fmouhart
/
thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bit->bin

This commit is contained in:
Fabrice Mouhartem 2018-06-18 14:11:43 +02:00
parent 219c22cd9d
commit 4c75b25509
1 changed files with 47 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
chap-GS-LWE.tex
View File

@ -72,7 +72,7 @@ $\mathsf{bin}(\mathbf{v}_i) $ of $\mathbf{v}_i$. The vector $\mathsf{bin}(\mathb
$(\tau,\mathbf{v},\mathbf{s}) $ as a membership certificate, the group member is able to sign a message by proving that: (i) He holds a valid signature
$(\tau,\mathbf{v},\mathbf{s})$ on some secret binary message $\mathsf{bin}(\mathbf{v}_i) $; (ii) The latter vector $\mathsf{bin}(\mathbf{v}_i) $ is the binary expansion of
some syndrome $\mathbf{v}_i$ of which he knows a GPV pre-image $\mathbf{z}_i $. We remark that condition (ii) can be proved by providing evidence that we have $
\mathbf{v}_i = \mathbf{H} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $,
\mathbf{v}_i = \mathbf{H} \cdot \textsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \bmod q$, for some short integer vector $\mathbf{z}_i $ and some binary $\mathsf{bin}(\mathbf{v}_i) $,
where $\mathbf{H}$ is the ``powers-of-$2$'' matrix. Our abstraction of Stern-like protocols \cite{Ste96,KTX08,LNSW13} allows us to efficiently argue such
statements. The fact that the underlying chameleon hash function smoothly interacts with Stern-like zero-knowledge arguments is the property that maintains
the user's capability of efficiently proving knowledge of the underlying secret key.
@ -106,7 +106,7 @@ $\mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k$
We assume that messages are vectors of $N$ blocks $\mathsf{Msg}=(\mathfrak{m}_1,\ldots,\mathfrak{m}_N)$, where each
block is a $2m$-bit string $\mathfrak{m}_k = \mathfrak{m}_k[1] \ldots \mathfrak{m}_k[2m] \in \{0,1\}^{2m}$ for $k \in \{1,\ldots, N\}$.
For each vector $\mathbf{v} \in \Zq^L$, we denote by $\bit(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
For each vector $\mathbf{v} \in \Zq^L$, we denote by $\textsf{bin}(\mathbf{v}) \in \{0,1\}^{L \lceil \log q \rceil}$ the vector obtained by replacing each
coordinate of $\mathbf{v}$ by its binary representation.
@ -139,7 +139,7 @@ coordinate of $\mathbf{v}$ by its binary representation.
\end{eqnarray}
\item Sample a vector $\mathbf{s} \sample D_{\ZZ^{2m},\sigma_1 }$. Compute $\mathbf{c}_M \in \Zq^{2n}$ as a chameleon hash of $\left(\mathfrak{m}_1,\ldots,\mathfrak{m}_N \right)$: i.e., compute
$\mathbf{c}_M = \mathbf{D}_{0} \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k \in \mathbb{Z}_q^{2n} ,$
which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M) \in \Zq^n .$
which is used to define $\mathbf{u}_M=\mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M) \in \Zq^n .$
Then,
using the delegated basis $\mathbf{T}_\tau \in \ZZ^{2m \times 2m}$, sample a short vector $\mathbf{v} \in \ZZ^{2m}$ in $D_{\Lambda_q^{\mathbf{u}_M}(\mathbf{A}_\tau), \sigma}$.
\end{enumerate}
@ -148,7 +148,7 @@ coordinate of $\mathbf{v}$ by its binary representation.
signature $sig=(\tau,\mathbf{v},\mathbf{s}) \in \{0,1\}^\ell \times \ZZ^{2m} \times \ZZ^{2m}$,
return $1$ if
\begin{eqnarray} \label{ver-eq-block}
\mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
\mathbf{A}_{\tau} \cdot \mathbf{v} &=& \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{D}_0 \cdot \mathbf{s} + \sum_{k=1}^N \mathbf{D}_k \cdot \mathfrak{m}_k ) \bmod q.
\end{eqnarray}
and $\| \mathbf{v} \| < \sigma \sqrt{2m}$, $\| \mathbf{s} \| < \sigma_1 \sqrt{2m}$.
\end{description}
@ -358,7 +358,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
\begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right]
- \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q$, where
- \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M ) \bmod q$, where
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} &=& \left[
\begin{array}{c|c} \mathbf{A} ~ & ~ \mathbf{A}_0 +
@ -384,7 +384,7 @@ We prove the result using a sequence of games. For each $i$, we denote by $W_i$
\end{eqnarray*}
with $h_{\tau^{(i)}} = h_0 + \sum_{j=1}^\ell \tau^{(i)}[j] \cdot h_j \neq 0$. This implies that $\bdv$ can use the trapdoor $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ first samples a discrete Gaussian vector $\vec{s}^{(i)} \sample D_{\ZZ^{2m},\sigma_1}$ and computes $\mathbf{u}_M \in \Zq^n$ as
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \bit( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then,
$$\mathbf{u}_M = \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{(i)} } + \mathbf{D}_{0} \cdot {\mathbf{s}^{(i)} } ) ~~ \bmod q.$$ Then,
using $\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$, it samples a short vector $\mathbf{v}^{(i)} \in \ZZ^{2m}$ in $D^{\mathbf{u}_M}_{\Lambda^{\perp}(\mathbf{A}_{\tau^{(i)}}), \sigma}$ such
that $(\tau^{(i)},\mathbf{v}^{(i)},\mathbf{s}^{(i)})$ satisfies (\ref{ver-eq-block}).
\item At the $i^\dagger$-th signing query $ (\mathfrak{m}_1^{(i^\dagger)},\ldots,\mathfrak{m}_N^{(i^\dagger)})$, we have
@ -440,15 +440,15 @@ such that
\begin{eqnarray} \label{second-sol} \mathbf{A}_{\tau^{(i^\dagger)}} \cdot
\left[\begin{array}{c}
\mathbf{v}_1 \\ \hline \mathbf{v}_2
\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \bit( \mathbf{c}_M ) \bmod q. \end{eqnarray}
\end{array} \right] = \mathbf{u} + \mathbf{D} \cdot \textsf{bin}( \mathbf{c}_M ) \bmod q. \end{eqnarray}
Relation (\ref{sim-s}) implies that $ \mathbf{c}_M \neq \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \bmod q$ by hypothesis. It follows that $\textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) $ is a non-zero vector in $\{-1,0,1\}^m$. Subtracting (\ref{second-sol}) from (\ref{first-sol}), we get
\begin{eqnarray*}
\mathbf{A}_{\tau^{(i^\dagger)}} \cdot \left[\begin{array}{c}
\mathbf{v}_1^\star - \mathbf{v}_1 \\ \hline \mathbf{v}_2^\star - \mathbf{v}_1
\end{array} \right]
&=& \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
&=& \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q,
\end{eqnarray*}
which implies
@ -456,22 +456,22 @@ which implies
\left[
\begin{array}{c|c} \mathbf{D} \cdot \mathbf{S} ~ &~ \mathbf{D} \cdot (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j)
\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \bit(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
\end{array} \right] \cdot \left[ \begin{array}{c} {\mathbf{v}_1^\star -\mathbf{v}_1 } \\ \hline {\mathbf{v}_2^\star - \mathbf{v}_2 } \end{array} \right] \\ = \mathbf{D} \cdot \bigl( \textsf{bin}(\mathbf{c}_M) - \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) \bigr) \mod q .
\end{multline}
The above implies that the vector
\begin{eqnarray} \nonumber
\mathbf{w} &=&
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 + \sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\
\nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \bit(\mathbf{c}_M)
\nonumber && \hspace{2.75cm} ~+ \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} } + \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) - \textsf{bin}(\mathbf{c}_M)
\end{eqnarray}
is a short integer vector of $\Lambda_q^{\perp}(\mathbf{D})$. Indeed, its norm can be bounded as $\| \mathbf{w} \| \leq \beta'' = \sqrt{2} (\ell+2) \sigma^2 m^{3/2} + m^{1/2} $. We argue that it is non-zero with overwhelming probability. We already observed that
$ \bit ( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \bit(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } ) - \textsf{bin}(\mathbf{c}_M)$ is a non-zero vector of $\{-1,0,1\}^m$, which rules out the event that
$({\mathbf{v}_1^\star}, {\mathbf{v}_2^\star} ) =({\mathbf{v}_1} , {\mathbf{v}_2}) $. Hence, we can only have $\mathbf{w}=\mathbf{0}^m$ when the equality
\begin{multline} \label{final-eq}
\mathbf{S} \cdot (\mathbf{v}_1^\star - \mathbf{v}_1) + (\mathbf{S}_0 +
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \bit(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
\sum_{j=1}^\ell \tau^{(i^\dagger)}[j] \cdot \mathbf{S}_j ) \cdot (\mathbf{v}_2^\star - \mathbf{v}_2) \\ = \textsf{bin}(\mathbf{c}_M) - \bit \big( \mathbf{D}_0 \cdot {\mathbf{s}^{\star} }
+ \sum_{k=1}^N \mathbf{D}_k \cdot {\mathfrak{m}_k^{\star} } \big) \qquad
\end{multline}
holds over $\ZZ$. However, as long as either $\mathbf{v}_1^\star \neq \mathbf{v}_1$ or $\mathbf{v}_2^\star \ne \mathbf{v}_2$, the left-hand-side member of (\ref{final-eq})
@ -824,8 +824,8 @@ In the notations hereunder, for any positive integers $\mathfrak{n}$, and $q \ge
\begin{eqnarray*}
\mathbf{H}_{\mathfrak{n} \times \mathfrak{n} \lceil\log q\rceil } &=& \mathbf{I}_{\mathfrak{n}} \otimes [1 \mid 2 \mid 4 \mid \ldots \mid 2^{\lceil\log q\rceil-1} ] .
\end{eqnarray*}
Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\bit(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \bit(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$.
Also, for each vector $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$, we define $\textsf{bin}(\mathbf{v}) \in \{0,1\}^{\mathfrak{n}\lceil\log q\rceil}$ to be the vector obtained by replacing each entry of $\mathbf{v}$ by its binary expansion.
Hence, we have $\mathbf{v}=\mathbf{H}_{\mathfrak{n} \times \mathfrak{n}\lceil\log q\rceil} \cdot \textsf{bin}(\mathbf{v})$ for any $\mathbf{v} \in \ZZ_q^{\mathfrak{n}}$.
In our scheme, each group membership certificate is a
signature generated by the group manager on the user's public key. Since the group manager only needs to sign known (rather than committed) messages, we can
@ -847,7 +847,7 @@ identify $\mathcal{U}_i$.
providing evidence that the membership certificate is a valid signature on some binary message $\mathsf{bin}(\mathbf{v}_i) \in \{0,1\}^{4n \lceil \log q \rceil }$
for which he also knows a short $\mathbf{z}_i \in \ZZ^{4m}$
such that
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.
$ \mathbf{v}_i = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v}_i) = \mathbf{F} \cdot \mathbf{z}_i \in \mathbb{Z}_q^{4n}$.
Interestingly, the process does not require any proof of knowledge of the membership secret $\mathbf{z}_i$ during the joining phase, which is round-optimal. Analogously to the Kiayias-Yung technique \cite{KY05} and constructions based on structure-preserving signatures
\cite{AFG+10}, the joining protocol thus remains secure in environments where many users want
@ -925,7 +925,7 @@ $\mathbf{d}_i = \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end
\mathbf{A}_{\mathsf{id}_i} \cdot \mathbf{d}_i &=& \left[ \begin{array}{c|c} \mathbf{A} ~& ~ \mathbf{A}_0 +
\sum_{j=1}^\ell \mathsf{id}_i[j] \mathbf{A}_j
\end{array} \right] \cdot \mathbf{d}_i\\
\label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad
\label{rel-cert} &=& \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) \bmod q. \quad
\end{eqnarray}
The triple $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ is sent to $\mathcal{U}_i$. Then,
$\mathsf{J}_{\user}$ verifies that the received $(\mathsf{id}_i,\mathbf{d}_i,\mathbf{s}_i)$ satisfies (\ref{rel-cert}) and that
@ -948,10 +948,10 @@ member $\mathcal{U}_i$ generates a one-time signature key pair $(\mathsf{VK},\ma
\begin{itemize}
\item[1.] Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{ n \times 2m}$ and use it as an IBE public key to encrypt
$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of
$\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$, where $\mathbf{v}_i=\mathbf{F} \cdot \mathbf{z}_i \in \ZZ_q^{4n}$ is the syndrome of
$\scr_i=\mathbf{z}_i \in \mathbb{Z}^{4m}$ for the matrix $\mathbf{F}$. Namely, compute $ \mathbf{c}_{\mathbf{v}_i} \in \ZZ_q^m \times \ZZ_q^{2m}$ as
\begin{eqnarray} \label{enc1}
\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \bit(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
\mathbf{c}_{\mathbf{v}_i}=(\mathbf{c}_1,\mathbf{c}_2) &=& \big( \mathbf{B}^T \cdot \mathbf{e}_0 + \mathbf{x}_1 ,~ \mathbf{G}_0^T \cdot \mathbf{e}_0 + \mathbf{x}_2 + \textsf{bin}(\mathbf{v}_i) \cdot \lfloor q/2 \rfloor \big) \qquad
\end{eqnarray}
for randomly chosen $\mathbf{e}_0 \sample \chi^n$, $\mathbf{x}_1 \sample \chi^m, \mathbf{x}_2 \sample \chi^{2m} $.
Notice that, as in the construction of \cite{LNW15}, the columns of $\mathbf{G}_0$ can be interpreted as public keys for the multi-bit version
@ -959,7 +959,7 @@ of the dual Regev encryption scheme.
\item[2.] Run the protocol in Section~\ref{subsection:zk-for-group-signature} to prove the knowledge of $\mathsf{id}_i
\in \{0,1\}^{\ell}$,
vectors $\mathbf{s}_i \in \ZZ^{2m}, \mathbf{d}_{i,1},\mathbf{d}_{i,2} \in \ZZ^{m},\mathbf{z}_i \in \ZZ^{4m}$ with infinity norm bound $\beta $; $\mathbf{e}_0 \in \ZZ^n$, $\mathbf{x}_1 \in \ZZ^m, \mathbf{x}_2 \in \ZZ^{2m} $ with infinity norm bound $B$
and $\bit(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy
and $\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}, \mathbf{w}_{i} \in \{0,1\}^m$, that satisfy
\eqref{enc1} as well as
\begin{eqnarray} \label{rel-deux}
\mathbf{A} \cdot \mathbf{d}_{i,1} + \mathbf{A}_0 \cdot \mathbf{d}_{i,2} + \sum_{j=1}^{\ell} ( \mathsf{id}_i[j] \cdot \mathbf{d}_{i,2}) \cdot \mathbf{A}_j
@ -970,8 +970,8 @@ and
\begin{eqnarray} \label{eq:rel-3}
\left\{
\begin{array}{l}
\mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \bit(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\
\mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v}_i) \in \ZZ_q^{4n}.
\mathbf{H}_{2n \times m} \cdot \mathbf{w}_{i} = \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_i) + \mathbf{D}_1 \cdot \mathbf{s}_i \in \ZZ_q^{2n} \\
\mathbf{F} \cdot \mathbf{z}_i = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v}_i) \in \ZZ_q^{4n}.
\end{array}
\right.
\end{eqnarray}
@ -1006,9 +1006,9 @@ in~(\ref{eq:sig-final}). \smallskip
Compute $\mathbf{G}_0=H_0(\mathsf{VK}) \in \ZZ_q^{n \times 2m}$. Then, using $\mathbf{T}_{\mathbf{B}}$
to compute a small-norm matrix
$\mathbf{E}_{0,\mathsf{VK}} \in \ZZ^{m \times 2m }$ such that $ \mathbf{B} \cdot \mathbf{E}_{0,\mathsf{VK}} = \mathbf{G}_0 \bmod q $.
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\bit(\mathbf{v} ) \in \{0,1\}^{2m}$
\item[2.] Using $\mathbf{E}_{0,\mathsf{VK}}$, decrypt $\mathbf{c}_{\mathbf{v}_i}$ to obtain a string $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m}$
(i.e., by computing $\lfloor (\mathbf{c}_2 - \mathbf{E}_{0,\mathsf{VK}}^T \cdot \mathbf{c}_1) / (q/2) \rceil$). \smallskip
\item[3.] Determine if the $\bit(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \bit(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
\item[3.] Determine if the $\textsf{bin}(\mathbf{v} ) \in \{0,1\}^{2m} $ obtained at step 2 corresponds to a vector $\mathbf{v} = \mathbf{H}_{4n \times 2m} \cdot \textsf{bin}(\mathbf{v} ) \bmod q$ that appears in a record $\transcript_i=(\mathbf{v} , \crt_i, i,\mathsf{upk}[i],sig_i)$ of the database $St_{trans}$ for some $i$. If so,
output the corresponding $i$ (and, optionally, $\mathsf{upk}[i]$). Otherwise, output $\perp$.
\end{itemize}
\end{description}
@ -1017,7 +1017,7 @@ We remark that the scheme readily extends to provide a mechanism whereby the ope
The difference between the dynamic group signature models suggested by Kiayias and Yung \cite{KY06} and Bellare \textit{et al.} \cite{BSZ05} is that, in the latter, the opening authority
($\mathsf{OA}$) must be able to convince a judge that the $\mathsf{Open}$ algorithm was run correctly.
Here, such a mechanism can be realized using the techniques of public-key encryption with non-interactive opening \cite{DHKT08}. Namely, since
$\bit(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $,
$\textsf{bin}(\mathbf{v}_i)$ is encrypted using an IBE scheme for the identity $\vk$, the $\mathsf{OA}$ can simply reveal the decryption matrix $\mathbf{E}_{0,\mathsf{VK}} $,
that satisfies $\mathbf{B} \cdot \mathbf{E}_{0,\vk} = \mathbf{G}_0 \bmod q$ (which corresponds to the verification of a GPV signature) and allows the verifier to perform step 2 of the opening
algorithm himself. The resulting construction is easily seen to satisfy the notion of opening soundness of Sakai \textit{et al.} \cite{SSE+12}.
@ -1077,7 +1077,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
extractor will reveal an $\ell$-bit identifier that coincides with the identifier $\mathsf{id}^\dagger$ assigned to the user introduced at the $i^\star$-th $\mathcal{Q}_{\ajoin}$-query.
The last case $coin=2$ corresponds to $\bdv$'s expectation that decrypting $\mathbf{c}_{\mathbf{v}_i}^\star$ (which is part of $\Sigma^\star$) and running
the knowledge extractor on $\adv$ will uncover vectors $\bit ( \mathbf{v}^\star ) \in \{0,1\}^{2m}$, $\mathbf{w}^\star \in \{0,1\}^m$ and $\mathbf{s}^\star \in \ZZ^{2m}$
such that $\mathbf{w}^\star= \bit(\mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and
such that $\mathbf{w}^\star= \textsf{bin}(\mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )$ and
\begin{eqnarray} \label{collide}
\bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}^\star ) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) = \bit \bigl( \mathbf{D}_0 \cdot \bit ( \mathbf{v}_{i^\star} ) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} \bigr)
\end{eqnarray}
@ -1178,7 +1178,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\begin{bmatrix}
\mathbf{d}_{i^\star,1} \\ \hline \mathbf{d}_{i^\star,2}
\end{bmatrix}
- \mathbf{D} \cdot \bit(\mathbf{c}_M),
- \mathbf{D} \cdot \textsf{bin}(\mathbf{c}_M),
\end{eqnarray}
where
$\mathbf{c}_{M} \sample (\Zq^{2n})$ is a randomly chosen vector. Observe that, since $\mathbf{A}$ is statistically uniform over $\Zq^{n \times m}$ and $ \mathbf{d}_{i^\star,1}
@ -1208,7 +1208,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
$\mathrm{Verify}_{\mathsf{upk}[i]}(\mathbf{v}_{i},sig_i)=1$, $\bdv$ samples $\mathbf{s}_i \sample D_{\ZZ^{2m},\sigma}$ and uses the trapdoor $\mathbf{T}_{\mathbf{C}}$ to compute a short vector
$\mathbf{d}_i=[\mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T]^T \in \ZZ^{2m}$ such that
\begin{eqnarray} \label{sim-cert}
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\end{eqnarray}
where $\mathbf{A}_{\mathsf{id}_i} \in \Zq^{n \times 2m}$ is the matrix in (\ref{sim-matr}). Note that $\bdv$ is able to compute such a vector using the $\mathsf{SampleRight}$
algorithm of \cite{ABB10} (since the Hamming distance $h_{\mathsf{id}_i}$ between $\mathsf{id}_i$ and $\mathsf{id}^\star$ is non-zero). The membership certificate
@ -1235,7 +1235,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
Since $h_{\mathsf{id}_i} \neq 0$, $\bdv$ can use the trapdoor
$\mathbf{T}_{\mathbf{C}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{C})$ to compute a short vector $\mathbf{d}_i = [ \mathbf{d}_{i,1}^T ~|~\mathbf{d}_{i,2}^T ]^T \in \ZZ^{2m}$ such that
\begin{eqnarray*}
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\mathbf{A}_{\mathsf{id}_i} \cdot \begin{bmatrix} \mathbf{d}_{i,1} \\ \hline \mathbf{d}_{i,2} \end{bmatrix} = \mathbf{u} + \mathbf{D} \cdot \bit \bigl( \mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}_{i}) + \mathbf{D}_1 \cdot \mathbf{s}_i \bigr) ,
\end{eqnarray*}
where $\mathbf{v}_{i} \in \Zq^{4n}$ is the syndrome chosen by $\adv$ at step 1 of the joining protocol.
\item[-] If $i = i^\star$, $\bdv$ undertakes to generate a membership certificate $\crt_{i^\star}$ for the $\ell$-bit identifier $\mathsf{id}^\dagger \in \{0,1\}^\ell$ that was
@ -1244,9 +1244,9 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
the vector $\mathbf{d}_{i^\star,1},\mathbf{d}_{i^\star,2} \in \ZZ^m$ and $\mathbf{c}_M \in \Zq^{2n}$ that were used to define $\mathbf{u} \in \Zq^n$ in (\ref{def-u}) and using $\mathbf{T}_{\mathbf{D}_1}$. If $\adv$ provides a correct signature
$sig_{i^\star}$ such that
$\mathrm{Verify}_{\mathsf{upk}[i^\star]}(\mathbf{v}_{i^\star},sig_{i^\star})=1$,
$\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) \bmod q $,
$\bdv$ uses the trapdoor $\mathbf{T}_{\mathbf{D}_1}$ of $\Lambda_q^\perp (\mathbf{D}_1)$ to sample a short vector $\mathbf{s}_{i^\star} \in \ZZ^{2m}$ of $D_{\Lambda_q^{\mathbf{c}_{i^\star}}(\mathbf{D}_1),\sigma}$, where $\mathbf{c}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star}) \bmod q $,
satisfying
$$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \bit( \mathbf{v}_{i^\star}) ~\bmod q , $$
$$ \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} = \mathbf{c}_M - \mathbf{D}_0 \cdot \textsf{bin}( \mathbf{v}_{i^\star}) ~\bmod q , $$
before returning $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} =[ \mathbf{d}_{i^\star,1}^T \mid \mathbf{d}_{i^\star,2}^T]^T,\mathbf{s}_{i^\star})$
to $\adv$. From the definition of $\mathbf{u} \in \Zq^n$ (\ref{def-u}), it is easy to see that $\crt_{i^\star}=(\mathsf{id}^\dagger,\mathbf{d}_{i^\star} ,\mathbf{s}_{i^\star})$ forms a valid membership certificate for
any membership secret $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ corresponding to the syndrome $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$.
@ -1261,7 +1261,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\textbf{Forgery.} When $\adv$ halts, it outputs a
signature $ \Sigma^\star=\big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}_i}^\star, \pi_K^\star,sig^\star \big)$ on some message $M^\star$. At this point, $\bdv$ uses the
trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\bit(\mathbf{v}^\star) \in \{0,1\}^m$.
trapdoor $\mathbf{T}_{\mathbf{B}}$ to decrypt $\mathbf{c}_{\mathbf{v}_i}^\star$ and obtain an $m$-bit string $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^m$.
If we parse the proof $\pi_K^\star$ as
$(\{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t,\mathsf{Chall}_K^\star,\{\mathsf{Resp}_{K,j}^\star \}_{j=1}^t)$,
@ -1301,7 +1301,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
such that
\begin{eqnarray*}
\mathbf{A}_{\mathsf{id}^\star } \cdot \begin{bmatrix} \mathbf{d}_{1}^\star \\ \hline \mathbf{d}_{2}^\star \end{bmatrix} &=& \mathbf{u} + \mathbf{D} \cdot \mathbf{w}^\star \\
\mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) ,
\mathbf{w}^\star &=& \bit \bigl( \mathbf{D}_0 \cdot (\textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star \bigr) ,
\end{eqnarray*}
At this point, $\bdv$ aborts and
declares failure in the following situations:
@ -1312,11 +1312,11 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\item[-] $coin=1$ but $\mathsf{id}^\star \in \{0,1\}^\ell$ never appeared in a membership certificate returned by the $\mathcal{Q}_{\ajoin}$ oracle.
\item[-] $coin=1$ and $\mathsf{id}^\star \in \{0,1\}^{\ell}$ belongs to some user in $U^a$, but this user is not the one introduced at the $i^\star$-th
$\mathcal{Q}_{\ajoin}$-query (i.e., $i^\star \neq i^\dagger$ and $\mathsf{id}^\star \neq \mathsf{id}^\dagger$).
\item[-] $coin=1$ and the knowledge extractor revealed vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$
\item[-] $coin=1$ and the knowledge extractor revealed vectors $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$
satisfying the collision (\ref{collide}),
where $ \bit(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors
where $ \textsf{bin}(\mathbf{v}_{i^\star})$ and $\mathbf{s}_{i^\star}$ are the vectors
involved in the $i^\star$-th $\mathcal{Q}_{\ajoin}$ query.
\item[-] $coin=2$ and the knowledge extraction yields vectors $\bit(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
\item[-] $coin=2$ and the knowledge extraction yields vectors $\textsf{bin}(\mathbf{v}^\star) \in \{0,1\}^{2m}$ and $\mathbf{s}^\star \in \ZZ^{2m}$ such that the collision
(\ref{collide}) does not occur.
\end{itemize}
We call $\mathsf{fail}$ the event that one of the above situations occurs. Given that the choices of $coin \sample (\{0,1,2\})$ and $i^\star \sample ([1,Q_a])$ are completely independent of $\adv$'s view,
@ -1331,7 +1331,7 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
\item If $coin=0$, we have $\mathsf{id}^\star=\mathsf{id}^\dagger$ and $\bdv$ knows a short vector $\mathbf{e}_u \in \ZZ^m$ such that $\mathbf{u} = \bar{\mathbf{A}}_1 \cdot \mathbf{e}_u \bmod q$. Hence, it can obtain a short integer vector
\begin{eqnarray*}
\mathbf{h} = {\mathbf{d}_1^\star} + \big( \mathbf{Q}_0 + \sum_{i=1}^\ell \mathsf{id}^\dagger [i] \mathbf{Q}_i \big) \cdot {\mathbf{d}_2^\star} - \mathbf{Q}_D
\cdot \bit(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
\cdot \textsf{bin}(\mathbf{v}^\star) - \mathbf{e}_u \in \ZZ^m
\end{eqnarray*}
such that $ \bar{\mathbf{A}}_1 \cdot \mathbf{h} = \mathbf{0}^m \bmod q$. Moreover,
we have $\mathbf{h} \neq \mathbf{0}^m$ w.h.p. since the syndrome $\mathbf{u} \in \Zq^n$ statistically hides
@ -1340,9 +1340,9 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
This implies that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ is a short non-zero vector of $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ and solves the initial $\mathsf{SIS}$ instance.
\item If $coin=1$, the extracted
witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\bit(\mathbf{v}^\star)$
satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
\neq \bit( \mathbf{D}_0 \cdot \bit(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
witnesses $(\mathbf{d}_{1}^\star,\mathbf{d}_{2}^\star,\mathbf{s}^\star,\mathsf{id}^\star)$ and the decrypted $\textsf{bin}(\mathbf{v}^\star)$
satisfy $\mathsf{id}^\star=\mathsf{id}^\dagger$, $$\mathbf{w}^\star = \textsf{bin}( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}^\star) + \mathbf{D}_1 \cdot \mathbf{s}^\star )
\neq \textsf{bin}( \mathbf{D}_0 \cdot \textsf{bin}(\mathbf{v}_{i^\star}) + \mathbf{D}_1 \cdot \mathbf{s}_{i^\star} ) = \mathbf{w}_{i^\star} $$
(since $\neg \mathsf{fail}$ implies that the collision (\ref{collide}) did not occur if $coin=1$)
and
\begin{align} \label{rel1}
@ -1382,10 +1382,10 @@ The scheme is secure against misidentification attacks under the $\SIS_{n,2m,q,\
so that $(\mathbf{h}^T \mid \mathbf{0}^m)^T$ solves the original $\mathsf{SIS}$ instance.
\item If $coin=2$, $\bdv$ is done as well since the collision (\ref{collide}) directly provides a vector
$$\mathbf{h}=\bit(\mathbf{v}^\star) - \bit(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
$$\mathbf{h}=\textsf{bin}(\mathbf{v}^\star) - \textsf{bin}(\mathbf{v}_i^\star) + \mathbf{Q} \cdot (\mathbf{s}^\star - \mathbf{s}_i^\star) ~ \in \ZZ^{2m}$$ of $\Lambda_q^{\perp}(\mathbf{D}_0)$ (which is also in
the lattice $\Lambda_q^{\perp}(\bar{\mathbf{A}})$ by construction) and has
norm $\| \mathbf{h} \|_2 \leq 2(\sigma^2 (2m)^{3/2} + (2m)^{1/2}) $. Moreover, $\mathbf{h} \in \ZZ^{2m}$ is non-zero with overwhelming probability
given that $\bit(\mathbf{v}^\star) \neq \bit(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
given that $\textsf{bin}(\mathbf{v}^\star) \neq \textsf{bin}(\mathbf{v}_i^\star)$ and the large amount of entropy retained by the columns $\mathbf{Q} \in \ZZ^{2m \times 2m}$ given $\mathbf{D}_1= \mathbf{D}_0 \cdot \mathbf{Q}$.
\end{itemize}
\end{proof}
@ -1431,7 +1431,7 @@ Then, $\bdv$ starts interacting with $\adv$ as follows.
$\bdv$ recalls the vector $\mathbf{z}_i \in \ZZ^{4m}$ that was chosen to define the syndrome $\mathbf{v}_i = \mathbf{F} \cdot \mathbf{z}_i$ at step 1 of the $\mathsf{Join}$ protocol as well as
the identifier $\mathsf{id}_i \in \{0,1\}^\ell$ and the short vectors $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i) $
that were supplied by $\adv$ in an earlier $Q_{\bjoin}$-query. It faithfully computes a signature by IBE-encrypting
$\bit(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=(
$\textsf{bin}(\mathbf{v}_i) \in \{0,1\}^{2m}$ and using $(\mathbf{d}_{i,1},\mathbf{d}_{i,2},\mathbf{s}_i,\mathbf{z}_i,\mathbf{s}_i,\mathsf{id}_i)$ to compute a witness indistinguishable proof $\pi_K=(
\{\mathsf{Comm}_{K,j}\}_{j=1}^t,\mathsf{Chall}_K,\{\mathsf{Resp}_{K,j}\}_{j=1}^t)$.
Finally, $\bdv$ computes a one-time signature
$sig=\mathcal{S}(\mathsf{SK},(\mathbf{c}_{\mathbf{v}_i},\pi_K))$ and returns the signature
@ -1442,7 +1442,7 @@ $ \Sigma^\star = \big( \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \pi_
for
some message $M^\star$, which opens to ${i^\star} \in
U^b$ although user $i^\star$ did not sign the message $M^\star$ at any time. Since $(M^\star,\Sigma^\star)$ supposedly frames user $i^\star$, the opening of
$\Sigma^\star$ must reveal the $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has
$\Sigma^\star$ must reveal the $m$-bit string $\textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m$. We note that the reduction $\bdv$ has
recollection of a short vector $\mathbf{z}_{i^\star} \in \ZZ^{4m}$ (of norm $\| \mathbf{z}_{i^\star} \| < 2\sigma \sqrt{m}$)
such that $\mathbf{v}_{i^\star} = \mathbf{F} \cdot \mathbf{z}_{i^\star} \bmod q$ which it
chose when running $\mathsf{J}_{\mathsf{user}}$ on behalf of user $i^\star$ when this user was introduced in the group. Hence,
@ -1481,9 +1481,9 @@ tuple $ (M^\star, \mathsf{VK}^\star ,\mathbf{c}_{\mathbf{v}}^\star, \{\maths
pairwise distinct answers
$\mathsf{Chall}_{\kappa^\star}^{(1)} ,
\mathsf{Chall}_{\kappa^\star}^{(2)}, \mathsf{Chall}_{\kappa^\star}^{(3)} \in \{1,2,3\}^t$. Since the forgeries of the $3$-fork all correspond to the tuple $ (M^\star, \mathsf{VK}^\star ,
\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\bit(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and
\mathbf{c}_{\mathbf{v}}^\star, \{\mathsf{Comm}_{K,j}^\star\}_{j=1}^t)$, they open to the same $m$-bit string $\textsf{bin}(\mathbf{v}_{i^\star}) \in \{0,1\}^m$ and
which is uniquely determined
by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\bit(\mathbf{v}_{i^\star})$
by $\mathbf{c}_{\mathbf{v}}^\star$. In turn, this implies that the three forgeries all reveal the same $\textsf{bin}(\mathbf{v}_{i^\star})$
at the second step of $\mathsf{Open}$.
With probability $1-(7/9)^t$ it can be shown that there exists $j \in \{1,\ldots,t\}$ such that the $j$-th bits
of $\mathsf{Chall}_{\kappa^\star}^{(1)} ,
@ -1568,7 +1568,7 @@ Hence, the difference $\mathbf{h} = \mathbf{z}' - \mathbf{z}_{i^\star} \in \ZZ^{
Instead of using the real encryption algorithm of the GPV IBE to compute $\mathbf{c}_{\mathbf{v}_d}^\star$ as the encryption of $\mathbf{v}_d^\star = \mathbf{F} \cdot \mathbf{z}_d \in \Zq^{4n}$, we return truly random
ciphertexts. In other words, we let
\[ \mathbf{c}_{\mathbf{v}_d}^\star = \begin{pmatrix}
\mathbf{r}_1 \\ \mathbf{r}_2 + \bit(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
\mathbf{r}_1 \\ \mathbf{r}_2 + \textsf{bin}(\mathbf{v}_{d}^\star) \lfloor q/2 \rfloor
\end{pmatrix}, \]
%where $\mathbf{v}_{i_b}^\star= \mathbf{F} \cdot \mathbf{z}_{i_b}^\star $, and
where $\mathbf{r}_1 \sample (\Zq^{m})$, $\mathbf{r}_2 \sample (\Zq^{2m})$ are uniformly random.