Add sigmasig

master
Fabrice Mouhartem 2018-04-12 18:42:39 +02:00
parent 324565e63c
commit b87c4a9de1
15 changed files with 605 additions and 128 deletions

View File

@ -1,6 +1,3 @@
\chapter{Lattice-Based Dynamic Group Signatures}
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de réseaux euclidiens}
\label{ch:gs-lwe}
% TODO: remove
\clearpage

View File

@ -11,20 +11,33 @@ This construction has been the first fully secure group signature scheme from la
Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions.
\section{State of the art of ZK proofs} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
\section{Background} \label{sse:gs-background}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique}
Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group.
On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key.
In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it.
This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang ({BSZ}) in 2005~\cite{BSZ05}.
The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}.
The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user.
One application of this primitive can be to handle anonymous access control for public transportation systems.
In order to commute, a person should prove the possession of a valid subscription to the transportation service.
Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.
In case of misbehaviour, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
Then, the public transportation company is unable to learn anything from seeing the signatures, except the validity of the subscription of a user, and on the other hand, the police does not have access to the logs except if the public transportation company hands them to it.
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group ---\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,--- we do not consider this approach.
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
This section recalls the syntax and the security definitions of dynamic group signatures based on the model of Kiayias and Yung~\cite{KY06}.
A \emph{group signature} allows a group member to
attest that a message was provided by a member of a \emph{group} without being
altered during the process and preserving the \emph{anonymity} of the users.
This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03}
in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang
({BSZ}) in 2005~\cite{BSZ05}.
%A \emph{group signature} allows a group member to attest that a message was provided by a member of a \emph{group} without being altered during the process and preserving the \emph{anonymity} of the users.
\begin{figure}
@ -155,20 +168,20 @@ provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.
%
\item If
$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$
is run by two honest parties following the protocol and
$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then
is run by two honest parties following the protocol and
$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then
we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$.
%
\item For each %revocation period $t$ and any
$\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i }
\leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have
\leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have
$ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i
},M),M,\mathcal{Y}\big)=1$.
},M),M,\mathcal{Y}\big)=1$.
%
\item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid
\item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid
$St$,
if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then
$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$
$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$
%
\end{enumerate}
%
@ -249,7 +262,7 @@ following oracles:
certificate $\crt_{i }$ and a membership secret $\scr_{i }$. If no such elements $(\crt_i,\scr_i)$ exist or if $i \not\in U^b$, the
interface returns $\bot$. Otherwise, it outputs a signature $\sigma$ on
behalf of user
$i$
$i$
and also sets $\mathsf{Sigs} \leftarrow \mathsf{Sigs} || (i,M,\sigma)$.
%
\item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid
@ -272,7 +285,7 @@ following oracles:
\end{itemize}
\noindent Based on the above syntax, the
\noindent Based on the above syntax, the
security properties are formalized as follows.
\subsection{Security Against Misidentification Attacks}
@ -300,7 +313,7 @@ security properties are formalized as follows.
In a misidentification attack, the adversary can corrupt the opening authority
using the $Q_{\mathsf{keyOA}}$ oracle and introduce
malicious users in the group via $Q_{\ajoin}$-queries.
malicious users in the group via $Q_{\ajoin}$-queries.
It aims at producing a valid signature $\sigma^\star$ that does not open to any
adversarially-controlled user.
@ -309,11 +322,11 @@ adversarially-controlled user.
A dynamic group signature scheme is secure against \emph{misidentification
attacks} if, for any $\ppt$ adversary $\adv$ involved in Experiment~$\Exp{\textrm{mis-id}}{\adv}(\lambda)$
described in Figure~\ref{exp:mis-id}, we have:
\[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq
\[\advantage{\adv}{\mathrm{mis}\textrm{-}\mathrm{id}}(\lambda) \triangleq
\Proba{\,\Exp{\mathrm{mis}\textrm{-}\mathrm{id}}{\adv}(\lambda)=1} =
\negl[\lambda].\]
\end{definition}
\subsection{Non-Frameability}
@ -334,7 +347,7 @@ adversarially-controlled user.
\pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},
\mathcal{Y},St') \not \in U^b \pcthen\\
\pcind \pcreturn 0\\
\pcif
\pcif
\bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)
\not\in \mathsf{Sigs} \pcthen \\
\pcind \pcreturn 1\\
@ -425,7 +438,7 @@ to query $Q_{\mathsf{open}}$ for $(M^\star,\sigma^\star)$.
%
A dynamic group signature scheme is fully anonymous if, for any $\ppt$ adversary
$\adv$
in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible:
in the experiment~$\Exp{\mathrm{anon}}{\adv, d}(\lambda)$ described in Figure~\ref{exp:anon}, the following distance is negligible:
\[\advantage{\adv}{\mathrm{anon}}\left( \lambda \right) \triangleq
\left| \Proba{\,\Expt_{\adv, 1}^{\mathrm{anon}}(\lambda) = 1} -\Proba{\,\Expt_{\adv, 0}^{\mathrm{anon}}(\lambda) = 1} \right|\]

View File

@ -128,24 +128,24 @@ An example of commitment scheme that will prove useful in \cref{sse:stern} is th
This construction relies on the following hash function:
\begin{definition}[$\SIS$-based hash function] \label{de:sis-hash}
Let $n,\ell,q \in \ZZ$ be parameters such that the $\SIS_{n,\ell,q, \sqrt \ell}$ assumption holds.
Let $\mathbf A \in \Zq^{n \times \ell}$, and let $f_{\mathbf A}: \bit^\ell \to \Zq^n$ be the function that maps its input string $x$ into a binary vector $\mathbf x \in \Zq^n$ and outputs $\mathbf A \mathbf x \bmod q \in \Zq^n$.
Let $\mathbf{A} \in \Zq^{n \times \ell}$, and let $f_{\mathbf{A}}: \bit^\ell \to \Zq^n$ be the function that maps its input string $x$ into a binary vector $\mathbf{x} \in \Zq^n$ and outputs $\mathbf{A} \mathbf{x} \bmod q \in \Zq^n$.
One can notice that $f_{\mathbf A}$ is indeed a collision resistant one-way function under the $\SIS$ assumption, as finding two inputs $x \neq \tilde{x}$ such that $\mathbf A \cdot \mathbf x = \mathbf A \cdot \tilde{\mathbf x} \bmod q$ leads to a non-zero vector $\mathbf x' =\mathbf x - \tilde{\mathbf x} \in \ZZ$ such that $\|\mathbf x'\|_2 \leq \sqrt \ell$.
One can notice that $f_{\mathbf{A}}$ is indeed a collision resistant one-way function under the $\SIS$ assumption, as finding two inputs $x \neq \tilde{x}$ such that $\mathbf{A} \cdot \mathbf{x} = \mathbf{A} \cdot \tilde{\mathbf{x}} \bmod q$ leads to a non-zero vector $\mathbf{x}' =\mathbf{x} - \tilde{\mathbf{x}} \in \ZZ$ such that $\|\mathbf{x}'\|_2 \leq \sqrt \ell$.
It is thus possible to apply the \textit{Merkle-Damg{\aa}rd construction}~\cite{Mer79,Mer89,Dam89} on $f_{\mathbf A}$ to obtain a \textit{collision resistant hash function} $h_{\mathbf A}: \bit^\star \to \Zq^n$ that is secure under $\SIS_{n,\ell, q, \sqrt \ell}$.
It is thus possible to apply the \textit{Merkle-Damg{\aa}rd construction}~\cite{Mer79,Mer89,Dam89} on $f_{\mathbf{A}}$ to obtain a \textit{collision resistant hash function} $h_{\mathbf{A}}: \bit^\star \to \Zq^n$ that is secure under $\SIS_{n,\ell, q, \sqrt \ell}$.
\end{definition}
It is then possible to use this hash function $h_{\mathbf A}$ to construct the following string commitment scheme.
It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the following string commitment scheme.
\begin{definition}[\SIS-based commitment scheme] \label{de:sis-commitment}
Given parameters $n,m,q \in \ZZ$, let us define the following commitment scheme due to~\cite{KTX08}.
\begin{description}
\item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf A_M, \mathbf A_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf A = [ \mathbf A_M \mid \mathbf A_\rho]$.
\item[$\textsf{Commit}(\mathbf A, M; \rho)$:] To commit to a string $M \in \{0,1\}^\star$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf A \in \Zq^{n \times 2m}$ as $[\mathbf A_M \mid \mathbf A_\rho]$ as in the \textsf{\textbf{Setup}} algorithm,
then compute $\com = h_{\mathbf A_M}(M) + f_{\mathbf A_\rho}(\rho) \in \Zq^n$,
where $h_{\mathbf A_M}$ and $f_{\mathbf A_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}.
\item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf{A}_M, \mathbf{A}_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf{A} = [ \mathbf{A}_M \mid \mathbf{A}_\rho]$.
\item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in \{0,1\}^\star$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf{A} \in \Zq^{n \times 2m}$ as $[\mathbf{A}_M \mid \mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm,
then compute $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho) \in \Zq^n$,
where $h_{\mathbf{A}_M}$ and $f_{\mathbf{A}_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}.
The opening corresponds to the randomness $\rho$ used in the computation.
\item[$\textsf{Verify}(\mathbf A, \com, \open, M)$:] First parse $\mathbf A$ as in the \textsf{\textbf{Setup}} algorithm. Then accept if and only if $\open \in \bit^m$ and $\com = h_{\mathbf A_M}(M) + f_{\mathbf A_\rho}(\rho)$.
\item[$\textsf{Verify}(\mathbf{A}, \com, \open, M)$:] First parse $\mathbf{A}$ as in the \textsf{\textbf{Setup}} algorithm. Then accept if and only if $\open \in \bit^m$ and $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho)$.
\end{description}
\end{definition}
@ -231,29 +231,29 @@ In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commi
Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}.
This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}.
In this description $D_y$ and $D_c$ are the distributions from which $\mathbf y_1, \mathbf y_2$ and $\mathbf c$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf z_1, \mathbf z_2$ in order not to leak informations about $\mathbf s_1, \mathbf s_2$.
The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf z_1, \mathbf z_2$ will not leak any information about $\mathbf s_1, \mathbf s_2$ to V.
In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.
The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.
This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.
\begin{figure}
\textbf{Common input:} A public element $\mathbf a \in R$ where $R = \ZZ_p[\mathbf x]/\langle \mathbf x^n + 1 \rangle$.
\textbf{Common input:} A public element $\mathbf{a} \in R$ where $R = \ZZ_p[\mathbf{x}]/\langle \mathbf{x}^n + 1 \rangle$.
\bigskip
\centering
\procedure{Schnorr's Protocol for Ring-SIS}{%
P(\mathbf t = \mathbf a \cdot \mathbf s_1 + \mathbf s_2, (\mathbf s_1, \mathbf s_2)) \> \> V(\mathbf t) \\
\mathbf y_1, \mathbf y_2 \sample D_y \in R \> \> \\
\mathbf w = \mathbf a \cdot \mathbf y_1 + \mathbf y_2 \in R \\
\> \sendmessageright*{\mathbf w} \> \\
\> \> \mathbf c \sample D_c \in R \mbox{ (small)} \\
\> \sendmessageleft*{\mathbf c} \> \\
\mathbf z_1 \gets \mathbf s_1 \mathbf c + \mathbf y_1 \in R\\
\mathbf z_2 \gets \mathbf s_2 \mathbf c + \mathbf y_2 \in R\\{}
[\pcif \mathbf z_1, \mathbf z_2 \notin G^2 \pcthen\\
\pcind \mathbf z_1, \mathbf z_2 \gets \bot, \bot ]\\
\> \sendmessageright*{\mathbf z_1, \mathbf z_2} \> \\
\> \> \pcif \mathbf z_1 \in G \wedge \mathbf z_2 \in G \wedge\\
\>\> \pcind \mathbf a \cdot \mathbf z_1 + \mathbf z_2 = \mathbf t \mathbf c + \mathbf w \pcthen\\
P(\mathbf{t} = \mathbf{a} \cdot \mathbf{s}_1 + \mathbf{s}_2, (\mathbf{s}_1, \mathbf{s}_2)) \> \> V(\mathbf{t}) \\
\mathbf{y}_1, \mathbf{y}_2 \sample D_y \in R \> \> \\
\mathbf{w} = \mathbf{a} \cdot \mathbf{y}_1 + \mathbf{y}_2 \in R \\
\> \sendmessageright*{\mathbf{w}} \> \\
\> \> \mathbf{c} \sample D_c \in R \mbox{ (small)} \\
\> \sendmessageleft*{\mathbf{c}} \> \\
\mathbf{z}_1 \gets \mathbf{s}_1 \mathbf{c} + \mathbf{y}_1 \in R\\
\mathbf{z}_2 \gets \mathbf{s}_2 \mathbf{c} + \mathbf{y}_2 \in R\\{}
[\pcif \mathbf{z}_1, \mathbf{z}_2 \notin G^2 \pcthen\\
\pcind \mathbf{z}_1, \mathbf{z}_2 \gets \bot, \bot ]\\
\> \sendmessageright*{\mathbf{z}_1, \mathbf{z}_2} \> \\
\> \> \pcif \mathbf{z}_1 \in G \wedge \mathbf{z}_2 \in G \wedge\\
\>\> \pcind \mathbf{a} \cdot \mathbf{z}_1 + \mathbf{z}_2 = \mathbf{t} \mathbf{c} + \mathbf{w} \pcthen\\
\>\> \pcind \pcreturn 1\\
\>\> \pcelse \\
\>\> \pcind \pcreturn 0

View File

@ -233,7 +233,7 @@ Two examples of security game are given in Figure~\ref{fig:sec-game-examples}: t
\caption{Some security games examples} \label{fig:sec-game-examples}
\end{figure}
\index{Reduction!Advantage}
\index{Reduction!Advantage} \index{Encryption!IND-CPA}
The \indcpa{} game is an \emph{indistinguishability} game. Meaning that the goal for the adversary $\mathcal A$ against this game is to distinguish between two messages from different distributions.
To model this, for any adversary $\adv$, we define a notion of \emph{advantage} for the $\indcpa$ game as
\[
@ -255,6 +255,7 @@ The goal of the adversary is not to distinguish between two distributions, but t
Those signature queries are provided by an oracle \oracle{sign}{sk,\cdot}, which on input $m$ returns the signature $\sigma = \Sigma.\mathsf{sign}(sk, m)$ and add $\sigma$ to $\ensemble{sign}$. The initialization of these sets and the behaviour of oracle may be omitted in the rest of this thesis for the sake of readability.
\index{Signatures!EU-CMA}
For EU-CMA, the advantage of an adversary $\adv$ is defined as
\[
\advantage{\textrm{EU-CMA}}{\adv}(\lambda)

View File

@ -1,4 +1,4 @@
\chapter*{List of Publications}
\chapter*[Publication List]{List of Publications}
\addcontentsline{toc}{chapter}{List of publications}
\addcontentsline{tof}{chapter}{Liste des publications}
@ -30,4 +30,3 @@
Available at \url{https://hal.inria.fr/hal-01622197v1/}.\\
\doi{10.1007/978-3-319-70694-8_19}.
\end{description}

View File

@ -2,5 +2,451 @@
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
\label{ch:sigmasig}
This section present the result of~\cite{LMPY16}
%-----------------------------------------------------------------------
\section{Building blocks}
We use bilinear maps $e:\GG \times \Gh \to \GT$ over
groups of prime order $p$ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref{se:pairings}. All these definitions are recalled below.
\defPairings*
\defSXDH*
\defSDL*
\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Briques de base}
\subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk}
\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Argument NIZK quasi-adaptatif pour un sous-espace linéaire}
Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS)
may depend on the language for which proofs have to be generated.
Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}.
This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix.
In the description below, we assume that all
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric
bilinear groups $(\GG,\Gh,\GG_T,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
In this setting the problem is to convince that $\boldsymbol v$ is a linear combination of the rows of a given
$\mathbf{M}\in\GG^{t\times n}$.
Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH.
We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$.
\begin{description}
\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:]
Given public parameters $\mathsf{cp}=(\GG,\Gh,\GG_T,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$.
Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$
and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$.
Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and
output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big)
\in \GG^t\times\Gh^{n+1}$.
\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol v}, \{\omega_i\}_{i=1}^t)$:]
To prove that ${\boldsymbol v}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$,
for some witness $\omega_1,\ldots,\omega_t \in \Zp$,
where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$,
parse $\mathsf{crs}$ as above
and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$.
\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol v})$:]
In order to simulate a proof for a vector ${\boldsymbol v} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $,
output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $.
\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol v}, \pi)$:]
Given $\pi \in \GG$ and ${\boldsymbol v}=(v_1,\dotsc,v_n)$,
return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies
$ 1_{\GG_T} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
\end{description}
The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable.
This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.
This requirement is compatible with our security proofs.
\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
Moreover, we show that their scheme remains unforgeable under the SXDH assumption.
\begin{description}
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$.
\end{description}
\begin{enumerate}
\item Choose $\omega,a \sample \Zp$,
and set $h=g^a$,
$\Omega=h^{\omega}$.
\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$.
\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$
\begin{equation}\label{matrix-scal-sig}
\mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} =
\setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3}
\left(\begin{array}{c|c|c|c}
g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline
\vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}}
& \mathbf{1}_{{}_{\ell+1}}^\top
\end{array}\right) ,
\end{equation}
where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk}
to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$.
\bigskip
\item[]
The private key is $ \mathsf{sk}:=\omega $ and the public key is
\begin{align*}
\mathsf{pk}=\Bigl(
\mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w)
,~\Omega=h^\omega,~\mathsf{crs}
\Bigr).
\end{align*}
\end{enumerate}
\begin{description}
\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given
the private key $\mathsf{sk}=\omega$ and a message
$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute
\begin{align*}
\sigma_1 &
= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
\sigma_2 & = g^{s}, & \sigma_3 & = h^{s} .
\end{align*}
Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that
the following vector of $\GG^{2\ell+4}$
\begin{align} \label{eq:vector}
(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,
\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)
\end{align}
is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
z_{\ell+2})^{s}.$
Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.
\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$]
parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$
if and only if
\begin{align} \label{sig-ver-1}
e(\Omega,\hat{g}_{2\ell+4})^{-1} =
&~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber
&~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) \\ \nonumber
&~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) .
\end{align}
\end{description}
The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$
while the verification equation only involves a computation of 5 pairings.
\begin{theorem} \label{th:eu-cma-1}
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GG_T)$.
\end{theorem}
\begin{proof}
We will proceed as in~\cite{LPY15} to prove that the scheme of
section~\ref{scal-sig} is secure under chosen-message attacks. Namely we will consider a sequence of hybrid games involving two
kinds of signatures. \vspace{-0.1 cm}
\begin{description}
\item[Type A signatures:] These are real signatures:
\begin{equation} \label{eq:rel-sig-A}
\begin{aligned}
\sigma_1 &= g^\omega \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, &
\sigma_2 &= g^s, \\
\pi &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
z_{\ell+2})^{s} ,&
\sigma_3 &= h^s.
\end{aligned}
\end{equation}
Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$
is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as
\begin{equation}
\label{eq:rel-sim-A}
\begin{aligned}
\pi &= \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad &
\left( \prod_{i=\ell + 3}^{2 \ell + 2} \sigma_3^{-\chi_i m_{i - \ell - 2}} \right) \cdot
\sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} .
\end{aligned}
\end{equation}
\end{description} \smallskip
\noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no
restriction is given on $\pi$ beyond the fact that it should be a valid
homomorphic signature on vector~\eqref{eq:vector}.
\smallskip
\begin{description}
\item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and
compute:
\begin{equation*}
\begin{gathered}
(\sigma_1,\sigma_2,\sigma_3) =( g^{\omega'} \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, ~ g^s, ~ h^{s+s_1}),
\end{gathered}
\label{eq:rel-sig-B}
\end{equation*}
The QA-NIZK proof $\pi$ is
computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$.
\end{description}
\smallskip
We consider a sequence of games.
In Game $i$, $S_i$ denotes the event that $\adv$
produces a valid signature $\sigma^\star$ on $M^\star$ such that
$(M^\star, \sigma^\star)$ was not queried before, and by $E_i$ the event that
$\adv$ produces a Type $\mathrm{A}'$ signature.
\begin{description}
\item[Game 0:] This is the real game. The challenger $\bdv$ produces
a key pair $(\mathsf{sk}, \mathsf{pk})$ and sends $\mathsf{pk}$ to $\adv$. Then $\adv$
makes $Q$ signature queries: $\adv$ sends messages $M_i$ to $\bdv$, and $\bdv$
answers by sending $\sigma_i = \Sign(\mathsf{sk}, M_i)$ to $\adv$. Finally $\adv$
sends a pair $(M^\star, \sigma^\star) \notin \{ (M_i, \sigma_i) \}_{i=1}^Q$
and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.
\item[Game 1:] We change the way $\bdv$ answers signing queries.
The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs
using $\mathsf{tk}$
as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated
proofs for true statements, and then their distribution remains unchanged.
We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge
\neg E_1]$.
Lemma~\ref{le:type-a-sig} states
that the event $S_1 \wedge
\neg E_1$ happens with all but negligible probability: $\Pr[S_1 \wedge
\neg E_1] \leq \advantage{\DDH}{\Gh}(\lambda) - 1/p$. Thus our task is now
to upper-bound the probability $\Pr[S_1 \wedge E_1]$.
\item[Game 2.$\boldsymbol{k~(0 \leq k \leq Q)}$:] In Game $2.k$, the
challenger returns a Type B signature for the first $k$ queries. At the
last $Q - k$ signature queries, the challenger answers a type $A$
signature. \cref{le:type-b-sig} ensures that
\[\left| \Pr\Bigl[S_{2.k} \wedge E_{2.k}\Bigr] - \Pr\Bigl[S_{2.(k-1)} \wedge E_{2.(k-1)}\Bigr] \right|\]
is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.
\end{description}
In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$
forgery even if it only obtains type B signatures during the game.
Nevertheless, lemma~\ref{le:final-forgery} shows
that a type $\mathrm{A}'$ forgery in Game
$2.Q$ contradicts the DDH assumptions in $\GG$. Therefore we have
$\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by
\begin{multline*}
\advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\
< (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right).
\end{multline*}
\end{proof}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{lemma} \label{le:type-a-sig}
In \textbf{Game 1}, if the DDH assumption holds in $\Gh$, $\adv$ can only output a type $A'$
forgery.
\end{lemma}
\begin{proof}
Let $\adv$ be an attacker that does not
output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the
Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing
problem that reduces from DDH as explained in~\cite{LPJY13}.
Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as
\[
\ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega)
\in \GG^{2\ell + 4}.
\]
If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row
space of $\mathbf{M}$.
Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\hat\GG,\GG_T,p)$, a matrix ${\mathbf{M}}$ as in
(\ref{matrix-scal-sig}) and a common
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.
Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
\begin{align*}
\mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr).
\end{align*}
Since $\bdv$ knows the secret key $\omega \in \Zp$, it can answer all signing queries by honestly
running the $\Sign$ algorithm, in particular, it does not need to know $\mathsf{tk}$ to do this.
When $\adv$ halts, it outputs $(M^\star, \sigma^\star)$ where $\sigma^\star$ is not a Type $\mathrm{A}'$ forgery, so that $\ssigma$ is not in the row space of $\mathbf{M}$.
Therefore, outputting $\pi^\star$ constitutes a valid proof against the soundness property of the
scheme, and thus implies an algorithm against DDH as in~\cite{KW15} since the matrix can be
witness-samplable.
\end{proof}
\begin{lemma} \label{le:type-b-sig}
If DDH holds in $\GG$, for each $k \in
\{1,\ldots, Q \}$, $\adv$ produces a type $A'$ forgery with negligibly different probabilities in \textbf{Game $\boldsymbol{2.k}$} and \textbf{Game $\boldsymbol{2.(k-1)}$}.
\end{lemma}
%
\begin{proof}
Let us assume there exists an index $k \in \{1, \ldots, Q\}$ and an adversary $\adv$ that outputs a
Type $\mathrm{A}'$ forgery with smaller probability in Game $2.k$ than in Game
$2.(k-1)$. We build a DDH distinguisher $\bdv$. \medskip
\\
Algorithm $\bdv$ takes in $(g^a, g^b, \eta) \in \GG^3$, where $\eta =
g^{a(b+c)}$, and decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It
picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \Zp$
and sets $\Omega = h^\omega$ as well as:
\[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \]
% in order to have the discrete logs of $v_i$ and $w$. \medskip
% \\
The reduction $\bdv$ also chooses $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ and
computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{2\ell+4}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$
as in steps 3-4 of \textsf{Keygen}. It then outputs $\mathsf{pk}=(g,h,\hat g, \vec{v}, \omega,\mathsf{crs})$.
\smallskip
Then, queries are answered depending on their index~$j$:\\
\textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,
\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator
to computes $\pi$.
\noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows
and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs.
\noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$
depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,
and
$ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $
Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.
\smallskip
If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is
a Type A signature with $s=b$. If $\eta = g^{a(b+c)}$ for some $c
\in_R \Zp$, we have:
\begin{align*}
\sigma_1 & = g^\omega g^{ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b\\
& = g^{\omega'} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b \\
\sigma_2 &= g^b, \qquad \qquad \qquad \qquad \qquad
\sigma_3 = h^{b+c}
\end{align*}
Where $\omega' = \omega + ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)$. Since the term $b_w +
\sum_{i=1}^\ell b_{v_i}m_i$ is uniform and independent of $\adv$'s view, $\sigma$ is
distributed as a Type B signature if $\eta = g^{a(b+c)}$.
When $\adv$ terminates, it outputs a couple $(m_1^\star\cdots m_\ell^\star, \sigma^\star)$ that has not been queried
during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a
Type $\mathrm{A}'$ forgery or not. To this end, it tests if the equality:
\begin{equation} \label{eq:verif-proof}
\sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star}
\end{equation}
is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta = g^{ab}$. Otherwise it outputs
$0$ and rather bets that $\eta \in_R \GG$.
To see why this test allows recognizing Type $\mathrm{A}'$ forgeries,
we remark that $\sigma^\star$ is of the form:
\begin{align*}
\sigma^\star_2 & = g^s , &
\sigma^\star_3 & = h^{s + s_1} , &
\sigma^\star_1 & = g^{\omega + s_0} (v_1^{m^\star_1} \cdots v_\ell^{m^\star_\ell} w)^s ,
\end{align*}
and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that
$s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell b_{v_i} \cdot m_i^\star)$ if the forgery fulfills
relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$
meaning that Type $\mathrm{B}$ forgery passes the test with the same probability.
%\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if
%$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then
%have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell
%b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with
%probability $1/p$.
From the entire game, and assuming a forgery which passes the test, we have the following linear system:
%On the other hand, the information that $\adv$ can infer about
%$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
%during the game amounts to the first
%$\ell + 2$ rows of the right-hand-side member in the following linear system:
\[
\left(
\bgroup
\def\arraystretch{1.5}
\begin{array}{c|c}
\mathbf{I}_{\ell+1} & a \cdot \mathbf{I}_{\ell + 1}\\ \hline
\boldsymbol{0}_{\ell + 1}^{\top} & ac \cdot( m_1 | \cdots | m_\ell | 1) \\ \hline
\boldsymbol{0}_{\ell + 1}^{\top} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1)
\end{array}
\egroup
\right) \cdot
% \begin{pmatrix}
% 1 & & & a & & \\
% & \ddots & & & \ddots & \\
% & & 1 & & & & a \\
% & & & a c \cdot m_1 & \cdots & a c \cdot m_\ell & ac \\
% & & & a c \cdot m_1^\star & \cdots & a c \cdot m_\ell^\star & ac
% \end{pmatrix} \cdot
\begin{pmatrix}
a_{v_1} \\ \vdots \\ a_{v_\ell} \\ a_w\\
b_{v_1} \\ \vdots \\ b_{v_\ell} \\ b_w
\end{pmatrix}
=
\begin{pmatrix}
\log_g(v_1) \\ \vdots \\ \log_g(v_\ell) \\ \log_g(w) \\
\omega' - \omega \\ s_0
\end{pmatrix}
\]
where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$
is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when
$c=0$ since then $\omega' = \omega$. However, even if $c\neq 0$ the information that $\adv$ can infer about
$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that
this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension
at least one (actually $\ell=(2\ell+2) -(\ell+2)$). Finally, as long as $s_1\neq 0$, the right value $s_0$
can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others
as soon as $(m_1, \ldots, m_\ell) \neq (m^\star_1, \ldots, m^\star_\ell) \neq 0$.
To conclude the proof, since $\bdv$ is able the tell apart the type of the forgery, if $\adv$'s probability to
output a forgery of some Type in Game $k-1$ (\textit{i.e.}, $c=0$) was significantly different than in Game $k$
(\textit{i.e.}, $c\neq0$) then $B$ would be able to solve the DDH problem with non-negligible advantage.
\end{proof}
\begin{lemma} \label{le:final-forgery}
In \textbf{Game $\boldsymbol{2.Q}$}, a PPT adversary outputting a type $A'$ forgery would contradict
the DDH assumption in $\GG$:
$ \Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda).$
\end{lemma}
\begin{proof}
We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at
least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega =
h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g
\sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes
$ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates
$\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$,
$\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$
as in step 3-4 of the key generation algorithm, then sends the public key
$ pk = \bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, \mathsf{crs}\bigr) $ to $\adv$.
%\begin{multline*}
% pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega,
% \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr)
%\end{multline*}
\noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle
signing queries. We recall that during the game, signing queries are answered by returning a
Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the
$\omega = \log_h(\Omega)$ which is part of the CDH challenge.
The results of Lemma~\ref{le:type-b-sig} implies that even if $\adv$ only obtains Type B signatures,
it will necessarily output a Type $\mathrm{A}'$ forgery
$\sigma^\star = (\sigma^\star_1, \sigma^\star_2, \sigma^\star_3, \pi^\star)$
unless the DDH assumption does not hold in $\GG$.
This event thus allows $\bdv$ to compute
\[g^\omega = \sigma_1^\star \cdot {\sigma_2^\star}^{-a_w - \sum_{i=1}^\ell a_{v_i} m_i^\star}_{},\]
which contradicts the DDH assumption in $\GG$.
\end{proof}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

View File

@ -18,7 +18,7 @@ In this chapter, we describe the different structures on which the cryptography
\section{Pairing-Based Cryptography}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Cryptographie à base de couplage}
\label{se:pairing}
\label{se:pairings}
\input sec-pairings

View File

@ -11,9 +11,9 @@
\draw[matA, xshift=-2cm, yshift=.5cm] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
\node at (-.2, .75) {$,$};
\draw[matA] (0,0) rectangle node {$\mathbf{A}^T_{}$} (1,1.5);
\draw[|-|, vecS] (1.2, 1.5) -- node[right] {$\mathbf s$} ++(0, -1);
\draw[|-|, vecS] (1.2, 1.5) -- node[right] {$\mathbf{s}$} ++(0, -1);
\node at (1.8, .75) {$+$};
\draw[|-|, vecE] (2.1, 1.5) -- node[right] {$\mathbf e$} ++ (0, -1.5);
\draw[|-|, vecE] (2.1, 1.5) -- node[right] {$\mathbf{e}$} ++ (0, -1.5);
\end{tikzpicture}
\right)$\\[.5em]
$\in \Zq^{n \times m} \times \Zq^{m}$,
@ -22,15 +22,15 @@
\begin{minipage}[t]{.4\textwidth}
\textbf{$\SIS_{n,m,q,\beta}$ problem:}\\Given\\[.5em]
$\tikz[baseline=.3cm]{ \draw[fill=blue!10] (0,0) rectangle node {$\mathbf{A}$} (1.5,1); } \in \Zq^{n \times m},$
find $\textcolor{red!70!black}{\mathbf x} \in \ZZ^m_{}$ such that\\[.5em]
find $\textcolor{red!70!black}{\mathbf{x}} \in \ZZ^m_{}$ such that\\[.5em]
$\begin{tikzpicture}[baseline=.25cm]
\tikzstyle{matA}=[fill=blue!10]
\tikzstyle{vecX}=[color=red!70!black]
\draw[matA] (0,0) rectangle node {$\mathbf{A}$} (1.5,1);
\draw[|-|, vecX] (1.7, 1) -- node[right] {$\mathbf x$} ++ (0, -1.5);
\draw[|-|, vecX] (1.7, 1) -- node[right] {$\mathbf{x}$} ++ (0, -1.5);
\node at (2.4, .25) {$=$};
\draw[|-|] (2.8, 1) -- node[right] {$\mathbf 0^n$} ++ (0, -1);
\end{tikzpicture},$ and\\$0< \|\textcolor{red!70!black}{\mathbf x}\| \leq \beta$.
\end{tikzpicture},$ and\\$0< \|\textcolor{red!70!black}{\mathbf{x}}\| \leq \beta$.
\end{minipage}
\hfill
\medskip

View File

@ -1,7 +1,7 @@
\makeatletter
\newcommand\frenchtableofcontents{%
\selectlanguage{french}%
\chapter*{\contentsname
\chapter*[\contentsname]{\contentsname
\@mkboth{%
\MakeUppercase\contentsname}{\MakeUppercase\contentsname}}%
\@starttoc{tof}%

View File

@ -14,6 +14,7 @@
\newcommand{\redto}{\ensuremath{\preceq_P}}
%% Primitives
\newcommand{\ZK}{\textsf{ZK}\xspace}
\newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace}
\newcommand{\NIZK}{\textsf{NIZK}\xspace}
\newcommand{\PKE}{\textsf{PKE}\xspace}
\newcommand{\OT}{\textsf{OT}\xspace}
@ -105,6 +106,7 @@
\newcommand{\bjoin}{\mathsf{b}\textrm{-}\mathsf{join}}
\newcommand{\pjoin}{\mathsf{p}\textrm{-}\mathsf{join}}
\newcommand{\interface}{\mathcal{I}}
\newcommand{\ssigma}{\boldsymbol{\sigma}\xspace}
% Other
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}}

View File

@ -76,6 +76,7 @@
À \ldots
\end{flushright}
\vspace*{\stretch{2}}
%%%%%%%%%%%%%
\input abstract
@ -86,12 +87,15 @@
\cleardoublepage
\tableofcontents
\cleardoublepage
\input symbols
\mainmatter
\pagestyle{ruled}
\input chap-introduction
\cleardoublepage
{\let\newpage\relax
\part{Background}
\label{pa:background}
@ -104,6 +108,7 @@
\input chap-ZK
\cleardoublepage
{\let\newpage\relax
\part{Group Signatures and Anonymous Credentials}
\label{pa:gs-ac}
@ -116,6 +121,7 @@
\input chap-GS-LWE
\cleardoublepage
{\let\newpage\relax
\part{Group Encryption and Adaptive Oblivious Transfer}
\label{pa:ge-ot}

View File

@ -67,13 +67,13 @@ In order to define the $\SIVP$ problem and assumption, let us first define the s
\begin{definition}[Successive minima] \label{de:lattice-lambda}
For a lattice $\Lambda$ of dimension $n$, let us define for $i \in \{1,\ldots,n\}$ the $i$-th successive minimum as
\[ \lambda_i(\Lambda) = \inf \bigl\{ r \mid \dim \left( \Span\left(\lambda \cap \mathcal B\left(\mathbf 0, r \right) \right) \right) \geq i \bigr\}, \]
where $\mathcal B(\mathbf c, r)$ denotes the ball of radius $r$ centered in $\mathbf c$.
where $\mathcal B(\mathbf{c}, r)$ denotes the ball of radius $r$ centered in $\mathbf{c}$.
\end{definition}
This leads us to the $\SIVP$ problem, which is finding a set of sufficiently short linearly independent vectors given a lattice basis.
\begin{definition}[$\SIVP$] \label{de:sivp}
For a dimension $n$ lattice described by a basis $\mathbf B \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf B)$.
For a dimension $n$ lattice described by a basis $\mathbf{B} \in \RR^{n \times m}$, and a parameter $\gamma > 0$, the shortest independent vectors problem is to find $n$ linearly independent vectors $v_1, \ldots, v_n$ such that $\| v_1 \| \leq \| v_2 \| \leq \ldots \leq \| v_n \|$ and $\|v_n\| \leq \gamma \cdot \lambda_n(\mathbf{B})$.
\end{definition}
As explained before, the hardness of this assumption for worst-case lattices implies the hardness of the following two assumptions in their average-case setting, which are illustrated in Figure~\ref{fig:lwe-sis}.
@ -84,7 +84,7 @@ In other words, it means that no polynomial time algorithms can solve those prob
Let~$m,q,\beta$ be functions of~$n \in \mathbb{N}$.
The \textit{Short Integer Solution} problem $\SIS_{n,m,q,\beta}$ is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$, find~$\mathbf{x} \in \Lambda_q^{\perp}(\mathbf{A})$ with~$0 < \|\mathbf{x}\| \leq \beta$.
The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$ and $\mathbf u \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf u}(\mathbf A)$ with~$0 < \| \mathbf x \| \leq \beta$.
The \textit{Inhomogeneous Short Integer Solution}~$\ISIS_{n,m,q,\beta}$ problem is, given~$\mathbf{A} \sample \U(\Zq^{n \times m})$ and $\mathbf{u} \in \Zq^n$, find~$\mathbf{x} \in \Lambda_q^{\mathbf{u}}(\mathbf{A})$ with~$0 < \| \mathbf{x} \| \leq \beta$.
\end{definition}
Evidences of the hardness of the $\SIS$ and $\ISIS$ assumptions are given by the following Lemma, which reduced these problems from $\SIVP$.
@ -168,10 +168,10 @@ We also make use of an algorithm that extends a trapdoor for~$\mathbf{A} \in \ZZ
In some of our security proofs, analogously to \cite{Boy10,BHJ+15} we also use a technique due to Agrawal, Boneh and Boyen~\cite{ABB10} that implements an all-but-one trapdoor mechanism (akin to the one of Boneh and Boyen \cite{BB04}) in the lattice setting.
\begin{lemma}[{\cite[Th.~19]{ABB10}}]\label{lem:sampler}
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf A, \mathbf C \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf R \in \ZZ^{m \times m}$,
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf u \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf A ~ &~ \mathbf A
\cdot \mathbf R + \mathbf C \end{array} \right]\cdot \mathbf b = \mathbf u \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
lattice $\Lambda^\mathbf{u}_q \left( \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \right)$.
%$\{ \mathbf x \in \ZZ^{2 m} : \left[ \begin{array}{c|c} \mathbf A ~&~ \mathbf A \cdot \mathbf R + \mathbf C \end{array} \right] \cdot \mathbf x = \mathbf u \bmod q \}$.
There exists a $\ppt$ algorithm $\SampleR$ that takes as inputs matrices $\mathbf{A}, \mathbf{C} \in \ZZ_q^{n \times m}$, a low-norm matrix $\mathbf{R} \in \ZZ^{m \times m}$,
a short basis $\mathbf{T_C} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$, a vector $\mathbf{u} \in \ZZ_q^{n}$ and a rational $\sigma$ such that $\sigma \geq \|
\widetilde{\mathbf{T_C}}\| \cdot \Omega(\sqrt{\log n})$, and outputs a short vector $\mathbf{b} \in \ZZ^{2m}$ such that $\left[ \begin{array}{c|c} \mathbf{A} ~ &~ \mathbf{A}
\cdot \mathbf{R} + \mathbf{C} \end{array} \right]\cdot \mathbf{b} = \mathbf{u} \bmod q$ and with distribution statistically close to $D_{L,\sigma}$ where $L$ denotes the shifted
lattice $\Lambda^\mathbf{u}_q \left( \left[ \begin{array}{c|c} \mathbf{A} ~&~ \mathbf{A} \cdot \mathbf{R} + \mathbf{C} \end{array} \right] \right)$.
%$\{ \mathbf{x} \in \ZZ^{2 m} : \left[ \begin{array}{c|c} \mathbf{A} ~&~ \mathbf{A} \cdot \mathbf{R} + \mathbf{C} \end{array} \right] \cdot \mathbf{x} = \mathbf{u} \bmod q \}$.
\end{lemma}

View File

@ -11,14 +11,14 @@ In the following, we rely on the black-box definition of cryptographic pairings
%\subsection{Bilinear maps}
\begin{definition}[Pairings~\cite{BSS05}] \label{de:pairings} \index{Pairings}
\begin{restatable}[Pairings~\cite{BSS05}]{definition}{defPairings} \label{de:pairings} \index{Pairings}
A pairing is a map $e: \GG \times \Gh \to \GT$ over cyclic groups of order $p$ that verifies the following properties for any $g \in \GG, \hat{g} \in \Gh$:
\begin{enumerate}[\quad (i)]
\item bilinearity: for any $a, b \in \Zp$, we have $e(g^a, \hat{g}^b) = e(g^b, \hat{g}^a) = e(g, \hat{g})^{ab}$.
\item non-degeneracy: $e(g,\hat{g}) = 1_{\GT} \iff g = 1_{\GG}$ or $\hat{g} = 1_{\Gh}$.
\item the map is computable in polynomial time in the size of the input.
\end{enumerate}
\end{definition}
\end{restatable}
For cryptographic purpose, pairings are usually defined over elliptic curves, hence $\GT$ is a multiplicative subgroup of the multiplicative group of a finite field.
@ -29,9 +29,9 @@ described in \cref{de:DDH} and recalled here.
This hypothesis, from which the Diffie-Hellman key exchange relies its security on, is then used to defined the $\SXDH$ assumption.
\begin{definition}[{$\SXDH$~\cite[As.~1]{BGdMM05}}] \index{Pairings!SXDH} \label{de:SXDH}
\begin{restatable}[{$\SXDH$~\cite[As.~1]{BGdMM05}}]{definition}{defSXDH} \index{Pairings!SXDH} \label{de:SXDH}
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
\end{definition}
\end{restatable}
In \cref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.
@ -41,12 +41,12 @@ For instance, Cheon gave an attack against $q$-Strong Diffie-Hellmann problem fo
In the aforementioned chapter, we also rely on the following assumption, which generalizes the Discrete Logarithm problem to asymmetric groups.
\begin{definition}[$\SDL$]
\begin{restatable}[$\SDL$]{definition}{defSDL}
\label{de:SDL} \index{Pairings!SDL}
In bilinear groups $\bigl(\GG,\Gh,\GT^{}\bigr)$ of prime order $p$, the \emph {Symmetric Discrete Logarithm} ($\SDL$) problem consists in, given
$\bigl(g,\hat{g},g^a_{},\hat{g}^a_{}\bigr) \in \bigl(\GG \times \Gh\bigr)^2_{}$
where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.
\end{definition}
\end{restatable}
This assumption is still a static and non-interactive assumption.

View File

@ -5,16 +5,16 @@
On the other hand, Stern's protocol has been originally introduced in the context of code-base cryptography~\cite{Ste96}.
\index{Syndrome Decoding Problem}
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf M \in \FF_2^{n \times m}$ and a syndrome $\mathbf v \in \FF_2^n$, the goal is to find a binary vector $\mathbf w \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf M \cdot \mathbf w = \mathbf v \bmod 2$.
Initially, it was introduced for Syndrome Decoding Problem (\SDP): given a matrix $\mathbf{M} \in \FF_2^{n \times m}$ and a syndrome $\mathbf{v} \in \FF_2^n$, the goal is to find a binary vector $\mathbf{w} \in \FF_2^m$ with fixed hamming weight $w$ such that $\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2$.
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf x$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
This problem shows similarities with the $\ISIS$ problem defined in \cref{de:sis} where the constraints on the norm of $\mathbf{x}$ is a constraint on Hamming weight, and operations are in $\FF_2$ instead of $\Zq$.
After the first works of Kawachi, Tanaka and Xagawa~\cite{KTX08} that extended Stern's proofs to statements $\bmod q$, the work of Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} enables the use of Stern's protocol to prove general $\SIS$ or $\LWE$ statements (meaning the knowledge of a solution to these problems).
These advances in the expressivity of Stern-like protocols has been used to further improve it and therefore enable privacy-based primitives for which no constructions existed in the post-quantum world, such as dynamic group signatures~\cite{LLM+16}, group encryption~\cite{LLM+16a}, electronic cash~\cite{LLNW17}, etc.
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf w \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf w$ satisfies these conditions if and only if $\pi(\mathbf x)$ also does.
Unlike the Schnorr-like proof we saw in the previous section, Stern's proof is mainly combinatorial and relies on the fact that every permutation on a binary vector $\mathbf{w} \in \bit^m_{}$ leaves its Hamming weight $w$ invariant. As a consequence, for $\pi \in \permutations_m$, $\mathbf{w}$ satisfies these conditions if and only if $\pi(\mathbf{x})$ also does.
Therefore, the randomness of $\pi$ is used to verify these two constraints (being binary and the hamming weight) in a zero-knowledge fashion.
We can notice that this can be extended to vectors $\mathbf w \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
We can notice that this can be extended to vectors $\mathbf{w} \in \nbit^m$ of fixed numbers of $-1$ and $1$ that allowed~\cite{LNSW13} to propose the generalization of this protocol to any $\ISIS_{n,m,q,\beta}$ statements.
In \cref{sse:stern-abstraction}, we describes these permutations while abstracting the set of ZK-provable statements as the set $\mathsf{VALID}$ that satisfies conditions~\eqref{eq:zk-equivalence}.
It is worth noticing that this argument on knowledge does not form a $\Sigma$-protocol, as the challenge space is ternary as described in \cref{sse:stern-abstraction}.
@ -31,8 +31,8 @@ In this Section, we describe in a high-level view how Stern's protocol works, an
%%%%%%%%%%%%%%%%%%%%%
\begin{figure}[h]
\begin{itemize}
\item $\mathsf B^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
\item $\mathsf B^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
\item $\mathsf{B}^{2}_{\mathfrak m}$: the set of vectors in $\bit^{2\mathfrak m}$ with Hamming weight $\mathfrak m$.
\item $\mathsf{B}^{3}_{\mathfrak m}$: the set of vectors in $\nbit^{3\mathfrak m}$ which has exactly $\mathfrak m$ coordinates equal to $j$ for each $j \in \nbit$.
\end{itemize}
\caption{Notations for Stern-like protocols.}
\label{fig:stern-notations}
@ -40,7 +40,7 @@ In this Section, we describe in a high-level view how Stern's protocol works, an
The original Stern protocol was designed to prove knowledge of a SDP preimage. That is, to prove the knowledge of a vector $\mathbf{w} \in \bit^m$ that verifies
\begin{equation} \label{eq:sdp-statement}
\mathbf M \cdot \mathbf{w} = \mathbf v \bmod 2.
\mathbf{M} \cdot \mathbf{w} = \mathbf{v} \bmod 2.
\end{equation}
A first improvement by~\cite{KTX08} was to extend this protocol using a statistically hiding SIS-based commitment scheme as described in~\ref{fig:Interactive-Protocol} to prove in (statistical) zero-knowledge that
@ -51,7 +51,7 @@ A first improvement by~\cite{KTX08} was to extend this protocol using a statisti
The details of this proof is given in \cref{sse:stern-abstraction}, but it can be summarized in the following Lemma.
\begin{lemma}[{\cite[Se. 4]{KTX08}}] \label{le:zk-ktx}
There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf M, \mathbf v) \in \Zq^{n \times m} \times \Zq^{n}$.
There exists a statistical \textsf{ZKAoK} with perfect completeness and soundness error 2/3 to prove the knowledge of a secret vector $\mathbf{w} \in \bit^m$ that verifies relation~\eqref{eq:isis-stern-relation} for public input $(\mathbf{M}, \mathbf{v}) \in \Zq^{n \times m} \times \Zq^{n}$.
\end{lemma}
Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.
@ -59,12 +59,12 @@ Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of
A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}).
\index{Lattices!Inhomogeneous \SIS}
To prove the knowledge of an \ISIS preimage, i.e.
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf w$ as $\bar{\mathbf w} = \mathbf K \cdot \mathbf w \bmod q$ with a public transfer matrix $\mathbf K$ such that $\bar{\mathbf w} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf w} \in \nbit^{m'}$ for public input $(\mathbf M \cdot \mathbf K, \mathbf v)$.
To prove the knowledge of an \ISIS preimage, i.e.
the knowledge of a bounded vector $\mathbf{w} \in [-B,B]^m$ that satisfies relation~\eqref{eq:isis-stern-relation}, the goal is to rewrite $\mathbf{w}$ as $\bar{\mathbf{w}} = \mathbf{K} \cdot \mathbf{w} \bmod q$ with a public transfer matrix $\mathbf{K}$ such that $\bar{\mathbf{w}} \in \nbit^{m'}$ and of known numbers of elements equal to $j$ for $j \in \nbit$.
This reduces to use \cref{le:zk-ktx} to prove the knowledge of $\bar{\mathbf{w}} \in \nbit^{m'}$ for public input $(\mathbf{M} \cdot \mathbf{K}, \mathbf{v})$.
To construct such a transfer matrix $\mathbf K$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf x \in [-B,B]^m$ as a vector $\tilde{\mathbf x} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf x} \in \mathsf B^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol.
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf I_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters.
To construct such a transfer matrix $\mathbf{K}$, \cite{LNSW13} showed that \textit{decomposing} a vector $\mathbf{x} \in [-B,B]^m$ as a vector $\tilde{\mathbf{x}} \in \nbit^{m \cdot \delta_B}$ and \textit{extending} the resulting vector into $\bar{\mathbf{x}} \in \mathsf{B}^3_{m \delta_B}$ leads to a new statement that can be proven using the~\cite{KTX08} variant of Stern's protocol.
The resulting matrix $\mathbf{K}= \left[\mathbf{K}_{m,B}^{} \mid \mathbf 0^{m \times 2m\delta_B}\right] \in \ZZ^{m \times 3m\delta_B}$, where $\mathbf{K}_{m,B}^{}$ is the \nbit-decomposition matrix $\mathbf{K}_{m,B} = \mathbf{I}_m \otimes \left[B_1 \mid \cdots \mid B_{\delta_B} \right]$ with $B_j^{} = \left\lfloor \frac{B + 2^{j-1}}{2^j} \right\rfloor$ for all $j \in \{1,\ldots,j\}$ can be computed from public parameters.
\subsection{Abstraction of Stern's Protocol} \label{sse:stern-abstraction}
@ -189,7 +189,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
\noindent
\item[\textsf{Case} $\overline{Ch}=2$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
\begin{gather*}
C'_1 = \mathsf{COM}(\pi, \mathbf{M}\cdot \mathbf{r}; \rho_1), \qquad
@ -209,7 +209,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
\noindent
\item[Case $\overline{Ch}=3$:] $\mathsf{SIM}$ samples $\mathbf{w}' \hookleftarrow \U(\mathsf{VALID})$, $\mathbf{r} \hookleftarrow \U(\mathbb{Z}_q^D)$, $\pi \hookleftarrow \U(\mathcal{S})$, and randomnesses $\rho_1, \rho_2, \rho_3$ for $\mathsf{COM}$.
Then it sends the commitment $\mathrm{CMT}= \big(C'_1, C'_2, C'_3\big)$ to $\widehat{\mathcal{V}}$, where
\[ C'_2 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{r}); \rho_2), \qquad C'_3 = \mathsf{COM}(\Gamma_{\pi}(\mathbf{w}' + \mathbf{r}); \rho_3)\]
as in the previous two cases, while
@ -231,7 +231,7 @@ The proof of the theorem relies on standard simulation and extraction techniques
\medskip
\noindent
\scbf{Argument of Knowledge.} Let us assume that
\scbf{Argument of Knowledge.} Let us assume that
\begin{gather*}
\mathrm{RSP}_1 = (\mathbf{t}_x, \mathbf{t}_r, \rho_{2}^{(1)}, \rho_{3}^{(1)}), \qquad
\mathrm{RSP}_2 = (\phi_2, \mathbf{y}, \rho_{1}^{(2)}, \rho_{3}^{(2)}),\\

View File

@ -1,41 +1,54 @@
\chapter*{List of Symbols}
\chapter*[List of Symbols]{List of Symbols}
\addcontentsline{toc}{chapter}{List of Symbols}
\addcontentsline{tof}{chapter}{Liste des symboles et abréviations}
\begin{longtable}{ll}
\multicolumn{2}{l}{\scbf{General Notations}} \\
TM & Turing Machine \\
$\ppt$ & Probabilistic Polynomial Time \\
$\epsilon$ & empty word \\
$\mathbf A$ & bold uppercase letters represent matrices\\
$\mathbf b$ & bold lowercase letters represent column vectors\\
$\widetilde{\mathbf A}$ & Gram-Schmidt orthogonalization of matrix $\mathbf A$\\
$\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively\\
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$ \\
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\
$\QQ$ & the set of rational numbers \\
$\RR$ & the set of real numbers \\
$\ZZ$ & the set of relative integers \\
$\ZZ_q$ & the field $\ZZ_{/q\ZZ}$, with $q$ prime \\
$\FF_2$ & the field $\ZZ_{/2\ZZ}$ \\
[1ex] \multicolumn{2}{l}{\scbf{Protocols}} \\
$\PKE$ & Public Key Encryption \\
$\ZK$ & Zero-Knowledge \\
$\NIZK$ & Non-Interactive Zero-Knowledge \\
$\OT$ & Oblivious Transfer \\
[1ex] \multicolumn{2}{l}{\scbf{Security Models}} \\
$\ROM$ & Random-Oracle Model \\
$\UC$ & Universal Composability \\
[1ex] \multicolumn{2}{l}{\scbf{Security Assumptions}} \\
[.5ex] \multicolumn{2}{l}{\quad\textbf{Lattice-based}} \\
$\SIS$ & Short Integer Solution \\
$\ISIS$ & Inhomogeneous Short Integer Solution \\
$\LWE$ & Learning with Errors \\
$\SIVP$ & Shortest Independent Vectors Problem \\
[.5ex] \multicolumn{2}{l}{\quad\textbf{Cyclic groups}} \\
$\DLP$ & Discrete Logarithm Problem \\
$\DDH$ & Decisional Diffie-Hellman \\
[.5ex] \multicolumn{2}{l}{\quad\textbf{Bilinear groups}} \\
$\SXDH$ & Symmetric eXternal Diffie-Hellman \\
$\SDL$ & Symmetric Discrete Logarithm
\multicolumn{2}{l}{\scbf{General Notations}} \\
TM & Turing Machine \\
$\ppt$ & Probabilistic Polynomial Time \\
$\epsilon$ & empty word \\
$\mathbf{A}$ & bold uppercase letters represent matrices \\
$\mathbf{b}$ & bold lowercase letters represent column vectors \\
$\widetilde{\mathbf{A}}$ & Gram-Schmidt orthogonalization of matrix $\mathbf{A}$ \\
$\mathbf{A}^T_{}, \mathbf{u}^T_{}$ & the transpose of a matrix or a vector respectively \\
$\U(S)$ & If $S$ is a finite set, $\U(S)$ denotes the uniform distribution over $S$\\
$\Pr[E]$ & Probability that an event $E$ occurs \\
[1ex] \multicolumn{2}{l}{\scbf{Usual sets}} \\
$\QQ$ & the set of rational numbers \\
$\RR$ & the set of real numbers \\
$\ZZ$ & the set of relative integers \\
$\ZZ_q$ & the field $\ZZ_{/q\ZZ}$, with $q$ prime \\
$\FF_2$ & the field $\ZZ_{/2\ZZ}$ \\
$\mathbb{S}^d$ & the set of vectors of dimension $d$ in the set $\mathbb{S}$ \\
$\mathbb{S}^{n \times m}$ & the set of matrices with $n$ rows and $m$ columns in the set $\mathbb{S}$ \\
[1ex] \multicolumn{2}{l}{\scbf{Protocols}} \\
$\PKE$ & Public Key Encryption \\
$\ZK$ & Zero-Knowledge \\
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
$\NIZK$ & Non-Interactive Zero-Knowledge \\
$\OT$ & Oblivious Transfer \\
[1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\
EU-CMA & Existentially Unforgeable under chosen-message attacks \\
EU-RMA & Existentially Unforgeable under random-message attacks \\
IND-CPA & Indistinguishable under chosen-plaintext attacks (passive adversary) \\
IND-CCA1 & Indistinguishable under non-adaptive active adversary\\
IND-CCA2 & Indistinguishable under adaptive active adversary\\
[1ex] \multicolumn{2}{l}{\scbf{Security Models}} \\
$\ROM$ & Random-Oracle Model \\
$\UC$ & Universal Composability \\
[1ex] \multicolumn{2}{l}{\scbf{Security Assumptions}} \\
[.5ex] \multicolumn{2}{l}{\quad