Corrections
- WI - overfull hbox - other stuff
This commit is contained in:
@ -3,7 +3,7 @@ This construction relies on a signature scheme with efficient protocols as in~\c
|
||||
As a consequence, it is possible to design lattice-based anonymous credentials from this building block.
|
||||
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} transform to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
|
||||
|
||||
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
|
||||
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well-studied assumptions.
|
||||
As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
|
||||
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
|
||||
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
|
||||
@ -1008,7 +1008,7 @@ to compute a small-norm matrix
|
||||
$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
|
||||
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$
|
||||
(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
|
||||
\item[3.] Determine if the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
|
||||
\item[3.] Determine whether the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step~2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
|
||||
output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.
|
||||
\end{itemize}
|
||||
\end{description}
|
||||
@ -1784,8 +1784,9 @@ and that (modulo $q$)
|
||||
\begin{cases}
|
||||
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
|
||||
|
||||
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
|
||||
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
|
||||
\mathbf{c}_{\mathbf{v}, 1} = \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
|
||||
\mathbf{c}_{\mathbf{v},2} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} \\
|
||||
\hphantom{\mathbf{c}_{\mathbf{v},2}} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
|
||||
\begin{array}{c}
|
||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||
\mathbf{0}\\
|
||||
|
||||
Reference in New Issue
Block a user