Add definitions for QA-NIZK
This commit is contained in:
parent
48b14956eb
commit
00577d2153
@ -105,6 +105,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i
|
|||||||
\end{figure}
|
\end{figure}
|
||||||
|
|
||||||
\begin{definition}[Commitment schemes] \index{Commitment scheme}
|
\begin{definition}[Commitment schemes] \index{Commitment scheme}
|
||||||
|
\label{de:commitment}
|
||||||
A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Open)$ that acts as follows:
|
A \textit{commitment scheme} is given by a triple of algorithms $(\Setup, \Commit, \Open)$ that acts as follows:
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's parameters $\param$.
|
\item[\textsf{Setup}$(1^\lambda)$:] This algorithm outputs the commitment scheme's parameters $\param$.
|
||||||
@ -159,8 +160,8 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the
|
|||||||
If $m > 5n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model.
|
If $m > 5n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model.
|
||||||
\end{lemma}
|
\end{lemma}
|
||||||
|
|
||||||
\subsection{Non interactive Proofs and Fiat-Shamir Transform}
|
\subsection{Non Interactive Proofs}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives et transformation de Fiat-Shamir}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives}
|
||||||
|
|
||||||
Another useful primitives are the non-interactive version of zero-knowledge proofs.
|
Another useful primitives are the non-interactive version of zero-knowledge proofs.
|
||||||
|
|
||||||
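Review bot: the retitled heading "Non Interactive Proofs" is unhyphenated while the body text writes "non-interactive"; use "Non-Interactive Proofs" for consistency. Note also that the Fiat-Shamir transform is still introduced in this subsection (the random-oracle transformation is the context of the next hunk), so dropping it from the title and from the French ToC entry makes the table of contents less informative. The unchanged opening sentence has a number-agreement error: "Another useful primitives are the non-interactive version" should read "Another useful primitive is the non-interactive version of zero-knowledge proofs".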
@ -202,6 +203,9 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK
|
|||||||
|
|
||||||
For the sake of completeness, we can also mention $\NIZK$ in the standard model, such at Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
|
For the sake of completeness, we can also mention $\NIZK$ in the standard model, such at Groth-Sahai proofs~\cite{GOS06,GS08} for bilinear groups, but these will not be used in the context of this thesis.
|
||||||
|
|
||||||
|
In the trusted setup model described in \cref{se:games-sim}, there are also another type of $\NIZK$ proofs that are useful for us, for instance in \cref{ch:sigmasig}.
|
||||||
|
Namely, the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where the common reference string $\crs$ may depend on the language for which proofs have to be generated. A formal definition can be found in~\cite{JR13,KW15,LPJY13}, where completeness, soundness and zero-knowledge properties are adapted to take into account the \crs.
|
||||||
|
|
||||||
\section{Schnorr Proofs}
|
\section{Schnorr Proofs}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves de Schnorr}
|
||||||
\label{sse:schnorr}
|
\label{sse:schnorr}
|
||||||
|
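Review bot: the added paragraph has two grammar problems. "there are also another type of $\NIZK$ proofs" should be "there is also another type of $\NIZK$ proof", and the sentence "Namely, the quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} which are \NIZK where the common reference string $\crs$ may depend on the language ..." has no main verb; e.g. "Namely, quasi-adaptive \NIZK (\QANIZK)~\cite{JR13} are \NIZK in which the common reference string $\crs$ may depend on the language for which proofs have to be generated." The unchanged line just above also has a typo, "such at Groth-Sahai proofs" → "such as". Since this commit adds a definition of the CRS model labelled de:trusted-setup, the reference to \cref{se:games-sim} for "the trusted setup model" could point to that definition instead.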
@ -294,3 +294,10 @@ For $\PKE$, the simulation-based definition for chosen plaintext security is the
|
|||||||
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
|
As indistinguishability based model are easier to manipulate, that's why this is the most common definition for security against chosen plaintext attacks for $\PKE$.
|
||||||
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
|
For other primitives, such as Oblivious Transfer ($\OT$) described in Chapter~\ref{ch:ac-ot}, the simulation-based definitions are strictly stronger than indistinguishability definitions~\cite{CF01}.
|
||||||
Therefore, it is preferable to have security proofs of the strongest \emph{possible} definitions in theoretical cryptography.
|
Therefore, it is preferable to have security proofs of the strongest \emph{possible} definitions in theoretical cryptography.
|
||||||
|
|
||||||
|
Even though, the question of which security model is the strongest remains a complex one, as it depends on many parameters. If some security models implies others, it's not necessary always the case. For instance, we know from the work of Canetti and Fischlin~\cite{CF01} that it is impossible to construct a $\UC$-secure bit commitment scheme\footnote{The definition of a commitment scheme is given in~\cref{de:commitment}. To put it short, it is the digital equivalent of a safe.} in the plain model, while the design of such a primitive is possible assuming a \textit{trusted setup}.
|
||||||
|
Hence, the question of quantifying if a standard-model commitment scheme has a stronger security than an UC commitment scheme in the trusted setup setting under similar assumptions is not a trivial question. The answer mainly depends on the manner the scheme will be used as well as the adversarial model.
|
||||||
|
|
||||||
|
\begin{definition}[The CRS model] \label{de:trusted-setup} \index{Universal Composability!Common Reference String}
|
||||||
|
In the \textit{trusted setup} model or \textit{common reference string} (\textsf{CRS}) model, all the participants are assumed to have access to a common string $\crs \in \{0,1\}^\star$ that is drawn from some specific distribution $D_\crs$.
|
||||||
|
\end{definition}
|
||||||
|
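Review bot: the new paragraphs need wording fixes. "Even though, the question of which security model is the strongest remains a complex one" starts with a dangling connective; use "However, the question ..." and "If some security models implies others, it's not necessary always the case" should read "While some security models imply others, this is not always the case". Further: "quantifying if" → "deciding whether", and "an UC commitment scheme" → "a UC commitment scheme". In the definition, write the subscript as $D_{\crs}$: \crs expands to \ensuremath{...}\xspace, so `D_\crs` attaches only the first token of the expansion to the subscript and leaves \xspace outside it. The text elsewhere writes bit strings with ^* (e.g. $M \in \bit^*$ in the Sign item), so $\{0,1\}^*$ would be consistent with $\{0,1\}^\star$ here. The unchanged context line also needs a fix: "As indistinguishability based model are easier to manipulate, that's why this is the most common definition" → "Since indistinguishability-based models are easier to manipulate, this is the most common definition ...".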
@ -498,15 +498,15 @@ break the anonymity of the scheme (e.g., by linking two authentications involvin
|
|||||||
of a possibly maliciously generated signature.
|
of a possibly maliciously generated signature.
|
||||||
|
|
||||||
We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, {e.g.}, aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks.
|
We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, {e.g.}, aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks.
|
||||||
\vspace{-1mm}
|
|
||||||
|
|
||||||
A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations.
|
A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations.
|
||||||
Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the
|
Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the
|
||||||
clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown.
|
clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown.
|
||||||
\vspace{-1mm}
|
|
||||||
|
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps. \vspace{-1mm}
|
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps.
|
||||||
\end{description}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
|
\item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
|
||||||
@ -550,12 +550,12 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|||||||
\Bigr) \in \GG^{14} \times \hat{\GG}^{6}
|
\Bigr) \in \GG^{14} \times \hat{\GG}^{6}
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
\end{equation}
|
\end{equation}
|
||||||
\end{enumerate} \vspace{-2mm}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample \U(\Zp) $ uniformly at random and return $\mathsf{chall}=\rho $.
|
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample \U(\Zp) $ uniformly at random and return $\mathsf{chall}=\rho $.
|
||||||
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\Zp$:
|
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\Zp$:
|
||||||
\end{description}\vspace{-4mm}
|
\end{description}
|
||||||
%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and
|
%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
|
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
|
||||||
@ -568,11 +568,11 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|||||||
%\mathsf{resp}=
|
%\mathsf{resp}=
|
||||||
\bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2,
|
\bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2,
|
||||||
w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4} \bigr).
|
w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4} \bigr).
|
||||||
\end{align*} \vspace{-5mm}
|
\end{align*}
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold: \vspace{-2mm}
|
\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold:
|
||||||
\end{description}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item $(\hat{D}_1/\hat{g}_{\ell+2})^{\,\rho}\cdot\hat{E}_1
|
\item $(\hat{D}_1/\hat{g}_{\ell+2})^{\,\rho}\cdot\hat{E}_1
|
||||||
@ -586,7 +586,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|||||||
\item $T_i^{\rho}\cdot V_i=g^{w_i}f^{z_i}$ for each $i \in \{0,2,3,4\}$ and
|
\item $T_i^{\rho}\cdot V_i=g^{w_i}f^{z_i}$ for each $i \in \{0,2,3,4\}$ and
|
||||||
\begin{eqnarray} \label{last-ver-sig}
|
\begin{eqnarray} \label{last-ver-sig}
|
||||||
(T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.
|
(T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.
|
||||||
\end{eqnarray} \vspace{-5mm}
|
\end{eqnarray}
|
||||||
%\end{enumerate}
|
%\end{enumerate}
|
||||||
%
|
%
|
||||||
\item[~~~Then,] return $1$ if and only if
|
\item[~~~Then,] return $1$ if and only if
|
||||||
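Review bot: the verification equation \ref{last-ver-sig} is typeset with eqnarray, whose spacing around relation symbols differs from amsmath environments; the neighbouring equations in this hunk's context use align and equation, so switch this one to \begin{equation} ... \end{equation} with the same label. The \item[~~~Then,] label is a spacing hack that will look different once the manual \vspace corrections are removed by this commit; a plain \item or a \noindent paragraph after \end{enumerate} is more robust.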
@ -597,7 +597,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|||||||
\cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) .
|
\cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) .
|
||||||
\end{align}
|
\end{align}
|
||||||
%
|
%
|
||||||
% and $0$ otherwise. \vspace{-1mm}
|
% and $0$ otherwise.
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
|
|
||||||
\noindent
|
\noindent
|
||||||
@ -605,7 +605,7 @@ It is worth noticing that no pairing evaluation is required until the final step
|
|||||||
underlying signatures.
|
underlying signatures.
|
||||||
Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by
|
Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by
|
||||||
a constant additive overhead.
|
a constant additive overhead.
|
||||||
\vspace{-1mm}
|
|
||||||
|
|
||||||
|
|
||||||
\begin{theorem}
|
\begin{theorem}
|
||||||
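Review bot: "the prover's first message $\mathsf{com}$ is of constant-size" should read "has constant size" (no hyphen when "constant size" is a noun phrase). With the trailing \vspace{-1mm} removed before \begin{theorem}, check that the theorem environment still starts on a new paragraph as intended, since the three blank lines now collapse into one paragraph break.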
@ -681,7 +681,7 @@ a constant additive overhead.
|
|||||||
To show this property we must build a simulator that, on input of a challenge
|
To show this property we must build a simulator that, on input of a challenge
|
||||||
$\mathsf{chall}=\rho \in_R \Zp$, emulates a valid transcript without any witness.
|
$\mathsf{chall}=\rho \in_R \Zp$, emulates a valid transcript without any witness.
|
||||||
First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}).
|
First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}).
|
||||||
\vspace{-1mm}
|
|
||||||
|
|
||||||
From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick
|
From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick
|
||||||
$a_0,a_1,a_2,a_z\gets\Zp$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}=
|
$a_0,a_1,a_2,a_z\gets\Zp$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}=
|
||||||
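Review bot: in the unchanged line "compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$" the third set lacks its running index and should be $\{\hat{D}_i\}_{i=0}^2$, matching the individual $\hat{D}_0$, $\hat{D}_1$, $\hat{D}_2$ set a few lines below. The simulator also writes the challenge as $\rho \in_R \Zp$ while the protocol's Challenge step writes $\rho\sample \U(\Zp)$; use one sampling notation throughout.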
@ -694,7 +694,7 @@ a constant additive overhead.
|
|||||||
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
|
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
|
||||||
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
|
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
|
||||||
random $a_3\gets\Zp$.
|
random $a_3\gets\Zp$.
|
||||||
%\vspace{-1mm}
|
%
|
||||||
|
|
||||||
To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines.
|
To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines.
|
||||||
|
|
||||||
@ -790,7 +790,7 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\item[\textsf{Keygen}$(\lambda, N)$:] given $\lambda \in \NN$,
|
\item[\textsf{Keygen}$(\lambda, N)$:] given $\lambda \in \NN$,
|
||||||
and the maximum number of users $N \in \poly(\lambda)$, choose asymmetric
|
and the maximum number of users $N \in \poly(\lambda)$, choose asymmetric
|
||||||
bilinear groups $\mathsf{cp}=(\GG, \Gh, \GT,p)$ of order $p > 2^\lambda$.
|
bilinear groups $\mathsf{cp}=(\GG, \Gh, \GT,p)$ of order $p > 2^\lambda$.
|
||||||
\end{description} \vspace{-2mm}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Generate a key pair $(\pk_s, \sk_s)$ for the scheme of
|
\item Generate a key pair $(\pk_s, \sk_s)$ for the scheme of
|
||||||
section~\ref{scal-sig} for a one-block message (i.e., $\ell=1$). The secret key is
|
section~\ref{scal-sig} for a one-block message (i.e., $\ell=1$). The secret key is
|
||||||
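Review bot: "section~\ref{scal-sig}" is lowercase here while the rest of the chapter writes "Section~\ref{...}" (e.g. the forgery sentence later in this diff); capitalise it, or use \cref as the new QA-NIZK paragraph does. Closing the description right after the Keygen item and then opening an enumerate is a layout workaround; now that the \vspace corrections are being removed, nesting the enumerate inside the \item would indent the steps under the algorithm name without manual spacing.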
@ -814,13 +814,13 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
$\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.
|
$\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.
|
||||||
The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of
|
The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of
|
||||||
$ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
$ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
||||||
\end{enumerate} \vspace{-1mm}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the
|
\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the
|
||||||
prospective user $\U_i$ run the following interactive protocol:
|
prospective user $\U_i$ run the following interactive protocol:
|
||||||
%$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$
|
%$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$
|
||||||
\end{description} \vspace{-2mm}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item $\U_i$ chooses ${\ID \sample \U(\Zp)}$ and sends the following to
|
\item $\U_i$ chooses ${\ID \sample \U(\Zp)}$ and sends the following to
|
||||||
$\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) =
|
$\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) =
|
||||||
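Review bot: \U is overloaded in this hunk: $\U_i$ denotes the prospective user in the Join header, while $\ID \sample \U(\Zp)$ in the first step uses \U for the uniform distribution. Use a distinct macro for users (the commented-out protocol line already uses \user) to avoid the clash. Minor: "The group manager $\GM$, and the prospective user $\U_i$" has a stray comma before "and".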
@ -864,13 +864,13 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\!\!\!\!\transcript_i & \! = \!
|
\!\!\!\!\transcript_i & \! = \!
|
||||||
\Bigl(\! \bigl( Z_{\ID}, \hat G_{2,\ID}, \hat G_{4,\ID} \bigr), \pi_K(\ID),\crt_i \!\Bigr)
|
\Bigl(\! \bigl( Z_{\ID}, \hat G_{2,\ID}, \hat G_{4,\ID} \bigr), \pi_K(\ID),\crt_i \!\Bigr)
|
||||||
\end{align}
|
\end{align}
|
||||||
and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %\vspace{-1mm}
|
and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$
|
\item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$
|
||||||
does the following:
|
does the following:
|
||||||
\end{description} \vspace{-2mm}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \U(\Zp)$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$,
|
\item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \U(\Zp)$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$,
|
||||||
$\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$.
|
$\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$.
|
||||||
@ -971,11 +971,11 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\item Return $1$ if
|
\item Return $1$ if
|
||||||
$
|
$
|
||||||
c = H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$ and $0$ otherwise.
|
c = H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$ and $0$ otherwise.
|
||||||
\end{enumerate} \vspace{-1mm}
|
\end{enumerate}
|
||||||
%
|
%
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a message-signature pair $(M,\Sigma)$
|
\item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a message-signature pair $(M,\Sigma)$
|
||||||
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm}
|
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$:
|
||||||
\end{description}
|
\end{description}
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
||||||
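Review bot: the Open item writes the opening authority's key as $S_\mathrm{OA}$ while Keygen defines it as $\mathcal{S}_\mathrm{OA}$ and the item header uses $\mathcal{S}_\OA$; settle on one symbol and one of \OA / \mathrm{OA}. The commented-out parse step still lists an eight-component key $(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID)$, which no longer matches the six-component key defined in Keygen; drop the stale comment.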
@ -1027,7 +1027,7 @@ The security of the above dynamic group signature scheme, namely full anonymity,
|
|||||||
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
|
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
|
||||||
|
|
||||||
\begin{theorem} \label{th:sgsig-anonymity}
|
\begin{theorem} \label{th:sgsig-anonymity}
|
||||||
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
|
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
@ -1035,7 +1035,7 @@ We use a sequence of games where, for each $i$, $W_i$ is the event that the ad
|
|||||||
\\
|
\\
|
||||||
At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and
|
At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and
|
||||||
$\tilde \sigma_3$ appear un-encrypted in each group signature.
|
$\tilde \sigma_3$ appear un-encrypted in each group signature.
|
||||||
\vspace{-2mm}
|
|
||||||
|
|
||||||
\begin{description}
|
\begin{description}
|
||||||
\item[Game 0:] This is the real CCA-anonymity game.\\
|
\item[Game 0:] This is the real CCA-anonymity game.\\
|
||||||
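Review bot: "rely on the security of the computational soundness of the \QANIZK argument" is redundant; "rely on the computational soundness of the \QANIZK argument" suffices. The bare "\\" preceding this paragraph forces a line break inside a paragraph; a blank line or \medskip is the intended construct, especially now that the \vspace{-2mm} after it is gone.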
@ -1090,7 +1090,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
|
|||||||
that $C_2 \neq C_1^\alpha$. Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature
|
that $C_2 \neq C_1^\alpha$. Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature
|
||||||
that properly verifies although $C_2 \neq C_1^\alpha$. Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$, where $q_O$ is the number of opening
|
that properly verifies although $C_2 \neq C_1^\alpha$. Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$, where $q_O$ is the number of opening
|
||||||
queries and $q_H$ is the number of random oracle queries.
|
queries and $q_H$ is the number of random oracle queries.
|
||||||
\vspace{-1mm}
|
|
||||||
\end{description}
|
\end{description}
|
||||||
|
|
||||||
In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1,v^{\mathsf{ID}})$. Indeed,
|
In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1,v^{\mathsf{ID}})$. Indeed,
|
||||||
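Review bot: stray period in "Game $5$ remains the same as Game $4$. until the event $E_5$"; it should read "Game $5$ remains the same as Game $4$ until the event $E_5$ that $\adv$ queries ...". Since the \vspace{-1mm} removed here sat directly before \end{description}, the blank line left in its place is harmless, but the line can be deleted outright rather than left empty.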
@ -1116,14 +1116,14 @@ It comes that $\Pr[W_5]=1/2$. \medskip
|
|||||||
\advantage{\DDH}{\GG}(\lambda) + \advantage{\DDH}{\Gh}(\lambda)+ \frac{q_O \cdot q_H}{p} + \frac{1}{p^3},
|
\advantage{\DDH}{\GG}(\lambda) + \advantage{\DDH}{\Gh}(\lambda)+ \frac{q_O \cdot q_H}{p} + \frac{1}{p^3},
|
||||||
\]
|
\]
|
||||||
which concludes the proof.
|
which concludes the proof.
|
||||||
%\vspace{-2mm}
|
%
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
\begin{comment}
|
\begin{comment}
|
||||||
|
|
||||||
\begin{lemma} \label{le-gsig-1}
|
\begin{lemma} \label{le-gsig-1}
|
||||||
In Game $1$ we have $\Pr[F_1] \leq \Advt{\Gh}{\mathrm{DDH}}{\lambda}$.
|
In Game $1$ we have $\Pr[F_1] \leq \Advt{\Gh}{\mathrm{DDH}}{\lambda}$.
|
||||||
\vspace{-2mm}
|
|
||||||
\end{lemma}
|
\end{lemma}
|
||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
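Review bot: two different advantage macros are in use: the theorem's bound writes \advantage{\DDH}{\GG}(\lambda) while Lemma~\ref{le-gsig-1} inside the comment environment writes \Advt{\Gh}{\mathrm{DDH}}{\lambda}. If the commented-out lemmas are meant to be reinstated, align them on one macro; if not, the comment block can be dropped rather than maintained.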
@ -1158,11 +1158,11 @@ It comes that $\Pr[W_5]=1/2$. \medskip
|
|||||||
If $\adv$ wins and correctly guesses $d'=d \in \bit$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$.
|
If $\adv$ wins and correctly guesses $d'=d \in \bit$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$.
|
||||||
\\
|
\\
|
||||||
It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$.
|
It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$.
|
||||||
%\vspace{-1mm}
|
%
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
\begin{lemma} \label{le-gsig-4}
|
\begin{lemma} \label{le-gsig-4}
|
||||||
In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$. \vspace{-1mm}
|
In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$.
|
||||||
\end{lemma}
|
\end{lemma}
|
||||||
%
|
%
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
@ -1189,7 +1189,7 @@ It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon
|
|||||||
For all hash queries, the probability that one of them be answered with the uniquely determined $c \in \ZZ_q$ is \emph{at most}
|
For all hash queries, the probability that one of them be answered with the uniquely determined $c \in \ZZ_q$ is \emph{at most}
|
||||||
$q_H/p$. A union bound over all opening queries implies that the probability that the event $E_4$ happens is smaller than
|
$q_H/p$. A union bound over all opening queries implies that the probability that the event $E_4$ happens is smaller than
|
||||||
$\Pr[E_4] \leq q_O \cdot q_H/p.$
|
$\Pr[E_4] \leq q_O \cdot q_H/p.$
|
||||||
%\vspace{-1mm}
|
%
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
|
|
||||||
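Review bot: the proof's conclusion does not match the lemma it proves. Lemma~\ref{le-gsig-4} (previous hunk) bounds $\Pr[E_5]$ in Game 5, but the proof ends with "the probability that the event $E_4$ happens" and "$\Pr[E_4] \leq q_O \cdot q_H/p$"; rename both to $E_5$. Also "the uniquely determined $c \in \ZZ_q$" should be $c \in \Zp$: the group order is $p$ and the bound is stated as $q_H/p$.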
@ -1268,7 +1268,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|||||||
Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs
|
Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs
|
||||||
$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery
|
$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery
|
||||||
for the signature scheme of Section~\ref{scal-sig}.
|
for the signature scheme of Section~\ref{scal-sig}.
|
||||||
%\vspace{-1mm}
|
%
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
|
|
||||||
@ -1354,7 +1354,7 @@ which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute
|
|||||||
$a:=\ID^\star/\delta_i$ in $\Zp$.
|
$a:=\ID^\star/\delta_i$ in $\Zp$.
|
||||||
\\
|
\\
|
||||||
This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $.
|
This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $.
|
||||||
\vspace{-2mm}
|
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
We stress that the proofs can be easily adapted to the case where the opening algorithm has linear complexity in the number of users.
|
We stress that the proofs can be easily adapted to the case where the opening algorithm has linear complexity in the number of users.
|
||||||
|
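Review bot: "$\bdv$ implies an algorithm solving the SDL problem" should be "$\bdv$ yields an algorithm solving the SDL problem". The "\\" before "This observation tells us" forces a line break mid-paragraph; prefer a paragraph break.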
@ -36,6 +36,8 @@
|
|||||||
\newcommand{\Verify}{\ensuremath{\mathsf{Verify}}\xspace}
|
\newcommand{\Verify}{\ensuremath{\mathsf{Verify}}\xspace}
|
||||||
\newcommand{\open}{\ensuremath{\mathsf{open}}\xspace}
|
\newcommand{\open}{\ensuremath{\mathsf{open}}\xspace}
|
||||||
\newcommand{\Open}{\textsf{Open}\xspace}
|
\newcommand{\Open}{\textsf{Open}\xspace}
|
||||||
|
%% CRS
|
||||||
|
\newcommand{\crs}{\ensuremath{\mathsf{crs}}\xspace}
|
||||||
|
|
||||||
% Assumptions/Problems
|
% Assumptions/Problems
|
||||||
%% Pairings
|
%% Pairings
|
||||||
|
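Review bot: the new \crs macro covers the QA-NIZK paragraph and the CRS definition, but \QANIZK, also used by the new paragraph, is not defined in this hunk; it appears in an unchanged line of the anonymity proof, so it is presumably defined elsewhere, but confirm the macro file compiles after this change. Style: \Open is defined as \textsf{Open}\xspace while \Verify and \open use \ensuremath{\mathsf{...}}\xspace; since \Open is used in math mode in the commitment definition, $(\Setup, \Commit, \Open)$, define it the same way as its neighbours so the three names render identically.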