indent
This commit is contained in:
@@ -1532,7 +1532,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
|
||||
|
||||
\begin{description}
|
||||
\item[$\textsf{Game}^{(d)}$~0:] This is the real anonymity experiment $\Expt^\textrm{anon$-d$}_\adv(\lambda)$ as described in Definition~\ref{def:anon}.
|
||||
More precisely, the challenger starts by running the algorithm $\mathsf{Setup}(1^\lambda, 1^{\Ngs})$ to obtain $(\gspk, \mathcal{S}_\GM = \mathbf{T_A} \in \ZZ^{m \times m}, \mathcal{S}_\OA = \mathbf{T_B} \in \ZZ^{m \times m})$ along with state information $St$. The challenger next hands the public parameters $\gspk$ and the group manager key $\mathcal{S}_\GM$ to the adversary $\adv$.
|
||||
More precisely, the challenger starts by running the~$\mathsf{Setup}(1^\lambda, 1^{\Ngs})$ algorithm to obtain $(\gspk, \mathcal{S}_\GM = \mathbf{T_A} \in \ZZ^{m \times m}, \mathcal{S}_\OA = \mathbf{T_B} \in \ZZ^{m \times m})$ along with state information $St$. The challenger next hands the public parameters $\gspk$ and the group manager key $\mathcal{S}_\GM$ to the adversary $\adv$.
|
||||
On the following adversary signature opening queries on signatures $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_d}, \pi_K, sig)$, the challenger uses the opening authority key $\mathbf{T_A} \in \ZZ^{m \times m}$ he possesses to decrypt the GPV encryption of the signer identity $\mathbf{c}_{\mathbf{v}_d} \in \Zq^m \times \Zq^{2m}$.
|
||||
At some point, the adversary $\adv$ requests a challenge by outputting a target message $M^\star \in \bit^*$ and two user key pairs
|
||||
\[ \bigl(\scr_i^\star = \mathbf{z}^\star_i \in \ZZ^{4m}, \crt_i^\star \in (\mathsf{id}^\star_i, \mathbf{d}^\star_i, \mathbf{s}^\star_i) \in \bit^\ell \times \ZZ^{2m} \times \ZZ^{2m} \bigr)_{i \in \bit} \]
|
||||
@@ -1775,29 +1775,30 @@ By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) a
|
||||
\subsection{Proving the Possession of a Signature on a Committed Value}\label{subsection:zk-for-signature}
|
||||
We now describe how to derive the protocol for proving the possession of a signature on a committed value, that is used in Section~\ref{commit-sig}.
|
||||
\begin{description}
|
||||
\item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D} \in \ZZ_q^{n \times m}$; $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$;
|
||||
$\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$; vectors
|
||||
$ \{\mathbf{c}_{k,1}\}_{k=1}^N, \mathbf{c}_{\tau,1}, \mathbf{c}_{\mathbf{v}, 1}, \mathbf{c}_{s, 1} \in \ZZ_q^m$; $\{\mathbf{c}_{k,2}\}_{k=1}^N,\mathbf{c}_{\mathbf{v}, 2}, \mathbf{c}_{s,2} \in \ZZ_q^{2m}$; $\mathbf{c}_{\tau,2} \in \ZZ_q^\ell$; $\mathbf{u} \in \mathbb{Z}_q^n$.
|
||||
|
||||
\smallskip
|
||||
|
||||
\item[Prover's Input:] $\mathbf{v} = \left(
|
||||
\begin{array}{c}
|
||||
\mathbf{v}_1 \\
|
||||
\mathbf{v}_2 \\
|
||||
\end{array}
|
||||
\right)
|
||||
$, where $\mathbf{v}_1, \mathbf{v}_2\in [-\beta, \beta]^m$ and $\beta = \sigma\cdot \omega(\log m)$ - the infinity norm bound of signatures; $\tau \in \{0,1\}^\ell$; $\mathbf{s} \in [-(p-1), (p-1)]^{2m}$;
|
||||
|
||||
\smallskip
|
||||
$\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$; $\{\mathbf{s}_{k}\}_{k=1}^N$, $\mathbf{s}_{\mathbf{v}}$, $\mathbf{s}_0$, $\mathbf{s}_\tau \in [-B,B]^n$;
|
||||
|
||||
\smallskip
|
||||
$\{\mathbf{e}_{k,1}\}_{k=1}^N$, $\mathbf{e}_{\mathbf{v}, 1}$, $\mathbf{e}_{0,1}$, $\mathbf{e}_{\tau,1} \in [-B,B]^m$;
|
||||
$\{\mathbf{e}_{k,2}\}_{k=1}^N, \mathbf{e}_{0,2},\mathbf{e}_{\mathbf{v},2} \in [-B,B]^{2m}$;
|
||||
\item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D} \in \ZZ_q^{n \times m}$; $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$;$\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$;
|
||||
$\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$;\\
|
||||
vectors
|
||||
$ \{\mathbf{c}_{k,1}\}_{k=1}^N, \mathbf{c}_{\tau,1}, \mathbf{c}_{\mathbf{v}, 1}, \mathbf{c}_{s, 1} \in \ZZ_q^m$; $\{\mathbf{c}_{k,2}\}_{k=1}^N,\mathbf{c}_{\mathbf{v}, 2}, \mathbf{c}_{s,2} \in \ZZ_q^{2m}$; $\mathbf{c}_{\tau,2} \in \ZZ_q^\ell$; $\mathbf{u} \in \mathbb{Z}_q^n$.
|
||||
|
||||
\smallskip
|
||||
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
|
||||
|
||||
\item[Prover's Input:] $\mathbf{v} = \left(
|
||||
\begin{array}{c}
|
||||
\mathbf{v}_1 \\
|
||||
\mathbf{v}_2 \\
|
||||
\end{array}
|
||||
\right)
|
||||
$, where $\mathbf{v}_1, \mathbf{v}_2\in [-\beta, \beta]^m$ and $\beta = \sigma\cdot \omega(\log m)$ - the infinity norm bound of signatures; $\tau \in \{0,1\}^\ell$; $\mathbf{s} \in [-(p-1), (p-1)]^{2m}$;
|
||||
|
||||
\smallskip
|
||||
$\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$; $\{\mathbf{s}_{k}\}_{k=1}^N$, $\mathbf{s}_{\mathbf{v}}$, $\mathbf{s}_0$, $\mathbf{s}_\tau \in [-B,B]^n$;
|
||||
|
||||
\smallskip
|
||||
$\{\mathbf{e}_{k,1}\}_{k=1}^N$, $\mathbf{e}_{\mathbf{v}, 1}$, $\mathbf{e}_{0,1}$, $\mathbf{e}_{\tau,1} \in [-B,B]^m$;
|
||||
$\{\mathbf{e}_{k,2}\}_{k=1}^N, \mathbf{e}_{0,2},\mathbf{e}_{\mathbf{v},2} \in [-B,B]^{2m}$;
|
||||
|
||||
\smallskip
|
||||
$\mathbf{e}_{\tau,2} \in [-B,B]^\ell$.
|
||||
\end{description}
|
||||
|
||||
\textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that:
|
||||
@@ -1809,29 +1810,29 @@ and that (modulo $q$)
|
||||
\begin{eqnarray}\label{equation:R-sign-ciphertext}
|
||||
\hspace*{-12.5pt}
|
||||
\begin{cases}
|
||||
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
|
||||
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
|
||||
|
||||
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
|
||||
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt}
|
||||
\begin{array}{c}
|
||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||
\mathbf{0}\\
|
||||
\end{array}
|
||||
\hspace*{-2pt}\right)\cdot \mathbf{v}_1
|
||||
\hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt}
|
||||
\begin{array}{c}
|
||||
\mathbf{0}\\
|
||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||
\end{array}
|
||||
\hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2
|
||||
; \\
|
||||
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
|
||||
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt}
|
||||
\begin{array}{c}
|
||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||
\mathbf{0}\\
|
||||
\end{array}
|
||||
\hspace*{-2pt}\right)\cdot \mathbf{v}_1
|
||||
\hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt}
|
||||
\begin{array}{c}
|
||||
\mathbf{0}\\
|
||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||
\end{array}
|
||||
\hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2
|
||||
; \\
|
||||
|
||||
%\mathbf{c}_{\mathbf{v}_2, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ; \hspace*{2.5pt}
|
||||
%\mathbf{c}_{\mathbf{v}_2,2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2}+ \lfloor\frac{q}{p}\rfloor \cdot %\mathbf{v}_2 ; \\
|
||||
|
||||
\mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\
|
||||
\mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\
|
||||
|
||||
\mathbf{c}_{\tau,1} = \mathbf{B}^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1} ; \hspace*{2.5pt} \mathbf{c}_{\tau,2}= \mathbf{G}_0^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \lfloor q/2 \rfloor\cdot \tau .
|
||||
\mathbf{c}_{\tau,1} = \mathbf{B}^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1} ; \hspace*{2.5pt} \mathbf{c}_{\tau,2}= \mathbf{G}_0^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \lfloor q/2 \rfloor\cdot \tau .
|
||||
\end{cases}
|
||||
\end{eqnarray}
|
||||
$~$ \\
|
||||
|
||||
Reference in New Issue
Block a user