From 224eb18e88e7ffe45b5d38604e55c7e67d192ebc Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Fri, 13 Apr 2018 15:41:25 +0200 Subject: [PATCH] sigmasig --- chap-GS-background.tex | 19 +- chap-ZK.tex | 20 +- chap-proofs.tex | 6 +- chap-sigmasig.tex | 957 ++++++++++++++++++++++++++++++++++++++++- fig-gs-relations.tex | 18 + macros.tex | 4 + main.tex | 5 + sec-lattices.tex | 2 +- sec-pairings.tex | 2 + 9 files changed, 994 insertions(+), 39 deletions(-) create mode 100644 fig-gs-relations.tex diff --git a/chap-GS-background.tex b/chap-GS-background.tex index bd90491..2617fcf 100644 --- a/chap-GS-background.tex +++ b/chap-GS-background.tex @@ -30,7 +30,7 @@ Then, the public transportation company is unable to learn anything from seeing Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building. As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful. -Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group ---\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,--- we do not consider this approach. +Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- we do not consider this approach. \section{Formal Definition and Correctness} \label{sse:gs-definitions} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} @@ -40,23 +40,10 @@ This section recalls the syntax and the security definitions of dynamic group s %A \emph{group signature} allows a group member to attest that a message was provided by a member of a \emph{group} without being altered during the process and preserving the \emph{anonymity} of the users. + \begin{figure} \centering - \begin{tikzpicture} - \node (GM) {Group manager}; - \node[right=of GM] (User) {User $i$}; - \node[right=of User] (OA) {Opening Authority}; - \node[below=of User] (M) {$\sigma$, M}; - \node[right=of M] (Other) {Anyone}; - \node[above=of User] (Setup) {Trusted Setup}; - - \draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User); - \draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M); - \draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M); - \draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M); - \draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM); - \draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA); - \end{tikzpicture} + \input fig-gs-relations \caption{Relations between the protagonists in a dynamic group signature scheme} \label{fig:relations} diff --git a/chap-ZK.tex b/chap-ZK.tex index 2ce6be5..12643e9 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex @@ -14,6 +14,8 @@ In this section, we first present the general principles and basic tools to hand \section{Definitions} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions} +\subsection{Zero-Knowledge proofs and arguments} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Preuves et arguments à divulgation nulle de connaissance} \begin{definition}[Zero-knowledge proofs and arguments] \label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument} @@ -38,6 +40,10 @@ In this section, we first present the general principles and basic tools to hand If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}. \end{definition} +\subsection{$\Sigma$-protocols} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Protocoles $\Sigma$} +\label{sse:sigma-protocols} + \begin{figure} \centering \footnotesize @@ -55,19 +61,22 @@ In this section, we first present the general principles and basic tools to hand \caption{Abstract description of a $\Sigma$-protocol.} \label{fig:sigma} \end{figure} -A way to construct zero-knowledge proofs --- that will be described with more details in \cref{sse:schnorr} -- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}. +A way to construct zero-knowledge proofs --\,that will be described with more details in \cref{sse:schnorr}\,-- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}~\cite{Dam00,GMY03}. The resulting proof remains secure against malicious verifiers. -\begin{definition}[$\Sigma$-protocol~{\cite[De.~1]{Dam10}}] \index{Zero Knowledge!$\Sigma$-protocol} - Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is three move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties. +\begin{definition}[$\Sigma$-protocol~{\cite{Cra96}}] \index{Zero Knowledge!$\Sigma$-protocol} + Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is three-move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties. \begin{description} \item[Completeness.] For any $(x,w) \in R$, $P(x,w)$ and $V(x)$ that follows the protocol, the verifier always accepts. - \item[Special soundness.] For any $x$ and any pair of accepting transcripts on input $x$: $(\cmt, \chall, \rsp)$ and $(\cmt, \chall', \rsp')$, there exists a $\ppt$ algorithm $\extr$ that takes as input the two aforementioned transcripts and outputs an element $w$ such that $(x,w) \in R$. + \item[Special soundness.] For any $x$ and any pair of accepting transcripts on input $x$ of the form $(\cmt, \chall, \rsp)$ and $(\cmt, \chall', \rsp')$, there exists a $\ppt$ algorithm $\extr$ that takes as input the two aforementioned transcripts and outputs an element $w$ such that $(x,w) \in R$. \item[Honest-Verifier Zero-Knowledge.] There exists a $\ppt$ simulator $S$, such that the two probability distributions $\{\trans(P(x,w), V(x))\}$ and $\{S(x)\}$ with honest $P$ and $V$ are the same. \end{description} \end{definition} An example of $\Sigma$-protocol will be given in \cref{sse:schnorr}, and its transformation into a Zero-Knowledge proof using a commitment scheme as well. +\subsection{Commitment schemes} +\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Mise en gage cryptographique} + Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal is to commit a message $M$ into a commitment $\com$ such that once a message is committed, it is impossible to know what is inside (hiding property), and it is as well impossible to modify a commitment to change the underlying message (binding property). \begin{figure} @@ -153,6 +162,9 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the If $m > 5n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model. \end{lemma} +\subsection{Non interactive Proofs and Fiat-Shamir Transform} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives et transformation de Fiat-Shamir} + Another useful primitives are the non-interactive version of zero-knowledge proofs. \begin{definition}[Non Interactive Zero Knowledge] diff --git a/chap-proofs.tex b/chap-proofs.tex index 5536f00..7037424 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex @@ -248,7 +248,7 @@ This definition of advantages models the fact that the adversary is unable to di Which means that the adversary cannot get a single bit of information about the ciphertext. This kind of definition are also useful to model anonymity. -For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion. +For instance in \cref{sec:RGSdefsecAnon}, the definition of anonymity for group signatures is defined in a similar fashion (\cref{def:anon}). On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game. The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries. @@ -279,8 +279,8 @@ The security definition of $\indcpa$ is defined as an indistinguishability game. The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}. In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments. In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments. -Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ ---\,in the \emph{Real world}\,--- that interacts with a challenger $\cdv$ -there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ ---\,in the \emph{Ideal world}\,--- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}. +Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --\,in the \emph{Real world}\,-- that interacts with a challenger $\cdv$ +there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal world}\,-- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}. In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality. diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index 141625b..4b773ed 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex @@ -5,6 +5,7 @@ %----------------------------------------------------------------------- \section{Building blocks} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Briques de base} We use bilinear maps $e:\GG \times \Gh \to \GT$ over groups of prime order $p$ and we rely on the assumed security of the \SDL and \SXDH problems defined in \cref{se:pairings}. All these definitions are recalled below. @@ -15,9 +16,8 @@ groups of prime order $p$ and we rely on the assumed security of the \SDL and \ \defSDL* -\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Briques de base} \subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk} -\addcontentsline{tof}{section}{\protect\numberline{\thechapter} Argument NIZK quasi-adaptatif pour un sous-espace linéaire} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument NIZK quasi-adaptatif pour un sous-espace linéaire} Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS) may depend on the language for which proofs have to be generated. @@ -26,8 +26,8 @@ Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. In the description below, we assume that all algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric -bilinear groups $(\GG,\Gh,\GG_T,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter. -In this setting the problem is to convince that $\boldsymbol v$ is a linear combination of the rows of a given +bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter. +In this setting the problem is to convince that $\boldsymbol{v}$ is a linear combination of the rows of a given $\mathbf{M}\in\GG^{t\times n}$. Kiltz and Wee \cite{KW15} suggested the following construction which simplifies \cite{LPJY14} and remains secure under \SXDH. @@ -35,28 +35,28 @@ We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M} \begin{description} \item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:] - Given public parameters $\mathsf{cp}=(\GG,\Gh,\GG_T,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$. + Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$. Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$ and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$. Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) \in \GG^t\times\Gh^{n+1}$. -\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol v}, \{\omega_i\}_{i=1}^t)$:] - To prove that ${\boldsymbol v}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, +\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:] + To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, for some witness $\omega_1,\ldots,\omega_t \in \Zp$, where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, parse $\mathsf{crs}$ as above and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$. -\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol v})$:] - In order to simulate a proof for a vector ${\boldsymbol v} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, +\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol{v}})$:] + In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $. -\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol v}, \pi)$:] - Given $\pi \in \GG$ and ${\boldsymbol v}=(v_1,\dotsc,v_n)$, +\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:] + Given $\pi \in \GG$ and ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$, return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies - $ 1_{\GG_T} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ + $ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ \end{description} The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. @@ -139,7 +139,7 @@ The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$ while the verification equation only involves a computation of 5 pairings. \begin{theorem} \label{th:eu-cma-1} -The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GG_T)$. +The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GT)$. \end{theorem} \begin{proof} @@ -261,7 +261,7 @@ The above signature scheme is existentially unforgeable under chosen-message att If $(M^\star, \sigma^\star)$ is not a type $\mathrm{A}'$ forgery, $\ssigma$ is then not in the row space of $\mathbf{M}$. - Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\hat\GG,\GG_T,p)$, a matrix ${\mathbf{M}}$ as in + Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in (\ref{matrix-scal-sig}) and a common reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. @@ -445,8 +445,935 @@ If DDH holds in $\GG$, for each $k \in which contradicts the DDH assumption in $\GG$. \end{proof} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\section{Companion Protocols } \label{new-proto} + +In this section, we give $\Sigma$-protocols (\cref{sse:sigma-protocols}) for issuing a signature on a committed multi-block message and for proving knowledge of a valid message-signature pair. + +%------------------------------------------------------------------------ +\subsection{Proof of Knowledge of a Signature on a Committed Message} + +We give $\Sigma$-protocols for proving the knowledge of a signature-message pair $({\sigma},\vec{m})$ satisfying the verification equation of the scheme of Section~\ref{scal-sig} + +\begin{align} \label{eq-mult-sig} + e(\Omega,\hat{g}_{2 \ell+4})^{-1} + & = \, e(\sigma_1,\hat{g_1}) \cdot + e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot \hat{g}_{\ell+2} ) + \\ \nonumber + & \quad \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot \hat{g}_{2 \ell+3} ) + \cdot e(\pi,\hat{g}_z), +\end{align} +% +where ${\sigma}=(\sigma_1,\sigma_2,\sigma_3,\pi)$ and $\vec{m}=(m_1,\ldots,m_\ell)$. +We note that, as shown in the proof of Theorem \ref{th:eu-cma-1}, a candidate signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ may satisfy the verification equation +although $\log_g(\sigma_2)\neq \log_h(\sigma_3)$. In applications to anonymous credentials, a malicious credential issuer could take advantage of this fact in attempts to +break the anonymity of the scheme (e.g., by linking two authentications involving the same credential). For this reason, we consider a protocol for proving possession +of a possibly maliciously generated signature. + +We thus consider the case of arbitrary valid signatures that may have been maliciously computed by a signer who, {e.g.}, aims at tracing provers across different authentications. In this setting, we can still obtain a perfect SHVZK $\Sigma$-protocol to hedge against such attacks. +\vspace{-1mm} + +A first attempt to efficiently build such a protocol is to ``linearize'' the verification equation (\ref{eq-mult-sig}) by making sure that two witnesses are never paired together. However, we will still have to deal with (parallelizable) intermediate $\Sigma$-protocols for quadratic scalar relations. +Even though a quadratic pairing-product equation $e(x_1,\hat{a}) \cdot e(x_2,\hat{y})$ -- for variables $x_1,x_2,\hat{y}$ and constant $\hat{a}$ -- can be linearized by partially randomizing the variables so as to get the equation $e(x_1\cdot x_2^{r},\hat{a}) \cdot e(x_2,\hat{y}\cdot \hat{a}^{-r})$ (which allows $\hat{y}'=\hat{y}\cdot \hat{a}^{-r}$ to appear in the +clear), proving knowledge of a valid signature still requires proving a statement about some representation of $\hat{y}$ which now appears in committed form. Somehow, going through the randomizing factor $\hat{a}^{-r}$ involves a quadratic relation between some known exponents to get special-soundness. To ease the entire proof we rather directly commit to the variables in $\GG$ and $\hat{\GG}$ using their available generator $g$ and $\hat{g}$ which are not among the constants of the verification equation of the signature. We additionally need an extra generator $f$ of $\GG$ whose discrete logarithm is unknown. +\vspace{-1mm} + +\begin{description} +\item[\textsf{Commit}] Given $({\sigma},\vec{m})$, conduct the following steps. \vspace{-1mm} +\end{description} + \begin{enumerate} + \item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$ + and $d_2:=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$. + To this end, choose + $r_1,r_2\sample\ZZ_p$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$. + \item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\ZZ_p^\ell$, + choose $s_1,s_2,u_1,\ldots,u_\ell \sample\ZZ_p$ + and compute $\hat{E}_1=\hat{g}_2^{u_1}\cdots\hat{g}_{\ell+1}^{u_\ell}\cdot \hat{g}^{s_1}$ + and $\hat{E}_2=\hat{g}_{\ell+3}^{u_1}\cdots\hat{g}_{2 \ell+2}^{u_\ell}\cdot \hat{g}^{s_2}$. + \item Using $r_1,r_2 \in \ZZ_p$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$ + and commit to $(\pi,\sigma_0 ,\sigma_1,\sigma_2,\sigma_3)\in\GG^5.$ + For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\ZZ_p$ at random and set $C_z=\pi \cdot g^{t_z}$, + $C_i=\sigma_i \cdot g^{t_i}$, for $i \in \{0,\ldots,3\}$, and + $\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_{1}^{t_2} + \cdot \hat{D}_{2}^{t_3} \cdot \hat{g}^{-t_0}.$ + + \item In order to prove (partial) knowledge of an opening to $(C_z,C_0,C_1,C_2,C_3,\hat{D}_0)$, compute + $\hat{E}_0=\hat{g}_z^{v_z} \cdot \hat{g}_1^{v_1} \cdot \hat{D}_{1}^{v_2} + \cdot \hat{D}_{2}^{v_3} \cdot \hat{g}^{-v_0}$ + for random $v_z,v_0,v_1,v_2,v_3\sample\ZZ_p$. + \item Prove that $C_0$ is well-formed relatively to the committed values in $C_1,C_2$ and the coins + $r_1,r_2 \in \ZZ_p$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation + $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot {g}^{t_4},$ where $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$. To do this, compute + $F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample\ZZ_p$ and where $s_1,s_2 \in \ZZ_p$ are the random coins used in $\hat{E}_1,\hat{E}_2$. + \item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \ZZ_p$ by picking $x_2,x_3,x_4\sample\ZZ_p$ and computing + $$T_i=g^{t_i} \cdot f^{x_i} \qquad \forall i \in \{0,2,3, 4\}, $$ where $x_0=x_2 \cdot r_1+x_3 \cdot r_2+x_4$. Ensure that committed + variables coincide with those of previous steps by computing $$\{V_i=g^{v_i} \cdot f^{y_i}\}_{i \in \{0,2,3,4\} },$$ where + $y_0,y_2,y_3,y_4\sample\ZZ_p$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \ZZ_p$ from steps 2 and 5 to compute + $S_0=T_2^{s_1} \cdot T_3^{s_2}$. + \medskip + \item[~~~Finally,] keep $C_z\in\GG$ and all the random coins in $\mathsf{aux}$, + \item[~~~and] output + \begin{equation} \label{eq-comm-2} + \begin{aligned} + \mathsf{com}=\Bigl( + \{C_i\}_{i=0}^3, F_0, \{(T_i,V_i)\}_{i=0,2,3,4},~~~\\ + S_0, \{(\hat{D}_i,\hat{E}_i)\}_{i=0}^2 + \Bigr) \in \GG^{14} \times \hat{\GG}^{6} + \end{aligned} + \end{equation} + \end{enumerate} \vspace{-2mm} + % +\begin{description} +\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample\ZZ_p $ uniformly at random and return $\mathsf{chall}=\rho $. +\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\ZZ_p$: +\end{description}\vspace{-4mm} + %set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and + \begin{enumerate} + \item $\bar{m}_i= \rho\cdot m_i + u_i $, for $i=1$ to $\ell$, $\bar{r}_1= \rho \cdot r_1 +s_1 $, + and $\bar{r}_2= \rho\cdot r_2 +s_2 $; + \item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$; + \item $w_4= \rho\cdot t_4 + v_4 $, where $t_4:=t_0-t_1 \cdot r_1-t_2 \cdot r_2$; + \item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip + \item[~~~Output] $\mathsf{resp}\in \GG\times \ZZ_p^{\ell+12}$ as + \begin{align*} + %\mathsf{resp}= + \bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2, + w_z,\{w_i\}_{i=0}^4,\{z_i\}_{i=0,2,3,4} \bigr). + \end{align*} \vspace{-5mm} + \end{enumerate} + % +\begin{description} +\item[\textsf{Verify}] Given $(\mathsf{com};\mathsf{chall};\mathsf{resp})$ return $0$ if it does not parse correctly or if the following relations do not hold: \vspace{-2mm} +\end{description} + \begin{enumerate} + \item $(\hat{D}_1/\hat{g}_{\ell+2})^{\,\rho}\cdot\hat{E}_1 + =\hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}$ and + $(\hat{D}_2/\hat{g}_{2\ell+3})^{\,\rho}\cdot\hat{E}_2 + =\hat{g}_{\ell+3}^{\,\bar{m}_1}\cdots\hat{g}_{2 \ell+2}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_2}$ ; + \item $\hat{D}_0^{\,\rho}\cdot\hat{E}_0 + =\hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} \cdot \hat{D}_{1}^{w_2} \cdot \hat{D}_{2}^{w_3} + \cdot \hat{g}^{-w_0}$ and + $C_0^{\,\rho}\cdot F_0=C_2^{\,\bar{r}_1} \cdot C_3^{\,\bar{r}_2} \cdot {g}^{w_4}$. + \item $T_i^{\rho}\cdot V_i=g^{w_i}f^{z_i}$ for each $i \in \{0,2,3,4\}$ and + \begin{eqnarray} \label{last-ver-sig} + (T_0/T_4)^\rho \cdot S_0 = T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}. + \end{eqnarray} \vspace{-5mm} + %\end{enumerate} + % + \item[~~~Then,] return $1$ if and only if + % + \begin{align} \label{eq-vrf-2} + \lefteqn{e(C_0,\hat{g}) \cdot e(g,\hat{D}_0) \cdot e(\Omega,\hat{g}_{2 \ell+4})^{-1}} \\ \nonumber + & \quad = \, e(C_1,\hat{g_1}) \cdot e(C_2,\hat{D}_1) %\\ \qquad + \cdot e(C_3,\hat{D}_2) \cdot e(C_z,\hat{g}_z) . + \end{align} + % + % and $0$ otherwise. \vspace{-1mm} +\end{enumerate} + +\noindent +It is worth noticing that no pairing evaluation is required until the final step of $\mathsf{Verify}$, which is almost as efficient as the verification of +underlying signatures. +Moreover, the prover's first message $\mathsf{com}$ is of constant-size and the communication complexity of the protocol exceeds the length of the witness by +a constant additive overhead. +\vspace{-1mm} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{theorem} + The above interactive scheme is a secure $\Sigma$-protocol for the language $L_{sig}$ induced by the relation + $R_{sig}(\mathsf{pk},(\vec{\sigma},\vec{m}))=1$ if and only if $\mathsf{Verify}'(\mathsf{pk},\vec{\sigma},\vec{m})=1$, + where $(\mathsf{KeyGen},\mathsf{Sign},\mathsf{Verify}')$ is the signature of Section~\ref{scal-sig}. +\end{theorem} +\begin{proof} +\emph{Correctness.} + Expanding an honestly generated $\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_1^{t_2} \cdot + \hat{D}_2^{t_3} \cdot \hat{g}^{-t_0}$ in equation (\ref{eq-vrf-2}) and regrouping the pairing factors gives + % + \begin{multline*} %\label{eq-vrf-corr-1} + \quad + e(C_0\cdot {g}^{-t_0},\hat{g}) \cdot e(\Omega,\hat{g}_{2\ell+4})^{-1} \\ %& \quad \!\! + = \, e(C_1\cdot {g}^{-t_1},\hat{g_1}) \cdot e(C_2\cdot {g}^{-t_2},\hat{D}_1) \\ %\nonumber & + \cdot \, e(C_3\cdot {g}^{-t_3},\hat{D}_2) \cdot e(C_z\cdot {g}^{-t_z},\hat{g}_z) . + \end{multline*} + % + Now, expanding the commitments to group elements in $\GG$ reduces this equation to + % + \begin{align*} %\label{eq-vrf-corr-2} + \lefteqn{e(\sigma_2^{r_1} \cdot \sigma_3^{r_2},\hat{g}) \cdot e(\Omega,\hat{g}_{2 \ell+4})^{-1} } + \\ %\nonumber + & \quad = \, e(\sigma_1,\hat{g_1}) \cdot e(\sigma_2,\hat{D}_1) \cdot e(\sigma_3,\hat{D}_2) \cdot e(\pi ,\hat{g}_z) + \end{align*} + % + which holds true for valid witnesses when $\hat{D}_1=d_1 \cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2 \cdot \hat{g}^{r_2}$. + Remaining verifications of items 1,2,3 follow from the correctness of the built-in $\Sigma$-protocols. + \medskip + +\noindent \emph{Special-Soundness.} Let us assume two accepting transcripts $(\mathsf{com},\rho,\mathsf{resp})$, $(\mathsf{com},\rho',\mathsf{resp}')$ with $\rho \neq \rho'$. + The special soundness of the sub-protocols involving $\hat{D}_1,\hat{D}_2$ (with $\hat{E}_1,\hat{E}_2$) + -- consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify} -- + ensures the extraction of $m_1,\ldots,m_\ell,r_1,r_2 $ satisfying + $\hat{D}_1=d_1\cdot\hat{g}^{r_1}$, where $d_1=\hat{g}_2^{m_1}\cdots \hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}$, and + $\hat{D}_2=d_2\cdot\hat{g}^{r_2}$, where $d_2=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}$. + From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z,t_0,t_1,t_2,t_3,t_4)$ such + that $\hat{D}_0={\hat{g}_z}^{t_z} \cdot {\hat{g}_1}^{t_1} \cdot {\hat{D}_{1}}^{t_2} \cdot {\hat{D}_{2}}^{t_3} \cdot {\hat{g}}^{-t_0}.$ + Moreover, together with previously extracted $(r_1,r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$. + % + + We now state that quantities $\{\sigma_i=C_i\cdot {g}^{-t_i}\}_{i \in \{1,2,3\}}$ and $\pi=C_z\cdot {g}^{-t_z}$ satisfy (\ref{sig-ver-1}), + so that, together with $\vec{m}=(m_1,\ldots,m_\ell)$, they form a valid witness for $R_{sig}$. Namely, + $({\sigma},\vec{m})=((\sigma_1,\sigma_2,\sigma_3,\pi),(m_1,\ldots,m_\ell))$ is a valid message-signature pair. + + To see this, define $\sigma_0=C_0\cdot g^{-t_0}$. Since equation (\ref{eq-vrf-2}) holds by hypothesis, if we expand + all commitments using extracted values, we find + % + \begin{align*} %\label{eq-sound-1} + \lefteqn{e(\sigma_0,\hat{g}) \cdot e(\Omega,\hat{g}_{2 \ell+4})^{-1}} \\ %\nonumber + & \; = \, e(\sigma_1,\hat{g_1}) \cdot e(\sigma_2,d_1\cdot \hat{g}^{r_1}) + \cdot e(\sigma_3,d_2\cdot \hat{g}^{r_2}) \cdot e(\pi,\hat{g}_z) . + \end{align*} + % + We are thus left with showing that $\sigma_0=\sigma_2^{r_1} \cdot \sigma_3^{r_2}$ or, equivalently, + $e(\sigma_0,\hat{g})=e(\sigma_2,\hat{g}^{r_1}) \cdot e(\sigma_3,\hat{g}^{r_2})$. Remember that, from step 2 of $\mathsf{Verify}$, we know that + extracted $(r_1,r_2,t_4) \in \ZZ_p^3$ form a representation of $C_0$ {w.r.t.} + the base $(C_0,C_2,g)$: i.e., $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$, which, from the definition of + $\sigma_0,\sigma_2,\sigma_3$, yields + $\sigma_0\cdot g^{t_0}=\sigma_2^{r_1} \cdot \sigma_3^{r_2} \cdot g^{t_2 \cdot r_1+t_3 \cdot r_2+t_4}$. Hence, we are done if we can show that $t_0=t_2r_1+t_3r_2+t_4$. But this exactly what step 3 of $\mathsf{Verify}$ and the + special soundness of the sub-protocol involving $(T_0,T_2,T_3,T_4)$ tells us. First, we have a representation of these + $T_i$'s {w.r.t.} the basis $(g,f)\in \GG^2$ which guarantees that we are working on the already extracted $(t_0,t_2,t_3,t_4)$ involved in the expressions of $\hat{D}_0$ and + $C_0$. + Second, the verification equation (\ref{last-ver-sig}) ensures that $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$ and the final result follows by replacing them by their + representation. + \medskip + +\noindent \emph{Perfect SHVZK.} + To show this property we must build a simulator that, on input of a challenge + $\mathsf{chall}=\rho \in_R \ZZ_p$, emulates a valid transcript without any witness. + First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}). + \vspace{-1mm} + + From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick + $a_0,a_1,a_2,a_z\gets\ZZ_p$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}= + e(\Omega^{-1},\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}) + \cdot e(\Omega^{a_0},\hat{g})\cdot e(\Omega^{a_1},\hat{g}_1)\cdot e(\Omega^{a_2},\hat{D}_1) + \cdot e(\Omega^{a_z},\hat{g}_z)$, so that we can set $C_0=\Omega^{-a_0}$, + $C_1=\Omega^{a_1}$, $C_2=\Omega^{a_2}$ and $C_z=\Omega^{a_z}$. + Let $\hat{B}:=\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$. + Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\ZZ_p$ since + $e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set + $\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a + random $a_3\gets\ZZ_p$. + %\vspace{-1mm} + + To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines. + + More explicitly, first pick $\rho\sample\ZZ_p$ and + $\bar{m}_1,\ldots,\bar{m}_\ell,\bar{r}_1,\bar{r}_2,w_z,w_0,\ldots,w_4,z_0,z_2,z_3,z_4\sample\ZZ_p$. Also, + choose $T_0,T_2,T_3,T_4\sample\GG$ and do the following: + \begin{enumerate} + \item Compute \[\hat{E}_1 = (\hat{D}_1/\hat{g}_{\ell+2})^{\,-\rho}\cdot + \hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}\] and, similarly, + \[\hat{E}_2 = (\hat{D}_2/\hat{g}_{2\ell+3})^{\,-\rho}\cdot + \hat{g}_{\ell+3}^{\,\bar{m}_1}\cdots\hat{g}_{2 \ell+2}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_2};\] + \item Compute \[F_0 = C_0^{\,-\rho}\cdot C_2^{\,\bar{r}_1} \cdot C_3^{\,\bar{r}_2} \cdot {g}^{w_4}\] + as well as + \[\hat{E}_0 = \hat{D}_0^{\,\rho}\cdot \hat{g}_z^{w_z} \cdot \hat{g}_1^{w_1} + \cdot \hat{D}_{1}^{w_2} \cdot \hat{D}_{2}^{w_3} \cdot \hat{g}^{-w_0} ; \] + \item Compute \[V_i = T_i^{-\rho}\cdot g^{v_i}f^{z_i},\] for each $i \in \{0,2,3,4\}$, and + \[S_0 = (T_0/T_4)^{-\rho} \cdot T_2^{\bar{r}_1} \cdot T_3^{\bar{r}_2}.\] + \end{enumerate} +This concludes the proof. % TODO: ugly +\end{proof} + + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\subsection{Signing a Committed Message} + +At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$. +In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the QA-NIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip + +\noindent \textbf{The protocol.} +% +At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$. +To get a signature on ${\mathbf{m}}$, the committer picks $r\sample\ZZ_p$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$. +Besides, it also computes the elements $c_z = z_2^{m_1}\cdots z_{\ell+1}^{m_\ell}\cdot u^{t_z}$. +%and $c_r = r_2^{m_1}\cdots r_{\ell+1}^{m_\ell}\cdot u^{t_r}$. +The signer receives these commitments and they both engage in an interactive proof of knowledge of an equal representation of $c_v$ relatively to the basis $(v_1,\ldots,v_\ell;u)$ and $c_z$ relatively to the basis $(z_2,\ldots,z_{\ell+1};u)$, +%and $c_r$ relatively to the basis $(r_2,\ldots,r_{\ell+1};u)$, +where the signer plays the role of the verifier. +Depending on the success of the proof the signer computes what we can call a ``pre-signature'' consisting of the following group elements +% +\begin{align*} + \tau_1 & = g^\omega\cdot(c_v\cdot w)^s , & + \tau_3 & = h^s , & \pi_0 & = z_1^\omega \cdot c_z^s \cdot z_{\ell+2}^s , \\ + \tau_2 & = g^s , & \tau_0 & = u^s , & + %r_0 & = r_1^\omega \cdot c_r^s \cdot r_{\ell+2}^s , +\end{align*} +%and $(z_d,r_d)=(z_{\ell+3}^s,r_{\ell+3}^s)$, +for a random $s\sample\ZZ_p$. In the final step, the user received the pre-signature, then picks $s'\sample\ZZ_p$ and computes +$(\sigma_1, \sigma_2, \sigma_3, \pi) \in \GG^4$ as follows +\begin{align*} + \sigma_1 & = \tau_1 \cdot\tau_0^{-r} + \cdot(v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s'}, & + \sigma_2 & = \tau_2 \cdot g^{s'} , \\ + \pi & = \pi_0 \cdot \tau_0^{-t_z} + \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell}\cdot z_{\ell+2})^{s'}, & + \sigma_3 & = \tau_3 \cdot h^{s'} . + %\\ r & = r_0 \cdot \tau_0^{-t_r} \cdot (r_2^{m_1}\cdots r_{\ell+1}^{m_\ell}\cdot r_{\ell+2})^{s'} . +\end{align*} +Finally the user checks the validity of the signature. Depending on the validity, the user outputs the signature or a failure symbol $\bot$. + +We notice that the number of transmitted group elements is constant and no pairing is needed before the signature verification phase. +In comparison, the construction of \cite{CL02a} requires groups of larger hidden order and their protocol for signing committed message blocks requires a linear number of range proofs. \smallskip + +\noindent \textbf{Security.} +% +We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol. +In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an SXDH challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip + +\noindent \textbf{Remark.} +% +Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying QA-NIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form. + + + +%~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~% +\section{Our Dynamic Group Signatures Scheme} \label{sse:sigmagis-gsig} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Construction de la signature de groupe dynamique} + +We adapt the protocol of section~\ref{scal-sig} to build a dynamic group +signature~\cite{BSZ05,KY06}. +\indent At a high level, each group member obtains a membership certificate consisting of a signature $(\sigma_1,\sigma_2,\sigma_3,\pi)$ on +a message $\ID \in \Zp$ which is only known to the group member. During the joining protocol, each group member thus obtains a signature +on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to $\ID$, which suffices to ensure security against framing attacks and allows for a better +efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section). +For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using +the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using +$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier NIZK proofs \cite{CS98}. \\ +\indent +In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact +with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}. + +\begin{description} + \item[\textsf{Keygen}$(\lambda, N)$:] given $\lambda \in \NN$, + and the maximum number of users $N \in \poly(\lambda)$, choose asymmetric + bilinear groups $\mathsf{cp}=(\GG, \Gh, \GT,p)$ of order $p > 2^\lambda$. +\end{description} \vspace{-2mm} + \begin{enumerate} + \item Generate a key pair $(\pk_s, \sk_s)$ for the scheme of + section~\ref{scal-sig} for a one-block message (i.e., $\ell=1$). The secret key is + $\sk_s = \omega$, while the public key is + \begin{align*} + \pk_s = \bigl( \mathsf{cp},~g,~h,~\hat{g}, ~\vec{v}=(v,w), + ~\Omega=h^\omega,~\mathsf{crs} \bigr), + \end{align*} + where %$\Omega=h^\omega$ and + $\mathsf{crs} = \big(\{{z}_j\}_{j=1}^{3}, \hat g_z, \{\hat g_i\}_{i=1}^{6} \big)$. + + \item Pick $x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \sample \Zp$ and set + \begin{align*} + X_z & = g^{x_z} h^{y_z}, & X_\sigma & = g^{x_\sigma} h^{y_\sigma}, & X_\ID & = g^{x_\ID} h^{y_\ID}. + \end{align*} + + \item Choose a hash function $H : \bit^* \times \GG^{10} \times \GT \to \Zp$ + that will be modeled as a random oracle. + + \item Define + $\mathcal Y = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key. + The group manager's private key is $\mathcal S_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of + $ \mathcal S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. + \end{enumerate} \vspace{-1mm} +% +\begin{description} + \item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the + prospective user $\U_i$ run the following interactive protocol: + %$[ \mathsf J_{\user}(\lambda, \mathcal Y), \mathsf J_\GM(\lambda, St, \mathcal Y, \mathcal S_{\GM}) ]$ +\end{description} \vspace{-2mm} + \begin{enumerate} + \item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to + $\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) = + (v^\ID, z_2^\ID, \hat g_2^\ID, \hat g_4^\ID)$ + + \item $\GM$ checks that $V_\ID$ does not appear in any transcript of + $St$ and abort if it does. Otherwise (i.e., if $V_\ID$ is fresh), + $\GM$ verifies that: for $k=2,4$, + \begin{align*} + e(V_\ID,\hat g_k) & \iseq e( v, \hat G_{k,\ID}) , + & e(Z_{\ID},\hat g_k) & \iseq e( z_2, \hat G_{k,\ID}) . + %\\ + %& e(V_\ID, \hat G_{4,\ID}^{-1}) &\iseq 1. + \end{align*} + If all tests pass, samples a fresh index $i \in \Zp$ and sends it to + $\U_i$, otherwise abort. + + \item $\U_i$ runs an interactive zero-knowledge proof of knowledge of + $\ID =\log_v(V_\ID)$ in interaction with $\GM$. For instance, the + 4-round protocol of Cramer~\textit{et al.}~\cite{CDM00} can be used for + this purpose. Let $\pi_K(\ID)$ denote the interaction transcript. + + \item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of + section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and + uses $\mathcal S_\GM = \omega$ to compute + $\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$ + and + \begin{align*} + \sigma_2 & = g^s, & \sigma_3 & = h^s. + \end{align*} + Then $\GM$ uses $Z_{\ID}$ to generate the QA-NIZK proof $\pi\in \GG$ as + \begin{align*} + \pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s + = z_1^\omega \cdot (z_2^\ID \cdot z_3)^s + \end{align*} + and finally sends + $\crt_i = (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi)$ + + \item Finally $\GM$ and $\mathcal{U}_i$ respectively store + \begin{align} \label{gsig-trans} + \!\!\!\!\transcript_i & \! = \! + \Bigl(\! \bigl( Z_{\ID}, \hat G_{2,\ID}, \hat G_{4,\ID} \bigr), \pi_K(\ID),\crt_i \!\Bigr) + \end{align} + and $(\crt_i,\scr_i) =\bigl( (i, V_\ID, \sigma_1, \sigma_2, \sigma_3, \pi), \ID \bigr)$. %\vspace{-1mm} + \end{enumerate} +% +\begin{description} + \item[\textsf{Sign}$(\mathcal Y, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$ + does the following: +\end{description} \vspace{-2mm} + \begin{enumerate} + \item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \Zp$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$, + $\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$. + + \item Encrypt elements $\tilde \pi$, $\tilde \sigma_1$ and $v^\ID$ from the membership certificate. + Specifically, choose $\theta \sample \Zp$ and compute the Cramer-Shoup ciphertext + $C_{\mathsf{CS}}=(C_1,C_2,C_z,C_{\sigma},C_{\ID})$, where $C_1 = g^\theta$, $C_2 = h^\theta$, + \begin{align*} + C_z & = \tilde \pi \cdot X_z^\theta, & + C_\sigma & = \tilde \sigma_1 \cdot X_\sigma^\theta, & + C_\ID & = v^\ID \cdot X_\ID^\theta. + \end{align*} + + \item Then, prove knowledge of $(\ID, \theta) \in \Zp^2$ such that + \begin{align*} %\label{sham-rel-1} + C_1 & = g^\theta ,& + C_2 & = h^\theta, & + C_\ID & = v^\ID \cdot X_\ID^\theta, %\quad + \end{align*} + % and + \begin{align*} %\label{sham-rel-3} + \lefteqn{\big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) \cdot e(\tilde \sigma_2, \hat g_3) + \cdot e(\tilde \sigma_3, \hat g_5) \cdot e(\Omega, \hat g_6) \big)} \\ %\nonumber + & = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{\theta} + \cdot\big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-\ID} . + \end{align*} + Namely, sample random $r_\ID, r_\theta \sample \Zp$, compute + \begin{eqnarray*} + &\begin{aligned} + R_1 &= g^{r_\theta}, & + R_2 &= h^{r_\theta}, & + R_3 &= v^{r_\ID} \cdot X_\ID^{r_\theta}, + \end{aligned}\\ + &\begin{aligned} + R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{r_\theta} \\ & ~\qquad + \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID} + \end{aligned} + \end{eqnarray*} + and then $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$. + Finally compute $ s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~in~$\Zp$. + \item Return the signature $\Sigma $ which consists of + \begin{equation} \label{gsig-sigma} + \hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta) + \in\GG^7\times\Zp^3 \vspace{-1mm} + \end{equation} + % + \end{enumerate} +% +\begin{description} + \item[\textsf{Verify}$(\mathcal Y, M, \Sigma)$:] + Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as + $(C_1, C_2, C_z, C_\sigma, C_\ID)$. + Then, output 1 if the the zero-knowledge proof verifies. Namely, +\end{description} + \begin{enumerate} + \item Compute the group elements $R_1$, $R_2$, $R_3\in\GG$ as: + %\begin{eqnarray} + %&\begin{gathered} + %\begin{aligned} + %R_1 & = g^{s_\theta} \cdot C_1^{-c}, & + %R_2 & = h^{s_\theta} \cdot C_2^{-c}, + %\end{aligned}\\ + %\begin{aligned} + %R_3 & = v^{s_\ID} \cdot X_\ID^{s_\theta} \cdot C_\ID^{-c}, \label{gsig-verif-1} + %\end{aligned} + %\end{gathered} \\ + %&\begin{aligned} + %R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} \\& + %\qquad \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID} \\& + %\quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1)\\& + %\qquad \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \big)^{-c} + %\end{aligned} \label{gsig-verif-2} + %\end{eqnarray} + % + \begin{eqnarray} + &\begin{gathered} + \begin{aligned} + R_1 & = g^{s_\theta} \cdot C_1^{-c}, & \; + R_2 & = h^{s_\theta} \cdot C_2^{-c}, + \end{aligned}\\ + \begin{aligned} + R_3 & = v^{s_\ID} \cdot X_\ID^{s_\theta} \cdot C_\ID^{-c}; \label{gsig-verif-1} + \end{aligned} + \end{gathered} + \end{eqnarray} + and the element $R_4\in\GT$ as + \begin{align} \nonumber + \lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} + \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} + \\ \label{gsig-verif-2} + & \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) + \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \nonumber \\ + & \qquad \cdot e(\Omega, \hat g_6) \big)^{-c} . + \end{align} + + \item Return $1$ if + $ + c = H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$ and $0$ otherwise. + \end{enumerate} \vspace{-1mm} +% +\begin{description} + \item[\textsf{Open}$(\mathcal Y, \mathcal S_\OA, M, \Sigma)$:] Given a pair $(M,\Sigma)$ + and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm} +\end{description} + \begin{enumerate} + %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal S_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. + \item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing + $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, + $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$. + %\begin{align*} + % \tilde \sigma_1 &= C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, & + % r &= C_r \cdot C_1^{-x_r} \cdot C_2^{-y_r},& \\ + % z &= C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}, & + % V_\ID &=C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}. & + %\end{align*} + \item Search $V_\ID$ in the database of joining transcripts~\eqref{gsig-trans} and + check that it corresponds to a + valid signature $\big(\tilde \sigma_1, \tilde \sigma_2, \tilde \sigma_3, \tilde \pi \big)$ for the + committed value $V_\ID$. If so, return the corresponding $i$, otherwise return $\bot$. \medskip + +% \item Look for $V_\ID$ in the records parsed as in~\eqref{gsig-trans}, and checks that +% $\big(\tilde \sigma_1, \tilde \sigma_2, \tilde \sigma_3, \tilde z, \tilde r \big)$ correspond to a valid +% signature for the signature scheme of section~\ref{scal-sig} for the committed value $V_\ID$: using the +% corresponding $\hat G_{2,\ID}, \hat G_{4,\ID}$ verify that +% \[ 1 \iseq e(\tilde z, \hat g_z) \cdot e(\tilde r, \hat g_r) \cdot e(\tilde \sigma_2, \hat G_{2, \ID} \cdot \hat g_3) \cdot e(\tilde \sigma_3, \hat G_{4,\ID} \cdot \hat g_5) \cdot e(\Omega, \hat g_6) \] +% If everything went correctly, return the corresponding $i$, otherwise return $\bot$. + +% \item For each element in the records parsed as in~\eqref{gsig-trans}, checks that +% $\big(\tilde \sigma_1, \tilde \sigma_2, \tilde \sigma_3, \tilde z, \tilde r \big)$ +% is a valid signature for the signature scheme of section~\ref{scal-sig} for $v_\ID$: using +% the corresponding $\hat g_{2,\ID}, \hat g_{4,\ID}$ verify that +% \[ 1 \iseq e(\tilde z, \hat g_z) \cdot e(\tilde r, \hat g_r) \cdot e(\tilde \sigma_2, \hat g_{2, \ID} \cdot \hat g_3) \cdot e(\tilde \sigma_3, \hat g_{4,\ID} \cdot \hat g_5) \cdot e(\Omega, \hat g_6) \] +% If one and only one of them corresponds, then return the corresponding $i$, otherwise return $\bot$. + \end{enumerate} + +It is possible to spare one group element in the signature by eliminating the encryption $C_{\ID}$ of $v^\ID$ which is only used to open signatures in constant time. +Then, the opening algorithm has to check for each transcript if +$(\tilde \sigma_1, \tilde \sigma_2, \tilde \sigma_3, \tilde \pi)$ corresponds to the identifier $\ID$ embedded +in $(\sigma_1, \hat G_{2,\ID}, \hat G_{4, \ID})$ by testing the relation +\[ 1 \iseq e(\tilde \pi, \hat g_z) \cdot e(\tilde \sigma_1, \hat g_1) \cdot e(\tilde \sigma_2, \hat G_{2, \ID} \cdot \hat g_3) \cdot e(\tilde \sigma_3, \hat G_{4,\ID} \cdot \hat g_5) \cdot e(\Omega, \hat g_6). \] +This results in a modified opening algorithm which takes $O(N)$ in the worst-case. In applications where signature openings are infrequent, this is acceptable. + +%--------------------------------------------------------------------- +\subsection{Security} + +\begin{theorem} \label{gsig-anon} + If SXDH holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm} +\end{theorem} + +\begin{proof} +We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$. +\\ +At the first transition, we need to rely on the security of the computational soundness of the QA-NIZK argument of Section~\ref{QA-NIZK-scheme} which relies on the SXDH assumption, since $\tilde \sigma_2$ and +$\tilde \sigma_3$ appear un-encrypted in each group signature. +\vspace{-2mm} + +\begin{description} + \item[Game 0:] This is the real CCA-anonymity game. In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that + the adversary outputs $d'=d$. + + \item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event, + which we call $F_1$, that $\adv$ chooses + membership certificates $\crt_0^\star, \crt_1^\star$ for which one of the underlying signatures + $ \bigl( \sigma_1^\star, \sigma_2^\star, \sigma_3^\star, \pi^\star \bigr) $ + correctly verifies but $\log_g(\sigma_2^\star) \neq \log_h(\sigma_3^\star)$. + This implies that the vector + $(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$ + is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict + the soundness of the QA-NIZK proof of \cite{KW15} + (via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here) + and thus the DDH assumption in $\Gh$. We have + $ [\Pr[W_1] - P[W_0] | \leq \advantage{\DDH}{\Gh}(\lambda).$ + + \item[Game 2:] We change the way to generate the challenge signature $ \Sigma^\star $. Instead of faithfully running the + Schnorr-like protocol, we use the HVZK-simulator to produce the proofs $s_\theta, s_\ID$ without knowing the witnesses + $\theta, \ID$. Namely, we pick $c,~ s_\theta,~ s_\ID \sample \Zp$ at random and set $ R_1 = g^{s_\theta} \cdot C_1^{-c}$, $R_2 = h^{s_\theta} \cdot C_2^{-c},$ + $R_3 = v^{s_\ID} \cdot X_{\ID}^{s_\theta} \cdot C_{\ID}^{-c}$ as well as + %\begin{multline*} + %R_4 = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} \\ + %\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID} \\ + %\cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \big)^{-c}. + %\end{multline*} + $R_4\in\GT$ as in~(\ref{gsig-verif-2}). + Then, we program the random oracle and assign the output $c$ to the hash value $H(M,C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, + R_4)$. In the unlikely event that this value was previously defined (which only happens with probability at most $1/p^3$), the challenger aborts. + Thus $|\Pr[W_2] - \Pr[W_1] | \leq 1/p^3$ + + \item[Game 3:] We modify again the generation of the challenge signature $ \Sigma^\star $. Namely, the challenger computes + $C_z, C_\sigma, C_\ID$ using $\mathcal S_\OA$ as follows + \begin{align*} + C_z &= \tilde \pi \cdot C_1^{x_z} \cdot C_2^{y_z}, \\ + C_\sigma &= \tilde \sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}, & + C_\ID &= v^\ID \cdot C_1^{x_\ID} \cdot C_2^{y_\ID}. + \end{align*} + The distribution of $(C_z, C_\sigma, C_\ID)$ remains the same and we have $\Pr[W_3] = \Pr[W_2]$. + + \item[Game 4:] Here, we modify the distribution of the challenge signature and replace $C_2 = h^\theta$ by $C_2 = h^{\theta + \theta'}$, for a randomly chosen $\theta' + \sample \Zp$. We prove in Lemma~\ref{le-gsig-3} that + $\left| \Pr[W_4] - \Pr[W_3] \right| \leq \advantage{\DDH}{\GG}(\lambda)$. + + \item[Game 5:] We introduce one more change. Instead of sampling $h \in_R \Zp$, + the challenger chooses a random $\alpha \sample \Zp$ at the beginning of the game, sets $h = g^\alpha$ and retains the information $\alpha = \log_g(h)$ (note that + we are done with the DDH assumption and we can henceforth use $\alpha=\log_g(h)$). At each signature opening query, + the challenger returns $\perp$ on any signature + $\Sigma=(C_1, C_2, C_z, C_\sigma, C_\ID, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)$ such + that $C_2 \neq C_1^\alpha$. Game $5$ remains the same as Game $4$. until the event $E_5$ that $\adv$ queries the opening of a signature + that properly verifies although $C_2 \neq C_1^\alpha$. Lemma~\ref{le-gsig-4} states that $\Pr[E_5] \leq q_O \cdot q_H/ p$, where $q_O$ is the number of opening + queries and $q_H$ is the number of random oracle queries. + \vspace{-1mm} + \end{description} + +In Game $5$, $ \Sigma^\star $ perfectly hides $(\tilde{\pi},\tilde{\sigma}_1,v^{\mathsf{ID}})$. Indeed, + \begin{equation*} + \begin{gathered} + \begin{aligned} + C_1 &= g^\theta, \, & C_2 &= h^{\theta + \theta'}, \, + & C_z &= (\tilde z \cdot h^{\theta' \cdot y_z} ) \cdot X_z^\theta , + \end{aligned}\\ + \begin{aligned} + C_\sigma &= (\tilde \sigma_1 \cdot h^{\theta' \cdot y_\sigma} ) \cdot X_\sigma^\theta, + & \; C_\ID &= ( v^\ID \cdot h^{\theta' \cdot y_{\ID}} ) \cdot X_\ID^\theta + \end{aligned} + \end{gathered} + \end{equation*} +and $(y_{\sigma},y_z,y_{\mathsf{ID}}) \in \Zp^3$ are completely independent of $\adv$'s view. +The only way for $\adv$ to infer information about $(y_{\sigma},y_z,y_{\mathsf{ID}}) $ is to make +opening queries on signatures such that $C_2 \neq C_1^\alpha$. However, all such signatures are declared invalid in Game $5$. +It comes that $\Pr[W_5]=1/2$. \medskip + \\ + Finally, $\adv$'s advantage $\bigl| \Pr[W_0] - 1/2 \bigr|$ is bounded by + \[ + \advantage{\DDH}{\GG}(\lambda) + \advantage{\DDH}{\Gh}(\lambda)+ \frac{q_O \cdot q_H}{p} + \frac{1}{p^3}, + \] + which concludes the proof. + %\vspace{-2mm} +\end{proof} + +\begin{comment} + +\begin{lemma} \label{le-gsig-1} + In Game $1$ we have $\Pr[F_1] \leq \Advt{\Gh}{\mathrm{DDH}}{\lambda}$. + \vspace{-2mm} +\end{lemma} + +\begin{proof} + Let us assume that $F_1$ occurs with non-negligible probability, we build a LHSPS forger $\bdv$ that receives as input a + public key $\pk_{hsps}$. + + $\bdv$ faithfully generates the signature public key by faithfully running steps $1$, $2$, $3$ of the signature scheme + of Section~\ref{scal-sig} and then calls for the signing oracle to obtain homomorphic signatures $\{ (z_j, r_j) \}_{j=1}^3$ + on the rows of the matrix $\mathbf{M} \in \GG^{3 \times 6}$. It then conducts the remaining steps faithfully to obtain a + group public key $\mathcal Y$. Since $\bdv$ knows $\mathcal S_\OA$, it an perfectly simulate the opening oracle. If + $F_1$ occurs -- which it does by hypothesis --, one of the two membership certificate $\crt_d^\star$ of the challenge + phase must contain a signature $\sigma^\star$ such that $\log_g(\sigma_2^\star) \neq \log_h(\sigma^\star_3)$. At this + point, $\bdv$ can win the game against its challenger by outputting the vector $(\sigma_1^\star, \sigma^{\star \ID}_2, + \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$, and the corresponding signature $(z^\star, r^\star)$. + Since the LHSPS scheme is secure under the DDH assumption in $\hat G$, we therefore obtains the claimed inequality. +\end{proof} + +\end{comment} + +\begin{lemma} \label{le-gsig-3} + In Game $4$, the adversary $\adv$ wins the anonymity game with negligibly different probabilities than in Game $3$ if + the DDH assumption holds in $\GG$. +\end{lemma} +% +\begin{proof} + Let us assume that an adversary $\adv$ wins with noticeably different probabilities in Game $4$ and Game $3$. We + then construct a DDH distinguisher $\bdv$ from $\adv$. + \\ \indent + Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to + decide with non-negligible probability $\varepsilon$ whether $c = 0$ or $c \in_R \Zp$. To achieve this, $\bdv$ sets $h = g^a$ and computes the challenge signature as $ C_1 = g^b$ and $ C_2 = \eta$. + The rest of the game continues like in Game $3$ (which is also the same as in Game $2$). + If $\adv$ wins and correctly guesses $d'=d \in \{0,1\}$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$. + \\ +It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$. +%\vspace{-1mm} +\end{proof} + +\begin{lemma} \label{le-gsig-4} + In Game $5$, we have $\Pr[E_5] \leq q_O \cdot q_H/ p$. \vspace{-1mm} +\end{lemma} +% +\begin{proof} + This proof uses idea similar to the security proof of the Katz-Wang~\cite{KW03} signature scheme. + In Game $5$, event $E_5$ happens if $\log_g(C_1) \neq \log_h(C_2)$ and the verification + equations~\eqref{gsig-verif-1} and \eqref{gsig-verif-2} holds. + In particular, we have $ R_1 = g^{s_\theta} \cdot C_1^{-c}$ and $R_2 = h^{s_\theta} \cdot C_2^{-c}$, + %\begin{align*} + % R_1 &= g^{s_\theta} \cdot C_1^{-c}, & + % R_2 &= h^{s_\theta} \cdot C_2^{-c}, + %\end{align*} + which can be interpreted as a linear system with unknowns $(c,s_\theta) \in \Zp^2$ + \begin{equation} \label{gsig-proof-sys} + \begin{cases} + \log_g(R_1) = s_\theta - \log_g(C_1) \cdot c &\bmod p, \\ + \log_h(R_2) = s_\theta - \log_h(C_2) \cdot c &\bmod p. + \end{cases} + \end{equation} + We can assume w.l.o.g. that each opening query is preceded by the corresponding random oracle query (otherwise, the reduction can simply make the hash query for itself). + The input of each hash query contains a pair $(R_1, R_2)$ determining the non-homogeneous terms of the linear + system~\eqref{gsig-proof-sys}. Since $\log_g(C_1) \neq \log_h(C_2)$, the system is full-rank, so that for each $(R_1,R_2)$, there is exactly + one pair $(c, s_\theta) \in \Zp^2$ that satisfies (\ref{gsig-proof-sys}). The probability that, in response to a random oracle query, the reduction returns + the value of $c$ which is uniquely determined by (\ref{gsig-proof-sys}) is at most $1/p$. + For all hash queries, the probability that one of them be answered with the uniquely determined $c \in \ZZ_q$ is \emph{at most} + $q_H/p$. A union bound over all opening queries implies that the probability that the event $E_4$ happens is smaller than + $\Pr[E_4] \leq q_O \cdot q_H/p.$ + %\vspace{-1mm} +\end{proof} + + +The proof of security against misidentification attacks requires the reduction to rewind a +the proof of knowledge of $\ID$ at each execution of the join protocol with the adversary attempting to escape traceability. +For this +reason, we need to assume that users join the system sequentially, rather than concurrently. +However, this problem can be solved as in \cite{DP06} by having the user send an extractable commitment to $\ID$ and non-interactively prove (via the Fiat-Shamir heuristic) that he did so correctly. +This allows the reduction to +extract $\ID$ without rewinding the user at each execution of $\mathsf{Join}$. Then, the proof of security against framing attacks must be modified by having the reduction +simulate the proof of knowledge of $\ID$ (by programming a random oracle) and rely on the hiding property of the extractable commitment. + + +\begin{theorem} + In the ROM, the scheme is secure against + mis-identification attacks under the SXDH assumption in $(\GG,\Gh)$. + \vspace{-1mm} +\end{theorem} +% +\begin{proof} + The proof uses the forking technique \cite{PS00} % {\em rewinding extractor} method + %from Bernhard~{\em et~al.}~\cite{BFW15}, + which consists in implicitly rewinding the zero-knowledge proof by running the adversary twice and changing the outputs of the random oracle after the hash query that involves + the forgery message. The Forking Lemma~\cite{PS00} -- more precisely, its generalization given by Bellare and Neven~\cite{BN06} -- ensures that, after two runs of the adversary, + the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\ + %After the extraction, the reduction can then call the corresponding oracles to simulate the game without having + %information it does not hold. + \indent Let us assume an attacker $\adv$ against the mis-identification game that wins with non-negligible + probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature + scheme of section~\ref{scal-sig}. \medskip + \\ + \noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the + public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\mathcal Y$. Except for $\mathcal S_\GM$, all keys + are generated as in the normal + \textsf{Keygen} algorithm. \medskip + \\ + \noindent \textit{Join.} To answer joining queries without knowing $\sk_s$, $\bdv$ uses the knowledge extractor of the proof + of knowledge of $\ID = \log_v(V_\ID)$ to extract the identity to be signed. Namely, on a + \textsf{Join} query, the reduction $\bdv$ rewinds the adversary $\adv$ in order to extract the witness $\ID=\log_v(V_{\ID})$ of which $\adv$ demonstrates knowledge at step 3 of the + join protocol. Having extracted $\ID \in \Zp$, $\bdv$ invokes its own + signing oracle on the message $\ID$ to obtain $(\sigma_1, \sigma_2, \sigma_3, z, r)$. Then, $\bdv$ returns $\crt_i=(i,V_{\ID},\sigma_1,\sigma_2,\sigma_3,z,r)$ as in a normal execution + of the join protocol. + \medskip + \\ + \noindent At some point, the attacker $\adv$ produces a valid forgery + $(M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, + \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))$ for + which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value + $H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ which would have been unpredictable otherwise. \medskip + \\ + Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query + $H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. At this point, + the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains + two suitably related forgeries with non-negligible probability $\varepsilon \cdot (\varepsilon / q_H -1/p) $. Namely, $\bdv$ will obtain two matching transcripts + $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$, + $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$ + of the $\Sigma$-protocol for the commitment message + $\mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. + From the responses + $s_\ID^\star$ and + $s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain + $\ID^\star \in \Zp$. Namely, given $(c^\star ,c'^\star , s_\theta^\star , s_\theta'^\star ,s_\ID^\star , s_\ID'^\star ) \in \Zp^6$ with + \begin{align*} + c^\star &\neq c^\dag, & + s_\theta^\star &\neq s_\theta^\dag & + s_\ID^\star &\neq s_\ID^\dag + \end{align*} + which verifies the relation~\eqref{gsig-verif-1} , \eqref{gsig-verif-2} for the same commitment $(R_1^\star, + R_2^\star, R_3^\star, R_4^\star) \in \GG^4$, one can compute the secrets $\ID^\star = \frac{s_\ID^\dag - s_\ID^\star}{c^\star-c^\dag} \bmod p$ and $\theta^\star = \frac{s_\theta^\dag - s_\theta^\star}{c^\star - c^\dag} \bmod p$. + %\begin{align*} + % \ID^\star &= \frac{s_\ID^\dag - s_\ID^\star}{c^\star-c^\dag} \bmod p, & + % \theta^\star &= \frac{s_\theta^\dag - s_\theta^\star}{c^\star - c^\dag} \bmod p. + %\end{align*} + \medskip + \\ + Finally $\bdv$ uses $\mathcal S_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs + $\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery + for the signature scheme of Section~\ref{scal-sig}. + %\vspace{-1mm} +\end{proof} + + +\begin{theorem} %[Non-frameability] +\label{non-frame} + In the ROM, the scheme is secure against framing attacks under the SDL assumption \vspace{-1mm} +\end{theorem} +\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ +\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. +To generate the group public key $\mathcal{Y}$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. +At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$. +In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are QA-NIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) +As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\mathcal{Y}:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip +\\ +Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested. +%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows. +In addition, $\bdv$ must be able to answer the following queries. +\begin{itemize} + % \item[-] $Q_{\mathsf{keyGM}}$-queries: if $\adv$ decides to corrupt the group manager, $\bdv$ surrenders $\mathcal{S}_{\GM}=\omega=\sk_s$. + \item[-] $Q_{\bjoin}$-queries: At any time $\adv$ can act as a corrupted group manager and introduce a new honest user $i$ in the group by invoking the $Q_{\bjoin}$ oracle. Then, $\bdv$ runs $\mathsf{J}_{\mathsf{user}}$ on behalf of the honest user in an execution of $\mathsf{Join}$. %The actions taken by $\bdv$ are dictated by the index $j \in \{1,\ldots,q_b\}$ of the $Q_{\bjoin}$-query. \\ +%\begin{itemize} +%\item[-] If $j \neq j^\star$, $\bdv$ follows the exact specification of $\mathsf{J}_{\mathsf{user}}$. +%\item[-] If $j=j^\star$,... +%\end{itemize} +At step 1 of $\mathsf{Join}$, $\bdv$ picks a random $\delta_i \sample \Zp$ and uses $\mathsf{tk}$ to compute the tuple +$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$, for an unknown $\scr_{i}=\ID_i=a\cdot\delta_i \in \Zp$, that +$\mathsf{J}_{\mathsf{GM}}$ expects at step 1 of the join protocol. Namely, $\bdv$ computes the vector +$ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as + \[ + V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i}, + \] +and then computes $Z_i$ as a simulated QA-NIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$. +A straightforward calculation + shows that $Z_i=z_2^{\ID_i}$ since the QA-NIZK argument of Section \ref{QA-NIZK-scheme} has a deterministic proving algorithm, so that +$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2. +As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes +\begin{eqnarray*} + \quad\hat{G}_{j,i} := (\hat{g}^a)^{\delta_i(\alpha_z\chi_j+\alpha_r\gamma_j)} + = (\hat{g}_z^{\chi_j}\hat{g}_r^{\gamma_j})^{\ID_i} = \hat{g}_j^{\ID_i}, +\end{eqnarray*} +%where $g^a$ is a component of the discrete logarithm problem it is trying to solve. +At step 3 of $\mathsf{Join}$, $\bdv$ simulates the interactive proof of knowledge of $\ID_i=\log_{v}(V_i)$ using the simulator. +In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$. +Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$. +% \item[-] $Q_{\mathsf{pub}}$-queries: These can be answered as in the real game, by having the simulator return +%$\mathcal{Y}$. + \item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use + the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm. + While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the + non-interactive proof $(c, s_\ID, s_\theta)$, for a randomly chosen challenge $c \sample \Zp$ by programming the random oracle. +More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \sample \Zp$ and computing + \begin{align*} + \tilde\sigma_1 & = \sigma_1 \cdot (V_i\cdot w)^r & \tilde \sigma_2 & = \sigma_2 \cdot g^r, \\ + \tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r. + \end{align*} + Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real + signing algorithm to get ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$ +chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in + (\ref{gsig-verif-1}) and (\ref{gsig-verif-2}) of $\mathsf{Verify}$. Finally, $\bdv$ + programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point, + $\bdv$ aborts. + The probability to fail at one signing query is $\leq q_s/p^3$, where +$q_s$ is the number of signing queries. +\end{itemize} +% +\noindent When $\adv$ halts, it presumably frames some honest user ${i^\star} \in U^b$ by outputting a signature +\begin{align*} +\Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star) , \quad +\end{align*} +for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value + $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise. +Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape. At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run. +The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery +$\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)$ on + the same message $M^\star$, +with distinct challenges + $c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses + $(\theta^\star,\ID^\star)$ satisfying ${C}_\ID^\star=v^{\ID^\star}X_\ID^{\theta^\star}$ and +which identifies $V_i^\star=v^{\ID^\star}$. At this stage, $\bdv$ can compute and output the sought-after SDL solution + $a:=\ID^\star/\delta_i$ in $\Zp$. +\\ +This observation tells us that, if $\adv$ has advantage $\varepsilon$ as a framing adversary making $q_H$ random oracle queries, then $\bdv$ implies an algorithm solving the SDL problem with probability $\varepsilon (\varepsilon / q_H -1/p) $. +\vspace{-2mm} +\end{proof} + +We stress that the proofs can be easily adapted to the case where the opening algorithm has linear complexity in the number of users. + +%------------------------------------------------------------------------ + +\subsection{Comparison with Existing Schemes} + +\begin{table*} + \centering + \begin{tabular}{|c|c|c|c|c|c|c|} + \hline + Name & \multicolumn{3}{c|}{Signature length} & Assumptions & Group Type & Anonymity \\ \cline{2-4} + & $\GG$ & $\Zp$ & bits & & & + \\ \hline + Ours & $7$ & $3$ & $2560$ bits& \textsf{SXDH} + \textsf{SDL} & Dynamic & CCA \\ \hline + Boneh-Boyen-Shacham & $3$ & $6$ & $2304$ bits & \textsf{SDH} + \textsf{DLIN} & Static & CPA \\ \hline + + Delerabl\'ee-Pointcheval & $4$ & $5$ & $2304$ bits & \textsf{SDH} + \textsf{XDH} & Dynamic & CCA \\ \hline + Bichsel {\em et al.} & $3$ & $2$ &$1280$ bits & \textsf{LRSW} + \textsf{SDL} & Dynamic & CCA- \\ \hline + Pointcheval-Sanders & $2$ & $2$ & $1024$ bits & \textsf{LRSW} & Dynamic & CCA- \\ \hline + +\end{tabular} +\caption{Comparison between different group signature schemes} +\label{sig-comp} +\end{table*} + +Table~\ref{sig-comp} compares our scheme with previous practical group signatures based on pairing-related assumptions. +Since we focus on practical schemes, we only consider those in the random oracle model. +To make the comparison possible, we use $256$-bit group orders, so that elements of $\GG$ and $\Zp$ are encoded using +$256$ bits each. + +The scheme of Boneh, Boyen and Shacham~\cite{BBS04} is the first scheme providing short signatures: each signature is +comprised of $3$ group elements and $6$ elements of $\Zp$. However, this scheme is designed for static groups only and +relies on the Strong Diffie-Hellmann assumption, which is a non-standard $q$-type assumption, and its anonymity is only +proved in the CPA sense. + +Delerablée and Pointcheval~\cite{DP06} presented a scheme designed for a dynamically growing group and which is also +fully (i.e., CCA) anonymous. The security of their scheme is based on the eXternal Diffie-Hellman assumption (XDH), +which we also use here, and the $q$-SDH assumption. In \cite{DP06}, each signature consists of $4$ group elements and $5$ +scalars in $\Zp$, which leads to the same signature size as previously. They also proposed a variant to get rid of the +XDH assumption at the cost of $2$ more group elements and one more scalar, but they still rely on the $q$-SDH +assumption. + +Bichsel~{\em et al.} \cite{BCN+10} proposed a very short group signature for dynamic groups, where each +signature consists of $3$ group elements and $2$ elements in $\Zp$. +The downsides are their use the LRSW assumption~\cite{LRSW99}, which is a very {\em ad-hoc} interactive assumption, and +their security notion is not fully-anonymous, but is an hybrid security with selfless-anonymity, which is marked ``CCA-'' in Table~\ref{sig-comp}. +%they don't provide full-CCA anonymity but an hybrid security with selfless anonymity, which is marked ``CCA*'' in Table~\ref{sig-comp}. +Another caveat is that, unlike the two previous systems, the opening complexity of their scheme is linear in the number of group members. + + +In 2015, Pointcheval and Sanders~\cite{PS16} gave another instantiation of~\cite{BCN+10} based on a variant of the LRSW +assumption in the asymmetric setting (meaning using only Type III pairings), which provides even shorter signatures than +\cite{BCN+10} with the same downsides. +Their scheme provides signatures composed of only $2$ group elements in $\GG$ and $2$ scalars in $\Zp$. + + +Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is +composed of $7$ group elements and $3$ scalars in $\Zp$\,-- while relying on standard, constant-size assumptions. +Moreover, we can notice that we can save one element in $\GG$ at the expense of a linear-time opening algorithm in the +number $N$ of group users (like \cite{BCN+10}). + +%On the other hand, the comparison of computational cost is not straightforward, as it is not clear if the computation of $e(x^\alpha, \hat x) \cdot e(y^\beta, \hat y)$ is easier than the computation + +\section{Implementation results} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation} diff --git a/fig-gs-relations.tex b/fig-gs-relations.tex new file mode 100644 index 0000000..80925a4 --- /dev/null +++ b/fig-gs-relations.tex @@ -0,0 +1,18 @@ +\begin{tikzpicture} + \node[minimum size=1cm,businessman] (GM) {Group manager}; + \node[right=2.5cm of GM,bob, minimum size=1cm] (User) {}; + \node[right=0cm of User] {User $i$}; + \node[right=2.5cm of User, police, minimum size=1cm] (OA) {}; + \node[right=0cm of OA] {Opening authority}; + \node[below=2.5cm of User] (M) {$\sigma$, M}; + \node[right=2.5cm of M, maninblack, minimum size=1cm] (Other) {}; + \node[below=0cm of Other] {Anyone}; + \node[above=2.5cm of User] (Setup) {Trusted Setup}; + + \draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User); + \draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M); + \draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M); + \draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M); + \draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM); + \draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA); +\end{tikzpicture} diff --git a/macros.tex b/macros.tex index a8be67f..52222f1 100644 --- a/macros.tex +++ b/macros.tex @@ -22,6 +22,8 @@ \newcommand{\Setup}{\ensuremath{\mathsf{Setup}}\xspace} \newcommand{\Keygen}{\ensuremath{\mathsf{Keygen}}\xspace} \newcommand{\param}{\ensuremath{\mathsf{par}}\xspace} +\newcommand{\pk}{\ensuremath{\mathsf{pk}}\xspace} +\newcommand{\sk}{\ensuremath{\mathsf{sk}}\xspace} %% ZK \newcommand{\trans}{\textsf{trans}\xspace} \newcommand{\cmt}{\textsf{cmt}\xspace} @@ -59,6 +61,7 @@ \newcommand{\Proba}[1]{\ensuremath{\Pr\left[#1\right]}\xspace} % Operators +\newcommand{\iseq}{\overset{?}{=}} \newcommand{\sample}{\xspace\ensuremath{\hookleftarrow}\xspace} \newcommand{\bigO}{\ensuremath{\mathcal{O}}} \newcommand{\softO}{\ensuremath{\tilde{\mathcal{O}}}} @@ -107,6 +110,7 @@ \newcommand{\pjoin}{\mathsf{p}\textrm{-}\mathsf{join}} \newcommand{\interface}{\mathcal{I}} \newcommand{\ssigma}{\boldsymbol{\sigma}\xspace} +\newcommand{\ID}{\ensuremath{\mathsf{ID}}\xspace} % Other \newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}} diff --git a/main.tex b/main.tex index 9052586..cd65dce 100644 --- a/main.tex +++ b/main.tex @@ -1,5 +1,6 @@ %\documentclass[a4paper, 11pt, draft]{memoir} \documentclass[a4paper, 11pt]{memoir} +\semiisopage \usepackage[utf8x]{inputenc} \usepackage[french,english]{babel} @@ -43,6 +44,7 @@ \usepackage{thm-restate} \usepackage{comment} \usepackage{tikz} +\usepackage{tikzpeople} \usetikzlibrary{positioning,patterns,shapes} % theorems, definitions @@ -144,5 +146,8 @@ \backmatter \listoffigures \addcontentsline{tof}{chapter}{Liste des figures} +\clearpage +\listoftables +\addcontentsline{tof}{chapter}{Liste des tableaux} \end{document} % vim: spl=en diff --git a/sec-lattices.tex b/sec-lattices.tex index d9935ee..1c03953 100644 --- a/sec-lattices.tex +++ b/sec-lattices.tex @@ -60,7 +60,7 @@ This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and These links are important as those are ``worst-case to average-case'' reductions. In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to construct new cryptographic designs. -On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes. +On the other hand, the $\LWE$ and $\SIS$ assumptions --\,which are ``average-case'' assumptions\,-- are more suitable to design cryptographic schemes. In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice). diff --git a/sec-pairings.tex b/sec-pairings.tex index e5ac460..f0bb494 100644 --- a/sec-pairings.tex +++ b/sec-pairings.tex @@ -33,6 +33,8 @@ This hypothesis, from which the Diffie-Hellman key exchange relies its security The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$. \end{restatable} +The advantages of the best $\ppt$ adversary against $\DDH$ in group $\GG$ and $\Gh$ are written $\advantage{\DDH}{\GG}$ and $\advantage{\DDH}{\Gh}$ respectively. Both of those quantities are assumed negligible under the $\SXDH$ assumption. + In \cref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption. Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.