|
|
|
@ -498,15 +498,15 @@ break the anonymity of the scheme (e.g., by linking two authentications involvin
|
|
|
|
|
of a possibly maliciously generated signature.
|
|
|
|
|
|
|
|
|
|
We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, {e.g.}, aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks.
|
|
|
|
|
\vspace{-1mm}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations.
|
|
|
|
|
Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the
|
|
|
|
|
clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown.
|
|
|
|
|
\vspace{-1mm}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps. \vspace{-1mm}
|
|
|
|
|
\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps.
|
|
|
|
|
\end{description}
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
|
|
|
|
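Review bot: the only change to the `Commit` item is dropping its trailing `\vspace{-1mm}`, which is fine, but the paragraph above it still hedges with "Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness"; since this is the sentence that justifies committing directly in $\GG$ and $\hat{\GG}$ instead of linearizing, replace "Somehow" with a definite statement of which exponents end up multiplied (the randomizer $r$ and the committed representation of $\hat{y}$ that the previous sentence introduces), or the motivation for the extra generator $f$ reads as unmotivated.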
@ -550,12 +550,12 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|
|
|
|
\Bigr) \in \GG^{14} \times \hat{\GG}^{6}
|
|
|
|
|
\end{aligned}
|
|
|
|
|
\end{equation}
|
|
|
|
|
\end{enumerate} \vspace{-2mm}
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
%
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample \U(\Zp) $ uniformly at random and return $\mathsf{chall}=\rho $.
|
|
|
|
|
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\Zp$:
|
|
|
|
|
\end{description}\vspace{-4mm}
|
|
|
|
|
\end{description}
|
|
|
|
|
%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $,
|
|
|
|
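Review bot: the commented-out remnant `%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and` between `\end{description}` and the `Response` enumeration is dead text; this hunk already strips layout hacks (`\end{enumerate} \vspace{-2mm}` and `\end{description}\vspace{-4mm}` lose their negative spacing), so delete the stale comment as well rather than carry it into the new version, especially as no $t_5$ appears in the response tuple shown later (`C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2, w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4}`).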
@ -568,11 +568,11 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|
|
|
|
%\mathsf{resp}=
|
|
|
|
|
\bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2,
|
|
|
|
|
w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4} \bigr).
|
|
|
|
|
\end{align*} \vspace{-5mm}
|
|
|
|
|
\end{align*}
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
%
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold: \vspace{-2mm}
|
|
|
|
|
\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold:
|
|
|
|
|
\end{description}
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item $(\hat{D}_1/\hat{g}_{\ell+2})^{\,\rho}\cdot\hat{E}_1
|
|
|
|
@ -586,7 +586,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|
|
|
|
\item $T_i^{\rho}\cdot V_i=g^{w_i}f^{z_i}$ for each $i \in \{0,2,3,4\}$ and
|
|
|
|
|
\begin{eqnarray} \label{last-ver-sig}
|
|
|
|
|
(T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.
|
|
|
|
|
\end{eqnarray} \vspace{-5mm}
|
|
|
|
|
\end{eqnarray}
|
|
|
|
|
%\end{enumerate}
|
|
|
|
|
%
|
|
|
|
|
\item[~~~Then,] return $1$ if and only if
|
|
|
|
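Review bot: `\begin{eqnarray} \label{last-ver-sig}` is kept while only its trailing `\vspace{-5mm}` is removed; the rest of this section uses amsmath environments (`\end{align}`, `\end{align*}`, `\end{equation}`), and `eqnarray` is known for uneven spacing around the relation symbol, so this single-line display `(T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.` should become `\begin{equation} \label{last-ver-sig} ... \end{equation}`. In the same region, `\item[~~~Then,] return $1$ if and only if` fakes indentation with `~~~` inside an `enumerate`, and `%\end{enumerate}` above it is a commented-out close; close the list properly and start the final check as a `\noindent` paragraph instead of a tilde-padded item.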
@ -597,7 +597,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
|
|
|
|
|
\cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) .
|
|
|
|
|
\end{align}
|
|
|
|
|
%
|
|
|
|
|
% and $0$ otherwise. \vspace{-1mm}
|
|
|
|
|
% and $0$ otherwise.
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
|
|
|
|
|
\noindent
|
|
|
|
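Review bot: the only edit in this hunk touches a commented-out line (`% and $0$ otherwise. \vspace{-1mm}` becomes `% and $0$ otherwise.`), which has no effect on the typeset output; the verification equation ending in `\cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) .` is already followed by `\end{align}` and `\end{enumerate}`, so delete the dead comment outright instead of maintaining its spacing.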
@ -605,7 +605,7 @@ It is worth noticing that no pairing evaluation is required until the final step
|
|
|
|
|
underlying signatures.
|
|
|
|
|
Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by
|
|
|
|
|
a constant additive overhead.
|
|
|
|
|
\vspace{-1mm}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\begin{theorem}
|
|
|
|
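Review bot: in `Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by` drop the hyphen (`of constant size`); the compound is hyphenated only when it precedes a noun. Removing the standalone `\vspace{-1mm}` before `\begin{theorem}` is fine.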
@ -681,7 +681,7 @@ a constant additive overhead.
|
|
|
|
|
To show this property we must build a simulator that, on input of a challenge
|
|
|
|
|
$\mathsf{chall}=\rho \in_R \Zp$, emulates a valid transcript without any witness.
|
|
|
|
|
First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}).
|
|
|
|
|
\vspace{-1mm}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick
|
|
|
|
|
$a_0,a_1,a_2,a_z\gets\Zp$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}=
|
|
|
|
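Review bot: `$\{\hat{D}\}_{i=0}^2$` in `First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}).` is missing the running index on the element; it should read `\{\hat{D}_i\}_{i=0}^2`, matching `\{C_i\}_{i=0}^3` beside it and the `\hat{D}_0`, `\hat{D}_1`, `\hat{D}_2` that the simulator then sets. Also `$\mathsf{chall}=\rho \in_R \Zp$` uses `\in_R` where the protocol description writes `\rho\sample \U(\Zp)`; pick one sampling notation for the whole section.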
@ -694,7 +694,7 @@ a constant additive overhead.
|
|
|
|
|
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
|
|
|
|
|
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
|
|
|
|
|
random $a_3\gets\Zp$.
|
|
|
|
|
%\vspace{-1mm}
|
|
|
|
|
%
|
|
|
|
|
|
|
|
|
|
To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines.
|
|
|
|
|
|
|
|
|
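Review bot: `%\vspace{-1mm}` is replaced by a bare `%` line instead of being deleted, leaving an empty comment between `random $a_3\gets\Zp$.` and `To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines.`; the same pattern survives in later hunks (`... \ID \bigr)$. %`, the trailing `%` after the CCA-anonymity theorem statement, and the lone `%` lines before `\end{proof}`). Since the rest of the cleanup removes spacing commands outright, remove these comment stubs too; a trailing `%` at the end of a text line also swallows the newline, which is not what the removed `\vspace` did.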
@ -790,7 +790,7 @@ with prospective users. However, this limitation can be removed using an extract
|
|
|
|
|
\item[\textsf{Keygen}$(\lambda, N)$:] given $\lambda \in \NN$,
|
|
|
|
|
and the maximum number of users $N \in \poly(\lambda)$, choose asymmetric
|
|
|
|
|
bilinear groups $\mathsf{cp}=(\GG, \Gh, \GT,p)$ of order $p > 2^\lambda$.
|
|
|
|
|
\end{description} \vspace{-2mm}
|
|
|
|
|
\end{description}
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item Generate a key pair $(\pk_s, \sk_s)$ for the scheme of
|
|
|
|
|
section~\ref{scal-sig} for a one-block message (i.e., $\ell=1$). The secret key is
|
|
|
|
@ -814,13 +814,13 @@ with prospective users. However, this limitation can be removed using an extract
|
|
|
|
|
$\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.
|
|
|
|
|
The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of
|
|
|
|
|
$ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
|
|
|
|
\end{enumerate} \vspace{-1mm}
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
%
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the
|
|
|
|
|
prospective user $\U_i$ run the following interactive protocol:
|
|
|
|
|
%$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$
|
|
|
|
|
\end{description} \vspace{-2mm}
|
|
|
|
|
\end{description}
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item $\U_i$ chooses ${\ID \sample \U(\Zp)}$ and sends the following to
|
|
|
|
|
$\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) =
|
|
|
|
@ -864,13 +864,13 @@ with prospective users. However, this limitation can be removed using an extract
|
|
|
|
|
\!\!\!\!\transcript_i & \! = \!
|
|
|
|
|
\Bigl(\! \bigl( Z_{\ID}, \hat G_{2,\ID}, \hat G_{4,\ID} \bigr), \pi_K(\ID),\crt_i \!\Bigr)
|
|
|
|
|
\end{align}
|
|
|
|
|
and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %\vspace{-1mm}
|
|
|
|
|
and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
%
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$
|
|
|
|
|
does the following:
|
|
|
|
|
\end{description} \vspace{-2mm}
|
|
|
|
|
\end{description}
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
\item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \U(\Zp)$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$,
|
|
|
|
|
$\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$.
|
|
|
|
@ -971,11 +971,11 @@ with prospective users. However, this limitation can be removed using an extract
|
|
|
|
|
\item Return $1$ if
|
|
|
|
|
$
|
|
|
|
|
c = H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$ and $0$ otherwise.
|
|
|
|
|
\end{enumerate} \vspace{-1mm}
|
|
|
|
|
\end{enumerate}
|
|
|
|
|
%
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a message-signature pair $(M,\Sigma)$
|
|
|
|
|
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm}
|
|
|
|
|
and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$:
|
|
|
|
|
\end{description}
|
|
|
|
|
\begin{enumerate}
|
|
|
|
|
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
|
|
|
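Review bot: `and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$:` writes the opening key as `S_\mathrm{OA}` while the item header `\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$` and Keygen (`$ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$`) use the calligraphic `\mathcal{S}`; since this line is being edited anyway, align it. The commented-out step `%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.` lists components `x_r, y_r` that are not part of the key as defined, so it is stale; delete it rather than leave a misleading parse step in the source.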
@ -1027,7 +1027,7 @@ The security of the above dynamic group signature scheme, namely full anonymity,
|
|
|
|
|
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
|
|
|
|
|
|
|
|
|
|
\begin{theorem} \label{th:sgsig-anonymity}
|
|
|
|
|
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
|
|
|
|
|
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %
|
|
|
|
|
\end{theorem}
|
|
|
|
|
|
|
|
|
|
\begin{proof}
|
|
|
|
@ -1035,7 +1035,7 @@ We use a sequence of games where, for each $i$, $W_i$ is the event that the ad
|
|
|
|
|
\\
|
|
|
|
|
At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and
|
|
|
|
|
$\tilde \sigma_3$ appear un-encrypted in each group signature.
|
|
|
|
|
\vspace{-2mm}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
\begin{description}
|
|
|
|
|
\item[Game 0:] This is the real CCA-anonymity game.\\
|
|
|
|
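Review bot: `At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument` is redundant ("the security of the computational soundness"); write `rely on the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk}, which relies on the $\SXDH$ assumption`, and `appear un-encrypted in each group signature` should be `unencrypted`. The lone `\\` line used as a paragraph separator before this sentence produces an underfull hbox and an odd gap; a blank line gives the intended paragraph break.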
@ -1090,7 +1090,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
|
|
|
|
|
that $C_2 \neq C_1^\alpha$. Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature
|
|
|
|
|
that properly verifies although $C_2 \neq C_1^\alpha$. Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$, where $q_O$ is the number of opening
|
|
|
|
|
queries and $q_H$ is the number of random oracle queries.
|
|
|
|
|
\vspace{-1mm}
|
|
|
|
|
|
|
|
|
|
\end{description}
|
|
|
|
|
|
|
|
|
|
In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1,v^{\mathsf{ID}})$. Indeed,
|
|
|
|
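Review bot: `Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature` has a stray full stop after `Game $4$` that splits the sentence; it should read `remains the same as Game $4$ until the event $E_5$ ...`. The hunk otherwise only removes a standalone `\vspace{-1mm}`, which is fine.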
@ -1116,14 +1116,14 @@ It comes that $\Pr[W_5]=1/2$. \medskip
|
|
|
|
|
\advantage{\DDH}{\GG}(\lambda) + \advantage{\DDH}{\Gh}(\lambda)+ \frac{q_O \cdot q_H}{p} + \frac{1}{p^3},
|
|
|
|
|
\]
|
|
|
|
|
which concludes the proof.
|
|
|
|
|
%\vspace{-2mm}
|
|
|
|
|
%
|
|
|
|
|
\end{proof}
|
|
|
|
|
|
|
|
|
|
\begin{comment}
|
|
|
|
|
|
|
|
|
|
\begin{lemma} \label{le-gsig-1}
|
|
|
|
|
In Game $1$ we have $\Pr[F_1] \leq \Advt{\Gh}{\mathrm{DDH}}{\lambda}$.
|
|
|
|
|
\vspace{-2mm}
|
|
|
|
|
|
|
|
|
|
\end{lemma}
|
|
|
|
|
|
|
|
|
|
\begin{proof}
|
|
|
|
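Review bot: `\begin{comment}` opens immediately after `\end{proof}` and the lemma that follows (`\begin{lemma} \label{le-gsig-1}`, with `\label{le-gsig-4}` in the next hunk) sits inside it, yet the anonymity proof above depends on `Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$`; unless an `\end{comment}` not visible in this diff closes the environment before that lemma, the reference resolves to `??` and the bound has no stated proof in the output. Either move the lemmas out of the `comment` environment or inline their arguments in the game hops. Removing `\vspace{-2mm}` inside the commented block is also wasted effort, since none of it is typeset.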
@ -1158,11 +1158,11 @@ It comes that $\Pr[W_5]=1/2$. \medskip
|
|
|
|
|
If $\adv$ wins and correctly guesses $d'=d \in \bit$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$.
|
|
|
|
|
\\
|
|
|
|
|
It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$.
|
|
|
|
|
%\vspace{-1mm}
|
|
|
|
|
%
|
|
|
|
|
\end{proof}
|
|
|
|
|
|
|
|
|
|
\begin{lemma} \label{le-gsig-4}
|
|
|
|
|
In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$. \vspace{-1mm}
|
|
|
|
|
In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$.
|
|
|
|
|
\end{lemma}
|
|
|
|
|
%
|
|
|
|
|
\begin{proof}
|
|
|
|
@ -1189,7 +1189,7 @@ It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon
|
|
|
|
|
For all hash queries, the probability that one of them be answered with the uniquely determined $c \in \ZZ_q$ is \emph{at most}
|
|
|
|
|
$q_H/p$. A union bound over all opening queries implies that the probability that the event $E_4$ happens is smaller than
|
|
|
|
|
$\Pr[E_4] \leq q_O \cdot q_H/p.$
|
|
|
|
|
%\vspace{-1mm}
|
|
|
|
|
%
|
|
|
|
|
\end{proof}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
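Review bot: `the probability that one of them be answered with the uniquely determined $c \in \ZZ_q$` uses a modulus $q$ that appears nowhere else; the groups have prime order $p$ and the bound is `$q_H/p$`, so this should be `$c \in \Zp$` (and "be answered" should be "is answered"). The proof then concludes with `the event $E_4$ happens` and `$\Pr[E_4] \leq q_O \cdot q_H/p.$` while the lemma it proves is stated as `In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$.`; rename $E_4$ to $E_5$ throughout. `is smaller than $\Pr[E_4] \leq q_O \cdot q_H/p$` also double-states the inequality; write `is at most $q_O \cdot q_H/p$`.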
@ -1268,7 +1268,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|
|
|
|
Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs
|
|
|
|
|
$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery
|
|
|
|
|
for the signature scheme of Section~\ref{scal-sig}.
|
|
|
|
|
%\vspace{-1mm}
|
|
|
|
|
%
|
|
|
|
|
\end{proof}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -1354,7 +1354,7 @@ which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute
|
|
|
|
|
$a:=\ID^\star/\delta_i$ in $\Zp$.
|
|
|
|
|
\\
|
|
|
|
|
This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $.
|
|
|
|
|
\vspace{-2mm}
|
|
|
|
|
|
|
|
|
|
\end{proof}
|
|
|
|
|
|
|
|
|
|
We stress that the proofs can be easily adapted to the case where the opening algorithm has linear complexity in the number of users.
|
|
|
|
|
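Review bot: `then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $` should say `yields` (an algorithm does not imply another), and the bound has the shape of a forking-lemma bound over $q_H$ random-oracle queries, so name the lemma being invoked and where the rewinding happens; as written the reader has to infer why $\varepsilon/q_H$ appears. The lone `\\` before `This observation tells us that` should be a blank line, for the same reason as earlier in the proofs.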