Fabrice Mouhartem 2018-04-13 15:41:25 +02:00
parent ac6699be25
commit 224eb18e88
9 changed files with 994 additions and 39 deletions

View File

@ -30,7 +30,7 @@ Then, the public transportation company is unable to learn anything from seeing
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group ---\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,--- we do not consider this approach.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- we do not consider this approach.
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
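Review bot: the dash fix on the line starting "Bootle, Cerulli, Chaidos, Ghadafi and Groth" leaves two grammatical errors on the same line that could be corrected in the same pass: "rise the problem" should be "raise the problem" (and the tense should match "proposed", so "raised"), and "a model that handle the issues" should be "a model that handles the issues".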
@ -40,23 +40,10 @@ This section recalls the syntax and the security definitions of dynamic group s
%A \emph{group signature} allows a group member to attest that a message was provided by a member of a \emph{group} without being altered during the process and preserving the \emph{anonymity} of the users.
\begin{figure}
\centering
\begin{tikzpicture}
\node (GM) {Group manager};
\node[right=of GM] (User) {User $i$};
\node[right=of User] (OA) {Opening Authority};
\node[below=of User] (M) {$\sigma$, M};
\node[right=of M] (Other) {Anyone};
\node[above=of User] (Setup) {Trusted Setup};
\draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User);
\draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M);
\draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M);
\draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M);
\draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM);
\draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA);
\end{tikzpicture}
\input fig-gs-relations
\caption{Relations between the protagonists in a dynamic group signature
scheme}
\label{fig:relations}
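Review bot: `\input fig-gs-relations` without braces works, but every other argument in this document is braced (`\cref{...}`, `\usepackage{...}`), so `\input{fig-gs-relations}` is the consistent LaTeX form and avoids the file name being cut at the first space. Note also that the removed inline picture carried the "User $i$" text on the named node `(User)` itself; in the replacement file the person shapes are the named nodes and the text sits in separate unnamed nodes, so the `\draw` endpoints now attach to the shapes rather than to the labels. Check the rendered figure once, as the edge anchors have moved.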

View File

@ -14,6 +14,8 @@ In this section, we first present the general principles and basic tools to hand
\section{Definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définitions}
\subsection{Zero-Knowledge proofs and arguments}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Preuves et arguments à divulgation nulle de connaissance}
\begin{definition}[Zero-knowledge proofs and arguments]
\label{de:zk-proof} \index{Zero Knowledge!Proofs} \index{Zero Knowledge!Argument}
@ -38,6 +40,10 @@ In this section, we first present the general principles and basic tools to hand
If in the definition of \textit{zero-knowledge} the two ensembles are the same, then the proof is \textit{perfect zero-knowledge}.
\end{definition}
\subsection{$\Sigma$-protocols}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Protocoles $\Sigma$}
\label{sse:sigma-protocols}
\begin{figure}
\centering
\footnotesize
@ -55,19 +61,22 @@ In this section, we first present the general principles and basic tools to hand
\caption{Abstract description of a $\Sigma$-protocol.} \label{fig:sigma}
\end{figure}
A way to construct zero-knowledge proofs --- that will be described with more details in \cref{sse:schnorr} -- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}.
A way to construct zero-knowledge proofs --\,that will be described with more details in \cref{sse:schnorr}\,-- is a blackbox transformation from a \textit{$\Sigma$-protocol} and a \textit{commitment scheme}~\cite{Dam00,GMY03}. The resulting proof remains secure against malicious verifiers.
\begin{definition}[$\Sigma$-protocol~{\cite[De.~1]{Dam10}}] \index{Zero Knowledge!$\Sigma$-protocol}
Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is three move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties.
\begin{definition}[$\Sigma$-protocol~{\cite{Cra96}}] \index{Zero Knowledge!$\Sigma$-protocol}
Let $R = \{(x,w)\}$ be a binary relation. A \textit{$\Sigma$-protocol} is three-move interactive protocol between $P$ and $V$ that follows Figure~\ref{fig:sigma} and verifies the following properties.
\begin{description}
\item[Completeness.] For any $(x,w) \in R$, $P(x,w)$ and $V(x)$ that follows the protocol, the verifier always accepts.
\item[Special soundness.] For any $x$ and any pair of accepting transcripts on input $x$: $(\cmt, \chall, \rsp)$ and $(\cmt, \chall', \rsp')$, there exists a $\ppt$ algorithm $\extr$ that takes as input the two aforementioned transcripts and outputs an element $w$ such that $(x,w) \in R$.
\item[Special soundness.] For any $x$ and any pair of accepting transcripts on input $x$ of the form $(\cmt, \chall, \rsp)$ and $(\cmt, \chall', \rsp')$, there exists a $\ppt$ algorithm $\extr$ that takes as input the two aforementioned transcripts and outputs an element $w$ such that $(x,w) \in R$.
\item[Honest-Verifier Zero-Knowledge.] There exists a $\ppt$ simulator $S$, such that the two probability distributions $\{\trans(P(x,w), V(x))\}$ and $\{S(x)\}$ with honest $P$ and $V$ are the same.
\end{description}
\end{definition}
An example of $\Sigma$-protocol will be given in \cref{sse:schnorr}, and its transformation into a Zero-Knowledge proof using a commitment scheme as well.
\subsection{Commitment schemes}
\addcontentsline{tof}{subsection}{\protect\numberline{\thesubsection} Mise en gage cryptographique}
Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal is to commit a message $M$ into a commitment $\com$ such that once a message is committed, it is impossible to know what is inside (hiding property), and it is as well impossible to modify a commitment to change the underlying message (binding property).
\begin{figure}
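Review bot: the "three move" to "three-move" fix on the definition line still leaves "is three-move interactive protocol" without its article ("is a three-move interactive protocol"), and the Completeness item's "$P(x,w)$ and $V(x)$ that follows the protocol" should read "that follow the protocol". The added sentence "The resulting proof remains secure against malicious verifiers." would read more precisely as "The resulting proof is zero-knowledge against malicious verifiers, not only honest ones", which is what distinguishes it from the Honest-Verifier Zero-Knowledge property in the definition that follows. The citation swap from `{\cite[De.~1]{Dam10}}` to `{\cite{Cra96}}` drops the pointer to a specific definition; if Cra96 has a numbered definition, keep the `[De.~...]` form.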
@ -153,6 +162,9 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the
If $m > 5n \log q$, the above commitment scheme is \emph{statistically hiding} and \emph{binding} under the $\SIS_{n,m,q,\sqrt{m}}$ assumption in the trusted setup model.
\end{lemma}
\subsection{Non interactive Proofs and Fiat-Shamir Transform}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives et transformation de Fiat-Shamir}
Another useful primitives are the non-interactive version of zero-knowledge proofs.
\begin{definition}[Non Interactive Zero Knowledge]
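Review bot: the new `\addcontentsline{tof}{section}{\protect\numberline{\thesection} Preuves non interactives ...}` sits under a `\subsection`, but uses the `section` level and the `\thesection` counter, whereas the other subsections of this file use `{tof}{subsection}{\protect\numberline{\thesubsection} ...}`; as written the French list will show this entry one level too high with the wrong number. Also "Another useful primitives are the non-interactive version of zero-knowledge proofs" should be "Other useful primitives are the non-interactive versions of zero-knowledge proofs" (or the singular "Another useful primitive is ...").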

View File

@ -248,7 +248,7 @@ This definition of advantages models the fact that the adversary is unable to di
Which means that the adversary cannot get a single bit of information about the ciphertext.
This kind of definition are also useful to model anonymity.
For instance in Part~\ref{pa:gs-ac}, the definition of anonymity for group signatures is defined in a similar fashion.
For instance in \cref{sec:RGSdefsecAnon}, the definition of anonymity for group signatures is defined in a similar fashion (\cref{def:anon}).
On the other hand, the security definition for signature scheme is no more an indistinguishability game, but an unforgeability game.
The goal of the adversary is not to distinguish between two distributions, but to forge a new signature from what it learns \emph{via} signature queries.
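Review bot: the replaced cross-reference now depends on the labels `sec:RGSdefsecAnon` and `def:anon`; both must be defined in the group-signature chapter, since a missing label compiles silently to "??". The unchanged context line "This kind of definition are also useful" has a number-agreement error ("This kind of definition is also useful").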
@ -279,8 +279,8 @@ The security definition of $\indcpa$ is defined as an indistinguishability game.
The first security definition for $\PKE$ was although a simulation-based definition~\cite{GM84}.
In this context, instead of distinguishing between two messages, the goal is to distinguish between two different environments.
In the following we will use the \emph{Real world}/\emph{Ideal world} paradigm~\cite{Can01} to describe those different environments.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ ---\,in the \emph{Real world}\,--- that interacts with a challenger $\cdv$
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ ---\,in the \emph{Ideal world}\,--- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.
Namely, for $\PKE$, it means that for any $\ppt$ adversary~$\widehat{\adv}$ --\,in the \emph{Real world}\,-- that interacts with a challenger $\cdv$
there exists a $\ppt$ \emph{simulator} $\widehat{\adv}'$ --\,in the \emph{Ideal world}\,-- that interacts with the same challenger $\cdv'$ with the difference that the functionality $F$ is replaced by a trusted third party in the \emph{Ideal word}.
In other words, it means that the information that $\widehat{\adv}$ obtains from its interaction with the challenger $\cdv$ does not allow $\widehat{\adv}$ to do more things that what it can do with blackbox accesses to the functionality.
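Review bot: the dash change in the Real world/Ideal world paragraph leaves "in the \emph{Ideal word}" on its second line, which should be "Ideal world". Two more slips in the surrounding context lines are worth fixing in the same pass: "was although a simulation-based definition" appears to be a word-choice error (probably "was actually" or "was originally"), and "to do more things that what it can do" should be "than what it can do".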

File diff suppressed because it is too large

fig-gs-relations.tex (new file, 18 lines)
View File

@ -0,0 +1,18 @@
\begin{tikzpicture}
\node[minimum size=1cm,businessman] (GM) {Group manager};
\node[right=2.5cm of GM,bob, minimum size=1cm] (User) {};
\node[right=0cm of User] {User $i$};
\node[right=2.5cm of User, police, minimum size=1cm] (OA) {};
\node[right=0cm of OA] {Opening authority};
\node[below=2.5cm of User] (M) {$\sigma$, M};
\node[right=2.5cm of M, maninblack, minimum size=1cm] (Other) {};
\node[below=0cm of Other] {Anyone};
\node[above=2.5cm of User] (Setup) {Trusted Setup};
\draw[<->, thick] (GM) -- node[anchor=south] {\textsf{Join}} node[anchor=north] {$\crt_i$} (User);
\draw[->, thick] (User) -- node[anchor=north east] {$\Sign$} (M);
\draw[<-, thick] (Other) -- node[anchor=north] {$\Verify$} (M);
\draw[<-, thick] (OA) -- node[anchor=west, yshift=-5pt] {$\Open$} (M);
\draw[->, thick, dashed] (Setup) -- node[xshift=-0.7cm] {$\mathcal S_\GM$} (GM);
\draw[->, thick, dashed] (Setup) -- node[xshift=0.7cm] {$\mathcal S_\OA$} (OA);
\end{tikzpicture}
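Review bot: this file relies on the `tikzpeople` shapes (`businessman`, `bob`, `police`, `maninblack`) and on the `positioning` library, both of which are loaded in main.tex rather than here; a one-line comment at the top stating that dependency would help anyone who `\input`s the figure elsewhere. The text for User, Opening authority and Anyone is placed in separate unnamed nodes (`right=0cm of User`, `right=0cm of OA`, `below=0cm of Other`); TikZ's `label=` option on the shape node (for example `label=below:{User $i$}`) keeps each caption tied to its shape in one node, which is simpler to maintain than two nodes per person.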

View File

@ -22,6 +22,8 @@
\newcommand{\Setup}{\ensuremath{\mathsf{Setup}}\xspace}
\newcommand{\Keygen}{\ensuremath{\mathsf{Keygen}}\xspace}
\newcommand{\param}{\ensuremath{\mathsf{par}}\xspace}
\newcommand{\pk}{\ensuremath{\mathsf{pk}}\xspace}
\newcommand{\sk}{\ensuremath{\mathsf{sk}}\xspace}
%% ZK
\newcommand{\trans}{\textsf{trans}\xspace}
\newcommand{\cmt}{\textsf{cmt}\xspace}
@ -59,6 +61,7 @@
\newcommand{\Proba}[1]{\ensuremath{\Pr\left[#1\right]}\xspace}
% Operators
\newcommand{\iseq}{\overset{?}{=}}
\newcommand{\sample}{\xspace\ensuremath{\hookleftarrow}\xspace}
\newcommand{\bigO}{\ensuremath{\mathcal{O}}}
\newcommand{\softO}{\ensuremath{\tilde{\mathcal{O}}}}
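Review bot: `\newcommand{\sample}{\xspace\ensuremath{\hookleftarrow}\xspace}` starts with `\xspace`, which is unusual: `\xspace` decides whether to insert a space from the token that follows it, so the leading one inserts a space before the arrow in text mode and is simply ignored in math mode. The other operator macros in this block (`\iseq`, `\bigO`, `\softO`) have no such prefix; `\ensuremath{\hookleftarrow}\xspace` would be consistent with them.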
@ -107,6 +110,7 @@
\newcommand{\pjoin}{\mathsf{p}\textrm{-}\mathsf{join}}
\newcommand{\interface}{\mathcal{I}}
\newcommand{\ssigma}{\boldsymbol{\sigma}\xspace}
\newcommand{\ID}{\ensuremath{\mathsf{ID}}\xspace}
% Other
\newcommand{\TODO}{\textbf{\textcolor{red}{TODO}}}

View File

@ -1,5 +1,6 @@
%\documentclass[a4paper, 11pt, draft]{memoir}
\documentclass[a4paper, 11pt]{memoir}
\semiisopage
\usepackage[utf8x]{inputenc}
\usepackage[french,english]{babel}
@ -43,6 +44,7 @@
\usepackage{thm-restate}
\usepackage{comment}
\usepackage{tikz}
\usepackage{tikzpeople}
\usetikzlibrary{positioning,patterns,shapes}
% theorems, definitions
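Review bot: `\usepackage{tikzpeople}` is added solely for the new fig-gs-relations.tex (the `businessman`, `bob`, `police` and `maninblack` shapes); a trailing comment such as `% person shapes for fig-gs-relations` records why the package is there, since nothing else in this diff uses it.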
@ -144,5 +146,8 @@
\backmatter
\listoffigures
\addcontentsline{tof}{chapter}{Liste des figures}
\clearpage
\listoftables
\addcontentsline{tof}{chapter}{Liste des tableaux}
\end{document}
% vim: spl=en
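Review bot: each `\addcontentsline{tof}{chapter}{...}` is issued after `\listoffigures` or `\listoftables`, so the page number written to the French list is the page reached at the end of that list rather than its first page whenever a list runs over one page. The usual order is `\clearpage`, then `\addcontentsline`, then `\listoffigures` (and likewise for the tables); that also makes the `\clearpage` that was added only before `\listoftables` symmetric for both lists.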

View File

@ -60,7 +60,7 @@ This problem reduces to the \textit{Learning With Errors}~($\LWE$) problems and
These links are important as those are ``worst-case to average-case'' reductions.
In other words, the $\SIVP$ assumption by itself is not very handy to manipulate in order to construct new cryptographic designs.
On the other hand, the $\LWE$ and $\SIS$ assumptions ---\,which are ``average-case'' assumptions\,--- are more suitable to design cryptographic schemes.
On the other hand, the $\LWE$ and $\SIS$ assumptions --\,which are ``average-case'' assumptions\,-- are more suitable to design cryptographic schemes.
In order to define the $\SIVP$ problem and assumption, let us first define the successive minima of a lattice, a generalization of the minimum of a lattice (the length of a shortest non-zero vector in a lattice).

View File

@ -33,6 +33,8 @@ This hypothesis, from which the Diffie-Hellman key exchange relies its security
The \emph{Symmetric eXternal Diffie-Hellman} ($\SXDH$) assumption holds if the $\DDH$ assumption holds both in $\GG$ and $\Gh$.
\end{restatable}
The advantages of the best $\ppt$ adversary against $\DDH$ in group $\GG$ and $\Gh$ are written $\advantage{\DDH}{\GG}$ and $\advantage{\DDH}{\Gh}$ respectively. Both of those quantities are assumed negligible under the $\SXDH$ assumption.
In \cref{ch:sigmasig}, the security of the group signature scheme relies on the $\SXDH$ assumption, which is a well-studied assumption.
Moreover, this assumption is static, meaning that the size of the assumption is independent of any parameters, and is non-interactive, in the sense that it does not involve any oracle.
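Review bot: the added sentence "this assumption is static, meaning that the size of the assumption is independent of any parameters" is vague; the usual meaning of "static" is that the statement of the assumption does not depend on a parameter such as the number of adversarial queries (in contrast to $q$-type assumptions), so say that explicitly. The new `\cref{ch:sigmasig}` also needs that chapter label to exist in the thesis.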