thesis/chap-sigmasig.tex

453 lines
24 KiB
TeX
Raw Normal View History

2018-04-12 09:03:12 +00:00
\chapter{Pairing-Based Dynamic Group Signatures}
2018-04-04 16:46:37 +00:00
\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
2018-04-12 09:03:12 +00:00
\label{ch:sigmasig}
2018-04-11 16:00:51 +00:00
2018-04-12 16:42:39 +00:00
%-----------------------------------------------------------------------
\section{Building blocks}
We use bilinear maps $e:\GG \times \Gh \to \GT$ over
groups of prime order $p$ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref{se:pairings}. All these definitions are recalled below.
\defPairings*
\defSXDH*
\defSDL*
\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Briques de base}
\subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk}
\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Argument NIZK quasi-adaptatif pour un sous-espace linéaire}
Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS)
may depend on the language for which proofs have to be generated.
Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}.
This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix.
In the description below, we assume that all
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric
bilinear groups $(\GG,\Gh,\GG_T,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
In this setting the problem is to convince that $\boldsymbol v$ is a linear combination of the rows of a given
$\mathbf{M}\in\GG^{t\times n}$.
Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH.
We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$.
\begin{description}
\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:]
Given public parameters $\mathsf{cp}=(\GG,\Gh,\GG_T,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$.
Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$
and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$.
Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and
output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big)
\in \GG^t\times\Gh^{n+1}$.
\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol v}, \{\omega_i\}_{i=1}^t)$:]
To prove that ${\boldsymbol v}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$,
for some witness $\omega_1,\ldots,\omega_t \in \Zp$,
where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$,
parse $\mathsf{crs}$ as above
and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$.
\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol v})$:]
In order to simulate a proof for a vector ${\boldsymbol v} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $,
output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $.
\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol v}, \pi)$:]
Given $\pi \in \GG$ and ${\boldsymbol v}=(v_1,\dotsc,v_n)$,
return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies
$ 1_{\GG_T} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
\end{description}
The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable.
This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.
This requirement is compatible with our security proofs.
\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
Moreover, we show that their scheme remains unforgeable under the SXDH assumption.
\begin{description}
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$.
\end{description}
\begin{enumerate}
\item Choose $\omega,a \sample \Zp$,
and set $h=g^a$,
$\Omega=h^{\omega}$.
\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$.
\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$
\begin{equation}\label{matrix-scal-sig}
\mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} =
\setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3}
\left(\begin{array}{c|c|c|c}
g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline
\vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}}
& \mathbf{1}_{{}_{\ell+1}}^\top
\end{array}\right) ,
\end{equation}
where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk}
to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$.
\bigskip
\item[]
The private key is $ \mathsf{sk}:=\omega $ and the public key is
\begin{align*}
\mathsf{pk}=\Bigl(
\mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w)
,~\Omega=h^\omega,~\mathsf{crs}
\Bigr).
\end{align*}
\end{enumerate}
\begin{description}
\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given
the private key $\mathsf{sk}=\omega$ and a message
$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute
\begin{align*}
\sigma_1 &
= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
\sigma_2 & = g^{s}, & \sigma_3 & = h^{s} .
\end{align*}
Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that
the following vector of $\GG^{2\ell+4}$
\begin{align} \label{eq:vector}
(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,
\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)
\end{align}
is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
z_{\ell+2})^{s}.$
Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.
\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$]
parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$
if and only if
\begin{align} \label{sig-ver-1}
e(\Omega,\hat{g}_{2\ell+4})^{-1} =
&~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber
&~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) \\ \nonumber
&~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) .
\end{align}
\end{description}
The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$
while the verification equation only involves a computation of 5 pairings.
\begin{theorem} \label{th:eu-cma-1}
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GG_T)$.
\end{theorem}
\begin{proof}
We will proceed as in~\cite{LPY15} to prove that the scheme of
section~\ref{scal-sig} is secure under chosen-message attacks. Namely we will consider a sequence of hybrid games involving two
kinds of signatures. \vspace{-0.1 cm}
\begin{description}
\item[Type A signatures:] These are real signatures:
\begin{equation} \label{eq:rel-sig-A}
\begin{aligned}
\sigma_1 &= g^\omega \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, &
\sigma_2 &= g^s, \\
\pi &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
z_{\ell+2})^{s} ,&
\sigma_3 &= h^s.
\end{aligned}
\end{equation}
Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$
is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as
\begin{equation}
\label{eq:rel-sim-A}
\begin{aligned}
\pi &= \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad &
\left( \prod_{i=\ell + 3}^{2 \ell + 2} \sigma_3^{-\chi_i m_{i - \ell - 2}} \right) \cdot
\sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} .
\end{aligned}
\end{equation}
\end{description} \smallskip
\noindent We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no
restriction is given on $\pi$ beyond the fact that it should be a valid
homomorphic signature on vector~\eqref{eq:vector}.
\smallskip
\begin{description}
\item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and
compute:
\begin{equation*}
\begin{gathered}
(\sigma_1,\sigma_2,\sigma_3) =( g^{\omega'} \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, ~ g^s, ~ h^{s+s_1}),
\end{gathered}
\label{eq:rel-sig-B}
\end{equation*}
The QA-NIZK proof $\pi$ is
computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$.
\end{description}
\smallskip
We consider a sequence of games.
In Game $i$, $S_i$ denotes the event that $\adv$
produces a valid signature $\sigma^\star$ on $M^\star$ such that
$(M^\star, \sigma^\star)$ was not queried before, and by $E_i$ the event that
$\adv$ produces a Type $\mathrm{A}'$ signature.
\begin{description}
\item[Game 0:] This is the real game. The challenger $\bdv$ produces
a key pair $(\mathsf{sk}, \mathsf{pk})$ and sends $\mathsf{pk}$ to $\adv$. Then $\adv$
makes $Q$ signature queries: $\adv$ sends messages $M_i$ to $\bdv$, and $\bdv$
answers by sending $\sigma_i = \Sign(\mathsf{sk}, M_i)$ to $\adv$. Finally $\adv$
sends a pair $(M^\star, \sigma^\star) \notin \{ (M_i, \sigma_i) \}_{i=1}^Q$
and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.
\item[Game 1:] We change the way $\bdv$ answers signing queries.
The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs
using $\mathsf{tk}$
as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated
proofs for true statements, and then their distribution remains unchanged.
We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge
\neg E_1]$.
Lemma~\ref{le:type-a-sig} states
that the event $S_1 \wedge
\neg E_1$ happens with all but negligible probability: $\Pr[S_1 \wedge
\neg E_1] \leq \advantage{\DDH}{\Gh}(\lambda) - 1/p$. Thus our task is now
to upper-bound the probability $\Pr[S_1 \wedge E_1]$.
\item[Game 2.$\boldsymbol{k~(0 \leq k \leq Q)}$:] In Game $2.k$, the
challenger returns a Type B signature for the first $k$ queries. At the
last $Q - k$ signature queries, the challenger answers a type $A$
signature. \cref{le:type-b-sig} ensures that
\[\left| \Pr\Bigl[S_{2.k} \wedge E_{2.k}\Bigr] - \Pr\Bigl[S_{2.(k-1)} \wedge E_{2.(k-1)}\Bigr] \right|\]
is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.
\end{description}
In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$
forgery even if it only obtains type B signatures during the game.
Nevertheless, lemma~\ref{le:final-forgery} shows
that a type $\mathrm{A}'$ forgery in Game
$2.Q$ contradicts the DDH assumptions in $\GG$. Therefore we have
$\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by
\begin{multline*}
\advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\
< (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right).
\end{multline*}
\end{proof}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{lemma} \label{le:type-a-sig}
In \textbf{Game 1}, if the DDH assumption holds in $\Gh$, $\adv$ can only output a type $A'$
forgery.
\end{lemma}
\begin{proof}
Let $\adv$ be an attacker that does not
output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the
Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing
problem that reduces from DDH as explained in~\cite{LPJY13}.
Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as
\[
\ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega)
\in \GG^{2\ell + 4}.
\]
If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row
space of $\mathbf{M}$.
Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\hat\GG,\GG_T,p)$, a matrix ${\mathbf{M}}$ as in
(\ref{matrix-scal-sig}) and a common
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.
Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
\begin{align*}
\mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr).
\end{align*}
Since $\bdv$ knows the secret key $\omega \in \Zp$, it can answer all signing queries by honestly
running the $\Sign$ algorithm, in particular, it does not need to know $\mathsf{tk}$ to do this.
When $\adv$ halts, it outputs $(M^\star, \sigma^\star)$ where $\sigma^\star$ is not a Type $\mathrm{A}'$ forgery, so that $\ssigma$ is not in the row space of $\mathbf{M}$.
Therefore, outputting $\pi^\star$ constitutes a valid proof against the soundness property of the
scheme, and thus implies an algorithm against DDH as in~\cite{KW15} since the matrix can be
witness-samplable.
\end{proof}
\begin{lemma} \label{le:type-b-sig}
If DDH holds in $\GG$, for each $k \in
\{1,\ldots, Q \}$, $\adv$ produces a type $A'$ forgery with negligibly different probabilities in \textbf{Game $\boldsymbol{2.k}$} and \textbf{Game $\boldsymbol{2.(k-1)}$}.
\end{lemma}
%
\begin{proof}
Let us assume there exists an index $k \in \{1, \ldots, Q\}$ and an adversary $\adv$ that outputs a
Type $\mathrm{A}'$ forgery with smaller probability in Game $2.k$ than in Game
$2.(k-1)$. We build a DDH distinguisher $\bdv$. \medskip
\\
Algorithm $\bdv$ takes in $(g^a, g^b, \eta) \in \GG^3$, where $\eta =
g^{a(b+c)}$, and decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It
picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \Zp$
and sets $\Omega = h^\omega$ as well as:
\[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \]
% in order to have the discrete logs of $v_i$ and $w$. \medskip
% \\
The reduction $\bdv$ also chooses $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ and
computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{2\ell+4}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$
as in steps 3-4 of \textsf{Keygen}. It then outputs $\mathsf{pk}=(g,h,\hat g, \vec{v}, \omega,\mathsf{crs})$.
\smallskip
Then, queries are answered depending on their index~$j$:\\
\textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,
\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator
to computes $\pi$.
\noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows
and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs.
\noindent\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$
depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,
and
$ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $
Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.
\smallskip
If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is
a Type A signature with $s=b$. If $\eta = g^{a(b+c)}$ for some $c
\in_R \Zp$, we have:
\begin{align*}
\sigma_1 & = g^\omega g^{ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b\\
& = g^{\omega'} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b \\
\sigma_2 &= g^b, \qquad \qquad \qquad \qquad \qquad
\sigma_3 = h^{b+c}
\end{align*}
Where $\omega' = \omega + ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)$. Since the term $b_w +
\sum_{i=1}^\ell b_{v_i}m_i$ is uniform and independent of $\adv$'s view, $\sigma$ is
distributed as a Type B signature if $\eta = g^{a(b+c)}$.
When $\adv$ terminates, it outputs a couple $(m_1^\star\cdots m_\ell^\star, \sigma^\star)$ that has not been queried
during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a
Type $\mathrm{A}'$ forgery or not. To this end, it tests if the equality:
\begin{equation} \label{eq:verif-proof}
\sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star}
\end{equation}
is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta = g^{ab}$. Otherwise it outputs
$0$ and rather bets that $\eta \in_R \GG$.
To see why this test allows recognizing Type $\mathrm{A}'$ forgeries,
we remark that $\sigma^\star$ is of the form:
\begin{align*}
\sigma^\star_2 & = g^s , &
\sigma^\star_3 & = h^{s + s_1} , &
\sigma^\star_1 & = g^{\omega + s_0} (v_1^{m^\star_1} \cdots v_\ell^{m^\star_\ell} w)^s ,
\end{align*}
and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that
$s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell b_{v_i} \cdot m_i^\star)$ if the forgery fulfills
relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$
meaning that Type $\mathrm{B}$ forgery passes the test with the same probability.
%\noindent And the goal of $\bdv$ is to decide if $(s_0, s_1) = (0, 0)$ or not. We notice that if
%$s_0 \neq 0$ and $s_1 = 0$, then the relation~\eqref{eq:verif-proof} cannot be satisfied. We then
%have the case $s_1 \neq 0$ left which implies that $s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell
%b_{v_i} \cdot m_i^\star)$ to satisfy~\eqref{eq:verif-proof}, which can only happen with
%probability $1/p$.
From the entire game, and assuming a forgery which passes the test, we have the following linear system:
%On the other hand, the information that $\adv$ can infer about
%$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
%during the game amounts to the first
%$\ell + 2$ rows of the right-hand-side member in the following linear system:
\[
\left(
\bgroup
\def\arraystretch{1.5}
\begin{array}{c|c}
\mathbf{I}_{\ell+1} & a \cdot \mathbf{I}_{\ell + 1}\\ \hline
\boldsymbol{0}_{\ell + 1}^{\top} & ac \cdot( m_1 | \cdots | m_\ell | 1) \\ \hline
\boldsymbol{0}_{\ell + 1}^{\top} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1)
\end{array}
\egroup
\right) \cdot
% \begin{pmatrix}
% 1 & & & a & & \\
% & \ddots & & & \ddots & \\
% & & 1 & & & & a \\
% & & & a c \cdot m_1 & \cdots & a c \cdot m_\ell & ac \\
% & & & a c \cdot m_1^\star & \cdots & a c \cdot m_\ell^\star & ac
% \end{pmatrix} \cdot
\begin{pmatrix}
a_{v_1} \\ \vdots \\ a_{v_\ell} \\ a_w\\
b_{v_1} \\ \vdots \\ b_{v_\ell} \\ b_w
\end{pmatrix}
=
\begin{pmatrix}
\log_g(v_1) \\ \vdots \\ \log_g(v_\ell) \\ \log_g(w) \\
\omega' - \omega \\ s_0
\end{pmatrix}
\]
where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$
is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when
$c=0$ since then $\omega' = \omega$. However, even if $c\neq 0$ the information that $\adv$ can infer about
$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that
this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension
at least one (actually $\ell=(2\ell+2) -(\ell+2)$). Finally, as long as $s_1\neq 0$, the right value $s_0$
can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others
as soon as $(m_1, \ldots, m_\ell) \neq (m^\star_1, \ldots, m^\star_\ell) \neq 0$.
To conclude the proof, since $\bdv$ is able the tell apart the type of the forgery, if $\adv$'s probability to
output a forgery of some Type in Game $k-1$ (\textit{i.e.}, $c=0$) was significantly different than in Game $k$
(\textit{i.e.}, $c\neq0$) then $B$ would be able to solve the DDH problem with non-negligible advantage.
\end{proof}
\begin{lemma} \label{le:final-forgery}
In \textbf{Game $\boldsymbol{2.Q}$}, a PPT adversary outputting a type $A'$ forgery would contradict
the DDH assumption in $\GG$:
$ \Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda).$
\end{lemma}
\begin{proof}
We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at
least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega =
h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g
\sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes
$ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates
$\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$,
$\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$
as in step 3-4 of the key generation algorithm, then sends the public key
$ pk = \bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, \mathsf{crs}\bigr) $ to $\adv$.
%\begin{multline*}
% pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega,
% \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr)
%\end{multline*}
\noindent $\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle
signing queries. We recall that during the game, signing queries are answered by returning a
Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the
$\omega = \log_h(\Omega)$ which is part of the CDH challenge.
The results of Lemma~\ref{le:type-b-sig} implies that even if $\adv$ only obtains Type B signatures,
it will necessarily output a Type $\mathrm{A}'$ forgery
$\sigma^\star = (\sigma^\star_1, \sigma^\star_2, \sigma^\star_3, \pi^\star)$
unless the DDH assumption does not hold in $\GG$.
This event thus allows $\bdv$ to compute
\[g^\omega = \sigma_1^\star \cdot {\sigma_2^\star}^{-a_w - \sum_{i=1}^\ell a_{v_i} m_i^\star}_{},\]
which contradicts the DDH assumption in $\GG$.
\end{proof}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
2018-04-12 09:03:12 +00:00