%--------------------------------------------------
In this chapter, we aim at lifting the \textit{signatures with efficient protocols} of~\cite{LPY15} into the random oracle model in order to get an efficient construction.
Signatures with efficient protocols in the Camenisch and Lysyanskaya fashion~\cite{CL04} are digital signatures that come with companion zero-knowledge proofs that allow a signature holder to prove
%--------------------------------------------------
\section { Building blocks}
\addcontentsline { tof} { section} { \protect \numberline { \thesection } Briques de base}
We use bilinear maps $ e: \GG \times \Gh \to \GT $ over
groups of prime order $ p $ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref { se:pairings} . All these definitions are recalled below.
\defPairings *
\defSXDH *
\defSDL *
\subsection { Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label { sse:sigmasig-qa-nizk}
\addcontentsline { tof} { section} { \protect \numberline { \thesection } Argument NIZK quasi-adaptatif pour un sous-espace linéaire}
Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS)
may depend on the language for which proofs have to be generated.
Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}.

This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix.
In the description below, we assume that all
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric
bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
In this setting, the problem is to convince a verifier that $\boldsymbol{v}$ is a linear combination of the rows of a given
$\mathbf{M}\in\GG^{t\times n}$.
Kiltz and Wee \cite{KW15} suggested the following construction, which simplifies \cite{LPJY14} and remains secure under \SXDH.
We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M}=(\vec{M}_1\cdots\vec{M}_t)^T$.
\begin { description}
\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:]
Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$,
choose $\hat{g}_z\sample\Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n)\sample\Zp^n$
and compute $\hat{g}_j=\hat{g}_z^{\chi_j}$, for all $j=1$ to $n$.
Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and
output $\mathsf{crs}=\big(\{z_i\}_{i=1}^t,~\hat{g}_z,~\{\hat{g}_j\}_{j=1}^n\big)
\in\GG^t\times\Gh^{n+1}$.
\item[\boldmath$\mathsf{Prove}(\mathsf{crs},{\boldsymbol{v}},\{\omega_i\}_{i=1}^t)$:]
To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$,
for some witness $\omega_1,\ldots,\omega_t\in\Zp$,
where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$,
parse $\mathsf{crs}$ as above
and return $\pi=\prod_{i=1}^t z_i^{\omega_i}$.
\item[\boldmath$\mathsf{Sim}(\mathsf{tk},{\boldsymbol{v}})$:]
In order to simulate a proof for a vector ${\boldsymbol{v}}\in\GG^n$ using $\mathsf{tk}=\{\chi_i\}_{i=1}^n$,
output $\pi=\prod_{j=1}^n v_j^{-\chi_j}$.
\item[\boldmath$\mathsf{Verify}(\mathsf{crs},{\boldsymbol{v}},\pi)$:]
Given $\pi\in\GG$ and ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$,
return $1$ if and only if $(v_1,\dotsc,v_n)\neq(1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies
$1_{\GT}=e(\pi,\hat{g}_z)\cdot\prod_{j=1}^n e(v_j,\hat{g}_j).$
\end { description}
The proof of the soundness of this QA-NIZK argument system requires the matrix $ \mathbf { M } $ to be witness-samplable.
This means that the reduction has to know the discrete logarithms of the group elements of $ \mathbf { M } $ .
This requirement is compatible with our security proofs.
\section { A Randomizable Signature on Multi-Block Messages} \label { scal-sig}
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
Moreover, we show that their scheme remains unforgeable under the SXDH assumption.
\begin { description}
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
of prime order $p>2^{\lambda}$ with $g\sample\GG$, $\hat{g}\sample\Gh$.
\end { description}
\begin { enumerate}
\item Choose $ \omega ,a \sample \Zp $ ,
and set $ h = g ^ a $ ,
$ \Omega = h ^ { \omega } $ .
\item Choose $ \vec { v } = ( v _ 1 , \ldots ,v _ \ell ,w ) \sample \GG ^ { \ell + 1 } $ .
\item Define a matrix $ \mathbf { { M } } = ( M _ { j,i } ) _ { j,i } \in { \GG } ^ { ( \ell + 2 ) \times ( 2 \ell + 4 ) } $
\begin { equation} \label { matrix-scal-sig}
\mathbf { { M} } = %\big({M}_{i,j} \big)_{i,j} =
\setlength { \arraycolsep } { 0.3em} \def \arraystretch { 1.3}
\left (\begin { array} { c|c|c|c}
g & \mathbf { 1} _ { { } _ { \ell +1} } & \mathbf { 1} _ { { } _ { \ell +1} } & h \\ \hline
\vec { v} ^ \top & g^ { \mathbf { I_ { \ell +1} } } & h^ { \mathbf { I_ { \ell +1} } }
& \mathbf { 1} _ { { } _ { \ell +1} } ^ \top
\end { array} \right ) ,
\end { equation}
where $ \mathbf { 1 } _ { { } _ { \ell + 1 } } = ( 1 _ { \GG } , \ldots , 1 _ { \GG } ) \in \GG ^ { \ell + 1 } $ .
\item Run $\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk}
to get $\mathsf{crs}=(\{z_i\}_{i=1}^{\ell+2},~\hat{g}_z,~\{\hat{g}_j\}_{j=1}^{2\ell+4})$.
\bigskip
\item []
The private key is $\mathsf{sk}:=\omega$ and the public key is
\begin { align*}
\mathsf { pk} =\Bigl (
\mathsf { cp} ,~g,~h,~\hat { g} , ~\vec { v} %=(v_1,\ldots,v_\ell,w)
,~\Omega =h^ \omega ,~\mathsf { crs}
\Bigr ).
\end { align*}
\end { enumerate}
\begin { description}
\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] Given
the private key $\mathsf{sk}=\omega$ and a message
$\vec{m}\in\Zp^\ell$, choose $s\sample\Zp$ and compute
\begin{align*}
\sigma_1 &= g^\omega\cdot(v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
\sigma_2 &= g^{s}, & \sigma_3 &= h^{s}.
\end{align*}
Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that
the following vector of $\GG^{2\ell+4}$
\begin{align}\label{eq:vector}
(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,
\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)
\end{align}
is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi=z_1^\omega\cdot(z_2^{m_1}\cdots z_{\ell+1}^{m_\ell}\cdot z_{\ell+2})^{s}$.
Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3,\pi\big)\in\GG^{4}$.
\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$]
Parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$
if and only if
\begin{align}\label{sig-ver-1}
e(\Omega,\hat{g}_{2\ell+4})^{-1} =
& ~ e(\pi,\hat{g}_z)\cdot e(\sigma_1,\hat{g}_1) \\ \nonumber
& ~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}) \\ \nonumber
& ~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}).
\end{align}
\end{description}
The signature on $\ell$ scalars thus only consists of 4 elements of $\GG$,
while the verification equation only involves the computation of 5 pairings.
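As an added worked example (not code from the thesis), the following Python checks the algebra of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} and of the signature above by working in the exponent: every group element is represented by its discrete logarithm, so the pairing becomes a product in $\Zp$, and a Mersenne prime is assumed as a stand-in for $p$. It also goes beyond the scheme description by building the Type B signatures of the proof of Theorem~\ref{th:eu-cma-1}, which verify although $\log_g(\sigma_2)\neq\log_h(\sigma_3)$; it is a consistency check of the equations, not a secure implementation.

```python
# Added worked example (not code from the thesis): the QA-NIZK argument and the
# multi-block signature computed "in the exponent". Every element of G, G^ and G_T
# is stored as its discrete log modulo p, so group multiplication is addition,
# exponentiation is multiplication and the pairing e(g^x, g^^y) is the product x*y.
# This checks the algebra only; it is NOT a secure implementation (all logs are known).
import secrets

P = (1 << 127) - 1  # Mersenne prime standing in for the group order p (assumed value)

def rand() -> int:   # the paper's \sample: a non-zero scalar of Z_p
    return secrets.randbelow(P - 1) + 1

# ---- QA-NIZK argument for membership in the row space of M ----
def qanizk_keygen(M):
    """M is a t x n matrix of exponents (the logs of the group elements M_ij)."""
    t, n = len(M), len(M[0])
    gz = rand()                                # log of g^_z
    chi = [rand() for _ in range(n)]           # tk = (chi_1, ..., chi_n)
    ghat = [(gz * c) % P for c in chi]         # g^_j = g^_z^{chi_j}
    z = [(-sum(M[i][j] * chi[j] for j in range(n))) % P for i in range(t)]  # z_i = prod_j M_ij^{-chi_j}
    return {"z": z, "gz": gz, "ghat": ghat}, chi

def qanizk_prove(crs, omegas):
    """pi = prod_i z_i^{omega_i} for the witness (omega_1, ..., omega_t)."""
    return sum(w * zi for w, zi in zip(omegas, crs["z"])) % P

def qanizk_sim(tk, v):
    """Simulated pi = prod_j v_j^{-chi_j}: verifies for ANY v, in the row space or not."""
    return (-sum(vj * cj for vj, cj in zip(v, tk))) % P

def qanizk_verify(crs, v, pi):
    """1_GT = e(pi, g^_z) * prod_j e(v_j, g^_j), and v is not the all-identity vector."""
    if all(vj == 0 for vj in v):
        return False
    return (pi * crs["gz"] + sum(vj * gj for vj, gj in zip(v, crs["ghat"]))) % P == 0

# ---- Randomizable signature on ell scalar blocks ----
def sig_keygen(ell):
    g, a = 1, rand()                           # log_g(g) = 1 and h = g^a
    h, omega = a, rand()
    v = [rand() for _ in range(ell + 1)]       # (v_1, ..., v_ell, w)
    # matrix M of (matrix-scal-sig): row (g | 1 | 1 | h), then rows (v^T | g.I | h.I | 1)
    M = [[g] + [0] * (2 * ell + 2) + [h]]
    for i in range(ell + 1):
        row = [0] * (2 * ell + 4)
        row[0], row[1 + i], row[ell + 2 + i] = v[i], g, h
        M.append(row)
    crs, tk = qanizk_keygen(M)
    pk = {"ell": ell, "g": g, "h": h, "v": v, "Omega": (h * omega) % P, "crs": crs}
    return pk, omega, tk                       # tk is only needed by the security proof

def _msg_combination(pk, m):                   # log of v_1^{m_1} ... v_ell^{m_ell} * w
    return (sum(mi * vi for mi, vi in zip(m, pk["v"])) + pk["v"][-1]) % P

def sig_vector(pk, sigma, m):
    """The vector (eq:vector) of G^{2ell+4} whose row-space membership pi certifies."""
    s1, s2, s3 = sigma[:3]
    return ([s1] + [(s2 * mi) % P for mi in m] + [s2]
            + [(s3 * mi) % P for mi in m] + [s3, pk["Omega"]])

def sig_sign(pk, sk, m):
    s = rand()
    sigma = ((sk + s * _msg_combination(pk, m)) % P,   # sigma_1 = g^omega (v_1^{m_1}...w)^s
             (pk["g"] * s) % P,                         # sigma_2 = g^s
             (pk["h"] * s) % P)                         # sigma_3 = h^s
    # witness: omega on the first row of M, s*m_i on rows 2..ell+1, s on row ell+2
    omegas = [sk] + [(s * mi) % P for mi in m] + [s]
    return sigma + (qanizk_prove(pk["crs"], omegas),)

def sig_verify(pk, sigma, m):
    """The 5-pairing equation (sig-ver-1); g^_j is stored 0-indexed as gh[j-1]."""
    s1, s2, s3, pi = sigma
    ell, gh = pk["ell"], pk["crs"]["ghat"]
    lhs = (-pk["Omega"] * gh[2 * ell + 3]) % P                      # e(Omega, g^_{2ell+4})^{-1}
    t2 = (sum(mi * gh[1 + i] for i, mi in enumerate(m)) + gh[ell + 1]) % P
    t3 = (sum(mi * gh[ell + 2 + i] for i, mi in enumerate(m)) + gh[2 * ell + 2]) % P
    return lhs == (pi * pk["crs"]["gz"] + s1 * gh[0] + s2 * t2 + s3 * t3) % P

def sig_sign_type_b(pk, tk, m):
    """Type B signature of the proof of Theorem th:eu-cma-1: a random omega' replaces
    the secret key, sigma_3 = h^{s+s_1}, and pi is simulated with tk (no sk needed)."""
    omega_p, s, s_1 = rand(), rand(), rand()
    sigma = ((omega_p + s * _msg_combination(pk, m)) % P,
             (pk["g"] * s) % P, (pk["h"] * (s + s_1)) % P)
    return sigma + (qanizk_sim(tk, sig_vector(pk, sigma, m)),)

def demo_checks(ell=3):
    """The checks a reader would want to see; every value is expected to be True."""
    pk, sk, tk = sig_keygen(ell)
    m = [rand() for _ in range(ell)]           # constructed random message blocks
    sig, sig_b = sig_sign(pk, sk, m), sig_sign_type_b(pk, tk, m)
    vec = sig_vector(pk, sig, m)
    return {
        "honest signature verifies": sig_verify(pk, sig, m),
        "same check through the generic QA-NIZK verifier": qanizk_verify(pk["crs"], vec, sig[3]),
        "honest pi equals the tk-simulated pi (eq:rel-sim-A)": qanizk_sim(tk, vec) == sig[3],
        "altered message is rejected": not sig_verify(pk, sig, [(m[0] + 1) % P] + m[1:]),
        "Type B signature verifies (made with tk, not sk)": sig_verify(pk, sig_b, m),
        "... although log_g(sigma_2) != log_h(sigma_3)": (sig_b[2] * pow(pk["h"], -1, P)) % P != sig_b[1],
    }
```

Calling \texttt{demo\_checks()} returns a dictionary whose values are all \texttt{True}; the equality of the honest and simulated proofs is exact in the exponent, which is the distributional claim behind~\eqref{eq:rel-sim-A}.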
\begin { theorem} \label { th:eu-cma-1}
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf { eu-cma} ) if the SXDH assumption holds in $ ( \GG , \Gh , \GT ) $ .
\end { theorem}
\begin { proof}
We will proceed as in~\cite{LPY15} to prove that the scheme of
Section~\ref{scal-sig} is secure under chosen-message attacks. Namely, we will consider a sequence of hybrid games involving two
kinds of signatures. \vspace{-0.1cm}
\begin { description}
\item [Type A signatures:] These are real signatures:
\begin { equation} \label { eq:rel-sig-A}
\begin { aligned}
\sigma _ 1 & = g^ \omega \cdot ( v_ 1^ { m_ 1} \cdots v_ \ell ^ { m_ \ell } \cdot w)^ s, &
\sigma _ 2 & = g^ s, \\
\pi &= z_1^\omega\cdot(z_2^{m_1}\cdots z_{\ell+1}^{m_\ell}\cdot z_{\ell+2})^{s}, &
\sigma_3 &= h^s.
\end { aligned}
\end { equation}
Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$
is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as
\begin{equation}
\label{eq:rel-sim-A}
\begin{aligned}
\pi &= \sigma_1^{-\chi_1}\cdot\left(\prod_{i=2}^{\ell+1}\sigma_2^{-\chi_i m_{i-1}}\right)\cdot\sigma_2^{-\chi_{\ell+2}} \\
&\quad\cdot\left(\prod_{i=\ell+3}^{2\ell+2}\sigma_3^{-\chi_i m_{i-\ell-2}}\right)\cdot
\sigma_3^{-\chi_{2\ell+3}}\cdot\Omega^{-\chi_{2\ell+4}}.
\end{aligned}
\end{equation}
\end { description} \smallskip
\noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
Type A signatures where only the conditions of~\eqref{eq:rel-sig-A} on $(\sigma_1,\sigma_2,\sigma_3)$ are imposed and no
restriction is given on $\pi$ beyond the fact that it should be a valid
homomorphic signature on vector~\eqref{eq:vector}.
\smallskip
\begin { description}
\item[Type B signatures:] These use a random value $\omega'\in_R\Zp$ instead of the secret key $\omega$. We pick random $\omega',s,s_1\sample\Zp$ and
compute:
\begin{equation*}
\begin{gathered}
(\sigma_1,\sigma_2,\sigma_3)=(g^{\omega'}\cdot(v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^s,~g^s,~h^{s+s_1}).
\end{gathered}
\label{eq:rel-sig-B}
\end{equation*}
The QA-NIZK proof $\pi$ is
computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega\in\Zp$.
\end{description}
\smallskip
We consider a sequence of games.
In Game $i$, $S_i$ denotes the event that $\adv$
produces a valid signature $\sigma^\star$ on $M^\star$ such that
$(M^\star,\sigma^\star)$ was not queried before, and $E_i$ denotes the event that
$\adv$ produces a Type $\mathrm{A}'$ signature.
\begin { description}
\item [Game 0:] This is the real game. The challenger $ \bdv $ produces
a key pair $ ( \mathsf { sk } , \mathsf { pk } ) $ and sends $ \mathsf { pk } $ to $ \adv $ . Then $ \adv $
makes $ Q $ signature queries: $ \adv $ sends messages $ M _ i $ to $ \bdv $ , and $ \bdv $
answers by sending $ \sigma _ i = \Sign ( \mathsf { sk } , M _ i ) $ to $ \adv $ . Finally $ \adv $
sends a pair $(M^\star,\sigma^\star)\notin\{(M_i,\sigma_i)\}_{i=1}^Q$
and wins if $\Verify(\mathsf{pk},\sigma^\star,M^\star)=1$.
\item[Game 1:] We change the way $\bdv$ answers signing queries.
The QA-NIZK proofs $\pi$ are now computed as simulated QA-NIZK proofs
using $\mathsf{tk}$
as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated
proofs for true statements, so their distribution remains unchanged.
We have $\Pr[S_1]=\Pr[S_1\wedge E_1]+\Pr[S_1\wedge\neg E_1]$.
Lemma~\ref{le:type-a-sig} states
that the event $S_1\wedge\neg E_1$ happens with negligible probability: $\Pr[S_1\wedge\neg E_1]\leq\advantage{\DDH}{\Gh}(\lambda)+1/p$. Thus our task is now
to upper-bound the probability $\Pr[S_1\wedge E_1]$.
\item[Game 2.$\boldsymbol{k~(0\leq k\leq Q)}$:] In Game $2.k$, the
challenger returns a Type B signature for the first $k$ queries. At the
last $Q-k$ signature queries, the challenger answers with a Type A
signature. \cref{le:type-b-sig} ensures that
\[\left|\Pr\Bigl[S_{2.k}\wedge E_{2.k}\Bigr]-\Pr\Bigl[S_{2.(k-1)}\wedge E_{2.(k-1)}\Bigr]\right|\]
is smaller than $\advantage{\DDH}{\GG}(\lambda)+1/p$.
\end{description}
In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a Type $\mathrm{A}'$
forgery even if it only obtains Type B signatures during the game.
Nevertheless, Lemma~\ref{le:final-forgery} shows
that a Type $\mathrm{A}'$ forgery in Game
$2.Q$ contradicts the DDH assumption in $\GG$. Therefore we have
$\Pr[S_{2.Q}\wedge E_{2.Q}]\leq\advantage{\DDH}{\GG}(\lambda)$. Putting everything together, the probability $\Pr[S_0]$ is upper-bounded by
\begin{multline*}
\advantage{\DDH}{\Gh}(\lambda)+\frac{1}{p}+Q\left(\advantage{\DDH}{\GG}(\lambda)+\frac{1}{p}\right)+\advantage{\DDH}{\GG}(\lambda) \\
< (Q+2)\cdot\left(\advantage{\mathrm{SXDH}}{\GG,\Gh}(\lambda)+\frac{1}{p}\right).
\end{multline*}
\end{proof}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin { lemma} \label { le:type-a-sig}
In \textbf { Game 1} , if the DDH assumption holds in $ \Gh $ , $ \adv $ can only output a type $ A' $
forgery.
\end { lemma}
\begin { proof}
Let $\adv$ be an attacker that does not
output a Type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the
Quasi-Adaptive NIZK (QA-NIZK) scheme, whose security is implied by the double-pairing
problem, which reduces from DDH as explained in~\cite{LPJY13}.
Let us define the vector $\ssigma\in\GG^{2\ell+4}$ as
\[
\ssigma\triangleq(\sigma_1^\star,\sigma_2^{\star m_1},\ldots,\sigma_2^{\star m_\ell},\sigma_2^\star,\sigma_3^{\star m_1},\ldots,\sigma_3^{\star m_\ell},\sigma_3^\star,\Omega)
\in\GG^{2\ell+4}.
\]
If $(M^\star,\sigma^\star)$ is not a Type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row
space of $\mathbf{M}$.
Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in
(\ref{matrix-scal-sig}) and a common
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
QA-NIZK scheme for proving that vectors of dimension $2\ell+4$ are in the row space of ${\mathbf{M}}$.
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
After that, $\bdv$ picks $\omega\sample\Zp$ and $\hat g\sample\Gh$, and sets $\Omega=h^\omega$.
Then, the reduction $\bdv$ sends to $\adv$ the parameters $\mathsf{cp}$ and the verification key:
\begin{align*}
\mathsf{pk}=\bigl(g,h,\hat g,\vec{v},\Omega,\mathsf{crs}\bigr).
\end{align*}
Since $\bdv$ knows the secret key $\omega\in\Zp$, it can answer all signing queries by honestly
running the $\Sign$ algorithm; in particular, it does not need to know $\mathsf{tk}$ to do this.
When $\adv$ halts, it outputs $(M^\star,\sigma^\star)$ where $\sigma^\star$ is not a Type $\mathrm{A}'$ forgery, so that $\ssigma$ is not in the row space of $\mathbf{M}$.
Therefore, $\pi^\star$ is a valid proof for the vector $\ssigma$ outside the row space of $\mathbf{M}$, which breaks the soundness property of the
scheme and thus yields an algorithm against DDH as in~\cite{KW15}, since the matrix is
witness-samplable.
\end{proof}
\begin { lemma} \label { le:type-b-sig}
If DDH holds in $ \GG $ , for each $ k \in
\{ 1,\ldots , Q \} $ , $ \adv $ produces a type $ A'$ forgery with negligibly different probabilities in \textbf { Game $ \boldsymbol { 2.k} $ } and \textbf { Game $ \boldsymbol { 2.(k-1)} $ } .
\end { lemma}
%
\begin { proof}
Let us assume there exists an index $ k \in \{ 1 , \ldots , Q \} $ and an adversary $ \adv $ that outputs a
Type $ \mathrm { A } ' $ forgery with smaller probability in Game $ 2 .k $ than in Game
$ 2 . ( k - 1 ) $ . We build a DDH distinguisher $ \bdv $ . \medskip
\\
Algorithm $ \bdv $ takes in $ ( g ^ a, g ^ b, \eta ) \in \GG ^ 3 $ , where $ \eta =
g^ { a(b+c)} $ , and decides if $ c=0$ or $ c \in _ R \Zp $ . To do this, $ \bdv $ sets $ h = g^ a$ . It
picks $ \omega , a _ { v _ 1 } , b _ { v _ 1 } , \ldots , a _ { v _ \ell } , b _ { v _ \ell } , a _ { w } , b _ { w } \sample \Zp $
and sets $ \Omega = h ^ \omega $ as well as:
\[ \forall i \in \{ 1 , \dots , \ell \} :~~ v _ i = g ^ { a _ { v _ i } } \cdot h ^ { b _ { v _ i } } , \quad w = g ^ { a _ w } \cdot h ^ { b _ w } . \]
% in order to have the discrete logs of $v_i$ and $w$. \medskip
% \\

The reduction $\bdv$ also chooses $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ and
computes $\mathsf{crs}=(\{z_j\}_{j=1}^{\ell+2},\hat g_z,\{\hat g_i\}_{i=1}^{2\ell+4})$
as in steps 3-4 of \textsf{Keygen}. It then outputs $\mathsf{pk}=(g,h,\hat g,\vec{v},\Omega,\mathsf{crs})$.
\smallskip

Then, queries are answered depending on their index~$j$:\\
\textbf{Case $\boldsymbol{j<k}$:} $\bdv$ computes a Type B signature, $\sigma=(\sigma_1,\sigma_2,\sigma_3,\pi)$, using $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ with the QA-NIZK simulator
to compute $\pi$.
\noindent\textbf{Case $\boldsymbol{j>k}$:} The last $Q-k$ signing queries are computed as
Type A signatures, which $\bdv$ is able to generate using the secret key $\omega\in\Zp$ it knows
and $\mathsf{crs}$ or $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ to produce valid proofs.
\noindent\textbf{Case $\boldsymbol{j=k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$
depending on whether $\eta=g^{ab}$ or $\eta=g^{a(b+c)}$ for some $c\in_R\Zp$. Namely, $\bdv$ computes $\sigma_2=g^b$, $\sigma_3=\eta$,
and
$\sigma_1=g^\omega\sigma_2^{a_w+\sum_{i=1}^\ell a_{v_i}m_i}\sigma_3^{b_w+\sum_{i=1}^\ell b_{v_i}m_i}.$
Then $\bdv$ simulates the QA-NIZK proof $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma=(\sigma_1,\sigma_2,\sigma_3,\pi)$ to $\adv$.
\smallskip
If $\eta=g^{ab}$, the $k$-th signature $\sigma$ is
a Type A signature with $s=b$. If $\eta=g^{a(b+c)}$ for some $c\in_R\Zp$, we have:
\begin{align*}
\sigma_1 &= g^\omega g^{ac\cdot(b_w+\sum_{i=1}^\ell b_{v_i}m_i)}(v_1^{m_1}\cdots v_\ell^{m_\ell}w)^b\\
&= g^{\omega'}(v_1^{m_1}\cdots v_\ell^{m_\ell}w)^b \\
\sigma_2 &= g^b, \qquad\qquad\qquad\qquad\qquad
\sigma_3 = h^{b+c}
\end{align*}
where $\omega'=\omega+ac\cdot(b_w+\sum_{i=1}^\ell b_{v_i}m_i)$. Since the term $b_w+\sum_{i=1}^\ell b_{v_i}m_i$ is uniform and independent of $\adv$'s view, $\sigma$ is
distributed as a Type B signature if $\eta=g^{a(b+c)}$.
When $\adv$ terminates, it outputs a pair $((m_1^\star,\ldots,m_\ell^\star),\sigma^\star)$ that has not been queried
during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a
Type $\mathrm{A}'$ forgery or not. To this end, it tests whether the equality
\begin{equation}\label{eq:verif-proof}
\sigma_1^\star = g^\omega\sigma_2^{\star a_w+\sum_{i=1}^\ell a_{v_i}m_i^\star}\sigma_3^{\star b_w+\sum_{i=1}^\ell b_{v_i}m_i^\star}
\end{equation}
is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta=g^{ab}$. Otherwise it outputs
$0$ and rather bets that $\eta\in_R\GG$.
To see why this test allows recognizing Type $\mathrm{A}'$ forgeries,
we remark that $\sigma^\star$ is of the form:
\begin{align*}
\sigma^\star_2 &= g^s, &
\sigma^\star_3 &= h^{s+s_1}, &
\sigma^\star_1 &= g^{\omega+s_0}(v_1^{m^\star_1}\cdots v_\ell^{m^\star_\ell}w)^s,
\end{align*}
and the goal of $\bdv$ is to decide whether $(s_0,s_1)=(0,0)$ or not. We notice that
$s_0=a\cdot s_1\cdot(b_w+\sum_{i=1}^\ell b_{v_i}\cdot m_i^\star)$ if the forgery fulfills
relation~\eqref{eq:verif-proof}, and we show that this only happens with probability $1/p$ for any $s_1\neq 0$,
meaning that a Type $\mathrm{B}$ forgery passes the test with the same probability.

%\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if
%$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then
%have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell
%b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with
%probability $1/p$.
From the entire game, and assuming a forgery which passes the test, we have the following linear system:
%On the other hand, the information that $\adv$ can infer about
%$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
%during the game amounts to the first
%$\ell + 2$ rows of the right-hand-side member in the following linear system:
\[
\left (
\bgroup
\def \arraystretch { 1.5}
\begin { array} { c|c}
\mathbf { I} _ { \ell +1} & a \cdot \mathbf { I} _ { \ell + 1} \\ \hline
\boldsymbol { 0} _ { \ell + 1} ^ { \top } & ac \cdot ( m_ 1 | \cdots | m_ \ell | 1) \\ \hline
\boldsymbol{0}_{\ell+1}^{\top} & a s_1\cdot(m_1^\star|\cdots|m_\ell^\star|1)
\end { array}
\egroup
\right ) \cdot
% \begin{pmatrix}
% 1 & & & a & & \\
% & \ddots & & & \ddots & \\
% & & 1 & & & & a \\
% & & & a c \cdot m_1 & \cdots & a c \cdot m_\ell & ac \\
% & & & a c \cdot m_1^\star & \cdots & a c \cdot m_\ell^\star & ac
% \end{pmatrix} \cdot
\begin { pmatrix}
a_ { v_ 1} \\ \vdots \\ a_ { v_ \ell } \\ a_ w\\
b_ { v_ 1} \\ \vdots \\ b_ { v_ \ell } \\ b_ w
\end{pmatrix}
=
\begin { pmatrix}
\log _ g(v_ 1) \\ \vdots \\ \log _ g(v_ \ell ) \\ \log _ g(w) \\
\omega ' - \omega \\ s_ 0
\end { pmatrix}
\]
where $\boldsymbol{0}_{\ell+1}$ denotes the zero vector of length $\ell+1$ and $m_1,\ldots,m_\ell$
is the message involved in the $k$-th signing query. Note that the $(\ell+2)$-th equation is meaningless when
$c=0$ since then $\omega'=\omega$. However, even if $c\neq 0$, the information that $\adv$ can infer about
$(a_{v_1},\ldots,a_{v_\ell},a_w,b_{v_1},\ldots,b_{v_\ell},b_w)\in\Zp^{2\ell+2}$
during the game amounts to the first $\ell+2$ equations of the system, which is of full rank. It means that
this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension
at least one (actually $\ell=(2\ell+2)-(\ell+2)$). Finally, as long as $s_1\neq 0$, the right value $s_0$
can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others
as soon as $(m_1,\ldots,m_\ell)\neq(m^\star_1,\ldots,m^\star_\ell)\neq 0$.
To conclude the proof, since $\bdv$ is able to tell apart the type of the forgery, if $\adv$'s probability to
output a forgery of some Type in Game $2.(k-1)$ (\textit{i.e.}, $c=0$) was significantly different than in Game $2.k$
(\textit{i.e.}, $c\neq 0$) then $\bdv$ would be able to solve the DDH problem with non-negligible advantage.
\end{proof}
\begin { lemma} \label { le:final-forgery}
In \textbf { Game $ \boldsymbol { 2 .Q } $ } , a PPT adversary outputting a type $ A' $ forgery would contradict
the DDH assumption in $ \GG $ :
$ \Pr [ S _ { 2 .Q } \wedge E _ { 2 .Q } ] \leq \advantage { \DDH } { \GG } ( \lambda ) . $
\end { lemma}
\begin { proof}
We will build an algorithm $\bdv$ for solving the Computational Diffie-Hellman problem~(CDH), which is at
least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g,h,\Omega=h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g\sample\Gh$, $a_{v_1},\ldots,a_{v_\ell},a_w\sample\Zp$ and computes
$v_1=g^{a_{v_1}},\ldots,v_\ell=g^{a_{v_\ell}}$, and $w=g^{a_w}$. Then $\bdv$ generates
$\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$,
$\mathsf{crs}=(\{z_j\}_{j=1}^{\ell+2},\hat g_z,\{\hat g_i\}_{i=1}^{2\ell+4})$
as in steps 3-4 of the key generation algorithm, then sends the public key
$\mathsf{pk}=\bigl(g,h,\hat g,\boldsymbol{v},\Omega=h^\omega,\mathsf{crs}\bigr)$ to $\adv$.
%\begin{multline*}
% pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega,
% \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr)
%\end{multline*}
\noindent $\bdv$ also retains $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ to handle
signing queries. We recall that during the game, signing queries are answered by returning a
Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing
$\omega=\log_h(\Omega)$, which is part of the CDH challenge.
The result of Lemma~\ref{le:type-b-sig} implies that even if $\adv$ only obtains Type B signatures,
it will necessarily output a Type $\mathrm{A}'$ forgery
$\sigma^\star=(\sigma^\star_1,\sigma^\star_2,\sigma^\star_3,\pi^\star)$
unless the DDH assumption does not hold in $\GG$.
This event thus allows $\bdv$ to compute
\[g^\omega=\sigma_1^\star\cdot{\sigma_2^\star}^{-a_w-\sum_{i=1}^\ell a_{v_i}m_i^\star},\]
which contradicts the DDH assumption in $\GG$.
\end{proof}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section { Companion Protocols } \label { new-proto}
2018-04-12 16:42:39 +00:00
2018-04-13 13:41:25 +00:00
In this section, we give $ \Sigma $ -protocols (\cref { sse:sigma-protocols} ) for issuing a signature on a committed multi-block message and for proving knowledge of a valid message-signature pair.
2018-04-12 16:42:39 +00:00
2018-04-13 13:41:25 +00:00
%------------------------------------------------------------------------
\subsection { Proof of Knowledge of a Signature on a Committed Message}
2018-04-12 16:42:39 +00:00
2018-04-13 13:41:25 +00:00
We give $ \Sigma $ -protocols for proving the knowledge of a signature-message pair $ ( { \sigma } , \vec { m } ) $ satisfying the verification equation of the scheme of Section~\ref { scal-sig}
2018-04-12 09:03:12 +00:00
2018-04-13 13:41:25 +00:00
\begin{align}\label{eq-mult-sig}
e(\Omega, \hat{g}_{2\ell+4})^{-1}
& = \, e(\sigma_1, \hat{g}_1) \cdot
e(\sigma_2, \hat{g}_{2}^{m_1} \cdots \hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2})
\\ \nonumber
& \quad \cdot e(\sigma_3, \hat{g}_{\ell+3}^{m_1} \cdots \hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3})
\cdot e(\pi, \hat{g}_z),
\end{align}
%
where ${\sigma} = (\sigma_1, \sigma_2, \sigma_3, \pi)$ and $\vec{m} = (m_1, \ldots, m_\ell)$.
We note that, as shown in the proof of Theorem~\ref{th:eu-cma-1}, a candidate signature $(\sigma_1, \sigma_2, \sigma_3, \pi)$ may satisfy the verification equation
although $\log_g(\sigma_2) \neq \log_h(\sigma_3)$. In applications to anonymous credentials, a malicious credential issuer could take advantage of this fact in attempts to
break the anonymity of the scheme (e.g., by linking two authentications involving the same credential). For this reason, we consider a protocol for proving possession
of a possibly maliciously generated signature.
We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, e.g., aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks.
\vspace{-1mm}
A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations.
Even though a quadratic pairing-product equation $e(x_1, \hat{a}) \cdot e(x_2, \hat{y})$ -- for variables $x_1, x_2, \hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1 \cdot x_2^{r}, \hat{a}) \cdot e(x_2, \hat{y} \cdot \hat{a}^{-r})$ (which allows $\hat{y}' = \hat{y} \cdot \hat{a}^{-r}$ to appear in the
clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$, which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special soundness. To ease the entire proof, we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generators $g$ and $\hat{g}$, which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown.
\vspace{-1mm}
\begin{description}
\item[\textsf{Commit}] Given $({\sigma}, \vec{m})$, conduct the following steps. \vspace{-1mm}
\end{description}
\begin{enumerate}
\item Commit to $d_1 := \hat{g}_2^{m_1} \cdots \hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} \in \hat{\GG}$
and $d_2 := \hat{g}_{\ell+3}^{m_1} \cdots \hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3} \in \hat{\GG}$.
To this end, choose
$r_1, r_2 \sample \ZZ_p$ and compute $\hat{D}_1 = d_1 \cdot \hat{g}^{r_1}$ and $\hat{D}_2 = d_2 \cdot \hat{g}^{r_2}$.
\item In order to prove knowledge of an opening of commitments $\hat{D}_1, \hat{D}_2 \in \Gh$ to the same message $\vec{m} = (m_1, \ldots, m_\ell) \in \ZZ_p^\ell$,
choose $s_1, s_2, u_1, \ldots, u_\ell \sample \ZZ_p$
and compute $\hat{E}_1 = \hat{g}_2^{u_1} \cdots \hat{g}_{\ell+1}^{u_\ell} \cdot \hat{g}^{s_1}$
and $\hat{E}_2 = \hat{g}_{\ell+3}^{u_1} \cdots \hat{g}_{2\ell+2}^{u_\ell} \cdot \hat{g}^{s_2}$.
\item Using $r_1, r_2 \in \ZZ_p$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$
and commit to $(\pi, \sigma_0, \sigma_1, \sigma_2, \sigma_3) \in \GG^5.$
For this purpose, choose $t_z, t_0, t_1, t_2, t_3 \sample \ZZ_p$ at random and set $C_z = \pi \cdot g^{t_z}$,
$C_i = \sigma_i \cdot g^{t_i}$, for $i \in \{0, \ldots, 3\}$, and
$\hat{D}_0 = \hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_{1}^{t_2} \cdot \hat{D}_{2}^{t_3} \cdot \hat{g}^{-t_0}.$
\item In order to prove (partial) knowledge of an opening to $(C_z, C_0, C_1, C_2, C_3, \hat{D}_0)$, compute
$\hat{E}_0 = \hat{g}_z^{v_z} \cdot \hat{g}_1^{v_1} \cdot \hat{D}_{1}^{v_2} \cdot \hat{D}_{2}^{v_3} \cdot \hat{g}^{-v_0}$
for random $v_z, v_0, v_1, v_2, v_3 \sample \ZZ_p$.
\item Prove that $C_0$ is well-formed relative to the values committed in $C_2, C_3$ and the coins
$r_1, r_2 \in \ZZ_p$ used in $\hat{D}_1, \hat{D}_2$. To this end, prove knowledge of the representation
$C_0 = C_2^{r_1} \cdot C_3^{r_2} \cdot {g}^{t_4},$ where $t_4 = t_0 - r_1 \cdot t_2 - r_2 \cdot t_3$. To do this, compute
$F_0 = C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4 \sample \ZZ_p$ and where $s_1, s_2 \in \ZZ_p$ are the random coins used in $\hat{E}_1, \hat{E}_2$.
\item To prove that $t_4 = t_0 - r_1 \cdot t_2 - r_2 \cdot t_3$, (re-)commit to $t_0, t_2, t_3, t_4 \in \ZZ_p$ by picking $x_2, x_3, x_4 \sample \ZZ_p$ and computing
$$T_i = g^{t_i} \cdot f^{x_i} \qquad \forall i \in \{0, 2, 3, 4\},$$ where $x_0 = x_2 \cdot r_1 + x_3 \cdot r_2 + x_4$. Ensure that committed
variables coincide with those of previous steps by computing $$\{V_i = g^{v_i} \cdot f^{y_i}\}_{i \in \{0, 2, 3, 4\}},$$ where
$y_0, y_2, y_3, y_4 \sample \ZZ_p$. To prove the equality $T_0 = T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1, s_2 \in \ZZ_p$ from steps 2 and 5 to compute
$S_0 = T_2^{s_1} \cdot T_3^{s_2}$.
\medskip
\item[~~~Finally,] keep $C_z \in \GG$ and all the random coins in $\mathsf{aux}$,
\item[~~~and] output
\begin{equation}\label{eq-comm-2}
\begin{aligned}
\mathsf{com} = \Bigl(
\{C_i\}_{i=0}^3, F_0, \{(T_i, V_i)\}_{i=0,2,3,4},~~~\\
S_0, \{(\hat{D}_i, \hat{E}_i)\}_{i=0}^2
\Bigr) \in \GG^{14} \times \hat{\GG}^{6}
\end{aligned}
\end{equation}
\end{enumerate} \vspace{-2mm}
%
\begin{description}
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho \sample \ZZ_p$ uniformly at random and return $\mathsf{chall} = \rho$.
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall} = \rho$, compute: % the following elements over $\ZZ_p$:
\end{description} \vspace{-4mm}
%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and
\begin{enumerate}
\item $\bar{m}_i = \rho \cdot m_i + u_i$, for $i = 1$ to $\ell$, $\bar{r}_1 = \rho \cdot r_1 + s_1$,
and $\bar{r}_2 = \rho \cdot r_2 + s_2$;
\item $w_z = \rho \cdot t_z + v_z$ and $w_i = \rho \cdot t_i + v_i$, for $i = 0$ to $3$;
\item $w_4 = \rho \cdot t_4 + v_4$, where $t_4 := t_0 - r_1 \cdot t_2 - r_2 \cdot t_3$ (as in step 5 of \textsf{Commit});
\item $z_i = \rho \cdot x_i + y_i$ for each $i \in \{0, 2, 3, 4\}$. \smallskip
\item[~~~Output] $\mathsf{resp} \in \GG \times \ZZ_p^{\ell+12}$ as
\begin{align*}
%\mathsf{resp}=
\bigl(C_z, \{\bar{m}_i\}_{i=1}^\ell, \bar{r}_1, \bar{r}_2,
w_z, \{w_i\}_{i=0}^4, \{z_i\}_{i=0,2,3,4}\bigr).
\end{align*} \vspace{-5mm}
\end{enumerate}
%
\begin{description}
\item[\textsf{Verify}] Given $(\mathsf{com}; \mathsf{chall}; \mathsf{resp})$, return $0$ if it does not parse correctly or if the following relations do not hold: \vspace{-2mm}
\end{description}
\begin{enumerate}
\item $(\hat{D}_1 / \hat{g}_{\ell+2})^{\, \rho} \cdot \hat{E}_1
= \hat{g}_2^{\, \bar{m}_1} \cdots \hat{g}_{\ell+1}^{\, \bar{m}_\ell} \cdot \hat{g}^{\bar{r}_1}$ and
$(\hat{D}_2 / \hat{g}_{2\ell+3})^{\, \rho} \cdot \hat{E}_2
= \hat{g}_{\ell+3}^{\, \bar{m}_1} \cdots \hat{g}_{2\ell+2}^{\, \bar{m}_\ell} \cdot \hat{g}^{\bar{r}_2}$;
\item $\hat{D}_0^{\, \rho} \cdot \hat{E}_0
= \hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} \cdot \hat{D}_{1}^{w_2} \cdot \hat{D}_{2}^{w_3} \cdot \hat{g}^{-w_0}$ and
$C_0^{\, \rho} \cdot F_0 = C_2^{\, \bar{r}_1} \cdot C_3^{\, \bar{r}_2} \cdot {g}^{w_4}$.
\item $T_i^{\rho} \cdot V_i = g^{w_i} f^{z_i}$ for each $i \in \{0, 2, 3, 4\}$ and
\begin{eqnarray}\label{last-ver-sig}
(T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.
\end{eqnarray} \vspace{-5mm}
%\end{enumerate}
%
\item[~~~Then,] return $1$ if and only if
%
\begin{align}\label{eq-vrf-2}
\lefteqn{e(C_0, \hat{g}) \cdot e(g, \hat{D}_0) \cdot e(\Omega, \hat{g}_{2\ell+4})^{-1}} \\ \nonumber
& \quad = \, e(C_1, \hat{g}_1) \cdot e(C_2, \hat{D}_1) %\\ \qquad
\cdot e(C_3, \hat{D}_2) \cdot e(C_z, \hat{g}_z).
\end{align}
%
% and $0$ otherwise. \vspace{-1mm}
\end{enumerate}
\noindent
It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of the
underlying signatures.
Moreover, the prover's first message $\mathsf{com}$ is of constant size, and the communication complexity of the protocol exceeds the length of the witness by
a constant additive overhead.
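As an added illustration (not code from the thesis), the following Python models the purely scalar part of the protocol: step 6 of \textsf{Commit}, item 3 of \textsf{Verify} (equation (\ref{last-ver-sig})), and the special-soundness extractor for that part, over a constructed toy group (the order-$Q$ subgroup of $\ZZ_P^*$ with toy-sized constants, where $Q$ plays the role of $p$). The pairing-based checks are not modelled; what it shows is how the quadratic relation $t_4 = t_0 - r_1 t_2 - r_2 t_3$ is proven and why a witness violating it is rejected.

```python
import secrets

# Constructed toy parameters, not the thesis' own: order-Q subgroup of Z_P^*, P = 2Q + 1.
# In the real protocol this is the pairing group G at cryptographic size, with Q = p.
P, Q = 2039, 1019
G, F = 4, 9            # generators of the order-Q subgroup; log_G(F) assumed unknown
IDX = (0, 2, 3, 4)     # indices of the re-committed scalars t_0, t_2, t_3, t_4

def commit(t, r1, r2):
    """Step 6: T_i = g^t_i f^x_i (x_0 = x_2 r_1 + x_3 r_2 + x_4), V_i = g^v_i f^y_i, S_0."""
    x = {i: secrets.randbelow(Q) for i in (2, 3, 4)}
    x[0] = (x[2] * r1 + x[3] * r2 + x[4]) % Q          # makes T_0 = T_2^{r_1} T_3^{r_2} T_4
    v = {i: secrets.randbelow(Q) for i in IDX}
    y = {i: secrets.randbelow(Q) for i in IDX}
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)  # the s_1, s_2 shared with step 2
    T = {i: pow(G, t[i], P) * pow(F, x[i], P) % P for i in IDX}
    V = {i: pow(G, v[i], P) * pow(F, y[i], P) % P for i in IDX}
    S0 = pow(T[2], s1, P) * pow(T[3], s2, P) % P
    aux = {"t": t, "x": x, "v": v, "y": y, "s": (s1, s2), "r": (r1, r2)}
    return {"T": T, "V": V, "S0": S0}, aux

def respond(aux, rho):
    """Response: w_i = rho t_i + v_i, z_i = rho x_i + y_i, rbar_j = rho r_j + s_j (mod Q)."""
    w = {i: (rho * aux["t"][i] + aux["v"][i]) % Q for i in IDX}
    z = {i: (rho * aux["x"][i] + aux["y"][i]) % Q for i in IDX}
    rbar = tuple((rho * r + s) % Q for r, s in zip(aux["r"], aux["s"]))
    return {"w": w, "z": z, "rbar": rbar}

def verify(com, rho, resp):
    """Item 3 of Verify: T_i^rho V_i = g^w_i f^z_i and (T_0/T_4)^rho S_0 = T_2^rbar_1 T_3^rbar_2."""
    T, V = com["T"], com["V"]
    for i in IDX:
        if pow(T[i], rho, P) * V[i] % P != pow(G, resp["w"][i], P) * pow(F, resp["z"][i], P) % P:
            return False
    lhs = pow(T[0] * pow(T[4], -1, P) % P, rho, P) * com["S0"] % P
    rb1, rb2 = resp["rbar"]
    return lhs == pow(T[2], rb1, P) * pow(T[3], rb2, P) % P

def extract(rho, resp, rho2, resp2):
    """Special soundness: two accepting transcripts on one com, rho != rho2, give t_i and r_j."""
    inv = pow((rho - rho2) % Q, -1, Q)                   # 1 / (rho - rho') mod Q
    t = {i: (resp["w"][i] - resp2["w"][i]) * inv % Q for i in IDX}
    r = tuple((a - b) * inv % Q for a, b in zip(resp["rbar"], resp2["rbar"]))
    return t, r

def demo(t0=123, t2=456, t3=789, r1=31, r2=57):
    """Honest run under two challenges, witness extraction, and a run with a wrong t_4."""
    t = {0: t0, 2: t2, 3: t3, 4: (t0 - r1 * t2 - r2 * t3) % Q}
    com, aux = commit(t, r1, r2)
    rho, rho2 = 17, 911                                   # two distinct challenges in Z_Q
    resp, resp2 = respond(aux, rho), respond(aux, rho2)
    accepted = verify(com, rho, resp) and verify(com, rho2, resp2)
    t_ext, r_ext = extract(rho, resp, rho2, resp2)
    extracted = t_ext == t and r_ext == (r1, r2)
    bad = {**t, 4: (t[4] + 1) % Q}                        # violates t_4 = t_0 - r_1 t_2 - r_2 t_3
    com_bad, aux_bad = commit(bad, r1, r2)
    rejected = not verify(com_bad, rho, respond(aux_bad, rho))   # fails the (T_0/T_4) check
    return accepted, extracted, rejected
```

The per-item checks $T_i^\rho V_i = g^{w_i} f^{z_i}$ still pass for the bad witness; only the relation between $T_0$, $T_2$, $T_3$, $T_4$ catches it, which is why step 6 is needed in addition to step 5.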
\vspace { -1mm}
\begin { theorem}
The above interactive scheme is a secure $\Sigma$-protocol for the language $L_{sig}$ induced by the relation
$R_{sig}(\mathsf{pk}, (\vec{\sigma}, \vec{m})) = 1$ if and only if $\mathsf{Verify}'(\mathsf{pk}, \vec{\sigma}, \vec{m}) = 1$,
where $(\mathsf{KeyGen}, \mathsf{Sign}, \mathsf{Verify}')$ is the signature of Section~\ref{scal-sig}.
\end{theorem}
\begin{proof}
\emph{Correctness.}
Expanding an honestly generated $\hat{D}_0 = \hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_1^{t_2} \cdot \hat{D}_2^{t_3} \cdot \hat{g}^{-t_0}$ in equation (\ref{eq-vrf-2}) and regrouping the pairing factors gives
%
\begin{multline*} %\label{eq-vrf-corr-1}
\quad
e(C_0 \cdot {g}^{-t_0}, \hat{g}) \cdot e(\Omega, \hat{g}_{2\ell+4})^{-1} \\ %& \quad \!\!
= \, e(C_1 \cdot {g}^{-t_1}, \hat{g}_1) \cdot e(C_2 \cdot {g}^{-t_2}, \hat{D}_1) \\ %\nonumber &
\cdot \, e(C_3 \cdot {g}^{-t_3}, \hat{D}_2) \cdot e(C_z \cdot {g}^{-t_z}, \hat{g}_z).
\end{multline*}
%
Now, expanding the commitments to group elements in $\GG$ reduces this equation to
%
\begin{align*} %\label{eq-vrf-corr-2}
\lefteqn{e(\sigma_2^{r_1} \cdot \sigma_3^{r_2}, \hat{g}) \cdot e(\Omega, \hat{g}_{2\ell+4})^{-1}}
\\ %\nonumber
& \quad = \, e(\sigma_1, \hat{g}_1) \cdot e(\sigma_2, \hat{D}_1) \cdot e(\sigma_3, \hat{D}_2) \cdot e(\pi, \hat{g}_z)
\end{align*}
%
which holds true for valid witnesses when $\hat{D}_1 = d_1 \cdot \hat{g}^{r_1}$ and $\hat{D}_2 = d_2 \cdot \hat{g}^{r_2}$.
The remaining verifications of items 1, 2 and 3 follow from the correctness of the built-in $\Sigma$-protocols.
\medskip
\noindent \emph{Special-Soundness.} Let us assume two accepting transcripts $(\mathsf{com}, \rho, \mathsf{resp})$, $(\mathsf{com}, \rho', \mathsf{resp}')$ with $\rho \neq \rho'$.
The special soundness of the sub-protocols involving $\hat{D}_1, \hat{D}_2$ (with $\hat{E}_1, \hat{E}_2$)
-- consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify} --
ensures the extraction of $m_1, \ldots, m_\ell, r_1, r_2$ satisfying
$\hat{D}_1 = d_1 \cdot \hat{g}^{r_1}$, where $d_1 = \hat{g}_2^{m_1} \cdots \hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2}$, and
$\hat{D}_2 = d_2 \cdot \hat{g}^{r_2}$, where $d_2 = \hat{g}_{\ell+3}^{m_1} \cdots \hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}$.
From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z, t_0, t_1, t_2, t_3, t_4)$ such
that $\hat{D}_0 = {\hat{g}_z}^{t_z} \cdot {\hat{g}_1}^{t_1} \cdot {\hat{D}_{1}}^{t_2} \cdot {\hat{D}_{2}}^{t_3} \cdot {\hat{g}}^{-t_0}.$
Moreover, together with the previously extracted $(r_1, r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0 = C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$.
%
We now state that the quantities $\{\sigma_i = C_i \cdot {g}^{-t_i}\}_{i \in \{1, 2, 3\}}$ and $\pi = C_z \cdot {g}^{-t_z}$ satisfy (\ref{sig-ver-1}),
so that, together with $\vec{m} = (m_1, \ldots, m_\ell)$, they form a valid witness for $R_{sig}$. Namely,
$({\sigma}, \vec{m}) = ((\sigma_1, \sigma_2, \sigma_3, \pi), (m_1, \ldots, m_\ell))$ is a valid message-signature pair.

To see this, define $\sigma_0 = C_0 \cdot g^{-t_0}$. Since equation (\ref{eq-vrf-2}) holds by hypothesis, if we expand
all commitments using the extracted values, we find
%
\begin{align*} %\label{eq-sound-1}
\lefteqn{e(\sigma_0, \hat{g}) \cdot e(\Omega, \hat{g}_{2\ell+4})^{-1}} \\ %\nonumber
& \; = \, e(\sigma_1, \hat{g}_1) \cdot e(\sigma_2, d_1 \cdot \hat{g}^{r_1})
\cdot e(\sigma_3, d_2 \cdot \hat{g}^{r_2}) \cdot e(\pi, \hat{g}_z).
\end{align*}
%
We are thus left with showing that $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$ or, equivalently,
$e(\sigma_0, \hat{g}) = e(\sigma_2, \hat{g}^{r_1}) \cdot e(\sigma_3, \hat{g}^{r_2})$. Remember that, from step 2 of $\mathsf{Verify}$, we know that
the extracted $(r_1, r_2, t_4) \in \ZZ_p^3$ form a representation of $C_0$ w.r.t.