thesis/chap-sigmasig.tex

1453 lines
97 KiB
TeX
Raw Normal View History

2018-04-19 13:05:11 +00:00
% \chapter{Pairing-Based Dynamic Group Signatures}
% \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
% \label{ch:sigmasig}
%-------------------------------------------------
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
2018-04-30 12:54:55 +00:00
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
2018-04-19 13:05:11 +00:00
2018-05-02 13:50:49 +00:00
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
Users can dynamically obtain credentials from an issuer that only knows users' pseudonyms and obliviously sign users' secret keys as well as a set of attributes.
Later on, users can make themselves known to verifiers under a different pseudonym and demonstrate possession of the issuer's certificate on their secret key withour revealing neither the signature nor the key.
In this context, signature with efficient protocols can typically be used as follows:
the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret message-signature pair.
2018-04-19 13:05:11 +00:00
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
2018-04-30 12:54:55 +00:00
We note that beside the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
2018-04-19 13:05:11 +00:00
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
2018-04-18 07:28:32 +00:00
2018-04-19 13:05:11 +00:00
In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
2018-04-30 12:54:55 +00:00
From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
2018-04-19 13:05:11 +00:00
2018-04-30 12:54:55 +00:00
This signature length is made possible by using efficient $\QANIZK$ arguments -- as presented in~\cref{sse:zk-nizk} and formally defined in~\cite{JR13} -- to prove the belonging to some linear subspace spanned by the rows of a matrix.
For this purpose, it was shown that for this specific task, the size of the argument may be independent of the dimension of the considered subspace~\cite{JR14,LPJY14,KW15}.
The signature scheme described in this chapter (\cref{scal-sig}) crucially takes advantage of this observation as $\ell$-block messages are certified using a $\QANIZK$ argument for a subspace of dimension $\bigO(\ell)$.
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
2018-04-18 07:28:32 +00:00
2018-04-30 12:54:55 +00:00
As another showcase for this signature, we also design another primitives.
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
In this Chapter, we will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
2018-04-12 16:42:39 +00:00
2018-04-13 13:46:34 +00:00
%--------------------------------------------------
2018-04-12 16:42:39 +00:00
\section{Building blocks}
2018-04-13 13:41:25 +00:00
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Briques de base}
2018-04-12 16:42:39 +00:00
We use bilinear maps $e:\GG \times \Gh \to \GT$ over
groups of prime order $p$ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref{se:pairings}. All these definitions are recalled below.
\defPairings*
\defSXDH*
\defSDL*
2018-04-13 16:52:15 +00:00
\subsection{Quasi-Adaptive $\NIZK$ Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument $\NIZK$ quasi-adaptatif pour un sous-espace linéaire}
2018-04-12 16:42:39 +00:00
2018-04-13 16:52:15 +00:00
Quasi-Adaptive $\NIZK$ (\QANIZK) proofs \cite{JR13} are $\NIZK$ proofs where the common reference string (CRS)
2018-04-13 13:50:34 +00:00
may depend on the language for which proofs have to be generated.
2018-04-13 16:52:15 +00:00
Formal definitions are given in \cite{JR13,LPJY14,KW15}.
2018-04-12 16:42:39 +00:00
2018-04-13 16:52:15 +00:00
This section recalls the \QANIZK argument of \cite{KW15} for proving membership in the row space of a matrix.
2018-04-13 13:50:34 +00:00
In the description below, we assume that all
algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric
2018-04-13 13:41:25 +00:00
bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.
2018-04-13 13:50:34 +00:00
In this setting the problem is to convince that $\boldsymbol{v}$ is a linear combination of the rows of a given
2018-04-12 16:42:39 +00:00
$\mathbf{M}\in\GG^{t\times n}$.
Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH.
We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$.
\begin{description}
2018-04-18 07:28:32 +00:00
\item[\textsf{Keygen}$(\mathsf{cp},\mathbf{M})$:]
Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$.
First, choose $\hat{g_z} \sample \U(\Gh)$. Pick $\mathsf{tk}=(\chi_1^{},\ldots,\chi_n^{}) \sample \U(\Zp^n)$
and compute $\hat{g}_j=\hat{g_z^{}}^{\chi_j}$, for all $j=1$ to $n$.
Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and
output
\[\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big)
\in \GG^t\times\Gh^{n+1}.\]
\item[\textsf{Prove}$(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:]
To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$,
for some witness $\omega_1,\ldots,\omega_t \in \Zp$,
where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$,
parse $\mathsf{crs}$ as above
and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$.
\item[\textsf{Sim}$(\mathsf{tk}, {\boldsymbol{v}})$:]
In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $,
output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $.
\item[\textsf{Verify}$(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:]
Given $\pi \in \GG$, ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$ and $\mathsf{crs}$ parsed as above,
return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies
$ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
2018-04-12 16:42:39 +00:00
\end{description}
2018-04-13 16:52:15 +00:00
The proof of the soundness of this \QANIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable.
2018-04-12 16:42:39 +00:00
This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.
This requirement is compatible with our security proofs.
\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}
2018-04-18 07:28:32 +00:00
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature%
\footnote{In F-unforgeability, the adversary only has to output a forgery for a message $M$ without outputting the message, but the image $F(M)$ for an injective function $F$ that is not necessarily efficiently invertible instead~\cite{BCKL08}. In~\cite{LPY15}, the function $F$ is $M \mapsto \hat{g}^M$.}
based on the $\SXDH$ assumption. We show that their scheme
2018-04-13 13:50:34 +00:00
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
2018-04-13 16:52:15 +00:00
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying \QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assumption.
2018-04-12 16:42:39 +00:00
\begin{description}
2018-04-13 13:50:34 +00:00
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
2018-04-18 07:28:32 +00:00
of prime order $p>2^{\lambda}$ with $g \sample \U(\GG)$, $\hat{g} \sample \U(\Gh)$.
2018-04-12 16:42:39 +00:00
\end{description}
\begin{enumerate}
2018-04-18 07:28:32 +00:00
\item Choose $\omega,a \sample \U(\Zp)$,
2018-04-12 16:42:39 +00:00
and set $h=g^a$,
$\Omega=h^{\omega}$.
2018-04-18 07:28:32 +00:00
\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \U(\GG^{\ell+1})$.
2018-04-13 13:50:34 +00:00
\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$
\begin{equation}\label{matrix-scal-sig}
\mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} =
\setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3}
\left(\begin{array}{c|c|c|c}
g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline
2018-05-17 12:15:14 +00:00
\vec{v}^T & g^{\mathbf{I}_{\ell+1}} & h^{\mathbf{I}_{\ell+1}}
& \mathbf{1}_{{}_{\ell+1}}^T
2018-04-12 16:42:39 +00:00
\end{array}\right) ,
\end{equation}
where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
2018-04-18 07:28:32 +00:00
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of \cref{sse:sigmasig-qa-nizk}
to get the common reference string
$\mathsf{crs}=\left(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z^{},~\{ \hat{g}_j \}_{j=1}^{2\ell+4} \right)$.
2018-04-12 16:42:39 +00:00
\bigskip
\item[]
2018-05-02 13:50:49 +00:00
The private key is $ \mathsf{sk}\coloneqq \omega $ and the public key is
2018-04-12 16:42:39 +00:00
\begin{align*}
\mathsf{pk}=\Bigl(
\mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}%=(v_1,\ldots,v_\ell,w)
,~\Omega=h^\omega,~\mathsf{crs}
\Bigr).
\end{align*}
\end{enumerate}
\begin{description}
2018-04-13 13:50:34 +00:00
\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given
the private key $\mathsf{sk}=\omega$ and a message
2018-04-18 07:28:32 +00:00
$\vec{m}\in \Zp^\ell$, choose $s \sample \U(\Zp)$ to compute
2018-04-12 16:42:39 +00:00
\begin{align*}
2018-04-13 13:50:34 +00:00
\sigma_1 &
= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
2018-04-12 16:42:39 +00:00
\sigma_2 & = g^{s}, & \sigma_3 & = h^{s} .
\end{align*}
2018-04-13 16:52:15 +00:00
Then, run $\mathsf{Prove}$ of the \QANIZK argument to prove that
2018-04-12 16:42:39 +00:00
the following vector of $\GG^{2\ell+4}$
\begin{align} \label{eq:vector}
2018-04-13 13:50:34 +00:00
(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,
\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)
2018-04-12 16:42:39 +00:00
\end{align}
2018-04-13 16:52:15 +00:00
is in the row space of $\mathbf{M}$. This \QANIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
2018-04-13 13:50:34 +00:00
z_{\ell+2})^{s}.$
2018-04-12 16:42:39 +00:00
Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.
2018-04-13 13:50:34 +00:00
\item[\textsf{Verify}$(\mathsf{pk},\sigma,\vec{m}):$]
parse $\sigma$ as above and $\vec{m}$ as a tuple $(m_1,\ldots,m_\ell)$ in $\Zp^\ell$ and return $1$
if and only if
2018-04-12 16:42:39 +00:00
\begin{align} \label{sig-ver-1}
e(\Omega,\hat{g}_{2\ell+4})^{-1} =
&~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber
2018-04-18 07:28:32 +00:00
&~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) %\\ \nonumber &~~~
\cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) .
2018-04-12 16:42:39 +00:00
\end{align}
\end{description}
2018-04-18 07:28:32 +00:00
The signature on $\ell$ scalars thus only consists of $4$ elements in $\GG$
while the verification equation only involves a computation of $5$ pairings\footnote{Actually only $4$ pairing computations are necessary, as $e(\Omega, \hat{g}_{2\ell+4})$ is independent of the inputs $\pi$ and $\vec{m}$, and can hence be precomputed.}.
2018-04-12 16:42:39 +00:00
\begin{theorem} \label{th:eu-cma-1}
2018-04-13 16:52:15 +00:00
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the $\SXDH$ assumption holds in $(\GG, \Gh, \GT)$.
2018-04-12 16:42:39 +00:00
\end{theorem}
\begin{proof}
2018-04-13 13:50:34 +00:00
We will proceed as in~\cite{LPY15} to prove that the scheme of
2018-04-12 16:42:39 +00:00
section~\ref{scal-sig} is secure under chosen-message attacks. Namely we will consider a sequence of hybrid games involving two
kinds of signatures. \vspace{-0.1 cm}
\begin{description}
\item[Type A signatures:] These are real signatures:
\begin{equation} \label{eq:rel-sig-A}
\begin{aligned}
\sigma_1 &= g^\omega \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, &
\sigma_2 &= g^s, \\
2018-04-13 13:50:34 +00:00
\pi &= z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot
z_{\ell+2})^{s} ,&
2018-04-12 16:42:39 +00:00
\sigma_3 &= h^s.
\end{aligned}
\end{equation}
2018-04-13 13:50:34 +00:00
Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$
2018-04-13 16:52:15 +00:00
is in the row space of $\mathbf{M}$, the \QANIZK proof $\pi$ has the same distribution as if it were computed as
2018-04-12 16:42:39 +00:00
\begin{equation}
\label{eq:rel-sim-A}
\begin{aligned}
2018-04-13 13:50:34 +00:00
\pi &= \sigma_1^{-\chi_1} \cdot \left( \prod_{i=2}^{\ell+1} \sigma_2^{-\chi_i m_{i-1}} \right) \cdot \sigma_2^{-\chi_{\ell + 2}} \cdot \quad \\ \quad &
2018-04-12 16:42:39 +00:00
\left( \prod_{i=\ell + 3}^{2 \ell + 2} \sigma_3^{-\chi_i m_{i - \ell - 2}} \right) \cdot
2018-04-13 13:50:34 +00:00
\sigma_3^{-\chi_{2\ell+3}} \cdot \Omega^{-\chi_{2 \ell + 4}} .
2018-04-12 16:42:39 +00:00
\end{aligned}
\end{equation}
\end{description} \smallskip
2018-04-30 14:12:03 +00:00
We also define \textbf{Type $\mathbf{A'}$} signatures as a generalization of
2018-04-12 16:42:39 +00:00
Type A signatures where only condition~\eqref{eq:rel-sig-A} are imposed and no
restriction is given on $\pi$ beyond the fact that it should be a valid
homomorphic signature on vector~\eqref{eq:vector}.
\smallskip
\begin{description}
2018-04-18 07:28:32 +00:00
\item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \U(\Zp)$ and
2018-04-12 16:42:39 +00:00
compute:
\begin{equation*}
\begin{gathered}
(\sigma_1,\sigma_2,\sigma_3) =( g^{\omega'} \cdot ( v_1^{m_1} \cdots v_\ell^{m_\ell} \cdot w)^s, ~ g^s, ~ h^{s+s_1}),
\end{gathered}
\label{eq:rel-sig-B}
\end{equation*}
2018-04-13 16:52:15 +00:00
The \QANIZK proof $\pi$ is
2018-04-12 16:42:39 +00:00
computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$.
\end{description}
\smallskip
2018-04-13 13:50:34 +00:00
We consider a sequence of games.
2018-04-12 16:42:39 +00:00
In Game $i$, $S_i$ denotes the event that $\adv$
produces a valid signature $\sigma^\star$ on $M^\star$ such that
$(M^\star, \sigma^\star)$ was not queried before, and by $E_i$ the event that
$\adv$ produces a Type $\mathrm{A}'$ signature.
\begin{description}
\item[Game 0:] This is the real game. The challenger $\bdv$ produces
a key pair $(\mathsf{sk}, \mathsf{pk})$ and sends $\mathsf{pk}$ to $\adv$. Then $\adv$
makes $Q$ signature queries: $\adv$ sends messages $M_i$ to $\bdv$, and $\bdv$
answers by sending $\sigma_i = \Sign(\mathsf{sk}, M_i)$ to $\adv$. Finally $\adv$
2018-04-13 13:50:34 +00:00
sends a pair $(M^\star, \sigma^\star) \notin \{ (M_i, \sigma_i) \}_{i=1}^Q$
2018-04-12 16:42:39 +00:00
and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.
\item[Game 1:] We change the way $\bdv$ answers signing queries.
2018-04-13 16:52:15 +00:00
The \QANIZK proofs $\pi$ are then computed as simulated \QANIZK proofs
2018-04-12 16:42:39 +00:00
using $\mathsf{tk}$
2018-04-13 16:52:15 +00:00
as in~\eqref{eq:rel-sim-A}. These \QANIZK proofs are thus simulated
2018-04-12 16:42:39 +00:00
proofs for true statements, and then their distribution remains unchanged.
We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge
2018-04-13 13:50:34 +00:00
\neg E_1]$.
Lemma~\ref{le:type-a-sig} states
2018-04-12 16:42:39 +00:00
that the event $S_1 \wedge
\neg E_1$ happens with all but negligible probability: $\Pr[S_1 \wedge
\neg E_1] \leq \advantage{\DDH}{\Gh}(\lambda) - 1/p$. Thus our task is now
to upper-bound the probability $\Pr[S_1 \wedge E_1]$.
\item[Game 2.$\boldsymbol{k~(0 \leq k \leq Q)}$:] In Game $2.k$, the
challenger returns a Type B signature for the first $k$ queries. At the
last $Q - k$ signature queries, the challenger answers a type $A$
signature. \cref{le:type-b-sig} ensures that
\[\left| \Pr\Bigl[S_{2.k} \wedge E_{2.k}\Bigr] - \Pr\Bigl[S_{2.(k-1)} \wedge E_{2.(k-1)}\Bigr] \right|\]
2018-04-13 13:50:34 +00:00
is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.
2018-04-12 16:42:39 +00:00
\end{description}
2018-04-13 16:52:15 +00:00
In Game $2.Q$, we know that if $\SXDH$ holds, $\adv$ can only output a type $\mathrm{A}'$
2018-04-12 16:42:39 +00:00
forgery even if it only obtains type B signatures during the game.
2018-04-13 13:50:34 +00:00
Nevertheless, lemma~\ref{le:final-forgery} shows
2018-04-12 16:42:39 +00:00
that a type $\mathrm{A}'$ forgery in Game
$2.Q$ contradicts the DDH assumptions in $\GG$. Therefore we have
2018-04-13 13:50:34 +00:00
$\Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda)$. Putting the above altogether, the probability $\Pr[S_0]$ is upper-bounded by
2018-04-12 16:42:39 +00:00
\begin{multline*}
\advantage{\DDH}{\Gh}(\lambda) + \frac{1}{p} + Q \left( \advantage{\DDH}{\GG}(\lambda) + \frac{1}{p} \right) + \advantage{\DDH}{\GG}(\lambda) \\
2018-04-13 13:50:34 +00:00
< (Q + 2) \cdot \left( \advantage{\mathrm{SXDH}{\GG, \Gh}}(\lambda) + \frac{1}{p} \right).
\end{multline*}
2018-04-12 16:42:39 +00:00
\end{proof}
2018-04-13 13:50:34 +00:00
2018-04-12 16:42:39 +00:00
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{lemma} \label{le:type-a-sig}
In \textbf{Game 1}, if the DDH assumption holds in $\Gh$, $\adv$ can only output a type $A'$
forgery.
\end{lemma}
\begin{proof}
Let $\adv$ be an attacker that does not
2018-04-13 13:50:34 +00:00
output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the
2018-04-13 16:52:15 +00:00
Quasi-Adaptive $\NIZK$ (\QANIZK) scheme, which security is implied from the double-pairing
2018-04-12 16:42:39 +00:00
problem that reduces from DDH as explained in~\cite{LPJY13}.
2018-04-13 13:50:34 +00:00
Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as
2018-04-12 16:42:39 +00:00
\[
2018-04-13 13:50:34 +00:00
\ssigma \triangleq (\sigma_1^\star, \sigma_2^{\star m_1}, \ldots, \sigma_2^{\star m_\ell}, \sigma_2^\star, \sigma_3^{\star m_1}, \ldots, \sigma_3^{\star m_\ell}, \sigma_3^\star, \Omega)
2018-04-12 16:42:39 +00:00
\in \GG^{2\ell + 4}.
\]
If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row
space of $\mathbf{M}$.
2018-04-13 13:50:34 +00:00
Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in
(\ref{matrix-scal-sig}) and a common
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
2018-04-13 16:52:15 +00:00
\QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.
2018-04-12 16:42:39 +00:00
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
2018-04-18 07:28:32 +00:00
After that, $\bdv$ picks $\omega \sample \U(\Zp)$ and $\hat g \sample \U(\Gh)$, and set $\Omega = h^\omega$.
2018-04-12 16:42:39 +00:00
Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
\begin{align*}
2018-04-13 13:50:34 +00:00
\mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr).
2018-04-12 16:42:39 +00:00
\end{align*}
Since $\bdv$ knows the secret key $\omega \in \Zp$, it can answer all signing queries by honestly
running the $\Sign$ algorithm, in particular, it does not need to know $\mathsf{tk}$ to do this.
When $\adv$ halts, it outputs $(M^\star, \sigma^\star)$ where $\sigma^\star$ is not a Type $\mathrm{A}'$ forgery, so that $\ssigma$ is not in the row space of $\mathbf{M}$.
Therefore, outputting $\pi^\star$ constitutes a valid proof against the soundness property of the
2018-04-13 13:50:34 +00:00
scheme, and thus implies an algorithm against DDH as in~\cite{KW15} since the matrix can be
witness-samplable.
2018-04-12 16:42:39 +00:00
\end{proof}
\begin{lemma} \label{le:type-b-sig}
If DDH holds in $\GG$, for each $k \in
\{1,\ldots, Q \}$, $\adv$ produces a type $A'$ forgery with negligibly different probabilities in \textbf{Game $\boldsymbol{2.k}$} and \textbf{Game $\boldsymbol{2.(k-1)}$}.
\end{lemma}
%
\begin{proof}
Let us assume there exists an index $k \in \{1, \ldots, Q\}$ and an adversary $\adv$ that outputs a
Type $\mathrm{A}'$ forgery with smaller probability in Game $2.k$ than in Game
$2.(k-1)$. We build a DDH distinguisher $\bdv$. \medskip
\\
Algorithm $\bdv$ takes in $(g^a, g^b, \eta) \in \GG^3$, where $\eta =
g^{a(b+c)}$, and decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It
2018-04-18 07:28:32 +00:00
picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \U(\Zp)$
2018-04-12 16:42:39 +00:00
and sets $\Omega = h^\omega$ as well as:
\[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \]
% in order to have the discrete logs of $v_i$ and $w$. \medskip
% \\
2018-04-13 13:50:34 +00:00
2018-04-12 16:42:39 +00:00
The reduction $\bdv$ also chooses $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ and
2018-04-13 13:50:34 +00:00
computes $\mathsf{crs} = ( \{z_j\}_{j=1}^{2\ell+4}, \hat g_z, \{ \hat g_i \}_{i=1}^{2\ell + 4})$
2018-04-12 16:42:39 +00:00
as in steps 3-4 of \textsf{Keygen}. It then outputs $\mathsf{pk}=(g,h,\hat g, \vec{v}, \omega,\mathsf{crs})$.
\smallskip
2018-04-13 13:50:34 +00:00
2018-04-12 16:42:39 +00:00
Then, queries are answered depending on their index~$j$:\\
\textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,
2018-04-13 16:52:15 +00:00
\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator
2018-04-12 16:42:39 +00:00
to computes $\pi$.
2018-04-30 14:12:03 +00:00
\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as
2018-04-12 16:42:39 +00:00
Type A signatures, which $\bdv$ is able to generate using the secret key $\omega \in \Zp$ he knows
and $\mathsf{crs}$ or $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ to produces valid proofs.
2018-04-30 14:12:03 +00:00
\textbf{Case $\boldsymbol{j = k}$:} In the $k$-th signing query $(m_1,\dots,m_\ell)$, $\bdv$
2018-04-12 16:42:39 +00:00
embeds the DDH instance in the signature and simulates either Game $2.k$ or Game $2.(k-1)$
2018-04-13 13:50:34 +00:00
depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,
2018-04-12 16:42:39 +00:00
and
2018-04-13 13:50:34 +00:00
$ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $
2018-04-13 16:52:15 +00:00
Then $\bdv$ simulates \QANIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.
2018-04-12 16:42:39 +00:00
\smallskip
If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is
a Type A signature with $s=b$. If $\eta = g^{a(b+c)}$ for some $c
\in_R \Zp$, we have:
\begin{align*}
\sigma_1 & = g^\omega g^{ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b\\
& = g^{\omega'} (v_1^{m_1} \cdots v_\ell^{m_\ell} w)^b \\
\sigma_2 &= g^b, \qquad \qquad \qquad \qquad \qquad
2018-04-13 13:50:34 +00:00
\sigma_3 = h^{b+c}
2018-04-12 16:42:39 +00:00
\end{align*}
Where $\omega' = \omega + ac\cdot(b_w + \sum_{i=1}^\ell b_{v_i} m_i)$. Since the term $b_w +
\sum_{i=1}^\ell b_{v_i}m_i$ is uniform and independent of $\adv$'s view, $\sigma$ is
distributed as a Type B signature if $\eta = g^{a(b+c)}$.
When $\adv$ terminates, it outputs a couple $(m_1^\star\cdots m_\ell^\star, \sigma^\star)$ that has not been queried
during the signing queries. Now the reduction $\bdv$ has to determine whether $\sigma^\star$ is a
Type $\mathrm{A}'$ forgery or not. To this end, it tests if the equality:
\begin{equation} \label{eq:verif-proof}
2018-04-13 13:50:34 +00:00
\sigma_1^\star = g^\omega \sigma_2^{\star a_w + \sum_{i=1}^\ell a_{v_i} m_i^\star} \sigma_3^{\star b_w + \sum_{i=1}^\ell b_{v_i} m_i^\star}
2018-04-12 16:42:39 +00:00
\end{equation}
is satisfied. If it is, $\bdv$ outputs $1$ to indicate that $\eta = g^{ab}$. Otherwise it outputs
$0$ and rather bets that $\eta \in_R \GG$.
To see why this test allows recognizing Type $\mathrm{A}'$ forgeries,
2018-04-13 13:50:34 +00:00
we remark that $\sigma^\star$ is of the form:
2018-04-12 16:42:39 +00:00
\begin{align*}
\sigma^\star_2 & = g^s , &
\sigma^\star_3 & = h^{s + s_1} , &
\sigma^\star_1 & = g^{\omega + s_0} (v_1^{m^\star_1} \cdots v_\ell^{m^\star_\ell} w)^s ,
\end{align*}
2018-04-13 13:50:34 +00:00
and the goal of $\bdv$ is to decide whether $(s_0, s_1) = (0, 0)$ or not. We notice that
2018-04-12 16:42:39 +00:00
$s_0 = a\cdot s_1 \cdot (b_w + \sum_{i=1}^\ell b_{v_i} \cdot m_i^\star)$ if the forgery fulfills
relation~\eqref{eq:verif-proof} and we show this to only happen with probability $1/p$ for any $s_1\neq 0$
meaning that Type $\mathrm{B}$ forgery passes the test with the same probability.
2018-04-13 13:50:34 +00:00
2018-04-12 16:42:39 +00:00
From the entire game, and assuming a forgery which passes the test, we have the following linear system:
\[
\left(
\bgroup
\def\arraystretch{1.5}
\begin{array}{c|c}
\mathbf{I}_{\ell+1} & a \cdot \mathbf{I}_{\ell + 1}\\ \hline
2018-05-17 12:15:14 +00:00
\boldsymbol{0}_{\ell + 1}^{T} & ac \cdot( m_1 | \cdots | m_\ell | 1) \\ \hline
\boldsymbol{0}_{\ell + 1}^{T} & a s_1 \cdot( m_1^\star | \cdots | m_\ell^\star | 1)
2018-04-12 16:42:39 +00:00
\end{array}
\egroup
\right) \cdot
% \begin{pmatrix}
% 1 & & & a & & \\
% & \ddots & & & \ddots & \\
% & & 1 & & & & a \\
% & & & a c \cdot m_1 & \cdots & a c \cdot m_\ell & ac \\
% & & & a c \cdot m_1^\star & \cdots & a c \cdot m_\ell^\star & ac
% \end{pmatrix} \cdot
\begin{pmatrix}
a_{v_1} \\ \vdots \\ a_{v_\ell} \\ a_w\\
b_{v_1} \\ \vdots \\ b_{v_\ell} \\ b_w
2018-04-13 13:50:34 +00:00
\end{pmatrix}
2018-04-12 16:42:39 +00:00
=
\begin{pmatrix}
\log_g(v_1) \\ \vdots \\ \log_g(v_\ell) \\ \log_g(w) \\
\omega' - \omega \\ s_0
\end{pmatrix}
\]
2018-04-13 13:50:34 +00:00
where, $\boldsymbol{0}_{\ell + 1}$ denotes the zero vector of length $\ell + 1$ and $m_1, \ldots, m_\ell$
is the message involved in the $k$-th signing query. Note that the $(l+2)$-th equation is meaningless when
2018-04-12 16:42:39 +00:00
$c=0$ since then $\omega' = \omega$. However, even if $c\neq 0$ the information that $\adv$ can infer about
$(a_{v_1},\ldots, a_{v_\ell}, a_w, b_{v_1}, \ldots, b_{v_\ell}, b_w) \in \Zp^{2 \ell + 2}$
2018-04-13 13:50:34 +00:00
during the game amounts to the first $\ell+2$ equations of the system which is of full rank. It means that
this vector is unpredictable since all the solutions of this linear system live in a sub-space of dimension
2018-04-12 16:42:39 +00:00
at least one (actually $\ell=(2\ell+2) -(\ell+2)$). Finally, as long as $s_1\neq 0$, the right value $s_0$
2018-04-13 13:50:34 +00:00
can only be guessed with probability $1/p$ since the last row of the matrix is independent of the others
2018-04-12 16:42:39 +00:00
as soon as $(m_1, \ldots, m_\ell) \neq (m^\star_1, \ldots, m^\star_\ell) \neq 0$.
2018-04-13 13:50:34 +00:00
To conclude the proof, since $\bdv$ is able the tell apart the type of the forgery, if $\adv$'s probability to
output a forgery of some Type in Game $k-1$ (\textit{i.e.}, $c=0$) was significantly different than in Game $k$
(\textit{i.e.}, $c\neq0$) then $B$ would be able to solve the DDH problem with non-negligible advantage.
2018-04-12 16:42:39 +00:00
\end{proof}
\begin{lemma} \label{le:final-forgery}
In \textbf{Game $\boldsymbol{2.Q}$}, a PPT adversary outputting a type $A'$ forgery would contradict
the DDH assumption in $\GG$:
$ \Pr[S_{2.Q} \wedge E_{2.Q}] \leq \advantage{\DDH}{\GG}(\lambda).$
\end{lemma}
\begin{proof}
We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at
least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega =
h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g
2018-04-18 07:28:32 +00:00
\sample \U(\Gh)$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \U(\Zp)$ and computes
2018-04-13 13:50:34 +00:00
$ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates
2018-04-12 16:42:39 +00:00
$\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$,
$\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$
2018-04-13 13:50:34 +00:00
as in step 3-4 of the key generation algorithm, then sends the public key
2018-04-12 16:42:39 +00:00
$ pk = \bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega, \mathsf{crs}\bigr) $ to $\adv$.
%\begin{multline*}
2018-04-13 13:50:34 +00:00
% pk = \Bigl(g, h, \hat g, \boldsymbol{v} , \Omega=h^\omega,
% \mathsf{pk}_{hsps}, \{ (z_j, r_j) \}_{j=1}^{\ell + 2} \Bigr)
2018-04-12 16:42:39 +00:00
%\end{multline*}
2018-04-30 14:12:03 +00:00
$\bdv$ also retains $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$ to handle
2018-04-12 16:42:39 +00:00
signing queries. We recall that during the game, signing queries are answered by returning a
Type B signature so that, using $\mathsf{tk}$, $\bdv$ can answer all queries without knowing the
$\omega = \log_h(\Omega)$ which is part of the CDH challenge.
The results of Lemma~\ref{le:type-b-sig} implies that even if $\adv$ only obtains Type B signatures,
it will necessarily output a Type $\mathrm{A}'$ forgery
$\sigma^\star = (\sigma^\star_1, \sigma^\star_2, \sigma^\star_3, \pi^\star)$
2018-04-13 13:50:34 +00:00
unless the DDH assumption does not hold in $\GG$.
This event thus allows $\bdv$ to compute
2018-04-12 16:42:39 +00:00
\[g^\omega = \sigma_1^\star \cdot {\sigma_2^\star}^{-a_w - \sum_{i=1}^\ell a_{v_i} m_i^\star}_{},\]
which contradicts the DDH assumption in $\GG$.
\end{proof}
2018-04-13 13:41:25 +00:00
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\section{Companion Protocols } \label{new-proto}
2018-04-12 16:42:39 +00:00
2018-04-13 13:41:25 +00:00
In this section, we give $\Sigma$-protocols (\cref{sse:sigma-protocols}) for issuing a signature on a committed multi-block message and for proving knowledge of a valid message-signature pair.
2018-04-12 16:42:39 +00:00
2018-04-13 13:41:25 +00:00
%------------------------------------------------------------------------
\subsection{Proof of Knowledge of a Signature on a Committed Message}
2018-04-12 16:42:39 +00:00
2018-04-18 07:28:32 +00:00
We give $\Sigma$-protocols for proving the knowledge of a signature-message pair $({\sigma},\vec{m})$ satisfying the verification equation~\eqref{sig-ver-1} of the scheme of Section~\ref{scal-sig}
2018-04-12 09:03:12 +00:00
2018-04-13 13:41:25 +00:00
\begin{align} \label{eq-mult-sig}
2018-04-13 13:50:34 +00:00
e(\Omega,\hat{g}_{2 \ell+4})^{-1}
& = \, e(\sigma_1,\hat{g_1}) \cdot
e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot \hat{g}_{\ell+2} )
\\ \nonumber
& \quad \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot \hat{g}_{2 \ell+3} )
\cdot e(\pi,\hat{g}_z),
2018-04-13 13:41:25 +00:00
\end{align}
%
2018-04-13 13:50:34 +00:00
where ${\sigma}=(\sigma_1,\sigma_2,\sigma_3,\pi)$ and $\vec{m}=(m_1,\ldots,m_\ell)$.
We note that, as shown in the proof of Theorem \ref{th:eu-cma-1}, a candidate signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ may satisfy the verification equation
although $\log_g(\sigma_2)\neq \log_h(\sigma_3)$. In applications to anonymous credentials, a malicious credential issuer could take advantage of this fact in attempts to
break the anonymity of the scheme (e.g., by linking two authentications involving the same credential). For this reason, we consider a protocol for proving possession
of a possibly maliciously generated signature.
2018-04-13 13:41:25 +00:00
We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, {e.g.}, aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks.
2018-04-19 16:23:51 +00:00
2018-04-13 13:41:25 +00:00
A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations.
2018-04-13 13:50:34 +00:00
Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the
clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown.
2018-04-19 16:23:51 +00:00
2018-04-13 13:41:25 +00:00
\begin{description}
2018-04-19 16:23:51 +00:00
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps.
2018-04-13 13:50:34 +00:00
\end{description}
2018-04-13 13:41:25 +00:00
\begin{enumerate}
2018-05-02 13:50:49 +00:00
\item Commit to $d_1\coloneqq \hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
and $d_2\coloneqq \hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$.
2018-04-13 13:50:34 +00:00
To this end, choose
2018-04-18 07:28:32 +00:00
$r_1,r_2\sample\U(\Zp)$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$.
\item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\Zp^\ell$,
choose $s_1,s_2,u_1,\ldots,u_\ell \sample\U(\Zp)$
2018-04-13 13:50:34 +00:00
and compute $\hat{E}_1=\hat{g}_2^{u_1}\cdots\hat{g}_{\ell+1}^{u_\ell}\cdot \hat{g}^{s_1}$
2018-04-13 13:41:25 +00:00
and $\hat{E}_2=\hat{g}_{\ell+3}^{u_1}\cdots\hat{g}_{2 \ell+2}^{u_\ell}\cdot \hat{g}^{s_2}$.
2018-04-18 07:28:32 +00:00
\item Using the randomness $r_1,r_2 \in \Zp$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$
2018-04-13 13:50:34 +00:00
and commit to $(\pi,\sigma_0 ,\sigma_1,\sigma_2,\sigma_3)\in\GG^5.$
2018-04-18 07:28:32 +00:00
For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\U(\Zp)$ at random and set $C_z=\pi \cdot g^{t_z}$,
2018-04-13 13:50:34 +00:00
$C_i=\sigma_i \cdot g^{t_i}$, for $i \in \{0,\ldots,3\}$, and
$\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_{1}^{t_2}
\cdot \hat{D}_{2}^{t_3} \cdot \hat{g}^{-t_0}.$
2018-04-13 13:41:25 +00:00
\item In order to prove (partial) knowledge of an opening to $(C_z,C_0,C_1,C_2,C_3,\hat{D}_0)$, compute
2018-04-13 13:50:34 +00:00
$\hat{E}_0=\hat{g}_z^{v_z} \cdot \hat{g}_1^{v_1} \cdot \hat{D}_{1}^{v_2}
\cdot \hat{D}_{2}^{v_3} \cdot \hat{g}^{-v_0}$
2018-04-18 07:28:32 +00:00
for random $v_z,v_0,v_1,v_2,v_3\sample \U(\Zp)$.
2018-04-13 13:50:34 +00:00
\item Prove that $C_0$ is well-formed relatively to the committed values in $C_1,C_2$ and the coins
2018-04-18 07:28:32 +00:00
$r_1,r_2 \in \Zp$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation
2018-04-13 13:41:25 +00:00
$C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot {g}^{t_4},$ where $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$. To do this, compute
2018-04-18 07:28:32 +00:00
$F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample \U(\Zp)$ and where $s_1,s_2 \in \Zp$ are the random coins used in $\hat{E}_1,\hat{E}_2$.
\item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \Zp$ by picking $x_2,x_3,x_4\sample \U(\Zp)$ and computing
2018-04-13 13:50:34 +00:00
$$T_i=g^{t_i} \cdot f^{x_i} \qquad \forall i \in \{0,2,3, 4\}, $$ where $x_0=x_2 \cdot r_1+x_3 \cdot r_2+x_4$. Ensure that committed
variables coincide with those of previous steps by computing $$\{V_i=g^{v_i} \cdot f^{y_i}\}_{i \in \{0,2,3,4\} },$$ where
2018-04-18 07:28:32 +00:00
$y_0,y_2,y_3,y_4\sample \U(\Zp)$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \Zp$ from steps 2 and 5 to compute
2018-04-13 13:41:25 +00:00
$S_0=T_2^{s_1} \cdot T_3^{s_2}$.
\medskip
2018-04-13 13:50:34 +00:00
\item[~~~Finally,] keep $C_z\in\GG$ and all the random coins in $\mathsf{aux}$,
2018-04-13 13:41:25 +00:00
\item[~~~and] output
\begin{equation} \label{eq-comm-2}
\begin{aligned}
\mathsf{com}=\Bigl(
\{C_i\}_{i=0}^3, F_0, \{(T_i,V_i)\}_{i=0,2,3,4},~~~\\
S_0, \{(\hat{D}_i,\hat{E}_i)\}_{i=0}^2
2018-04-13 13:50:34 +00:00
\Bigr) \in \GG^{14} \times \hat{\GG}^{6}
2018-04-13 13:41:25 +00:00
\end{aligned}
\end{equation}
2018-04-19 16:23:51 +00:00
\end{enumerate}
2018-04-13 13:41:25 +00:00
%
\begin{description}
2018-04-18 07:28:32 +00:00
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample \U(\Zp) $ uniformly at random and return $\mathsf{chall}=\rho $.
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\Zp$:
2018-04-19 16:23:51 +00:00
\end{description}
2018-04-13 13:50:34 +00:00
%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and
2018-04-13 13:41:25 +00:00
\begin{enumerate}
2018-04-13 13:50:34 +00:00
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
2018-04-13 13:41:25 +00:00
and $\bar{r}_2= \rho\cdot r_2 +s_2 $;
\item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$;
2018-05-02 13:50:49 +00:00
\item $w_4= \rho\cdot t_4 + v_4 $, where $t_4\coloneqq t_0-t_1 \cdot r_1-t_2 \cdot r_2$;
2018-04-13 13:41:25 +00:00
\item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip
2018-04-18 07:28:32 +00:00
\item[~~~Output] $\mathsf{resp}\in \GG\times \Zp^{\ell+12}$ as
2018-04-13 13:50:34 +00:00
\begin{align*}
2018-04-13 13:41:25 +00:00
%\mathsf{resp}=
\bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2,
w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4} \bigr).
2018-04-19 16:23:51 +00:00
\end{align*}
2018-04-13 13:41:25 +00:00
\end{enumerate}
%
\begin{description}
2018-04-19 16:23:51 +00:00
\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold:
2018-04-13 13:50:34 +00:00
\end{description}
2018-04-13 13:41:25 +00:00
\begin{enumerate}
\item $(\hat{D}_1/\hat{g}_{\ell+2})^{\,\rho}\cdot\hat{E}_1
=\hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}$ and
$(\hat{D}_2/\hat{g}_{2\ell+3})^{\,\rho}\cdot\hat{E}_2
=\hat{g}_{\ell+3}^{\,\bar{m}_1}\cdots\hat{g}_{2 \ell+2}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_2}$ ;
\item $\hat{D}_0^{\,\rho}\cdot\hat{E}_0
2018-04-13 13:50:34 +00:00
=\hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} \cdot \hat{D}_{1}^{w_2} \cdot \hat{D}_{2}^{w_3}
\cdot \hat{g}^{-w_0}$ and
2018-04-13 13:41:25 +00:00
$C_0^{\,\rho}\cdot F_0=C_2^{\,\bar{r}_1} \cdot C_3^{\,\bar{r}_2} \cdot {g}^{w_4}$.
\item $T_i^{\rho}\cdot V_i=g^{w_i}f^{z_i}$ for each $i \in \{0,2,3,4\}$ and
\begin{eqnarray} \label{last-ver-sig}
(T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.
2018-04-19 16:23:51 +00:00
\end{eqnarray}
2018-04-13 13:41:25 +00:00
%\end{enumerate}
%
2018-04-13 13:50:34 +00:00
\item[~~~Then,] return $1$ if and only if
2018-04-13 13:41:25 +00:00
%
\begin{align} \label{eq-vrf-2}
\lefteqn{e(C_0,\hat{g}) \cdot e(g,\hat{D}_0) \cdot e(\Omega,\hat{g}_{2 \ell+4})^{-1}} \\ \nonumber
& \quad = \, e(C_1,\hat{g_1}) \cdot e(C_2,\hat{D}_1) %\\ \qquad
\cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) .
\end{align}
2018-04-13 13:50:34 +00:00
%
2018-04-19 16:23:51 +00:00
% and $0$ otherwise.
2018-04-13 13:41:25 +00:00
\end{enumerate}
2018-04-13 13:50:34 +00:00
It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of
2018-04-13 13:41:25 +00:00
underlying signatures.
2018-04-13 13:50:34 +00:00
Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by
2018-04-13 13:41:25 +00:00
a constant additive overhead.
2018-04-19 16:23:51 +00:00