fmouhart
/
thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Corrections 

- WI
- overfull hbox
- other stuff
This commit is contained in:
Fabrice Mouhartem 2018-06-19 17:26:01 +02:00
parent 62f7624397
commit 444641891c
13 changed files with 217 additions and 159 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
abstract.tex
View File

@ -5,14 +5,14 @@
\begin{otherlanguage}{french}
Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée.
Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissances et leurs applications.
Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissance et leurs applications.
Un exemple de ces constructions est la signature de groupe. Ce protocole a pour but de permettre à un utilisateur de s'authentifier comme appartenant à un groupe, sans révéler son identité.
Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litiges.
Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transports en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transports ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident.
Nous avons proposé deux constructions de ces signatures de groupes, prouvées sous des hypothèses simples sur les couplages et les réseaux euclidiens.
Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litige.
Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transport en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transport ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident.
Nous avons proposé deux constructions de ces signatures de groupe, prouvées sûres sous des hypothèses simples dans le monde des couplages et des réseaux euclidiens.
Dans la continuité de ces travaux, nous avons aussi proposé la première construction de chiffrement de groupe (l'équivalent de la signature de groupe pour le chiffrement) à base de réseaux euclidiens.
Finalement, ces travaux nous ont amené à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens.
Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern.
Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern, qui reposait initialement sur la difficulté du problème du décodage de syndrome.
\end{otherlanguage}
\clearpage
@ -28,13 +28,13 @@
In this thesis, we study provably secure privacy-preserving cryptographic constructions.
We focus on zero-knowledge proofs and their applications.
Group signatures are an example of such constructions.
This primitive allows users to sign messages on behalf of a group (which they formerly join), while staying anonymous inside this group.
Additionally, users remains accountable for their behavior as another independent authority, a judge, is empowered with a secret information to lift anonymity of given signatures.
This primitive allows users to sign messages on behalf of a group (which they formerly joined), while remaining anonymous inside this group.
Additionally, users remain accountable for their actions as another independent authority, a judge, is empowered with a secret information to lift the anonymity of any given signature.
This construction has applications in anonymous access control, such as public transportations.
Whenever someone enters a public transport, he signs a timestamp. Doing this proves that he belongs to the group of people with a valid subscription.
Whenever someone enters a public transportation, he signs a timestamp. Doing this proves that he belongs to the group of people with a valid subscription.
In case of problem, the transportation company hands the record of suspicious signatures to the police, which is able to un-anonymize them.
We propose two constructions for dynamically growing group signatures. The first is based on pairings assumptions and aims practicality, while the second one is proven secure under lattice assumptions for the sake of not putting all eggs in the same basket.
We propose two constructions of group signatures for dynamically growing groups. The first is based on pairing-related assumptions and is fairly practical. The second construction is proven secure under lattice assumptions for the sake of not putting all eggs in the same basket.
Following the same spirit, we also propose two constructions for privacy-preserving cryptography.
The first one is a group encryption scheme, which is the encryption analogue of group signatures. Here, the goal is to hide the recipient of a message who belongs to a group, while proving some properties on the message, like the absence of malwares.
The second is an adaptive oblivious transfer scheme, which allows a user to anonymously query an encrypted database, while keeping the unrequested messages hidden.
These constructions were made possible through a series of work improving the expressiveness of Stern-like zero-knowledge arguments.
The first one is a group encryption scheme, which is the encryption analogue of group signatures. Here, the goal is to hide the recipient of a ciphertext who belongs to a group, while proving some properties on the message, like the absence of malwares.
The second is an adaptive oblivious transfer protocol, which allows a user to anonymously query an encrypted database, while keeping the unrequested messages hidden.
These constructions were made possible through a series of work improving the expressiveness of Stern's protocol, which was originally based on the syndrome decoding problem.

9
chap-GS-LWE.tex
View File

@ -3,7 +3,7 @@ This construction relies on a signature scheme with efficient protocols as in~\c
As a consequence, it is possible to design lattice-based anonymous credentials from this building block.
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} transform to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well-studied assumptions.
As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
@ -1008,7 +1008,7 @@ to compute a small-norm matrix
$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$
(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
\item[3.] Determine if the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
\item[3.] Determine whether the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step~2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.
\end{itemize}
\end{description}
@ -1784,8 +1784,9 @@ and that (modulo $q$)
\begin{cases}
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
\mathbf{c}_{\mathbf{v}, 1} = \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
\mathbf{c}_{\mathbf{v},2} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} \\
\hphantom{\mathbf{c}_{\mathbf{v},2}} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
\begin{array}{c}
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
\mathbf{0}\\

27
chap-GS-background.tex
View File

@ -1,12 +1,13 @@
In this part, we will present two constructions for dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} to the random oracle model, which allows us to gain efficiency while keeping the assumptions simple.
This gives us a constant-size group signature scheme that is shown to be competitive with other constructions based on less standard assumptions.
In this part, we will present two constructions of dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} to the random oracle model, which allows us to gain in efficiency while keeping the assumptions simple.
This gives us a constant-size group signature scheme that is shown to be competitive with other constructions based on less standard assumptions such as the $\qSDH$ assumption.
An implementation is available and detailed in \cref{ch:sigmasig}.
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature based on the scheme of Ling, Nguyen and Wang~\cite{LNW15} for static groups.
This construction was improved to match the requirements for dynamic groups, which closes an open-problem~\cite{GKV10}.
This construction has been the first fully secure group signature scheme from lattices.
Before describing those schemes, let us recall in this chapter the definition of dynamic group signatures and their related security definitions.
Before describing those schemes, this chapter recalls the definition of dynamic group signatures and their related security definitions.
\section{Background} \label{sse:gs-background}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique}
@ -21,23 +22,23 @@ In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed formal security
This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. These two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}.
The \cite{BMW03}~model summarizes the security of a group signatures in two notions: \textit{anonymity} and \textit{traceability}.
The former notions models the fact that, without the opening authority's secret, even if everyone colludes, no one can trace a user from a signature; the latter sums up the fact that, even if everyone is corrupted (even the opening authority), it is infeasible to forge a valid signature that does not open to a valid user.
The former notions models the fact that, without the opening authority's secret, even if everyone colludes, no one can identify the author of a signature; the latter sums up the fact that, even if everyone is corrupted (even the opening authority), it is infeasible to forge a valid signature that does not open to a valid user.
In the dynamic setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.
In the dynamic setting, the \textit{group signing-keys issuing} phase is replaced by an interactive \textit{join} protocol where a user who wants to join the group interacts with the group manager.
In this context, the two notions of the BMW model are retained, and a third one is added: the ``\textit{non-frameability}'' property.
This notion expresses the impossibility to frame a group of honest users (which can be reduced to a singleton) in order to provide a signature that opens to one of them, \textit{even if the group manager and the opening authority are colluding}.
This notion expresses the infeasibility to frame a group of honest users (which can be reduced to a singleton) in order to provide a signature that opens to one of them, \textit{even if the group manager and the opening authority are colluding}.
One possible application of this primitive is anonymous access control for public transportation systems.
In order to commute, a person should prove possession of a valid subscription to the transportation service.
Thus, at registration to the service, the commuter joins the group of ``\emph{users with a valid subscription}'' and when it uses the transportation service, it is asked to sign the timestamp of its entry in the name of the group.
Thus, at registration to the service, the commuter joins the group of ``\emph{users with a valid subscription}''. When he uses the transportation service, he is asked to sign the timestamp of his entry in the name of the group.
In case of misbehavior, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
Then, the public transportation company is unable to learn anything from the signatures, except the validity of the subscription of a user. On the other hand, the police does not have access to the logs except if the public transportation company hands them to it.
Then, the public transportation company is unable to learn anything from the signatures, except the validity of the subscription of a user. On the other hand, the police does not have access to the logs except if the public transportation company hands them to them.
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
Other applications of group signatures can be found as authentication of low-range communications for intelligent cars or anonymous access control of a building.
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rose the problem of revocation and proposed a model that handles the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures.
As the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of some interests~\cite{LNWX17}.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} raised the problem of revocation and proposed a model that handles the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures.
As the main difficulty is to allow users to dynamically enroll in the group --\,revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of interest~\cite{LNWX17}.
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}

169
chap-OT-LWE.tex
View File

@ -525,7 +525,7 @@ Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{C
using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition,
all ciphertexts are signed using a signature scheme. At each
transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive
homomorphism of Regev. Then, the receiver provides a witness indistinguishable (WI) argument that the modified ciphertext (which is
homomorphism of Regev. Then, the receiver provides a witness indistinguishable (\textsf{WI}) argument that the modified ciphertext (which is
submitted for oblivious decryption) is
a transformation of one of the original ciphertexts by arguing knowledge of a signature on this hidden ciphertext. In response,
the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct.
@ -571,10 +571,9 @@ ${PK}_{sig}:=\big( \mathbf{A},
Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
compute
\begin{eqnarray} \label{init-db}
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N].
\qquad
\end{eqnarray}
\begin{align} \label{init-db}
(\mathbf{a}_i,\mathbf{b}_i) &= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} & \forall i \in [N].
\end{align}
\item[4.] For each $i \in [N]$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the decomposition
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i^T |\mathbf{b}_i^T )^T \in \{0,1\}^{m_d}$. % of $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
@ -600,7 +599,7 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}
\qquad
\end{eqnarray}
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows
a signature on $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_{\rho_i}^T | \mathbf{b}_{\rho_i}^T)^T \in \{0,1\}^{m_d}$.
To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-3}.
@ -609,9 +608,9 @@ To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system i
obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a zero-knowledge argument of knowledge of vector $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm matrices $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)
\begin{eqnarray} \label{test-transfer}
\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor.
\end{eqnarray}
\begin{align} \label{test-transfer}
\mathbf{P} &= \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} & \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T &= \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor.
\end{align}
To this end, $\mathsf{S}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-2}.
\item[3.] If the ZK argument produced by $\mathsf{S}_\mathsf{T}$ does not properly verify at step 2, $\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$. Otherwise, $\mathsf{R}_\mathsf{T}$ recalls
the random string $\mu \in \{0,1\}^t$ that was chosen at step 1 and computes $M_{\rho_i}=M' \oplus \mu$. The transfer ends with $\mathsf{S}_\mathsf{T}$ and $\mathsf{R}_\mathsf{T}$
@ -626,7 +625,7 @@ outputting $S_i=S_{i-1}$ and $R_i=R_{i-1}$, respectively.
In the initialization phase, the sender has to repeat step 5 with each
receiver to prove that $\left\{(\mathbf{a}_i,\mathbf{b}_i)\right\}_{i=1}^N$ are well-formed. Using the Fiat-Shamir heuristic \cite{FS86}, we can decrease this initialization
cost from $O(N \cdot U)$ to $O(N)$ (regardless of the number of users $U$) by making the proof non-interactive.
This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be non-interactive and the receiver's arguments only need to be WI, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof
This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be non-interactive and the receiver's arguments only need to be \textsf{WI}, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof
simple, we derive the matrix $\mathbf{F} \in \Zq^{n \times m}$ from a second random oracle.
%which the sender can build his $\LWE$-based public key $\mathbf{P}=\mathbf{F} \cdot \mathbf{S} + \mathbf{E}$, for small-norm matrices $\mathbf{S} \in \ZZ^{n \times t}$
%and $\mathbf{E} \in \ZZ^{m \times t}$.
@ -685,11 +684,11 @@ samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \ZZ_q^n \times \ZZ_q^t,
\end{eqnarray*}
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$.
Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that
Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive \textsf{WI} argument that
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
It thus generates a \textsf{WI} argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}. %(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter
By the statistically \textsf{WI} of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter
such that $(m+1) \alpha q / B $ is negligible, the result of \cite[Section 4.1]{DS16} implies that always re-randomizing
$(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$ leaves the view of $\hat{\mathsf{S}}$ statistically unchanged.
We have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathsf{negl}(\lambda). $ \smallskip
@ -927,7 +926,7 @@ the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desi
satisfies \eqref{ver-eq-block} and that $\|\mathbf{v}_\USR\| \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$. If so, $\USR$ sets
$C_\USR := C_{\USR} \cup \{\mathbf{x}\}$, $\mathsf{Cred}_\USR := \mathsf{Cred}_\USR \cup \{\crt_{\USR,\mathbf{x}}\}$ and updates its state $st_\USR=(\mathbf{e}_\USR,P_\USR,f_{DB},C_\USR,\mathsf{Cred}_\USR)$. If $\crt_{\USR,\mathbf{x}}$ does not properly verify, $\USR$ aborts the interaction and leaves $st_{\USR}$ unchanged. \smallskip
\end{itemize}
\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender \textsf{DB}
\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender % \textsf{DB}
has $\mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N $ which is a database of $N$ pairs made of a message
$M_i \in \{0,1\}^{t}$ and a policy realized by a length-$L$
branching program $\BPR_i = \{\var_i(\theta),\pi_{i,\theta,0},\pi_{i,\theta,1}\}_{\theta=1}^L$. %.of length $L \in \mathsf{poly}(n)$,
@ -973,7 +972,7 @@ the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desi
\end{itemize}
\item[\textsf{Transfer}$\big(\mathsf{DB}(SK_{\mathsf{DB}},PK_{\mathsf{DB}},PK_I),\USR(\rho,st_\USR,PK_I,PK_\mathsf{DB},ER_\rho,\BPR_\rho) \big)$:]
Given an index $\rho \in [N]$, a record
From an index $\rho \in [N]$, a record
$ER_\rho =\big(\mathbf{a}_\rho,\mathbf{b}_\rho,(\tau_\rho,\mathbf{v}_\rho ) \big) $ and a policy $\BPR_{\rho}$, the user $\USR$ parses
$st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. If $C_\USR$ does not contain any $\mathbf{x} \in \{0,1\}^\kappa$ s.t.
$\BPR_{\rho}(\mathbf{x})=1$ and $\mathsf{Cred}_{\USR}$ contains the corresponding $\crt_{\USR,\mathbf{x}}$, $\USR$ outputs $\perp$. Otherwise, he
@ -1020,7 +1019,7 @@ $t$-bit messages $\{M_i\}_{i=1}^N$ satisfying~\eqref{PK-gen-ac}-\eqref{init-db-a
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\qquad
\end{eqnarray}
which is sent to $\mathsf{DB}$ as a re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated
which is sent to $\mathsf{DB}$ as a re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated
with a policy $\BPR_\rho$ for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR_\rho (\mathbf{x})=1$.
%To this end, $\USR$ uses the technique of Section \ref{ineff-method}.
In addition, $\USR$
@ -1061,40 +1060,42 @@ satisfying the relations (modulo $q$)
%\begin{eqnarray} \label{statement-rand-deux-ac}
%\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u},
%\end{eqnarray}
\begin{eqnarray}\label{statement-rand-trois-ac}
\begin{cases}
\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
\left[ \begin{array}{c|c|c|c}
~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
& & & - \mathbf{A}_{\mathrm{HBP}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
\mathbf{z}_{\BPR,\rho}
\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip
\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)}} \\[2.5pt]
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]
\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +
\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2}) - \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]
\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}} - \mathbf{H}_{n,q-1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]
\left[
\begin{array}{c|c}
\mathbf{H}_{n,q-1} & \mathbf{0} \\
\hline \rule{0pt}{2.6ex}
\mathbf{0} & \mathbf{I}_\kappa \\
\end{array}
\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[
\begin{array}{c}
-\bar{\mathbf{A}} \\
\mathbf{0} \\
\end{array}
\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[
\begin{array}{c}
\mathbf{0} \\
-\mathbf{I}_\kappa \\
\end{array}
\right]\cdot \mathbf{x} = \mathbf{0}
\end{cases}
\end{eqnarray}
{\footnotesize
\begin{eqnarray}\label{statement-rand-trois-ac}
\begin{cases}
\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
\left[ \begin{array}{c|c|c|c}
~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
& & & - \mathbf{A}_{\mathrm{HBP}}
\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
\mathbf{z}_{\BPR,\rho}
\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip
\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)}} \\[2.5pt]
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]
\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +
\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2}) - \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]
\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}} - \mathbf{H}_{n,q-1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]
\left[
\begin{array}{c|c}
\mathbf{H}_{n,q-1} & \mathbf{0} \\
\hline \rule{0pt}{2.6ex}
\mathbf{0} & \mathbf{I}_\kappa \\
\end{array}
\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[
\begin{array}{c}
-\bar{\mathbf{A}} \\
\mathbf{0} \\
\end{array}
\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[
\begin{array}{c}
\mathbf{0} \\
-\mathbf{I}_\kappa \\
\end{array}
\right]\cdot \mathbf{x} = \mathbf{0}
\end{cases}
\end{eqnarray}
}
and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes $\BPR_\rho$ such that $\BPR_\rho (\mathbf{x})=1$.
This is done by running the argument system described in Section~\ref{subsection:ZK-Protocol4-BP}.
@ -1478,33 +1479,34 @@ Let $n, m , m_d, q, t, \ell, B$ be the parameters defined in Section~\ref{OT-sch
$\mathbf{c}_0 \in \mathbb{Z}_q^n, \hspace*{2.5pt}\mathbf{c}_1 \in \mathbb{Z}_q^t, \hspace*{2.5pt}\mathbf{u} \in \mathbb{Z}_q^n$. \smallskip
\item[Prover's goal] is to prove knowledge of $\mathfrak{m} \in \{0,1\}^{m_d}$, $\mu \in \{0,1\}^t$, $\mathbf{e} \in \{-1,0,1\}^t$, $\nu \in [-B,B]^t$, $\tau = (\tau[1], \ldots, \tau[\ell])^T \in \{0,1\}^\ell$, $\mathbf{v}_1, \mathbf{v}_2 \in [-\beta, \beta]^m$ such that the following equations hold:
\end{description}
{\small
\begin{eqnarray}\label{eq:protocol-3-original}
\begin{cases}
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \bmod q; \\
\mathbf{H}_{n+t, q-1}\hspace*{-2pt}\cdot \hspace*{-2pt}\mathfrak{m} + \left(
\begin{array}{c}
\mathbf{F} \\
\mathbf{P}^T \\
\end{array}
\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{e} + \left(
\begin{array}{c}
\mathbf{0}^{n \times t} \\
\lfloor \frac{q}{2}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{I}_t\\
\end{array}
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \mu + \left(
\begin{array}{c}
\mathbf{0}^{n \times t} \\
\mathbf{I}_t \\
\end{array}
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \nu = \left(
\begin{array}{c}
\mathbf{c}_0 \\
\mathbf{c}_1 \\
\end{array}
\right) \bmod q. ~~~~~
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \bmod q; \\
\mathbf{H}_{n+t, q-1}\hspace*{-2pt}\cdot \hspace*{-2pt}\mathfrak{m} + \left(
\begin{array}{c}
\mathbf{F} \\
\mathbf{P}^T \\
\end{array}
\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{e} + \left(
\begin{array}{c}
\mathbf{0}^{n \times t} \\
\lfloor \frac{q}{2}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{I}_t\\
\end{array}
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \mu + \left(
\begin{array}{c}
\mathbf{0}^{n \times t} \\
\mathbf{I}_t \\
\end{array}
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \nu = \left(
\begin{array}{c}
\mathbf{c}_0 \\
\mathbf{c}_1 \\
\end{array}
\right) \bmod q. ~~~~~
\end{cases}
\end{eqnarray}
For this purpose, we perform the following transformations on the witnesses. \smallskip \smallskip
\end{eqnarray}}
For this purpose, we perform the following transformations on the witnesses. \medskip
\noindent
@ -2089,7 +2091,7 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}
\qquad
\end{eqnarray}
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The resulting ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.
To this end, $\mathsf{R}_\mathsf{T}$ argues knowledge of short vectors $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_i| \mathbf{b}_i) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ such that
\begin{eqnarray} \label{statement-rand-un-app}
@ -2105,7 +2107,7 @@ and
\vdots \\ \hline \rule{0pt}{2.5ex} \tau[\ell] \cdot \mathbf{v}_2 \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \mathfrak{m} ~\bmod q
\end{eqnarray}
\item[2.] If the WI argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
\item[2.] If the \textsf{WI} argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
obtain $$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1|\ldots | \mathbf{e}_t] \in \chi^{m \times t}$ satisfying (modulo $q$)
@ -2114,16 +2116,17 @@ of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1|\ldot
\end{eqnarray}
Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^T \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1| \ldots | \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge
of $\mathbf{s}_j \in \chi^n$, $\mathbf{y}[j] \in \ZZ$ such that $|\mathbf{y}[j] | < q/4$ and $\mathbf{e}_j \in \chi^m$, such that
\begin{eqnarray} \label{sender-proof-two-app}
\begin{align} \label{sender-proof-two-app}
\left[ \begin{array}{c|c|c}
~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_0^T ~ & & 1
\end{array} \right]
\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} = \begin{pmatrix}
\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} &=
\begin{pmatrix}
\mathbf{p}_j \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_1[j] - M'[j] \cdot \lfloor q/2 \rfloor
\end{pmatrix} \qquad~ \forall j \in [t], \qquad
\end{eqnarray}
\end{pmatrix} & \forall j \in [t],
\end{align}
where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^T $ and $M' = (M'[1],\ldots,M'[t])^T$. Let the NIZK argument be $\pi_T=(
\{\mathsf{Comm}_{T,j}\}_{j=1}^\varsigma,\mathsf{Chall}_T,\{\mathsf{Resp}_{T,j}\}_{j=1}^\varsigma)$,
where $\mathsf{Chall}_T = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{c}_0, \mathbf{c}_{1}),
@ -2217,12 +2220,12 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
\begin{eqnarray*}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\end{eqnarray*}
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive \textsf{WI} argument that
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
It thus generates a \textsf{WI} argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}.
%(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.
By the statistically \textsf{WI} of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.
We have $ | \Pr[W_4] -\Pr[W_3] | \in \mathsf{negl}(\lambda). $ \smallskip
\end{description}
In $\textsf{Exp}_4$, we define the ideal-world cheating sender $\hat{\mathsf{S}}'$ in the following way. It programs the random oracle $H_F : \{0,1\}^\ast

41
chap-conclusion.tex
View File

@ -5,18 +5,18 @@
In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.
In pairing-based cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.
It relies on broadly used assumptions with simple statements which exist for more than ten years.
In pairing-based cryptography, we proposed a practical dynamic group signature scheme, for which security is well-understood.
It relies on broadly used assumptions with simple and constant-size descriptions which exist for more than ten years.
This work is also supported by an implementation in \texttt{C}.
Our work in the lattice setting gives rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that it's one step toward a quantum-secure privacy-friendly world.
The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.
In the way of doing it, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.
On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.
All these works are proven under strong security model within simple assumptions.
This made a breeding ground for new theoretical constructions, as well as going toward practicality.
All these works are proven under strong security models under simple assumptions.
This provides a breeding ground for new theoretical constructions.
\section*{Open Problems}
@ -24,12 +24,12 @@ The path of providing new cryptographic primitives and proving them is dissemina
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.
\begin{question}
Is it possible to build an adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
Is it possible to build a fully-simulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
\end{question}
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.
However, finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}.
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.
However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.
\subsection*{Zero-Knowledge Proofs}
@ -39,10 +39,11 @@ Then, the main difficulty is to have zero-knowledge proofs compatible with the a
\end{question}
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
Recent line of work goes toward this direction~\cite{RSS18}, but relies on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
This question remains open for more than $10$ years~\cite{KW18}.
Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
The choice of permutations used to ensure zero-knowledgeness (and so witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
This proves to be a real bottleneck in the efficiency of such proof systems.
\begin{question}
@ -53,7 +54,7 @@ As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
Thus, a natural question may be:
@ -61,12 +62,12 @@ Thus, a natural question may be:
\subsection*{Cryptographic Constructions}
\begin{question}
Does a trapdoor-free (H)IBE exists?
Does an efficient trapdoor-free (H)IBE exists?
\end{question}
For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
To have a secure public key encryption scheme under adaptive active attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transformations generically transform an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
\begin{question}
@ -75,6 +76,6 @@ Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public ke
Our work during this thesis also focuses on the security proofs of cryptographic schemes.
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17}.
This improves the understanding of the links between cryptographic schemes and security assumptions, leading to more reliable constructions.
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.
This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.

2
chap-introduction.tex
View File

@ -55,7 +55,7 @@ In the context of this thesis, the developed cryptographic schemes rely on latti
Lattice-based cryptography is used to step towards post-quantum cryptography, while the latter proves useful in the design of practical schemes.
The details of these two structures are given in~\cref{ch:structures}.
\subsection{Zero-knowledge Proofs}
\subsection{Zero-Knowledge Proofs}
As explained before, zero-knowledge proofs are a basic building block for privacy-preserving cryptography.
They requires completeness, soundness and zero-knowledge properties.

7
chap-proofs.tex
View File

@ -179,9 +179,12 @@ For instance, there is no security proofs for the El Gamal encryption scheme fro
Another criterion to evaluate the security of an assumption is to look if the assumption is ``simple to state'' or not.
This observation is buttressed by the statement of~\cite[p.25]{KL07}:~``\ldots\textit{there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute.}''.
It is harder to evaluate the security of an assumption as $q$-Strong Diffie-Hellman, which is a variant of $\DDH$ where the adversary is given the tuple $(g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{})$ and has to devise $g^{a^{q+1}}$.
Indeed, it is complicated to evaluate the security of an assumption as $q$-Strong Diffie-Hellman assumptions defined as follows.
\begin{definition}[$q$-Strong Diffie-Hellman assumption~\cite{BB04,BBS04}]
In a cyclic group $\GG$, the $q$\textit{-Strong Diffie-Hellman} ($\qSDH$) problem is, given $g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{}$, compute the element $g^{a^{q+1}}$.
\end{definition}
The security of this assumption inherently depends on the parameter $q$ of the assumption.
Cheon also proved that for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.
Cheon additionally showed that, for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.
These parameterized assumptions are called \emph{$q$-type assumptions}.
There also exist other kinds of non-static assumptions, such as interactive assumptions.
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.

32
chap-sigmasig.tex
View File

@ -2,8 +2,8 @@
% \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
% \label{ch:sigmasig}
%-------------------------------------------------
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an \textit{efficient} construction~\cite{BR93}.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with two companion protocols: a protocol whereby a signer can obliviously sign a committed message known only to the user and a zero-knowledge proof to efficiently attest possession of a hidden message-signature pair.
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} to the random oracle model~\cite{BR93} in order to get an \textit{efficient} construction.
In the Camenish and Lysyanskaya terminology, signatures with efficient protocols~\cite{CL04a} are digital signatures which come with two companion protocols: a protocol whereby a signer can obliviously sign a committed message known only to the user and a zero-knowledge proof to efficiently attest possession of a hidden message-signature pair.
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
@ -12,16 +12,16 @@ Later on, users can make themselves known to verifiers under a different pseudon
In this context, signature with efficient protocols can typically be used as follows:
the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret message-signature pair.
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the reliability of the assumptions it relies on.
Before the works described in this chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, BBS04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders~\cite{PS18} improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
We note that beside the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
We note that besides the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) A variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime-order groups: for equivalent security levels, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} that unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
In this chapter, we describe a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
In this chapter, we describe a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well-studied assumption.
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
@ -31,7 +31,7 @@ The signature scheme described in this chapter (\cref{scal-sig}) crucially takes
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
As another showcase for this signature, we also design another primitive.
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely, \SXDH and \SDL).
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
@ -1392,7 +1392,7 @@ We stress that the proofs can be easily adapted to the case where the opening a
\subsection{Comparison with Existing Schemes}
\begin{table*}
\begin{table*}[h]
\small
\centering
\begin{tabular}{|c|c|c|c|c|c|c|}
@ -1468,13 +1468,13 @@ number $\Ngs$ of group users (like \cite{BCN+10}).
\label{ta:sigmasig-figures}
\end{table}
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at the following address:~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at the following \textsc{URL}:~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
The relic toolkit provides an implementation for pairing computations, hash functions (SHA-256 in this case) and benchmarking macros.
The benchmarking was made on a single-core of an \textit{Intel\textregistered{} Core\texttrademark{} i5-7500 CPU @ 3.40GHz} (Kaby Lake architecture) with 6MB of cache.
To implement pairings, the relic library implements the Barreto-Naehrig~\cite{BN06} curve over a 256 bits curve.
As explained previously, since recent advances in pairing-friendly elliptic curve cryptanalysis, there is no curve anymore that shows the best timing results in every aspect.
As explained previously, since recent advances in pairing-friendly elliptic curve cryptanalysis, there is no more curve that shows the best timing results in every aspect.
Figures are available in Table~\ref{ta:sigmasig-figures}.
Unfortunately, we didn't have time to implement other protocols from~\cref{sig-comp} in order to present fair comparison.
Moreover, those schemes hardly show implementation results, and providing timing comparisons seems compromised.
%Unfortunately, we didn't have time to implement other protocols from~\cref{sig-comp} in order to present fair comparison.
%Moreover, those schemes hardly show implementation results, and providing timing comparisons seems compromised.

2
garde.tex
View File

@ -75,7 +75,7 @@ Devant le jury composé de :
%\bigskip
\textsc{Catalano} Dario, Professeur Associé, Università di Catania (Italie)\hfill Rapporteur
\textsc{Catalano} Dario, Associate Professor, Università di Catania (Italie)\hfill Rapporteur
\textsc{Pointcheval} David, Directeur de Recherche, CNRS et ENS \hfill Rapporteur

1
macros.tex
View File

@ -52,6 +52,7 @@
%% Pairings
\newcommand{\DLP}{\textsf{DLP}\xspace}
\newcommand{\DDH}{\textsf{DDH}\xspace}
\newcommand{\qSDH}{\textsf{$q$-SDH}\xspace}
\newcommand{\SXDH}{\textsf{SXDH}\xspace}
\newcommand{\SDL}{\textsf{SDL}\xspace}
%% Lattices

18
main.tex
View File

@ -3,7 +3,7 @@
\semiisopage
%% Highlight overfull hbox
\overfullrule=1mm
%\overfullrule=1mm
%% Show labels
%\usepackage{showkeys}
@ -17,7 +17,7 @@
% Customization
\usepackage{lmodern}
\usepackage{libertine}
\usepackage{inconsolata}
\usepackage[scaled=.87]{inconsolata}
\chapterstyle{madsen}
\usepackage{subfig}
@ -25,12 +25,20 @@
\floatstyle{boxed}
\restylefloat{figure}
\let\theoldbibliography\thebibliography
\renewcommand\thebibliography[1]{
\theoldbibliography{#1}
\setlength{\parskip}{0pt}
\setlength{\itemsep}{4pt plus 0.3ex}
\small
}
\usepackage{xcolor, graphicx}
\usepackage{multirow}
\usepackage[pagebackref]{hyperref}
\renewcommand*{\backref}[1]{}
\renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#2}
\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!green, breaklinks=true}
\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!purple, breaklinks=true}
\hypersetup{pdftitle={Privacy-preserving cryptography from pairings and lattices},
pdfauthor={Fabrice Mouhartem},
pdfsubject={Cryptography}}
@ -84,14 +92,14 @@
\cleardoublepage
\vspace*{\stretch{1}}
\begin{flushright}
À \ldots
%À \ldots
\end{flushright}
\vspace*{\stretch{2}}
%%%%%%%%%%%%%
\input abstract
\input acknowledgements
%\input acknowledgements
%\cleardoublepage
%\frenchtableofcontents

2
symbols.tex
View File

@ -31,7 +31,7 @@
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
$\NIZK$ & Non-Interactive Zero-Knowledge \\
$\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\
$\textsf{WI}$ & Witness indistinguishable \\
$\textsf{WI}$ & Witness Indistinguishable \\
$\textsf{GS}$ & Group Signature \\
$\GE$ & Group Encryption \\
$\OT$ & Oblivious Transfer \\

42
these.bib
View File

@ -192,7 +192,7 @@
@InProceedings{BCKL09,
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
title = {Compact E-Cash and Simulatable VRFs Revisited},
title = {{Compact E-Cash and Simulatable VRFs Revisited}},
booktitle = {{Pairing}},
year = {2009},
volume = {5671},
@ -3068,4 +3068,44 @@
publisher = {Springer},
}
@InProceedings{KW18,
author = {Sam Kim and David J. Wu},
title = {{Multi-Theorem Preprocessing NIZKs from Lattices}},
booktitle = {Crypto},
year = {2018},
series = {LNCS},
pages = {To appear},
publisher = {Springen},
}
@InProceedings{LSSS17,
author = {Libert, Benoît and Sakzad, Amin and Stehlé, Damien and Steinfeld, Ron},
title = {{All-But-Many Lossy Trapdoor Functions and Selective Opening Chosen-Ciphertext Security from LWE}},
booktitle = {Crypto},
year = {2017},
series = {LNCS},
pages = {332--364},
publisher = {Springer},
}
@InProceedings{LJYP14,
author = {Libert, Benoît and Joye, Marc and Yung, Moti and Peters, Thomas},
title = {{Concise Multi-challenge CCA-Secure Encryption and Signatures with Almost Tight Security}},
booktitle = {Asiacrypt},
year = {2014},
series = {LNCS},
pages = {1--21},
publisher = {Springer},
}
@InProceedings{PS18,
author = {Pointcheval, David and Sanders, Olivier},
title = {{Reassessing Security of Randomizable Signatures}},
booktitle = {CT-RSA},
year = {2018},
series = {LNCS},
pages = {319--338},
publisher = {Springer},
}
@Comment{jabref-meta: databaseType:bibtex;}