Corrections
- WI - overfull hbox - other stuff
This commit is contained in:
parent
62f7624397
commit
444641891c
24
abstract.tex
@ -5,14 +5,14 @@
|
|||||||
|
|
||||||
\begin{otherlanguage}{french}
|
\begin{otherlanguage}{french}
|
||||||
Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée.
|
Dans cette thèse, nous étudions les constructions cryptographiques prouvées pour la protection de la vie privée.
|
||||||
Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissances et leurs applications.
|
Pour cela nous nous sommes intéressés aux preuves et arguments à divulgation nulles de connaissance et leurs applications.
|
||||||
Un exemple de ces constructions est la signature de groupe. Ce protocole a pour but de permettre à un utilisateur de s'authentifier comme appartenant à un groupe, sans révéler son identité.
|
Un exemple de ces constructions est la signature de groupe. Ce protocole a pour but de permettre à un utilisateur de s'authentifier comme appartenant à un groupe, sans révéler son identité.
|
||||||
Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litiges.
|
Afin que les utilisateurs restent responsable de leurs agissements, une autorité indépendante est capable de lever l'anonymat d'un utilisateur en cas de litige.
|
||||||
Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transports en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transports ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident.
|
Une telle construction peut ainsi être utilisée, par exemple, dans les systèmes de transport en commun. Un utilisateur qui rentre dans un bus prouve ainsi son appartenance aux utilisateurs possédant un abonnement valide, sans révéler qui il est, et évitant ainsi que la société de transport ne le trace. En revanche, en cas d'incident sur le réseau, la société peut faire appel à la police pour lever l'anonymat des usagers présents au moment de l'incident.
|
||||||
Nous avons proposé deux constructions de ces signatures de groupes, prouvées sous des hypothèses simples sur les couplages et les réseaux euclidiens.
|
Nous avons proposé deux constructions de ces signatures de groupe, prouvées sûres sous des hypothèses simples dans le monde des couplages et des réseaux euclidiens.
|
||||||
Dans la continuité de ces travaux, nous avons aussi proposé la première construction de chiffrement de groupe (l'équivalent de la signature de groupe pour le chiffrement) à base de réseaux euclidiens.
|
Dans la continuité de ces travaux, nous avons aussi proposé la première construction de chiffrement de groupe (l'équivalent de la signature de groupe pour le chiffrement) à base de réseaux euclidiens.
|
||||||
Finalement, ces travaux nous ont amené à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens.
|
Finalement, ces travaux nous ont amené à la construction d'un schéma de transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens.
|
||||||
Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern.
|
Ces constructions à base de réseaux ont été rendues possibles par des améliorations successives de l'expressivité du protocole de Stern, qui reposait initialement sur la difficulté du problème du décodage de syndrome.
|
||||||
\end{otherlanguage}
|
\end{otherlanguage}
|
||||||
\clearpage
|
\clearpage
|
||||||
|
|
||||||
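Review bot: the agreement fixes in this French pass are incomplete: on the "litige" line, `restent responsable de leurs agissements` still needs the plural `responsables`, and on the line above it `à divulgation nulles de connaissance` should read `à divulgation nulle de connaissance` (`nulle` agrees with `divulgation`, not with `preuves et arguments`). Suggest folding both into this commit since it already touches those two lines.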
@ -28,13 +28,13 @@
|
|||||||
In this thesis, we study provably secure privacy-preserving cryptographic constructions.
|
In this thesis, we study provably secure privacy-preserving cryptographic constructions.
|
||||||
We focus on zero-knowledge proofs and their applications.
|
We focus on zero-knowledge proofs and their applications.
|
||||||
Group signatures are an example of such constructions.
|
Group signatures are an example of such constructions.
|
||||||
This primitive allows users to sign messages on behalf of a group (which they formerly join), while staying anonymous inside this group.
|
This primitive allows users to sign messages on behalf of a group (which they formerly joined), while remaining anonymous inside this group.
|
||||||
Additionally, users remains accountable for their behavior as another independent authority, a judge, is empowered with a secret information to lift anonymity of given signatures.
|
Additionally, users remain accountable for their actions as another independent authority, a judge, is empowered with a secret information to lift the anonymity of any given signature.
|
||||||
This construction has applications in anonymous access control, such as public transportations.
|
This construction has applications in anonymous access control, such as public transportations.
|
||||||
Whenever someone enters a public transport, he signs a timestamp. Doing this proves that he belongs to the group of people with a valid subscription.
|
Whenever someone enters a public transportation, he signs a timestamp. Doing this proves that he belongs to the group of people with a valid subscription.
|
||||||
In case of problem, the transportation company hands the record of suspicious signatures to the police, which is able to un-anonymize them.
|
In case of problem, the transportation company hands the record of suspicious signatures to the police, which is able to un-anonymize them.
|
||||||
We propose two constructions for dynamically growing group signatures. The first is based on pairings assumptions and aims practicality, while the second one is proven secure under lattice assumptions for the sake of not putting all eggs in the same basket.
|
We propose two constructions of group signatures for dynamically growing groups. The first is based on pairing-related assumptions and is fairly practical. The second construction is proven secure under lattice assumptions for the sake of not putting all eggs in the same basket.
|
||||||
Following the same spirit, we also propose two constructions for privacy-preserving cryptography.
|
Following the same spirit, we also propose two constructions for privacy-preserving cryptography.
|
||||||
The first one is a group encryption scheme, which is the encryption analogue of group signatures. Here, the goal is to hide the recipient of a message who belongs to a group, while proving some properties on the message, like the absence of malwares.
|
The first one is a group encryption scheme, which is the encryption analogue of group signatures. Here, the goal is to hide the recipient of a ciphertext who belongs to a group, while proving some properties on the message, like the absence of malwares.
|
||||||
The second is an adaptive oblivious transfer scheme, which allows a user to anonymously query an encrypted database, while keeping the unrequested messages hidden.
|
The second is an adaptive oblivious transfer protocol, which allows a user to anonymously query an encrypted database, while keeping the unrequested messages hidden.
|
||||||
These constructions were made possible through a series of work improving the expressiveness of Stern-like zero-knowledge arguments.
|
These constructions were made possible through a series of work improving the expressiveness of Stern's protocol, which was originally based on the syndrome decoding problem.
|
||||||
|
@ -3,7 +3,7 @@ This construction relies on a signature scheme with efficient protocols as in~\c
|
|||||||
As a consequence, it is possible to design lattice-based anonymous credentials from this building block.
|
As a consequence, it is possible to design lattice-based anonymous credentials from this building block.
|
||||||
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} transform to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
|
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} transform to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
|
||||||
|
|
||||||
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
|
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well-studied assumptions.
|
||||||
As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
|
As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
|
||||||
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
|
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
|
||||||
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
|
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
|
||||||
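Review bot: "the cost of moving to dynamic group" in the last context line needs the plural "dynamic groups", and "to provide full-anonymity" should not be hyphenated, since there it is a noun phrase ("full anonymity"); the hyphen this hunk adds in "well-studied assumptions" is correct because that use is attributive.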
@ -1008,7 +1008,7 @@ to compute a small-norm matrix
|
|||||||
$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
|
$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
|
||||||
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$
|
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$
|
||||||
(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
|
(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
|
||||||
\item[3.] Determine if the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
|
\item[3.] Determine whether the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step~2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
|
||||||
output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.
|
output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\end{description}
|
\end{description}
|
||||||
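Review bot: the notation in step 2 does not match step 3: the ciphertext is written $\mathbf{c}_{\mathbf{v}_i}$, but the decrypted string is $\textsf{bin}(\mathbf{v})$ and the record is $(\mathbf{v}, \crt_i, i, \mathsf{upk}[i], sig_i)$ with no index on $\mathbf{v}$. Since the opener does not know $i$ before the lookup in step 3, dropping the index and writing $\mathbf{c}_{\mathbf{v}}$ is the consistent choice. The `step~2` non-breaking space added here is right; the plain `step 2` / `step 1` in the transfer phase of chap-OT-LWE.tex could get the same treatment.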
@ -1784,8 +1784,9 @@ and that (modulo $q$)
|
|||||||
\begin{cases}
|
\begin{cases}
|
||||||
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
|
\forall k\in [N]: \mathbf{c}_{k,1}= \mathbf{B}^T\cdot\mathbf{s}_{k} + \mathbf{e}_{k,1} ; \mathbf{c}_{k,2}= \mathbf{G}_1^T\cdot \mathbf{s}_{k} + \mathbf{e}_{k,2} + \lfloor q/2 \rfloor\cdot \mathfrak{m}_k ; \\
|
||||||
|
|
||||||
\mathbf{c}_{\mathbf{v}, 1}= \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
|
\mathbf{c}_{\mathbf{v}, 1} = \mathbf{B}^T\cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},1} ; \\
|
||||||
\mathbf{c}_{\mathbf{v},2}= \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
|
\mathbf{c}_{\mathbf{v},2} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} +\mathbf{e}_{\mathbf{v},2}+ \lfloor\frac{q}{p}\rfloor \cdot \mathbf{v} \\
|
||||||
|
\hphantom{\mathbf{c}_{\mathbf{v},2}} = \mathbf{G}_1^T \cdot \mathbf{s}_{\mathbf{v}} + \mathbf{e}_{\mathbf{v},2} + \left(
|
||||||
\begin{array}{c}
|
\begin{array}{c}
|
||||||
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
\lfloor\frac{q}{p}\rfloor \mathbf{I}_m \\
|
||||||
\mathbf{0}\\
|
\mathbf{0}\\
|
||||||
|
@ -1,12 +1,13 @@
|
|||||||
In this part, we will present two constructions for dynamic group signatures.
|
In this part, we will present two constructions of dynamic group signatures.
|
||||||
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} to the random oracle model, which allows us to gain efficiency while keeping the assumptions simple.
|
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} to the random oracle model, which allows us to gain in efficiency while keeping the assumptions simple.
|
||||||
This gives us a constant-size group signature scheme that is shown to be competitive with other constructions based on less standard assumptions.
|
This gives us a constant-size group signature scheme that is shown to be competitive with other constructions based on less standard assumptions such as the $\qSDH$ assumption.
|
||||||
An implementation is available and detailed in \cref{ch:sigmasig}.
|
An implementation is available and detailed in \cref{ch:sigmasig}.
|
||||||
|
|
||||||
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
|
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature based on the scheme of Ling, Nguyen and Wang~\cite{LNW15} for static groups.
|
||||||
|
This construction was improved to match the requirements for dynamic groups, which closes an open-problem~\cite{GKV10}.
|
||||||
This construction has been the first fully secure group signature scheme from lattices.
|
This construction has been the first fully secure group signature scheme from lattices.
|
||||||
|
|
||||||
Before describing those schemes, let us recall in this chapter the definition of dynamic group signatures and their related security definitions.
|
Before describing those schemes, this chapter recalls the definition of dynamic group signatures and their related security definitions.
|
||||||
|
|
||||||
\section{Background} \label{sse:gs-background}
|
\section{Background} \label{sse:gs-background}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique}
|
||||||
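Review bot: the new sentence "This construction was improved to match the requirements for dynamic groups, which closes an open-problem~\cite{GKV10}" leaves the agent unclear (the preceding line now says the scheme is based on [LNW15], so it is the thesis construction that extends it), and "open-problem" should be "open problem". Suggest: "We extend it to meet the requirements of dynamic groups, which closes an open problem raised in~\cite{GKV10}." On the following context line, "has been the first" reads better as "was the first".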
@ -21,23 +22,23 @@ In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed formal security
|
|||||||
This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. These two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}.
|
This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. These two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}.
|
||||||
|
|
||||||
The \cite{BMW03}~model summarizes the security of a group signatures in two notions: \textit{anonymity} and \textit{traceability}.
|
The \cite{BMW03}~model summarizes the security of a group signatures in two notions: \textit{anonymity} and \textit{traceability}.
|
||||||
The former notions models the fact that, without the opening authority's secret, even if everyone colludes, no one can trace a user from a signature; the latter sums up the fact that, even if everyone is corrupted (even the opening authority), it is infeasible to forge a valid signature that does not open to a valid user.
|
The former notions models the fact that, without the opening authority's secret, even if everyone colludes, no one can identify the author of a signature; the latter sums up the fact that, even if everyone is corrupted (even the opening authority), it is infeasible to forge a valid signature that does not open to a valid user.
|
||||||
|
|
||||||
In the dynamic setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.
|
In the dynamic setting, the \textit{group signing-keys issuing} phase is replaced by an interactive \textit{join} protocol where a user who wants to join the group interacts with the group manager.
|
||||||
In this context, the two notions of the BMW model are retained, and a third one is added: the ``\textit{non-frameability}'' property.
|
In this context, the two notions of the BMW model are retained, and a third one is added: the ``\textit{non-frameability}'' property.
|
||||||
This notion expresses the impossibility to frame a group of honest users (which can be reduced to a singleton) in order to provide a signature that opens to one of them, \textit{even if the group manager and the opening authority are colluding}.
|
This notion expresses the infeasibility to frame a group of honest users (which can be reduced to a singleton) in order to provide a signature that opens to one of them, \textit{even if the group manager and the opening authority are colluding}.
|
||||||
|
|
||||||
One possible application of this primitive is anonymous access control for public transportation systems.
|
One possible application of this primitive is anonymous access control for public transportation systems.
|
||||||
In order to commute, a person should prove possession of a valid subscription to the transportation service.
|
In order to commute, a person should prove possession of a valid subscription to the transportation service.
|
||||||
Thus, at registration to the service, the commuter joins the group of ``\emph{users with a valid subscription}'' and when it uses the transportation service, it is asked to sign the timestamp of its entry in the name of the group.
|
Thus, at registration to the service, the commuter joins the group of ``\emph{users with a valid subscription}''. When he uses the transportation service, he is asked to sign the timestamp of his entry in the name of the group.
|
||||||
In case of misbehavior, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
|
In case of misbehavior, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
|
||||||
Then, the public transportation company is unable to learn anything from the signatures, except the validity of the subscription of a user. On the other hand, the police does not have access to the logs except if the public transportation company hands them to it.
|
Then, the public transportation company is unable to learn anything from the signatures, except the validity of the subscription of a user. On the other hand, the police does not have access to the logs except if the public transportation company hands them to them.
|
||||||
|
|
||||||
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
|
Other applications of group signatures can be found as authentication of low-range communications for intelligent cars or anonymous access control of a building.
|
||||||
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
|
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
|
||||||
|
|
||||||
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rose the problem of revocation and proposed a model that handles the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures.
|
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} raised the problem of revocation and proposed a model that handles the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures.
|
||||||
As the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of some interests~\cite{LNWX17}.
|
As the main difficulty is to allow users to dynamically enroll in the group --\,revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of interest~\cite{LNWX17}.
|
||||||
|
|
||||||
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
|
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
|
||||||
|
169
chap-OT-LWE.tex
@ -525,7 +525,7 @@ Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{C
|
|||||||
using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition,
|
using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition,
|
||||||
all ciphertexts are signed using a signature scheme. At each
|
all ciphertexts are signed using a signature scheme. At each
|
||||||
transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive
|
transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive
|
||||||
homomorphism of Regev. Then, the receiver provides a witness indistinguishable (WI) argument that the modified ciphertext (which is
|
homomorphism of Regev. Then, the receiver provides a witness indistinguishable (\textsf{WI}) argument that the modified ciphertext (which is
|
||||||
submitted for oblivious decryption) is
|
submitted for oblivious decryption) is
|
||||||
a transformation of one of the original ciphertexts by arguing knowledge of a signature on this hidden ciphertext. In response,
|
a transformation of one of the original ciphertexts by arguing knowledge of a signature on this hidden ciphertext. In response,
|
||||||
the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct.
|
the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct.
|
||||||
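Review bot: the `\textsf{WI}` markup is hand-written at each occurrence (here and again in the transfer, remark and security-proof hunks below), while `ZK` on the very same lines stays as plain text, so the two acronyms will render differently within one sentence. Consider a `\WI` macro next to the existing `\ROM`, `\SIS` and `\LWE` macros, and style `ZK` the same way.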
@ -571,10 +571,9 @@ ${PK}_{sig}:=\big( \mathbf{A},
|
|||||||
Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample
|
Sample vectors $\mathbf{a}_1,\ldots ,\mathbf{a}_N \sample
|
||||||
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
|
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
|
||||||
compute
|
compute
|
||||||
\begin{eqnarray} \label{init-db}
|
\begin{align} \label{init-db}
|
||||||
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N].
|
(\mathbf{a}_i,\mathbf{b}_i) &= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} & \forall i \in [N].
|
||||||
\qquad
|
\end{align}
|
||||||
\end{eqnarray}
|
|
||||||
|
|
||||||
\item[4.] For each $i \in [N]$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the decomposition
|
\item[4.] For each $i \in [N]$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the decomposition
|
||||||
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i^T |\mathbf{b}_i^T )^T \in \{0,1\}^{m_d}$. % of $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
|
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i^T |\mathbf{b}_i^T )^T \in \{0,1\}^{m_d}$. % of $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
|
||||||
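Review bot: the `eqnarray` to `align` conversion is the right move, but note the `&` structure: `(\mathbf{a}_i,\mathbf{b}_i) &= ... & \forall i \in [N]` puts the quantifier in a second column pair separated only by the standard column gap, where the removed `\qquad` gave explicit spacing; if it looks tight, keep `\qquad \forall i \in [N]` in the same cell and drop the second `&`. The trailing `% of $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.` comment on the last line is dead text and can go.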
@ -600,7 +599,7 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}
|
|||||||
\qquad
|
\qquad
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
|
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
|
||||||
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows
|
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a transformation of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some $\rho_i \in [N]$, and $\mathsf{R}_\mathsf{T}$ knows
|
||||||
a signature on $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_{\rho_i}^T | \mathbf{b}_{\rho_i}^T)^T \in \{0,1\}^{m_d}$.
|
a signature on $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_{\rho_i}^T | \mathbf{b}_{\rho_i}^T)^T \in \{0,1\}^{m_d}$.
|
||||||
To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-3}.
|
To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-3}.
|
||||||
|
|
||||||
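Review bot: the decomposition index disagrees across hunks: this hunk has $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_{\rho_i}^T | \mathbf{b}_{\rho_i}^T)^T$, while step 4 of the initialization (previous hunk) and the security-proof hunk below use $\mathsf{vdec}_{n+t,q-1}$. Since $\mathbf{b}_i \in \Zq^t$, the concatenated vector has dimension $n+t$, so `n+1` looks like a typo that should be fixed in the same pass.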
@ -609,9 +608,9 @@ To this end, $\mathsf{R}_\mathsf{T}$ runs the prover in the ZK argument system i
|
|||||||
obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$
|
obtain $M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$
|
||||||
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a zero-knowledge argument of knowledge of vector $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
|
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a zero-knowledge argument of knowledge of vector $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
|
||||||
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm matrices $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)
|
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and small-norm matrices $\mathbf{E}\in \ZZ^{m \times t}$, $\mathbf{S} \in \ZZ^{n \times t}$ satisfying (modulo $q$)
|
||||||
\begin{eqnarray} \label{test-transfer}
|
\begin{align} \label{test-transfer}
|
||||||
\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor.
|
\mathbf{P} &= \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} & \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T &= \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor.
|
||||||
\end{eqnarray}
|
\end{align}
|
||||||
To this end, $\mathsf{S}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-2}.
|
To this end, $\mathsf{S}_\mathsf{T}$ runs the prover in the ZK argument system in Section~\ref{subsection:ZK-protocol-2}.
|
||||||
\item[3.] If the ZK argument produced by $\mathsf{S}_\mathsf{T}$ does not properly verify at step 2, $\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$. Otherwise, $\mathsf{R}_\mathsf{T}$ recalls
|
\item[3.] If the ZK argument produced by $\mathsf{S}_\mathsf{T}$ does not properly verify at step 2, $\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$. Otherwise, $\mathsf{R}_\mathsf{T}$ recalls
|
||||||
the random string $\mu \in \{0,1\}^t$ that was chosen at step 1 and computes $M_{\rho_i}=M' \oplus \mu$. The transfer ends with $\mathsf{S}_\mathsf{T}$ and $\mathsf{R}_\mathsf{T}$
|
the random string $\mu \in \{0,1\}^t$ that was chosen at step 1 and computes $M_{\rho_i}=M' \oplus \mu$. The transfer ends with $\mathsf{S}_\mathsf{T}$ and $\mathsf{R}_\mathsf{T}$
|
||||||
@ -626,7 +625,7 @@ outputting $S_i=S_{i-1}$ and $R_i=R_{i-1}$, respectively.
|
|||||||
In the initialization phase, the sender has to repeat step 5 with each
|
In the initialization phase, the sender has to repeat step 5 with each
|
||||||
receiver to prove that $\left\{(\mathbf{a}_i,\mathbf{b}_i)\right\}_{i=1}^N$ are well-formed. Using the Fiat-Shamir heuristic \cite{FS86}, we can decrease this initialization
|
receiver to prove that $\left\{(\mathbf{a}_i,\mathbf{b}_i)\right\}_{i=1}^N$ are well-formed. Using the Fiat-Shamir heuristic \cite{FS86}, we can decrease this initialization
|
||||||
cost from $O(N \cdot U)$ to $O(N)$ (regardless of the number of users $U$) by making the proof non-interactive.
|
cost from $O(N \cdot U)$ to $O(N)$ (regardless of the number of users $U$) by making the proof non-interactive.
|
||||||
This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be non-interactive and the receiver's arguments only need to be WI, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof
|
This modification also reduces each transfer to $5$ communication rounds since, even in the transfer phase, the sender's ZK arguments can be non-interactive and the receiver's arguments only need to be \textsf{WI}, which is preserved when the basic ZK protocol (which has a ternary challenge space) is repeated $\omega(\log n)$ times in parallel. To keep the security proof
|
||||||
simple, we derive the matrix $\mathbf{F} \in \Zq^{n \times m}$ from a second random oracle.
|
simple, we derive the matrix $\mathbf{F} \in \Zq^{n \times m}$ from a second random oracle.
|
||||||
%which the sender can build his $\LWE$-based public key $\mathbf{P}=\mathbf{F} \cdot \mathbf{S} + \mathbf{E}$, for small-norm matrices $\mathbf{S} \in \ZZ^{n \times t}$
|
%which the sender can build his $\LWE$-based public key $\mathbf{P}=\mathbf{F} \cdot \mathbf{S} + \mathbf{E}$, for small-norm matrices $\mathbf{S} \in \ZZ^{n \times t}$
|
||||||
%and $\mathbf{E} \in \ZZ^{m \times t}$.
|
%and $\mathbf{E} \in \ZZ^{m \times t}$.
|
||||||
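Review bot: the new `\textsf{WI}` in `the receiver's arguments only need to be \textsf{WI}` leaves `ZK` in the same sentence (`the sender's ZK arguments`, `the basic ZK protocol`) in plain roman, so two abbreviations of proof-system properties are now typeset differently within one sentence; either wrap ZK the same way or, better, define a macro (`\newcommand{\WI}{\textsf{WI}}`) once, since this exact replacement is retyped by hand in several later hunks of this commit. The two `%`-commented lines about the $\LWE$-based public key carry no change and could be dropped rather than kept as dead text.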
@ -685,11 +684,11 @@ samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$
|
|||||||
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \ZZ_q^n \times \ZZ_q^t,
|
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \ZZ_q^n \times \ZZ_q^t,
|
||||||
\end{eqnarray*}
|
\end{eqnarray*}
|
||||||
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$.
|
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$.
|
||||||
Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that
|
Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive \textsf{WI} argument that
|
||||||
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
|
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
|
||||||
It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
|
It thus generates a \textsf{WI} argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
|
||||||
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}. %(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
|
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}. %(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
|
||||||
By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter
|
By the statistically \textsf{WI} of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$. Indeed, since we chose $B$ as a randomization parameter
|
||||||
such that $(m+1) \alpha q / B $ is negligible, the result of \cite[Section 4.1]{DS16} implies that always re-randomizing
|
such that $(m+1) \alpha q / B $ is negligible, the result of \cite[Section 4.1]{DS16} implies that always re-randomizing
|
||||||
$(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$ leaves the view of $\hat{\mathsf{S}}$ statistically unchanged.
|
$(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$ leaves the view of $\hat{\mathsf{S}}$ statistically unchanged.
|
||||||
We have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathsf{negl}(\lambda). $ \smallskip
|
We have $ | \Pr[W_2] -\Pr[W_1] | \leq \mathsf{negl}(\lambda). $ \smallskip
|
||||||
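Review bot: `$\mathbf{e} \in \{-1,0,1\}^t$` in the `It thus generates a \textsf{WI} argument of knowledge` sentence disagrees with the hunk header, where $\mathbf{e} \sample U(\{-1,0,1\}^m)$, and with the ciphertext component $\mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e}$ in the display, which needs $\mathbf{e} \in \ZZ^m$ for $\mathbf{F} \in \Zq^{n \times m}$; this should be `^m`. Separately, `By the statistically \textsf{WI} of the interactive argument system` should read `By the statistical \textsf{WI}` (the adjective qualifies the noun phrase); the hunk changes only the typeface and leaves the grammar slip in place.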
@ -927,7 +926,7 @@ the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desi
|
|||||||
satisfies \eqref{ver-eq-block} and that $\|\mathbf{v}_\USR\| \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$. If so, $\USR$ sets
|
satisfies \eqref{ver-eq-block} and that $\|\mathbf{v}_\USR\| \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$. If so, $\USR$ sets
|
||||||
$C_\USR := C_{\USR} \cup \{\mathbf{x}\}$, $\mathsf{Cred}_\USR := \mathsf{Cred}_\USR \cup \{\crt_{\USR,\mathbf{x}}\}$ and updates its state $st_\USR=(\mathbf{e}_\USR,P_\USR,f_{DB},C_\USR,\mathsf{Cred}_\USR)$. If $\crt_{\USR,\mathbf{x}}$ does not properly verify, $\USR$ aborts the interaction and leaves $st_{\USR}$ unchanged. \smallskip
|
$C_\USR := C_{\USR} \cup \{\mathbf{x}\}$, $\mathsf{Cred}_\USR := \mathsf{Cred}_\USR \cup \{\crt_{\USR,\mathbf{x}}\}$ and updates its state $st_\USR=(\mathbf{e}_\USR,P_\USR,f_{DB},C_\USR,\mathsf{Cred}_\USR)$. If $\crt_{\USR,\mathbf{x}}$ does not properly verify, $\USR$ aborts the interaction and leaves $st_{\USR}$ unchanged. \smallskip
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender \textsf{DB}
|
\item[\textsf{DBSetup}$\big(PK_I, \mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N \big)$:] The sender % \textsf{DB}
|
||||||
has $\mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N $ which is a database of $N$ pairs made of a message
|
has $\mathsf{DB}=\{(M_i,\BPR_i)\}_{i=1}^N $ which is a database of $N$ pairs made of a message
|
||||||
$M_i \in \{0,1\}^{t}$ and a policy realized by a length-$L$
|
$M_i \in \{0,1\}^{t}$ and a policy realized by a length-$L$
|
||||||
branching program $\BPR_i = \{\var_i(\theta),\pi_{i,\theta,0},\pi_{i,\theta,1}\}_{\theta=1}^L$. %.of length $L \in \mathsf{poly}(n)$,
|
branching program $\BPR_i = \{\var_i(\theta),\pi_{i,\theta,0},\pi_{i,\theta,1}\}_{\theta=1}^L$. %.of length $L \in \mathsf{poly}(n)$,
|
||||||
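Review bot: the bound `$\|\mathbf{v}_\USR\| \leq \sigma \sqrt{2m},\mathbf{r}_\USR \leq \sigma \sqrt{m}$` in the context line compares the vector $\mathbf{r}_\USR$ to a scalar; it should be `\|\mathbf{r}_\USR\| \leq \sigma \sqrt{m}`, and `and` between the two conditions reads better than the comma. On the changed line, `The sender % \textsf{DB}` hides the party name with an inline comment: if the sender is no longer to be named here, delete the text outright; if it should stay, note that the name is written `$\mathsf{DB}$` two lines later, so `\textsf{DB}` and `\mathsf{DB}` would also need reconciling.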
@ -973,7 +972,7 @@ the maximal length $L \in \mathsf{poly}(n)$ of branching programs and their desi
|
|||||||
\end{itemize}
|
\end{itemize}
|
||||||
|
|
||||||
\item[\textsf{Transfer}$\big(\mathsf{DB}(SK_{\mathsf{DB}},PK_{\mathsf{DB}},PK_I),\USR(\rho,st_\USR,PK_I,PK_\mathsf{DB},ER_\rho,\BPR_\rho) \big)$:]
|
\item[\textsf{Transfer}$\big(\mathsf{DB}(SK_{\mathsf{DB}},PK_{\mathsf{DB}},PK_I),\USR(\rho,st_\USR,PK_I,PK_\mathsf{DB},ER_\rho,\BPR_\rho) \big)$:]
|
||||||
Given an index $\rho \in [N]$, a record
|
From an index $\rho \in [N]$, a record
|
||||||
$ER_\rho =\big(\mathbf{a}_\rho,\mathbf{b}_\rho,(\tau_\rho,\mathbf{v}_\rho ) \big) $ and a policy $\BPR_{\rho}$, the user $\USR$ parses
|
$ER_\rho =\big(\mathbf{a}_\rho,\mathbf{b}_\rho,(\tau_\rho,\mathbf{v}_\rho ) \big) $ and a policy $\BPR_{\rho}$, the user $\USR$ parses
|
||||||
$st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. If $C_\USR$ does not contain any $\mathbf{x} \in \{0,1\}^\kappa$ s.t.
|
$st_\USR$ as $(\mathbf{e}_\USR,P_{\USR},f_{DB},C_\USR,\mathsf{Cred}_{\USR})$. If $C_\USR$ does not contain any $\mathbf{x} \in \{0,1\}^\kappa$ s.t.
|
||||||
$\BPR_{\rho}(\mathbf{x})=1$ and $\mathsf{Cred}_{\USR}$ contains the corresponding $\crt_{\USR,\mathbf{x}}$, $\USR$ outputs $\perp$. Otherwise, he
|
$\BPR_{\rho}(\mathbf{x})=1$ and $\mathsf{Cred}_{\USR}$ contains the corresponding $\crt_{\USR,\mathbf{x}}$, $\USR$ outputs $\perp$. Otherwise, he
|
||||||
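Review bot: `From an index $\rho \in [N]$, a record ... and a policy $\BPR_{\rho}$, the user $\USR$ parses $st_\USR$` reads less clearly than the original `Given`, because `From` suggests the state is derived from these values whereas they are the user's inputs to the transfer. If the edit is meant to cure an overfull hbox, `\allowbreak` after the record tuple or shortening the inline math is safer than changing the preposition. Also, the user is `he` at the end of the hunk (`Otherwise, he`) while parties are `it` elsewhere in the file (`$\mathsf{R}_\mathsf{T}$ halts and outputs $\perp$`).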
@ -1020,7 +1019,7 @@ $t$-bit messages $\{M_i\}_{i=1}^N$ satisfying~\eqref{PK-gen-ac}-\eqref{init-db-a
|
|||||||
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
|
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
|
||||||
\qquad
|
\qquad
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
which is sent to $\mathsf{DB}$ as a re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated
|
which is sent to $\mathsf{DB}$ as a re-randomization of $(\mathbf{a}_{\rho},\mathbf{b}_{\rho} + \mu \cdot \lfloor q/2 \rfloor )$. Then, $\USR$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of some $(\mathbf{a}_{\rho},\mathbf{b}_{\rho})$ associated
|
||||||
with a policy $\BPR_\rho$ for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR_\rho (\mathbf{x})=1$.
|
with a policy $\BPR_\rho$ for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$ such that $\BPR_\rho (\mathbf{x})=1$.
|
||||||
%To this end, $\USR$ uses the technique of Section \ref{ineff-method}.
|
%To this end, $\USR$ uses the technique of Section \ref{ineff-method}.
|
||||||
In addition, $\USR$
|
In addition, $\USR$
|
||||||
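Review bot: `$\crt_{\USR,x}$` in `for which $\USR$ has a credential $\crt_{\USR,x}$ for some $\mathbf{x} \in \{0,1\}^\kappa$` uses a non-bold subscript while the same credential is written `$\crt_{\USR,\mathbf{x}}$` in the \textsf{Transfer} preamble of the previous hunk; make the subscript `\mathbf{x}` so the two visibly denote the same object. The `\textsf{WI}` change itself is fine but is another hand-typed copy of the same replacement, which a macro would avoid.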
@ -1061,40 +1060,42 @@ satisfying the relations (modulo $q$)
|
|||||||
%\begin{eqnarray} \label{statement-rand-deux-ac}
|
%\begin{eqnarray} \label{statement-rand-deux-ac}
|
||||||
%\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u},
|
%\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u},
|
||||||
%\end{eqnarray}
|
%\end{eqnarray}
|
||||||
\begin{eqnarray}\label{statement-rand-trois-ac}
|
{\footnotesize
|
||||||
\begin{cases}
|
\begin{eqnarray}\label{statement-rand-trois-ac}
|
||||||
\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
|
\begin{cases}
|
||||||
\left[ \begin{array}{c|c|c|c}
|
\mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} +
|
||||||
~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
|
\left[ \begin{array}{c|c|c|c}
|
||||||
~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
|
~ \mathbf{F} ~& ~ &~ & ~ \\ \hline \rule{0pt}{2.6ex}
|
||||||
& & & - \mathbf{A}_{\mathrm{HBP}}
|
~\mathbf{P}^T ~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~ & ~ \\ \hline
|
||||||
\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
|
& & & - \mathbf{A}_{\mathrm{HBP}}
|
||||||
\mathbf{z}_{\BPR,\rho}
|
\end{array} \right] \cdot \begin{bmatrix} \mathbf{e} \\ \hline \mu \\ \hline \nu \\ \hline
|
||||||
\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip
|
\mathbf{z}_{\BPR,\rho}
|
||||||
\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)}} \\[2.5pt]
|
\end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \\ \hline \mathbf{0}^n \end{bmatrix} \\ \qquad \quad \smallskip
|
||||||
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]
|
\text{{\scriptsize // (recall that $(\mathbf{a}_\rho^T | \mathbf{b}_{\rho}^T | \mathbf{h}_{\BPR,\rho}^T )^T = \mathbf{H}_{2n+t,q-1} \cdot \mathfrak{m} $)}} \\[2.5pt]
|
||||||
\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +
|
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \\[2.5pt]
|
||||||
\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2}) - \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]
|
\mathbf{A}_{I}\cdot \mathbf{v}_{\mathsf{U},1} + \mathbf{A}_{I,0}\cdot \mathbf{v}_{\mathsf{U},2} +
|
||||||
\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}} - \mathbf{H}_{n,q-1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]
|
\sum_{j=1}^{\ell_I}\mathbf{A}_{I, j}\cdot (\tau_{\mathsf{U}}[j]\cdot \mathbf{v}_{\mathsf{U},2}) - \mathbf{D}_I\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{u}_I \\[2.5pt]
|
||||||
\left[
|
\mathbf{D}_{I,0}\cdot \mathbf{r}_{\mathsf{U}} + \mathbf{D}_{I,1}\cdot \mathfrak{m}_{\mathsf{U}, \mathbf{x}} - \mathbf{H}_{n,q-1}\cdot \widehat{\mathfrak{m}}_{\mathsf{U}, \mathbf{x}} = \mathbf{0} \\[2.5pt]
|
||||||
\begin{array}{c|c}
|
\left[
|
||||||
\mathbf{H}_{n,q-1} & \mathbf{0} \\
|
\begin{array}{c|c}
|
||||||
\hline \rule{0pt}{2.6ex}
|
\mathbf{H}_{n,q-1} & \mathbf{0} \\
|
||||||
\mathbf{0} & \mathbf{I}_\kappa \\
|
\hline \rule{0pt}{2.6ex}
|
||||||
\end{array}
|
\mathbf{0} & \mathbf{I}_\kappa \\
|
||||||
\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[
|
\end{array}
|
||||||
\begin{array}{c}
|
\right]\cdot {\mathfrak{m}}_{\USR,\mathbf{x}} + \left[
|
||||||
-\bar{\mathbf{A}} \\
|
\begin{array}{c}
|
||||||
\mathbf{0} \\
|
-\bar{\mathbf{A}} \\
|
||||||
\end{array}
|
\mathbf{0} \\
|
||||||
\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[
|
\end{array}
|
||||||
\begin{array}{c}
|
\right]\cdot \mathbf{e}_{\mathsf{U}} + \left[
|
||||||
\mathbf{0} \\
|
\begin{array}{c}
|
||||||
-\mathbf{I}_\kappa \\
|
\mathbf{0} \\
|
||||||
\end{array}
|
-\mathbf{I}_\kappa \\
|
||||||
\right]\cdot \mathbf{x} = \mathbf{0}
|
\end{array}
|
||||||
\end{cases}
|
\right]\cdot \mathbf{x} = \mathbf{0}
|
||||||
\end{eqnarray}
|
\end{cases}
|
||||||
|
\end{eqnarray}
|
||||||
|
}
|
||||||
and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes $\BPR_\rho$ such that $\BPR_\rho (\mathbf{x})=1$.
|
and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes $\BPR_\rho$ such that $\BPR_\rho (\mathbf{x})=1$.
|
||||||
This is done by running the argument system described in Section~\ref{subsection:ZK-Protocol4-BP}.
|
This is done by running the argument system described in Section~\ref{subsection:ZK-Protocol4-BP}.
|
||||||
|
|
||||||
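Review bot: the blank line between `\end{eqnarray}` and the closing `}` of the new `{\footnotesize` group ends the paragraph inside the group, so the continuation `and such that $\mathbf{z}_{\BPR,\rho} \in [0,4]^\zeta$ encodes ...` will start as an indented new paragraph instead of continuing the sentence `satisfying the relations (modulo $q$)` that introduces the display. Either remove the blank line and close the group directly after `\end{eqnarray}` (as the `{\small` hunk later in this commit does), or put `\noindent` before `and such that`. Also check the rendered size of `\text{{\scriptsize // (recall that ...)}}`: `\scriptsize` inside `\footnotesize` is now two steps below the body size, which may be too small to read.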
@ -1478,33 +1479,34 @@ Let $n, m , m_d, q, t, \ell, B$ be the parameters defined in Section~\ref{OT-sch
|
|||||||
$\mathbf{c}_0 \in \mathbb{Z}_q^n, \hspace*{2.5pt}\mathbf{c}_1 \in \mathbb{Z}_q^t, \hspace*{2.5pt}\mathbf{u} \in \mathbb{Z}_q^n$. \smallskip
|
$\mathbf{c}_0 \in \mathbb{Z}_q^n, \hspace*{2.5pt}\mathbf{c}_1 \in \mathbb{Z}_q^t, \hspace*{2.5pt}\mathbf{u} \in \mathbb{Z}_q^n$. \smallskip
|
||||||
\item[Prover's goal] is to prove knowledge of $\mathfrak{m} \in \{0,1\}^{m_d}$, $\mu \in \{0,1\}^t$, $\mathbf{e} \in \{-1,0,1\}^t$, $\nu \in [-B,B]^t$, $\tau = (\tau[1], \ldots, \tau[\ell])^T \in \{0,1\}^\ell$, $\mathbf{v}_1, \mathbf{v}_2 \in [-\beta, \beta]^m$ such that the following equations hold:
|
\item[Prover's goal] is to prove knowledge of $\mathfrak{m} \in \{0,1\}^{m_d}$, $\mu \in \{0,1\}^t$, $\mathbf{e} \in \{-1,0,1\}^t$, $\nu \in [-B,B]^t$, $\tau = (\tau[1], \ldots, \tau[\ell])^T \in \{0,1\}^\ell$, $\mathbf{v}_1, \mathbf{v}_2 \in [-\beta, \beta]^m$ such that the following equations hold:
|
||||||
\end{description}
|
\end{description}
|
||||||
|
{\small
|
||||||
\begin{eqnarray}\label{eq:protocol-3-original}
|
\begin{eqnarray}\label{eq:protocol-3-original}
|
||||||
\begin{cases}
|
\begin{cases}
|
||||||
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \bmod q; \\
|
\mathbf{A}\cdot \mathbf{v}_1 + \mathbf{A}_0 \cdot \mathbf{v}_2 + \sum_{j=1}^\ell \mathbf{A}_j \cdot (\tau[j]\cdot \mathbf{v}_2) - \mathbf{D}\cdot \mathfrak{m} = \mathbf{u} \bmod q; \\
|
||||||
\mathbf{H}_{n+t, q-1}\hspace*{-2pt}\cdot \hspace*{-2pt}\mathfrak{m} + \left(
|
\mathbf{H}_{n+t, q-1}\hspace*{-2pt}\cdot \hspace*{-2pt}\mathfrak{m} + \left(
|
||||||
\begin{array}{c}
|
\begin{array}{c}
|
||||||
\mathbf{F} \\
|
\mathbf{F} \\
|
||||||
\mathbf{P}^T \\
|
\mathbf{P}^T \\
|
||||||
\end{array}
|
\end{array}
|
||||||
\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{e} + \left(
|
\right)\hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{e} + \left(
|
||||||
\begin{array}{c}
|
\begin{array}{c}
|
||||||
\mathbf{0}^{n \times t} \\
|
\mathbf{0}^{n \times t} \\
|
||||||
\lfloor \frac{q}{2}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{I}_t\\
|
\lfloor \frac{q}{2}\rfloor \hspace*{-2pt}\cdot\hspace*{-2pt} \mathbf{I}_t\\
|
||||||
\end{array}
|
\end{array}
|
||||||
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \mu + \left(
|
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \mu + \left(
|
||||||
\begin{array}{c}
|
\begin{array}{c}
|
||||||
\mathbf{0}^{n \times t} \\
|
\mathbf{0}^{n \times t} \\
|
||||||
\mathbf{I}_t \\
|
\mathbf{I}_t \\
|
||||||
\end{array}
|
\end{array}
|
||||||
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \nu = \left(
|
\right) \hspace*{-2pt}\cdot\hspace*{-2pt} \nu = \left(
|
||||||
\begin{array}{c}
|
\begin{array}{c}
|
||||||
\mathbf{c}_0 \\
|
\mathbf{c}_0 \\
|
||||||
\mathbf{c}_1 \\
|
\mathbf{c}_1 \\
|
||||||
\end{array}
|
\end{array}
|
||||||
\right) \bmod q. ~~~~~
|
\right) \bmod q. ~~~~~
|
||||||
\end{cases}
|
\end{cases}
|
||||||
\end{eqnarray}
|
\end{eqnarray}}
|
||||||
For this purpose, we perform the following transformations on the witnesses. \smallskip \smallskip
|
For this purpose, we perform the following transformations on the witnesses. \medskip
|
||||||
|
|
||||||
|
|
||||||
\noindent
|
\noindent
|
||||||
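Review bot: `$\mathbf{e} \in \{-1,0,1\}^t$` in the `Prover's goal` item does not match the second relation of \eqref{eq:protocol-3-original}, where $\mathbf{e}$ is multiplied by the stacked block $(\mathbf{F}; \mathbf{P}^T)$ with $\mathbf{F} \in \Zq^{n \times m}$, so the witness must lie in $\{-1,0,1\}^m$; the same `^t` appears in the receiver-side sentences elsewhere in this diff and should be fixed together. The `{\small ... \end{eqnarray}}` wrapping and `\medskip` in place of `\smallskip \smallskip` are fine. One nit: `\right) \bmod q. ~~~~~` keeps five hard tildes inside the display to push the equation number, which becomes fragile once the font size changes; `\qquad` is more predictable.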
@ -2089,7 +2091,7 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}
|
|||||||
\qquad
|
\qquad
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The resulting ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
|
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The resulting ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
|
||||||
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.
|
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive \textsf{WI} argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.
|
||||||
To this end, $\mathsf{R}_\mathsf{T}$ argues knowledge of short vectors $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_i| \mathbf{b}_i) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
|
To this end, $\mathsf{R}_\mathsf{T}$ argues knowledge of short vectors $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_i| \mathbf{b}_i) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
|
||||||
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ such that
|
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ such that
|
||||||
\begin{eqnarray} \label{statement-rand-un-app}
|
\begin{eqnarray} \label{statement-rand-un-app}
|
||||||
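Review bot: `$\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_i| \mathbf{b}_i)$` in `argues knowledge of short vectors` has subscript $n+1$, whereas the same decomposition is `$\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1)$` in the receiver-security hunks of this commit and the matrix in \eqref{eq:protocol-3-original} is `$\mathbf{H}_{n+t, q-1}$`; with $\mathbf{a}_i \in \Zq^n$ and $\mathbf{b}_i \in \Zq^t$ the decomposed vector has dimension $n+t$, so $n+1$ looks like a typo that survived the WI retypesetting. The index on the pair is also worth a look: the previous sentence speaks of a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$, so `\mathsf{vdec}(\mathbf{a}_{\rho_i}|\mathbf{b}_{\rho_i})` would match.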
@ -2105,7 +2107,7 @@ and
|
|||||||
\vdots \\ \hline \rule{0pt}{2.5ex} \tau[\ell] \cdot \mathbf{v}_2 \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \mathfrak{m} ~\bmod q
|
\vdots \\ \hline \rule{0pt}{2.5ex} \tau[\ell] \cdot \mathbf{v}_2 \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \mathfrak{m} ~\bmod q
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
|
|
||||||
\item[2.] If the WI argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
|
\item[2.] If the \textsf{WI} argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
|
||||||
obtain $$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$
|
obtain $$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$
|
||||||
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
|
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
|
||||||
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1|\ldots | \mathbf{e}_t] \in \chi^{m \times t}$ satisfying (modulo $q$)
|
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1|\ldots | \mathbf{e}_t] \in \chi^{m \times t}$ satisfying (modulo $q$)
|
||||||
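Review bot: `NIZK argument $\pi_T$` stays in plain roman while `\textsf{WI}` two lines earlier is now sans-serif; if abbreviations of proof-system properties are being moved to `\textsf`, NIZK (and ZK) should follow, otherwise the change is better reverted for consistency. While here, the decryption display `$$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$` uses `$$ ... $$`, which in LaTeX should be `\[ ... \]` (the TeX primitive ignores the `fleqn` option and spacing adjustments of the LaTeX display environments).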
@ -2114,16 +2116,17 @@ of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1|\ldot
|
|||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^T \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1| \ldots | \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge
|
Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^T \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1| \ldots | \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge
|
||||||
of $\mathbf{s}_j \in \chi^n$, $\mathbf{y}[j] \in \ZZ$ such that $|\mathbf{y}[j] | < q/4$ and $\mathbf{e}_j \in \chi^m$, such that
|
of $\mathbf{s}_j \in \chi^n$, $\mathbf{y}[j] \in \ZZ$ such that $|\mathbf{y}[j] | < q/4$ and $\mathbf{e}_j \in \chi^m$, such that
|
||||||
\begin{eqnarray} \label{sender-proof-two-app}
|
\begin{align} \label{sender-proof-two-app}
|
||||||
\left[ \begin{array}{c|c|c}
|
\left[ \begin{array}{c|c|c}
|
||||||
~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline
|
~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline
|
||||||
\rule{0pt}{2.5ex} \mathbf{c}_0^T ~ & & 1
|
\rule{0pt}{2.5ex} \mathbf{c}_0^T ~ & & 1
|
||||||
\end{array} \right]
|
\end{array} \right]
|
||||||
\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} = \begin{pmatrix}
|
\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} &=
|
||||||
|
\begin{pmatrix}
|
||||||
\mathbf{p}_j \\ \hline
|
\mathbf{p}_j \\ \hline
|
||||||
\rule{0pt}{2.5ex} \mathbf{c}_1[j] - M'[j] \cdot \lfloor q/2 \rfloor
|
\rule{0pt}{2.5ex} \mathbf{c}_1[j] - M'[j] \cdot \lfloor q/2 \rfloor
|
||||||
\end{pmatrix} \qquad~ \forall j \in [t], \qquad
|
\end{pmatrix} & \forall j \in [t],
|
||||||
\end{eqnarray}
|
\end{align}
|
||||||
where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^T $ and $M' = (M'[1],\ldots,M'[t])^T$. Let the NIZK argument be $\pi_T=(
|
where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^T $ and $M' = (M'[1],\ldots,M'[t])^T$. Let the NIZK argument be $\pi_T=(
|
||||||
\{\mathsf{Comm}_{T,j}\}_{j=1}^\varsigma,\mathsf{Chall}_T,\{\mathsf{Resp}_{T,j}\}_{j=1}^\varsigma)$,
|
\{\mathsf{Comm}_{T,j}\}_{j=1}^\varsigma,\mathsf{Chall}_T,\{\mathsf{Resp}_{T,j}\}_{j=1}^\varsigma)$,
|
||||||
where $\mathsf{Chall}_T = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{c}_0, \mathbf{c}_{1}),
|
where $\mathsf{Chall}_T = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{c}_0, \mathbf{c}_{1}),
|
||||||
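Review bot: the norm bound on $\mathbf{y}$ is `$\| \mathbf{y} \|_{\infty} \leq q/5$` in the preceding hunk but the per-coordinate statement here is `$|\mathbf{y}[j] | < q/4$`; if the two bounds are deliberately different (the honest sender's bound versus what the argument proves), a sentence should say so, otherwise one of them is a typo. On the `eqnarray` to `align` switch: replacing `\qquad~ \forall j \in [t], \qquad` with `& \forall j \in [t],` adds a third `&`, which in `align` opens a second column pair and right-aligns the quantifier with no guaranteed gap after `\end{pmatrix}`; `\qquad \forall j \in [t],` without the `&`, or `alignat{2}` with explicit spacing, gives the intended layout. The `&=` split across lines is correct.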
@ -2217,12 +2220,12 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
|
|||||||
\begin{eqnarray*}
|
\begin{eqnarray*}
|
||||||
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
|
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
|
||||||
\end{eqnarray*}
|
\end{eqnarray*}
|
||||||
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that
|
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive \textsf{WI} argument that
|
||||||
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
|
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
|
||||||
It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
|
It thus generates a \textsf{WI} argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
|
||||||
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}.
|
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}.
|
||||||
%(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
|
%(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
|
||||||
By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.
|
By the statistically \textsf{WI} of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.
|
||||||
We have $ | \Pr[W_4] -\Pr[W_3] | \in \mathsf{negl}(\lambda). $ \smallskip
|
We have $ | \Pr[W_4] -\Pr[W_3] | \in \mathsf{negl}(\lambda). $ \smallskip
|
||||||
\end{description}
|
\end{description}
|
||||||
In $\textsf{Exp}_4$, we define the ideal-world cheating sender $\hat{\mathsf{S}}'$ in the following way. It programs the random oracle $H_F : \{0,1\}^\ast
|
In $\textsf{Exp}_4$, we define the ideal-world cheating sender $\hat{\mathsf{S}}'$ in the following way. It programs the random oracle $H_F : \{0,1\}^\ast
|
||||||
|
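Review bot: `We have $ | \Pr[W_4] -\Pr[W_3] | \in \mathsf{negl}(\lambda). $` uses `\in` while the analogous line earlier in this file reads `$ | \Pr[W_2] -\Pr[W_1] | \leq \mathsf{negl}(\lambda). $`; pick one convention. As in the earlier receiver-security hunk, `By the statistically \textsf{WI} of the interactive argument system` should be `By the statistical \textsf{WI}`, and `$\mathbf{e} \in \{-1,0,1\}^t$` should be `^m` to match $\mathbf{F} \cdot \mathbf{e}$ with $\mathbf{F} \in \Zq^{n \times m}$ in the displayed ciphertext.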
@ -5,18 +5,18 @@
|
|||||||
In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
|
In this thesis, we presented new cryptographic schemes that rely on lattice or pairing assumptions.
|
||||||
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.
|
These contributions focus on the design and analysis of new cryptographic schemes that target privacy-preserving applications.
|
||||||
|
|
||||||
In pairing-based cryptography, we propose a practical dynamic group signature scheme, for which security is well understood.
|
In pairing-based cryptography, we proposed a practical dynamic group signature scheme, for which security is well-understood.
|
||||||
It relies on broadly used assumptions with simple statements which exist for more than ten years.
|
It relies on broadly used assumptions with simple and constant-size descriptions which exist for more than ten years.
|
||||||
This work is also supported by an implementation in \texttt{C}.
|
This work is also supported by an implementation in \texttt{C}.
|
||||||
|
|
||||||
Our work in the lattice setting gives rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
|
The results in the lattice setting give rise to three fundamental schemes that were missing in the landscape of lattice-based privacy-preserving cryptography.
|
||||||
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that it's one step toward a quantum-secure privacy-friendly world.
|
Even if these schemes suffer from some efficiency issues due to their novelty, we do believe that they are one step towards a quantum-secure privacy-friendly world.
|
||||||
|
|
||||||
In the way of doing it, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting as well as providing building blocks that, we believe, are of independent interest.
|
On the road, improvements have been made in the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks that, we believe, are of independent interest.
|
||||||
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.
|
As of our signature with efficient protocols, it has already been used to design a lattice-based e-cash system~\cite{LLNW17}.
|
||||||
|
|
||||||
All these works are proven under strong security model within simple assumptions.
|
All these works are proven under strong security models under simple assumptions.
|
||||||
This made a breeding ground for new theoretical constructions, as well as going toward practicality.
|
This provides a breeding ground for new theoretical constructions.
|
||||||
|
|
||||||
\section*{Open Problems}
|
\section*{Open Problems}
|
||||||
|
|
||||||
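Review bot: `for which security is well-understood` introduces a hyphen in predicative position; after `is` it is `well understood` (the old line was right). `which exist for more than ten years` needs the present perfect for a duration continuing to now: `which have existed for more than ten years`. `On the road, improvements have been made` is not an English idiom; `Along the way, we improved the state of the art of zero-knowledge proofs in the lattice setting by providing building blocks ...` keeps the meaning and drops the passive. `As of our signature with efficient protocols` should be `As for our signature ...`. The change to `strong security models under simple assumptions` is an improvement.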
@ -24,12 +24,12 @@ The path of providing new cryptographic primitives and proving them is dissemina
|
|||||||
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.
|
The most obvious questions that stem from this work are about how to tackle the trade-offs we made in the design of those primitives.
|
||||||
|
|
||||||
\begin{question}
|
\begin{question}
|
||||||
Is it possible to build an adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
|
Is it possible to build a fully-simulatable adaptive oblivious transfer with access control secure under $\LWE$ with polynomially large modulus?
|
||||||
\end{question}
|
\end{question}
|
||||||
|
|
||||||
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the oblivious transfer scheme of~\cref{ch:ot-lwe}.
|
In other words, is it possible to avoid the use of smudging to guarantee message-privacy in the adaptive oblivious transfer scheme of~\cref{ch:ot-lwe}.
|
||||||
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this message privacy.
|
As is, this issue arises from the use of Regev's encryption scheme, which does not guarantee this index privacy.
|
||||||
However, finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}.
|
However, while finer analysis on GSW ciphertexts~\cite{GSW13} seems promising to achieve this at reasonable cost~\cite{BDPMW16}, they do not suffice in our setting because they wold leak the norm of the noise vector of ciphertexts.
|
||||||
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.
|
Then, the main difficulty is to have zero-knowledge proofs compatible with the access control and the encryption layers.
|
||||||
|
|
||||||
\subsection*{Zero-Knowledge Proofs}
|
\subsection*{Zero-Knowledge Proofs}
|
||||||
@ -39,10 +39,11 @@ Then, the main difficulty is to have zero-knowledge proofs compatible with the a
|
|||||||
\end{question}
|
\end{question}
|
||||||
|
|
||||||
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
|
Extending the work of Groth, Ostrovsky and Sahai~\cite{GOS06} in the lattice setting would be a great improvement for lattice-based privacy-preserving cryptography.
|
||||||
Recent line of work goes toward this direction~\cite{RSS18}, but relies on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
|
This question remains open for more than $10$ years~\cite{KW18}.
|
||||||
|
Recent line of work makes steps forward in this direction~\cite{RSS18}, but rely on primitives that do not exist yet ($\NIZK$ proofs for a variant of the bounded decoding distance problem).
|
||||||
|
|
||||||
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
|
The Stern-like proof system we work on in during this thesis, despite being flexible enough to prove a large variety of statements, suffers from the stiffness of being combinatorial.
|
||||||
The choice of permutations used to ensure zero-knowledgeness (and so witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
|
The choice of permutations used to ensure zero-knowledgeness (and thus witness-indistinguishability) is quite strict, and force the challenge space to be ternary.
|
||||||
This proves to be a real bottleneck in the efficiency of such proof systems.
|
This proves to be a real bottleneck in the efficiency of such proof systems.
|
||||||
|
|
||||||
\begin{question}
|
\begin{question}
|
||||||
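Review bot: agreement errors in the new and reworded lines: `Recent line of work makes steps forward ... but rely on` mixes singular and plural, use `A recent line of work makes steps forward ... but relies on`; `The choice of permutations ... is quite strict, and force` should read `forces`; `we work on in during this thesis` has a stray `in`. The added `This question remains open for more than $10$ years` would read better as `has remained open for more than $10$ years`.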
@ -53,7 +54,7 @@ As explained in~\cref{ch:zka}, nowadays lattice-based proof systems for $\SIS$/$
|
|||||||
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
|
If the natural structure of a lattice is a group, additive noise or witness-length restrictions forbid the use of standard group-based cryptography to undertake this problem.
|
||||||
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
|
However, lattices naturally carry a strong geometrical structure, as exploited in~\cite{MV03,PV08} to construct (interactive and non-interactive) zero-knowledge proofs for some worst-case lattice problems.
|
||||||
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
|
It may be an interesting question to see if the restricted geometry of average-case lattice problems can be exploited to provide such proofs.
|
||||||
If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
|
%If these proof systems can be used after applying a transformation from average-case to worst-case problem, this methodology is highly inefficient and does not close the question.
|
||||||
|
|
||||||
As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
|
As we explained in the introduction, advanced cryptography from lattices often suffers from the use of lattice trapdoors.
|
||||||
Thus, a natural question may be:
|
Thus, a natural question may be:
|
||||||
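Review bot: `If the natural structure of a lattice is a group, ...` reads as a conditional where a concession is meant; `While the natural structure of a lattice is a group, additive noise ...` says what is intended. The sentence disabled with a leading `%` is dead text in the source: either delete it or fix and keep it. (A bare `%` line inside the paragraph does not change the output; the following blank line still ends the paragraph as before.)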
@ -61,12 +62,12 @@ Thus, a natural question may be:
|
|||||||
\subsection*{Cryptographic Constructions}
|
\subsection*{Cryptographic Constructions}
|
||||||
|
|
||||||
\begin{question}
|
\begin{question}
|
||||||
Does a trapdoor-free (H)IBE exists?
|
Does an efficient trapdoor-free (H)IBE exists?
|
||||||
\end{question}
|
\end{question}
|
||||||
|
|
||||||
For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
|
For instance, in the group encryption scheme of~\cref{ch:ge-lwe}, trapdoors are used in two places.
|
||||||
To have a secure public key encryption scheme under adaptive active attacks and for the signature scheme.
|
To have a secure public key encryption scheme under adaptive chosen-ciphertext attacks and for the signature scheme.
|
||||||
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transformations generically transform an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
|
Both these primitives are induced by identity-based encryption: the Canetti-Halevi-Katz transform generically turns an IBE into a \textsf{IND-CCA2} \PKE~\cite{CHK04}, and signatures are directly implied from \textsf{IND-CPA-}secure IBE~\cite{BF01,BLS01}.
|
||||||
Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
|
Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public key encryption scheme still remains an open question.
|
||||||
|
|
||||||
\begin{question}
|
\begin{question}
|
||||||
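Review bot: `Does an efficient trapdoor-free (H)IBE exists?` should be `exist`; `a \textsf{IND-CCA2} \PKE` needs `an`; and `\textsf{IND-CPA-}secure` puts the hyphen inside the sans-serif font, `\textsf{IND-CPA}-secure` is the usual form. The pair `trapdoors are used in two places. To have a secure public key encryption scheme ... and for the signature scheme.` leaves the second sentence as a fragment; a colon after `two places` fixes it.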
@ -75,6 +76,6 @@ Actually, even the question of having a trapdoorless \textsf{IND-CCA2} public ke
|
|||||||
|
|
||||||
Our work during this thesis also focuses on the security proofs of cryptographic schemes.
|
Our work during this thesis also focuses on the security proofs of cryptographic schemes.
|
||||||
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
|
As explained in~\cref{ch:proofs}, it is important to rely on simple assumptions to prove strong security notions.
|
||||||
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claim before~\cite{DSYC18}.
|
Given recent advances in cryptographic proofs~\cite{Hof16,KMP16,Hof17}, it is now possible to attain stronger security notions than what was claimed before~\cite{DSYC18}.
|
||||||
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17}.
|
Another line of work targets the quality of the reduction, aiming for \textit{tight security}~\cite{GHKW16,AHN+17,LJYP14,LPJY15,LSSS17}.
|
||||||
This improves the understanding of the links between cryptographic schemes and security assumptions, leading to more reliable constructions.
|
This improves the understanding of the links between cryptographic schemes and hardness assumptions, leading to more reliable constructions.
|
||||||
|
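Review bot: the extended citation list `GHKW16,AHN+17,LJYP14,LPJY15,LSSS17` cites `LPJY15`, but the bibliography hunk in this commit only adds `KW18`, `LSSS17`, `LJYP14` and `PS18`; check that `LPJY15` already exists in these.bib, otherwise this compiles to an undefined citation. The `claim` → `claimed` and `security assumptions` → `hardness assumptions` changes are fine.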
@ -55,7 +55,7 @@ In the context of this thesis, the developed cryptographic schemes rely on latti
|
|||||||
Lattice-based cryptography is used to step towards post-quantum cryptography, while the latter proves useful in the design of practical schemes.
|
Lattice-based cryptography is used to step towards post-quantum cryptography, while the latter proves useful in the design of practical schemes.
|
||||||
The details of these two structures are given in~\cref{ch:structures}.
|
The details of these two structures are given in~\cref{ch:structures}.
|
||||||
|
|
||||||
\subsection{Zero-knowledge Proofs}
|
\subsection{Zero-Knowledge Proofs}
|
||||||
|
|
||||||
As explained before, zero-knowledge proofs are a basic building block for privacy-preserving cryptography.
|
As explained before, zero-knowledge proofs are a basic building block for privacy-preserving cryptography.
|
||||||
They requires completeness, soundness and zero-knowledge properties.
|
They requires completeness, soundness and zero-knowledge properties.
|
||||||
|
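Review bot: `They requires completeness, soundness and zero-knowledge properties.` is left with a subject-verb error; `They require the completeness, soundness and zero-knowledge properties.` or `They must satisfy completeness, soundness and zero-knowledge.` The heading capitalization `Zero-Knowledge Proofs` now matches the `\subsection*{Zero-Knowledge Proofs}` used in the conclusion.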
@ -179,9 +179,12 @@ For instance, there is no security proofs for the El Gamal encryption scheme fro
|
|||||||
Another criterion to evaluate the security of an assumption is to look if the assumption is ``simple to state'' or not.
|
Another criterion to evaluate the security of an assumption is to look if the assumption is ``simple to state'' or not.
|
||||||
This observation is buttressed by the statement of~\cite[p.25]{KL07}:~``\ldots\textit{there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute.}''.
|
This observation is buttressed by the statement of~\cite[p.25]{KL07}:~``\ldots\textit{there is a general preference for assumptions that are simpler to state, since such assumptions are easier to study and to refute.}''.
|
||||||
|
|
||||||
It is harder to evaluate the security of an assumption as $q$-Strong Diffie-Hellman, which is a variant of $\DDH$ where the adversary is given the tuple $(g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{})$ and has to devise $g^{a^{q+1}}$.
|
Indeed, it is complicated to evaluate the security of an assumption as $q$-Strong Diffie-Hellman assumptions defined as follows.
|
||||||
|
\begin{definition}[$q$-Strong Diffie-Hellman assumption~\cite{BB04,BBS04}]
|
||||||
|
In a cyclic group $\GG$, the $q$\textit{-Strong Diffie-Hellman} ($\qSDH$) problem is, given $g, g^a_{}, g^{a^2}_{}, \ldots, g^{a^q}_{}$, compute the element $g^{a^{q+1}}$.
|
||||||
|
\end{definition}
|
||||||
The security of this assumption inherently depends on the parameter $q$ of the assumption.
|
The security of this assumption inherently depends on the parameter $q$ of the assumption.
|
||||||
Cheon also proved that for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.
|
Cheon additionally showed that, for large values of $q$, this assumption is no more trustworthy~\cite{Che06}.
|
||||||
These parameterized assumptions are called \emph{$q$-type assumptions}.
|
These parameterized assumptions are called \emph{$q$-type assumptions}.
|
||||||
There also exist other kinds of non-static assumptions, such as interactive assumptions.
|
There also exist other kinds of non-static assumptions, such as interactive assumptions.
|
||||||
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
|
An example can be the ``\emph{$1$-more-\textsf{DL}}'' assumption.
|
||||||
|
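Review bot: the new definition does not state the $q$-SDH problem of \cite{BB04}: there, given $(g, g^a, \ldots, g^{a^q})$, the adversary must output a pair $(c, g^{1/(a+c)})$ for a $c$ of its choice; computing $g^{a^{q+1}}$ from the same input is the $q$-Diffie-Hellman exponent problem. Either rename the definition or change the target so that it matches the cited papers (Cheon's attack \cite{Che06} applies to both, so the following sentence stays valid). Also, `an assumption as $q$-Strong Diffie-Hellman assumptions defined as follows` should read `such as the $q$-Strong Diffie-Hellman assumption, defined as follows`, and in the definition `compute the element` should be `is to compute the element`.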
@ -2,8 +2,8 @@
|
|||||||
% \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
|
% \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
|
||||||
% \label{ch:sigmasig}
|
% \label{ch:sigmasig}
|
||||||
%-------------------------------------------------
|
%-------------------------------------------------
|
||||||
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an \textit{efficient} construction~\cite{BR93}.
|
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} to the random oracle model~\cite{BR93} in order to get an \textit{efficient} construction.
|
||||||
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with two companion protocols: a protocol whereby a signer can obliviously sign a committed message known only to the user and a zero-knowledge proof to efficiently attest possession of a hidden message-signature pair.
|
In the Camenish and Lysyanskaya terminology, signatures with efficient protocols~\cite{CL04a} are digital signatures which come with two companion protocols: a protocol whereby a signer can obliviously sign a committed message known only to the user and a zero-knowledge proof to efficiently attest possession of a hidden message-signature pair.
|
||||||
|
|
||||||
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
|
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
|
||||||
In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
|
In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
|
||||||
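Review bot: `Camenish` is misspelled in the reworded sentence (`In the Camenish and Lysyanskaya terminology`); it is `Camenisch`, as spelled later in this chapter (`Camenisch and Lysyanskaya proposed a signature scheme`). Moving `\cite{BR93}` next to `random oracle model` is the right place for it.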
@ -12,16 +12,16 @@ Later on, users can make themselves known to verifiers under a different pseudon
|
|||||||
In this context, signature with efficient protocols can typically be used as follows:
|
In this context, signature with efficient protocols can typically be used as follows:
|
||||||
the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret message-signature pair.
|
the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret message-signature pair.
|
||||||
|
|
||||||
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
|
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the reliability of the assumptions it relies on.
|
||||||
Before the works described in this chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
|
Before the works described in this chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, BBS04, Oka06}.
|
||||||
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
|
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
|
||||||
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
|
Pointcheval and Sanders~\cite{PS18} improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
|
||||||
|
|
||||||
We note that beside the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
|
We note that besides the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) A variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
|
||||||
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
|
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime-order groups: for equivalent security levels, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
|
||||||
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
|
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} that unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
|
||||||
|
|
||||||
In this chapter, we describe a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
|
In this chapter, we describe a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well-studied assumption.
|
||||||
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
|
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
|
||||||
From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
|
From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
|
||||||
|
|
||||||
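Review bot: `$\mathcal{O}(n)$ group elements to encode an $\ell$-block message` uses $n$ where the message length is $\ell$; the next sentence correctly says `$\bigO(1)$ group elements for an $\ell$-block message`, so this should be $\mathcal{O}(\ell)$, and `\mathcal{O}` versus `\bigO` should be unified. Check the target of the new `\cite{PS18}`: the $\bigO(1)$-element scheme is the Pointcheval and Sanders short randomizable signatures from CT-RSA 2016, while the entry added as `PS18` is their 2018 `Reassessing Security of Randomizable Signatures` paper. Remaining typos in this hunk: `leads to less efficient representations` → `lead`, `accross` → `across`, `$4$ groups elements` → `group elements`, and ``randomizable signature''` → `randomizable signatures`.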
@ -31,7 +31,7 @@ The signature scheme described in this chapter (\cref{scal-sig}) crucially takes
|
|||||||
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
|
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
|
||||||
|
|
||||||
As another showcase for this signature, we also design another primitive.
|
As another showcase for this signature, we also design another primitive.
|
||||||
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).
|
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely, \SXDH and \SDL).
|
||||||
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
|
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
|
||||||
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
|
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
|
||||||
|
|
||||||
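Review bot: `competitive both in term of signature size and computation time` should be `in terms of`, and `at the 128-bits security` should be `at the 128-bit security level`. The inserted comma in `(namely, \SXDH and \SDL)` reads fine.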
@ -1392,7 +1392,7 @@ We stress that the proofs can be easily adapted to the case where the opening a
|
|||||||
|
|
||||||
\subsection{Comparison with Existing Schemes}
|
\subsection{Comparison with Existing Schemes}
|
||||||
|
|
||||||
\begin{table*}
|
\begin{table*}[h]
|
||||||
\small
|
\small
|
||||||
\centering
|
\centering
|
||||||
\begin{tabular}{|c|c|c|c|c|c|c|}
|
\begin{tabular}{|c|c|c|c|c|c|c|}
|
||||||
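Review bot: `\begin{table*}[h]` is closed by `\end{table}` (see `\label{ta:sigmasig-figures}` followed by `\end{table}` in the next hunk), an environment mismatch that will stop compilation; use `\begin{table}[h]` or close with `\end{table*}`. A bare `[h]` is also routinely upgraded to `[ht]` by LaTeX with a warning; `[htbp]` avoids that.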
@ -1468,13 +1468,13 @@ number $\Ngs$ of group users (like \cite{BCN+10}).
|
|||||||
\label{ta:sigmasig-figures}
|
\label{ta:sigmasig-figures}
|
||||||
\end{table}
|
\end{table}
|
||||||
|
|
||||||
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at the following address:~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
|
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at the following \textsc{URL}:~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
|
||||||
|
|
||||||
The relic toolkit provides an implementation for pairing computations, hash functions (SHA-256 in this case) and benchmarking macros.
|
The relic toolkit provides an implementation for pairing computations, hash functions (SHA-256 in this case) and benchmarking macros.
|
||||||
The benchmarking was made on a single-core of an \textit{Intel\textregistered{} Core\texttrademark{} i5-7500 CPU @ 3.40GHz} (Kaby Lake architecture) with 6MB of cache.
|
The benchmarking was made on a single-core of an \textit{Intel\textregistered{} Core\texttrademark{} i5-7500 CPU @ 3.40GHz} (Kaby Lake architecture) with 6MB of cache.
|
||||||
To implement pairings, the relic library implements the Barreto-Naehrig~\cite{BN06} curve over a 256 bits curve.
|
To implement pairings, the relic library implements the Barreto-Naehrig~\cite{BN06} curve over a 256 bits curve.
|
||||||
As explained previously, since recent advances in pairing-friendly elliptic curve cryptanalysis, there is no curve anymore that shows the best timing results in every aspect.
|
As explained previously, since recent advances in pairing-friendly elliptic curve cryptanalysis, there is no more curve that shows the best timing results in every aspect.
|
||||||
Figures are available in Table~\ref{ta:sigmasig-figures}.
|
Figures are available in Table~\ref{ta:sigmasig-figures}.
|
||||||
|
|
||||||
Unfortunately, we didn't have time to implement other protocols from~\cref{sig-comp} in order to present fair comparison.
|
%Unfortunately, we didn't have time to implement other protocols from~\cref{sig-comp} in order to present fair comparison.
|
||||||
Moreover, those schemes hardly show implementation results, and providing timing comparisons seems compromised.
|
%Moreover, those schemes hardly show implementation results, and providing timing comparisons seems compromised.
|
||||||
|
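Review bot: `there is no more curve that shows the best timing results in every aspect` reads worse than the `no curve anymore` it replaces; `there is no longer a single curve that gives the best timings in every aspect` is clearer. Elsewhere in the hunk: `implements the Barreto-Naehrig curve over a 256 bits curve` is circular, `a 256-bit Barreto-Naehrig curve` suffices; `relic toolkit` / `relic library` should match the `\textit{Relic toolkit}` capitalization used a few lines above; and the two sentences disabled with `%` are dead text, delete them if they are not coming back.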
@ -75,7 +75,7 @@ Devant le jury composé de :
|
|||||||
|
|
||||||
%\bigskip
|
%\bigskip
|
||||||
|
|
||||||
\textsc{Catalano} Dario, Professeur Associé, Università di Catania (Italie)\hfill Rapporteur
|
\textsc{Catalano} Dario, Associate Professor, Università di Catania (Italie)\hfill Rapporteur
|
||||||
|
|
||||||
\textsc{Pointcheval} David, Directeur de Recherche, CNRS et ENS \hfill Rapporteur
|
\textsc{Pointcheval} David, Directeur de Recherche, CNRS et ENS \hfill Rapporteur
|
||||||
|
|
||||||
|
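Review bot: the edited jury line now mixes languages: `Associate Professor` is English while the rest of the list is French (`Università di Catania (Italie)`, `Rapporteur`, and `Directeur de Recherche` on the next entry). If the title page is French, keep `Professeur Associé`; if the intent is to give each member's official title, then `(Italie)` and the role labels should be adjusted consistently.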
@ -52,6 +52,7 @@
|
|||||||
%% Pairings
|
%% Pairings
|
||||||
\newcommand{\DLP}{\textsf{DLP}\xspace}
|
\newcommand{\DLP}{\textsf{DLP}\xspace}
|
||||||
\newcommand{\DDH}{\textsf{DDH}\xspace}
|
\newcommand{\DDH}{\textsf{DDH}\xspace}
|
||||||
|
\newcommand{\qSDH}{\textsf{$q$-SDH}\xspace}
|
||||||
\newcommand{\SXDH}{\textsf{SXDH}\xspace}
|
\newcommand{\SXDH}{\textsf{SXDH}\xspace}
|
||||||
\newcommand{\SDL}{\textsf{SDL}\xspace}
|
\newcommand{\SDL}{\textsf{SDL}\xspace}
|
||||||
%% Lattices
|
%% Lattices
|
||||||
|
18
main.tex
18
main.tex
@ -3,7 +3,7 @@
|
|||||||
\semiisopage
|
\semiisopage
|
||||||
|
|
||||||
%% Highlight overfull hbox
|
%% Highlight overfull hbox
|
||||||
\overfullrule=1mm
|
%\overfullrule=1mm
|
||||||
%% Show labels
|
%% Show labels
|
||||||
%\usepackage{showkeys}
|
%\usepackage{showkeys}
|
||||||
|
|
||||||
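Review bot: disabling `\overfullrule=1mm` only hides the black markers; any overfull box still reported by LaTeX is not fixed by this line. Fine for the final build, but keep the rule enabled in draft builds (or check the log for `Overfull \hbox`) so the remaining ones are caught.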
@ -17,7 +17,7 @@
|
|||||||
% Customization
|
% Customization
|
||||||
\usepackage{lmodern}
|
\usepackage{lmodern}
|
||||||
\usepackage{libertine}
|
\usepackage{libertine}
|
||||||
\usepackage{inconsolata}
|
\usepackage[scaled=.87]{inconsolata}
|
||||||
\chapterstyle{madsen}
|
\chapterstyle{madsen}
|
||||||
|
|
||||||
\usepackage{subfig}
|
\usepackage{subfig}
|
||||||
@ -25,12 +25,20 @@
|
|||||||
\floatstyle{boxed}
|
\floatstyle{boxed}
|
||||||
\restylefloat{figure}
|
\restylefloat{figure}
|
||||||
|
|
||||||
|
\let\theoldbibliography\thebibliography
|
||||||
|
\renewcommand\thebibliography[1]{
|
||||||
|
\theoldbibliography{#1}
|
||||||
|
\setlength{\parskip}{0pt}
|
||||||
|
\setlength{\itemsep}{4pt plus 0.3ex}
|
||||||
|
\small
|
||||||
|
}
|
||||||
|
|
||||||
\usepackage{xcolor, graphicx}
|
\usepackage{xcolor, graphicx}
|
||||||
\usepackage{multirow}
|
\usepackage{multirow}
|
||||||
\usepackage[pagebackref]{hyperref}
|
\usepackage[pagebackref]{hyperref}
|
||||||
\renewcommand*{\backref}[1]{}
|
\renewcommand*{\backref}[1]{}
|
||||||
\renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#2}
|
\renewcommand*{\backrefalt}[4]{\small Citations: \S{}~#2}
|
||||||
\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!green, breaklinks=true}
|
\hypersetup{colorlinks=true, linkcolor=black!50!blue, urlcolor=black!50!red, citecolor=black!50!purple, breaklinks=true}
|
||||||
\hypersetup{pdftitle={Privacy-preserving cryptography from pairings and lattices},
|
\hypersetup{pdftitle={Privacy-preserving cryptography from pairings and lattices},
|
||||||
pdfauthor={Fabrice Mouhartem},
|
pdfauthor={Fabrice Mouhartem},
|
||||||
pdfsubject={Cryptography}}
|
pdfsubject={Cryptography}}
|
||||||
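Review bot: the `\thebibliography` patch only applies if the `\let` captures the final definition: `hyperref` with `pagebackref` is loaded just below it, so check in the output that the `\small` and the `4pt plus 0.3ex` item spacing actually take effect; if not, move the `\let`/`\renewcommand` after `\usepackage[pagebackref]{hyperref}` or into `\AtBeginDocument`. Setting `\itemsep` after `\theoldbibliography{#1}` is correct, since `\itemsep` is read at each `\item`. Terminate the body lines with `%` (e.g. `\renewcommand\thebibliography[1]{%`) to avoid stray space tokens.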
@ -84,14 +92,14 @@
|
|||||||
\cleardoublepage
|
\cleardoublepage
|
||||||
\vspace*{\stretch{1}}
|
\vspace*{\stretch{1}}
|
||||||
\begin{flushright}
|
\begin{flushright}
|
||||||
À \ldots
|
%À \ldots
|
||||||
\end{flushright}
|
\end{flushright}
|
||||||
\vspace*{\stretch{2}}
|
\vspace*{\stretch{2}}
|
||||||
%%%%%%%%%%%%%
|
%%%%%%%%%%%%%
|
||||||
|
|
||||||
\input abstract
|
\input abstract
|
||||||
|
|
||||||
\input acknowledgements
|
%\input acknowledgements
|
||||||
|
|
||||||
%\cleardoublepage
|
%\cleardoublepage
|
||||||
%\frenchtableofcontents
|
%\frenchtableofcontents
|
||||||
|
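Review bot: commenting out `À \ldots` leaves `\cleardoublepage`, `\vspace*{\stretch{1}}`, an empty `flushright` and `\vspace*{\stretch{2}}` in place, so a blank dedication page is still emitted (the starred `\vspace*` forces the space even on an otherwise empty page). Either disable the whole block or remove it. Same question for `%\input acknowledgements`: if it is only temporarily disabled, fine; otherwise remove the line rather than leaving it commented.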
@ -31,7 +31,7 @@
|
|||||||
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
|
$\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\
|
||||||
$\NIZK$ & Non-Interactive Zero-Knowledge \\
|
$\NIZK$ & Non-Interactive Zero-Knowledge \\
|
||||||
$\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\
|
$\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\
|
||||||
$\textsf{WI}$ & Witness indistinguishable \\
|
$\textsf{WI}$ & Witness Indistinguishable \\
|
||||||
$\textsf{GS}$ & Group Signature \\
|
$\textsf{GS}$ & Group Signature \\
|
||||||
$\GE$ & Group Encryption \\
|
$\GE$ & Group Encryption \\
|
||||||
$\OT$ & Oblivious Transfer \\
|
$\OT$ & Oblivious Transfer \\
|
||||||
|
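Review bot: the other rows expand acronyms to nouns (`Zero-Knowledge Argument of Knowledge`, `Group Signature`, `Oblivious Transfer`), so `Witness Indistinguishable` would be more consistent as `Witness Indistinguishability`. Also `$\textsf{WI}$` and `$\textsf{GS}$` are written inline while the neighbouring rows use macros (`\NIZK`, `\GE`, `\OT`); defining `\WI` and `\GS` alongside them in the macro file keeps the notation uniform.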
42
these.bib
42
these.bib
@ -192,7 +192,7 @@
|
|||||||
|
|
||||||
@InProceedings{BCKL09,
|
@InProceedings{BCKL09,
|
||||||
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
|
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
|
||||||
title = {Compact E-Cash and Simulatable VRFs Revisited},
|
title = {{Compact E-Cash and Simulatable VRFs Revisited}},
|
||||||
booktitle = {{Pairing}},
|
booktitle = {{Pairing}},
|
||||||
year = {2009},
|
year = {2009},
|
||||||
volume = {5671},
|
volume = {5671},
|
||||||
@ -3068,4 +3068,44 @@
|
|||||||
publisher = {Springer},
|
publisher = {Springer},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@InProceedings{KW18,
|
||||||
|
author = {Sam Kim and David J. Wu},
|
||||||
|
title = {{Multi-Theorem Preprocessing NIZKs from Lattices}},
|
||||||
|
booktitle = {Crypto},
|
||||||
|
year = {2018},
|
||||||
|
series = {LNCS},
|
||||||
|
pages = {To appear},
|
||||||
|
publisher = {Springen},
|
||||||
|
}
|
||||||
|
|
||||||
|
@InProceedings{LSSS17,
|
||||||
|
author = {Libert, Benoît and Sakzad, Amin and Stehlé, Damien and Steinfeld, Ron},
|
||||||
|
title = {{All-But-Many Lossy Trapdoor Functions and Selective Opening Chosen-Ciphertext Security from LWE}},
|
||||||
|
booktitle = {Crypto},
|
||||||
|
year = {2017},
|
||||||
|
series = {LNCS},
|
||||||
|
pages = {332--364},
|
||||||
|
publisher = {Springer},
|
||||||
|
}
|
||||||
|
|
||||||
|
@InProceedings{LJYP14,
|
||||||
|
author = {Libert, Benoît and Joye, Marc and Yung, Moti and Peters, Thomas},
|
||||||
|
title = {{Concise Multi-challenge CCA-Secure Encryption and Signatures with Almost Tight Security}},
|
||||||
|
booktitle = {Asiacrypt},
|
||||||
|
year = {2014},
|
||||||
|
series = {LNCS},
|
||||||
|
pages = {1--21},
|
||||||
|
publisher = {Springer},
|
||||||
|
}
|
||||||
|
|
||||||
|
@InProceedings{PS18,
|
||||||
|
author = {Pointcheval, David and Sanders, Olivier},
|
||||||
|
title = {{Reassessing Security of Randomizable Signatures}},
|
||||||
|
booktitle = {CT-RSA},
|
||||||
|
year = {2018},
|
||||||
|
series = {LNCS},
|
||||||
|
pages = {319--338},
|
||||||
|
publisher = {Springer},
|
||||||
|
}
|
||||||
|
|
||||||
@Comment{jabref-meta: databaseType:bibtex;}
|
@Comment{jabref-meta: databaseType:bibtex;}
|
||||||
|
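Review bot: `publisher = {Springen}` in the `KW18` entry is a typo for `Springer` (the other three new entries have it right). `pages = {To appear}` will print literally as a page range; `note = {To appear}` is the usual field, and the pages should be filled in once the proceedings are out. Style consistency: the new entries use single-braced `booktitle = {Crypto}` / `{Asiacrypt}` / `{CT-RSA}` where `BCKL09` uses `{{Pairing}}`, and they omit the `volume` field that `BCKL09` carries.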