A certificateless linearly homomorphic signature scheme for network coding and its application in the IoT

Abstract

Network coding is an effective method to optimize network throughput and improve routing reliability, and has been widely used in a decentralized Internet of Things system. However, the packet-mixing property of network coding renders transmission susceptible to pollution attacks, which may prevent the reconstruction of the original file. A homomorphic signature scheme is a powerful tool that enables network coding to combat pollution attacks. Although a series of homomorphic signature schemes already exists, no construction has been proposed to support both homomorphic network coding signatures and the certificateless characteristic. In this paper, we construct a certificateless linearly homomorphic signature scheme for network coding, thus avoiding the disadvantages of certificate management and key escrow problems. We then prove the security of the scheme in a random oracle model against an adaptively chosen dataset attack under two types of adversaries. Moreover, performance analysis results show that our scheme has a lower communication overhead and enjoys a comparable computation cost with related schemes.

Appendix: Proof of Lemma 2

Proof

Assume that \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) represents a malicious key generation center against the unforgeability of our CL-LHS scheme. We construct a simulator \(\mathcal C \) that uses \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as a subroutine to solve the CDH problem. According to the definition of Game 2, adversary \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) eventually outputs either a Type 1 forgery or a Type 2 forgery. \( \mathcal {C} \) guesses the type of forgery to be output by \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) based on the result of flipping a coin randomly. Clearly, \( \mathcal {C} \) guesses correctly with a probability of \( \frac {1}{2} \).

Case 1 (Type 1 forgery:):

In this case, \( \mathcal {C} \) has guessed that \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) will output a Type 1 forgery. Given a random instance \( (\mathbb {G}_{1}, \mathbb {G}_{2}, e, p, g, g^{a}, g^{b}) \) of the CDH problem, \( \mathcal {C} \) interacts with \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as follows:

• Setup: \( \mathcal {C} \) runs the setup, randomly chooses \( s\in { \mathbb {F}^{*}_{p}} \) as the master key, and then initializes \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) with the master key s and params= \( (\mathbb {G}_{1}, \mathbb {G}_{2}, e, p, g, P_{pub}=g^{s}) \).

• Queries: \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) can issue queries to the following oracles, and \( \mathcal {C} \) responds to \(\mathcal {A}_{\mathcal {I}\mathcal {I}} \) as follows:

  • H Queries: \( \mathcal {C} \) maintains a list referred to as L_H. Suppose that \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) makes at most q_H queries. \( \mathcal {C} \) randomly chooses k ∈{1, 2, ⋯ , q_H} and guesses that the k-th identity ID_k submitted by \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) is the challenge identity. When \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) makes an H query on identity ID, \( \mathcal {C} \) picks a random number \( w_{ID}\in { \mathbb {F}^{*}_{p}} \), outputs \( Q(ID)=H(ID)=g^{w_{ID}} \), and adds < ID, H(ID), w_ID > to L_H.

  • Public Key Queries: \( \mathcal {C} \) maintains a list L_PK that is initially empty. When an identity ID is submitted for this query, \( \mathcal {C} \) responds as follows:

  1. (1)

     If ID = ID_k, \( \mathcal {C} \) outputs the public key PK_ID = g^a and adds < ID_k, g^a,⊥> to L_PK.

  2. (2)

     Otherwise, \( \mathcal {C} \) randomly chooses \( x_{ID}\in {\mathbb {F}^{*}_{p}} \) as the secret value. Then, \( \mathcal {C} \) returns the public key \( PK_{ID}= g^{x_{ID}} \) to \( \mathcal {A}_{\mathcal {I}} \) and saves < ID, PK_ID, x_ID > in L_PK.

  • Private Key Extraction: \( \mathcal {C} \) maintains a list L_SK that is initially empty. Given an identity ID, \(\mathcal {C} \) performs the following actions:

  1. (1)

     If ID ≠ ID_k, it recovers the tuple < ID, H(ID), w_ID > from L_H and < ID, PK_ID, x_ID > from L_PK. Then, \( \mathcal {C} \) returns the secret key \( SK_{ID}=((g^{w_{ID}})^{s}, x_{ID}) \) to \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) and adds < ID, SK_ID > to L_SK.

  2. (2)

     Otherwise, \( \mathcal {C} \) aborts.

  • H₁ Queries: Suppose (ID, P_pub, τ, U, i) is submitted to oracle H₁(⋅). \( \mathcal {C} \) first scans < (ID, P_pub, τ, U, i), T_i, t_i > from the list \( L_{H_{1}} \) to check whether T_i has already been defined. If so, \( \mathcal {C} \) returns it. Otherwise, \( \mathcal {C} \) randomly chooses a number \( t_{i}\in { \mathbb {F}^{*}_{p}} \), returns \( T_{i}=g^{t_{i}} \) to \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as the hash value of H₁(ID, P_pub, τ, U, i), and stores the value in the list \( L_{H_{1}} \).

  • H₂ Queries: Suppose (ID, PK_ID, τ, i) is submitted to oracle H₂(⋅). \( \mathcal {C} \) first scans \( <(ID, PK_{ID}, \tau , i), T^{\prime }_{i}, t^{\prime }_{i}> \) from the list \( L_{H_{2}} \) to check whether \( T^{\prime }_{i} \) has already been defined. If so, \( \mathcal {C} \) returns it. Otherwise, \( \mathcal {C} \) chooses a random number \( t^{\prime }_{i}\in {\mathbb {F}^{*}_{p}} \), returns \( T^{\prime }_{i}=g^{t^{\prime }_{i}} \) to \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as the hash value of H₂(ID, PK_ID, τ, i), and stores the value in the list \( L_{H_{2}} \).

  • H₃ Queries: \( \mathcal {C} \) maintains a list \(L_{H_{3}} \) containing tuples < (ID, PK_ID), T, t >. Upon receiving \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \)’s query on (ID, PK_ID), if it already exists in \(L_{H_{3}} \), \( \mathcal {C} \) returns T. Otherwise, \( \mathcal {C} \) chooses a random number \( t\in { \mathbb {F}^{*}_{p}} \), returns T = (g^b)^t to \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as the hash value of H₃(ID, PK_ID), and saves the value in the list \( L_{H_{3}} \).

  • Signing Queries: Given an identity ID and a vector space \( V\subset \mathbb {F}^{N}_{p} \) described by augmented basis vectors \( \boldsymbol {v}_{1}, \cdots , \boldsymbol {v}_{m} \in \mathbb {F}^{N}_{p}\), where \( \boldsymbol {v}_{i}=(v_{i1}, \cdots ,v_{in}, \underbrace { 0,\cdots , 1}_{i} , \cdots , 0) \), if ID is the challenge identity (e.g., ID = ID_k), \( \mathcal {C} \) preforms the following steps:

  1. (1)

     Randomly choose an identifier \( \tau \leftarrow \{0, 1\}^{k} \) and numbers \( r, u_{i}\in {\mathbb {F}^{*}_{p}} (i\in [N])\), and set \( U={PK_{ID}}^{r} \).

  2. (2)

     Define the hash values of H₁(ID, P_pub, τ, U, i) as \(T_{i}=(\frac {g^{u_{i}}}{T} )^{r^{-1}} \in {\mathbb {G}_{1}}\), where T = H₃(ID, PK_ID) = (g^b)^t. Abort if H₁(ID, P_pub, τ, U, i) has already been queried for some i ∈ [N].

  3. (3)

     Recover \( T^{\prime }_{i} (i\in [N]) \) and Q_ID from \( L_{H_{2}} \) and L_H, respectively. If there are no such items, \( \mathcal {C} \) makes queries on oracles H₂(⋅) and H(⋅).

  4. (4)

     Finally, compute

     $$ W_{i} =(Q_{ID})^{s\underset{j\in{[N]}}{\sum}v_{ij}}\cdot(PK_{ID})^{\underset{j\in{[N]}}{\sum}u_{j}v_{ij} + \underset{j\in{[N]}}{\sum}t^{\prime}_{j}v_{ij}} $$

  Now, σ_i = (U, W_i)(i ∈ [m]) are returned to \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \). Each σ_i is a valid signature, since

  $$ \begin{array}{@{}rcl@{}} &&\underline{e(Q_{ID}, P_{pub})^{\sum\limits_{j\in{[N]}}v_{ij}}}_{1}\cdot \underline{e\left( \prod\limits_{j\in{[N]}}T_{j}^{v_{ij}}, U\right)}_{2}\cdot e\left( \prod\limits_{j\in{[N]}}{T_{j}^{\prime}}^{v_{ij}} \cdot T^{\sum\limits_{j\in{[N]}}v_{ij}}, PK_{ID}\right) \end{array} $$

  (6)
  $$ \begin{array}{@{}rcl@{}} &=&\underline{e(Q_{ID}, P_{pub})^{\sum\limits_{j\in{[N]}}v_{ij}}}_{1}\cdot \underline{e\left( \prod\limits_{j\in{[N]}}(\frac{g^{u_{j}}}{Q_{ID}} )^{r^{-1}{v_{ij}}}, P^{r}_{pub}\right)}_{2'}\cdot e\left( g^{\sum\limits_{j\in{[N]}}t^{\prime}_{j}v_{ij} + t\sum\limits_{j\in{[N]}}v_{ij}}, PK_{ID}\right)\\ &=&\underline{e(Q_{ID}, P_{pub})^{\sum\limits_{j\in{[N]}}v_{ij}}}_{1}\cdot \underline{e(Q_{ID}, P_{pub})^{-\!\sum\limits_{j\in{[N]}}v_{ij}}}_{2'_{(1)}}\cdot \underline{e\left( g^{\sum\limits_{j\in{[N]}}u_{j}v_{ij}}, P_{pub}\right)}_{2'_{(2)}} \end{array} $$

  (7)
  $$ \begin{array}{@{}rcl@{}} &&\cdot e\left( g^{\sum\limits_{j\in{[N]}}t^{\prime}_{j}v_{ij} + \sum\limits_{j\in{[N]}}tv_{ij}}, PK_{ID}\right) \end{array} $$

  (8)
  $$ \begin{array}{@{}rcl@{}} &=& e\left( (P_{pub})^{\sum\limits_{j\in{[N]}}u_{j}v_{ij}}\cdot (PK_{ID})^{\sum\limits_{j\in{[N]}}t^{\prime}_{j}v_{ij} + \sum\limits_{j\in{[N]}}tv_{ij}}, g\right) \end{array} $$

  (9)
  $$ \begin{array}{@{}rcl@{}} &=& e (W_{i}, g) \end{array} $$

  (10)

  The derivation process of the core part of the above series of equations is shown as follows.⁶

  Otherwise,⁷\( \mathcal {C} \) randomly chooses an identifier \( \tau \leftarrow \{0, 1\}^{k} \) and a number \( r\in {\mathbb {F}^{*}_{p}}\), sets U = g^r, and computes

  $$ W_{i} =(Q_{ID})^{s\underset{j\in{[N]}}{\sum}v_{ij}}\cdot U^{\underset{j\in{[N]}}{\sum}t_{j}v_{ij}}\cdot (PK_{ID})^{\underset{j\in{[N]}}{\sum}t^{\prime}_{j}v_{ij}}\cdot(g^{b})^{tx_{ID}\underset{j\in{[N]}}{\sum}tv_{ij}} $$

  The verification of the validity of the above signature is straightforward and is omitted here.

• Output: Eventually, \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) outputs a tuple \( (ID^{*}, PK_{ID^{*}} \), y, τ^∗, σ^∗), where \( \boldsymbol {v}=(v^{*}_{1}, \cdots , v^{*}_{N} ) \), σ^∗ = (U^∗, W^∗). If ID^∗ ≠ ID_k, then \( \mathcal {C} \) aborts. Otherwise, for each i ∈ [N], it retrieves the items \( T^{*}_{i} \) from \( L_{H_{1}} \), the items \( T^{\prime *}_{i} \) from \( L_{H_{2}} \), and the item T^∗ from \( L_{H_{3}} \). Note that \( T^{*}_{i} =g^{t^{*}_{i}}, T^{\prime *}_{i} =g^{t^{\prime *}_{i}}, T^{*} =(g^{b})^{t^{*}}\). If \( \mathcal {A}_{\mathcal {I}} \) successfully outputs Type 1 forgery signatures, the file identifier τ^∗ ≠ τ_i for all τ_i appears in signing queries, and the following equation holds:

  $$ \begin{array}{@{}rcl@{}} e \left( W^{*},g\right)&=&e(Q_{ID^{*}}, P_{pub})^{\underset{i\in{[N]}}{\sum}v^{*}_{i}}\cdot e(\underset{i\in{[N]}}{\prod}(T^{*}_{i})^{v^{*}_{i}}, U^{*})\cdot e(\underset{i\in{[N]}}{\prod}{(T^{\prime*}_{i}})^{v^{*}_{i}} \cdot T^{\underset{i\in{[N]}}{\sum}v^{*}_{i}}, PK_{ID^{*}})\\ &=&e((Q_{ID^{*}})^{s\underset{i\in{[N]}}{\sum}v^{*}_{i}}\cdot (U^{*})^{\underset{i\in{[N]}}{\sum}t^{*}_{i}v^{*}_{i}}\cdot(PK_{ID^{*}})^{\underset{i\in{[N]}}{\sum}t^{\prime*}_{i}v^{*}_{i}}\cdot(g^{ab})^{t^{*}\underset{i\in{[N]}}{\sum}v^{*}_{i}} , g) \end{array} $$

  Therefore, by the nondegenerate property, we have the solution of the CDH problem as follows:

  $$ \left( \frac{W^{*}}{(Q_{ID^{*}})^{s\underset{i\in{[N]}}{\sum}v^{*}_{i}} \cdot (U^{*})^{\underset{i\in{[N]}}{\sum}t^{*}_{i}v^{*}_{i}}\cdot (PK_{ID^{*}})^{\underset{i\in{[N]}}{\sum}t^{\prime*}_{i}v^{*}_{i}} }\right)^{\frac{1}{t^{*}\underset{i\in{[N]}}{\sum}v^{*}_{i}}}. $$

Now, we evaluate \( \mathcal {C} \)’s probability of success.

We first analyze the probability of aborting in performing a signing query. The probability of the event that \( \mathcal {C} \) responds to two distinct signature queries by choosing the same identifier τ is at most \( \frac {{q_{s}^{2}}}{2^{k}}\), while the probability of the event that \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) has already requested the value of H₁(ID, P_pub, τ, U, i) for some i is at most \( \frac {q_{H_{1}}\cdot q_{s}}{2^{k}}\).

It is not hard to see that the probability of not aborting in key extraction queries is \( (1-\frac {1}{q_{H}})^{q_{sk}} \), and the probability of not aborting in the output stage is \( \frac {1}{q_{H}} \), where q_s, q_H, q_sk are the number of signing queries, H is the number of hash queries and private key extraction is performed by \(\mathcal {A}_{\mathcal {I}\mathcal {I}} \).

Thus, if \(\mathcal {A}_{\mathcal {I}\mathcal {I}} \) has an advantage \(Adv_{\mathcal {A}_{\mathcal {I}\mathcal {I}}}^{CL-LHS}(k)\) in forging a signature in Game 2, then \( \mathcal {C} \) can solve the CDH problem with probability

$$ \begin{array}{@{}rcl@{}} \left( \frac{1}{2}Adv_{\mathcal{A}_{\mathcal{I}\mathcal{I}}}^{CL-LHS}(k)-\frac{{q_{s}^{2}}+q_{H_{1}}\cdot q_{s}}{2^{k}}\right)\cdot\left( 1-\frac{1}{q_{H}}\right)^{q_{sk}}\cdot \frac{1}{q_{H}} \end{array} $$

Case 2 (Type 2 forgery:):

In this case, \( \mathcal {C} \) has guessed that \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) will output a Type 2 forgery. Given a CDH instance \( (\mathbb {G}_{1}, \mathbb {G}_{2}, e, p, g, g^{a}, g^{b}) \), the goal of \( \mathcal {C} \) is to compute the value of g^ab by using \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as a subroutine. \( \mathcal {C} \) interacts with \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as follows:

• Setup: \( \mathcal {C} \) chooses a random number \( s\in { \mathbb {F}^{*}_{p}} \) as the master key and sets P_pub = g^s and params= \( (\mathbb {G}_{1}, \mathbb {G}_{2},{e}, p, g, P_{pub}=g^{s}) \). It invokes \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) on the input params and master key s.

• Queries: \( \mathcal {C} \) simulates the oracle queries of \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) as follows:

  • H Queries: \( \mathcal {C} \) maintains a list L_H that is initially empty. Suppose that \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) makes at most q_H queries. \( \mathcal {C} \) randomly chooses k ∈{1, 2, ⋯ , q_H} and guesses that the k-th identity ID_k submitted by \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) is the challenge identity. When \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) makes an H query on identity ID, \( \mathcal {C} \) picks a random number \( w_{ID}\in { \mathbb {F}^{*}_{p}} \), outputs \( Q(ID)=H(ID)=g^{w_{ID}} \), and adds < ID, H(ID), w_ID > to L_H.

  • Public Key Queries: \( \mathcal {C} \) maintains a list referred to as L_PK. Given an identity ID, \( \mathcal {C} \) responds as follows:

  1. (1)

     If ID = ID_k, \( \mathcal {C} \) outputs the public key PK_ID = g^a and adds < ID_k, g^a,⊥> to L_PK.

  2. (2)

     Otherwise, \( \mathcal {C} \) randomly chooses \( x_{ID}\in { \mathbb {F}^{*}_{p}} \) as the secret value. Then, \( \mathcal {C} \) returns the public key \( PK_{ID}= g^{x_{ID}} \) to \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) and saves < ID, PK_ID, x_ID > in L_PK.

  • Private Key Extraction: \( \mathcal {C} \) maintains a list L_SK containing tuples < ID, SK_ID >. Given an identity ID, \( \mathcal {C} \) performs the following actions:

  1. (1)

     If ID ≠ ID_k, it recovers the tuple < ID, H(ID), w_ID > from L_H and < ID, PK_ID, x_ID > from L_PK. Then, \( \mathcal {C} \) returns the secret key \( SK_{ID}=((g^{w_{ID}})^{s}, x_{ID}) \) to \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) and adds < ID, SK_ID > to L_SK.

  2. (2)

     Otherwise, \( \mathcal {C} \) aborts.

  • H₁ Queries: Suppose (ID, P_pub, τ, U, i) is submitted to oracle H₁(⋅). \( \mathcal {C} \) first scans for < (ID, P_pub, τ, U, i), T_i, t_i > in the list \( L_{H_{1}} \) to check whether T_i has already been defined. If so, \( \mathcal {C} \) returns it. Otherwise, \( \mathcal {C} \) chooses a random number \( t_{i}\in {\mathbb {F}^{*}_{p}} \), returns \( T_{i}=g^{t_{i}} \) to \( \mathcal {A}_{\mathcal {I}} \) as the hash value of H₁(ID, P_pub, τ, U, i), and stores the value in the list \( L_{H_{1}} \).

  • H₂ Queries: Suppose (ID, PK_ID, τ, i) is submitted to oracle H₂(⋅). \( \mathcal {C} \) first scans for \( <(ID, PK_{ID}, \tau , i), T^{\prime }_{i}, t^{\prime }_{i}> \) in the list \( L_{H_{2}} \) to check whether \( T^{\prime }_{i} \) has already been defined. If so, \( \mathcal {C} \) returns it. Otherwise, \( \mathcal {C} \) selects \( t^{\prime }_{i}\in {\mathbb {F}^{*}_{p}} \) at random, returns \( T^{\prime }_{i}=g^{t^{\prime }_{i}} \) to \( \mathcal {A}_{\mathcal {I}} \) as the hash value of H₂(ID, PK_ID, τ, i), and stores the value in the list \( L_{H_{2}} \).

  • H₃ Queries: \( \mathcal {C} \) maintains a list \( L_{H_{3}} \) containing tuples < (ID, PK_ID), T, t >. Taking (ID, PK_ID) as input, if it already exists in \(L_{H_{3}} \), \( \mathcal {C} \) returns T. Otherwise, \( \mathcal {C} \) randomly chooses \( t\in { \mathbb {F}^{*}_{p}} \), returns H₃(ID, PK_ID) = g^t to \( \mathcal {A}_{\mathcal {I}} \), and saves < (ID, PK_ID), T, t > in \( L_{H_{3}} \).

  • Signing Queries: Given an identity ID and a vector space \( V\subset \mathbb {F}^{N}_{p} \) described by augmented basis vectors \(\boldsymbol { v}_{1}, \cdots , \boldsymbol {v}_{m} \in \mathbb {F}^{N}_{p}\), where \( \boldsymbol {\boldsymbol {v}}_{i}=(v_{i1}, \cdots , v_{in}, \underbrace { 0,\cdots , 1}_{i} , \cdots , 0) \), \( \mathcal {C} \) preforms the following steps:

  1. (1)

     Randomly choose an identifier \( \tau \leftarrow \{0, 1\}^{k} \) and numbers \( r, \alpha _{1}, \cdots , \alpha _{n}\in {\mathbb {F}^{*}_{p}}\), and set U = g^r.

  2. (2)

     Set n = N − m, and for each i ∈ [n], compute

     $$ \begin{array}{@{}rcl@{}} T^{\prime}_{i}=H_{2} (ID, PK_{ID}, \tau, i)=(g^{b})^{\alpha_{i}} \end{array} $$

     For each i ∈ [m], compute

     $$ \begin{array}{@{}rcl@{}} \beta_{i}&=&-\underset{j\in{[n]}}{\sum}\alpha_{j}v_{ij}\\ T^{\prime}_{n+i}&=&H_{2} (ID, PK_{ID}, \tau, n+i)=(g^{b} )^{\beta{i}} \end{array} $$

     and set α = (α₁, ⋯ , α_n, β₁, ⋯ , β_m). Now observe that we constructed α so that α ∈ V^⊥ (i.e., α ⋅v = 0, for all v ∈ V = Span{v₁, ⋯ , v_m}).⁸\( \mathcal {C} \) aborts if H₂(ID, PK_ID, τ, i) has already been queried for some i ∈ [N].

  3. (3)

     Recover T_i, T and SK_ID from \( L_{H_{1}} \), \( L_{H_{3}} \) and L_SK, respectively. If there are no such items, \( \mathcal {C} \) makes queries on the corresponding oracle.

  4. (4)

     Compute

     $$ \begin{array}{@{}rcl@{}} W_{i} =(Q_{ID})^{s\underset{j\in{[N]}}{\sum}v_{ij}}\cdot U^{\underset{j\in{[N]}}{\sum}t_{j}v_{ij}}\cdot (PK_{ID})^{t\underset{j\in{[N]}}{\sum}v_{ij}} \end{array} $$
  5. (5)

     Return τ and σ = (σ₁, ⋯ , σ_m); here, σ_i = (U, W_i).

  Now, we show that the signatures σ_i are valid signatures, since

  $$ \begin{array}{@{}rcl@{}} W_{i} &=&(D_{ID})^{\underset{j\in{[N]}}{\sum}v_{ij}}\cdot \left( \underset{j\in{[N]}}{\prod}T_{j}^{v_{ij}}\right)^{r}\cdot \left( \underset{j\in{[N]}}{\prod}{T_{j}^{\prime}}^{v_{ij}}\cdot T^{\underset{j\in{[N]}}{\sum}v_{ij}}\right)^{x_{ID}} \\ &=&(Q_{ID})^{s\underset{j\in{[N]}}{\sum}v_{ij}}\cdot \left( g^{\underset{j\in{[N]}}{\sum}t_{j}v_{ij}}\right)^{r}\cdot \left( \underset{j\in{[n]}}{\prod}(g^{b})^{\alpha_{j}v_{ij}}\cdot \underset{j\in{[m]}}{\prod}(g^{b})^{\beta_{j}v_{i,(n+j)}} \right)^{a}\cdot \left( g^{t\underset{j\in{[N]}}{\sum}v_{ij}}\right)^{a}\\ &=&(Q_{ID})^{s\underset{j\in{[N]}}{\sum}v_{ij}}\cdot U^{\underset{j\in{[N]}}{\sum}t_{j}v_{ij}}\cdot (g^{ab})^{\boldsymbol {\alpha}\cdot \boldsymbol{v}_{i}}\cdot (PK_{ID})^{\underset{j\in{[N]}}{\sum}tv_{ij}} \\ &=&(Q_{ID})^{s\underset{j\in{[N]}}{\sum}v_{ij}}\cdot U^{\underset{j\in{[N]}}{\sum}t_{j}v_{ij}}\cdot (PK_{ID})^{\underset{j\in{[N]}}{\sum}tv_{ij}} \end{array} $$

  Since we constructed α such that α ⋅v = 0 for all v ∈ V, the signatures output by \( \mathcal {C} \) in step (5) of signing queries are valid signatures.

• Output: Eventually, \( \mathcal {A}_{\mathcal {I}\mathcal {I}} \) outputs \( ID^{*}, PK_{ID^{*}}\), an identifier τ^∗, a nonzero vector y = (y₁, ⋯ , y_N) and signatures \( \sigma _{i}^{*}=(U^{*}, W^{*}_{i}), i\in {[m]}\). If ID^∗ ≠ ID_k, then \( \mathcal {C} \) aborts.

  If \( \mathcal {A}_{\mathcal {I}} \) successfully outputs Type 2 forgery signatures σ^∗, then τ^∗ has been used to answer a vector subspace V under a signature query, but y∉V; it is known that \( T^{\prime *}_{i}=(g^{b} )^{a_{i}} (i\in {[n]})\) and \( T^{\prime *}_{n+i}=(g^{b} )^{\beta {i}} (i\in {[m]}) \). \( \mathcal {C} \) recovers \( T^{*}_{i} \) from list \( L_{H_{1}} \), T^∗ from list \( L_{H_{3}} \) and \( D_{ID^{*}} \) from list L_SK; then, the following equation holds:

  $$ \begin{array}{@{}rcl@{}} &&e \left( \underset{i\in{[m]}}{\prod}{(W^{*}_{i})}^{y_{n+i}}, g\right)\\ &=&e\left( Q_{ID^{*}}^{\underset{i\in{[N]}}{\sum}y_{i}}, P_{pub}\right)\cdot e\left( \underset{i\in{[N]}}{\prod}{(T^{*}_{i})}^{y_{i}}, U^{*}\right)\cdot e\left( \underset{i\in{[N]}}{\prod}{(T^{\prime*}_{i})}^{y_{i}} \cdot {(T^{*})}^{\underset{i\in{[N]}}{\sum}y_{i}}, PK_{ID^{*}}\right)\\ &=&e\left( (Q_{ID})^{s\underset{i\in{[N]}}{\sum}y_{i}}, g\right)\cdot e\left( (U^{*})^{\underset{i\in{[N]}}{\sum}t^{*}_{i}y_{i}}, g\right)\cdot e\left( (g^{ab})^{(\boldsymbol {\alpha}\cdot \boldsymbol {y})}, g\right)\cdot e\left( (PK_{ID^{*}})^{t^{*}\underset{i\in{[N]}}{\sum}y_{i}}, g\right)\\ \end{array} $$

  If α ⋅y ≠  0, by the nondegenerate property, we obtain the value of g^ab as follows:

  $$ \begin{array}{@{}rcl@{}} \left( \frac{\underset{i\in{[m]}}{\prod}{(W^{*}_{i})}^{y_{n+i}}}{(Q_{ID})^{\underset{i\in{[N]}}{\sum}sy_{i}} \!\cdot(U^{*})^{\underset{i\in{[N]}}{\sum}t^{*}_{i}y_{i}} \!\cdot (PK_{ID^{*}})^{\underset{i\in{[N]}}{\sum}t^{*}y_{i}}}\right)^{\frac{1}{(\boldsymbol{\alpha}\cdot \boldsymbol{y})}} \end{array} $$

Now, we evaluate \( \mathcal {C} \)’s probability of success.

As before, obviously, the probability of \( \mathcal {C} \) aborting in the signing query is at most \( \frac {{q_{s}^{2}}+q_{H_{2}}\cdot q_{s}}{2^{k}} \), the probability of not aborting in the output stage is \( \frac {1}{q_{H}} \) and α ⋅y = 0 with probability \( \frac {1}{p} \), where \( q_{s}, q_{H}, q_{H_{2}} \) are the numbers of signing queries and H and H₂ are the numbers of hash queries made by \(\mathcal {A}_{\mathcal {I}\mathcal {I}} \).

Therefore, if \(\mathcal {A}_{\mathcal {I}\mathcal {I}} \) has an advantage \(Adv_{\mathcal {A}_{\mathcal {I}\mathcal {I}}}^{CL-LHS}(k)\) in forging a signature in Game 2, then \( \mathcal {C} \) can solve the CDH problem with probability

$$ \begin{array}{@{}rcl@{}} \left( \frac{1}{2}Adv_{\mathcal{A}_{\mathcal{I}\mathcal{I}}}^{CL-LHS}(k)-\frac{{q_{s}^{2}}+q_{H_{1}}\cdot q_{s}}{2^{k}}\right)\cdot\left( 1-\frac{1}{p}\right)\cdot\frac{1}{q_{H}} \end{array} $$

□