parent
62f7624397
commit
444641891c
24
abstract.tex

@ 5,14 +5,14 @@




\begin{otherlanguage}{french}


Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée.


Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissances et leurs applications.


Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissance et leurs applications.


Un exemple de ces constructions est la signature de groupe. Ce protocole a pour but de permettre à un utilisateur de s'authentifier comme appartenant à un groupe, sans révéler son identité.


Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litiges.


Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transports en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transports ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident.


Nous avons proposé deux constructions de ces signatures de groupes, prouvées sous des hypothèses simples sur les couplages et les réseaux euclidiens.


Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litige.


Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transport en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transport ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident.


Nous avons proposé deux constructions de ces signatures de groupe, prouvées sûres sous des hypothèses simples dans le monde des couplages et des réseaux euclidiens.


Dans la continuité de ces travaux, nous avons aussi proposé la première construction de chiffrement de groupe (l'équivalent de la signature de groupe pour le chiffrement) à base de réseaux euclidiens.


Finalement, ces travaux nous ont amené à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens.


Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern.


Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern, qui reposait initialement sur la difficulté du problème du décodage de syndrome.


\end{otherlanguage}


\clearpage
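Review bot: the agreement fixes in this hunk are incomplete. `preuves et arguments à divulgation nulles de connaissance` still has `nulles`, but the adjective qualifies `divulgation` (feminine singular), so the standard term is `à divulgation nulle de connaissance`; and `les utilisateurs restent responsable` needs the plural `responsables`. The reworded `prouvées sûres sous des hypothèses simples dans le monde des couplages et des réseaux euclidiens` reads awkwardly; `prouvées sûres sous des hypothèses simples sur les couplages et les réseaux euclidiens` keeps the added `sûres` without the clumsy `dans le monde des`.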





@ 28,13 +28,13 @@


In this thesis, we study provably secure privacypreserving cryptographic constructions.


We focus on zeroknowledge proofs and their applications.


Group signatures are an example of such constructions.


This primitive allows users to sign messages on behalf of a group (which they formerly join), while staying anonymous inside this group.


Additionally, users remains accountable for their behavior as another independent authority, a judge, is empowered with a secret information to lift anonymity of given signatures.


This primitive allows users to sign messages on behalf of a group (which they formerly joined), while remaining anonymous inside this group.


Additionally, users remain accountable for their actions as another independent authority, a judge, is empowered with a secret information to lift the anonymity of any given signature.


This construction has applications in anonymous access control, such as public transportations.


Whenever someone enters a public transport, he signs a timestamp. Doing this proves that he belongs to the group of people with a valid subscription.


Whenever someone enters a public transportation, he signs a timestamp. Doing this proves that he belongs to the group of people with a valid subscription.


In case of problem, the transportation company hands the record of suspicious signatures to the police, which is able to unanonymize them.


We propose two constructions for dynamically growing group signatures. The first is based on pairings assumptions and aims practicality, while the second one is proven secure under lattice assumptions for the sake of not putting all eggs in the same basket.


We propose two constructions of group signatures for dynamically growing groups. The first is based on pairingrelated assumptions and is fairly practical. The second construction is proven secure under lattice assumptions for the sake of not putting all eggs in the same basket.


Following the same spirit, we also propose two constructions for privacypreserving cryptography.


The first one is a group encryption scheme, which is the encryption analogue of group signatures. Here, the goal is to hide the recipient of a message who belongs to a group, while proving some properties on the message, like the absence of malwares.


The second is an adaptive oblivious transfer scheme, which allows a user to anonymously query an encrypted database, while keeping the unrequested messages hidden.


These constructions were made possible through a series of work improving the expressiveness of Sternlike zeroknowledge arguments.


The first one is a group encryption scheme, which is the encryption analogue of group signatures. Here, the goal is to hide the recipient of a ciphertext who belongs to a group, while proving some properties on the message, like the absence of malwares.


The second is an adaptive oblivious transfer protocol, which allows a user to anonymously query an encrypted database, while keeping the unrequested messages hidden.


These constructions were made possible through a series of work improving the expressiveness of Stern's protocol, which was originally based on the syndrome decoding problem.
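Review bot: several small English issues remain in the new lines. `a secret information` should be `secret information` (uncountable), `the absence of malwares` should be `the absence of malware`, `a series of work` should be `a series of works`, `In case of problem` should be `In case of a problem`, and `public transportations` in the unchanged sentence `such as public transportations` should be `public transportation`. `unanonymize` is non-standard; `lift the anonymity of` (the wording used in the French abstract and in the group-signature chapter) or `de-anonymize` would be consistent with the rest of the thesis.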





@ 3,7 +3,7 @@ This construction relies on a signature scheme with efficient protocols as in~\c


As a consequence, it is possible to design latticebased anonymous credentials from this building block.


The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identitybased encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} transform to obtain a CCA2secure public key encryption scheme which will be used to provide fullanonymity.




The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixedsize and well studied assumptions.


The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixedsize and wellstudied assumptions.


As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.


Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. nonideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:latticegscomparison}.


In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
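Review bot: beyond the `well studied` to `wellstudied` change, `As of the security parameter $\lambda$ and groups of up to $\Ngs$ members` uses the wrong preposition; `For a security parameter $\lambda$ and groups of up to $\Ngs$ members` is what is meant. In the last sentence, `the cost of moving to dynamic group` should be plural, `dynamic groups`, matching the wording of the part introduction.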



@ 1008,7 +1008,7 @@ to compute a smallnorm matrix


$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.


\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$


(i.e., by computing $\lfloor (\mathbf{c}_2  \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip


\item[3.] Determine if the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,


\item[3.] Determine whether the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step~2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,


output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.


\end{itemize}


\end{description}
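Review bot: in step 2, the decryption expression `\lfloor (\mathbf{c}_2  \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil` shows no operator between $\mathbf{c}_2$ and $\mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1$; dual-Regev style decryption subtracts the second term, so confirm that a `-` is present in the source and not only lost in rendering. The `if` to `whether` change in step 3 is fine; while there, drop the stray space in `\textsf{bin}(\mathbf{v} )`, which occurs three times in this hunk.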



@ 1784,8 +1784,9 @@ and that (modulo $q$)


\begin{cases}


\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\




\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\


\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(


\mathbf{c}_{\mathbf{v}, 1} = \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\


\mathbf{c}_{\mathbf{v},2} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} \\


\hphantom{\mathbf{c}_{\mathbf{v},2}} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(


\begin{array}{c}


\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\


\mathbf{0}\\
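Review bot: splitting the long $\mathbf{c}_{\mathbf{v},2}$ line is an improvement, but aligning the continuation with `\hphantom{\mathbf{c}_{\mathbf{v},2}}` is fragile: inside `cases` every `\\` starts a new case row, so the continuation is typeset as its own case with only the phantom's width as indentation. A `\begin{aligned} ... \end{aligned}` block for the two-line equation keeps the `=` signs aligned regardless of font. Also, the $\mathbf{c}_{\mathbf{v},1}$ row ends with `;` while the two $\mathbf{c}_{\mathbf{v},2}$ rows do not; make the row separators consistent.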





@ 1,12 +1,13 @@


In this part, we will present two constructions for dynamic group signatures.


The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} to the random oracle model, which allows us to gain efficiency while keeping the assumptions simple.


This gives us a constantsize group signature scheme that is shown to be competitive with other constructions based on less standard assumptions.


In this part, we will present two constructions of dynamic group signatures.


The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} to the random oracle model, which allows us to gain in efficiency while keeping the assumptions simple.


This gives us a constantsize group signature scheme that is shown to be competitive with other constructions based on less standard assumptions such as the $\qSDH$ assumption.


An implementation is available and detailed in \cref{ch:sigmasig}.




The second construction, described in \cref{ch:gslwe}, is a latticebased dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.


The second construction, described in \cref{ch:gslwe}, is a latticebased dynamic group signature based on the scheme of Ling, Nguyen and Wang~\cite{LNW15} for static groups.


This construction was improved to match the requirements for dynamic groups, which closes an openproblem~\cite{GKV10}.


This construction has been the first fully secure group signature scheme from lattices.




Before describing those schemes, let us recall in this chapter the definition of dynamic group signatures and their related security definitions.


Before describing those schemes, this chapter recalls the definition of dynamic group signatures and their related security definitions.




\section{Background} \label{sse:gsbackground}


\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique}
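Review bot: in the new sentence `which closes an openproblem~\cite{GKV10}`, `open problem` is two words, and the citation placement reads as if \cite{GKV10} closed the problem; `which closes an open problem raised in~\cite{GKV10}` makes the attribution explicit. `This construction has been the first fully secure group signature scheme from lattices` should use the simple past, `was the first`, and after the sentence split it is unclear whether `This construction` refers to the scheme of~\cite{LNW15} or to the dynamic scheme of \cref{ch:gslwe}; name it.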



@ 21,23 +22,23 @@ In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed formal security


This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. These two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gsdefinitions}.




The \cite{BMW03}~model summarizes the security of a group signatures in two notions: \textit{anonymity} and \textit{traceability}.


The former notions models the fact that, without the opening authority's secret, even if everyone colludes, no one can trace a user from a signature; the latter sums up the fact that, even if everyone is corrupted (even the opening authority), it is infeasible to forge a valid signature that does not open to a valid user.


The former notions models the fact that, without the opening authority's secret, even if everyone colludes, no one can identify the author of a signature; the latter sums up the fact that, even if everyone is corrupted (even the opening authority), it is infeasible to forge a valid signature that does not open to a valid user.




In the dynamic setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.


In the dynamic setting, the \textit{group signingkeys issuing} phase is replaced by an interactive \textit{join} protocol where a user who wants to join the group interacts with the group manager.


In this context, the two notions of the BMW model are retained, and a third one is added: the ``\textit{nonframeability}'' property.


This notion expresses the impossibility to frame a group of honest users (which can be reduced to a singleton) in order to provide a signature that opens to one of them, \textit{even if the group manager and the opening authority are colluding}.


This notion expresses the infeasibility to frame a group of honest users (which can be reduced to a singleton) in order to provide a signature that opens to one of them, \textit{even if the group manager and the opening authority are colluding}.




One possible application of this primitive is anonymous access control for public transportation systems.


In order to commute, a person should prove possession of a valid subscription to the transportation service.


Thus, at registration to the service, the commuter joins the group of ``\emph{users with a valid subscription}'' and when it uses the transportation service, it is asked to sign the timestamp of its entry in the name of the group.


Thus, at registration to the service, the commuter joins the group of ``\emph{users with a valid subscription}''. When he uses the transportation service, he is asked to sign the timestamp of his entry in the name of the group.


In case of misbehavior, another entity \,let say the police\, is able to lift the anonymity of the signatures logged by the reading machine.


Then, the public transportation company is unable to learn anything from the signatures, except the validity of the subscription of a user. On the other hand, the police does not have access to the logs except if the public transportation company hands them to it.


Then, the public transportation company is unable to learn anything from the signatures, except the validity of the subscription of a user. On the other hand, the police does not have access to the logs except if the public transportation company hands them to them.




Other applications of group signatures can be advocated as authentication of lowrange communications for intelligent cars or anonymous access control of a building.


Other applications of group signatures can be found as authentication of lowrange communications for intelligent cars or anonymous access control of a building.


As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.




Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rose the problem of revocation and proposed a model that handles the issues that arose from the introduction of revocation called ``\textit{fullydynamic}'' group signatures.


As the main difficulty is to allow users to dynamically enroll to the group \,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\, this approach is not considered here, even if it is of some interests~\cite{LNWX17}.


Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} raised the problem of revocation and proposed a model that handles the issues that arose from the introduction of revocation called ``\textit{fullydynamic}'' group signatures.


As the main difficulty is to allow users to dynamically enroll in the group \,revocation has been known to be implemented in a modular manner~\cite{LLNW14}\, this approach is not considered here, even if it is of interest~\cite{LNWX17}.




\section{Formal Definition and Correctness} \label{sse:gsdefinitions}


\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
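Review bot: `The former notions models` still has a number disagreement in the new line; `The former notion models` is intended. The pronoun change `hands them to it` to `hands them to them` makes `the police` plural while the same sentence keeps `the police does not have access`; pick one, e.g. `the police do not have access to the logs unless the public transportation company hands them over`. In the unchanged context, `\,let say the police\,` should be `let us say` or `say, the police`, and the `\,` thin-space pairs there and in the revocation sentence (`\,revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,`) look like they stand in for dashes or parentheses; use the intended punctuation.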




169
chapOTLWE.tex

@ 525,7 +525,7 @@ Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{C


using a multibit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the wellformedness of its public key and all ciphertexts. In addition,


all ciphertexts are signed using a signature scheme. At each


transfer, the receiver statistically rerandomizes a blinded version of the desired ciphertext, where the blinding is done via the additive


homomorphism of Regev. Then, the receiver provides a witness indistinguishable (WI) argument that the modified ciphertext (which is


homomorphism of Regev. Then, the receiver provides a witness indistinguishable (\textsf{WI}) argument that the modified ciphertext (which is


submitted for oblivious decryption) is


a transformation of one of the original ciphertexts by arguing knowledge of a signature on this hidden ciphertext. In response,


the sender obliviously decrypts the modified ciphertext and argues in zeroknowledge that the response is correct.
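Review bot: switching `WI` to `\textsf{WI}` here (and in the later hunks of this file) leaves `ZK` and `zeroknowledge` in plain text in the same paragraphs (`argues in zeroknowledge`, `the ZK argument system`); apply the same treatment to ZK for consistency, and define macros such as `\newcommand{\WI}{\textsf{WI}}` and `\newcommand{\ZK}{\textsf{ZK}}` so the formatting lives in one place instead of being repeated in every sentence.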



@ 571,10 +571,9 @@ ${PK}_{sig}:=\big( \mathbf{A},


Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample


U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to


compute


\begin{eqnarray} \label{initdb}


(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N].


\qquad


\end{eqnarray}


\begin{align} \label{initdb}


(\mathbf{a}_i,\mathbf{b}_i) &= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} & \forall i \in [N].


\end{align}




\item[4.] For each $i \in [N]$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the decomposition


$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q1}(\mathbf{a}_i^T \mathbf{b}_i^T )^T \in \{0,1\}^{m_d}$. % of $(\mathbf{a}_i^T  \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
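Review bot: the move from `eqnarray` to `align` is the right call (amsmath documents `eqnarray` as obsolete because of its spacing defects). With `&= ... & \forall i \in [N]` the quantifier lands in a second alignment column, which is fine; just make sure `\label{initdb}` ends up defined only once, since both the removed and the added display carry it. In the following step, `\mathsf{vdec}_{n+t,q1}(\mathbf{a}_i^T \mathbf{b}_i^T )^T` shows no separator between $\mathbf{a}_i^T$ and $\mathbf{b}_i^T$; the concatenation delimiter should be explicit.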



@ 600,7 +599,7 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}


\qquad


\end{eqnarray}


which is a rerandomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to


$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows


$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows


a signature on $\mathfrak{m} = \mathsf{vdec}_{n+1,q1}(\mathbf{a}_{\rho_i}^T  \mathbf{b}_{\rho_i}^T)^T \in \{0,1\}^{m_d}$.


To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZKprotocol3}.
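Review bot: the decomposition is written `\mathsf{vdec}_{n+1,q1}` here, while the database setup step uses `\mathsf{vdec}_{n+t,q1}` for the same $(\mathbf{a}^T \, \mathbf{b}^T)^T \in \Zq^{n+t}$ vector; `n+1` looks like a typo for `n+t` and gives the wrong decomposition length $m_d$. Also `ZK argument system` stays in plain text next to the newly `\textsf`-formatted `WI`; format both the same way.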





@ 609,9 +608,9 @@ To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system i


obtain $M' = \lfloor (\mathbf{c}_1  \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$


which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a zeroknowledge argument of knowledge of vector $\mathbf{y}= \mathbf{c}_1  \mathbf{S}^T \cdot \mathbf{c}_0  M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$


of norm $\ \mathbf{y} \_{\infty} \leq q/5$ and smallnorm matrices $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)


\begin{eqnarray} \label{testtransfer}


\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T  {M'}^T \cdot \lfloor q/2 \rfloor.


\end{eqnarray}


\begin{align} \label{testtransfer}


\mathbf{P} &= \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} & \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T &= \mathbf{c}_1^T  {M'}^T \cdot \lfloor q/2 \rfloor.


\end{align}


To this end, $\mathsf{S}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZKprotocol2}.


\item[3.] If the ZK argument produced by $\mathsf{S}_\mathsf{T}$ does not properly verify at step 2, $\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$. Otherwise, $\mathsf{R}_\mathsf{T}$ recalls


the random string $\mu \in \{0,1\}^t$ that was chosen at step 1 and computes $M_{\rho_i}=M' \oplus \mu$. The transfer ends with $\mathsf{S}_\mathsf{T}$ and $\mathsf{R}_\mathsf{T}$
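Review bot: in the new `align`, `\mathbf{P} &= ... & \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T &= ...` correctly uses the four-column form for two equations on one line, but `align` separates the pair with only the standard inter-equation gap; `alignat{2}` with an explicit `\qquad` (or keeping the `\qquad` from the `eqnarray` version) keeps them visually distinct. The norm bound in the context line renders as `\ \mathbf{y} \_{\infty} \leq q/5`, i.e. without norm bars; check that `\|\mathbf{y}\|_\infty` is intact in the source.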



@ 626,7 +625,7 @@ outputting $S_i=S_{i1}$ and $R_i=R_{i1}$, respectively.


In the initialization phase, the sender has to repeat step 5 with each


receiver to prove that $\left\{(\mathbf{a}_i,\mathbf{b}_i)\right\}_{i=1}^N$ are wellformed. Using the FiatShamir heuristic \cite{FS86}, we can decrease this initialization


cost from $O(N \cdot U)$ to $O(N)$ (regardless of the number of users $U$) by making the proof noninteractive.


This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be noninteractive and the receiver's arguments only need to be WI, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof


This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be noninteractive and the receiver's arguments only need to be \textsf{WI}, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof


simple, we derive the matrix $\mathbf{F} \in \Zq^{n \times m}$ from a second random oracle.


%which the sender can build his $\LWE$based public key $\mathbf{P}=\mathbf{F} \cdot \mathbf{S} + \mathbf{E}$, for smallnorm matrices $\mathbf{S} \in \ZZ^{n \times t}$


%and $\mathbf{E} \in \ZZ^{m \times t}$.
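Review bot: the two commented-out lines starting `%which the sender can build his $\LWE$based public key` are dead text carried at the end of the paragraph; delete them rather than keep them (version control retains the history). As in the earlier hunk, `the sender's ZK arguments` in the same sentence as the new `\textsf{WI}` should receive the same formatting.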



@ 685,11 +684,11 @@ samples vectors $\mathbf{e} \sample U(\{1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$


(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \ZZ_q^n \times \ZZ_q^t,


\end{eqnarray*}


which is a rerandomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$.


Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that


Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive \textsf{WI} argument that


$(\mathbf{c}_0,\mathbf{c}_1)$ is a rerandomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.


It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q1}(\mathbf{a}_1 \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{1,0,1\}^t$, $\mu \in \{0,1\}^t$,


It thus generates a \textsf{WI} argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q1}(\mathbf{a}_1 \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{1,0,1\}^t$, $\mu \in \{0,1\}^t$,


$\nu \in [B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T  \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol3original}. %(\ref{statementrandun})(\ref{statementranddeux}).


By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter


By the statistically \textsf{WI} of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter


such that $(m+1) \alpha q / B $ is negligible, the result of \cite[Section 4.1]{DS16} implies that always rerandomizing


$(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$ leaves the view of $\hat{\mathsf{S}}$ statistically unchanged.


We have $  \Pr[W_2] \Pr[W_1]  \leq \mathsf{negl}(\lambda). $ \smallskip
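Review bot: the context line samples $\mathbf{e} \sample U(\{1,0,1\}^m)$ and the ciphertext uses $\mathbf{F} \cdot \mathbf{e}$ with $\mathbf{F} \in \Zq^{n \times m}$, but the WI statement lists `$\mathbf{e} \in \{1,0,1\}^t$`; the exponent should be $m$, not $t$ (the same `^t` appears in the prover's goal of the ZK protocol section). Separately, `By the statistically WI of the interactive argument system` is ungrammatical; `By the statistical WI property of the interactive argument system` is meant.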



@ 927,7 +926,7 @@ the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desi


satisfies \eqref{vereqblock} and that $\\mathbf{v}_\USR\ \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$. If so, $\USR$ sets


$C_\USR := C_{\USR} \cup \{\mathbf{x}\}$, $\mathsf{Cred}_\USR := \mathsf{Cred}_\USR \cup \{\crt_{\USR,\mathbf{x}}\}$ and updates its state $st_\USR=(\mathbf{e}_\USR,P_\USR,f_{DB},C_\USR,\mathsf{Cred}_\USR)$. If $\crt_{\USR,\mathbf{x}}$ does not properly verify, $\USR$ aborts the interaction and leaves $st_{\USR}$ unchanged. \smallskip


\end{itemize}


\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender \textsf{DB}


\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender % \textsf{DB}


has $\mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N $ which is a database of $N$ pairs made of a message


$M_i \in \{0,1\}^{t}$ and a policy realized by a length$L$


branching program $\BPR_i = \{\var_i(\theta),\pi_{i,\theta,0},\pi_{i,\theta,1}\}_{\theta=1}^L$. %.of length $L \in \mathsf{poly}(n)$,
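Review bot: commenting out `\textsf{DB}` leaves `% \textsf{DB}` as dead text at the end of the `\item` line; delete it outright. If the intent is to stop naming the sender, note that the transfer step still says `sent to $\mathsf{DB}$`, so the sender keeps the name $\mathsf{DB}$ elsewhere; `The sender $\mathsf{DB}$` (math-mode, matching the other occurrences) would be the consistent choice.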



@ 973,7 +972,7 @@ the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desi


\end{itemize}




\item[\textsf{Transfer}$\big(\mathsf{DB}(SK_{\mathsf{DB}},PK_{\mathsf{DB}},PK_I),\USR(\rho,st_\USR,PK_I,PK_\mathsf{DB},ER_\rho,\BPR_\rho) \big)$:]


Given an index $\rho \in [N]$, a record


From an index $\rho \in [N]$, a record


$ER_\rho =\big(\mathbf{a}_\rho,\mathbf{b}_\rho,(\tau_\rho,\mathbf{v}_\rho ) \big) $ and a policy $\BPR_{\rho}$, the user $\USR$ parses


$st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. If $C_\USR$ does not contain any $\mathbf{x} \in \{0,1\}^\kappa$ s.t.


$\BPR_{\rho}(\mathbf{x})=1$ and $\mathsf{Cred}_{\USR}$ contains the corresponding $\crt_{\USR,\mathbf{x}}$, $\USR$ outputs $\perp$. Otherwise, he
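Review bot: `Given an index` to `From an index` is not an improvement; `Given an index $\rho \in [N]$, a record $ER_\rho$ and a policy $\BPR_\rho$, the user $\USR$ parses ...` is the idiomatic form. More importantly, the abort condition `If $C_\USR$ does not contain any $\mathbf{x}$ s.t. $\BPR_\rho(\mathbf{x})=1$ and $\mathsf{Cred}_\USR$ contains the corresponding $\crt_{\USR,\mathbf{x}}$` leaves the scope of `and` ambiguous; rewrite as `If there is no $\mathbf{x} \in C_\USR$ such that $\BPR_\rho(\mathbf{x})=1$ and $\crt_{\USR,\mathbf{x}} \in \mathsf{Cred}_\USR$, then $\USR$ outputs $\perp$`.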



@ 1020,7 +1019,7 @@ $t$bit messages $\{M_i\}_{i=1}^N$ satisfying~\eqref{PKgenac}\eqref{initdba


(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,


\qquad


\end{eqnarray}


which is sent to $\mathsf{DB}$ as a rerandomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a rerandomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated


which is sent to $\mathsf{DB}$ as a rerandomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a rerandomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated


with a policy $\BPR_\rho$ for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR_\rho (\mathbf{x})=1$.


%To this end, $\USR$ uses the technique of Section \ref{ineffmethod}.


In addition, $\USR$
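Review bot: `\crt_{\USR,x}` in the unchanged line following the edit uses a plain `x` subscript, while the credential is written `\crt_{\USR,\mathbf{x}}` in the registration step and the same sentence quantifies over `\mathbf{x} \in \{0,1\}^\kappa`; use `\mathbf{x}` here. The commented-out `%To this end, $\USR$ uses the technique of Section \ref{ineffmethod}.` is stale and should be deleted.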



@ 1061,40 +1060,42 @@ satisfying the relations (modulo $q$)


%\begin{eqnarray} \label{statementranddeuxac}


%\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2)  \mathbf{D}\cdot \mathfrak{m} = \mathbf{u},


%\end{eqnarray}


\begin{eqnarray}\label{statementrandtroisac}


\begin{cases}


\mathbf{H}_{2n+t,q1} \cdot \mathfrak{m} +


\left[ \begin{array}{cccc}


~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}


~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline


& & &  \mathbf{A}_{\mathrm{HBP}}


\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline


\mathbf{z}_{\BPR,\rho}


\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip


\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T  \mathbf{b}_{\rho}^T  \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q1} \cdot \mathfrak{m} $)}} \\[2.5pt]


\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2)  \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]


\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +


\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2})  \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]


\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}}  \mathbf{H}_{n,q1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]


\left[


\begin{array}{cc}


\mathbf{H}_{n,q1} & \mathbf{0} \\


\hline \rule{0pt}{2.6ex}


\mathbf{0} & \mathbf{I}_\kappa \\


\end{array}


\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[


\begin{array}{c}


\bar{\mathbf{A}} \\


\mathbf{0} \\


\end{array}


\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[


\begin{array}{c}


\mathbf{0} \\


\mathbf{I}_\kappa \\


\end{array}


\right]\cdot \mathbf{x} = \mathbf{0}


\end{cases}


\end{eqnarray}


{\footnotesize


\begin{eqnarray}\label{statementrandtroisac}


\begin{cases}


\mathbf{H}_{2n+t,q1} \cdot \mathfrak{m} +


\left[ \begin{array}{cccc}


~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}


~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline


& & &  \mathbf{A}_{\mathrm{HBP}}


\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline


\mathbf{z}_{\BPR,\rho}


\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip


\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T  \mathbf{b}_{\rho}^T  \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q1} \cdot \mathfrak{m} $)}} \\[2.5pt]


\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2)  \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]


\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +


\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2})  \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]


\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}}  \mathbf{H}_{n,q1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]


\left[


\begin{array}{cc}


\mathbf{H}_{n,q1} & \mathbf{0} \\


\hline \rule{0pt}{2.6ex}


\mathbf{0} & \mathbf{I}_\kappa \\


\end{array}


\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[


\begin{array}{c}


\bar{\mathbf{A}} \\


\mathbf{0} \\


\end{array}


\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[


\begin{array}{c}


\mathbf{0} \\


\mathbf{I}_\kappa \\


\end{array}


\right]\cdot \mathbf{x} = \mathbf{0}


\end{cases}


\end{eqnarray}


}


and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes $\BPR_\rho$ such that $\BPR_\rho (\mathbf{x})=1$.


This is done by running the argument system described in Section~\ref{subsection:ZKProtocol4BP}.
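Review bot: the same witness is written two ways inside one `cases` block: `\mathfrak{m}_{\mathsf{U}, \mathbf{x}}` in the `\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}}` row and `{\mathfrak{m}}_{\USR,\mathbf{x}}` in the block-matrix row that follows; pick the `\USR` macro for every user-indexed object (`\mathbf{v}_{\mathsf{U},1}`, `\tau_{\mathsf{U}}`, `\mathbf{r}_{\mathsf{U}}`, `\mathbf{e}_{\mathsf{U}}`) so a later notation change applies in one place. As displayed, the rows `\sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2)  \mathbf{D}\cdot \mathfrak{m} = \mathbf{u}` and `\mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}}  \mathbf{H}_{n,q1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}}` have no binary operator between the two terms and the subscript reads `q1`; confirm the minus signs (`- \mathbf{D}\cdot\mathfrak{m}`, `q-1`) survive in the committed source. The `\text{{\scriptsize // (recall that ...)}}` row is the only place the decomposition `(\mathbf{a}_\rho^T \mathbf{b}_\rho^T \mathbf{h}_{\BPR,\rho}^T)^T = \mathbf{H}_{2n+t,q1}\cdot\mathfrak{m}` is stated; it deserves a sentence in the running text rather than a comment inside the display.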





@ 1478,33 +1479,34 @@ Let $n, m , m_d, q, t, \ell, B$ be the parameters defined in Section~\ref{OTsch


$\mathbf{c}_0 \in \mathbb{Z}_q^n, \hspace*{2.5pt}\mathbf{c}_1 \in \mathbb{Z}_q^t, \hspace*{2.5pt}\mathbf{u} \in \mathbb{Z}_q^n$. \smallskip


\item[Prover's goal] is to prove knowledge of $\mathfrak{m} \in \{0,1\}^{m_d}$, $\mu \in \{0,1\}^t$, $\mathbf{e} \in \{1,0,1\}^t$, $\nu \in [B,B]^t$, $\tau = (\tau[1], \ldots, \tau[\ell])^T \in \{0,1\}^\ell$, $\mathbf{v}_1, \mathbf{v}_2 \in [\beta, \beta]^m$ such that the following equations hold:


\end{description}


{\small


\begin{eqnarray}\label{eq:protocol3original}


\begin{cases}


\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2)  \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \bmod q; \\


\mathbf{H}_{n+t, q1}\hspace*{2pt}\cdot \hspace*{2pt}\mathfrak{m} + \left(


\begin{array}{c}


\mathbf{F} \\


\mathbf{P}^T \\


\end{array}


\right)\hspace*{2pt}\cdot\hspace*{2pt} \mathbf{e} + \left(


\begin{array}{c}


\mathbf{0}^{n \times t} \\


\lfloor \frac{q}{2}\rfloor \hspace*{2pt}\cdot\hspace*{2pt} \mathbf{I}_t\\


\end{array}


\right) \hspace*{2pt}\cdot\hspace*{2pt} \mu + \left(


\begin{array}{c}


\mathbf{0}^{n \times t} \\


\mathbf{I}_t \\


\end{array}


\right) \hspace*{2pt}\cdot\hspace*{2pt} \nu = \left(


\begin{array}{c}


\mathbf{c}_0 \\


\mathbf{c}_1 \\


\end{array}


\right) \bmod q. ~~~~~


\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2)  \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \bmod q; \\


\mathbf{H}_{n+t, q1}\hspace*{2pt}\cdot \hspace*{2pt}\mathfrak{m} + \left(


\begin{array}{c}


\mathbf{F} \\


\mathbf{P}^T \\


\end{array}


\right)\hspace*{2pt}\cdot\hspace*{2pt} \mathbf{e} + \left(


\begin{array}{c}


\mathbf{0}^{n \times t} \\


\lfloor \frac{q}{2}\rfloor \hspace*{2pt}\cdot\hspace*{2pt} \mathbf{I}_t\\


\end{array}


\right) \hspace*{2pt}\cdot\hspace*{2pt} \mu + \left(


\begin{array}{c}


\mathbf{0}^{n \times t} \\


\mathbf{I}_t \\


\end{array}


\right) \hspace*{2pt}\cdot\hspace*{2pt} \nu = \left(


\begin{array}{c}


\mathbf{c}_0 \\


\mathbf{c}_1 \\


\end{array}


\right) \bmod q. ~~~~~


\end{cases}


\end{eqnarray}


For this purpose, we perform the following transformations on the witnesses. \smallskip \smallskip


\end{eqnarray}}


For this purpose, we perform the following transformations on the witnesses. \medskip






\noindent
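Review bot: in the Prover's goal line, `$\mathbf{e} \in \{1,0,1\}^t$`, `$\nu \in [B,B]^t$` and `$\mathbf{v}_1, \mathbf{v}_2 \in [\beta, \beta]^m$` read, as displayed, as a set with a repeated element and two degenerate intervals; the ternary set and symmetric ranges need their minus signs (`\{-1,0,1\}`, `[-B,B]`, `[-\beta,\beta]`), so check the source encoding of this line. The new `\end{eqnarray}}` closes the `{\small` group opened before `\begin{eqnarray}`; putting the brace on its own line or using `\begingroup\small ... \endgroup` makes that scope visible, and the `\bmod q. ~~~~~` padding at the end of the second relation should be a `\hspace*{...}` or `\qquad` rather than a run of ties. The `\smallskip \smallskip` to `\medskip` replacement is fine (same 6pt).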



@ 2089,7 +2091,7 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}


\qquad


\end{eqnarray}


which is a rerandomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The resulting ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to


$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a rerandomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.


$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a rerandomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.


To this end, $\mathsf{R}_\mathsf{T}$ argues knowledge of short vectors $\mathfrak{m} = \mathsf{vdec}_{n+1,q1}(\mathbf{a}_i \mathbf{b}_i) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{1,0,1\}^t$, $\mu \in \{0,1\}^t$,


$\nu \in [B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T  \mathbf{v}_2^T)^T \in \ZZ^{2m}$ such that


\begin{eqnarray} \label{statementrandunapp}
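Review bot: the witness `$\mathfrak{m} = \mathsf{vdec}_{n+1,q1}(\mathbf{a}_i \mathbf{b}_i)$` has the wrong dimension and index: the decomposed vector is `(\mathbf{a}_{\rho_i} \| \mathbf{b}_{\rho_i}) \in \mathbb{Z}_q^n \times \mathbb{Z}_q^t`, so the subscript should be `n+t` as in the later `\mathsf{vdec}_{n+t,q1}(\mathbf{a}_1 \mathbf{b}_1)` and as the `m_d` in the Prover's goal requires, and the index should be `\rho_i` to match `(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})` two lines above. The hunk header writes `\rho_i \in [1,N]` while the WI-argument sentence writes `\rho_i \in [N]`; use one notation.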



@ 2105,7 +2107,7 @@ and


\vdots \\ \hline \rule{0pt}{2.5ex} \tau[\ell] \cdot \mathbf{v}_2 \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \mathfrak{m} ~\bmod q


\end{eqnarray}




\item[2.] If the WI argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and


\item[2.] If the \textsf{WI} argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and


obtain $$M' = \lfloor (\mathbf{c}_1  \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$


which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1  \mathbf{S}^T \cdot \mathbf{c}_0  M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$


of norm $\ \mathbf{y} \_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1\ldots  \mathbf{e}_t] \in \chi^{m \times t}$ satisfying (modulo $q$)
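Review bot: `$$M' = \lfloor (\mathbf{c}_1  \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil$$` and `\mathbf{y}= \mathbf{c}_1  \mathbf{S}^T \cdot \mathbf{c}_0  M' \cdot \lfloor q/2 \rfloor` show no operator between `\mathbf{c}_1` and `\mathbf{S}^T \cdot \mathbf{c}_0` (both live in `\Zq^t`, so a product cannot be meant), and the norm reads `$\ \mathbf{y} \_{\infty} \leq q/5$` with the `\|` delimiters gone; verify that the `-` and `|` characters are present in the source, since the same loss appears in `\{1,0,1\}^t` and `[B,B]^t` in step 1.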



@ 2114,16 +2116,17 @@ of norm $\ \mathbf{y} \_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1\ldot


\end{eqnarray}


Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^T \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1 \ldots  \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge


of $\mathbf{s}_j \in \chi^n$, $\mathbf{y}[j] \in \ZZ$ such that $\mathbf{y}[j]  < q/4$ and $\mathbf{e}_j \in \chi^m$, such that


\begin{eqnarray} \label{senderprooftwoapp}


\begin{align} \label{senderprooftwoapp}


\left[ \begin{array}{ccc}


~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline


\rule{0pt}{2.5ex} \mathbf{c}_0^T ~ & & 1


\end{array} \right]


\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} = \begin{pmatrix}


\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} &=


\begin{pmatrix}


\mathbf{p}_j \\ \hline


\rule{0pt}{2.5ex} \mathbf{c}_1[j]  M'[j] \cdot \lfloor q/2 \rfloor


\end{pmatrix} \qquad~ \forall j \in [t], \qquad


\end{eqnarray}


\end{pmatrix} & \forall j \in [t],


\end{align}


where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^T $ and $M' = (M'[1],\ldots,M'[t])^T$. Let the NIZK argument be $\pi_T=(


\{\mathsf{Comm}_{T,j}\}_{j=1}^\varsigma,\mathsf{Chall}_T,\{\mathsf{Resp}_{T,j}\}_{j=1}^\varsigma)$,


where $\mathsf{Chall}_T = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{c}_0, \mathbf{c}_{1}),
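Review bot: the bound proved per coordinate, `$\mathbf{y}[j] < q/4$` (bars dropped in the rendering), does not match the bound stated for the NIZK argument just above, `\leq q/5`; either state that the argument only guarantees the weaker `q/4` bound on extraction (the usual relaxed soundness of Stern-like arguments) or make the two numbers agree, and say which one the decryption correctness of step 2 relies on. Switching `\begin{eqnarray}` to `\begin{align}` is the right call (better spacing, proper `\label` handling); note that `align` needs `amsmath` to be loaded, and that the second `&` before `\forall j \in [t]` opens a new column pair, so the quantifier is right-aligned in its own column rather than set with `\qquad`.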



@ 2217,12 +2220,12 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption


\begin{eqnarray*}


(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,


\end{eqnarray*}


which is a rerandomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that


which is a rerandomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive \textsf{WI} argument that


$(\mathbf{c}_0,\mathbf{c}_1)$ is a rerandomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.


It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q1}(\mathbf{a}_1 \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{1,0,1\}^t$, $\mu \in \{0,1\}^t$,


It thus generates a \textsf{WI} argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q1}(\mathbf{a}_1 \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{1,0,1\}^t$, $\mu \in \{0,1\}^t$,


$\nu \in [B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T  \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol3original}.


%(\ref{statementrandun})(\ref{statementranddeux}).


By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.


By the statistically \textsf{WI} of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.


We have $  \Pr[W_4] \Pr[W_3]  \in \mathsf{negl}(\lambda). $ \smallskip


\end{description}


In $\textsf{Exp}_4$, we define the idealworld cheating sender $\hat{\mathsf{S}}'$ in the following way. It programs the random oracle $H_F : \{0,1\}^\ast
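Review bot: "By the statistically \textsf{WI} of the interactive argument system" should be "By the statistical \textsf{WI}" (witness indistinguishability is the noun here, so the adjective form is needed). The same dropped-character problem as in the earlier hunks shows in `$  \Pr[W_4] \Pr[W_3]  \in \mathsf{negl}(\lambda). $`, which needs `|\Pr[W_4] - \Pr[W_3]|`; check the source. This hunk writes `\mathsf{vdec}_{n+t,q1}`, which is the correct dimension; the `n+1` in the receiver's step 1 should be aligned with it. The commented-out `%(\ref{statementrandun})(\ref{statementranddeux}).` line can be deleted rather than kept as dead text.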





@ 5,18 +5,18 @@


In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.


These contributions focus on the design and analysis of new cryptographic schemes that target privacypreserving applications.




In pairingbased cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.


It relies on broadly used assumptions with simple statements which exist for more than ten years.


In pairingbased cryptography, we proposed a practical dynamic group signature scheme, for which security is wellunderstood.


It relies on broadly used assumptions with simple and constantsize descriptions which exist for more than ten years.


This work is also supported by an implementation in \texttt{C}.




Our work in the lattice setting gives rise to three fundamental schemes that were missing in the landscape of latticebased privacypreserving cryptography.


Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that it's one step toward a quantumsecure privacyfriendly world.


The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of latticebased privacypreserving cryptography.


Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantumsecure privacyfriendly world.




In the way of doing it, improvements have been made in the state of the art of zeroknowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.


On the road, improvements have been made in the state of the art of zeroknowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.


As of our signature with efficient protocols, it has already been used to design a latticebased ecash system~\cite{LLNW17}.




All these works are proven under strong security model within simple assumptions.


This made a breeding ground for new theoretical constructions, as well as going toward practicality.


All these works are proven under strong security models under simple assumptions.


This provides a breeding ground for new theoretical constructions.




\section*{Open Problems}
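Review bot: a few wording slips remain in the rewritten paragraphs: "simple and constant-size descriptions which exist for more than ten years" reads better as "that have existed for more than ten years"; "On the road, improvements have been made" as "Along the way, improvements were made"; "As of our signature with efficient protocols" as "As for our signature with efficient protocols"; and "proven under strong security models under simple assumptions" repeats "under" (prefer "proven in strong security models under simple assumptions").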





@ 24,12 +24,12 @@ The path of providing new cryptographic primitives and proving them is dissemina


The most obvious questions that stem from this work are about how to tackle the tradeoffs we made in the design of those primitives.




\begin{question}


Is it possible to build an adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?


Is it possible to build a fullysimulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?


\end{question}




In other words, is it possible to avoid the use of smudging to guarantee messageprivacy in the oblivious transfer scheme of~\cref{ch:otlwe}.


As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.


However, finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}.


In other words, is it possible to avoid the use of smudging to guarantee messageprivacy in the adaptive oblivious transfer scheme of~\cref{ch:otlwe}.


As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.


However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.


Then, the main difficulty is to have zeroknowledge proofs compatible with the access control and the encryption layers.




\subsection*{ZeroKnowledge Proofs}
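Review bot: the two sentences after the question now name different properties: "avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme" is followed by "which does not guarantee this index privacy"; decide which property smudging protects here and use it in both sentences. That first sentence is a question and should end with "?" rather than ".". In the GSW sentence, "wold" should be "would", and "they do not suffice ... because they would leak" has no plural antecedent ("finer analysis ... seems promising"); rephrase to "such techniques do not suffice in our setting because they would leak the norm of the noise vector".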



@ 39,10 +39,11 @@ Then, the main difficulty is to have zeroknowledge proofs compatible with the a


\end{question}




Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for latticebased privacypreserving cryptography.


Recent line of work goes toward this direction~\cite{RSS18}, but relies on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).


This question remains open for more than $10$ years~\cite{KW18}.


Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).




The Sternlike proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.


The choice of permutations used to ensure zeroknowledgeness (and so witnessindistinguishability) is quite strict, and force the challenge space to be ternary.


The choice of permutations used to ensure zeroknowledgeness (and thus witnessindistinguishability) is quite strict, and force the challenge space to be ternary.


This proves to be a real bottleneck in the efficiency of such proof systems.




\begin{question}



@ 53,7 +54,7 @@ As explained in~\cref{ch:zka}, nowadays latticebased proof systems for $\SIS$/$


If the natural structure of a lattice is a group, additive noise or witnesslength restrictions forbid the use of standard groupbased cryptography to undertake this problem.


However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and noninteractive) zeroknowledge proofs for some worstcase lattice problems.


It may be an interesting question to see if the restricted geometry of averagecase lattice problems can be exploited to provide such proofs.


If these proof systems can be used after applying a transformation from averagecase to worstcase problem, this methodology is highly inefficient and does not close the question.


%If these proof systems can be used after applying a transformation from averagecase to worstcase problem, this methodology is highly inefficient and does not close the question.




As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.


Thus, a natural question may be:
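Review bot: rather than leaving the sentence about the average-case-to-worst-case transformation as a `%`-commented line, delete it; the history is in version control and commented prose tends to drift out of sync with the text around it. In "If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid ...", "If" reads as a conditional whereas a concession is meant; "Although" or "While" makes the contrast with the next sentence clear.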



@ 61,12 +62,12 @@ Thus, a natural question may be:


\subsection*{Cryptographic Constructions}




\begin{question}


Does a trapdoorfree (H)IBE exists?


Does an efficient trapdoorfree (H)IBE exists?


\end{question}




For instance, in the group encryption scheme of~\cref{ch:gelwe}, trapdoors are used in two places.


To have a secure public key encryption scheme under adaptive active attacks and for the signature scheme.


Both these primitives are induced by identitybased encryption: the CanettiHaleviKatz transformations generically transform an IBE into a \textsf{INDCCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{INDCPA}secure IBE~\cite{BF01,BLS01}.


To have a secure public key encryption scheme under adaptive chosenciphertext attacks and for the signature scheme.


Both these primitives are induced by identitybased encryption: the CanettiHaleviKatz transform generically turns an IBE into a \textsf{INDCCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{INDCPA}secure IBE~\cite{BF01,BLS01}.


Actually, even the question of having a trapdoorless \textsf{INDCCA2} public key encryption scheme still remains an open question.




\begin{question}
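Review bot: the reworded question "Does an efficient trapdoor-free (H)IBE exists?" keeps the agreement error; it should be "exist". "To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme." is a sentence fragment; fold it into the previous sentence, e.g. "trapdoors are used in two places: to obtain a public-key encryption scheme secure under adaptive chosen-ciphertext attacks, and in the signature scheme." "Even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question" repeats "question"; "remains open" suffices.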



@ 75,6 +76,6 @@ Actually, even the question of having a trapdoorless \textsf{INDCCA2} public ke




Our work during this thesis also focuses on the security proofs of cryptographic schemes.


As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.


Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}.


Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17}.


This improves the understanding of the links between cryptographic schemes and security assumptions, leading to more reliable constructions.


Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.


Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.


This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.
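Review bot: the added citation list `\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}` introduces three new keys; the these.bib hunk in this commit adds entries for `LSSS17` and `LJYP14`, so confirm that `LPJY15` already resolves, otherwise BibTeX will emit an undefined-citation warning. "Our work during this thesis also focuses on the security proofs" sits in a conclusion written in the past tense elsewhere ("we proposed", "were made"); "also focused" keeps the tense consistent.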





@ 55,7 +55,7 @@ In the context of this thesis, the developed cryptographic schemes rely on latti


Latticebased cryptography is used to step towards postquantum cryptography, while the latter proves useful in the design of practical schemes.


The details of these two structures are given in~\cref{ch:structures}.




\subsection{Zeroknowledge Proofs}


\subsection{ZeroKnowledge Proofs}




As explained before, zeroknowledge proofs are a basic building block for privacypreserving cryptography.


They requires completeness, soundness and zeroknowledge properties.
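Review bot: "They requires completeness, soundness and zero-knowledge properties" should read "They require the completeness, soundness and zero-knowledge properties"; the heading change to "Zero-Knowledge Proofs" matches the other title-cased subsection headings in the file.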





@ 179,9 +179,12 @@ For instance, there is no security proofs for the El Gamal encryption scheme fro


Another criterion to evaluate the security of an assumption is to look if the assumption is ``simple to state'' or not.


This observation is buttressed by the statement of~\cite[p.25]{KL07}:~``\ldots\textit{there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute.}''.




It is harder to evaluate the security of an assumption as $q$Strong DiffieHellman, which is a variant of $\DDH$ where the adversary is given the tuple $(g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{})$ and has to devise $g^{a^{q+1}}$.


Indeed, it is complicated to evaluate the security of an assumption as $q$Strong DiffieHellman assumptions defined as follows.


\begin{definition}[$q$Strong DiffieHellman assumption~\cite{BB04,BBS04}]


In a cyclic group $\GG$, the $q$\textit{Strong DiffieHellman} ($\qSDH$) problem is, given $g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{}$, compute the element $g^{a^{q+1}}$.


\end{definition}


The security of this assumption inherently depends on the parameter $q$ of the assumption.


Cheon also proved that for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.


Cheon additionally showed that, for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.


These parameterized assumptions are called \emph{$q$type assumptions}.


There also exist other kinds of nonstatic assumptions, such as interactive assumptions.


An example can be the ``\emph{$1$more\textsf{DL}}'' assumption.
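Review bot: the new environment is titled "$q$-Strong Diffie-Hellman assumption" but its body defines a *problem* ("the $\qSDH$ problem is, given ..., compute ..."); either title it "$q$-Strong Diffie-Hellman problem" and add the sentence "the $\qSDH$ assumption states that this problem is hard in $\GG$", or phrase the body as an assumption. In the body, "is, given $g, \ldots$, compute the element" should be "is, given $g, \ldots$, to compute the element". The lead-in "an assumption as $q$-Strong Diffie-Hellman assumptions defined as follows" mixes singular and plural; "an assumption such as the $q$-Strong Diffie-Hellman assumption, defined as follows" is cleaner. "This assumption is no more trustworthy" should be "is no longer trustworthy".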





@ 2,8 +2,8 @@


% \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}


% \label{ch:sigmasig}


%


In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an \textit{efficient} construction~\cite{BR93}.


Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with two companion protocols: a protocol whereby a signer can obliviously sign a committed message known only to the user and a zeroknowledge proof to efficiently attest possession of a hidden messagesignature pair.


In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} to the random oracle model~\cite{BR93} in order to get an \textit{efficient} construction.


In the Camenish and Lysyanskaya terminology, signatures with efficient protocols~\cite{CL04a} are digital signatures which come with two companion protocols: a protocol whereby a signer can obliviously sign a committed message known only to the user and a zeroknowledge proof to efficiently attest possession of a hidden messagesignature pair.




This building block proved useful in the design of many efficient anonymityrelated protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).


In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
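Review bot: "In the Camenish and Lysyanskaya terminology" misspells the author's name; later in the same chapter it is written "Camenisch and Lysyanskaya", which is the correct form, so fix it here as well.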



@ 12,16 +12,16 @@ Later on, users can make themselves known to verifiers under a different pseudon


In this context, signature with efficient protocols can typically be used as follows:


the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret messagesignature pair.




As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.


Before the works described in this chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or nonstandard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.


To illustrate this multicriteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairingfriendly groups but relies on the noninteractive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$block message.


Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).


As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the reliability of the assumptions it relies on.


Before the works described in this chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or nonstandard assumptions in groups with bilinear maps~\cite{CL04, BBS04, Oka06}.


To illustrate this multicriteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairingfriendly groups but relies on the interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$block message.


Pointcheval and Sanders~\cite{PS18} improved this signature to go down to $\bigO(1)$ group elements for an $\ell$block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).




We note that beside the scheme presented in this section, we are only aware of two schemes based on fixedsize assumptions: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.


Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.


(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacyenhancing cryptography. An application of this property is, in the context of group signatures, the rerandomization of credentials accross distinct privacypreserving authentication.


We note that besides the scheme presented in this section, we are only aware of two schemes based on fixedsize assumptions: (1) A variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.


Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in primeorder groups: for equivalent security levels, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.


(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} that unfortunately does not support ``randomizable signature'', which is an important property in privacyenhancing cryptography. An application of this property is, in the context of group signatures, the rerandomization of credentials accross distinct privacypreserving authentication.




In this chapter, we describe a new signature scheme with efficient protocols and rerandomizable signatures under a simple and well studied assumption.


In this chapter, we describe a new signature scheme with efficient protocols and rerandomizable signatures under a simple and wellstudied assumption.


Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.


From an efficiency point of view, the signature for an $\ell$block message consists of only $4$ groups elements.
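Review bot: "this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message" uses an undefined $n$; the count grows with the number of blocks, so it should be $\bigO(\ell)$, written with the same `\bigO` macro the next sentence uses for $\bigO(1)$. Also in this hunk: "the groups that are used are inherently bigger and leads to" should be "lead to"; "accross" (in the Yuen et al. sentence) should be "across"; and "consists of only $4$ groups elements" should be "group elements". The "(1) ... (2) ..." enumeration is split across three sentences with an unrelated sentence about Freeman's estimate in between; an `\begin{enumerate}` or a parenthetical after item (1) would keep the two schemes together.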





@ 31,7 +31,7 @@ The signature scheme described in this chapter (\cref{scalsig}) crucially takes


This construction natively supports efficient protocols to enhance privacy as described in \cref{newproto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.




As another showcase for this signature, we also design another primitive.


Namely, a dynamic group signature scheme, as described in \cref{ch:gsbackground}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).


Namely, a dynamic group signature scheme, as described in \cref{ch:gsbackground}, which is practical and relies on simple assumptions (namely, \SXDH and \SDL).


This construction is competitive both in term of signature size and computation time with the best solutions based on noninteractive assumptions~\cite{BBS04,DP06} (in these cases, the Strong DiffieHellman assumption~\cite{BB04}).


Concretely, at the 128bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
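Review bot: "competitive both in term of signature size and computation time" should be "in terms of"; "at the 128-bits security" should be "at 128-bit security"; and "we also design another primitive. Namely, a dynamic group signature scheme, ..." leaves the second sentence without a verb, so join them: "we also design another primitive, namely a dynamic group signature scheme, as described in \cref{ch:gsbackground}, which is practical ...".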





@ 1392,7 +1392,7 @@ We stress that the proofs can be easily adapted to the case where the opening a




\subsection{Comparison with Existing Schemes}




\begin{table*}


\begin{table*}[h]


\small


\centering


\begin{tabular}{ccccccc}
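Review bot: `\begin{table*}[h]` is closed by `\end{table}` in the next hunk of this file, which is an environment mismatch LaTeX will reject ("\begin{table*} ended by \end{table}"); make the two names agree. A bare `[h]` placement is also rewritten by LaTeX to `[ht]` with the warning "`h' float specifier changed to `ht'", so write `[ht]` or `[htbp]` directly.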



@ 1468,13 +1468,13 @@ number $\Ngs$ of group users (like \cite{BCN+10}).


\label{ta:sigmasigfigures}


\end{table}




An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairingbased cryptography~\cite{AG} and is available at the following address:~\url{https://gforge.inria.fr/projects/sigmasigc/}.


An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairingbased cryptography~\cite{AG} and is available at the following \textsc{URL}:~\url{https://gforge.inria.fr/projects/sigmasigc/}.




The relic toolkit provides an implementation for pairing computations, hash functions (SHA256 in this case) and benchmarking macros.


The benchmarking was made on a singlecore of an \textit{Intel\textregistered{} Core\texttrademark{} i57500 CPU @ 3.40GHz} (Kaby Lake architecture) with 6MB of cache.


To implement pairings, the relic library implements the BarretoNaehrig~\cite{BN06} curve over a 256 bits curve.


As explained previously, since recent advances in pairingfriendly elliptic curve cryptanalysis, there is no curve anymore that shows the best timing results in every aspect.


As explained previously, since recent advances in pairingfriendly elliptic curve cryptanalysis, there is no more curve that shows the best timing results in every aspect.


Figures are available in Table~\ref{ta:sigmasigfigures}.




Unfortunately, we didn't have time to implement other protocols from~\cref{sigcomp} in order to present fair comparison.


Moreover, those schemes hardly show implementation results, and providing timing comparisons seems compromised.


%Unfortunately, we didn't have time to implement other protocols from~\cref{sigcomp} in order to present fair comparison.


%Moreover, those schemes hardly show implementation results, and providing timing comparisons seems compromised.
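Review bot: the library name is capitalised inconsistently ("Relic toolkit" in the first sentence, then "The relic toolkit" and "the relic library"); pick one form. "implements the Barreto-Naehrig curve over a 256 bits curve" should read "uses a 256-bit Barreto-Naehrig curve", and "there is no more curve that shows the best timing results in every aspect" reads better as "there is no longer a single curve that gives the best timings in every respect". The two `%`-commented sentences about the missing comparison implementation should be deleted rather than kept as dead text.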





@ 75,7 +75,7 @@ Devant le jury composé de :




%\bigskip




\textsc{Catalano} Dario, Professeur Associé, Università di Catania (Italie)\hfill Rapporteur


\textsc{Catalano} Dario, Associate Professor, Università di Catania (Italie)\hfill Rapporteur




\textsc{Pointcheval} David, Directeur de Recherche, CNRS et ENS \hfill Rapporteur
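Review bot: "Associate Professor" now sits in a jury list whose other titles and annotations are in French ("Directeur de Recherche", "Rapporteur", "(Italie)"); keep "Professeur Associé" for consistency, or translate the whole list, but not one entry.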







@ 52,6 +52,7 @@


%% Pairings


\newcommand{\DLP}{\textsf{DLP}\xspace}


\newcommand{\DDH}{\textsf{DDH}\xspace}


\newcommand{\qSDH}{\textsf{$q$SDH}\xspace}


\newcommand{\SXDH}{\textsf{SXDH}\xspace}


\newcommand{\SDL}{\textsf{SDL}\xspace}


%% Lattices
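Review bot: `\newcommand{\qSDH}{\textsf{$q$SDH}\xspace}` is used inside math mode in the new definition (`$\qSDH$`); that only works because `\textsf` falls back to a text box in math mode, and `\xspace` is inert there, so prefer using `\qSDH` in text (`(\qSDH)`) like the other `\textsf`-based acronym macros in this block.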




18
main.tex

@ 3,7 +3,7 @@


\semiisopage




%% Highlight overfull hbox


\overfullrule=1mm


%\overfullrule=1mm


%% Show labels


%\usepackage{showkeys}





@ 17,7 +17,7 @@


% Customization


\usepackage{lmodern}


\usepackage{libertine}


\usepackage{inconsolata}


\usepackage[scaled=.87]{inconsolata}


\chapterstyle{madsen}




\usepackage{subfig}
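Review bot: `\usepackage{libertine}` changes the text fonts only; the math fonts stay Computer Modern / Latin Modern unless a matching math package is loaded (for example `\usepackage[libertine]{newtxmath}`), which will be visible in a thesis this equation-heavy. If `\usepackage{lmodern}` is still in the preamble, make sure `libertine` is loaded after it so its family declarations win.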



@ 25,12 +25,20 @@


\floatstyle{boxed}


\restylefloat{figure}




\let\theoldbibliography\thebibliography


\renewcommand\thebibliography[1]{


\theoldbibliography{#1}


\setlength{\parskip}{0pt}


\setlength{\itemsep}{4pt plus 0.3ex}


\small


}




\usepackage{xcolor, graphicx}


\usepackage{multirow}


\usepackage[pagebackref]{hyperref}


\renewcommand*{\backref}[1]{}


\renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#2}


\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!green, breaklinks=true}


\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!purple, breaklinks=true}


\hypersetup{pdftitle={Privacypreserving cryptography from pairings and lattices},


pdfauthor={Fabrice Mouhartem},


pdfsubject={Cryptography}}
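Review bot: the `\renewcommand\thebibliography` hook (`\let\theoldbibliography\thebibliography` ... `\small`) must come after whatever package finally defines `thebibliography` (the class or a bibliography package loaded later), otherwise that later definition silently replaces this one and the `\parskip`, `\itemsep` and `\small` settings never apply; placing it after the last `\usepackage` line, or inside `\AtBeginDocument`, removes the ordering dependency. Separately, the `pdftitle` value reads `Privacypreserving cryptography from pairings and lattices` in this hunk; if that is how the file reads and not just how the page is displayed, the hyphen in `Privacy-preserving` is missing from the PDF metadata.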



@ 84,14 +92,14 @@


\cleardoublepage


\vspace*{\stretch{1}}


\begin{flushright}


À \ldots


%À \ldots


\end{flushright}


\vspace*{\stretch{2}}


%%%%%%%%%%%%%




\input abstract




\input acknowledgements


%\input acknowledgements




%\cleardoublepage


%\frenchtableofcontents
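Review bot: with `À \ldots` commented out, the `\cleardoublepage` / `\vspace*{\stretch{1}}` / `\begin{flushright}...\end{flushright}` / `\vspace*{\stretch{2}}` block still produces an empty dedication page; if the dedication is dropped for now, comment out or guard the whole block rather than only its content. The same applies to `%\input acknowledgements`: either the file is ready to be included next to `\input abstract`, or the commented `\input` should carry a note saying why it is disabled.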





@ 31,7 +31,7 @@


$\ZKAoK$ & ZeroKnowledge Argument of Knowledge \\


$\NIZK$ & NonInteractive ZeroKnowledge \\


$\QANIZK$ & QuasiAdaptive NonInteractive ZeroKnowledge \\


$\textsf{WI}$ & Witness indistinguishable \\


$\textsf{WI}$ & Witness Indistinguishable \\


$\textsf{GS}$ & Group Signature \\


$\GE$ & Group Encryption \\


$\OT$ & Oblivious Transfer \\
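Review bot: the capitalisation fix (`Witness Indistinguishable`) brings the entry in line with the others, but `$\textsf{WI}$` and `$\textsf{GS}$` are still written inline while the neighbouring rows use macros (`\ZKAoK`, `\NIZK`, `\QANIZK`, `\GE`, `\OT`); defining `\WI` and `\GS` alongside the other acronym macros keeps the table and the body text consistent.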




42
these.bib

@ 192,7 +192,7 @@




@InProceedings{BCKL09,


author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},


title = {Compact ECash and Simulatable VRFs Revisited},


title = {{Compact ECash and Simulatable VRFs Revisited}},


booktitle = {{Pairing}},


year = {2009},


volume = {5671},
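Review bot: double-bracing the title (`{{Compact ECash and Simulatable VRFs Revisited}}`) protects its capitalisation from the bibliography style, which is the right fix for an acronym-heavy title; apply the same treatment to the other entries whose titles contain acronyms so the rendered bibliography is consistent.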



@ 3068,4 +3068,44 @@


publisher = {Springer},


}




@InProceedings{KW18,


author = {Sam Kim and David J. Wu},


title = {{MultiTheorem Preprocessing NIZKs from Lattices}},


booktitle = {Crypto},


year = {2018},


series = {LNCS},


pages = {To appear},


publisher = {Springen},


}




@InProceedings{LSSS17,


author = {Libert, Benoît and Sakzad, Amin and Stehlé, Damien and Steinfeld, Ron},


title = {{AllButMany Lossy Trapdoor Functions and Selective Opening ChosenCiphertext Security from LWE}},


booktitle = {Crypto},


year = {2017},


series = {LNCS},


pages = {332364},


publisher = {Springer},


}




@InProceedings{LJYP14,


author = {Libert, Benoît and Joye, Marc and Yung, Moti and Peters, Thomas},


title = {{Concise Multichallenge CCASecure Encryption and Signatures with Almost Tight Security}},


booktitle = {Asiacrypt},


year = {2014},


series = {LNCS},


pages = {121},


publisher = {Springer},


}




@InProceedings{PS18,


author = {Pointcheval, David and Sanders, Olivier},


title = {{Reassessing Security of Randomizable Signatures}},


booktitle = {CTRSA},


year = {2018},


series = {LNCS},


pages = {319338},


publisher = {Springer},


}




@Comment{jabrefmeta: databaseType:bibtex;}
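Review bot: `publisher = {Springen}` in the KW18 entry is a typo for `Springer` (the three other new entries have it right). The same entry has `pages = {To appear}`, which should be replaced by the page range once the Crypto 2018 proceedings are out, and its author field `Sam Kim and David J. Wu` uses first-last order while every other entry in this hunk uses `Last, First`; BibTeX accepts both, but `Kim, Sam and Wu, David J.` is safer for name parsing and consistent with the rest of the file.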



