determined by \(\mathsf {IdealEval}(g, g(x))\) (without going through the adversary). As discussed above, \(\mathsf {IdealEval}\) only takes as input the function g and the value g(x), and not the input; this means that the computed signature \(\sigma ^*\) hides all information about x other than what is revealed by g(x). When the evaluator is corrupt, the adversary chooses the signature on (g, g(x)), subject to basic consistency requirements.¹⁸ Once an evaluated signature is generated, the functionality registers the new signature \(\sigma ^*\) on the pair (g, g(x)). Our definition implicitly requires that homomorphic evaluation be non-interactive. Neither the adversary nor the signer is notified or participates in the protocol.

Preventing selective failures In our definition, the functionalities \(\mathsf {IdealSign}\) and \(\mathsf {IdealEval}\) must either output \(\bot \) on all inputs, or output \(\bot \) on none of the inputs. This captures the property that a malicious signer cannot mount a selective failure attack against an honest receiver, where the function of whether the receiver obtains a signature or not in the blind signing protocol varies depending on its input message. In the case of the blind signing protocol, we do allow a malicious signer to cause the protocol to fail, but this failure event must be independent of the receiver’s message. We capture this in the ideal functionality by allowing a corrupt signer to dictate whether a blind signing execution completes successfully or not. However, the corrupt signer must decide whether a given protocol invocation succeeds or fails independently of the receiver’s message.

Simplifications and generalizations In defining our ideal blind homomorphic signature functionality, we impose several restrictions to simplify the description and analysis. We describe these briefly here and note how we could extend the functionality to provide additional generality. Note that all of the applications we consider (Appendix B.7) only require the basic version of the functionality (Fig. 6), and not its generalized variants.

• One-time signatures. The ideal blind homomorphic signature functionality supports blind signing of a single message. Namely, the ideal blind signing functionality only responds to the first signing request from the receiver and ignores all subsequent requests. Moreover, the ideal functionality only supports signature evaluation requests after a signature has been successfully issued by the ideal signing functionality. We capture this via a \(\mathsf {ready}\) flag that is only set at the conclusion of a successful signing operation. We can relax this single-signature restriction, but at the cost of complicating the analysis.

• Single-hop evaluation. Our second restriction on the ideal blind homomorphic signature functionality is we only consider “single-hop” homomorphic operations: That is, we only allow homomorphic operations on fresh signatures. In the ideal functionality, we capture this by having the signature evaluation functionality ignore all requests to compute on function–message pairs (f, x) where \(f \ne f_{\mathsf {id}}\) is not the identity function. A more general definition would also consider “multi-hop” evaluation where a party can perform arbitrarily many sequential operations on a signature. The reason we present our definition in the simpler single-hop setting is because existing constructions of homomorphic signatures [96] (which we leverage in our construction) do not support the multi-hop analog of our definition. This is because under our definition, the ideal evaluation functionality essentially combines the homomorphic evaluation with the context-hiding transformation in standard homomorphic signature schemes. The current homomorphic signature construction [96] does not support homomorphic computation after performing context-hiding and so cannot be used to realize the more general “multi-hop” version of our functionality. For this reason, we give our definition in the single-hop setting.

We give the formal specification of the ideal blind homomorphic signature functionality \(\mathcal {F}_{\textsc {bhs}}\) in Fig. 6.

Fig. 6

\(\mathcal {F}_{\textsc {bhs}}\) functionality

1.3 B.3 Generalized Homomorphic Signatures

Our construction of blind homomorphic signatures from standard homomorphic signatures (Appendix B.6) will impose some additional structural requirements on the underlying scheme. In this section, we present a more general schema (compared to Definition 2.3) that we will use to construct blind homomorphic signatures. Suppose the message space for the homomorphic signature scheme consists of \(\ell \)-tuples of elements over a set \(\mathcal {X}\) (e.g., the case where \(\mathcal {X}= \{0,1\}\) corresponds to the setting where the message space consists of \(\ell \)-bit strings). Then, we require that the public parameters \(\vec {\mathsf {pk}}\) of the scheme can be split into a vector of public keys \(\vec {\mathsf {pk}}= (\mathsf {pk}_1, \ldots , \mathsf {pk}_\ell )\). In addition, a (fresh) signature on a vector \(\vec {x}\in \mathcal {X}^\ell \) can also be written as a tuple of \(\ell \) signatures \(\vec {\sigma }= (\sigma _1, \ldots , \sigma _\ell )\) where \(\sigma _i\) can be verified with respect to the verification key \(\mathsf {vk}\) and the \(i^{\mathrm {th}}\) public key \(\mathsf {pk}_i\) for all \(i \in [\ell ]\). In our description below, we often use vector notation to simplify the presentation.

Definition B.3

(Homomorphic Signatures [22, 96]) A homomorphic signature scheme with message space \(\mathcal {X}\), message length \(\ell \in \mathbb {N}\), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\), where each \(\mathcal {C}_\lambda \) is a collection of functions from \(\mathcal {X}^\ell \) to \(\mathcal {X}\), is defined by a tuple of algorithms \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) with the following properties:

• \(\mathsf {PrmsGen}(1^\lambda , 1^\ell ) \rightarrow \vec {\mathsf {pk}}\): On input the security parameter \(\lambda \) and message length \(\ell \), the parameter generation algorithm returns a set of \(\ell \) public keys \(\vec {\mathsf {pk}}= (\mathsf {pk}_1, \ldots , \mathsf {pk}_\ell )\).

• \(\mathsf {KeyGen}(1^\lambda ) \rightarrow (\mathsf {vk}, \mathsf {sk})\): On input the security parameter \(\lambda \), the key generation algorithm returns a verification key \(\mathsf {vk}\), and a signing key \(\mathsf {sk}\).

• \(\mathsf {Sign}(\mathsf {pk}_i, \mathsf {sk}, x_i) \rightarrow \sigma _i\): On input a public key \(\mathsf {pk}_i\), a signing key \(\mathsf {sk}\), and a message \(x_i \in \mathcal {X}\), the signing algorithm returns a signature \(\sigma _i\). Vector variant: For \(\vec {\mathsf {pk}}= (\mathsf {pk}_1, \ldots , \mathsf {pk}_\ell )\) and \(\vec {x}= (x_1, \ldots , x_\ell ) \in \mathcal {X}^\ell \), we write \(\mathsf {Sign}(\vec {\mathsf {pk}}, \mathsf {sk}, \vec {x})\) to denote component-wise signing of each message. Namely, \(\mathsf {Sign}(\vec {\mathsf {pk}}, \mathsf {sk}, \vec {x})\) outputs signatures \(\vec {\sigma }= (\sigma _1, \ldots , \sigma _\ell )\) where \(\sigma _i \leftarrow \mathsf {Sign}(\mathsf {pk}_i, \mathsf {sk}, x_i)\) for all \(i \in [\ell ]\).

• \(\mathsf {PrmsEval}(C, \vec {\mathsf {pk}}') \rightarrow \mathsf {pk}_C\): On input a function \(C :\mathcal {X}^\ell \rightarrow \mathcal {X}\) and a collection of public keys \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_\ell ')\), the parameter evaluation algorithm returns an evaluated public key \(\mathsf {pk}_C\). Vector variant: For a circuit \(C :\mathcal {X}^\ell \rightarrow \mathcal {X}^{k}\), we write \(\mathsf {PrmsEval}(C, \vec {\mathsf {pk}}')\) to denote component-wise parameter evaluation. Namely, let \(C_1, \ldots , C_k\) be functions such that \(C(x_1, \ldots , x_\ell ) = \big ( C_1(x_1, \ldots , x_\ell ), \ldots , C_{k}(x_1, \ldots , x_\ell ) \big )\). Then, \(\mathsf {PrmsEval}(C, \vec {\mathsf {pk}}')\) evaluates \(\mathsf {pk}_{C_i} \leftarrow \mathsf {PrmsEval}(C_i, \vec {\mathsf {pk}}')\) for \(i \in [k]\), and outputs \(\mathsf {pk}_C = (\mathsf {pk}_{C_1}, \ldots , \mathsf {pk}_{C_{k}})\).

• \(\mathsf {SigEval}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma }) \rightarrow \sigma \): On input a function \(C :\mathcal {X}^\ell \rightarrow \mathcal {X}\), public keys \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_\ell ')\), messages \(\vec {x}\in \mathcal {X}^\ell \), and signatures \(\vec {\sigma }= (\sigma _1, \ldots , \sigma _\ell )\), the signature evaluation algorithm returns an evaluated signature \(\sigma \). Vector variant: We can define a vector variant of \(\mathsf {SigEval}\) analogously to that of \(\mathsf {PrmsEval}\).

• \(\mathsf {Hide}(\mathsf {vk}, x, \sigma ) \rightarrow \sigma ^*\): On input a verification key \(\mathsf {vk}\), a message \(x \in \mathcal {X}\), and a signature \(\sigma \), the hide algorithm returns a signature \(\sigma ^*\). Vector variant: For \(\vec {x}= (x_1, \ldots , x_k)\) and \(\vec {\sigma }= (\sigma _1, \ldots , \sigma _k)\), we write \(\mathsf {Hide}(\mathsf {vk}, \vec {x}, \vec {\sigma })\) to denote component-wise evaluation of the hide algorithm. Namely, \(\mathsf {Hide}(\mathsf {vk}, \vec {x}, \vec {\sigma })\) returns \((\sigma ^*_1, \ldots , \sigma ^*_k)\) where \(\sigma ^*_i \leftarrow \mathsf {Hide}(\mathsf {vk}, x_i, \sigma _i)\) for all \(i \in [k]\).

• \(\mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}\), a verification key \(\mathsf {vk}\), a message \(x \in \mathcal {X}\), and a signature \(\sigma \), the verification algorithm either accepts (returns 1) or rejects (returns 0). Vector variant: For a collection of public keys \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_{k}')\), messages \(\vec {x}= (x_1, \ldots , x_{k})\), and signatures \(\vec {\sigma }= (\sigma _1, \ldots , \sigma _{k})\), we write \(\mathsf {Verify}(\vec {\mathsf {pk}}', \mathsf {vk}, \vec {x}, \vec {\sigma })\) to denote applying the verification algorithm to each signature component-wise. In other words, \(\mathsf {Verify}(\vec {\mathsf {pk}}', \mathsf {vk}, \vec {x}, \vec {\sigma })\) accepts if and only if \(\mathsf {Verify}(\mathsf {pk}_i', \mathsf {vk}, x_i, \sigma _i)\) accepts for all \(i \in [k]\).

• \(\mathsf {VerifyFresh}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}\), a verification key \(\mathsf {vk}\), a message \(x \in \mathcal {X}\), and a signature \(\sigma \), the fresh verification algorithm either accepts (returns 1) or rejects (returns 0). Vector variant: We can define a vector variant of \(\mathsf {VerifyFresh}\) analogously to that of \(\mathsf {Verify}\).

• \(\mathsf {VerifyHide}(\mathsf {pk}, \mathsf {vk}, x, \sigma ^*) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}\), a verification key \(\mathsf {vk}\), a message \(x \in \mathcal {X}\), and a signature \(\sigma ^*\), the hide verification algorithm either accepts (returns 1) or rejects (returns 0). Vector variant: We can define a vector variant of \(\mathsf {VerifyHide}\) analogously to that of \(\mathsf {Verify}\).

Correctness We now state the correctness requirements for a homomorphic signature scheme. Our homomorphic signature syntax has three different verification algorithms. The standard verification algorithm \(\mathsf {Verify}\) can be used to verify fresh signatures (output by \(\mathsf {Sign}\)) as well as homomorphically evaluated signatures (output by \(\mathsf {SigEval}\)). The hide verification algorithm \(\mathsf {VerifyHide}\) is used for verifying the signatures that are output by the context-hiding transformation \(\mathsf {Hide}\), which may be structurally different from the signature output by \(\mathsf {Sign}\) or \(\mathsf {SigEval}\). Finally, we have a special verification algorithm \(\mathsf {VerifyFresh}\) that can be used to verify signature output by \(\mathsf {Sign}\) (before any homomorphic evaluation has taken place). While \(\mathsf {Verify}\) subsumes \(\mathsf {VerifyFresh}\), having a separate \(\mathsf {VerifyFresh}\) algorithm is useful for formulating a strong version of evaluation correctness. We now state our correctness definitions. First, we have the standard correctness requirement of any signature scheme. Specifically, signature output by the honest signing algorithm should verify according to both \(\mathsf {Verify}\) and \(\mathsf {VerifyFresh}\).

Definition B.4

(Signing Correctness)

A homomorphic signature scheme \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}\) satisfies signing correctness if for all \(\lambda \in \mathbb {N}\), messages \(\vec {x}\in \mathcal {X}^\ell \), and setting \(\vec {\mathsf {pk}}\leftarrow \mathsf {PrmsGen}(1^\lambda , 1^\ell )\), \((\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\), \(\vec {\sigma }\leftarrow \mathsf {Sign}(\vec {\mathsf {pk}}, \mathsf {sk}, \vec {x})\), we have

$$\begin{aligned} \Pr [ \mathsf {Verify}(\vec {\mathsf {pk}}, \mathsf {vk}, \vec {x}, \vec {\sigma }) = 1] = 1 \quad \text {and} \quad \Pr [ \mathsf {VerifyFresh}(\vec {\mathsf {pk}}, \mathsf {vk}, \vec {x}, \vec {\sigma }) = 1] = 1. \end{aligned}$$

Evaluation correctness Next, we require that if one applies the honest signature evaluation algorithm \(\mathsf {SigEval}\) to valid fresh signatures (namely, signatures that are accepted by \(\mathsf {VerifyFresh}\)), then the resulting signature verifies according to \(\mathsf {Verify}\) (with respect to the corresponding evaluated public key). This is a stronger definition than the usual notion of evaluation correctness from [96], which only requires correctness to hold when \(\mathsf {SigEval}\) is applied to the signature output by the honest signing algorithm \(\mathsf {Sign}\). In our definition, correctness must hold against all signatures deemed valid by \(\mathsf {VerifyFresh}\) (with respect to an arbitrary public key \(\mathsf {pk}\) and verification key \(\mathsf {vk}\)), which may be a larger set of signatures than those that could be output by \(\mathsf {Sign}\). This notion of correctness will be useful in our construction of (malicious-secure) blind homomorphic signatures in Appendix B.2.

Definition B.5

(Evaluation Correctness) A homomorphic signature scheme \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}\), \(\mathsf {KeyGen}\), \(\mathsf {Sign}\), \(\mathsf {PrmsEval}\), \(\mathsf {SigEval}\), \(\mathsf {Hide}\), \(\mathsf {Verify}\), \(\mathsf {VerifyFresh}\), \(\mathsf {VerifyHide})\) with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\) (where each \(\mathcal {C}_\lambda \) is a collection of functions from \(\mathcal {X}^\ell \) to \(\mathcal {X}\)) satisfies evaluation correctness if for all \(\lambda \in \mathbb {N}\), all public keys \(\vec {\mathsf {pk}}\), all verification keys \(\mathsf {vk}\), and all messages \(\vec {x}\in \mathcal {X}^\ell \), the following properties hold:

• Single-Hop Correctness: For all \(C \in \mathcal {C}_\lambda \) and all signatures \(\vec {\sigma }\) where \(\mathsf {VerifyFresh}(\vec {\mathsf {pk}}, \mathsf {vk}, \vec {x}, \vec {\sigma }) = 1\), if we set \(\mathsf {pk}_C \leftarrow \mathsf {PrmsEval}(C, \vec {\mathsf {pk}})\) and \(\sigma \leftarrow \mathsf {SigEval}(C, \vec {\mathsf {pk}}, \vec {x}, \vec {\sigma })\), then

  $$\begin{aligned} \Pr [\mathsf {Verify}(\mathsf {pk}_C, \mathsf {vk}, C(\vec {x}), \sigma ) = 1] = 1. \end{aligned}$$

• Multi-Hop Correctness: For any collection of functions \(C_1, \ldots , C_\ell \in \mathcal {C}_\lambda \) and \(C' :\mathcal {X}^\ell \rightarrow \mathcal {X}\), define the composition \((C' \circ \vec {C}) :\mathcal {X}^\ell \rightarrow \mathcal {X}\) to be the mapping \(\vec {x}\mapsto C' (C_1(\vec {x}), \ldots , C_\ell (\vec {x}))\). If \((C' \circ \vec {C}) \in \mathcal {C}_\lambda \), then for any set of signatures \(\vec {\sigma }= (\sigma _1, \ldots , \sigma _\ell )\) where \(\mathsf {Verify}(\mathsf {pk}_{C_i}, \mathsf {vk}, x_i, \sigma _i) = 1\), \(\mathsf {pk}_{C_i} \leftarrow \mathsf {PrmsEval}(C_i, \vec {\mathsf {pk}})\) for all \(i \in [\ell ]\), and \(y \leftarrow C' (C_1(\vec {x}), \ldots , C_\ell (\vec {x}))\), we have that

  $$\begin{aligned}&\Pr [\mathsf {Verify}(\mathsf {PrmsEval}(C', (\mathsf {pk}_{C_1}, \ldots , \mathsf {pk}_{C_\ell })), \mathsf {vk}, y,\\&\quad \mathsf {SigEval}(C', (\mathsf {pk}_{C_1}, \ldots , \mathsf {pk}_{C_\ell }), \vec {x}, \vec {\sigma })) = 1] = 1. \end{aligned}$$

Hiding correctness Finally, we require that the hide algorithm also produces valid signatures. Similar to the case of evaluation correctness, we require that correctness holds whenever \(\mathsf {Hide}\) is applied to any valid signature accepted by \(\mathsf {Verify}\) (which need not coincide with the set of signatures output by an honest execution of \(\mathsf {Sign}\) or \(\mathsf {SigEval}\)). This is essentially the definition in [96].

Definition B.6

(Hiding Correctness) A homomorphic signature scheme \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}\), \(\mathsf {KeyGen}\), \(\mathsf {Sign}\), \(\mathsf {PrmsEval}\), \(\mathsf {SigEval}\), \(\mathsf {Hide}\), \(\mathsf {Verify}\), \(\mathsf {VerifyFresh}\), \(\mathsf {VerifyHide})\) with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}\) satisfies hiding correctness if for all \(\lambda \in \mathbb {N}\), all public keys \(\mathsf {pk}\), verification keys \(\mathsf {vk}\), messages \(x \in \mathcal {X}\), and all signatures \(\sigma \) where \(\mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) = 1\), we have that

$$\begin{aligned} \Pr [ \mathsf {VerifyHide}\big (\mathsf {pk}, \mathsf {vk}, x, \mathsf {Hide}(\mathsf {vk}, x, \sigma ) \big ) = 1] = 1. \end{aligned}$$

Unforgeability Next, we define unforgeability. At a high level, we require that no efficient adversary who only possesses signatures \(\sigma _1, \ldots , \sigma _\ell \) on messages \(x_1, \ldots , x_\ell \) can produce a signature \(\sigma _y\) that is valid with respect to a function C where \(y \ne C(x_1, \ldots , x_\ell )\).

Definition B.7

(Unforgeability) Fix a security parameter \(\lambda \). Let \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) be a homomorphic signature scheme with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\), where each \(\mathcal {C}_\lambda \) is a collection of functions on \(\mathcal {X}^\ell \). Then, for an adversary \(\mathcal {A}\), we define the unforgeability security experiment \(\mathsf {Expt}_{\mathcal {A},\Pi _{\mathsf {HS}}}^{\mathsf {uf}}(\lambda , \ell )\) as follows:

1. 1.

   The challenger begins by generating public keys \(\vec {\mathsf {pk}}\leftarrow \mathsf {PrmsGen}(1^\lambda , 1^\ell )\) and a signature verification key \((\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\). It gives \(\vec {\mathsf {pk}}\) and \(\mathsf {vk}\) to \(\mathcal {A}\).

2. 2.

   The adversary \(\mathcal {A}\) submits a set of messages \(\vec {x}\in \mathcal {X}^\ell \) to be signed.

3. 3.

   The challenger signs the messages \(\vec {\sigma }\leftarrow \mathsf {Sign}(\vec {\mathsf {pk}}, \mathsf {sk}, \vec {x})\) and sends the signatures \(\vec {\sigma }\) to \(\mathcal {A}\).

4. 4.

   The adversary \(\mathcal {A}\) outputs a circuit C, a message \(\vec {x}^*\), and a signature \(\vec {\sigma }^*\).

5. 5.

   The output of the experiment is 1 if \(C \in \mathcal {C}_\lambda \), \(\vec {x}^* \ne C(\vec {x})\), and \(\mathsf {VerifyHide}(\mathsf {pk}_C, \mathsf {vk}, \vec {x}^*, \vec {\sigma }^*) = 1\), where \(\mathsf {pk}_C \leftarrow \mathsf {PrmsEval}(C, \vec {\mathsf {pk}})\). Otherwise, the output of the experiment is 0.

We say that a homomorphic signature scheme \(\Pi _{\mathsf {HS}}\) satisfies unforgeability if for all efficient adversaries \(\mathcal {A}\),

$$\begin{aligned} \Pr [ \mathsf {Expt}_{\mathcal {A},\Pi _{\mathsf {HS}}}^{\mathsf {uf}}(\lambda , \ell ) = 1 ] = \mathsf {negl}(\lambda ). \end{aligned}$$

Remark B.8

(Selective Unforgeability)

We can also define a weaker notion of unforgeability called selective unforgeability where the adversary commits to the messages \(\vec {x}\in \mathcal {X}^\ell \) at the start of the experiment before it sees the public keys \(\vec {\mathsf {pk}}\) and the verification key \(\mathsf {vk}\). In Sect. B.4, we describe a simplified variant of the [96] construction that satisfies this weaker notion of selective unforgeability. In Appendix B.5, we give the full construction from [96] that satisfies the definition of adaptive unforgeability from Definition B.7.

Context-hiding The context-hiding property roughly says that if a user evaluates a function C on a message–signature pair \((\vec {x}, \vec {\sigma })\) to obtain a signature \(\sigma _{C(\vec {x})}\), and then runs the hide algorithm on \(\sigma _{C(\vec {x})}\), the resulting signature \(\sigma _{C(\vec {x})}^*\) does not contain any information about \(\vec {x}\) other than what is revealed by C and \(C(\vec {x})\). Previous works such as [96] captured this notion by requiring that there exists an efficient simulator that can simulate the signature \(\sigma _{C(\vec {x})}^*\) given just the signing key \(\mathsf {sk}\),¹⁹ the function C, and the value \(C(\vec {x})\). Notably, the simulator does not see the original message \(\vec {x}\) or the signature \(\sigma _{C(\vec {x})}\)

While this is a very natural notion of context-hiding, it can be difficult to satisfy. The homomorphic signature construction by Gorbunov et al. [96] satisfies selective unforgeability (Remark B.8) and context-hiding. Gorbunov et al. also give a variant of their construction that achieves adaptive unforgeability; however, this scheme does not simultaneously satisfy the notion of context-hiding. Nonetheless, the adaptively secure scheme from [96] can be shown to satisfy a weaker notion of context-hiding that suffices for all of our applications (and still captures all of the intuitive properties we expect from context-hiding). Specifically, in our weaker notion of context-hiding, we allow the simulator to also take in some components of the original signatures \(\sigma _{C(\vec {x})}\), provided that those components are independent of the value that is signed.²⁰

To formalize this notion, we first define the notion of a decomposable homomorphic signature scheme. In a decomposable homomorphic signature scheme, any valid signature \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\) can be decomposed into a message-independent component \(\sigma ^{\mathsf {pk}}\) that contains no information about the signed message and a message-dependent component \(\sigma ^{\mathsf {m}}\).

Definition B.9

(Decomposable Homomorphic Signatures) Let \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) be a homomorphic signature scheme with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\). We say that \(\Pi _{\mathsf {HS}}\) is decomposable if the signing and evaluation algorithms can be decomposed into a message-independent and a message-dependent algorithm as follows:

• The signing algorithm \(\mathsf {Sign}\) splits into a pair of algorithms \((\mathsf {SignPK}, \mathsf {SignM})\):

  1. –

     \(\mathsf {SignPK}(\mathsf {pk}_i, \mathsf {sk}) \rightarrow \sigma ^{\mathsf {pk}}_i\): On input a public key \(\mathsf {pk}_i\) and a signing key \(\mathsf {sk}\), the \(\mathsf {SignPK}\) algorithm outputs a message-independent component \(\sigma ^{\mathsf {pk}}_i\).

  2. –

     \(\mathsf {SignM}(\mathsf {pk}_i, \mathsf {sk}, x_i, \sigma ^{\mathsf {pk}}_i) \rightarrow \sigma ^{\mathsf {m}}_i\): On input a public key \(\mathsf {pk}_i\), a signing key \(\mathsf {sk}\), a message \(x_i \in \mathcal {X}\), and a message-independent component \(\sigma ^{\mathsf {pk}}_i\), the \(\mathsf {SignM}\) algorithm outputs a message-dependent component \(\sigma ^{\mathsf {m}}_i\).

  The actual signing algorithm \(\mathsf {Sign}(\mathsf {pk}_i, \mathsf {sk}, x_i)\) then computes \(\sigma ^{\mathsf {pk}}_i \leftarrow \mathsf {SignPK}(\mathsf {pk}_i, \mathsf {sk})\) and \(\sigma ^{\mathsf {m}}_i \leftarrow \mathsf {SignM}(\mathsf {pk}_i, \mathsf {sk}, x_i, \sigma ^{\mathsf {pk}}_i)\). The final signature is the pair \(\sigma _i = (\sigma ^{\mathsf {pk}}_i, \sigma ^{\mathsf {m}}_i)\).

• The evaluation algorithm \(\mathsf {SigEval}\) splits into a pair of algorithms: \((\mathsf {SigEvalPK}, \mathsf {SigEvalM})\):

  1. –

     \(\mathsf {SigEvalPK}(C, \vec {\mathsf {pk}}', \vec {\sigma }^{\mathsf {pk}}) \rightarrow \sigma ^{\mathsf {pk}}\): On input a circuit \(C \in \mathcal {C}_\lambda \), public keys \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_\ell ')\), and message-independent signature components \(\vec {\sigma }^{\mathsf {pk}}= (\sigma ^{\mathsf {pk}}_1, \ldots , \sigma ^{\mathsf {pk}}_\ell )\), the \(\mathsf {SigEvalPK}\) algorithm outputs a message-independent component \(\sigma ^{\mathsf {pk}}\).

  2. –

     \(\mathsf {SigEvalM}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma }) \rightarrow \sigma ^{\mathsf {m}}\): On input a circuit \(C \in \mathcal {C}_\lambda \), public keys \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_\ell ')\), messages \(\vec {x}\in \mathcal {X}^\ell \), and signatures \(\vec {\sigma }\), the \(\mathsf {SigEvalM}\) algorithm outputs a message-dependent component \(\sigma ^{\mathsf {m}}\).

  The signature evaluation algorithm \(\mathsf {SigEval}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma })\) first parses \(\vec {\sigma }= (\vec {\sigma }^{\mathsf {pk}}, \vec {\sigma }^{\mathsf {m}})\), computes \(\sigma ^{\mathsf {pk}}\leftarrow \mathsf {SigEvalPK}(C, \vec {\mathsf {pk}}', \vec {\sigma }^{\mathsf {pk}})\), \(\sigma ^{\mathsf {m}}\leftarrow \mathsf {SigEvalM}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma })\), and returns \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\).

To formalize context-hiding, we require that there exists a simulator that can simulate the output of the hide algorithm given only the secret signing key \(\mathsf {sk}\), the function C, the output \(C(\vec {x})\), and the message-independent component of the signature \(\sigma ^{\mathsf {pk}}_{C(\vec {x})}\). We give the formal definition below:

Definition B.10

(Context-Hiding Against Honest Signers)

Fix a security parameter \(\lambda \). Let \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) be a decomposable homomorphic signature scheme (Definition B.9) with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\), where each \(\mathcal {C}_\lambda \) is a collection of functions from \(\mathcal {X}^\ell \) to \(\mathcal {X}\). For a bit \(b \in \{0,1\}\), a simulator \(\mathcal {S}\) and an adversary \(\mathcal {A}\), we define the weak context-hiding security experiment against an honest signer \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\textsf {ch-honest}}(\lambda ,b)\) as follows:

1. 1.

   The challenger begins by generating a signing and verification key \((\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\) and sends \((\mathsf {vk}, \mathsf {sk})\) to \(\mathcal {A}\).

2. 2.

   The adversary \(\mathcal {A}\) can then submit (adaptive) queries to the challenger where each query consists of a public key \(\mathsf {pk}\), a message \(x \in \mathcal {X}\), and a signature \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\). On each query, the challenger first checks that \(\mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) = 1\). If this is not the case, then the challenger ignores the query and replies with \(\bot \). Otherwise, the challenger proceeds as follows:

   • If \(b = 0\), the challenger evaluates \(\sigma ^*\leftarrow \mathsf {Hide}(\mathsf {vk}, x, \sigma )\) and sends \(\sigma ^*\) to \(\mathcal {A}\).

   • If \(b = 1\), the challenger computes \(\sigma ^*\leftarrow \mathcal {S}(\mathsf {pk}, \mathsf {vk}, \mathsf {sk}, x, \sigma ^{\mathsf {pk}})\). It sends \(\sigma ^*\) to \(\mathcal {A}\).

3. 3.

   Finally, \(\mathcal {A}\) outputs a bit \(b' \in \{0,1\}\), which is also the output of the experiment.

We say that a homomorphic signature scheme \(\Pi _{\mathsf {HS}}\) satisfies context-hiding against an honest signer if there exists an efficient simulator \(\mathcal {S}\) such that for all efficient adversaries \(\mathcal {A}\),

$$\begin{aligned} \big | \Pr [\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\textsf {ch-honest}}(\lambda ,0) = 1] - \Pr [\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\textsf {ch-honest}}(\lambda ,1) = 1] \big | = \mathsf {negl}(\lambda ). \end{aligned}$$

Context-hiding against malicious signers Typically, context-hiding is defined with respect to an honest signer that generates the signing and verification keys using the honest key generation algorithm \(\mathsf {KeyGen}\). However, when constructing blind homomorphic signatures (Appendix B.2) with security against malicious signers, the assumption that the keys are correctly generated no longer makes sense. Hence, we need a stronger security property that context-hiding holds even if the signing and verification keys for the homomorphic signature scheme are maliciously constructed.

Definition B.10 does not satisfy this stronger notion of context-hiding because the challenger samples \((\mathsf {vk}, \mathsf {sk})\) using the honest \(\mathsf {KeyGen}\) algorithm, and the simulator is provided the (honestly generated) signing key \(\mathsf {sk}\). The natural way to extend Definition B.10 to achieve security against malicious signers is to allow the adversary to choose the verification key \(\mathsf {vk}\) and signing key \(\mathsf {sk}\). However, this is too restrictive because the adversary could potentially cook up signatures that verify under \(\mathsf {vk}\), and yet, there is no natural notion of a signing key. To circumvent this issue, we introduce a stronger notion of context-hiding that holds against any party with the capability to sign messages. More concretely, we require the existence of a simulator that can extract a simulation trapdoor\(\mathsf {td}\) from any admissible set of valid message–signature pairs. This trapdoor information \(\mathsf {td}\) replaces the signing key \(\mathsf {sk}\) as input to the simulator.

In our construction of homomorphic signatures (Construction B.13), we say that a pair of messages \((\tilde{x}_0, {\tilde{\sigma }}_0)\) and \((\tilde{x}_1, {\tilde{\sigma }}_1)\) is admissible if \(\tilde{x}_0 \ne \tilde{x}_1\) and \({\tilde{\sigma }}_0\) and \({\tilde{\sigma }}_1\) are valid signatures of \(\tilde{x}_0\) and \(\tilde{x}_1\), respectively (with the same public components). Intuitively, our definition captures the fact that context-hiding holds against any signer, as long as they are able to produce or forge valid signatures on distinct messages \(\tilde{x}_0\) and \(\tilde{x}_1\) under some verification key \(\mathsf {vk}\). Note that this definition subsumes Definition B.10, since any signer with an honestly generated signing key can sign arbitrary messages of its choosing.

Definition B.11

(Context-Hiding)

Fix a security parameter \(\lambda \). Let \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) be a decomposable homomorphic signature scheme (Definition B.9) with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\), where each \(\mathcal {C}_\lambda \) is a collection of functions from \(\mathcal {X}^\ell \) to \(\mathcal {X}\). For a bit \(b \in \{0,1\}\), a simulator \(\mathcal {S}= (\mathcal {S}^\mathsf {Ext}, \mathcal {S}^\mathsf {Gen})\), and an adversary \(\mathcal {A}\), we define the context-hiding security experiment \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\textsf {ch}}(\lambda , b)\) as follows:

1. 1.

   At the start of the experiment, \(\mathcal {A}\) submits a public key \(\mathsf {pk}\), a verification key \(\mathsf {vk}\), and two message–signature pairs \((\tilde{x}_0, {\tilde{\sigma }}_0)\), \((\tilde{x}_1, {\tilde{\sigma }}_1)\) where \(\tilde{x}_0, \tilde{x}_1 \in \mathcal {X}\) and \(\tilde{x}_0 \ne \tilde{x}_1\) to the challenger.

2. 2.

   The challenger parses the signatures as \({\tilde{\sigma }}_0 = ({\tilde{\sigma }}^{\mathsf {pk}}_0, {\tilde{\sigma }}^{\mathsf {m}}_0)\) and \({\tilde{\sigma }}_1 = ({\tilde{\sigma }}^{\mathsf {pk}}_1, {\tilde{\sigma }}^{\mathsf {m}}_1)\), and checks that \(\tilde{x}_0 \ne \tilde{x}_1\), \({\tilde{\sigma }}^{\mathsf {pk}}_0 = {\tilde{\sigma }}^{\mathsf {pk}}_1\), and that \(\mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, \tilde{x}_0, {\tilde{\sigma }}_0) = 1 = \mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, \tilde{x}_1, {\tilde{\sigma }}_1)\). If this is not the case, then the experiment halts with output 0. Otherwise, the challenger invokes the simulator \(\mathsf {td}\leftarrow \mathcal {S}^\mathsf {Ext}(\mathsf {pk}, \mathsf {vk}, (\tilde{x}_0, {\tilde{\sigma }}_0), (\tilde{x}_1, {\tilde{\sigma }}_1))\).

3. 3.

   The adversary \(\mathcal {A}\) can then submit (adaptive) queries to the challenger where each query consists of a public key \(\mathsf {pk}'\), a message \(x \in \mathcal {X}\), and a signature \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\). For each query, the challenger checks that \(\mathsf {Verify}(\mathsf {pk}', \mathsf {vk}, x, \sigma ) = 1\). If this is not the case, then the challenger ignores the query and replies with \(\bot \). Otherwise, it proceeds as follows:

   • If \(b = 0\), the challenger evaluates \(\sigma ^*\leftarrow \mathsf {Hide}\big (\mathsf {vk}, x, (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}}) \big )\) and sends \(\sigma ^*\) to \(\mathcal {A}\).

   • If \(b = 1\), the challenger computes \(\sigma ^*\leftarrow \mathcal {S}^\mathsf {Gen}(\mathsf {pk}', \mathsf {vk}, \mathsf {td}, x, \sigma ^{\mathsf {pk}})\). It provides \(\sigma ^*\) to \(\mathcal {A}\).

4. 4.

   Finally, \(\mathcal {A}\) outputs a bit \(b' \in \{0,1\}\), which is also the output of the experiment.

We say that a homomorphic signature scheme \(\Pi _{\mathsf {HS}}\) satisfies context-hiding if there exists an efficient simulator \(\mathcal {S}= (\mathcal {S}^\mathsf {Ext}, \mathcal {S}^\mathsf {Gen})\) such that for all efficient adversaries \(\mathcal {A}\),

$$\begin{aligned} \big | \Pr [\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 0) = 1] - \Pr [\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 1) = 1] \big | = \mathsf {negl}(\lambda ). \end{aligned}$$

Compactness The final property that we require from a homomorphic signature scheme is compactness. Roughly speaking, compactness requires that given a message–signature pair \((\vec {x}, \vec {\sigma })\), the size of the signature obtained from homomorphically evaluating a function C on \(\vec {\sigma }\) depends only on the size of the output message \(\left| C(\vec {x}) \right| \) (and the security parameter) and is independent of the size of the original message \(\left| \vec {x} \right| \).

Definition B.12

(Compactness)

Fix a security parameter \(\lambda \). Let \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) be a homomorphic signature scheme with message space \(\mathcal {X}\), message length \(\ell \), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\), where each \(\mathcal {C}_\lambda \) is a collection of Boolean circuits from \(\mathcal {X}^\ell \) to \(\mathcal {X}\) of depth at most \(d = d(\lambda )\). We say that \(\Pi _{\mathsf {HS}}\) is compact if there exists a universal polynomial \(\mathsf {poly}(\cdot )\) such that for all \(\lambda \in \mathbb {N}\), messages \(\vec {x}\in \mathcal {X}^\ell \), and functions \(C \in \mathcal {C}_\lambda \), and setting \(\vec {\mathsf {pk}}\leftarrow \mathsf {PrmsGen}(1^\lambda , 1^\ell )\), \((\mathsf {vk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\), \(\vec {\sigma }\leftarrow \mathsf {Sign}(\vec {\mathsf {pk}}, \mathsf {sk}, \vec {x})\), and \(\sigma \leftarrow \mathsf {SigEval}(C, \vec {\mathsf {pk}}, \vec {x}, \vec {\sigma })\), we have that \(\left| \sigma \right| \le \mathsf {poly}(\lambda , d)\). In particular, the size of the evaluated signature \(\left| \sigma \right| \) depends only on the depth of the circuit C, and not on the message length \(\ell \).²¹

1.4 B.4 Homomorphic Signatures Construction

In this section, we show that the [96] homomorphic signature construction is decomposable in the sense of Definition B.9, and in addition, it satisfies our stronger notion of context-hiding (Definition B.11). We start with a description of a simpler variant of the [96] construction that satisfies selective unforgeability (Remark B.8), and show that it satisfies context-hiding (against malicious signers). Although it is possible to directly construct a homomorphic signature scheme that satisfies adaptive security, the simpler variant better demonstrates the main ideas of the construction. In Appendix B.5, we modify the construction and show that it satisfies both adaptive unforgeability and strong context-hiding (Corollary B.24).

Construction B.13

(Selectively Secure Homomorphic Signature [96, adapted])

Fix a security parameter \(\lambda \) and a message length \(\ell = \mathsf {poly}(\lambda )\). Let \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\) be a function class where each \(\mathcal {C}_\lambda \) is a collection of Boolean circuits of depth at most \(d = d(\lambda )\) from \(\{0,1\}^\ell \) to \(\{0,1\}\). In our description, we use lattice trapdoors and the GSW homomorphic operations described in Appendix 3.1. For lattice parameters n, m, q, and norm bounds \(\beta _{\mathsf {ini}}\), \(\beta _{\mathsf {eval}}\), \(\beta _{\mathsf {hide}}\), we construct a decomposable homomorphic signature scheme \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) with message space \(\mathcal {X}= \{0,1\}\), message length \(\ell \), and function class \(\mathcal {C}\) as follows:

• \(\mathsf {PrmsGen}(1^\lambda , 1^\ell ) \rightarrow \vec {\mathsf {pk}}\): On input the security parameter \(\lambda \) and the message length \(\ell \), the parameter generation algorithm samples matrices \(\mathbf {V}_1, \ldots , \mathbf {V}_\ell \mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_q^{n \times m}\). It sets \(\mathsf {pk}_i = \mathbf {V}_i\) for \(i \in [\ell ]\) and returns the public keys \(\vec {\mathsf {pk}}= (\mathsf {pk}_1, \ldots , \mathsf {pk}_\ell )\).

• \(\mathsf {KeyGen}(1^\lambda ) \rightarrow (\mathsf {vk}, \mathsf {sk})\): On input the security parameter \(\lambda \), the key generation algorithm samples a lattice trapdoor \((\mathbf {A}, \mathsf {td}) \leftarrow \mathsf {TrapGen}(1^\lambda )\). It sets \(\mathsf {vk}= \mathbf {A}\) and \(\mathsf {sk}= (\mathbf {A}, \mathsf {td})\).

• \(\mathsf {Sign}(\mathsf {pk}_i, \mathsf {sk}, x_i) \rightarrow \sigma _i\): The signing algorithm computes \(\sigma ^{\mathsf {pk}}_i \leftarrow \mathsf {SignPK}(\mathsf {pk}_i, \mathsf {sk})\) and \(\sigma ^{\mathsf {m}}_i \leftarrow \mathsf {SignM}(\mathsf {pk}_i, \mathsf {sk}, x_i, \sigma ^{\mathsf {pk}}_i)\) where the algorithms \(\mathsf {SignPK}\) and \(\mathsf {SignM}\) are defined as follows:

  1. –

     \(\mathsf {SignPK}(\mathsf {pk}_i, \mathsf {sk}) \rightarrow \sigma ^{\mathsf {pk}}_i\): The \(\mathsf {SignPK}\) algorithm outputs the empty string \(\sigma ^{\mathsf {pk}}_i = \varepsilon \).

  2. –

     \(\mathsf {SignM}(\mathsf {pk}_i, \mathsf {sk}, x_i, \sigma ^{\mathsf {pk}}_i) \rightarrow \sigma ^{\mathsf {m}}_i\): On input a public key \(\mathsf {pk}_i = \mathbf {V}_i\), a signing key \(\mathsf {sk}= (\mathbf {A}, \mathsf {td})\), a message \(x \in \{0,1\}\), and the public signature component \(\sigma ^{\mathsf {pk}}_i\), the \(\mathsf {SignM}\) algorithm samples a preimage \(\mathbf {U}_i \leftarrow \mathsf {SamplePre}(\mathbf {A}, \mathbf {V}_i - x_i \cdot \mathbf {G}, \mathsf {td})\) and outputs \(\sigma ^{\mathsf {m}}_i = \mathbf {U}_i\).

  Finally, the signing algorithm outputs the signature \(\sigma _i = (\sigma ^{\mathsf {pk}}_i, \sigma ^{\mathsf {m}}_i)\).

• \(\mathsf {PrmsEval}(C, \vec {\mathsf {pk}}')) \rightarrow \mathsf {pk}_C\): On input a Boolean circuit \(C :\{0,1\}^\ell \rightarrow \{0,1\}\) and a collection of public keys \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_i')\) where \(\mathsf {pk}_i' = \mathbf {V}_i'\) for \(i \in [\ell ]\), the parameter evaluation algorithm outputs the evaluated public key \(\mathsf {pk}_C = \mathbf {V}_C \leftarrow \mathsf {EvalPK}(\mathbf {V}_1', \ldots , \mathbf {V}_\ell ', C)\).

• \(\mathsf {SigEval}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma }) \rightarrow \sigma \): The signature evaluation algorithm first parses \(\vec {\sigma }= (\vec {\sigma }^{\mathsf {pk}}, \vec {\sigma }^{\mathsf {m}})\). Then, it computes \(\sigma ^{\mathsf {pk}}\leftarrow \mathsf {SigEvalPK}(C, \vec {\mathsf {pk}}', \vec {\sigma }^{\mathsf {pk}})\) and \(\sigma ^{\mathsf {m}} \leftarrow \mathsf {SigEvalM}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma })\), where the algorithms \(\mathsf {SigEvalPK}\) and \(\mathsf {SigEvalM}\) are defined as follows:

  1. –

     \(\mathsf {SigEvalPK}(C, \vec {\mathsf {pk}}', \vec {\sigma }^{\mathsf {pk}}) \rightarrow \sigma ^{\mathsf {pk}}\): The \(\mathsf {SigEvalPK}\) algorithm outputs the empty string \(\sigma ^{\mathsf {pk}}= \varepsilon \).

  2. –

     \(\mathsf {SigEvalM}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma }) \rightarrow \sigma ^{\mathsf {m}}\): On input a Boolean circuit \(C :\{0,1\}^\ell \rightarrow \{0,1\}\), a set of public keys \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_\ell ')\), messages \(\vec {x}= (x_1, \ldots , x_\ell )\), and signatures \(\vec {\sigma }= (\sigma _1, \ldots , \sigma _\ell )\), the \(\mathsf {SigEvalM}\) algorithm first parses \(\mathsf {pk}_i' = \mathbf {V}_i'\) and \(\sigma _i = (\sigma ^{\mathsf {pk}}_i, \sigma ^{\mathsf {m}}_i) = (\varepsilon , \mathbf {U}_i)\) for all \(i \in [\ell ]\). Then, it outputs \(\sigma ^{\mathsf {m}}= \mathbf {U}_C \leftarrow \mathsf {EvalU}\big ( (\mathbf {V}_1', x_1, \mathbf {U}_1), \ldots , (\mathbf {V}_\ell ', x_\ell , \mathbf {U}_\ell ), C \big )\).

  Finally, it outputs the signature \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\).

• \(\mathsf {Hide}(\mathsf {vk}, x, \sigma ) \rightarrow \sigma ^*\): On input a verification key \(\mathsf {vk}= \mathbf {A}\), a message \(x \in \{0,1\}\), and a signature \(\sigma = (\varepsilon , \mathbf {U})\), the hide algorithm samples and outputs a signature

  $$\begin{aligned} \sigma ^*= \mathbf {u}\leftarrow \mathsf {SampleRight}(\mathbf {A}, \mathbf {A}\mathbf {U}+ (2x-1) \cdot \mathbf {G}, \mathbf {U}, \mathbf {0}, \beta _{\mathsf {hide}}). \end{aligned}$$

• \(\mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}= \mathbf {V}\), a verification key \(\mathsf {vk}= \mathbf {A}\), a message \(x \in \mathcal {X}\), and a signature \(\sigma = (\varepsilon , \mathbf {U})\), the verification algorithm first checks whether \(\mathbf {A}\) is a rank-n matrix and outputs 0 if this is the case. Then, it outputs 1 if \({ \Vert \mathbf {U} \Vert } \le \beta _{\mathsf {eval}}\) and \(\mathbf {A}\mathbf {U}+ x \cdot \mathbf {G}= \mathbf {V}\) and 0 otherwise.

• \(\mathsf {VerifyFresh}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}= \mathbf {V}\), a verification key \(\mathsf {vk}= \mathbf {A}\), a message \(x \in \mathcal {X}\) and a signature \(\sigma = (\varepsilon , \mathbf {U})\), the fresh verification algorithm first checks whether \(\mathbf {A}\) is a rank-n matrix and outputs 0 if this is the case. Then, it outputs 1 if \({ \Vert \mathbf {U} \Vert } \le \beta _{\mathsf {ini}}\) and \(\mathbf {A}\mathbf {U}+ x \cdot \mathbf {G}= \mathbf {V}\) and 0 otherwise.

• \(\mathsf {VerifyHide}(\mathsf {pk}_C, \mathsf {vk}, x, \sigma ^*) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}_C = \mathbf {V}\), a verification key \(\mathsf {vk}= \mathbf {A}\), a message \(x \in \{0,1\}\), and a signature \(\sigma ^*= \mathbf {u}\), the hide verification algorithm first checks whether \(\mathbf {A}\) is a rank-n matrix and outputs 0 if this is the case. Then, it checks that \({ \Vert \mathbf {u} \Vert } \le \beta _{\mathsf {hide}}\) and that \([\mathbf {A}~|~ \mathbf {V}+ (x-1) \cdot \mathbf {G}] \cdot \mathbf {u}= \mathbf {0}\), and accepts if both of these conditions hold. Otherwise, it rejects.

We now state and prove the correctness and security theorems for Construction B.13.

Theorem B.14

(Correctness)

Fix a security parameter \(\lambda \), lattice parameters n, m, q, norm bounds \(\beta _{\mathsf {ini}}, \beta _{\mathsf {eval}}, \beta _{\mathsf {hide}}\), and a depth bound d. Suppose \(m = O(n \log q)\), \(\beta _{\mathsf {ini}}\ge O(n \sqrt{\log q})\), \(\beta _{\mathsf {eval}}\ge {\beta _{\mathsf {ini}}\cdot m^{O(d)}}\), \(\beta _{\mathsf {hide}}\ge \beta _{\mathsf {eval}}\cdot \omega (m \sqrt{\log m})\), and \(q \ge \beta _{\mathsf {hide}}\). Then, \(\Pi _{\mathsf {HS}}\) from Construction B.13 satisfies signing correctness (Definition B.4), evaluation correctness (Definition B.5), and hiding correctness (Definition B.6).

Proof

Signing correctness follows from Theorem A.1, evaluation correctness follows from Theorem A.3, and hiding correctness follows from Theorem A.2. \(\square \)

Theorem B.15

(Unforgeability)

Fix a security parameter \(\lambda \), lattice parameters n, m, q, norm bounds \(\beta _{\mathsf {ini}}, \beta _{\mathsf {eval}}, \beta _{\mathsf {hide}}\), and a depth bound d. Suppose \(m = O(n \log q)\). Then, under the \(\mathsf {SIS}(n,m,q,\beta _{\mathsf {eval}})\) assumption, \(\Pi _{\mathsf {HS}}\) in Construction B.13 satisfies selective unforgeability (Definition B.7, Remark B.8).

Proof

Follows from [96, §6]. \(\square \)

Theorem B.16

(Context-Hiding)

Fix a security parameter \(\lambda \), lattice parameters n, m, q, norm bounds \(\beta _{\mathsf {ini}}, \beta _{\mathsf {eval}}, \beta _{\mathsf {hide}}\), and a depth bound d. Suppose \(m = O(n \log q)\), \(\beta _{\mathsf {hide}}\ge 2 \cdot \beta _{\mathsf {eval}}\cdot \omega (m \sqrt{\log m})\), and \(q \ge \beta _{\mathsf {hide}}\). Then, \(\Pi _{\mathsf {HS}}\) in Construction B.13 satisfies context-hiding security (Definition B.11).

Proof of Theorem B.16

We construct a simulator \(\mathcal {S}= (\mathcal {S}^\mathsf {Ext}, \mathcal {S}^\mathsf {Gen})\) as follows:

• \(\mathcal {S}^\mathsf {Ext}(\mathsf {pk}, \mathsf {vk}, (\tilde{x}_0, {\tilde{\sigma }}_0), (\tilde{x}_1, {\tilde{\sigma }}_1))\): On input a public key \(\mathsf {pk}\), a verification key \(\mathsf {vk}\), and two message–signature pairs \((\tilde{x}_0, {\tilde{\sigma }}_0)\), \((\tilde{x}_1, {\tilde{\sigma }}_1)\), the simulator first parses \({\tilde{\sigma }}_0 = (\varepsilon , \tilde{\mathbf {U}}_0)\), \({\tilde{\sigma }}_1 = (\varepsilon , \tilde{\mathbf {U}}_1)\), and then outputs the simulation trapdoor \(\mathsf {td}= \tilde{\mathbf {U}}_0 - \tilde{\mathbf {U}}_1\).

• \(\mathcal {S}^\mathsf {Gen}(\mathsf {pk}, \mathsf {vk}, \mathsf {td}, x, \sigma ^{\mathsf {pk}})\): On input a public key \(\mathsf {pk}= \mathbf {V}\), a verification key \(\mathsf {vk}= \mathbf {A}\), a trapdoor \(\mathsf {td}= \tilde{\mathbf {U}}\), a message \(x \in \{0,1\}\), and a message-independent component \(\sigma ^{\mathsf {pk}}\), the simulator computes \(\mathbf {u}\leftarrow \mathsf {SampleLeft}(\mathbf {A}, \mathbf {V}+ (x-1) \cdot \mathbf {G}, \tilde{\mathbf {U}}, \mathbf {0}, \beta ^*)\), and returns \(\mathbf {u}\).

We now show that for any adversary \(\mathcal {A}\), the experiments \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 0)\) and \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 1)\) are statistically indistinguishable. Consider the context-hiding experiment:

• Let \(\mathsf {pk}= \mathbf {V}\), \(\mathsf {vk}= \mathbf {A}\), and \((\tilde{x}_0, {\tilde{\sigma }}_0)\), \((\tilde{x}_1, {\tilde{\sigma }}_1)\) be the values that \(\mathcal {A}\) sends to the challenger. Write \({\tilde{\sigma }}_0 = (\varepsilon , \tilde{\mathbf {U}}_0)\) and \({\tilde{\sigma }}_1 = (\varepsilon , \tilde{\mathbf {U}}_1)\). Without loss of generality, we can assume that \(\mathbf {A}\) is a rank-n matrix, \(\tilde{x}_0 \ne \tilde{x}_1\), and \(\mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, \tilde{x}_0, {\tilde{\sigma }}_0) = 1 = \mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, \tilde{x}_1, {\tilde{\sigma }}_1)\). Otherwise, the output is always 0 in both experiments. Since \(\tilde{x}_0, \tilde{x}_1 \in \{0,1\}\) and \(\tilde{x}_0 \ne \tilde{x}_1\), we can assume without loss of generality that \(\tilde{x}_0 = 0\) and \(\tilde{x}_1 = 1\). Moreover, since \({\tilde{\sigma }}_0\) and \({\tilde{\sigma }}_1\) are valid signatures, \({ \Vert \tilde{\mathbf {U}}_0 \Vert }, { \Vert \tilde{\mathbf {U}}_1 \Vert } \le \beta _{\mathsf {eval}}\). This means that \(\tilde{\mathbf {U}}= \tilde{\mathbf {U}}_0 - \tilde{\mathbf {U}}_1\) has bounded norm \({ \Vert \tilde{\mathbf {U}} \Vert } \le 2 \cdot \beta _{\mathsf {eval}}\) and, moreover, that \(\mathbf {A}\tilde{\mathbf {U}}= \mathbf {G}\), so \(\mathsf {td}= \tilde{\mathbf {U}}\) is a \(\mathbf {G}\)-trapdoor for \(\mathbf {A}\) (Theorem A.2).

• Let \(\mathsf {pk}' = \mathbf {V}'\), \(x \in \{0,1\}\), \(\sigma = (\varepsilon , \mathbf {U})\) be a query that \(\mathcal {A}\) makes to the challenger. If \(\mathbf {A}\mathbf {U}+ x \cdot \mathbf {G}\ne \mathbf {V}'\) or \({ \Vert \mathbf {U} \Vert } > \beta _{\mathsf {eval}}\), then the challenger ignores the query (and replies with \(\bot \)) in both experiments. Therefore, assume that \(\mathbf {A}\mathbf {U}+ x \cdot \mathbf {G}= \mathbf {V}'\) and \({ \Vert \mathbf {U} \Vert } \le \beta _{\mathsf {eval}}\). Then the challenger proceeds as follows:

  1. –

     In \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 0)\), the challenger’s response is \(\mathbf {u}\leftarrow \mathsf {SampleRight}(\mathbf {A}, \mathbf {A}\mathbf {U}+ (2x-1) \cdot \mathbf {G}, \mathbf {U}, \mathbf {0}, \beta _{\mathsf {hide}})\).

  2. –

     In \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 1)\), the challenger responds with \(\mathbf {u}\leftarrow \mathcal {S}^\mathsf {Gen}(\mathsf {pk}', \mathsf {vk}, \mathsf {td}, x, \sigma ^{\mathsf {pk}})\), which is equivalent to \(\mathbf {u}\leftarrow \mathsf {SampleLeft}(\mathbf {A}, \mathbf {V}' + (x-1) \cdot \mathbf {G}, \tilde{\mathbf {U}}, \mathbf {0}, \beta _{\mathsf {hide}})\).

Since \(\mathbf {V}' + (x-1) \cdot \mathbf {G}= \mathbf {A}\mathbf {U}+ (2x-1) \cdot \mathbf {G}\), by Theorem A.2, as long as \(\max ({ \Vert \mathbf {U} \Vert }, { \Vert \tilde{\mathbf {U}} \Vert }) \cdot \omega (m \sqrt{\log m}) \le \beta _{\mathsf {hide}}\le q\) the challenger’s responses to all of the queries in the two experiments are statistically indistinguishable. From above, \({ \Vert \tilde{\mathbf {U}} \Vert } \le 2 \cdot \beta _{\mathsf {eval}}\) and \({ \Vert \mathbf {U} \Vert } \le \beta _{\mathsf {eval}}\), and the claim follows. \(\square \)

Remark B.17

(Weak Context-Hiding) Theorem B.16 implies that the homomorphic signature scheme \(\Pi _{\mathsf {HS}}\) in Construction B.13 also satisfies context-hiding security against honest signers (Definition B.10). Specifically, Theorem B.16 guarantees the existence of a simulator \(\mathcal {S}= (\mathcal {S}^\mathsf {Ext}, \mathcal {S}^\mathsf {Gen})\) that can be used to simulate the signatures generated by the \(\mathsf {Hide}\) algorithm. In the context-hiding security game against honest signers, the signing key \(\mathsf {sk}\) and verification key \(\mathsf {vk}\) are generated honestly, and the context-hiding simulator \(\mathcal {S}_{\mathsf {hon}}\) is given both \(\mathsf {vk}\) and \(\mathsf {sk}\). Given \(\mathsf {sk}\), the simulator \(\mathcal {S}_{\mathsf {hon}}\) can choose an arbitrary public key \(\mathsf {pk}= \mathbf {V}\mathop \leftarrow \limits ^{\mathrm{R}}\mathbb {Z}_{q}^{n \times m}\), and construct honest signatures \({\tilde{\sigma }}_0 \leftarrow \mathsf {Sign}(\mathsf {pk}, \mathsf {sk}, 0)\) and \({\tilde{\sigma }}_1 \leftarrow \mathsf {Sign}(\mathsf {pk}, \mathsf {sk}, 1)\). Simulator \(\mathcal {S}_{\mathsf {hon}}\) can then invoke \(\mathcal {S}^\mathsf {Ext}\) on \((\mathsf {pk}, \mathsf {vk}, (0, {\tilde{\sigma }}_0), (1, {\tilde{\sigma }}_1))\) to obtain the simulation trapdoor \(\mathsf {td}\), and then use \(\mathcal {S}^\mathsf {Gen}\) to simulate the \(\mathsf {Hide}\) algorithm. Thus, we can construct a simulator \(\mathcal {S}_{\mathsf {hon}}\) for the weak context-hiding security game using the simulator \(\mathcal {S}\) guaranteed by Theorem B.16.

Theorem B.18

(Compactness) Fix a security parameter \(\lambda \), lattice parameters n, m, q, norm bounds \(\beta _{\mathsf {ini}}, \beta _{\mathsf {eval}}, \beta _{\mathsf {hide}}\), and a depth bound d. Suppose \(n = \mathsf {poly}(\lambda )\), \(m = O(n \log q)\), and \(q = 2^{\mathsf {poly}(\lambda , d)}\). Then, \(\Pi _{\mathsf {HS}}\) in Construction B.13 satisfies compactness (Definition B.12).

Proof

Follows from Theorem A.3. Specifically, the signature output by \(\mathsf {SigEval}\) is a matrix \(\mathbf {U}\in \mathbb {Z}_{q}^{m \times m}\) which has size \(m^2 \log q = \mathsf {poly}(\lambda , d)\). \(\square \)

1.5 B.5 Adaptively Secure Homomorphic Signatures

Our construction of blind homomorphic signatures (and correspondingly, our construction of UC-NIZKs in the preprocessing model) will rely on adaptively secure homomorphic signatures. In this section, we show how to transform a homomorphic signature scheme that satisfies only selective unforgeability to full unforgeability (Definition B.7). Although the transformation follows the construction of [96], we give the full construction to show that the resulting construction still satisfies our strengthened notion of context-hiding (Definition B.11).

Construction B.19

(Adaptively Secure Homomorphic Signature [96, adapted]) Fix a security parameter \(\lambda \) and a message length \(\ell \in \mathbb {N}\). Let \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\) be a function class where each \(\mathcal {C}_\lambda \) is a collection of Boolean circuits (on \(\ell \)-bit inputs). Then, define the following quantities:

• First, let \(\Pi _{\mathsf {HS},\mathsf {in}}= (\mathsf {PrmsGen}_{\mathsf {in}}, \mathsf {KeyGen}_{\mathsf {in}}, \mathsf {Sign}_{\mathsf {in}}, \mathsf {PrmsEval}_{\mathsf {in}}, \mathsf {SigEval}_{\mathsf {in}}, \mathsf {Hide}_{\mathsf {in}}, \mathsf {Verify}_{\mathsf {in}}, \mathsf {VerifyFresh}_{\mathsf {in}}, \mathsf {VerifyHide}_{\mathsf {in}})\) be a selectively secure decomposable homomorphic signature scheme with message space \(\{0,1\}\), message length \(\ell \in \mathbb {N}\), and function class \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\). This is the “inner” homomorphic signature scheme that will be used to sign messages \(\vec {x}\in \{0,1\}^\ell \). For simplicity, assume also that the signatures in \(\Pi _{\mathsf {HS},\mathsf {in}}\) have an “empty” message-independent component.²²

• Let \(\rho \) be the length of the public keys in \(\Pi _{\mathsf {HS},\mathsf {in}}\). For a circuit \(C \in \mathcal {C}_\lambda \), let \(F_C\) be the function that maps \(\vec {\mathsf {pk}}_{\mathsf {in}} \mapsto \mathsf {PrmsEval}_{\mathsf {in}}(C, \vec {\mathsf {pk}}_\mathsf {in})\), where \(\vec {\mathsf {pk}}_\mathsf {in}\) are the public parameters output by \(\mathsf {PrmsGen}_\mathsf {in}\). Let \(\mathcal {C}' = \{ \mathcal {C}_\lambda ' \}_{\lambda \in \mathbb {N}}\) be a function class where each function class \(\mathcal {C}_\lambda '\) contains all functions \(F_C\) for \(C \in \mathcal {C}_\lambda \).

• Finally, let \(\Pi _{\mathsf {HS},\mathsf {out}}= (\mathsf {PrmsGen}_{\mathsf {out}}, \mathsf {KeyGen}_{\mathsf {out}}, \mathsf {Sign}_{\mathsf {out}}, \mathsf {PrmsEval}_{\mathsf {out}}, \mathsf {SigEval}_{\mathsf {out}}, \mathsf {Hide}_{\mathsf {out}}, \mathsf {Verify}_{\mathsf {out}}, \mathsf {VerifyFresh}_{\mathsf {out}}, \mathsf {VerifyHide}_{\mathsf {out}})\) be a selectively secure homomorphic signature scheme with message space \(\{0,1\}\), message length \(\rho \in \mathbb {N}\), and function class \(\mathcal {C}' = \{ \mathcal {C}'_{\lambda } \}_{\lambda \in \mathbb {N}}\). This is the “outer” homomorphic signature scheme that will be used to sign the public keys of \(\Pi _{\mathsf {HS},\mathsf {in}}\).

We construct a homomorphic signature scheme \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) for message space \(\{0,1\}\), message length \(\ell \), and function class \(\mathcal {C}\) as follows:

• \(\mathsf {PrmsGen}(1^\lambda , 1^\ell ) \rightarrow \vec {\mathsf {pk}}\): On input the security parameter \(\lambda \) and message length \(\ell \), the parameter generation algorithm generates independent public parameters \(\vec {\mathsf {pk}}_{\mathsf {out}, i} \leftarrow \mathsf {PrmsGen}_\mathsf {out}(1^\lambda , 1^\rho )\) for \(i \in [\ell ]\). Then, it sets \(\mathsf {pk}_i = \vec {\mathsf {pk}}_{\mathsf {out}, i}\) for \(i \in [\ell ]\) and returns \(\vec {\mathsf {pk}}= (\mathsf {pk}_1, \ldots , \mathsf {pk}_\ell )\).

• \(\mathsf {KeyGen}(1^\lambda ) \rightarrow (\mathsf {vk}, \mathsf {sk})\): On input the security parameter \(\lambda \), the key generation algorithm generates two pairs of keys \((\mathsf {vk}_\mathsf {in}, \mathsf {sk}_\mathsf {in}) \leftarrow \mathsf {KeyGen}_\mathsf {in}(1^\lambda )\), \((\mathsf {vk}_\mathsf {out}, \mathsf {sk}_\mathsf {out}) \leftarrow \mathsf {KeyGen}_\mathsf {out}(1^\lambda )\), and sets \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\) and \(\mathsf {sk}= (\mathsf {sk}_\mathsf {in}, \mathsf {sk}_\mathsf {out})\).

• \(\mathsf {Sign}(\mathsf {pk}_i, \mathsf {sk}, x_i) \rightarrow \sigma _i\): On input a public key \(\mathsf {pk}_i = \vec {\mathsf {pk}}_{\mathsf {out}, i}\), a signing key \(\mathsf {sk}= (\mathsf {sk}_\mathsf {in}, \mathsf {sk}_\mathsf {out})\), and a message \(x_i \in \{0,1\}\), the signing algorithm computes \(\sigma ^{\mathsf {pk}}_i \leftarrow \mathsf {SignPK}(\mathsf {pk}_i, \mathsf {sk})\) and \(\sigma ^{\mathsf {m}}_i \leftarrow \mathsf {SignM}(\mathsf {pk}_i, \mathsf {sk}, x_i, \sigma ^{\mathsf {pk}}_i)\) where the algorithms \(\mathsf {SignPK}\) and \(\mathsf {SignM}\) are defined as follows:

  1. –

     \(\mathsf {SignPK}(\mathsf {pk}_i, \mathsf {sk})\): The message-independent signing algorithm first samples a fresh public key \(\mathsf {pk}_{\mathsf {in}, i} \leftarrow \mathsf {PrmsGen}_\mathsf {in}(1^\lambda , 1^1)\) for the inner homomorphic signature scheme.²³ By assumption, \(\mathsf {pk}_{\mathsf {in},i}\) is a bit string of length \(\rho \). Then, the algorithm signs the public key \(\mathsf {pk}_{\mathsf {in}, i}\) using the outer signature scheme: \(\vec {\sigma }_{\mathsf {out}, i} \leftarrow \mathsf {Sign}_\mathsf {out}(\vec {\mathsf {pk}}_{\mathsf {out},i}, \mathsf {sk}_\mathsf {out}, \mathsf {pk}_{\mathsf {in}, i})\). It returns \(\sigma ^{\mathsf {pk}}_i = (\vec {\sigma }_{\mathsf {out}, i}, \mathsf {pk}_{\mathsf {in}, i})\).

  2. –

     \(\mathsf {SignM}(\mathsf {pk}_i, \mathsf {sk}, x_i, \sigma ^{\mathsf {pk}})\): The message-dependent signing algorithm parses \(\sigma ^{\mathsf {pk}}= (\vec {\sigma }_{\mathsf {out},i}, \mathsf {pk}_{\mathsf {in}, i})\), and signs the message using the inner signature scheme: \(\sigma _{\mathsf {in},i} \leftarrow \mathsf {Sign}_\mathsf {in}(\mathsf {pk}_{\mathsf {in}, i}, \mathsf {sk}_{\mathsf {in}}, x_i)\). It outputs \(\sigma ^{\mathsf {m}}_i = \sigma _{\mathsf {in}, i}\).

  Finally, the signing algorithm outputs \(\sigma _i = (\sigma ^{\mathsf {pk}}_i, \sigma ^{\mathsf {m}}_i)\).

• \(\mathsf {PrmsEval}(C, \vec {\mathsf {pk}}) \rightarrow \mathsf {pk}_C\): On input a circuit \(C \in \mathcal {C}\) and public parameters \(\vec {\mathsf {pk}}= (\mathsf {pk}_1, \ldots , \mathsf {pk}_\ell )\), the parameter evaluation algorithm parses \(\mathsf {pk}_i = \vec {\mathsf {pk}}_{\mathsf {out},i}\) for each \(i \in [\ell ]\). It outputs \(\mathsf {pk}_C \leftarrow \mathsf {PrmsEval}_\mathsf {out}(F_C, (\vec {\mathsf {pk}}_{\mathsf {out},1}, \ldots , \vec {\mathsf {pk}}_{\mathsf {out},\ell }))\).

• \(\mathsf {SigEval}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma }) \rightarrow \sigma \): On input a circuit \(C \in \mathcal {C}\), public parameters \(\vec {\mathsf {pk}}' = (\mathsf {pk}_1', \ldots , \mathsf {pk}_\ell ')\), a message \(\vec {x}\in \{0,1\}^\ell \), and a signature \(\vec {\sigma }= (\vec {\sigma }^{\mathsf {pk}}, \vec {\sigma }^{\mathsf {m}})\), the signature evaluation algorithm parses \(\mathsf {pk}_i' = \vec {\mathsf {pk}}_{\mathsf {out},i}'\) for all \(i \in [\ell ]\). Then, it computes \(\sigma ^{\mathsf {pk}}\leftarrow \mathsf {SigEvalPK}(C, \vec {\mathsf {pk}}', \vec {\sigma }^{\mathsf {pk}})\) and \(\sigma ^{\mathsf {m}}\leftarrow \mathsf {SigEvalM}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma })\), where \(\mathsf {SigEvalPK}\) and \(\mathsf {SigEvalM}\) are defined as follows:

  1. –

     \(\mathsf {SigEvalPK}(C, \vec {\mathsf {pk}}, \vec {\sigma }^{\mathsf {pk}})\): The message-independent signature evaluation algorithm first parses \(\vec {\sigma }^{\mathsf {pk}}= ((\vec {\sigma }_{\mathsf {out}, 1}, \mathsf {pk}_{\mathsf {in}, 1}), \ldots , (\vec {\sigma }_{\mathsf {out}, \ell }, \mathsf {pk}_{\mathsf {in}, \ell }))\). It then computes

     $$\begin{aligned}&\vec {\sigma }_{\mathsf {out}, C} \leftarrow \mathsf {SigEval}_{\mathsf {out}}(F_C, (\vec {\mathsf {pk}}_{\mathsf {out}, 1}', \ldots , \vec {\mathsf {pk}}_{\mathsf {out}, \ell }'),\\&\quad (\mathsf {pk}_{\mathsf {in}, 1}, \ldots , \mathsf {pk}_{\mathsf {in}, \ell }), (\vec {\sigma }_{\mathsf {out}, 1}, \ldots , \vec {\sigma }_{\mathsf {out}, \ell })), \end{aligned}$$

     and \(\mathsf {pk}_{\mathsf {in}, C} \leftarrow \mathsf {PrmsEval}_{\mathsf {in}}(C, (\mathsf {pk}_{\mathsf {in}, 1}, \ldots , \mathsf {pk}_{\mathsf {in}, \ell }))\). Finally, it returns \(\sigma ^{\mathsf {pk}}= (\vec {\sigma }_{\mathsf {out}, C}, \mathsf {pk}_{\mathsf {in}, C})\).

  2. –

     \(\mathsf {SigEvalM}(C, \vec {\mathsf {pk}}', \vec {x}, \vec {\sigma })\): The message-dependent signature evaluation algorithm writes \(\vec {\sigma }\) as \((\vec {\sigma }^{\mathsf {pk}}, \vec {\sigma }^{\mathsf {m}})\), where \(\vec {\sigma }^{\mathsf {pk}}= ((\vec {\sigma }_{\mathsf {out}, 1}, \mathsf {pk}_{\mathsf {in}, 1}), \ldots , (\vec {\sigma }_{\mathsf {out}, \ell }, \mathsf {pk}_{\mathsf {in}, \ell }))\), and \(\vec {\sigma }^{\mathsf {m}}= (\sigma _{\mathsf {in}, 1}, \ldots , \sigma _{\mathsf {in}, \ell })\). It outputs the signature \(\sigma ^{\mathsf {m}}\leftarrow \mathsf {SigEval}_{\mathsf {in}}(C, (\mathsf {pk}_{\mathsf {in}, 1}, \ldots , \mathsf {pk}_{\mathsf {in}, \ell }), \vec {x}, (\sigma _{\mathsf {in}, 1}, \ldots , \sigma _{\mathsf {in}, \ell }))\).

  Finally, the signature evaluation algorithm outputs \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\).

• \(\mathsf {Hide}(\mathsf {vk}, x, \sigma ) \rightarrow \sigma ^*\): On input a verification key \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\), a message \(x \in \{0,1\}\), and a signature \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\), the hide algorithm parses \(\sigma ^{\mathsf {m}}= \sigma _\mathsf {in}\). It computes \(\sigma ^*_{\mathsf {in}} \leftarrow \mathsf {Hide}_\mathsf {in}(\mathsf {vk}_\mathsf {in}, x, \sigma _\mathsf {in})\), and returns \(\sigma ^*= (\sigma ^{\mathsf {pk}}, \sigma ^*_\mathsf {in})\).

• \(\mathsf {Verify}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}= \vec {\mathsf {pk}}_{\mathsf {out}}\), a verification key \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\), a message \(x \in \{0,1\}\), and a signature \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\), the verification algorithm parses \(\sigma ^{\mathsf {pk}}= (\vec {\sigma }_\mathsf {out}, \mathsf {pk}_\mathsf {in})\), \(\sigma ^{\mathsf {m}}= \sigma _\mathsf {in}\), and accepts if

  $$\begin{aligned}&\mathsf {Verify}_\mathsf {out}(\vec {\mathsf {pk}}_\mathsf {out}, \mathsf {vk}_\mathsf {out}, \mathsf {pk}_\mathsf {in}, \vec {\sigma }_\mathsf {out}) = 1 \quad \text {and} \\&\quad \mathsf {Verify}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, x, \sigma _\mathsf {in}) = 1. \end{aligned}$$

  Otherwise, it rejects.

• \(\mathsf {VerifyFresh}(\mathsf {pk}, \mathsf {vk}, x, \sigma ) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}= \vec {\mathsf {pk}}_{\mathsf {out}}\), a verification key \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\), a message \(x \in \{0,1\}\), and signature \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\), the fresh verification algorithm parses \(\sigma ^{\mathsf {pk}}= (\vec {\sigma }_\mathsf {out}, \mathsf {pk}_\mathsf {in})\), \(\sigma ^{\mathsf {m}}= \sigma _\mathsf {in}\), and accepts if

  $$\begin{aligned} \mathsf {VerifyFresh}_\mathsf {out}(\vec {\mathsf {pk}}_\mathsf {out}, \mathsf {vk}_\mathsf {out}, \mathsf {pk}_\mathsf {in}, \vec {\sigma }_\mathsf {out}) = 1 \quad \text {and} \quad \mathsf {VerifyFresh}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, x, \sigma _\mathsf {in}) = 1. \end{aligned}$$

  Otherwise, it rejects.

• \(\mathsf {VerifyHide}(\mathsf {pk}, \mathsf {vk}, x, \sigma ^*) \rightarrow \{0,1\}\): On input a public key \(\mathsf {pk}= \vec {\mathsf {pk}}_{\mathsf {out}}\), a verification key \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\), a message \(x \in \{0,1\}\), and signature \(\sigma ^*= (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\), the hide verification algorithm parses \(\sigma ^{\mathsf {pk}}= (\vec {\sigma }_\mathsf {out}, \mathsf {pk}_\mathsf {in})\), \(\sigma ^{\mathsf {m}}= \sigma _\mathsf {in}\), and accepts if

  $$\begin{aligned} \mathsf {Verify}_\mathsf {out}(\vec {\mathsf {pk}}_\mathsf {out}, \mathsf {vk}_\mathsf {out}, \mathsf {pk}_\mathsf {in}, \vec {\sigma }_\mathsf {out}) = 1 \quad \text {and} \quad \mathsf {VerifyHide}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, x, \sigma _\mathsf {in}) = 1. \end{aligned}$$

  Otherwise, it rejects.

Theorem B.20

(Correctness) Suppose \(\Pi _{\mathsf {HS},\mathsf {in}}\) and \(\Pi _{\mathsf {HS},\mathsf {out}}\) satisfy signing correctness (Definition B.4), evaluation correctness (Definition B.5), and hiding correctness (Definition B.6). Then, Construction B.19 satisfies signing correctness, evaluation correctness, and hiding correctness.

Proof

Follows by construction. \(\square \)

Theorem B.21

(Unforgeability) Suppose \(\Pi _{\mathsf {HS},\mathsf {in}}\) and \(\Pi _{\mathsf {HS},\mathsf {out}}\) satisfy selective unforgeability (Definition B.7). Then, Construction B.19 satisfies unforgeability (Definition B.5).

Proof

Follows from [96, §4]. \(\square \)

Theorem B.22

(Context-Hiding) Suppose \(\Pi _{\mathsf {HS},\mathsf {in}}\) satisfies context-hiding (Definition B.11). Then, Construction B.19 satisfies context-hiding.

Proof

Let \(\mathcal {S}_\mathsf {in}= (\mathcal {S}^\mathsf {Ext}_\mathsf {in}, \mathcal {S}^\mathsf {Gen}_\mathsf {in})\) be the context-hiding simulator for \(\Pi _{\mathsf {HS},\mathsf {in}}\). We construct a context-hiding simulator \(\mathcal {S}= (\mathcal {S}^\mathsf {Ext}, \mathcal {S}^\mathsf {Gen})\) for \(\Pi _{\mathsf {HS}}\) as follows:

• \(\mathcal {S}^\mathsf {Ext}(\mathsf {pk}, \mathsf {vk}, (\tilde{x}_0, {\tilde{\sigma }}_0), (\tilde{x}_1, {\tilde{\sigma }}_1))\): On input a public key \(\mathsf {pk}\), a verification key \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\), and two message–signature pairs \((\tilde{x}_0, {\tilde{\sigma }}_0)\), \((\tilde{x}_1, {\tilde{\sigma }}_1)\), the simulator first parses \({\tilde{\sigma }}_0 = (\tilde{\sigma }^{\mathsf {pk}}_0, \tilde{\sigma }^{\mathsf {m}}_0)\), and \({\tilde{\sigma }}_1 = (\tilde{\sigma }^{\mathsf {pk}}_1, \tilde{\sigma }^{\mathsf {m}}_1)\). Then, it parses \(\tilde{\sigma }^{\mathsf {pk}}_0 = (\vec {\sigma }_\mathsf {out}, \mathsf {pk}_\mathsf {in}) = \tilde{\sigma }^{\mathsf {pk}}_1\), \(\tilde{\sigma }^{\mathsf {m}}_0 = {\tilde{\sigma }}_{\mathsf {in}, 0}\), and \(\tilde{\sigma }^{\mathsf {m}}_1 = {\tilde{\sigma }}_{\mathsf {in}, 1}\). Finally, it outputs the trapdoor \(\mathsf {td}\leftarrow \mathcal {S}^\mathsf {Ext}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, (\tilde{x}_0, {\tilde{\sigma }}_{\mathsf {in}, 0}), (\tilde{x}_1, {\tilde{\sigma }}_{\mathsf {in}, 1}))\).

• \(\mathcal {S}^\mathsf {Gen}(\mathsf {pk}, \mathsf {vk}, \mathsf {td}, x, \sigma ^{\mathsf {pk}})\): On input a public key \(\mathsf {pk}\), a verification key \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\), a trapdoor \(\mathsf {td}\), a message \(x \in \{0,1\}\), and a message-independent signature component \(\sigma ^{\mathsf {pk}}= (\vec {\sigma }_\mathsf {out}, \mathsf {pk}_\mathsf {in})\), the simulator computes \(\sigma ^*_\mathsf {in}\leftarrow \mathcal {S}^\mathsf {Gen}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, \mathsf {td}, x, \varepsilon )\) and outputs \(\sigma ^*\leftarrow (\sigma ^{\mathsf {pk}}, \sigma ^*_\mathsf {in})\). Here, we rely on the assumption that the signatures in \(\Pi _{\mathsf {HS},\mathsf {in}}\) have an empty message-independent component.

We now show that if \(\Pi _{\mathsf {HS},\mathsf {in}}\) is context-hiding, then experiments \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 0)\) and \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 1)\) are indistinguishable for any unbounded adversary \(\mathcal {A}\).

• Let \(\mathsf {pk}\) be the public key, \(\mathsf {vk}= (\mathsf {vk}_\mathsf {in}, \mathsf {vk}_\mathsf {out})\) be the verification key, and \((\tilde{x}_0, {\tilde{\sigma }}_0)\), \((\tilde{x}_1, {\tilde{\sigma }}_1)\) be the message–signature pairs that \(\mathcal {A}\) submits to the context-hiding challenger at the beginning of the experiment. Write \({\tilde{\sigma }}_0 = (\tilde{\sigma }^{\mathsf {pk}}_0, \tilde{\sigma }^{\mathsf {m}}_0)\) and \({\tilde{\sigma }}_1 = (\tilde{\sigma }^{\mathsf {pk}}_1, \tilde{\sigma }^{\mathsf {m}}_1)\), where \(\tilde{\sigma }^{\mathsf {m}}_0 = {\tilde{\sigma }}_{\mathsf {in}, 0}\) and \(\tilde{\sigma }^{\mathsf {m}}_1 = {\tilde{\sigma }}_{\mathsf {in}, 1}\) Without loss of generality, we can assume that \(\tilde{x}_0 \ne \tilde{x}_1\), \(\tilde{\sigma }^{\mathsf {pk}}_0 = \tilde{\sigma }^{\mathsf {pk}}_1\), and that \(\mathsf {Verify}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, \tilde{x}_0, {\tilde{\sigma }}_{\mathsf {in}, 0}) = 1 = \mathsf {Verify}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, \tilde{x}_1, {\tilde{\sigma }}_{\mathsf {in}, 1})\). Otherwise, the output of the experiment is always 0, and the adversary’s distinguishing advantage is correspondingly 0. Next, in \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 1)\), the challenger constructs a trapdoor \(\mathsf {td}\) by invoking \(\mathsf {td}\leftarrow \mathcal {S}^\mathsf {Ext}_\mathsf {in}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, ({\tilde{x}}_0, \tilde{\sigma }_{\mathsf {in}, 0}), ({\tilde{x}}_1, {\tilde{\sigma }}_{\mathsf {in}, 1}))\).

• Let \(\mathsf {pk}'\), \(x \in \{0,1\}\), \(\sigma = (\sigma ^{\mathsf {pk}}, \sigma ^{\mathsf {m}})\) be a query \(\mathcal {A}\) makes to the challenger. If \(\mathsf {Verify}(\mathsf {pk}', \mathsf {vk}, x, \sigma ) = 1\), then the challenger proceeds as follows:

  1. –

     In \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 0)\), the challenger parses \(\sigma ^{\mathsf {m}}= \sigma _\mathsf {in}\), and computes \(\sigma ^*_\mathsf {in}\leftarrow \mathsf {Hide}_\mathsf {in}(\mathsf {vk}_\mathsf {in}, x, \sigma _\mathsf {in})\). It replies to the adversary with \(\sigma ^*\leftarrow (\sigma ^{\mathsf {pk}}, \sigma ^*_\mathsf {in})\).

  2. –

     In \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 1)\), the challenger parses \(\sigma ^{\mathsf {pk}}= (\vec {\sigma }_\mathsf {out}, \mathsf {pk}_\mathsf {in})\), and computes \(\sigma ^*_\mathsf {in}\leftarrow \mathcal {S}^\mathsf {Gen}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, \mathsf {td}, x, \varepsilon )\). It returns \(\sigma ^*= (\sigma ^{\mathsf {pk}}, \sigma ^*_\mathsf {in})\).

Since \(\mathsf {Verify}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, \tilde{x}_0, {\tilde{\sigma }}_{\mathsf {in}, 0}) = 1 = \mathsf {Verify}(\mathsf {pk}_\mathsf {in}, \mathsf {vk}_\mathsf {in}, \tilde{x}_1, {\tilde{\sigma }}_{\mathsf {in}, 1})\), and \(\tilde{\sigma }^{\mathsf {pk}}_0 = \tilde{\sigma }^{\mathsf {pk}}_1\), we have that \(\mathsf {td}\) is a valid trapdoor for \(\mathcal {S}^\mathsf {Ext}_\mathsf {in}\). Since \(\Pi _{\mathsf {HS},\mathsf {in}}\) is context-hiding, the message-dependent component \(\sigma ^*_\mathsf {in}\) of the final signature \(\sigma ^*\) generated by \(\mathcal {S}^\mathsf {Gen}\) in \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 1)\) is statistically indistinguishable from \(\sigma ^*_\mathsf {in}\) generated by the challenger in \(\mathsf {Expt}_{\mathcal {A},\mathcal {S},\Pi _{\mathsf {HS}}}^{\mathsf {ch}}(\lambda , 0)\). The claim follows. \(\square \)

Theorem B.23

(Compactness) Fix a security parameter \(\lambda \). Suppose \(\Pi _{\mathsf {HS},\mathsf {in}}\) and \(\Pi _{\mathsf {HS},\mathsf {out}}\) satisfy compactness (Definition B.12), and moreover, the size of a homomorphically evaluated public key output by \(\mathsf {PrmsEval}_\mathsf {out}(C, \cdot )\) is \(\mathsf {poly}(\lambda , d)\), where d is a bound on the depth of the circuit C. Then, Construction B.19 satisfies compactness.

Proof

Follows immediately by construction. Specifically, the signature output by \(\mathsf {SigEval}\) consists of compact signatures output by \(\mathsf {SigEval}_\mathsf {out}\) and \(\mathsf {SigEval}_\mathsf {in}\), and a homomorphically evaluated public key output by \(\mathsf {PrmsEval}_\mathsf {out}\). Therefore, the size of the signatures depend only on \(|C(\vec {x})|\) and is independent of \(|\vec {x}|\). \(\square \)

Instantiating the construction We note that both \(\Pi _{\mathsf {HS},\mathsf {in}}\) and \(\Pi _{\mathsf {HS},\mathsf {out}}\) can be instantiated by Construction B.13 in Sect. 2.1. In particular, Construction B.13 satisfies the additional compactness requirement on the size of the public keys needed in Theorem B.23. This yields the following corollary:

Corollary B.24

(Adaptively Secure Homomorphic Signatures) Fix a security parameter \(\lambda \) and a message length \(\ell = \mathsf {poly}(\lambda )\). Let \(\mathcal {C}= \{ \mathcal {C}_\lambda \}_{\lambda \in \mathbb {N}}\) be a function class where \(\mathcal {C}_\lambda \) consists of Boolean circuits of depth up to \(d = d(\lambda )\) on \(\ell \)-bit inputs. Then, under the SIS assumption with a subexponential modulus, there exists a homomorphic signature scheme \(\Pi _{\mathsf {HS}}= (\mathsf {PrmsGen}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {PrmsEval}, \mathsf {SigEval}, \mathsf {Hide}, \mathsf {Verify}, \mathsf {VerifyFresh}, \mathsf {VerifyHide})\) with message space \(\{0,1\}\), message length \(\ell \), and function class \(\mathcal {C}\) that satisfies adaptive unforgeability (Definition B.7), context-hiding (Definition B.11), and compactness (Definition B.12).

1.6 B.6 Constructing Blind Homomorphic Signatures

In Fig. 7, we give the formal description of our blind homomorphic signature protocol \(\Pi _\textsc {bhs}\) in the \(\mathcal {F}_{\textsc {ot}}^{\ell ,s}\)-hybrid model (Figure 3).²⁴ Here, we provide a brief overview of the construction. As discussed in Sect. 1.1, our construction combines homomorphic signatures with any UC-secure oblivious transfer protocol [58]. The key generation, signature verification, and signature evaluation operations in \(\Pi _\textsc {bhs}\) just correspond to running the underlying \(\Pi _{\mathsf {HS}}\) algorithms.

Fig. 7

\(\Pi _\textsc {bhs}\) protocol

The blind signing protocol is interactive and relies on OT. Since we use a bit-wise homomorphic signature scheme, a signature on an \(\ell \)-bit message consists of \(\ell \) signatures, one for each bit of the message. In the first step of the blind signing protocol, the signer constructs two signatures (one for the bit 0 and one for the bit 1) for each bit position of the message. The receiver then requests the signatures corresponding to the bits of its message using the OT protocol. Intuitively, the OT protocol ensures that the signer does not learn which set of signatures the receiver requested and the receiver only learns a single signature for each bit position. However, this basic scheme is vulnerable to a “selective failure” attack where the signer strategically generates invalid signatures for certain bit positions of the message \(\vec {x}\). As a result, whether the receiver obtains a valid signature on its entire message becomes correlated with its message itself. To prevent this selective failure attack, we use the standard technique of having the receiver first split its message \(\vec {x}\) into a number of random shares \(\vec {w}_1, \ldots , \vec {w}_t\) where \(\vec {x}= \bigoplus _{i \in [t]} \vec {w}_i\). Instead of asking for a signature on \(\vec {x}\) directly, it instead asks for a signature on the shares \(\vec {w}_1, \ldots , \vec {w}_t\). Since the signatures on the shares \(\vec {w}_1, \ldots , \vec {w}_t\) are homomorphic, the receiver can still compute a signature on the original message \(\vec {x}\), and hence, correctness of signing is preserved. Moreover, as we show in the proof of Theorem B.25, unless the malicious signer correctly guesses all of the shares of \(\vec {w}_1, \ldots , \vec {w}_t\) the receiver chose, the probability that the receiver aborts (due to receiving an invalid signature) is independent of \(\vec {x}\) no matter how the malicious signer generates the signatures. We formally summarize the security properties of \(\Pi _\textsc {bhs}\) in the following theorem, but defer its proof to Appendix B.8.

Theorem B.25

(Blind Homomorphic Signatures)

Fix a security parameter \(\lambda \). Define parameters \(\ell \), t, and s as in \(\Pi _\textsc {bhs}\) (Fig. 7) where \(t = \omega (\log \lambda )\). Let \(\mathcal {H}\) be a function class over \(\{0,1\}^\ell \) and let \(\Pi _{\mathsf {HS}}\) be a homomorphic signature scheme for the message space \(\{0,1\}\) and function class \(\mathcal {H}'\) such that for any function \(f \in \mathcal {H}\), we have \(f \circ f_{\mathsf {recon}}\in \mathcal {H}'\), where \(f_{\mathsf {recon}}\) is the share reconstruction function in Fig. 7. Suppose that \(\Pi _{\mathsf {HS}}\) satisfies correctness (Definitions B.4, B.5, and B.6), unforgeability (Definition B.7), and context-hiding (Definition B.11). Then, the protocol \(\Pi _\textsc {bhs}\) (when instantiated with \(\Pi _{\mathsf {HS}}\)) securely realizes the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) (Fig. 6) with respect to function class \(\mathcal {H}\) in the presence of (static) malicious adversaries in the \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\)-hybrid model.

Blind homomorphic signatures from LWE Combining the fully secure homomorphic signature scheme from Construction B.19 (based on [96]) with the lattice-based UC-secure oblivious transfer protocol from [128], we obtain a blind homomorphic signature scheme from standard lattice assumptions. We describe our instantiation below.

Fact B.26

(Oblivious Transfer from LWE [128]) Let \(\lambda \) be a security parameter and define parameters \(\ell , s = \mathsf {poly}(\lambda )\). Then, under the LWE assumption, there exists a protocol \(\Pi _\textsc {ot}\) that security realizes the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell ,s}\) (Fig. 3) in the presence of malicious adversaries in the CRS model (and assuming static corruptions). Moreover, the protocol \(\Pi _{\textsc {ot}}\) is round-optimal: It consists of one message from the receiver to the signer and one from the receiver to the signer.

Corollary B.27

(Blind Homomorphic Signatures from LWE) Let \(\lambda \) be a security parameter. Then, under the LWE assumption with a subexponential modulus-to-noise ratio, for all \(d = \mathsf {poly}(\lambda )\), there exists a protocol \(\Pi _\textsc {bhs}'\) that securely realizes \(\mathcal {F}_{\textsc {bhs}}\) for the class of depth d Boolean circuits in the presence of malicious adversaries in the CRS model (and assuming static corruptions). Moreover, the protocol \(\Pi _{{\textsc {bhs}}}'\) satisfies the following properties:

• The key generation, signature verification, and signature evaluation protocols are non-interactive.

• The signature generation protocol (i.e., blind signing) is a two-round interactive protocol between the signer and the receiver (one message each way).

• The length of a signature is \(\mathsf {poly}(\lambda , d)\).

Proof

Let \(\Pi _\textsc {bhs}\) be the protocol in Fig. 7 instantiated with the homomorphic signature scheme from Construction B.19. By Theorem B.25 and Corollary B.24,²⁵ protocol \(\Pi _\textsc {bhs}\) securely realizes \(\mathcal {F}_{\textsc {bhs}}\) in the \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\)-hybrid model, for some \(\ell , s = \mathsf {poly}(\lambda )\). We let \(\Pi _\textsc {bhs}'\) be the protocol obtained by instantiating the functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) in \(\Pi _\textsc {bhs}\) with the protocol from Fact B.26. Security of \(\Pi _\textsc {bhs}'\) then follows from the universal composition theorem (Theorem B.2) [38]. Key generation, signature verification, and signature evaluation in \(\Pi _\textsc {bhs}'\) simply correspond to invoking the associated functionalities of the underlying homomorphic signature scheme and thus are non-interactive. The signature length is also inherited from \(\Pi _{\mathsf {HS}}\). The blind signing protocol reduces to a single invocation of \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\), which by Fact B.26, can be implemented by just two rounds of interaction. \(\square \)

Remark B.28

(Size of CRS in Corollary B.27) In the lattice-based OT construction of [128], a single CRS can only be used for a bounded number of OTs. The blind signing protocol in \(\Pi _\textsc {bhs}'\) from Corollary B.27 requires \(\ell \cdot \mathsf {poly}(\lambda )\) invocations of OT, where \(\ell \) is the message length. Thus, instantiating \(\Pi _\textsc {bhs}'\) requires a CRS of length \(\mathsf {poly}(\ell , \lambda )\). In our preprocessing UC-NIZK (Appendix B.7), \(\ell = \mathsf {poly}(\lambda )\), and so a CRS of size \(\mathsf {poly}(\lambda )\) suffices to obtain a preprocessing UC-NIZK for general \(\mathsf {NP}\) languages. It is an open problem to build a lattice-based UC-secure OT protocol in the CRS model with a reusable CRS.

1.7 B.7 Universally Composable Preprocessing NIZKs

In this section, we show how to combine blind homomorphic signatures with CPA-secure encryption to obtain UC-NIZKs in the preprocessing model from standard lattice assumptions. We give our protocol \(\Pi _{\mathsf {ZK}}\) in the \(\mathcal {F}_{\textsc {bhs}}\)-hybrid model in Figure 8. Next, we state the formal security theorem and describe how to instantiate it from standard lattice assumptions. We give the proof of Theorem B.29 in Appendix B.9.

Fig. 8

Preprocessing ZK argument in the \(\mathcal {F}_{\textsc {bhs}}\)-hybrid model

Theorem B.29

(Preprocessing Zero-Knowledge Arguments) Let \(\Pi _{\mathsf {SE}}= (\mathsf {KeyGen}, \mathsf {Encrypt}, \mathsf {Decrypt})\) be a CPA-secure encryption scheme. Then, the protocol \(\Pi _{\mathsf {ZK}}\) in Fig. 8 (instantiated with \(\Pi _{\mathsf {SE}}\)) securely realizes \(\mathcal {F}_{\mathsf {ZK}}\) in the presence of (static) malicious adversaries in the \(\mathcal {F}_{\textsc {bhs}}\)-hybrid model.

Corollary B.30

(Preprocessing UC-NIZKs from LWE)

Let \(\lambda \) be a security parameter. Then, under the LWE assumption with a subexponential modulus-to-noise ratio, for all \(d = \mathsf {poly}(\lambda )\), there exists a protocol \(\Pi _{\mathsf {NIZK}}'\) that securely realizes \(\mathcal {F}_{\mathsf {ZK}}\) in the presence of (static) malicious adversaries in the CRS model for all \(\mathsf {NP}\) relations \(\mathcal {R}\) that can be computed by a circuit of depth at most d. The protocol \(\Pi _{\mathsf {NIZK}}'\) satisfies the following properties:

• The (one-time) preprocessing phase is a two-round protocol between the prover and the verifier.

• The prover’s and verifier’s algorithms are both non-interactive.

• If \(\mathcal {R}\) is an \(\mathsf {NP}\) relation, then the length of a proof of membership for the language associated with \(\mathcal {R}\) is \(m + \mathsf {poly}(\lambda , d)\), where m is the size of the witness associated with \(\mathcal {R}\).

Proof

Fix a depth bound \(d = \mathsf {poly}(\lambda )\). First, we can instantiate the CPA-secure encryption scheme \(\Pi _{\mathsf {SE}}= (\mathsf {KeyGen}, \mathsf {Encrypt}, \mathsf {Decrypt})\) in Fig. 8 from lattices using Fact 2.2. Let \(d'\) be a bound on the depth of the circuit that computes the \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}\) function in Fig. 8. Note that \(d' = \mathsf {poly}(\lambda , d)\), since the depth of the relation \(\mathcal {R}\) is bounded by d and the depth of the \(\mathsf {Decrypt}\) function is \(\mathsf {poly}(\lambda )\). By Corollary B.27, under the LWE assumption, there exists a protocol \(\Pi _\textsc {bhs}'\) that securely realizes \(\mathcal {F}_{\textsc {bhs}}\) for the class of all depth-\(d'\) Boolean circuits in the presence of (static) malicious adversaries. The claim then follows by combining Theorem B.29 with Corollary B.27 and the universal composition theorem (Theorem B.2). We now check the additional properties:

• The preprocessing phase corresponds to the blind signing protocol of \(\Pi _\textsc {bhs}'\), which is a two-round protocol between the signer and the verifier.

• The prover’s algorithm corresponds to signature evaluation, while the verifier’s algorithm corresponds to signature verification. Both of these are non-interactive in \(\Pi _\textsc {bhs}'\).

• The length of a proof for an \(\mathsf {NP}\) relation \(\mathcal {R}\) consists of an encryption of the witness under \(\Pi _{\mathsf {SE}}\) (of size \(m + \mathsf {poly}(\lambda )\)) and a signature under \(\Pi _\textsc {bhs}'\) (of size \(\mathsf {poly}(\lambda , d)\)). The total size is bounded by \(m + \mathsf {poly}(\lambda , d)\).

\(\square \)

Applications to MPC To conclude, we describe several applications of our preprocessing UC-NIZKs to boosting the security of MPC protocols. First, we show that combining our construction with the round-optimal, semi-malicious MPC protocol of Mukherjee–Wichs [119] yields a round-optimal, malicious-secure MPC protocol from lattices in a reusable preprocessing model where the communication complexity only depends on the size of the inputs/outputs (Remark B.33). Then, we show that by leveraging the observation in Remark 3.9, we obtain a succinct version of the GMW [81, 82] compiler from lattice assumptions.

Malicious-secure MPC from lattices Previously, Mukherjee and Wichs showed how to construct a two-round MPC protocol with UC security against semi-malicious adversaries from standard lattice assumptions [119]. Their protocol has several notable properties, including optimal round complexity and near-optimal communication complexity: Namely, the total communication between the parties depends only on the length of the parties’ inputs and outputs, and not on the complexity (i.e., circuit size) of the underlying computation. Achieving this latter property is often referred to as breaking the “circuit size barrier” for secure computation [29].

The Mukherjee–Wichs construction (as well as its predecessor [8]) achieve security against semi-malicious adversaries and rely on general-purpose NIZKs to achieve full security against malicious adversaries without increasing the round complexity. However, since NIZKs are not known to follow from standard lattice assumptions in the CRS model, the security of the malicious-secure protocols cannot be reduced to a single set of hardness assumptions. (For instance, we need to combine lattice assumptions with other number theoretic assumptions.)

Using our lattice-based preprocessing NIZKs, we can obtain malicious-secure MPC in a preprocessing model while basing security exclusively on standard lattice assumptions. Specifically, in the preprocessing step, the parties would execute the preprocessing protocol of our UC-NIZK construction (Fig. 8, Corollary B.30). In the online phase of the protocol, the parties essentially have access to an ideal zero-knowledge functionality, and so, we can apply the same semi-malicious to malicious boosting described in [8, 119] to obtain a protocol with full malicious security. The round complexity and communication complexity of the online phase of the protocol are unchanged from that of the Mukherjee–Wichs construction. Moreover, our preprocessing protocol has several appealing properties: It is not only independent of the party’s inputs, but also (almost) independent of the computation being performed. (It depends only polylogarithmically on the depth of the online computation.) This means that the same preprocessing can in fact be reused across many protocol executions, provided that the computations have bounded depth. In fact we can make the preprocessing completely independent of the online computation if we make an additional circular security assumption (c.f., Corollary B.32). We state our conclusions more precisely below:

Fact B.31

(MPC from Multi-Key FHE [119])

Let \(\lambda \) be a security parameter, and \(f :(\{0,1\}^{\ell _{\mathrm {in}}})^n \rightarrow (\{0,1\}^{\ell _{\mathrm {out}}})^n\) be an arbitrary n-input function. Let \(C_f\) be the circuit that computes f, and let \(d_f\) be its depth. Then, under the LWE assumption with a subexponential modulus-to-noise ratio, there exists a protocol \(\Pi _f\) that securely realizes \(\mathcal {F}_f\) in the presence of (static) semi-malicious adversaries in the CRS model and assuming the parties have access to an authenticated broadcast channel. Recall that \(\mathcal {F}_f\) is the general UC functionality for computing the function f (Fig. 5). Moreover, the protocol \(\Pi _f\) satisfies the following properties:

• Optimal round complexity: The protocol \(\Pi _f\) is a two-round protocol.

• Low communication complexity: The total communication complexity of the protocol is \((\ell _{\mathrm {in}}+ \ell _{\mathrm {out}}) \cdot \mathsf {poly}(\lambda , n, d_f)\). In other words, the total communication depends only on the security parameter, the length of the inputs, the length of the outputs, and the depth of the computation (rather than the size \(\left| C_f \right| \)). Moreover, if we make an additional circular security assumption, then the total communication complexity becomes \((\ell _{\mathrm {in}}+ \ell _{\mathrm {out}}) \cdot \mathsf {poly}(\lambda , n)\), which is completely independent of the complexity of the computation f. This is essentially the best we can hope for from an MPC protocol for \(\mathcal {F}_f\).

Corollary B.32

(Malicious-Secure MPC in the Preprocessing Model from Lattices)

Let \(\lambda \) be a security parameter, and let \(f :(\{0,1\}^{\ell _{\mathrm {in}}})^n \rightarrow (\{0,1\}^{\ell _{\mathrm {out}}})^n\) be an arbitrary n-input function. Let \(C_f\) be the circuit that computes f, and let \(d_f\) be its depth. Then, under the LWE assumption with a subexponential modulus-to-noise ratio, there exists a protocol \(\Pi _f\) that securely realizes \(\mathcal {F}_f\) in the presence of (static) malicious adversaries in the CRS model (and assuming the parties have access to an authenticated broadcast channel). The protocol \(\Pi _f\) splits into two subprotocols: a preprocessing protocol \(\Pi _f^{(\mathrm {pre})}\) and an online protocol \(\Pi _f^{(\mathrm {online})}\) with the following properties:

• Reusable preprocessing: The total computational and communication complexity of the preprocessing protocol \(\Pi _f^{(\mathrm {pre})}\) is \(\mathsf {poly}(n, \lambda , \log d_f)\). Notably, the preprocessing is independent of the size of each party’s inputs and the overall size \(\left| C_f \right| \) of the computation. Because the preprocessing only depends logarithmically on the depth of \(C_f\) (and not its size), the same precomputation can be reused across many parallel evaluations of \(C_f\) (which would increase the size of the computation, but not its depth). Moreover, if we make the additional circular security assumption from Fact B.31, then the total computational and communication complexity is \(\mathsf {poly}(n, \lambda )\), and completely independent of the function f.

• Optimal online round complexity: The online protocol \(\Pi _f^{(\mathrm {online})}\) consists of two rounds of communication.

• Low online communication complexity: The total communication complexity of the online protocol \(\Pi _f^{(\mathrm {online})}\) is \((\ell _{\mathrm {in}}+ \ell _{\mathrm {out}}) \cdot \mathsf {poly}(\lambda , n, d_f)\). If we make the additional circular security assumption from Fact B.31, then the total communication complexity of \(\Pi _f^{(\mathrm {online})}\) is again essentially optimal: \((\ell _{\mathrm {in}}+ \ell _{\mathrm {out}}) \cdot \mathsf {poly}(\lambda , n)\).

Proof

Follows by applying the generic semi-malicious-to-malicious compiler of [8, Appendix E] to the MPC protocol described in Fact B.31 along with our UC-NIZKs in the preprocessing model from LWE. \(\square \)

Remark B.33

(Reusable Preprocessing)

A nice property satisfied by our MPC protocol in the preprocessing model is that the preprocessing is reusable. Namely, we only have to run the preprocessing protocol once, provided that all of the computations in the online phase can be implemented by circuits of some bounded depth. In fact, if we are willing to make an additional circular security assumption, the preprocessing is entirely independent of the computation. We note that many classic MPC protocols that leverage preprocessing for better online efficiency do not provide reusable preprocessing [20, 67]. In these cases, the complexity of the preprocessing phase scales with the size of the circuit that is computed in the online phase as opposed to the depth (e.g., the classic technique of Beaver multiplication triples [20] requires generating a single triple for every multiplication gate that will be evaluated during the online phase of the protocol). Having a reusable preprocessing protocol enables us to amortize the cost of the preprocessing across many different computations.

Remark B.34

(Non-Reusable Preprocessing from Weaker Assumptions) An alternative approach to boosting the Mukherjee–Wichs protocol to provide malicious security in the preprocessing model is to use a bounded-theorem preprocessing NIZK, which can in turn be instantiated from one-way functions [62, 66, 112] or oblivious transfer [101]. One drawback of this approach is that the preprocessing is no longer reusable across multiple computations (since each NIZK system can only be used to prove an a priori bounded number of statements). As a result, the round complexity and the computational costs of the preprocessing protocol can no longer be amortized across multiple protocol executions. Moreover, it is unclear that the original bounded-theorem NIZK constructions satisfy the stronger property of universal composability. As such, they cannot be directly applied to achieve malicious security of the Mukherjee–Wichs construction in the UC model.

A succinct GMW compiler from lattices As discussed in Remark 3.9, if a prover wants to prove m statements (each of which can be checked by a circuit of depth at most d) using the same witness w, then the total length of all of the arguments will be \(\left| w \right| + m \cdot \mathsf {poly}(\lambda , d)\). In particular, the length of the common witness can be amortized across many statements. We can leverage this property to obtain a “succinct” version of the classic GMW compiler [81, 82] that transforms any MPC protocol \(\Pi \) for some function f in the semi-honest model to a protocol \(\Pi '\) for the same function f in the malicious model. We begin by briefly recalling the “GMW compiler:”

• Input commitment: First, the parties commit to their (private) inputs.

• Coin tossing: The parties engage in a secure coin-tossing protocol to determine the (secret) randomness each party uses in the protocol execution. At the end of this step, each party has a (private) random string as well as a commitment to every other party’s randomness.

• Protocol emulation: During the protocol execution, the parties run the semi-honest protocol \(\Pi \). Whenever the parties send a message, they include a NIZK argument that their message was computed according to the specification of \(\Pi \) on inputs and randomness that are consistent with their committed inputs and randomness.

The NIZK arguments bind each user to follow the semi-honest protocol as described. In the UC model, Canetti et al. [58] showed an analog of the GMW compiler based on UC-NIZKs.

Our preprocessing NIZKs from lattices gives a new instantiation of the GMW compiler from standard lattice assumptions. Our construction has the appealing property that the communication overhead of the compiler protocol \(\Pi '\) is essentially independent of the parties’ computational complexity in the semi-honest protocol \(\Pi \). We give a concrete comparison below:

• Using traditional NIZKs based on trapdoor permutations [37, 57, 63, 72, 84, 87] or pairing [85], the total size of the NIZK proofs is proportional to the size of each party’s computation. Thus, the communication overhead of \(\Pi '\) compared to the original protocol \(\Pi \) on each round r is \(\mathsf {poly}(\lambda , n, |C_r|)\), where \(\lambda \) is the security parameter, n is the number of parties, and \(C_r\) is the circuit that checks whether a party’s message on round r is consistent with the protocol specification \(\Pi \) as well as the party’s committed inputs and randomness.

• In the GMW protocol, each party uses the same witness to construct their proofs in each round of the protocol (the witness is their private input and randomness). Thus, using the trick described in Remark 3.9, the parties only have to communicate an encryption of their input and randomness once at the beginning of the protocol. Thereafter, on each round r of the protocol execution, the size of each proof is \(\mathsf {poly}(\lambda , n, d_r)\), where \(d_r\) is a bound on the depth of the consistency check circuit \(C_r\) defined above. Since \(d_r\) can be significantly smaller than \(C_r\), the communication overhead of using our lattice-based preprocessing NIZK to instantiate the GMW compiler can lead to substantial asymptotic savings.

As was also noted in Remark 3.9, a similar savings in communication is also possible by first applying the FHE-based transformation from [78] to any NIZK construction to obtain a NIZK with the same proof size as that of the construction in Corollary B.30, and then using the resulting construction to implement the GMW compiler. Compared to this alternative approach, our construction has the advantage that it can be instantiated directly from lattice assumptions (and does not additionally assume the existence of a NIZK). Moreover, our construction is likely more efficient since we do not have to incur the cost of composing FHE decryption with NIZK verification in addition to performing FHE evaluation.

1.8 B.8 Proof of Theorem B.25 (Blind Homomorphic Signatures)

Let \(\mathcal {A}\) be a static adversary that interacts with the environment \(\mathcal {Z}\), a signer \(\mathbf {S}\), and receiver \(\mathbf {R}\) running the real protocol \(\Pi _\textsc {bhs}\) (Fig. 7). We construct an ideal-world adversary (simulator) \(\mathcal {S}\) that interacts with the environment \(\mathcal {Z}\), the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\), and dummy parties \(\tilde{\mathbf {S}}\), \(\tilde{\mathbf {R}}\) such that no environment \(\mathcal {Z}\) can distinguish an interaction with \(\mathcal {A}\) in the real protocol from one with \(\mathcal {S}\) in the ideal world.

We begin by describing the simulator \(\mathcal {S}\). At the beginning of the protocol execution, the simulator \(\mathcal {S}\) begins by simulating an execution of \(\Pi _\textsc {bhs}\) with adversary \(\mathcal {A}\). In particular, \(\mathcal {S}\) simulates the environment \(\mathcal {Z}\), the behavior of the honest parties, as well as the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) in the simulated protocol execution with \(\mathcal {A}\). Algorithm \(\mathcal {A}\) begins by declaring which parties it wants to corrupt, and \(\mathcal {S}\) corrupts the analogous set of dummy parties in the ideal execution (e.g., if \(\mathcal {A}\) corrupts the signer \(\mathbf {S}\), then \(\mathcal {S}\) corrupts the dummy signer \(\tilde{\mathbf {S}}\)). The simulation then proceeds as follows.

Simulating the communication with the environment Whenever the simulator \(\mathcal {S}\) receives an input from the environment \(\mathcal {Z}\), it forwards the input to \(\mathcal {A}\) (as if it came from the environment in the simulated protocol execution). Whenever \(\mathcal {A}\) writes a message on its output tape (in the simulated protocol execution), the simulator \(\mathcal {S}\) writes the same output on its own output tape (to be read by the environment).

Simulating the key generation phase In the key generation phase, the simulator \(\mathcal {S}\) proceeds as follows, depending on whether the signer \(\tilde{\mathbf {S}}\) is corrupt:

• The signer is honest. When \(\mathcal {S}\) receives a value \((\textsf {sid}, \mathsf {keygen})\) from \(\mathcal {F}_{\textsc {bhs}}\), the simulator generates \(\vec {\mathsf {pk}}\leftarrow \mathsf {PrmsGen}(1^\lambda , 1^{t \ell })\), \((\mathsf {sk}, \mathsf {vk}') \leftarrow \mathsf {KeyGen}(1^\lambda )\), and stores \((\textsf {sid}, \mathsf {sk})\). It sets \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\) and sends \((\textsf {sid}, \mathsf {vkey}, \mathsf {vk})\) to \(\mathcal {F}_{\textsc {bhs}}\).

• The signer is corrupt. When \(\mathcal {Z}\) activates a corrupt signer \(\tilde{\mathbf {S}}\) on input \((\textsf {sid}, \mathsf {keygen})\), \(\mathcal {S}\) activates the signer \(\mathbf {S}\) with the same input \((\textsf {sid}, \mathsf {keygen})\) in its simulated copy of \(\Pi _\textsc {bhs}\). Let \((\textsf {sid}, \mathsf {vkey}, \mathsf {vk})\) be the verification key output by \(\mathbf {S}\) (as decided by \(\mathcal {A}\)). The simulator \(\mathcal {S}\) then sends a request \((\textsf {sid}, \mathsf {keygen})\) to \(\mathcal {F}_{\textsc {bhs}}\) (on behalf of \(\tilde{\mathbf {S}}\)) and responds to the key generation request from \(\mathcal {F}_{\textsc {bhs}}\) with the tuple \((\textsf {sid}, \mathsf {vkey}, \mathsf {vk})\).

Simulating the signature generation phase The simulator \(\mathcal {S}\) simulates the signing protocol as follows, depending on whether the signer \(\tilde{\mathbf {S}}\) is corrupt:

• The signer is honest. We first describe how the simulator \(\mathcal {S}\) constructs the ideal algorithms \((\mathsf {IdealSign}, \mathsf {IdealEval})\) when it receives a query \((\textsf {sid}, \mathsf {signature})\) from \(\mathcal {F}_{\textsc {bhs}}\). Let \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\) and \(\mathsf {sk}\) be the parameters the simulator sampled in the key generation phase. (Since \(\tilde{\mathbf {S}}\) is honest, the simulator chose the secret signing key.) The simulator then defines the \(\mathsf {IdealSign}\) and \(\mathsf {IdealEval}\) algorithms (with \(\vec {\mathsf {pk}}, \mathsf {vk}', \mathsf {sk}\) hardwired) as follows:

  1. –

     \(\mathsf {IdealSign}(\vec {x})\): On input \(\vec {x}\in \{0,1\}^\ell \):

     1. 1.

        Sample shares \(\vec {w}_1, \ldots , \vec {w}_t \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}^\ell \) such that \(\bigoplus _{i \in [t]} \vec {w}_i = \vec {x}\).

     2. 2.

        Generate \((\vec {\sigma }_1, \ldots , \vec {\sigma }_t) \leftarrow \mathsf {Sign}\big ( \vec {\mathsf {pk}}, \mathsf {sk}, (\vec {w}_1, \ldots , \vec {w}_t) \big ) \).

     3. 3.

        Return \(\mathsf {SigEval}\big (f_{\mathsf {recon}}, \vec {\mathsf {pk}}, (\vec {w}_1, \ldots , \vec {w}_t), (\vec {\sigma }_1, \ldots , \vec {\sigma }_t) \big )\).

  2. –

     \(\mathsf {IdealEval}(g, x)\): On input a function \(g \in \mathcal {H}\) and a value \(x \in \{0,1\}\):

     1. 1.

        Compute \(\mathsf {pk}_g \leftarrow \mathsf {PrmsEval}(g \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}})\).

     2. 2.

        Sign \(\sigma \leftarrow \mathsf {Sign}(\mathsf {pk}_g, \mathsf {sk}, x)\).

     3. 3.

        Return \(\mathsf {Hide}(\mathsf {vk}', x, \sigma )\).

  The simulator replies to \(\mathcal {F}_{\textsc {bhs}}\) with \((\mathsf {IdealSign}, \mathsf {IdealEval})\). If the receiver is honest, then this completes the simulation for the signing request. Conversely, if the receiver is corrupt, then the simulator \(\mathcal {S}\) proceeds as follows:

  1. –

     When \(\mathcal {Z}\) activates the receiver \(\tilde{\mathbf {R}}\) on input \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \vec {x})\), the simulator forwards \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \vec {x})\) to \(\mathbf {R}\) (which is under the control of \(\mathcal {A}\)) in the simulated protocol execution (as if it came from \(\mathcal {A}\)’s environment).

  2. –

     After \(\mathbf {R}\) sends inputs \(\big ( (\textsf {sid},i), \mathsf {receiver}, \vec {w}_i \big )\) for all \(i \in [t]\) to the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell ,s}\) in the simulated protocol execution, the simulator computes \(\vec {x}\leftarrow \bigoplus _{i \in [t]} \vec {w}_i\). If this is not the first signing request from \(\mathbf {R}\), then the simulator ignores the request. Otherwise, the simulator sends \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \vec {x})\) to \(\mathcal {F}_{\textsc {bhs}}\).

  3. –

     When \(\mathcal {F}_{\textsc {bhs}}\) sends \((\textsf {sid}, \mathsf {sign}, x)\) to \(\mathcal {S}\) to choose the signature on behalf of \(\tilde{\mathbf {R}}\), the simulator constructs signatures \(\vec {\sigma }_i \leftarrow \mathsf {Sign}(\vec {\mathsf {pk}}_i, \mathsf {sk}, \vec {w}_i)\) and sends \(\big ((\textsf {sid}, i), \vec {\sigma }_i)\) to \(\mathbf {R}\) for \(i \in [t]\). For the message-independent components of the signatures, \(\mathcal {S}\) parses \(\vec {\sigma }_i = (\vec {\sigma }^{\mathsf {pk}}_i, \vec {\sigma }^{\mathsf {m}}_i)\) for \(i \in [t]\) and sends \(\{ \vec {\sigma }^{\mathsf {pk}}_i \}_{i \in [t]}\) to \(\mathbf {R}\). The simulator also computes \(\vec {\sigma }\leftarrow \mathsf {SigEval}(f_{\mathsf {recon}}, \vec {\mathsf {pk}}, (\vec {w}_1, \ldots , \vec {w}_t), (\vec {\sigma }_1, \ldots , \vec {\sigma }_t))\) and sends \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \vec {\sigma })\), where \(\vec {x}= \bigoplus _{i \in [t]} \vec {w}_i\), to \(\mathcal {F}_{\textsc {bhs}}\).

• The signer is corrupt. If the receiver \(\tilde{\mathbf {R}}\) is also corrupt, then \(\mathcal {S}\) determines the behavior of \(\tilde{\mathbf {S}}\) and \(\tilde{\mathbf {R}}\) using \(\mathcal {A}\) (who controls the behavior of \(\mathbf {S}\) and \(\mathbf {R}\) in the simulated protocol execution). Specifically, the simulator proceeds as follows:

  1. –

     When the environment activates \(\tilde{\mathbf {R}}\) with an input \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \vec {x})\), the simulator activates the receiver \(\mathbf {R}\) in its simulated protocol execution with the same input.

  2. –

     The simulator simulates the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) in its simulated protocol execution exactly according to the specification of \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) in Fig. 3.

  3. –

     The simulator echoes any output of \(\mathcal {A}\) (to the environment).

  Note that in this case where the signer and receiver are both corrupt, the simulator \(\mathcal {S}\)never interacts with the ideal functionality. Conversely, if the receiver \(\tilde{\mathbf {R}}\) is honest, then the simulator proceeds as follows:

  1. –

     When the ideal functionality sends a query \((\textsf {sid}, \mathsf {signature})\) to \(\mathcal {S}\), the simulator needs to respond with a specification of the ideal signing and evaluation functionalities \(\mathsf {IdealSign}\) and \(\mathsf {IdealEval}\). The simulator starts by performing several basic checks:

     1. 1.

        The simulator begins by activating the signer \(\mathbf {S}\) with the input \((\textsf {sid}, \mathsf {signature})\) in its simulated execution of the protocol. Let \(\big ( (\textsf {sid},i), \mathsf {sender}, \{ (\sigma _{i,j,0}, \sigma _{i,j,1}) \}_{j \in [\ell ]} \big )\) for \(i \in [t]\) be the inputs \(\mathbf {S}\) sends to \(\mathcal {F}_{\textsc {ot}}^{\ell ,s}\), and let \(\{ \sigma ^{\mathsf {pk}}_{i,j} \}_{i \in [t], j \in [\ell ]}\) be the message-independent components \(\mathbf {S}\) sends to \(\mathbf {R}\) in the simulated protocol execution. Note that in the real protocol execution, the receiver \(\mathbf {R}\) only interacts with \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) and does not send any messages to \(\mathbf {S}\) (so \(\mathcal {S}\) does not need to simulate any messages on behalf of \(\mathbf {R}\)).

     2. 2.

        Let \(\mathsf {vk}\) be the verification key \(\mathcal {S}\) chose during key generation. The simulator parses the verification key as \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\) where \(\vec {\mathsf {pk}}= \{ \mathsf {pk}_{i,j} \}_{i \in [t], j \in [\ell ]}\). If the verification key does not have this structure, then the simulator defines the ideal signing and evaluation functions \(\mathsf {IdealSign}\) and \(\mathsf {IdealEval}\) to always output \(\bot \).

     3. 3.

        Otherwise, the simulator parses \(\sigma _{i,j,b} = (\sigma ^{\mathsf {pk}}_{i,j,b}, \sigma ^{\mathsf {m}}_{i,j,b})\) for \(i \in [t]\), \(j \in [\ell ]\), \(b \in \{0,1\}\). We say that a signature \(\sigma _{i, j, b}\) is “valid” if

        $$\begin{aligned} \sigma ^{\mathsf {pk}}_{i, j, b} = \sigma ^{\mathsf {pk}}_{i, j} \quad \text {and} \quad \mathsf {VerifyFresh}(\mathsf {pk}_{i, j}, \mathsf {vk}', b, \sigma _{i, j, b}) = 1, \end{aligned}$$

        (1)

        and otherwise, we say that \(\sigma _{i, j, b}\) is “invalid.” Then, if there exists indices \(i \in [t]\) and \(j \in [\ell ]\) where \(\sigma _{i,j,0}\) and \(\sigma _{i,j,1}\) are both invalid, the simulator defines the signing and evaluation functions \(\mathsf {IdealSign}\) and \(\mathsf {IdealEval}\) to always output \(\bot \).

     4. 4.

        Finally, the simulator checks whether for all\(j \in [\ell ]\), there exists \(i \in [t]\) where \(\sigma _{i, j, 0}\) and \(\sigma _{i, j, 1}\) are both valid. If this is not the case, then \(\mathcal {S}\) defines the ideal signing and evaluation functions \(\mathsf {IdealSign}\) and \(\mathsf {IdealEval}\) to always output \(\bot \).

     If all of the checks pass, then there exists \({i^*}, {j^*}\) where \(\sigma _{{i^*},{j^*},0}\) and \(\sigma _{{i^*}, {j^*}, 1}\) are both valid. In this case, the simulator uses the context-hiding simulator \(\mathcal {S}^{\mathsf {ch}}= (\mathcal {S}^\mathsf {Ext}, \mathcal {S}^\mathsf {Gen})\) from Definition B.11 to extract a simulation trapdoor \(\mathsf {td}\leftarrow \mathcal {S}^\mathsf {Ext}(\mathsf {pk}_{{i^*}, {j^*}}, \mathsf {vk}', (0, \sigma _{{i^*}, {j^*}, 0}), (1, \sigma _{{i^*}, {j^*}, 1}))\). Then, the simulator defines the functions \((\mathsf {IdealSign}, \mathsf {IdealEval})\) as follows. Note that the public keys \(\vec {\mathsf {pk}}\), the simulation trapdoor \(\mathsf {td}\), and the message-independent signature components \(\{ \sigma ^{\mathsf {pk}}_{i,j} \}_{i \in [t], j \in [\ell ]}\) are hardwired in the description of the algorithms.

     • \(\mathsf {IdealSign}(\vec {x})\): On input \(\vec {x}\in \{0,1\}^\ell \):

       1. 1.

          First, the ideal signing algorithm initializes \(\vec {w}_1, \ldots , \vec {w}_t \leftarrow 0^\ell \).

       2. 2.

          By assumption, for all \(i \in [t]\) and \(j \in [\ell ]\), there is at least one \(b \in \{0,1\}\) where \(\sigma _{i,j,b}\) is valid. Now, for all \(i \in [t]\) and \(j \in [\ell ]\), if there is exactly one bit \(b \in \{0,1\}\) where \(\sigma _{i,j,b}\) is valid, then the simulator sets \(w_{i, j} = b\).

       3. 3.

          For all remaining indices \(i \in [t]\) and \(j \in [\ell ]\) where both \(\sigma _{i,j,0}\) and \(\sigma _{i,j,1}\) are valid, the simulator samples \(w_{i,j} \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}\), subject to the restriction that \(\bigoplus _{i \in [t]} \vec {w}_i = \vec {x}\). Note that this constraint is always satisfiable since for all \(j \in [\ell ]\), there is at least one \(i \in [t]\) where both \(\sigma _{i,j,0}\) and \(\sigma _{i,j,1}\) are valid by assumption.

       4. 4.

          Then, for all \(i \in [t]\), the algorithm sets \(\vec {\sigma }_i = (\sigma _{i,1,w_{i,1}}, \ldots , \sigma _{i,\ell ,w_{i,\ell }})\) and outputs the signature \(\mathsf {SigEval}\big (f_{\mathsf {recon}}, \vec {\mathsf {pk}}, (\vec {w}_1, \ldots , \vec {w}_t), (\vec {\sigma }_1, \ldots , \vec {\sigma }_t) \big )\).

     • \(\mathsf {IdealEval}(g, x)\): On input a function \(g \in \mathcal {H}\), and a value \(x \in \{0,1\}\):

       1. 1.

          Compute \(\mathsf {pk}_g \leftarrow \mathsf {PrmsEval}(g \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}})\).

       2. 2.

          Compute \(\sigma ^{\mathsf {pk}}_g \leftarrow \mathsf {SigEvalPK}\big (g \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}}, (\vec {\sigma }^{\mathsf {pk}}_1, \ldots , \vec {\sigma }^{\mathsf {pk}}_t) \big )\), where \(\vec {\sigma }^{\mathsf {pk}}_i = (\sigma ^{\mathsf {pk}}_{i,1}, \ldots , \sigma ^{\mathsf {pk}}_{i, \ell })\).

       3. 3.

          Return \(\mathcal {S}^\mathsf {Gen}(\mathsf {pk}_g, \mathsf {vk}', \mathsf {td}, x, \sigma ^{\mathsf {pk}}_g)\)

  2. –

     When the ideal functionality sends \((\textsf {sid}, \mathsf {sig\textsc {-}success})\) to \(\mathcal {S}\), the simulator responds as follows. First, let \(\{ (\sigma _{i,j,0}, \sigma _{i,j,1}) \}_{i \in [t], j \in [\ell ]}\) be the set of signatures the signer provided to the ideal OT functionality and \(\{ \sigma ^{\mathsf {pk}}_{i,j} \}_{i \in [t], j \in [\ell ]}\) be the set of message-independent public components sent by \(\mathbf {S}\) in the simulated protocol execution. As before, we say that \(\sigma _{i, j, b}\) is valid if and only if Eq. (1) holds. First, if the simulator previously defined \(\mathsf {IdealSign}\) and \(\mathsf {IdealEval}\) to \(\bot \), then it replies with \((\textsf {sid}, 0)\). Otherwise, let n be the number of indices \(i \in [t]\), \(j \in [\ell ]\), and \(b \in \{0,1\}\) where \(\sigma _{i,j,b}\) is invalid. Then, with probability \(1 - 2^{-n}\), the simulator responds with \((\textsf {sid}, 0)\). With probability \(2^{-n}\), the simulator responds with \((\textsf {sid}, 1)\).

Simulating the signature verification phase When the environment activates \({\tilde{\mathbf {P}}\in \{ \tilde{\mathbf {S}}, \tilde{\mathbf {R}} \}}\) on input \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f,\vec {x}), \vec {\sigma })\), the simulator \(\mathcal {S}\) proceeds as follows:

• If \(\tilde{\mathbf {P}}\) is honest and the simulator \(\mathcal {S}\) receives a query \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f,\vec {x}), \vec {\sigma })\) from \(\mathcal {F}_{\textsc {bhs}}\), the simulator first parses \(\mathsf {vk}' = (\vec {\mathsf {pk}}', \mathsf {vk}'')\). It then computes \(\mathsf {pk}_f' \leftarrow \mathsf {PrmsEval}(f \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}}')\) and sets \(t \leftarrow \mathsf {VerifyHide}(\mathsf {pk}_f', \mathsf {vk}'', \vec {x}, \vec {\sigma })\) if \(f \ne f_{\mathsf {id}}\), and \(t \leftarrow \mathsf {Verify}(\mathsf {pk}_f', \mathsf {vk}'', \vec {x}, \vec {\sigma })\) if \(f = f_{\mathsf {id}}\). It returns \((\textsf {sid}, \mathsf {verified}, \vec {x}, \vec {\sigma }, t)\) to \(\mathcal {F}_{\textsc {bhs}}\).

• If \(\tilde{\mathbf {P}}\) is corrupted, then \(\mathcal {S}\) activates the party \(\mathbf {P}\) with the input \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f,\vec {x}), \vec {\sigma })\) in its simulated copy of \(\Pi _\textsc {bhs}\). Let \((\textsf {sid}, \mathsf {verified}, \vec {x}, \vec {\sigma }, t)\) be the output by \(\mathbf {P}\). The simulator forwards \((\textsf {sid}, \mathsf {verified}, \vec {x}, \vec {\sigma }, t)\) to the environment. Note that the simulator does not interact with the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) in this case.

Simulating the signature evaluation phase When the environment activates \(\tilde{\mathbf {P}}\in \{ \tilde{\mathbf {S}}, \tilde{\mathbf {R}} \}\) on an input \((\textsf {sid}, \mathsf {eval}, \mathsf {vk}, g, (f,\vec {x}), \vec {\sigma })\), where \(f = f_{\mathsf {id}}\), the simulator \(\mathcal {S}\) proceeds as follows:

• If \(\tilde{\mathbf {P}}\) is honest, then \(\mathcal {S}\) only needs to simulate the verification request (if asked by the ideal functionality). The simulator responds to the verification request using the procedure described above (for simulating the verification queries).

• If \(\tilde{\mathbf {P}}\) is corrupt, then \(\mathcal {S}\) activates party \(\mathbf {P}\) with the input \((\textsf {sid}, \mathsf {eval}, \mathsf {vk}, g, (f,\vec {x}), \vec {\sigma })\) in its simulated copy of \(\Pi _\textsc {bhs}\). Let \((\textsf {sid}, \mathsf {signature}, (g, g(\vec {x})), \sigma ')\) be the output by \(\mathbf {P}\). The simulator forwards \((\textsf {sid}, \mathsf {signature}, (g, g(\vec {x})), \sigma ')\) to the environment. Note that the simulator does not interact with the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) in this case.

To complete the proof, we show that no efficient environment \(\mathcal {Z}\) can distinguish the output of the real execution with the adversary \(\mathcal {A}\) from the output of the ideal execution with the simulator \(\mathcal {S}\). Our argument considers several distinct cases, depending on whether the signer and receiver are honest or corrupt.

Lemma B.35

If both the signer and the receiver are honest, then for all efficient environments \(\mathcal {Z}\), we have that \(\textsc {ideal}_{\mathcal {F}_{\textsc {bhs}},\mathcal {S},\mathcal {Z}} {\mathop {\approx }\limits ^{c}}\textsc {real}_{\Pi _\textsc {bhs},\mathcal {A},\mathcal {Z}}\).

Proof

We proceed via a hybrid argument:

• \(\textsc {hyb}_0\): This is the real distribution \(\textsc {real}_{\Pi _\textsc {bhs},\mathcal {A},\mathcal {Z}}\).

• \(\textsc {hyb}_1\): Same as \(\textsc {hyb}_0\), except we modify the honest parties’ behavior as follows:

  1. –

     At the beginning of the experiment, initialize \(\vec {x}^* \leftarrow \bot \).

  2. –

     At the end of a signing request, let \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \vec {\sigma })\) be the signature output by the receiver. Update \(\vec {x}^* \leftarrow \vec {x}\). If any party issued a verification request of the form \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \vec {\sigma })\) prior to the signing request, then the experiment aborts with output \(\bot \).

  3. –

     Let \(\mathsf {vk}\) be the verification key generated by the signer in the key generation phase. When the environment activates a party on a verification request \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f, \vec {x}), \vec {\sigma })\) where \(\mathsf {vk}' = \mathsf {vk}\) and \(\vec {x}\ne f(\vec {x}^*)\), then the party outputs \((\textsf {sid}, \mathsf {verified}, (f, \vec {x}), \vec {\sigma }, 0)\). Otherwise, the output is determined as in \(\textsc {hyb}_0\).

• \(\textsc {hyb}_2\): This is the ideal distribution \(\textsc {ideal}_{\mathcal {F}_{\textsc {bhs}},\mathcal {S},\mathcal {Z}}\).

We now show that the outputs of each pair of consecutive hybrid experiments are computationally indistinguishable.

Claim B.36

Suppose \(\Pi _{\mathsf {HS}}\) satisfies unforgeability (Definition B.7). Then, the outputs of \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) are computationally indistinguishable.

Proof

Suppose there exists an environment \(\mathcal {Z}\) (and an adversary \(\mathcal {A}\)) such that the outputs of \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) are distinguishable. We use \(\mathcal {Z}\) and \(\mathcal {A}\) to construct an adversary \(\mathcal {B}\) that breaks unforgeability (Definition B.7) of \(\Pi _{\mathsf {HS}}\). Algorithm \(\mathcal {B}\) operates according to the specification of the unforgeability security experiment \(\mathsf {Expt}_{\mathcal {A},\Pi _{\mathsf {HS}}}^{\mathsf {uf}}(\lambda )\), and simulates an execution of \(\textsc {hyb}_0\) or \(\textsc {hyb}_1\) for the environment \(\mathcal {Z}\) (and adversary \(\mathcal {A}\)). Specifically, \(\mathcal {B}\) simulates the behavior of the honest signer and receiver in the protocol execution experiment:

• At the beginning of the unforgeability security game, algorithm \(\mathcal {B}\) receives public keys \(\vec {\mathsf {pk}}\) and a verification key \(\mathsf {vk}'\) from the challenger. It also initializes \(\vec {x}^* \leftarrow \bot \).

• When \(\mathcal {Z}\) activates the signer \(\mathbf {S}\) to run the key generation protocol with a query \((\textsf {sid}, \mathsf {keygen})\), algorithm \(\mathcal {B}\) simulates the honest signer’s behavior by outputting \((\textsf {sid}, \mathsf {vkey}, (\vec {\mathsf {pk}}, \mathsf {vk}'))\). By definition of the unforgeability experiment \(\mathsf {Expt}_{\mathcal {A},\Pi _{\mathsf {HS}}}^{\mathsf {uf}}(\lambda )\), the unforgeability challenger samples \(\vec {\mathsf {pk}}\leftarrow \mathsf {PrmsGen}(1^\lambda , 1^{t \ell })\), and \((\mathsf {sk}, \mathsf {vk}') \leftarrow \mathsf {KeyGen}(1^\lambda )\). Thus, algorithm \(\mathcal {B}\) perfectly simulates the signer’s behavior in \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\).

• For signing queries, after \(\mathcal {Z}\) activates the receiver \(\mathbf {R}\) with a tuple \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \vec {x})\) and the signer \(\mathbf {S}\) with a tuple \((\textsf {sid}, \mathsf {signature})\), algorithm \(\mathcal {B}\) samples \(\vec {w}_1, \ldots , \vec {w}_t \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}^\ell \) such that \(\bigoplus _{i \in [t]} \vec {w}_i = \vec {x}\) and submits \((\vec {w}_1, \ldots , \vec {w}_t)\) to the unforgeability challenger to receive \((\vec {\sigma }_1, \ldots , \vec {\sigma }_t)\). It computes \(\vec {\sigma }\leftarrow \mathsf {SigEval}(f_{\mathsf {recon}}, \vec {\mathsf {pk}}, (\vec {w}_1, \ldots , \vec {w}_t), (\vec {\sigma }_1, \ldots , \vec {\sigma }_t))\) and simulates the receiver’s output as \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}},\vec {x}), \vec {\sigma })\). In addition, \(\mathcal {B}\) sets \(\vec {x}^* \leftarrow \vec {x}\). In \(\mathsf {Expt}_{\mathcal {A},\Pi _{\mathsf {HS}}}^{\mathsf {uf}}(\lambda )\), the challenger computes \((\vec {\sigma }_1, \ldots , \vec {\sigma }_t) \leftarrow \mathsf {Sign}\big ( \vec {\mathsf {pk}}, \mathsf {sk}, (\vec {w}_1, \ldots , \vec {w}_t) \big )\), exactly as in \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\). Thus, \(\mathcal {B}\) perfectly simulates the signing queries in \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\).

• For verification and evaluation queries, \(\mathcal {B}\) implements the same procedure as in \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\). None of these queries require knowledge of the secret signing key \(\mathsf {sk}\) and thus can be perfectly simulated by \(\mathcal {B}\).

• At any point during the simulation, if \(\mathcal {Z}\) activates a party on a verification request of the form \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}, (f, \vec {x}), \vec {\sigma })\) where \(f(\vec {x}^*) \ne \vec {x}\) and \(\vec {\sigma }\) is a valid signature on \((f, \vec {x})\), then \(\mathcal {B}\) does the following:

  1. –

     If \(f = f_{\mathsf {id}}\), then \(\mathcal {B}\) computes \(\vec {\sigma }^* \leftarrow \mathsf {Hide}(\mathsf {vk}', \vec {x}, \vec {\sigma })\) and sends the tuple \((f_{\mathsf {recon}}, \vec {x}, \vec {\sigma }^*)\) to the unforgeability challenger as its forgery.

  2. –

     Otherwise, \(\mathcal {B}\) sends the tuple \((f \circ f_{\mathsf {recon}}, \vec {x}, \vec {\sigma })\) to the unforgeability challenger as its forgery.

Since the only difference between \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) is the additional checks in the signing and verification protocols, if the outputs of \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) are distinguishable with non-negligible advantage \(\varepsilon \), then one of the following conditions must hold with probability \(\varepsilon \):

• The receiver’s output in the signing request is a tuple \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \vec {\sigma })\) and a party was activated to run a verification request on the tuple \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \vec {\sigma })\) before the signing request. Since \(\vec {\sigma }\) was output by an honest signing request, this means that \(\vec {\sigma }\) is a valid signature on \(\vec {x}\): namely, that \(\mathsf {Verify}(\mathsf {pk}_{\mathsf {recon}}, \mathsf {vk}', \vec {x}, \vec {\sigma }) = 1\), where \(\mathsf {pk}_{\mathsf {recon}} \leftarrow \mathsf {PrmsEval}(f_\mathsf {recon}, \vec {\mathsf {pk}})\). Moreover, since the verification request occurred before the signing request, algorithm \(\mathcal {B}\) would have submitted the tuple \((f_\mathsf {recon}, \vec {x}, \vec {\sigma }^*)\) to the unforgeability challenger where \(\vec {\sigma }^* \leftarrow \mathsf {Hide}(\mathsf {vk}', \vec {x}, \vec {\sigma })\)before it made any signing queries to the unforgeability challenger. By hiding correctness, \(\vec {\sigma }^*\) is a valid signature on \(\vec {x}\) with respect to \(f_\mathsf {recon}\), and so \(\mathcal {B}\) wins the unforgeability game.

• Otherwise, the environment must have activated a party on a verification query of the form \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}, (f,\vec {x}), \vec {\sigma })\) the successfully verifies in \(\textsc {hyb}_0\) but not in \(\textsc {hyb}_1\). First, since the signature \(\vec {\sigma }\) verifies in \(\textsc {hyb}_0\), this means that \(f \circ f_{\mathsf {recon}}\in \mathcal {H}'\) and, moreover, that \(\mathsf {VerifyHide}(\mathsf {pk}_{f \circ f_{\mathsf {recon}}}, \mathsf {vk}', \vec {x}, \vec {\sigma }) = 1\) where \(\vec {\mathsf {pk}}_{f \circ f_{\mathsf {recon}}} \leftarrow \mathsf {PrmsEval}(f \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}})\). Now, if the adversary \(\mathcal {B}\) made a signing request to the unforgeability challenger on the message \((\vec {w}_1, \ldots , \vec {w}_t)\), then it would have also set \(\vec {x}^* = \bigoplus _{i \in [t]} \vec {w}_i\). Since \(\vec {\sigma }\) verifies in \(\textsc {hyb}_0\) but not in \(\textsc {hyb}_1\), the special condition in \(\textsc {hyb}_1\) must be satisfied which means

  $$\begin{aligned} (f \circ f_{\mathsf {recon}})(\vec {w}_1, \ldots , \vec {w}_t) = f(\vec {x}^*) \ne \vec {x}. \end{aligned}$$

  This means that \(\vec {\sigma }\) is a valid signature on \(\vec {x}\) with respect to the function \(f \circ f_{\mathsf {recon}}\) and thus is a valid forgery. Alternatively, if \(\mathcal {B}\) never made a signing request to the unforgeability challenger, then \(\vec {\sigma }\) is trivially a valid forgery.

In both cases, algorithm \(\mathcal {B}\) breaks unforgeability of \(\Pi _{\mathsf {HS}}\), so we conclude that \(\mathcal {B}\) has advantage \(\varepsilon \) in the unforgeability game. \(\square \)

Claim B.37

The outputs of hybrids \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are identically distributed.

Proof

We consider the view of the environment \(\mathcal {Z}\) in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) during each phase of the protocol.

• Key generation: For the key generation phase, the simulator \(\mathcal {S}\) in \(\textsc {hyb}_2\) exactly emulates the generation of \(\vec {\mathsf {pk}}\) and \(\mathsf {vk}= (\mathsf {sk}, \mathsf {vk}')\) as defined in \(\textsc {hyb}_1\). Thus, the outputs of the honest parties in the key generation phase of \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are identically distributed.

• Signature generation: In \(\textsc {hyb}_2\), since both \(\mathbf {S}\) and \(\mathbf {R}\) are honest, the signatures that the receiver obtains from \(\mathcal {F}_{\textsc {bhs}}\) are determined by the ideal algorithm \(\mathsf {IdealSign}\) that \(\mathcal {S}\) provides to the functionality \(\mathcal {F}_{\textsc {bhs}}\). Since \(\mathcal {S}\) defines these algorithms exactly as in the protocol specification of \(\Pi _\textsc {bhs}\) using the identically distributed signing key \(\mathsf {sk}\) and verification key \(\mathsf {vk}\), the resulting signatures in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are identically distributed. Moreover, the same abort condition is present in both \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\), so whenever an environment issues a query that causes the ideal functionality to abort in \(\textsc {hyb}_2\), the experiment also aborts in \(\textsc {hyb}_1\).

• Signature verification: In \(\textsc {hyb}_2\), the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) handles the signature verification queries \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f, \vec {x}), \vec {\sigma })\). We consider the different possibilities:

  1. –

     If \(f \notin \mathcal {H}\), then \(\mathcal {F}_{\textsc {bhs}}\) always sets the verification bit \(t = 0\). In this case, the honest parties in \(\textsc {hyb}_1\) also sets \(t = 0\) according to the protocol specification.

  2. –

     Otherwise, if \(\mathsf {vk}= \mathsf {vk}'\) and \((\mathsf {vk}, (f,\vec {x}), \vec {\sigma }, 1) \in \mathcal {L}\), then \(\mathcal {F}_{\textsc {bhs}}\) sets \(t = 1\). We consider several scenarios depending on how the entry \((\mathsf {vk}, (f,\vec {x}), \vec {\sigma }, 1) \in \mathcal {L}\) was added to \(\mathcal {L}\). If \(\vec {\sigma }\) was generated as the result of a signing or a evaluation request, then by correctness of \(\Pi _{\mathsf {HS}}\), the honest party in \(\textsc {hyb}_1\) also outputs 1. If the entry was added as a result of a previous verification request (which successfully verified), then because the honest party’s verification algorithm in \(\Pi _{\mathsf {HS}}\) is deterministic (and the signature verified previously), the party also outputs 1 in \(\textsc {hyb}_1\).

  3. –

     Otherwise, if \(\mathsf {vk}= \mathsf {vk}'\), and there does not exist \((\mathsf {vk}, (f_{\mathsf {id}}, \vec {x}'), \vec {\sigma }', 1) \in \mathcal {L}\) for some \(\vec {x}', \vec {\sigma }'\) where \(\vec {x}= f(\vec {x}')\), then \(\mathcal {F}_{\textsc {bhs}}\) sets \(t = 0\). This corresponds to a setting where the receiver never makes a signing request on any \(\vec {x}^* \in \{0,1\}^\ell \) where \(\vec {x}= f(\vec {x}^*)\). This means the condition in \(\textsc {hyb}_1\) is satisfied, in which case the party’s output is \((\textsf {sid}, \mathsf {verified}, (f, \vec {x}'), \vec {\sigma }', 0)\). This matches the behavior in \(\textsc {hyb}_2\).

  4. –

     Otherwise, if there is already an entry \((\mathsf {vk}', (f,\vec {x}), \vec {\sigma }, t') \in \mathcal {L}\) for some \(t'\), the ideal functionality sets \(\mathcal {F}_{\textsc {bhs}}\) sets \(t = t'\). In the real protocol execution in \(\textsc {hyb}_1\), the honest verifier’s decision algorithm is deterministic. Hence, if a signature previously verified (resp., failed to verify), it will continue to verify (resp., fail to verify).

  5. –

     Finally, if none of the above criteria apply, then the ideal functionality allows the simulator \(\mathcal {S}\) to decide the verification response in \(\textsc {hyb}_2\). By construction, for an honest party, the simulator implements the same logic as that in the actual protocol \(\Pi _\textsc {bhs}\).

  We conclude that the outputs of the honest parties in response to verification queries are identically distributed in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\).

• Signature evaluation: In \(\textsc {hyb}_2\), since both parties \(\mathbf {S}\) and \(\mathbf {R}\) are honest, the resulting signatures that a party receives from \(\mathcal {F}_{\textsc {bhs}}\) are fully determined by the ideal algorithm \(\mathsf {IdealEval}\) that \(\mathcal {S}\) provides to the functionality \(\mathcal {F}_{\textsc {bhs}}\). Since \(\mathcal {S}\) implements these algorithms exactly as in the protocol specification of \(\Pi _\textsc {bhs}\) using the identically distributed signing key \(\mathsf {sk}\) and verification key \(\mathsf {vk}\), the signature output by the evaluation algorithm in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are identically distributed. Moreover, by correctness of \(\Pi _{\mathsf {HS}}\) and construction of \(\mathcal {S}\), the abort condition in \(\mathcal {F}_{\textsc {bhs}}\) for evaluation queries is never triggered.

\(\square \)

Lemma B.35 now follows by combining Claims B.36 and B.37. \(\square \)

Lemma B.38

If the signer is honest and the receiver is corrupt, then for all efficient environments \(\mathcal {Z}\), we have that \(\textsc {ideal}_{\mathcal {F}_{\textsc {bhs}},\mathcal {S},\mathcal {Z}} {\mathop {\approx }\limits ^{c}}\textsc {real}_{\Pi _\textsc {bhs},\mathcal {A},\mathcal {Z}}\).

Proof

We use a similar hybrid structure as that used in the proof of Lemma B.35:

• \(\textsc {hyb}_0\): This is the real distribution \(\textsc {real}_{\Pi _\textsc {bhs},\mathcal {A},\mathcal {Z}}\).

• \(\textsc {hyb}_1\): Same as \(\textsc {hyb}_0\), except we modify the honest signer’s behavior as follows:

  1. –

     At the beginning of the experiment, initialize \(\vec {x}^* \leftarrow \bot \).

  2. –

     During a signing request, let \(\vec {w}_1, \ldots , \vec {w}_t\) be the messages \(\mathbf {R}\) submits to \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\). Update \(\vec {x}^* \leftarrow \bigoplus _{i \in [t]} \vec {w}_i\). If the environment activated the signer to make a verification request of the form \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}^*), \vec {\sigma })\) where \(\vec {\sigma }\) is a valid signature on \((f_{\mathsf {id}}, \vec {x}^*)\) prior to the signing request, then the experiment aborts with output \(\bot \).

  3. –

     Let \(\mathsf {vk}\) be the verification key generated by the signer in the key generation phase. If the environment activates the honest signer on a verification request of the form \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f, \vec {x}), \vec {\sigma })\) where \(\mathsf {vk}' = \mathsf {vk}\) and \(\vec {x}\ne f(\vec {x}^*)\), then the signer’s output is set to \((\textsf {sid}, \mathsf {verified}, (f, \vec {x}), \vec {\sigma }, 0)\). Otherwise, the output is determined as in \(\textsc {hyb}_0\).

• \(\textsc {hyb}_2\): This is the ideal distribution \(\textsc {ideal}_{\mathcal {F}_{\textsc {bhs}},\mathcal {S},\mathcal {Z}}\).

Claim B.39

Suppose \(\Pi _{\mathsf {HS}}\) satisfies unforgeability (Definition B.7). Then, the outputs of \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) are computationally indistinguishable.

Proof

Suppose there exists an environment \(\mathcal {Z}\) and adversary \(\mathcal {A}\) (that corrupts the receiver \(\mathbf {R}\)) such that the outputs of \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) are distinguishable. We use \(\mathcal {Z}\) and \(\mathcal {A}\) to construct an algorithm \(\mathcal {B}\) that breaks unforgeability of \(\Pi _{\mathsf {HS}}\). In the reduction, algorithm \(\mathcal {B}\) simulates the behavior of the honest signer for \(\mathcal {Z}\) and \(\mathcal {A}\) according to the protocol specification in \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\). The overall argument follows a very similar structure as the proof of Claim B.36, so we only give a sketch of how \(\mathcal {B}\) simulates the execution of \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) below:

• As in the proof of Claim B.36, algorithm \(\mathcal {B}\) uses the public keys \(\vec {\mathsf {pk}}\) and the verification key \(\mathsf {vk}'\) from the unforgeability challenger as the signer’s verification key \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\).

• To simulate a signing protocol, after the receiver \(\mathbf {R}\) (under the direction of \(\mathcal {A}\)) submits shares \(\vec {w}_1, \ldots , \vec {w}_t \in \{0,1\}^\ell \) to \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\), algorithm \(\mathcal {B}\) submits \((\vec {w}_1, \ldots , \vec {w}_t)\) to the unforgeability challenger to obtain the signatures \((\vec {\sigma }_1, \ldots , \vec {\sigma }_t)\), which it uses to simulate the response from \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\).

• Finally, algorithm \(\mathcal {B}\) simulates the verification and evaluation queries to the honest signer as described in \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\), since these operations only depend on the public parameters.

By an analogous argument to that in the proof of Claim B.36, algorithm \(\mathcal {B}\) correctly simulates the behavior of the honest signer in a protocol execution with \(\mathcal {Z}\) and \(\mathcal {A}\). Thus, with non-negligible probability, the environment will activate the honest signer on a signing or verification query whose behavior differs between \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\). As in the proof of Claim B.36, if either condition is satisfied, the environment’s query enables \(\mathcal {B}\) to break unforgeability of the signature scheme. \(\square \)

Claim B.40

The outputs of \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are identically distributed.

Proof

We argue that the view of the environment \(\mathcal {Z}\) is identically distributed in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\). The argument follows similarly to that in the proof of Claim B.37. We sketch the key details below:

• Key generation: The simulator \(\mathcal {S}\) (in \(\textsc {hyb}_2\)) implements the key generation phase exactly according to the specification of the real protocol \(\Pi _\textsc {bhs}\) (in \(\textsc {hyb}_1\)).

• Signature generation: In \(\textsc {hyb}_1\), when the receiver \(\mathbf {R}\) (under the direction of \(\mathcal {A}\)) submits shares \(\vec {w}_1, \ldots , \vec {w}_t \in \{0,1\}^\ell \) to \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\), it receives in response from the \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) functionality signatures \(\vec {\sigma }_1, \ldots , \vec {\sigma }_t\) where \((\vec {\sigma }_1, \ldots , \vec {\sigma }_t) \leftarrow \mathsf {Sign}(\vec {\mathsf {pk}}, \mathsf {sk}, (\vec {w}_1, \ldots , \vec {w}_t))\). This is precisely how \(\mathcal {S}\) simulates the signing request for \(\mathcal {A}\) in \(\textsc {hyb}_2\). Let \(((f_{\mathsf {id}}, \vec {x}), \vec {\sigma })\) be the message–signature pair that the simulator \(\mathcal {S}\) registers with the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) at the end of the signing request in \(\textsc {hyb}_2\). If this pair is already registered with \(\mathcal {F}_{\textsc {bhs}}\) as an invalid signature, then \(\mathcal {F}_{\textsc {bhs}}\) aborts and the protocol execution halts in \(\textsc {hyb}_2\). By definition of \(\textsc {hyb}_2\) and \(\mathcal {S}\), this is only possible if the environment activates the honest signer to make a verification request on the message–signature pair \(((f_{\mathsf {id}}, \vec {x}), \vec {\sigma })\) prior to the signing request. This coincides with the abort condition in \(\textsc {hyb}_1\), and so we conclude that the output of the signature generation phase in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) is identically distributed.

• Signature verification: Signature verification is a non-interactive procedure, so it suffices to argue that the outputs of the honest signer in response to the environment’s queries are identically distributed in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\). By construction of \(\mathcal {S}\), only verification and evaluation queries involving an honest party requires interacting with the ideal functionality. The argument then proceeds as in the proof of Claim B.37.

• Signature evaluation: Similar to the case of signature verification, signature evaluation is non-interactive, so it suffices to argue that the outputs of the honest signer in response to the environment’s queries are identically distributed. This argument then proceeds as in the proof of Claim B.37.

\(\square \)

Combining Claims B.39 and B.40, the lemma follows. \(\square \)

Lemma B.41

If the signer is corrupt and the receiver is honest, then for all efficient environments \(\mathcal {Z}\), we have that \(\textsc {ideal}_{\mathcal {F}_{\textsc {bhs}},\mathcal {S},\mathcal {Z}} {\mathop {\approx }\limits ^{c}}\textsc {real}_{\Pi _\textsc {bhs},\mathcal {A},\mathcal {Z}}\).

Proof

We proceed via a hybrid argument:

• \(\textsc {hyb}_0\): This is the real distribution \(\textsc {real}_{\Pi _\textsc {bhs},\mathcal {A},\mathcal {Z}}\).

• \(\textsc {hyb}_1\): Same as \(\textsc {hyb}_0\) except we modify the honest receiver’s behavior in the signature generation protocol as follows. Let \(\mathsf {vk}\) be the verification key chosen by the signer in the key generation phase. Let \(\big ((\textsf {sid},i), \mathsf {sender}, \{ (\sigma _{i,j,0}, \sigma _{i,j,1}) \}_{i \in [t], j \in [\ell ]} \big )\) be the set of signatures the signer submits to the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\), and let \(\{ \sigma ^{\mathsf {pk}}_{i, j} \}_{i \in [t], j \in [\ell ]}\) be the message-independent signature components \(\mathbf {S}\) sends to \(\mathbf {R}\). The receiver always outputs \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \bot )\) if any of the following conditions hold:

  1. –

     The signer’s verification key \(\mathsf {vk}\) cannot be written as \((\vec {\mathsf {pk}}, \mathsf {vk}')\) where \(\vec {\mathsf {pk}}= \{ \mathsf {pk}_{i,j} \}_{i \in [t], j \in [\ell ]}\).

  2. –

     If there exists indices \(i \in [t]\) and \(j \in [\ell ]\) where both \(\sigma _{i, j, 0}\) and \(\sigma _{i, j, 1}\) are invalid. We say that a signature \(\sigma _{i, j, b}\) is valid if it satisfies Eq. (1).

  3. –

     If there exists \(j \in [\ell ]\) such that for all \(i \in [t]\), at least one of \(\sigma _{i, j, 0}\) and \(\sigma _{i, j, 1}\) is invalid.

  Otherwise, the honest receiver implements the verification protocol as in the real scheme.

• \(\textsc {hyb}_2\): Same as \(\textsc {hyb}_1\) except we use the context-hiding simulator \(\mathcal {S}= (\mathcal {S}^\mathsf {Ext}, \mathcal {S}^\mathsf {Gen})\) to generate the signatures the honest receiver \(\mathbf {R}\) outputs on evaluation queries. Here, we assume that none of the conditions from \(\textsc {hyb}_1\) are satisfied (otherwise, the honest receiver outputs \(\bot \) in the signing protocol and ignores all evaluation requests). In particular, we have the following:

  1. –

     Let \(\big ((\textsf {sid},i), \mathsf {sender}, \{ (\sigma _{i,j,0}, \sigma _{i,j,1}) \}_{i \in [t], j \in [\ell ]} \big )\) be the set of signatures the signer submits to the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\), and let \(\{ \sigma ^{\mathsf {pk}}_{i, j} \}_{i \in [t], j \in [\ell ]}\) be the message-independent signature components \(\mathbf {S}\) sends to \(\mathbf {R}\).

  2. –

     Since none of the conditions in \(\textsc {hyb}_1\) are satisfied, there exist indices \({i^*}, {j^*}\) where \(\sigma _{{i^*}, {j^*}, 0}\) and \(\sigma _{{i^*}, {j^*}, 1}\) are both valid. Moreover, the verification key \(\mathsf {vk}\) can be written as \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\) where \(\vec {\mathsf {pk}}= \{ \mathsf {pk}_{i, j} \}_{i \in [t], j \in [\ell ]}\). The experiment invokes the context-hiding simulator \(\mathcal {S}^\mathsf {Ext}\) to extract a simulation trapdoor \(\mathsf {td}\leftarrow \mathcal {S}^\mathsf {Ext}(\mathsf {vk}', (0, \sigma _{{i^*},{j^*},0}), (1, \sigma _{{i^*},{j^*},1}))\), and stores \(\mathsf {td}\). The receiver’s signature is constructed using the same procedure from \(\textsc {hyb}_1\).

  3. –

     During signature evaluation, on input \((\textsf {sid}, \mathsf {eval}, \mathsf {vk}, g, (f,\vec {x}), \vec {\sigma })\), \(\mathbf {R}\) first applies the signature verification procedure on input \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}, (f,\vec {x}), \vec {\sigma })\). If the signature verifies, the receiver’s signature is generated by computing \(\mathsf {pk}_g \leftarrow \mathsf {PrmsEval}(g \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}})\), \(\sigma ^{\mathsf {pk}}_g \leftarrow \mathsf {SigEvalPK}\big (g \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}}, (\vec {\sigma }^{\mathsf {pk}}_1, \ldots , \vec {\sigma }^{\mathsf {pk}}_t) \big )\), where \(\vec {\sigma }^{\mathsf {pk}}_i = (\sigma ^{\mathsf {pk}}_{i, 1}, \ldots , \sigma ^{\mathsf {pk}}_{i, \ell })\), and finally \(\sigma ^*\leftarrow \mathcal {S}^\mathsf {Gen}(\mathsf {pk}_g, \mathsf {vk}', \mathsf {td}, g(\vec {x}), \sigma ^{\mathsf {pk}}_g)\). The receiver’s output is the tuple \((\textsf {sid}, \mathsf {signature}, (g, g(\vec {x})), \sigma ^*)\).

• \(\textsc {hyb}_3\): This is the ideal distribution \(\textsc {ideal}_{\mathcal {F}_{\textsc {bhs}},\mathcal {S},\mathcal {Z}}\).

Claim B.42

Suppose \(t = \omega (\log \lambda )\). Then, the outputs of hybrids \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) are statistically indistinguishable.

Proof

The only difference between the two experiments is the additional checks in \(\textsc {hyb}_1\) which affects the honest receiver’s output on signing queries. We consider each of the conditions separately and argue that for each of them, the receiver’s output in \(\textsc {hyb}_1\) is the same as that in \(\textsc {hyb}_0\), except with probability at most \(2^{-(t-1)} = 2^{-\omega (\log \lambda )} = \mathsf {negl}(\lambda )\).

• Suppose that the signer’s verification key is not well formed: namely, that \(\mathsf {vk}\ne (\vec {\mathsf {pk}}, \mathsf {vk}')\) where \(\vec {\mathsf {pk}}= \{ \mathsf {pk}_{i,j} \}_{i \in [t], j \in [\ell ]}\). In this case, the receiver’s signature is \(\bot \) in both \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\).

• Suppose there exists \(i \in [t]\) and \(j \in [\ell ]\) where both \(\sigma _{i, j, 0}\) and \(\sigma _{i, j, 1}\) are invalid. In this case, the honest receiver in \(\textsc {hyb}_0\) outputs \(\bot \) as its signature, which matches the behavior in \(\textsc {hyb}_1\).

• Suppose there exists \(j \in [\ell ]\) such that for all \(i \in [t]\), at least one of \(\sigma _{i, j, 0}\) and \(\sigma _{i, j, 1}\) is invalid. We argue that in this case, the receiver outputs \(\bot \) with probability at least \(1 - 2^{-(t-1)}\) in \(\textsc {hyb}_0\). Without loss of generality, we can assume that exactly one of \(\sigma _{i, j, 0}\) and \(\sigma _{i, j, 1}\) for all \(i \in [t]\) is invalid. (The case where both are invalid is captured by the previous case.) Let \(b_1, \ldots , b_t \in \{0,1\}\) be such that \(\sigma _{i, j, b_i}\) is invalid, and let \(\vec {x}= (x_1, \ldots , x_\ell ) \in \{0,1\}^\ell \) be the receiver’s message in the signing protocol. In the real protocol, the honest receiver samples \(w_{i, j} \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}\) for all \(i \in [t]\) such that \(x_j = \bigoplus _{i \in [t]} w_{i,j}\). We consider two possibilities:

  1. –

     Suppose \(x_j \ne \bigoplus _{i \in [t]} b_i\). This means that there exists \(i \in [t]\) where \(w_{i, j} \ne b_i\). In the real protocol, this means that the receiver obtains signature \(\sigma _{i, j, w_{i, j}}\), which by assumption is invalid. In this case, the receiver in \(\textsc {hyb}_0\) outputs \(\bot \) as its signature.

  2. –

     Suppose \(x_j = \bigoplus _{i \in [t]} b_i\). Since \(w_{i,j}\) are sampled uniformly at random subject to the constraint, with probability \(2^{-(t-1)}\), it is the case that \(w_{i, j} = b_i\) for all \(i \in [t]\). In this case, the receiver in \(\textsc {hyb}_0\) does not output \(\bot \) (since every signature it obtains is valid). With probability \(1-2^{-(t-1)}\), there is an index \(i \in [t]\) where \(w_{i,j} \ne b_i\). In this case, the receiver obtains signature \(\sigma _{i, j, w_{i,j}}\), which by assumption is invalid. Thus, we conclude that the receiver in \(\textsc {hyb}_0\) aborts with probability \(1-2^{-(t-1)}\).

  In this case, the honest receiver in \(\textsc {hyb}_0\) outputs \(\bot \) with probability at least \(1-2^{-(t-1)}\), while in \(\textsc {hyb}_1\), the receiver outputs \(\bot \) with probability 1. In both cases, the probability is taken over the receiver’s random coins. Since \(t = \omega (\log \lambda )\), we conclude that the statistical distance between the output distributions of \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) is negligible.

\(\square \)

Claim B.43

Suppose \(\Pi _{\mathsf {HS}}\) satisfies context-hiding (Definition B.11). Then, the outputs of hybrids \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are computationally indistinguishable.

Proof

Suppose there exists an environment \(\mathcal {Z}\) and adversary \(\mathcal {A}\) (that corrupts the signer \(\mathbf {S}\)) such that the outputs of \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are distinguishable. We use \(\mathcal {Z}\) and \(\mathcal {A}\) to construct an adversary \(\mathcal {B}\) that breaks context-hiding security (Definition B.11) of \(\Pi _{\mathsf {HS}}\). Algorithm \(\mathcal {B}\) begins by simulating the protocol execution in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) for \(\mathcal {Z}\) and \(\mathcal {A}\). In the simulation, \(\mathcal {B}\) is responsible for simulating the behavior of the honest receiver \(\mathbf {R}\) and the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\).

• Key generation: The key generation protocol only involves \(\mathcal {Z}\) and \(\mathcal {A}\), so \(\mathcal {B}\) does not need to simulate anything.

• Signature generation: On a signature generation query \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \vec {x})\), let \(\{ (\sigma _{i,j,0}, \sigma _{i,j,1}) \}_{i \in [t], j \in [\ell ]}\) be the signatures the signer \(\mathbf {S}\) submits to the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell ,s}\) in the simulated protocol execution (as directed by \(\mathcal {Z}\) and \(\mathcal {A}\)). Additionally, let \(\{ \sigma ^{\mathsf {pk}}_{i,j} \}_{i \in [t], j \in [\ell ]}\) be the message-independent signature components the signer sends to the receiver. Algorithm \(\mathcal {B}\) checks the three conditions in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\), and if any condition is satisfied, it defines the receiver’s output to be \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \bot )\). Otherwise, the verification key \(\mathsf {vk}\) has the form \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\) where \(\vec {\mathsf {pk}}= \{ \mathsf {pk}_{i, j} \}_{i \in [t], j \in [\ell ]}\), and moreover, there exists indices \({i^*}, {j^*}\) where \(\sigma _{{i^*}, {j^*}, 0}\) and \(\sigma _{{i^*}, {j^*}, 1}\) are both valid. Algorithm \(\mathcal {B}\) submits the public key \(\mathsf {pk}_{{i^*}, {j^*}}\), the verification key \(\mathsf {vk}'\), and the message–signature pairs \((0, \sigma _{{i^*}, {j^*}, 0})\) and \((1, \sigma _{{i^*}, {j^*}, 1})\) to the context-hiding challenger. Finally, algorithm \(\mathcal {B}\) simulates the receiver’s output according to the specification in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\). If the receiver’s output is not \(\bot \), algorithm \(\mathcal {B}\) does the following. Let \(\vec {w}_1, \ldots , \vec {w}_t\) where \(\bigoplus _{i \in [t]} \vec {w}_i = \vec {x}\) be the bit strings \(\mathcal {B}\) chose when simulating the honest receiver. For \(i \in [t]\), algorithm \(\mathcal {B}\) defines \(\vec {\sigma }_i = (\sigma _{i, 1, w_{i, 1}}, \ldots , \sigma _{i, \ell , w_{i, \ell }})\).

• Signature verification: Algorithm \(\mathcal {B}\) simulates the verification queries involving the receiver \(\mathbf {R}\) as described in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\). Note that because signature verification is non-interactive, the environment \(\mathcal {Z}\) and the adversary \(\mathcal {A}\) completely dictate the behavior of verification queries to the corrupt signer.

• Signature evaluation: Whenever \(\mathcal {Z}\) activates the receiver on a signature evaluation query \((\textsf {sid}, \mathsf {eval}, \mathsf {vk}, g, (f, \vec {x}), \vec {\sigma })\), where \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\), algorithm \(\mathcal {B}\) ignores the request if the receiver’s signature in the signing protocol was \(\bot \). Otherwise, it proceeds as follows:

  1. –

     As in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\), algorithm \(\mathcal {B}\) checks that \(f = f_{\mathsf {id}}\) and that \(\sigma \) is a valid signature on \((f, \vec {x})\). If the signature verifies, then \(\mathcal {B}\) first computes \(\mathsf {pk}_g \leftarrow \mathsf {PrmsEval}(g \circ f_{\mathsf {recon}}, \vec {\mathsf {pk}})\). Then, it computes \(\sigma ' \leftarrow \mathsf {SigEval}(g \circ f_{\mathsf {recon}}, (\vec {\sigma }_1, \ldots , \vec {\sigma }_t))\) where \(\vec {\sigma }_i\) is defined as in the signing protocol.

  2. –

     Algorithm \(\mathcal {B}\) submits the public key \(\mathsf {pk}_g\), the message \(g(\vec {x})\), and the signature \(\sigma '\) to the context-hiding challenger, and receives in response a signature \(\sigma ^*\). Algorithm \(\mathcal {B}\) simulates the output of the honest receiver as \((\textsf {sid}, \mathsf {signature}, (g, g(\vec {x})), \sigma ^*)\).

  Note that signature evaluation is non-interactive, the environment \(\mathcal {Z}\) and the adversary \(\mathcal {A}\) completely dictate the behavior of evaluation queries to the corrupt signer.

• At the end of the experiment, when \(\mathcal {Z}\) outputs a bit, \(\mathcal {B}\) outputs the same bit.

We now show that \(\mathcal {B}\) breaks context-hiding security with the same advantage as \(\mathcal {Z}\). By construction, the only difference between the two hybrid experiments \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) is the way the honest receiver’s signatures are generated on evaluation queries. Note that if the honest receiver outputs \(\bot \) in response to a signing query, then the honest receiver in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) ignores all evaluation queries. In this case, the two experiments are identical. Thus, without loss of generality, we assume that the signing protocol succeeds. In this case, algorithm \(\mathcal {B}\) submits a valid key, verification key, and message–signature pairs to the context-hiding challenger.

Now, assume that \(\mathcal {B}\) does not abort during signature generation. Then, if the context-hiding challenger implements the hide algorithm using \(\mathsf {Hide}\), then the signatures output by \(\mathcal {B}\) when simulating the honest evaluation queries are distributed according to \(\textsc {hyb}_1\), and \(\mathcal {B}\) perfectly simulates an execution of \(\textsc {hyb}_1\) for \(\mathcal {Z}\) and \(\mathcal {A}\). Alternatively, if the context-hiding challenger implements the hide algorithm using \(\mathcal {S}^\mathsf {Gen}\), then the signatures output by \(\mathcal {B}\) when simulating the honest evaluation queries are distributed according to \(\textsc {hyb}_2\), and \(\mathcal {B}\) perfectly simulates an execution of \(\textsc {hyb}_2\) for \(\mathcal {Z}\) and \(\mathcal {A}\). Thus, if \(\mathcal {Z}\) is able to distinguish experiments \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\), algorithm \(\mathcal {B}\) breaks context-hiding of \(\Pi _{\mathsf {HS}}\) with the same advantage. \(\square \)

Claim B.44

The outputs of hybrids \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) are identically distributed.

Proof

We now show that the view of the environment \(\mathcal {Z}\) when interacting with an adversary \(\mathcal {A}\) in \(\textsc {hyb}_2\) is distributed identically with its view when interacting with the simulator \(\mathcal {S}\) in \(\textsc {hyb}_3\).

• Key generation: When the environment \(\mathcal {Z}\) activates the signer on a key generation query, algorithm \(\mathcal {S}\) simply forwards the query to its simulated protocol execution with adversary \(\mathcal {A}\) (as if it came from \(\mathcal {A}\)’s environment). Thus, the output of \(\mathcal {S}\) in \(\textsc {hyb}_3\) is distributed identically to the output of \(\mathcal {A}\) in \(\textsc {hyb}_2\).

• Signature generation: By construction, \(\mathcal {S}\) perfectly simulates the behavior of the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\), so it perfectly simulates the view of \(\mathcal {A}\) in its simulated protocol execution (since \(\mathcal {A}\) only interacts with \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\)). Thus, \(\mathcal {S}\) perfectly simulates any interaction between the adversary and the environment that can occur during this phase. It suffices to argue that the output of the honest receiver in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) is identically distributed on a query \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \vec {x})\), where \(\mathsf {vk}\) can be parsed as \(\mathsf {vk}= (\vec {\mathsf {pk}}, \mathsf {vk}')\). Let \(\{ (\sigma _{i,j,0}, \sigma _{i,j,1}) \}_{i \in [t], j \in [\ell ]}\) be the signatures the signer submits to the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\), and let \(\{ \sigma ^{\mathsf {pk}}_{i, j} \}_{i \in [t], j \in [\ell ]}\) be the message-independent signature components the signer sends to the receiver. First, if any of the verification conditions in \(\textsc {hyb}_2\) (defined in the description of \(\textsc {hyb}_1\)) are satisfied, then the output of the honest receiver in \(\textsc {hyb}_2\) is \((\textsf {sid}, \mathsf {signature}, (f_{\mathsf {id}}, \vec {x}), \bot )\). By construction, the simulator \(\mathcal {S}\) implements an identical set of checks. If any of the conditions are satisfied, then the simulator defines the \(\mathsf {IdealSign}\) function to output \(\bot \) on all inputs. This means that in \(\textsc {hyb}_3\), the honest receiver also outputs \(\bot \) as its signature in response to the signing request. We conclude that the behavior in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) is identical whenever any of the conditions in \(\textsc {hyb}_2\) is triggered. Now, consider the case where none of the conditions in \(\textsc {hyb}_2\) are satisfied. This means that for all \(j \in [\ell ]\), there is at least one \(i_j \in [t]\) where both\(\sigma _{i_j, j, 0}\) and \(\sigma _{i_j, j, 1}\) are valid (according to the criterion in Eq. (1)). We consider the receiver’s output in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\).

  1. –

     In \(\textsc {hyb}_2\), the honest receiver chooses \(\vec {w}_i \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}^\ell \) for all \(i \in [t]\) such that \(\vec {x}= \bigoplus _{i \in [t]} \vec {w}_i\). This is equivalent to first sampling \(w_{i, j} \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}\) for all \(j \in [\ell ]\) and \(i \ne i_j\) and setting \(w_{i_j, j} \in \{0,1\}\) such that \(\vec {x}= \bigoplus _{i \in [t]} \vec {w}_i\). Next, we say that an index \(i \in [t]\) and \(j \in [\ell ]\) is “bad” if either \(\sigma _{i, j, 0}\) or \(\sigma _{i, j, 1}\) is invalid. For all bad indices i, j, define \(b_{i, j} \in \{0,1\}\) so that \(\sigma _{i, j, b_{i,j}}\) is valid. We consider two possibilities.

     • The receiver in \(\textsc {hyb}_2\) outputs \(\bot \) as its signature if there is a bad index \(i \in [t]\), \(j \in [\ell ]\) where \(w_{i, j} \ne b_{i, j}\). Suppose there are n such bad indices. Since both \(\sigma _{i_j, j, 0}\) and \(\sigma _{i_j, j, 1}\) are valid for all \(j \in [\ell ]\), and all of the \(w_{i,j}\)’s are sampled uniformly at random for \(i \ne i_j\), it follows that with probability \(1 - 2^{-n}\) (over the randomness used to sample the \(w_{i,j}\)’s), there is at least one \(i \ne i_j\) and \(j \in [\ell ]\) where \(w_{i, j} \ne b_{i, j}\).

     • With probability \(2^{-n}\), for all bad indices \(i \in [t]\), \(j \in [\ell ]\), we have that \(w_{i, j} = b_{i, j}\). In this case, the honest receiver in \(\textsc {hyb}_2\) obtains valid signatures \(\sigma _{i, j, w_{i,j}}\) from \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) and constructs \(\vec {\sigma }\) according to the specification of \(\textsc {hyb}_2\). Here, \(w_{i, j} = b_{i, j}\) for all bad indices, and for all remaining indices \(i \ne i_j\) and \(j \in [\ell ]\), the choice bit \(w_{i, j}\) is uniformly random.

  2. –

     In \(\textsc {hyb}_3\), the ideal signing algorithm \(\mathsf {IdealSign}\) is used to generate the honest receiver’s signature, and the simulator \(\mathcal {S}\) decides whether the honest receiver outputs \(\bot \) or the output of \(\mathsf {IdealSign}\). By construction, if n is the number of bad indices, then \(\mathcal {S}\) causes the honest receiver to output \(\bot \) with probability \(1 - 2^{-n}\), which is precisely the probability that the honest receiver outputs \(\bot \) in \(\textsc {hyb}_2\). With probability \(2^{-n}\), the honest receiver outputs the signature computed by \(\mathsf {IdealSign}\). We argue that in this case, the signature output by \(\mathsf {IdealSign}\) is distributed identically to the signature that would have been constructed by the honest receiver in \(\textsc {hyb}_2\). By construction, \(\mathsf {IdealSign}\) sets \(\vec {\sigma }_i = (\sigma _{i, 1, w_{i,1}}, \ldots , \sigma _{i, \ell , w_{i, \ell }})\) for all \(i \in [t]\) where \(w_{i, j} = b_{i, j}\) for all bad indices \(i \in [t]\) and \(j \in [\ell ]\). For the remaining indices, \(w_{i, j}\) is uniformly random subject to the restriction that \(\bigoplus \vec {w}_i = \vec {x}\) where \(\vec {w}_i = (w_{i, 1}, \ldots , \vec {w}_{i, \ell })\). Observe that this is the same distribution from which the \(w_{i, j}\) are sampled in \(\textsc {hyb}_2\). Finally, \(\mathsf {IdealSign}\) constructs the final signature \(\sigma '\) by computing \(\vec {\sigma }\leftarrow \mathsf {SigEval}(f_{\mathsf {recon}}, \vec {\mathsf {pk}}, (\vec {w}_1, \ldots , \vec {w}_t), (\vec {\sigma }_1, \ldots , \vec {\sigma }_t))\). This is precisely the behavior of the honest receiver in \(\textsc {hyb}_2\). In addition, by correctness of \(\Pi _{\mathsf {HS}}\), it will never be the case that \((\mathsf {vk}, (f_{\mathsf {id}}, \vec {x}), \vec {\sigma }, 0) \in \mathcal {L}\). Specifically, \(\vec {\sigma }\) is a valid signature on \(\vec {x}\) under \(\mathsf {vk}\), so the simulator \(\mathcal {S}\) would never register it as an invalid signature in \(\mathcal {F}_{\textsc {bhs}}\). (Because the signer is corrupt, the unforgeability criterion in signature verification is ignored.)

  We conclude that the output of the honest receiver in response to a signing query is identically distributed in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\).

• Signature verification: If the environment \(\mathcal {Z}\) activates the corrupt signer \(\tilde{\mathbf {S}}\) on a verification query \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f,\vec {x}), \vec {\sigma })\), the simulator \(\mathcal {S}\) activates the real signer \(\mathbf {S}\) (under the control of \(\mathcal {A}\)) in its simulated version of \(\Pi _\textsc {bhs}\). Since the simulator \(\mathcal {S}\) forwards \(\mathbf {S}\)’s output to \(\mathcal {Z}\), the responses to these queries in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) are identically distributed. Next, suppose the environment \(\mathcal {Z}\) activates the honest receiver \(\mathbf {R}\) on a signature verification query \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}', (f,\vec {x}), \vec {\sigma })\). In \(\textsc {hyb}_3\), the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) handles the signature verification queries. We consider the different possibilities below. Note that because the signer is assumed to be corrupt, the unforgeability condition is ignored.

  1. –

     If \(f \notin \mathcal {H}\), then \(\mathcal {F}_{\textsc {bhs}}\) sets the verification bit \(t = 0\). This is the behavior in \(\textsc {hyb}_2\).

  2. –

     Otherwise, if \(\mathsf {vk}= \mathsf {vk}'\) and \((\mathsf {vk}, (f,\vec {x}), \vec {\sigma }, 1) \in \mathcal {L}\), then \(\mathcal {F}_{\textsc {bhs}}\) sets \(t = 1\). We consider several scenarios depending on how the entry \((\mathsf {vk}, (f, \vec {x}), \vec {\sigma }, 1)\) was added to \(\mathcal {L}\). If \(\vec {\sigma }\) was generated as a result of a signing or a evaluation request involving the honest receiver, then by (evaluation and hiding) correctness of \(\Pi _{\mathsf {HS}}\), \(\vec {\sigma }\) is a valid signature on \(\vec {x}\), and the honest receiver in \(\textsc {hyb}_2\) would also accept the signature. If the entry was added as a result of a previous verification request (which successfully verified), then because the honest party’s verification algorithm in \(\Pi _{\mathsf {HS}}\) is deterministic and since the signature previously verified, then the honest receiver would also output 1 in \(\textsc {hyb}_2\).

  3. –

     Otherwise, if there is already an entry \((\mathsf {vk}', (f,\vec {x}), \vec {\sigma }, t') \in \mathcal {L}\) for some \(t'\), \(\mathcal {F}_{\textsc {bhs}}\) sets \(t = t'\). In the real protocol in \(\textsc {hyb}_2\), the honest verifier’s algorithm is deterministic. Hence, if a signature previously verified (resp., failed to verify), it will continue to verify (resp., fail to verify).

  4. –

     Finally, if none of the above criteria apply, then the ideal functionality allows the simulator \(\mathcal {S}\) to decide the verification response in \(\textsc {hyb}_3\). By construction, for the honest receiver, the simulator implements the same logic as in the real protocol in \(\textsc {hyb}_2\).

  We conclude that the output of the honest receiver in response to verification queries is identically distributed in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\).

• Signature evaluation: By definition, for any signature evaluation query made by \(\mathcal {Z}\) to \(\tilde{\mathbf {S}}\) in \(\textsc {hyb}_3\), the simulator \(\mathcal {S}\) invokes \(\mathbf {S}\) (under the control of \(\mathcal {A}\)) in its simulated copy of \(\Pi _\textsc {bhs}\) and forwards \(\mathbf {S}\)’s output to \(\mathcal {Z}\). Therefore, \(\mathcal {Z}\)’s views in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) are identical. Next, suppose that the environment \(\mathcal {Z}\) activates the honest receiver \(\tilde{\mathbf {R}}\) on an evaluation query in \(\textsc {hyb}_3\). In this case, the ideal functionality first verifies the signature (as argued above, the outcome of the signature verification procedure is identically distributed in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\)) and then invokes the \(\mathsf {IdealEval}\) algorithm provided by \(\mathcal {S}\) to construct the signature. By construction, \(\mathsf {IdealEval}\) is precisely the algorithm used in \(\textsc {hyb}_2\) to generate the signatures. (Specifically, both \(\mathsf {IdealEval}\) and the procedure in \(\textsc {hyb}_2\) simulate the signatures using the context-hiding simulator for \(\Pi _{\mathsf {HS}}\).) We conclude that the output of the honest receiver in response to an evaluation query is identically distributed in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\).

We conclude that on all queries, the view of the environment \(\mathcal {Z}\) in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) is identically distributed. \(\square \)

Lemma B.41 now follows by combining Claims B.42, B.43, and B.44. \(\square \)

Lemma B.45

If both the signer and the receiver are corrupt, then \(\textsc {ideal}_{\mathcal {F}_{\textsc {bhs}},\mathcal {S},\mathcal {Z}} \equiv \textsc {real}_{\Pi _\textsc {bhs},\mathcal {A},\mathcal {Z}}\).

Proof

When both parties are corrupt, the simulator \(\mathcal {S}\) only needs to simulate the behavior of the ideal OT functionality \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) when simulating the protocol execution for adversary \(\mathcal {A}\). Since \(\mathcal {S}\) forwards all of the queries from \(\mathcal {Z}\) to \(\mathcal {A}\) (as if it came from \(\mathcal {A}\)’s environment in the simulated protocol execution), and moreover, \(\mathcal {S}\) perfectly simulates the behavior of the \(\mathcal {F}_{\textsc {ot}}^{\ell , s}\) functionality, the output of \(\mathcal {S}\) in the ideal execution is distributed identically to the output of \(\mathcal {A}\) in the real execution. \(\square \)

Theorem B.25 now follows by combining Lemmas B.35, B.38, B.41, and B.45. \(\square \)

1.9 B.9 Proof of Theorem B.29 (UC-NIZK Arguments)

Let \(\mathcal {A}\) be a static adversary that interacts with the environment \(\mathcal {Z}\), a prover \(\mathcal {P}\), and a verifier \(\mathcal {V}\) running the real protocol \(\Pi _{\mathsf {ZK}}\) (Fig. 8). We construct an ideal-world adversary (simulator) \(\mathcal {S}\) that interacts with the environment \(\mathcal {Z}\), a dummy prover \({\tilde{\mathcal {P}}}\), a dummy verifier \({\tilde{\mathcal {V}}}\), and ideal functionality \(\mathcal {F}_{\mathsf {ZK}}\) such that no environment \(\mathcal {Z}\) can distinguish an interaction with \(\mathcal {A}\) in the real execution from one with \(\mathcal {S}\) in the ideal execution.

We begin by describing the simulator \(\mathcal {S}\). At the beginning of the protocol execution, the simulator \(\mathcal {S}\) begins by invoking the adversary \(\mathcal {A}\). Algorithm \(\mathcal {A}\) begins by declaring which parties it would like to corrupt, and \(\mathcal {S}\) corrupts the corresponding set of dummy parties. The simulation then proceeds as follows.

Simulating the communication with the environment Whenever the simulator \(\mathcal {S}\) receives an input from the environment \(\mathcal {Z}\), it forwards the input to \(\mathcal {A}\) (as if it came from the environment in the simulated protocol execution). Whenever \(\mathcal {A}\) writes a message on its output tape (in the simulated protocol execution), the simulator \(\mathcal {S}\) writes the same output on its own output tape (to be read by the environment).

Simulating the ideal BHS functionality At the beginning of the protocol execution, the simulator \(\mathcal {S}\) initializes an empty list \(\mathcal {L}\) to keep track of the signatures in the simulated instance of \(\mathcal {F}_{\textsc {bhs}}\). The simulator \(\mathcal {S}\) simulates the ideal BHS functionality exactly as described in Fig. 6. Whenever the specification of \(\mathcal {F}_{\textsc {bhs}}\) needs to interact with the ideal adversary, the simulator \(\mathcal {S}\) forwards the request to \(\mathcal {A}\) (as if it came from \(\mathcal {F}_{\textsc {bhs}}\) in the simulated protocol execution) and uses the response from \(\mathcal {A}\) to continue the simulation.

Simulating the preprocessing phase In the preprocessing phase, the verifier and the prover never exchange any messages with each other. They only interact with the \(\mathcal {F}_{\textsc {bhs}}\) functionality. As stated above, the simulator simulates the behavior of \(\mathcal {F}_{\textsc {bhs}}\) exactly as described in Fig. 6. If a party is corrupt, then the simulator uses \(\mathcal {A}\) to determine the messages it sends to \(\mathcal {F}_{\textsc {bhs}}\). If a party is honest, then \(\mathcal {S}\) simulates the behavior of the honest party exactly as in the real protocol. Let \({\widetilde{\mathsf {vk}}}\) be the verification key the verifier sends to the prover in the simulated execution.

Simulating the proofs After simulating the preprocessing phase, the simulator \(\mathcal {S}\) proceeds as follows, depending on which parties are corrupt:

• The prover is honest: If the prover is honest, then the prover (in both the real and ideal executions) does nothing until it is activated by the environment. In the ideal execution, whenever the environment activates the prover on an input \((\textsf {sid}, \textsf {ssid}, \mathsf {prove}, \mathcal {R}, x, w)\) where \(\mathcal {R}(x, w) = 1\), then \(\mathcal {S}\) receives a tuple \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x)\) from \(\mathcal {F}_{\mathsf {ZK}}\). When this occurs, \(\mathcal {S}\) simulates the request as follows. First, let \({\widetilde{\mathsf {sk}}}\) be the secret key the simulator \(\mathcal {S}\) chose for the prover when simulating the preprocessing phase (since the prover is honest, \(\mathcal {S}\) chooses the secret key). Then, \(\mathcal {S}\) constructs a ciphertext \({\widetilde{\mathsf {ct}}}\leftarrow \mathsf {Encrypt}(\mathsf {sk}, 0^\tau )\), where \(\tau \) denotes the length of the witness for relation \(\mathcal {R}\). Next, \(\mathcal {S}\) constructs a signature \({\tilde{\sigma }}^* \leftarrow \mathsf {IdealEval}(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1)\), where \(\mathsf {IdealEval}\) is the ideal signature evaluation functionality that \(\mathcal {A}\) chooses for \(\mathcal {F}_{\textsc {bhs}}\). The simulator \(\mathcal {S}\) constructs the simulated proof \({\tilde{\pi }} = ({\widetilde{\mathsf {ct}}}, {\tilde{\sigma }}^*)\), adds the signature \((\mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), {\tilde{\sigma }}^*, 1)\) to \(\mathcal {L}\) (if an entry does not already exist), and sends \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, x, \tilde{\pi })\) to the verifier in the simulated protocol execution.

• The prover is corrupt: First, if the verifier is also corrupt, then the simulator \(\mathcal {S}\) only needs to simulate the BHS functionality \(\mathcal {F}_{\textsc {bhs}}\). Specifically, whenever the environment activates the prover on an input in the ideal execution, the simulator simply forwards the input to the (corrupt) prover in the simulated execution. On the other hand, if the verifier is honest, then \(\mathcal {S}\) proceeds as follows:

  1. –

     At the beginning of the simulation, \(\mathcal {S}\) initializes \({\widetilde{\mathsf {sk}}}\) to \(\bot \). At any point in the simulated protocol execution, if the prover (as dictated by \(\mathcal {A}\)) makes a successful signing request to the \(\mathcal {F}_{\textsc {bhs}}\) functionality, the simulator \(\mathcal {S}\) updates \({\widetilde{\mathsf {sk}}}\) to be the message the prover submitted to the signing functionality. By definition of the \(\mathcal {F}_{\textsc {bhs}}\) functionality, the prover can make at most one successful signing request to the \(\mathcal {F}_{\textsc {bhs}}\).

  2. –

     Whenever the environment activates the prover in the ideal execution on an input \((\textsf {sid}, \textsf {ssid}, \mathsf {prove}, \mathcal {R}, x, w)\), the simulator \(\mathcal {S}\) activates the prover in the simulated protocol execution on the same input.

  3. –

     Whenever the prover in the simulated execution sends a message \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x, \pi )\) to the verifier, the simulator parses \(\pi = (\mathsf {ct}, \sigma ^*)\). If \(\pi \) does not have this form or if \({\widetilde{\mathsf {sk}}}= \bot \), then \(\mathcal {S}\) ignores the message. Otherwise, the simulator \(\mathcal {S}\) submits the request \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), \sigma ^*)\) to its (simulated) ideal functionality \(\mathcal {F}_{\textsc {bhs}}\). If the signature does not verify, then \(\mathcal {S}\) ignores the request. Otherwise, it computes \(w \leftarrow \mathsf {Decrypt}({\widetilde{\mathsf {sk}}}, \mathsf {ct})\) and outputs \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x)\) for the honest verifier in the simulated execution. In addition, \(\mathcal {S}\) submits \((\textsf {sid}, \textsf {ssid}, \mathsf {prove}, \mathcal {R}, x, w)\) to \(\Pi _{\mathsf {ZK}}\) (on behalf of the prover \({\tilde{\mathcal {P}}}\)).

To conclude the proof, we show that the environment cannot distinguish the output of the real execution with adversary \(\mathcal {A}\) from an ideal execution with the simulator \(\mathcal {S}\). We consider the two cases separately.

Lemma B.46

If the prover is honest, and \(\Pi _{\mathsf {SE}}\) is a CPA-secure encryption scheme, then in the \(\mathcal {F}_{\textsc {bhs}}\)-hybrid model, \(\textsc {real}_{\Pi _{\mathsf {ZK}}, \mathcal {A}, \mathcal {Z}} {\mathop {\approx }\limits ^{c}}\textsc {ideal}_{\mathcal {F}_{\mathsf {ZK}}, \mathcal {S}, \mathcal {Z}}\).

Proof

Our proof proceeds via a hybrid argument:

• \(\textsc {hyb}_0\): This is the real distribution \(\textsc {real}_{\Pi _{\mathsf {ZK}}, \mathcal {A}, \mathcal {Z}}\).

• \(\textsc {hyb}_1\): Same as \(\textsc {hyb}_0\), except when constructing proofs, the honest prover does not submit \((\textsf {sid}, \mathsf {eval}, \mathsf {vk}, \mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma _\mathsf {sk})\) to \(\mathcal {F}_{\textsc {bhs}}\) to obtain the signature \(\sigma ^*\). Instead, the signature is constructed as \(\sigma ^* \leftarrow \mathsf {IdealEval}(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1)\). Afterward, the entry \((\mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), \sigma ^*, 1)\) is added to \(\mathcal {F}_{\textsc {bhs}}\) (if an entry does not already exist).

• \(\textsc {hyb}_2\): Same as \(\textsc {hyb}_1\), except during the preprocessing phase, the honest prover sends \((\textsf {sid}, \mathsf {sign}, \mathsf {vk}, \mathsf {sk}')\) to \(\mathcal {F}_{\textsc {bhs}}\) where \(\mathsf {sk}' \leftarrow \mathsf {KeyGen}(1^\lambda )\) is generated independently of \(\mathsf {sk}\). The ciphertexts in the encryption step are still generated using \(\mathsf {sk}\).

• \(\textsc {hyb}_3\): Same as \(\textsc {hyb}_2\), except the honest prover encrypts the all-zero string \(0^\tau \) (where \(\tau \) is the bit length of the witness) when constructing the proofs.

• \(\textsc {hyb}_4\): Same as \(\textsc {hyb}_3\), except the honest prover requests the signature on \(\mathsf {sk}\) in the preprocessing step (instead of the dummy key \(\mathsf {sk}'\)).

• \(\textsc {hyb}_5\): This is the ideal distribution \(\textsc {ideal}_{\mathcal {F}_{\mathsf {ZK}}, \mathcal {S}, \mathcal {Z}}\).

We now show that assuming \(\Pi _{\mathsf {SE}}\) is CPA-secure, the outputs of each pair of consecutive hybrid experiments are computationally indistinguishable.

• Hybrids \(\textsc {hyb}_0\) and \(\textsc {hyb}_1\) are identical experiments according to the specification of \(\mathcal {F}_{\textsc {bhs}}\). Specifically, since the prover is honest, the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) answers the signature evaluation queries using the ideal evaluation function \(\mathsf {IdealEval}\), which is precisely the procedure described in \(\textsc {hyb}_1\).

• Hybrids \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are computationally indistinguishable if the encryption scheme \((\mathsf {KeyGen}, \mathsf {Encrypt}, \mathsf {Decrypt})\) is CPA-secure. First, the only difference in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) is that in \(\textsc {hyb}_2\), the entry \((\textsf {sid}, \mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma _\mathsf {sk})\) in \(\mathcal {F}_{\textsc {bhs}}\) is replaced with the entry \((\textsf {sid}, \mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}'), \sigma _\mathsf {sk})\). We consider two cases, depending on whether the verifier is honest or corrupt. The verifier is honest: If the verifier is honest, then these two experiments are identically distributed. Specifically, the only queries the honest verifier makes to \(\mathcal {F}_{\textsc {bhs}}\) are on (computed) signatures \(\sigma ^*\) that are registered with \(\mathcal {F}_{\textsc {bhs}}\). The verifier is corrupt: In this case, the adversary \(\mathcal {A}\) can make arbitrary queries (on behalf of the verifier) to the \(\mathcal {F}_{\textsc {bhs}}\) functionality. In addition, since the verifier is the signer (with respect to the \(\mathcal {F}_{\textsc {bhs}}\) functionality), during signature verification, only the correctness and consistency conditions are checked (and in particular, not the unforgeability condition). This means that the view of adversary \(\mathcal {A}\) is identically distributed in \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) unless \(\mathcal {A}\) makes an evaluation or a verification query to \(\mathcal {F}_{\textsc {bhs}}\) on a message of the form \((f_{\mathsf {id}}, \mathsf {sk})\) or \((f_{\mathsf {id}}, \mathsf {sk}')\). We first show that in \(\textsc {hyb}_2\), the probability that \(\mathcal {A}\) makes a verification query to \(\mathcal {F}_{\textsc {bhs}}\) on a message of the form \((f_{\mathsf {id}}, \mathsf {sk}')\) is negligible. By construction, in \(\textsc {hyb}_2\), the adversary’s view is completely independent of \(\mathsf {sk}'\), so we can effectively defer the sampling of \(\mathsf {sk}'\) until after the adversary has made all of its verification queries. Since the adversary makes \(\mathsf {poly}(\lambda )\) verification queries, and \(\mathsf {sk}'\) is drawn from a distribution with min entropy at least \(\omega (\log \lambda )\),²⁶ the probability (taken over the randomness of the key generation algorithm) that \(\mathsf {sk}'\) coincides with a message in the adversary’s query is negligible. We now show that if there exists an adversary \(\mathcal {A}\) and an environment \(\mathcal {Z}\) such that the outputs of \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are not computationally indistinguishable, then we can construct an adversary \(\mathcal {B}\) that breaks CPA security of \(\Pi _{\mathsf {SE}}\). Based on the above analysis, to achieve non-negligible distinguishing advantage, algorithm \(\mathcal {A}\) has to issue a verification query on the message \((f_{\mathsf {id}}, \mathsf {sk})\) to the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) with non-negligible probability. Algorithm \(\mathcal {B}\) simulates an instance of the protocol execution environment according to \(\textsc {hyb}_2\) as follows:

  1. –

     Then, \(\mathcal {B}\) starts the protocol execution experiment by activating the environment \(\mathcal {Z}\). Algorithm \(\mathcal {B}\) now simulates the protocol execution experiment as described in \(\textsc {hyb}_2\).

  2. –

     To simulate the honest prover during the preprocessing phase, \(\mathcal {B}\) leaves the secret key \(\mathsf {sk}\) unspecified (since it is not needed in the simulation). It samples \(\mathsf {sk}' \leftarrow \mathsf {KeyGen}(1^\lambda )\) for the honest prover and simulates the rest of the preprocessing as described in \(\textsc {hyb}_2\).

  3. –

     Whenever the environment activates the prover to construct a proof on a statement–witness pair (x, w) for a relation \(\mathcal {R}\), algorithm \(\mathcal {B}\) simulates the honest prover in \(\textsc {hyb}_2\) by first checking that \(\mathcal {R}(x, w) = 1\). If so, then \(\mathcal {B}\) submits an encryption query on the pair (w, w) to the encryption oracle to obtain a ciphertext \(\mathsf {ct}\). Algorithm \(\mathcal {B}\) simulates the rest of the protocol exactly as described in \(\textsc {hyb}_2\).

  4. –

     Algorithm \(\mathcal {B}\) simulates the \(\mathcal {F}_{\textsc {bhs}}\) functionality according to the specification of \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\). (The behavior of \(\mathcal {F}_{\textsc {bhs}}\) is identical in the two hybrids, and does not depend on \(\mathsf {sk}\).)

  5. –

     At the end of the protocol execution experiment, algorithm \(\mathcal {B}\) chooses a random bit string \(\xi \mathop \leftarrow \limits ^{\mathrm{R}}\{0,1\}^\lambda \). It makes \(\xi \) chosen message queries to the encryption oracle on pairs \((\xi _1, 0), \ldots , (\xi _\lambda , 1)\) to obtain ciphertexts \(\mathsf {ct}_1, \ldots , \mathsf {ct}_\lambda \). Then, for each verification query made by adversary \(\mathcal {A}\) to \(\mathcal {F}_{\textsc {bhs}}\) on a message of the form \((f_{\mathsf {id}}, {{\widehat{\mathsf {sk}}}})\) for some \({\widehat{\mathsf {sk}}}\), algorithm \(\mathcal {B}\) checks to see whether for all \(i \in [\lambda ]\), \(\mathsf {Decrypt}({\widehat{\mathsf {sk}}}, \mathsf {ct}_i) = \xi _i\). If this holds for all \(i \in [\lambda ]\), then \(\mathcal {B}\) outputs 1. Otherwise, it outputs 0.

  By definition, we see that \(\mathcal {B}\) perfectly simulates the protocol execution according to the specification in \(\textsc {hyb}_2\). By assumption, with non-negligible probability \(\varepsilon \), algorithm \(\mathcal {A}\) will issue a query to \(\mathcal {F}_{\textsc {bhs}}\) on the message \((f_{\mathsf {id}}, \mathsf {sk})\). This means that with probability \(\varepsilon \), there is some \({\widehat{\mathsf {sk}}}\) where \({\widehat{\mathsf {sk}}} = \mathsf {sk}\).

  1. –

     Suppose \(\mathcal {B}\) is interacting with the encryption oracle \(\mathcal {O}_0\) in the CPA security game. In this case, if there is a message of the form \((f_{\mathsf {id}}, {\widehat{\mathsf {sk}}})\) where \({\widehat{\mathsf {sk}}} = \mathsf {sk}\), then \(\mathcal {B}\) outputs 1 by correctness of the encryption scheme. In this case, \(\mathcal {B}\) outputs 1 with probability at least \(\varepsilon \).

  2. –

     Suppose instead that \(\mathcal {B}\) is interacting with the encryption oracle \(\mathcal {O}_1\). In this case, the ciphertexts \(\mathsf {ct}_1, \ldots , \mathsf {ct}_\lambda \) and keys \({\widehat{\mathsf {sk}}}\) are all independent of \(\xi _i\). Thus, union bounding over all of the messages of the form \((f_{\mathsf {id}}, {\widehat{\mathsf {sk}}})\) appearing in the verification queries to \(\mathcal {F}_{\textsc {bhs}}\), the probability that \(\mathcal {B}\) outputs 1 (taken over the choice of \(\xi _i\)’s) is at most \(\mathsf {poly}(\lambda ) / 2^\lambda = \mathsf {negl}(\lambda )\).

  We conclude that \(\mathcal {B}\) is able to break CPA security with non-negligible probability \(\varepsilon - \mathsf {negl}(\lambda )\). Thus, if the encryption scheme is CPA-secure, the outputs of hybrids \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\) are computationally indistinguishable.

• Hybrids \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) are computationally indistinguishable if \(\Pi _{\mathsf {SE}}\) is CPA-secure. Observe that none of the logics in \(\textsc {hyb}_2\) and \(\textsc {hyb}_3\) depend on the secret key \(\mathsf {sk}\), and all of the messages can be simulated given access to an encryption oracle \(\mathsf {Encrypt}(\mathsf {sk}, \cdot )\). By CPA security of \(\Pi _{\mathsf {SE}}\), we conclude that the outputs of these two hybrid experiments are computationally indistinguishable.

• Hybrids \(\textsc {hyb}_3\) and \(\textsc {hyb}_4\) are computationally indistinguishable if \(\Pi _{\mathsf {SE}}\) is CPA-secure. The argument follows by the same logic as that used to argue computational indistinguishability of \(\textsc {hyb}_1\) and \(\textsc {hyb}_2\).

• Hybrids \(\textsc {hyb}_4\) and \(\textsc {hyb}_5\) are identically distributed. By construction, the honest prover’s behavior in \(\textsc {hyb}_4\) precisely coincides with the behavior of the simulated prover in \(\textsc {hyb}_5\). Thus, the outputs of \(\mathcal {A}\) in \(\textsc {hyb}_4\) are distributed exactly as the outputs of \(\mathcal {S}\) in \(\textsc {hyb}_5\). Moreover, if the verifier is honest, then the outputs of the honest verifier in \(\textsc {hyb}_4\) are distributed identically to the outputs in \(\textsc {hyb}_5\); this follows by appealing to the correctness property of the ideal \(\mathcal {F}_{\textsc {bhs}}\) functionality. We conclude that the output distribution of \(\textsc {hyb}_4\) is identical to that of the ideal execution.

Since each pair of hybrid arguments is computationally indistinguishable, the lemma follows. \(\square \)

Lemma B.47

If the prover is corrupt, then in the \(\mathcal {F}_{\textsc {bhs}}\)-hybrid model, we have that \(\textsc {real}_{\Pi _{\mathsf {ZK}}, \mathcal {A}, \mathcal {Z}} \equiv \textsc {ideal}_{\mathcal {F}_{\mathsf {ZK}}, \mathcal {S}, \mathcal {Z}}\).

Proof

In the case where the prover is corrupt, we show that the output of the real and ideal protocol executions are identically distributed. We consider two cases.

The verifier is corrupt: If the verifier is also corrupt, then the simulator \(\mathcal {S}\) is only responsible for simulating the \(\mathcal {F}_{\textsc {bhs}}\) functionality. Since \(\mathcal {S}\) simulates the ideal BHS functionality exactly as described in Fig. 6, the output of \(\mathcal {S}\) is identically distributed as the output of \(\mathcal {A}\) in the real execution, and the claim follows.

The verifier is honest: If the verifier is honest, we show that \(\mathcal {S}\) perfectly simulates the behavior of the honest verifier in the simulated protocol execution. By construction, \(\mathcal {S}\) perfectly simulates the behavior of the honest verifier in the preprocessing phase. Next, in the real execution, the honest verifier only responds when it receives a tuple of the form \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x, \pi )\) from the prover. We show that the simulation is correct:

• Suppose in the real scheme, the verifier has not set the \(\mathsf {ready}\) flag. This corresponds to the setting where the prover has never made a signing request to \(\mathcal {F}_{\textsc {bhs}}\). In this case, the verifier ignores the request. In the simulated protocol execution, if the prover never makes a signing request to \(\mathcal {F}_{\textsc {bhs}}\), then \({\widetilde{\mathsf {sk}}}= \bot \), and the verifier also ignores the request.

• Suppose in the real scheme, the proof \(\pi \) does not have the form \((\mathsf {ct}, \sigma )\). In this case, the verifier also ignores the request. This is precisely how \(\mathcal {S}\) simulates the honest verifier’s behavior in the simulated protocol execution.

• Otherwise, in the real scheme, the honest verifier parses the proof as \(\pi = (\mathsf {ct}, \sigma )\) and submits \((\textsf {sid}, \mathsf {verify}, \mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), \sigma )\) to \(\mathcal {F}_{\textsc {bhs}}\). We consider several cases: Case 1: Suppose that \((\mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), \sigma , 1) \in \mathcal {L}\), where \(\mathcal {L}\) is the list of signatures maintained by \(\mathcal {F}_{\textsc {bhs}}\). In this case, \(\mathcal {F}_{\textsc {bhs}}\) declares the signature valid, and the honest verifier in the real scheme accepts the proof by outputting \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x)\). According to the specification of \(\mathcal {F}_{\textsc {bhs}}\), there are two possible ways for \((\mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), \sigma , 1)\) to be added to \(\mathcal {L}\):

  1. –

     The prover made a successful evaluation query with function \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}\) on some input \(\mathsf {sk}\) where \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}(\mathsf {sk}) = 1\), and moreover, there is an entry \((\mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma ', 1) \in \mathcal {L}\) for some \(\sigma '\).

  2. –

     The prover previously made a verification query on \((\mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), \sigma , 1)\) and the adversary decided the verification result. According to the \(\mathcal {F}_{\textsc {bhs}}\) specification, the adversary chooses the verification output only if there exists \((\mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma ', 1) \in \mathcal {L}\) for some \(\sigma '\) where \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}(\mathsf {sk}) = 1\).

  We conclude that in this case, there exist \(\mathsf {sk}\) and \(\sigma '\) where \((\mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma ', 1) \in \mathcal {L}\) and \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}(\mathsf {sk}) = 1\). Since the verifier is honest, by the specification of \(\mathcal {F}_{\textsc {bhs}}\), this is possible only if the prover has previously made a successful signing request on \(\mathsf {sk}\). This means that in the simulated protocol execution, the prover must have submitted a signing request to \(\mathcal {F}_{\textsc {bhs}}\) on message \(\mathsf {sk}\). By construction of the simulator, \({\widetilde{\mathsf {sk}}}= \mathsf {sk}\). Now, in the simulation, \(\mathcal {S}\) computes \(\mathsf {Decrypt}({\widetilde{\mathsf {sk}}}, \mathsf {ct})\) to obtain w. Since \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}(\mathsf {sk}) = 1\), this means that \(\mathcal {R}(x, w) = 1\). In the ideal execution, the simulator sends \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x, w)\) to \(\Pi _{\mathsf {ZK}}\), which by definition forwards the output \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x)\) to the dummy verifier. Thus, in this case, the honest verifier’s behavior in both the real and ideal executions is identical. Case 2: Suppose that \((\mathsf {vk}, (\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}, 1), \sigma , 1) \notin \mathcal {L}\). We consider two possibilities.

  1. –

     If there does not exist an entry \((\mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma ', 1)\) where \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}(\mathsf {sk}) = 1\) in the list \(\mathcal {L}\) for some \(\mathsf {sk}\) and \(\sigma '\), then by the unforgeability condition, the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) declares the signature invalid, and the honest verifier in the real scheme ignores the message. Since \(\mathcal {S}\) simulates the ideal functionality \(\mathcal {F}_{\textsc {bhs}}\) perfectly, the simulator \(\mathcal {S}\) also ignores the message in the simulated execution.

  2. –

     On the other hand, if \(\mathcal {L}\) does contain an entry \((\mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma ', 1)\) for some \(\mathsf {sk}\) and \(\sigma '\) where \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}(\mathsf {sk}) = 1\), then \(\mathcal {F}_{\textsc {bhs}}\) allows the adversary to decide whether the signature is valid or not. If the adversary declares the signature invalid, then in both the real and the simulated executions, the verifier ignores the message. If the adversary declares the signature valid, then in the real execution, the verifier accepts the proof and outputs \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x)\). In the simulated execution, because there does exist \((\mathsf {vk}, (f_{\mathsf {id}}, \mathsf {sk}), \sigma ', 1) \in \mathcal {L}\) where \(\mathsf {CheckWitness}_{\mathcal {R}, \mathsf {ct}, x}(\mathsf {sk}) = 1\), we can apply the same analysis from Case 1 to argue that in the ideal execution, the simulated verifier also accepts the proof and outputs \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x)\). Moreover, in this case, \(\mathcal {S}\) also forwards \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x, w)\) where \(w \leftarrow \mathsf {Decrypt}({\widetilde{\mathsf {sk}}}, \mathsf {ct})\) and \(\mathcal {R}(x, w) = 1\) to \(\Pi _{\mathsf {ZK}}\). This means that the honest verifier in the ideal execution also outputs \((\textsf {sid}, \textsf {ssid}, \mathsf {proof}, \mathcal {R}, x)\).

From the above analysis, we see that in all cases, the behavior of the honest verifier in both the real execution and the ideal execution is identical. Moreover, algorithm \(\mathcal {S}\) perfectly simulates the view of \(\mathcal {A}\) in the simulated protocol execution. The lemma follows. \(\square \)

Combining Lemmas B.46 and B.47, we conclude that the \(\Pi _{\mathsf {ZK}}\) protocol securely realizes \(\mathcal {F}_{\mathsf {ZK}}\) in the presence of malicious adversaries in the \(\mathcal {F}_{\textsc {bhs}}\)-hybrid model. \(\square \)