From 04d67f062254154074a01379db2afc94b4c71bc0 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Wed, 2 May 2018 16:04:27 +0200 Subject: [PATCH] indent --- chap-GS-LWE.tex | 79 +++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 39 deletions(-) diff --git a/chap-GS-LWE.tex b/chap-GS-LWE.tex index 2535070..dca31f3 100644 --- a/chap-GS-LWE.tex +++ b/chap-GS-LWE.tex @@ -1532,7 +1532,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{ \begin{description} \item[$\textsf{Game}^{(d)}$~0:] This is the real anonymity experiment $\Expt^\textrm{anon$-d$}_\adv(\lambda)$ as described in Definition~\ref{def:anon}. - More precisely, the challenger starts by running the algorithm $\mathsf{Setup}(1^\lambda, 1^{\Ngs})$ to obtain $(\gspk, \mathcal{S}_\GM = \mathbf{T_A} \in \ZZ^{m \times m}, \mathcal{S}_\OA = \mathbf{T_B} \in \ZZ^{m \times m})$ along with state information $St$. The challenger next hands the public parameters $\gspk$ and the group manager key $\mathcal{S}_\GM$ to the adversary $\adv$. + More precisely, the challenger starts by running the~$\mathsf{Setup}(1^\lambda, 1^{\Ngs})$ algorithm to obtain $(\gspk, \mathcal{S}_\GM = \mathbf{T_A} \in \ZZ^{m \times m}, \mathcal{S}_\OA = \mathbf{T_B} \in \ZZ^{m \times m})$ along with state information $St$. The challenger next hands the public parameters $\gspk$ and the group manager key $\mathcal{S}_\GM$ to the adversary $\adv$. On the following adversary signature opening queries on signatures $\Sigma = (\vk, \mathbf{c}_{\mathbf{v}_d}, \pi_K, sig)$, the challenger uses the opening authority key $\mathbf{T_A} \in \ZZ^{m \times m}$ he possesses to decrypt the GPV encryption of the signer identity $\mathbf{c}_{\mathbf{v}_d} \in \Zq^m \times \Zq^{2m}$. At some point, the adversary $\adv$ requests a challenge by outputting a target message $M^\star \in \bit^*$ and two user key pairs \[ \bigl(\scr_i^\star = \mathbf{z}^\star_i \in \ZZ^{4m}, \crt_i^\star \in (\mathsf{id}^\star_i, \mathbf{d}^\star_i, \mathbf{s}^\star_i) \in \bit^\ell \times \ZZ^{2m} \times \ZZ^{2m} \bigr)_{i \in \bit} \] @@ -1775,29 +1775,30 @@ By inspection, it can be seen that the properties in~(\ref{eq:zk-equivalence}) a \subsection{Proving the Possession of a Signature on a Committed Value}\label{subsection:zk-for-signature} We now describe how to derive the protocol for proving the possession of a signature on a committed value, that is used in Section~\ref{commit-sig}. \begin{description} - \item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D} \in \ZZ_q^{n \times m}$; $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$; $\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$; - $\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$; vectors - $ \{\mathbf{c}_{k,1}\}_{k=1}^N, \mathbf{c}_{\tau,1}, \mathbf{c}_{\mathbf{v}, 1}, \mathbf{c}_{s, 1} \in \ZZ_q^m$; $\{\mathbf{c}_{k,2}\}_{k=1}^N,\mathbf{c}_{\mathbf{v}, 2}, \mathbf{c}_{s,2} \in \ZZ_q^{2m}$; $\mathbf{c}_{\tau,2} \in \ZZ_q^\ell$; $\mathbf{u} \in \mathbb{Z}_q^n$. - - \smallskip - - \item[Prover's Input:] $\mathbf{v} = \left( - \begin{array}{c} - \mathbf{v}_1 \\ - \mathbf{v}_2 \\ - \end{array} - \right) - $, where $\mathbf{v}_1, \mathbf{v}_2\in [-\beta, \beta]^m$ and $\beta = \sigma\cdot \omega(\log m)$ - the infinity norm bound of signatures; $\tau \in \{0,1\}^\ell$; $\mathbf{s} \in [-(p-1), (p-1)]^{2m}$; - - \smallskip - $\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$; $\{\mathbf{s}_{k}\}_{k=1}^N$, $\mathbf{s}_{\mathbf{v}}$, $\mathbf{s}_0$, $\mathbf{s}_\tau \in [-B,B]^n$; - - \smallskip - $\{\mathbf{e}_{k,1}\}_{k=1}^N$, $\mathbf{e}_{\mathbf{v}, 1}$, $\mathbf{e}_{0,1}$, $\mathbf{e}_{\tau,1} \in [-B,B]^m$; - $\{\mathbf{e}_{k,2}\}_{k=1}^N, \mathbf{e}_{0,2},\mathbf{e}_{\mathbf{v},2} \in [-B,B]^{2m}$; + \item[Common Input:] Matrices $\mathbf{A}, \{\mathbf{A}_j\}_{j=0}^\ell, \mathbf{D} \in \ZZ_q^{n \times m}$; $\{\mathbf{D}_k\in \ZZ_q^{2n \times 2m}\}_{k=0}^N$;$\mathbf{B}\in \ZZ_q^{n \times m}$; $\mathbf{G}_1 \in \mathbb{Z}_q^{n \times 2m}$; + $\mathbf{G}_0 \in \mathbb{Z}_q^{n \times \ell}$;\\ + vectors + $ \{\mathbf{c}_{k,1}\}_{k=1}^N, \mathbf{c}_{\tau,1}, \mathbf{c}_{\mathbf{v}, 1}, \mathbf{c}_{s, 1} \in \ZZ_q^m$; $\{\mathbf{c}_{k,2}\}_{k=1}^N,\mathbf{c}_{\mathbf{v}, 2}, \mathbf{c}_{s,2} \in \ZZ_q^{2m}$; $\mathbf{c}_{\tau,2} \in \ZZ_q^\ell$; $\mathbf{u} \in \mathbb{Z}_q^n$. \smallskip - $\mathbf{e}_{\tau,2} \in [-B,B]^\ell$. + + \item[Prover's Input:] $\mathbf{v} = \left( + \begin{array}{c} + \mathbf{v}_1 \\ + \mathbf{v}_2 \\ + \end{array} + \right) + $, where $\mathbf{v}_1, \mathbf{v}_2\in [-\beta, \beta]^m$ and $\beta = \sigma\cdot \omega(\log m)$ - the infinity norm bound of signatures; $\tau \in \{0,1\}^\ell$; $\mathbf{s} \in [-(p-1), (p-1)]^{2m}$; + + \smallskip + $\mathfrak{m} = (\mathfrak{m}_1^T \| \ldots \| \mathfrak{m}_N^T)^T \in \mathsf{CorEnc}(mN)$; $\{\mathbf{s}_{k}\}_{k=1}^N$, $\mathbf{s}_{\mathbf{v}}$, $\mathbf{s}_0$, $\mathbf{s}_\tau \in [-B,B]^n$; + + \smallskip + $\{\mathbf{e}_{k,1}\}_{k=1}^N$, $\mathbf{e}_{\mathbf{v}, 1}$, $\mathbf{e}_{0,1}$, $\mathbf{e}_{\tau,1} \in [-B,B]^m$; + $\{\mathbf{e}_{k,2}\}_{k=1}^N, \mathbf{e}_{0,2},\mathbf{e}_{\mathbf{v},2} \in [-B,B]^{2m}$; + + \smallskip + $\mathbf{e}_{\tau,2} \in [-B,B]^\ell$. \end{description} \textbf{Prover's Goal:} Convince the verifier in \textsf{ZK} that: @@ -1809,29 +1810,29 @@ and that (modulo $q$) \begin{eqnarray}\label{equation:R-sign-ciphertext} \hspace*{-12.5pt} \begin{cases} -\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\ + \forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \hspace*{5pt}\mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\ -\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\ -\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt} - \begin{array}{c} - \lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\ - \mathbf{0}\\ - \end{array} - \hspace*{-2pt}\right)\cdot \mathbf{v}_1 - \hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt} - \begin{array}{c} - \mathbf{0}\\ - \lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\ - \end{array} - \hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2 - ; \\ + \mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\ + \mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \lfloor\frac{q}{p}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v} \hspace*{-2pt}=\hspace*{-2pt} \mathbf{G}_1^T \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{s}_{\mathbf{v}} \hspace*{-2pt}+\hspace*{-2pt} \mathbf{e}_{\mathbf{v},2}\hspace*{-2pt}+\hspace*{-2pt} \left(\hspace*{-2pt} + \begin{array}{c} + \lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\ + \mathbf{0}\\ + \end{array} + \hspace*{-2pt}\right)\cdot \mathbf{v}_1 + \hspace*{-2pt}+ \hspace*{-2pt} \left(\hspace*{-2pt} + \begin{array}{c} + \mathbf{0}\\ + \lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\ + \end{array} + \hspace*{-2pt}\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{v}_2 + ; \\ %\mathbf{c}_{\mathbf{v}_2, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,1} ; \hspace*{2.5pt} %\mathbf{c}_{\mathbf{v}_2,2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}_2} + \mathbf{e}_{\mathbf{v}_2,2}+ \lfloor\frac{q}{p}\rfloor \cdot %\mathbf{v}_2 ; \\ -\mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\ + \mathbf{c}_{\mathbf{s}, 1}= \mathbf{B}^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,1} ; \hspace*{5pt}\mathbf{c}_{\mathbf{s},2}= \mathbf{G}_1^T\cdot \mathbf{s}_0 + \mathbf{e}_{0,2} + \lfloor q/p \rfloor\cdot \mathbf{s} ; \\ -\mathbf{c}_{\tau,1} = \mathbf{B}^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1} ; \hspace*{2.5pt} \mathbf{c}_{\tau,2}= \mathbf{G}_0^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \lfloor q/2 \rfloor\cdot \tau . + \mathbf{c}_{\tau,1} = \mathbf{B}^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,1} ; \hspace*{2.5pt} \mathbf{c}_{\tau,2}= \mathbf{G}_0^T\cdot \mathbf{s}_\tau + \mathbf{e}_{\tau,2} + \lfloor q/2 \rfloor\cdot \tau . \end{cases} \end{eqnarray} $~$ \\