Add definitions for QA-NIZK

Fabrice Mouhartem 2018-04-19 18:23:51 +02:00
parent 48b14956eb
commit 00577d2153
4 changed files with 44 additions and 31 deletions

View File

@ -105,6 +105,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
\end{figure}
\begin{definition}[Commitment schemes] \index{Commitment scheme}
\label{de:commitment}
A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Open)$ that acts as follows:
\begin{description}
\item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's parameters $\param$.
@ -159,8 +160,8 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the
If $m > 5n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model.
\end{lemma}
\subsection{Non interactive Proofs and Fiat-Shamir Transform}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives et transformation de Fiat-Shamir}
\subsection{Non Interactive Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives}
Another useful primitives are the non-interactive version of zero-knowledge proofs.
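Review bot: the renamed heading is a `\subsection`, but the matching `\addcontentsline{tof}{section}{\protect\numberline{\thesection} ...}` still writes a section-level entry numbered with `\thesection`, so the French table of contents will show this entry with the parent section's number; use `\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Preuves non interactives}` here. The body text in the next context line writes "non-interactive" with a hyphen, so the new title should read "Non-Interactive Proofs" for consistency (that context line's "Another useful primitives are" also needs "Another useful primitive is" or "Other useful primitives are").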
@ -202,6 +203,9 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
For the sake of completeness, we can also mention $\NIZK$ in the standard model, such at Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
In the trusted setup model described in \cref{se:games-sim}, there are also another type of $\NIZK$ proofs that are useful for us, for instance in \cref{ch:sigmasig}.
Namely, the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated. A formal definition can be found in~\cite{JR13,KW15,LPJY13}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs.
\section{Schnorr Proofs}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
\label{sse:schnorr}
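Review bot: the added paragraph has grammar problems: "there are also another type of $\NIZK$ proofs" should be "there is also another type", and "the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where" mixes singular and plural; suggest "quasi-adaptive \NIZK proofs (\QANIZK)~\cite{JR13}, which are \NIZK proofs whose common reference string $\crs$ may depend on the language for which proofs have to be generated." The trusted setup model is referenced as `\cref{se:games-sim}`, whereas the definition this commit adds in the other file is labelled `de:trusted-setup`; if that definition is the intended target, the reference should be `\cref{de:trusted-setup}`. The commit title promises definitions for QA-NIZK, but the text only defers to `\cite{JR13,KW15,LPJY13}` for the formal definition; either state it in a `definition` environment (completeness, soundness and zero-knowledge relative to the language-dependent \crs), as is done for the CRS model, or reword the commit message. The unchanged context line's "such at Groth-Sahai proofs" is a typo for "such as".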

View File

@ -294,3 +294,10 @@ For $\PKE$, the simulation-based definition for chosen plaintext security is the
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
Therefore, it is preferable to have security proofs of the strongest \emph{possible} definitions in theoretical cryptography.
Even though, the question of which security model is the strongest remains a complex one, as it depends on many parameters. If some security models implies others, it's not necessary always the case. For instance, we know from the work of Canetti and Fischlin~\cite{CF01} that it is impossible to construct a $\UC$-secure bit commitment scheme\footnote{The definition of a commitment scheme is given in~\cref{de:commitment}. To put it short, it is the digital equivalent of a safe.} in the plain model, while the design of such a primitive is possible assuming a \textit{trusted setup}.
Hence, the question of quantifying if a standard-model commitment scheme has a stronger security than an UC commitment scheme in the trusted setup setting under similar assumptions is not a trivial question. The answer mainly depends on the manner the scheme will be used as well as the adversarial model.
\begin{definition}[The CRS model] \label{de:trusted-setup} \index{Universal Composability!Common Reference String}
In the \textit{trusted setup} model or \textit{common reference string} (\textsf{CRS}) model, all the participants are assumed to have access to a common string $\crs \in \{0,1\}^\star$ that is drawn from some specific distribution $D_\crs$.
\end{definition}
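Review bot: `D_\crs` relies on `\crs` expanding to a single math field after `_`; since `\crs` is defined as `\ensuremath{\mathsf{crs}}\xspace`, write `D_{\crs}` so the subscript is robust. `\{0,1\}^\star` uses `\star` where the rest of the thesis writes `\bit^*` (see the Sign algorithm in the group-signature file), so `\{0,1\}^*` or `\bit^*` would be consistent. The `\index{Universal Composability!Common Reference String}` entry files the CRS model only under UC, although the definition is also used by the QA-NIZK paragraph; an additional top-level `\index{Common Reference String}` entry would help readers coming from that chapter. In the unchanged context, "If some security models implies others, it's not necessary always the case" and "an UC commitment scheme" read awkwardly ("imply", "it is not always the case", "a UC commitment scheme").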

View File

@ -498,15 +498,15 @@ break the anonymity of the scheme (e.g., by linking two authentications involvin
of a possibly maliciously generated signature.
We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, {e.g.}, aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks.
\vspace{-1mm}
A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations.
Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the
clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown.
\vspace{-1mm}
\begin{description}
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps. \vspace{-1mm}
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps.
\end{description}
\begin{enumerate}
\item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
@ -550,12 +550,12 @@ clear), proving knowledge of a valid signature still requires proving a statem
\Bigr) \in \GG^{14} \times \hat{\GG}^{6}
\end{aligned}
\end{equation}
\end{enumerate} \vspace{-2mm}
\end{enumerate}
%
\begin{description}
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample \U(\Zp) $ uniformly at random and return $\mathsf{chall}=\rho $.
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\Zp$:
\end{description}\vspace{-4mm}
\end{description}
%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and
\begin{enumerate}
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
@ -568,11 +568,11 @@ clear), proving knowledge of a valid signature still requires proving a statem
%\mathsf{resp}=
\bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2,
w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4} \bigr).
\end{align*} \vspace{-5mm}
\end{align*}
\end{enumerate}
%
\begin{description}
\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold: \vspace{-2mm}
\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold:
\end{description}
\begin{enumerate}
\item $(\hat{D}_1/\hat{g}_{\ell+2})^{\,\rho}\cdot\hat{E}_1
@ -586,7 +586,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
\item $T_i^{\rho}\cdot V_i=g^{w_i}f^{z_i}$ for each $i \in \{0,2,3,4\}$ and
\begin{eqnarray} \label{last-ver-sig}
(T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.
\end{eqnarray} \vspace{-5mm}
\end{eqnarray}
%\end{enumerate}
%
\item[~~~Then,] return $1$ if and only if
@ -597,7 +597,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
\cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) .
\end{align}
%
% and $0$ otherwise. \vspace{-1mm}
% and $0$ otherwise.
\end{enumerate}
\noindent
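Review bot: the edited line `% and $0$ otherwise.` is a LaTeX comment, so removing `\vspace{-1mm}` from it changes nothing in the output; either delete the commented line or restore it as real text if the "and $0$ otherwise" clause is meant to close the Verify step.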
@ -605,7 +605,7 @@ It is worth noticing that no pairing evaluation is required until the final step
underlying signatures.
Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by
a constant additive overhead.
\vspace{-1mm}
\begin{theorem}
@ -681,7 +681,7 @@ a constant additive overhead.
To show this property we must build a simulator that, on input of a challenge
$\mathsf{chall}=\rho \in_R \Zp$, emulates a valid transcript without any witness.
First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}).
\vspace{-1mm}
From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick
$a_0,a_1,a_2,a_z\gets\Zp$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}=
@ -694,7 +694,7 @@ a constant additive overhead.
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
random $a_3\gets\Zp$.
%\vspace{-1mm}
%
To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines.
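Review bot: replacing `%\vspace{-1mm}` with a bare `%` leaves an empty comment line that serves no purpose; delete the line instead. The same pattern recurs in the later hunks of this file (the bare `%` lines left after the Join transcript, the anonymity theorem, and the DDH, opening and non-frameability proofs).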
@ -790,7 +790,7 @@ with prospective users. However, this limitation can be removed using an extract
\item[\textsf{Keygen}$(\lambda, N)$:] given $\lambda \in \NN$,
and the maximum number of users $N \in \poly(\lambda)$, choose asymmetric
bilinear groups $\mathsf{cp}=(\GG, \Gh, \GT,p)$ of order $p > 2^\lambda$.
\end{description} \vspace{-2mm}
\end{description}
\begin{enumerate}
\item Generate a key pair $(\pk_s, \sk_s)$ for the scheme of
section~\ref{scal-sig} for a one-block message (i.e., $\ell=1$). The secret key is
@ -814,13 +814,13 @@ with prospective users. However, this limitation can be removed using an extract
$\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.
The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of
$ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
\end{enumerate} \vspace{-1mm}
\end{enumerate}
%
\begin{description}
\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the
prospective user $\U_i$ run the following interactive protocol:
%$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$
\end{description} \vspace{-2mm}
\end{description}
\begin{enumerate}
\item $\U_i$ chooses ${\ID \sample \U(\Zp)}$ and sends the following to
$\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) =
@ -864,13 +864,13 @@ with prospective users. However, this limitation can be removed using an extract
\!\!\!\!\transcript_i & \! = \!
\Bigl(\! \bigl( Z_{\ID}, \hat G_{2,\ID}, \hat G_{4,\ID} \bigr), \pi_K(\ID),\crt_i \!\Bigr)
\end{align}
and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %\vspace{-1mm}
and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %
\end{enumerate}
%
\begin{description}
\item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$
does the following:
\end{description} \vspace{-2mm}
\end{description}
\begin{enumerate}
\item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \U(\Zp)$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$,
$\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$.
@ -971,11 +971,11 @@ with prospective users. However, this limitation can be removed using an extract
\item Return $1$ if
$
c = H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$ and $0$ otherwise.
\end{enumerate} \vspace{-1mm}
\end{enumerate}
%
\begin{description}
\item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a message-signature pair $(M,\Sigma)$
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm}
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$:
\end{description}
\begin{enumerate}
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
@ -1027,7 +1027,7 @@ The security of the above dynamic group signature scheme, namely full anonymity,
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
\begin{theorem} \label{th:sgsig-anonymity}
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %
\end{theorem}
\begin{proof}
@ -1035,7 +1035,7 @@ We use a sequence of games where, for each $i$, $W_i$ is the event that the ad
\\
At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and
$\tilde \sigma_3$ appear un-encrypted in each group signature.
\vspace{-2mm}
\begin{description}
\item[Game 0:] This is the real CCA-anonymity game.\\
@ -1090,7 +1090,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
that $C_2 \neq C_1^\alpha$. Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature
that properly verifies although $C_2 \neq C_1^\alpha$. Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$, where $q_O$ is the number of opening
queries and $q_H$ is the number of random oracle queries.
\vspace{-1mm}
\end{description}
In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1,v^{\mathsf{ID}})$. Indeed,
@ -1116,14 +1116,14 @@ It comes that $\Pr[W_5]=1/2$. \medskip
\advantage{\DDH}{\GG}(\lambda) + \advantage{\DDH}{\Gh}(\lambda)+ \frac{q_O \cdot q_H}{p} + \frac{1}{p^3},
\]
which concludes the proof.
%\vspace{-2mm}
%
\end{proof}
\begin{comment}
\begin{lemma} \label{le-gsig-1}
In Game $1$ we have $\Pr[F_1] \leq \Advt{\Gh}{\mathrm{DDH}}{\lambda}$.
\vspace{-2mm}
\end{lemma}
\begin{proof}
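Review bot: this `\vspace{-2mm}` removal sits inside a `\begin{comment}` block, so it has no effect on the typeset output; harmless, but if Lemma `le-gsig-1` is kept only as dead text (the visible proof text references `Lemma~\ref{le-gsig-4}`), consider dropping the commented block rather than maintaining it.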
@ -1158,11 +1158,11 @@ It comes that $\Pr[W_5]=1/2$. \medskip
If $\adv$ wins and correctly guesses $d'=d \in \bit$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$.
\\
It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$.
%\vspace{-1mm}
%
\end{proof}
\begin{lemma} \label{le-gsig-4}
In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$. \vspace{-1mm}
In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$.
\end{lemma}
%
\begin{proof}
@ -1189,7 +1189,7 @@ It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon
For all hash queries, the probability that one of them be answered with the uniquely determined $c \in \ZZ_q$ is \emph{at most}
$q_H/p$. A union bound over all opening queries implies that the probability that the event $E_4$ happens is smaller than
$\Pr[E_4] \leq q_O \cdot q_H/p.$
%\vspace{-1mm}
%
\end{proof}
@ -1268,7 +1268,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs
$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery
for the signature scheme of Section~\ref{scal-sig}.
%\vspace{-1mm}
%
\end{proof}
@ -1354,7 +1354,7 @@ which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute
$a:=\ID^\star/\delta_i$ in $\Zp$.
\\
This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $.
\vspace{-2mm}
\end{proof}
We stress that the proofs can be easily adapted to the case where the opening algorithm has linear complexity in the number of users.

View File

@ -36,6 +36,8 @@
\newcommand{\Verify}{\ensuremath{\mathsf{Verify}}\xspace}
\newcommand{\open}{\ensuremath{\mathsf{open}}\xspace}
\newcommand{\Open}{\textsf{Open}\xspace}
%% CRS
\newcommand{\crs}{\ensuremath{\mathsf{crs}}\xspace}
% Assumptions/Problems
%% Pairings
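Review bot: the new `\crs` macro follows the `\open`/`\Verify` convention (`\ensuremath` plus `\xspace`), which is fine in running text; note that the new definition uses it as a subscript, where braces are needed. The new QA-NIZK paragraph also uses `\QANIZK`, which this hunk does not introduce; it already appears in the group-signature chapter's anonymity proof, so it is presumably defined elsewhere, but worth confirming it lives in this macro file so the build does not depend on an undefined command.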