fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Intro sigmasig beginning

Browse Source
This commit is contained in:
Fabrice Mouhartem 2018-04-18 09:28:32 +02:00
parent 779f186db1
commit 51dab3fb67
4 changed files with 127 additions and 100 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
chap-GS-background.tex
View File

@ -6,7 +6,7 @@ An implementation is available and the timing are detailed in \cref{ch:sigmasig}
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
This construction has been the first fully secure group signature scheme from lattices.
Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions.
Before describing those scheme, let us recall in this Chapter the definition of dynamic group signatures and their related security definitions.
\section{Background} \label{sse:gs-background}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique}

2
chap-ZK.tex
View File

@ -147,7 +147,7 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the
Given parameters $n,m,q \in \ZZ$, let us define the following commitment scheme due to~\cite{KTX08}.
\begin{description}
\item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf{A}_M, \mathbf{A}_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf{A} = [ \mathbf{A}_M \mid \mathbf{A}_\rho]$.
\item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in \{0,1\}^\star$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf{A} \in \Zq^{n \times 2m}$ as $[\mathbf{A}_M \mid \mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm,
\item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in \bit^\star_{}$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf{A} \in \Zq^{n \times 2m}$ as $[\mathbf{A}_M \mid \mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm,
then compute $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho) \in \Zq^n$,
where $h_{\mathbf{A}_M}$ and $f_{\mathbf{A}_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}.
The opening corresponds to the randomness $\rho$ used in the computation.

185
chap-sigmasig.tex
View File

@ -1,6 +1,9 @@
%--------------------------------------------------
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message.
Akin to blind signatures, while being less restrictive, this scheme allows is a building block that can be used to construct anonymous credentials~\cite{Cha85,CL01}, compact e-cash~\cite{CHL05a}, revocable group signatures~\cite{NFHF09}, oblivious transfer with access control~\cite{CDN09} or certified private set intersection protocols~\cite{CZ09}.
%--------------------------------------------------
\section{Building blocks}
@ -33,29 +36,32 @@ Kiltz and Wee \cite{KW15} suggested the following construction which simplifies
We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$.
\begin{description}
\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:]
Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$.
Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$
and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$.
Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and
output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big)
\in \GG^t\times\Gh^{n+1}$.
\item[\textsf{Keygen}$(\mathsf{cp},\mathbf{M})$:]
Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$.
\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:]
To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$,
for some witness $\omega_1,\ldots,\omega_t \in \Zp$,
where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$,
parse $\mathsf{crs}$ as above
and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$.
First, choose $\hat{g_z} \sample \U(\Gh)$. Pick $\mathsf{tk}=(\chi_1^{},\ldots,\chi_n^{}) \sample \U(\Zp^n)$
and compute $\hat{g}_j=\hat{g_z^{}}^{\chi_j}$, for all $j=1$ to $n$.
\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol{v}})$:]
In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $,
output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $.
Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and
output
\[\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big)
\in \GG^t\times\Gh^{n+1}.\]
\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:]
Given $\pi \in \GG$ and ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$,
return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies
$ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
\item[\textsf{Prove}$(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:]
To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$,
for some witness $\omega_1,\ldots,\omega_t \in \Zp$,
where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$,
parse $\mathsf{crs}$ as above
and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$.
\item[\textsf{Sim}$(\mathsf{tk}, {\boldsymbol{v}})$:]
In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $,
output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $.
\item[\textsf{Verify}$(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:]
Given $\pi \in \GG$, ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$ and $\mathsf{crs}$ parsed as above,
return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies
$ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $
\end{description}
The proof of the soundness of this \QANIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable.
@ -64,20 +70,22 @@ This requirement is compatible with our security proofs.
\section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig}
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the $\SXDH$ assumption. We show that their scheme
In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature%
\footnote{In F-unforgeability, the adversary only has to output a forgery for a message $M$ without outputting the message, but the image $F(M)$ for an injective function $F$ that is not necessarily efficiently invertible instead~\cite{BCKL08}. In~\cite{LPY15}, the function $F$ is $M \mapsto \hat{g}^M$.}
based on the $\SXDH$ assumption. We show that their scheme
implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme
compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying \QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.
Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assumption.
\begin{description}
\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$
of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$.
of prime order $p>2^{\lambda}$ with $g \sample \U(\GG)$, $\hat{g} \sample \U(\Gh)$.
\end{description}
\begin{enumerate}
\item Choose $\omega,a \sample \Zp$,
\item Choose $\omega,a \sample \U(\Zp)$,
and set $h=g^a$,
$\Omega=h^{\omega}$.
\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$.
\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \U(\GG^{\ell+1})$.
\item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$
\begin{equation}\label{matrix-scal-sig}
\mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} =
@ -89,8 +97,9 @@ Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assump
\end{array}\right) ,
\end{equation}
where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk}
to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$.
\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of \cref{sse:sigmasig-qa-nizk}
to get the common reference string
$\mathsf{crs}=\left(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z^{},~\{ \hat{g}_j \}_{j=1}^{2\ell+4} \right)$.
\bigskip
\item[]
The private key is $ \mathsf{sk}:=\omega $ and the public key is
@ -105,7 +114,7 @@ The private key is $ \mathsf{sk}:=\omega $ and the public key is
\begin{description}
\item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given
the private key $\mathsf{sk}=\omega$ and a message
$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute
$\vec{m}\in \Zp^\ell$, choose $s \sample \U(\Zp)$ to compute
\begin{align*}
\sigma_1 &
= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &
@ -128,14 +137,14 @@ Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4
\begin{align} \label{sig-ver-1}
e(\Omega,\hat{g}_{2\ell+4})^{-1} =
&~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber
&~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) \\ \nonumber
&~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) .
&~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) %\\ \nonumber &~~~
\cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) .
\end{align}
\end{description}
The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$
while the verification equation only involves a computation of 5 pairings.
The signature on $\ell$ scalars thus only consists of $4$ elements in $\GG$
while the verification equation only involves a computation of $5$ pairings\footnote{Actually only $4$ pairing computations are necessary, as $e(\Omega, \hat{g}_{2\ell+4})$ is independent of the inputs $\pi$ and $\vec{m}$, and can hence be precomputed.}.
\begin{theorem} \label{th:eu-cma-1}
The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the $\SXDH$ assumption holds in $(\GG, \Gh, \GT)$.
@ -176,7 +185,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
\smallskip
\begin{description}
\item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and
\item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \U(\Zp)$ and
compute:
\begin{equation*}
\begin{gathered}
@ -265,7 +274,7 @@ The above signature scheme is existentially unforgeable under chosen-message att
reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the
\QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.
The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.
After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.
After that, $\bdv$ picks $\omega \sample \U(\Zp)$ and $\hat g \sample \U(\Gh)$, and set $\Omega = h^\omega$.
Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:
\begin{align*}
\mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr).
@ -292,7 +301,7 @@ If DDH holds in $\GG$, for each $k \in
\\
Algorithm $\bdv$ takes in $(g^a, g^b, \eta) \in \GG^3$, where $\eta =
g^{a(b+c)}$, and decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It
picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \Zp$
picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \U(\Zp)$
and sets $\Omega = h^\omega$ as well as:
\[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \]
% in order to have the discrete logs of $v_i$ and $w$. \medskip
@ -419,7 +428,7 @@ If DDH holds in $\GG$, for each $k \in
We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at
least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega =
h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g
\sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes
\sample \U(\Gh)$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \U(\Zp)$ and computes
$ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates
$\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$,
$\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$
@ -452,7 +461,7 @@ In this section, we give $\Sigma$-protocols (\cref{sse:sigma-protocols}) for iss
%------------------------------------------------------------------------
\subsection{Proof of Knowledge of a Signature on a Committed Message}
We give $\Sigma$-protocols for proving the knowledge of a signature-message pair $({\sigma},\vec{m})$ satisfying the verification equation of the scheme of Section~\ref{scal-sig}
We give $\Sigma$-protocols for proving the knowledge of a signature-message pair $({\sigma},\vec{m})$ satisfying the verification equation~\eqref{sig-ver-1} of the scheme of Section~\ref{scal-sig}
\begin{align} \label{eq-mult-sig}
e(\Omega,\hat{g}_{2 \ell+4})^{-1}
@ -484,14 +493,16 @@ clear), proving knowledge of a valid signature still requires proving a statem
\item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$
and $d_2:=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$.
To this end, choose
$r_1,r_2\sample\ZZ_p$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$.
\item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\ZZ_p^\ell$,
choose $s_1,s_2,u_1,\ldots,u_\ell \sample\ZZ_p$
$r_1,r_2\sample\U(\Zp)$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$.
\item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\Zp^\ell$,
choose $s_1,s_2,u_1,\ldots,u_\ell \sample\U(\Zp)$
and compute $\hat{E}_1=\hat{g}_2^{u_1}\cdots\hat{g}_{\ell+1}^{u_\ell}\cdot \hat{g}^{s_1}$
and $\hat{E}_2=\hat{g}_{\ell+3}^{u_1}\cdots\hat{g}_{2 \ell+2}^{u_\ell}\cdot \hat{g}^{s_2}$.
\item Using $r_1,r_2 \in \ZZ_p$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$
\item Using the randomness $r_1,r_2 \in \Zp$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$
and commit to $(\pi,\sigma_0 ,\sigma_1,\sigma_2,\sigma_3)\in\GG^5.$
For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\ZZ_p$ at random and set $C_z=\pi \cdot g^{t_z}$,
For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\U(\Zp)$ at random and set $C_z=\pi \cdot g^{t_z}$,
$C_i=\sigma_i \cdot g^{t_i}$, for $i \in \{0,\ldots,3\}$, and
$\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_{1}^{t_2}
\cdot \hat{D}_{2}^{t_3} \cdot \hat{g}^{-t_0}.$
@ -499,15 +510,15 @@ clear), proving knowledge of a valid signature still requires proving a statem
\item In order to prove (partial) knowledge of an opening to $(C_z,C_0,C_1,C_2,C_3,\hat{D}_0)$, compute
$\hat{E}_0=\hat{g}_z^{v_z} \cdot \hat{g}_1^{v_1} \cdot \hat{D}_{1}^{v_2}
\cdot \hat{D}_{2}^{v_3} \cdot \hat{g}^{-v_0}$
for random $v_z,v_0,v_1,v_2,v_3\sample\ZZ_p$.
for random $v_z,v_0,v_1,v_2,v_3\sample \U(\Zp)$.
\item Prove that $C_0$ is well-formed relatively to the committed values in $C_1,C_2$ and the coins
$r_1,r_2 \in \ZZ_p$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation
$r_1,r_2 \in \Zp$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation
$C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot {g}^{t_4},$ where $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$. To do this, compute
$F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample\ZZ_p$ and where $s_1,s_2 \in \ZZ_p$ are the random coins used in $\hat{E}_1,\hat{E}_2$.
\item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \ZZ_p$ by picking $x_2,x_3,x_4\sample\ZZ_p$ and computing
$F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample \U(\Zp)$ and where $s_1,s_2 \in \Zp$ are the random coins used in $\hat{E}_1,\hat{E}_2$.
\item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \Zp$ by picking $x_2,x_3,x_4\sample \U(\Zp)$ and computing
$$T_i=g^{t_i} \cdot f^{x_i} \qquad \forall i \in \{0,2,3, 4\}, $$ where $x_0=x_2 \cdot r_1+x_3 \cdot r_2+x_4$. Ensure that committed
variables coincide with those of previous steps by computing $$\{V_i=g^{v_i} \cdot f^{y_i}\}_{i \in \{0,2,3,4\} },$$ where
$y_0,y_2,y_3,y_4\sample\ZZ_p$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \ZZ_p$ from steps 2 and 5 to compute
$y_0,y_2,y_3,y_4\sample \U(\Zp)$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \Zp$ from steps 2 and 5 to compute
$S_0=T_2^{s_1} \cdot T_3^{s_2}$.
\medskip
\item[~~~Finally,] keep $C_z\in\GG$ and all the random coins in $\mathsf{aux}$,
@ -523,8 +534,8 @@ clear), proving knowledge of a valid signature still requires proving a statem
\end{enumerate} \vspace{-2mm}
%
\begin{description}
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample\ZZ_p $ uniformly at random and return $\mathsf{chall}=\rho $.
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\ZZ_p$:
\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample \U(\Zp) $ uniformly at random and return $\mathsf{chall}=\rho $.
\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\Zp$:
\end{description}\vspace{-4mm}
%set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and
\begin{enumerate}
@ -533,7 +544,7 @@ clear), proving knowledge of a valid signature still requires proving a statem
\item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$;
\item $w_4= \rho\cdot t_4 + v_4 $, where $t_4:=t_0-t_1 \cdot r_1-t_2 \cdot r_2$;
\item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip
\item[~~~Output] $\mathsf{resp}\in \GG\times \ZZ_p^{\ell+12}$ as
\item[~~~Output] $\mathsf{resp}\in \GG\times \Zp^{\ell+12}$ as
\begin{align*}
%\mathsf{resp}=
\bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2,
@ -609,16 +620,17 @@ a constant additive overhead.
Remaining verifications of items 1,2,3 follow from the correctness of the built-in $\Sigma$-protocols.
\medskip
\noindent \emph{Special-Soundness.} Let us assume two accepting transcripts $(\mathsf{com},\rho,\mathsf{resp})$, $(\mathsf{com},\rho',\mathsf{resp}')$ with $\rho \neq \rho'$.
\scbf{Special-Soundness.}
We assume two accepting transcripts $(\mathsf{com},\rho,\mathsf{resp})$, $(\mathsf{com},\rho',\mathsf{resp}')$ with $\rho \neq \rho'$.
The special soundness of the sub-protocols involving $\hat{D}_1,\hat{D}_2$ (with $\hat{E}_1,\hat{E}_2$)
-- consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify} --
ensures the extraction of $m_1,\ldots,m_\ell,r_1,r_2 $ satisfying
$\hat{D}_1=d_1\cdot\hat{g}^{r_1}$, where $d_1=\hat{g}_2^{m_1}\cdots \hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}$, and
$\hat{D}_2=d_2\cdot\hat{g}^{r_2}$, where $d_2=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}$.
From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z,t_0,t_1,t_2,t_3,t_4)$ such
--\,consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify}\,--
ensures the extraction of $m_1,\ldots,m_\ell,r_1,r_2 $ satisfying
$\hat{D}_1=d_1\cdot\hat{g}^{r_1}$, where $d_1=\hat{g}_2^{m_1}\cdots \hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}$, and
$\hat{D}_2=d_2\cdot\hat{g}^{r_2}$, where $d_2=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}$.
From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z,t_0,t_1,t_2,t_3,t_4)$ such
that $\hat{D}_0={\hat{g}_z}^{t_z} \cdot {\hat{g}_1}^{t_1} \cdot {\hat{D}_{1}}^{t_2} \cdot {\hat{D}_{2}}^{t_3} \cdot {\hat{g}}^{-t_0}.$
Moreover, together with previously extracted $(r_1,r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$.
%
Moreover, together with previously extracted $(r_1,r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$.
%
We now state that quantities $\{\sigma_i=C_i\cdot {g}^{-t_i}\}_{i \in \{1,2,3\}}$ and $\pi=C_z\cdot {g}^{-t_z}$ satisfy (\ref{sig-ver-1}),
so that, together with $\vec{m}=(m_1,\ldots,m_\ell)$, they form a valid witness for $R_{sig}$. Namely,
@ -635,7 +647,7 @@ a constant additive overhead.
%
We are thus left with showing that $\sigma_0=\sigma_2^{r_1} \cdot \sigma_3^{r_2}$ or, equivalently,
$e(\sigma_0,\hat{g})=e(\sigma_2,\hat{g}^{r_1}) \cdot e(\sigma_3,\hat{g}^{r_2})$. Remember that, from step 2 of $\mathsf{Verify}$, we know that
extracted $(r_1,r_2,t_4) \in \ZZ_p^3$ form a representation of $C_0$ {w.r.t.}
extracted $(r_1,r_2,t_4) \in \Zp^3$ form a representation of $C_0$ {w.r.t.}
the base $(C_0,C_2,g)$: i.e., $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$, which, from the definition of
$\sigma_0,\sigma_2,\sigma_3$, yields
$\sigma_0\cdot g^{t_0}=\sigma_2^{r_1} \cdot \sigma_3^{r_2} \cdot g^{t_2 \cdot r_1+t_3 \cdot r_2+t_4}$. Hence, we are done if we can show that $t_0=t_2r_1+t_3r_2+t_4$. But this exactly what step 3 of $\mathsf{Verify}$ and the
@ -646,30 +658,31 @@ a constant additive overhead.
representation.
\medskip
\noindent \emph{Perfect SHVZK.}
\scbf{Perfect SHVZK.}
To show this property we must build a simulator that, on input of a challenge
$\mathsf{chall}=\rho \in_R \ZZ_p$, emulates a valid transcript without any witness.
$\mathsf{chall}=\rho \in_R \Zp$, emulates a valid transcript without any witness.
First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}).
\vspace{-1mm}
From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick
$a_0,a_1,a_2,a_z\gets\ZZ_p$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}=
$a_0,a_1,a_2,a_z\gets\Zp$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}=
e(\Omega^{-1},\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z})
\cdot e(\Omega^{a_0},\hat{g})\cdot e(\Omega^{a_1},\hat{g}_1)\cdot e(\Omega^{a_2},\hat{D}_1)
\cdot e(\Omega^{a_z},\hat{g}_z)$, so that we can set $C_0=\Omega^{-a_0}$,
$C_1=\Omega^{a_1}$, $C_2=\Omega^{a_2}$ and $C_z=\Omega^{a_z}$.
Let $\hat{B}:=\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$.
Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\ZZ_p$ since
Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\Zp$ since
$e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set
$\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a
random $a_3\gets\ZZ_p$.
random $a_3\gets\Zp$.
%\vspace{-1mm}
To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines.
More explicitly, first pick $\rho\sample\ZZ_p$ and
$\bar{m}_1,\ldots,\bar{m}_\ell,\bar{r}_1,\bar{r}_2,w_z,w_0,\ldots,w_4,z_0,z_2,z_3,z_4\sample\ZZ_p$. Also,
choose $T_0,T_2,T_3,T_4\sample\GG$ and do the following:
More explicitly, first pick $\rho\sample \U(\Zp)$ and
\[ \bar{m}_1, \ldots, \bar{m}_\ell, \bar{r}_1, \bar{r}_2, w_z, w_0, \ldots, w_4, z_0, z_2, z_3, z_4\sample \U(\Zp).\]
Also,
choose $T_0, T_2, T_3, T_4 \sample \U(\GG)$ and do the following:
\begin{enumerate}
\item Compute \[\hat{E}_1 = (\hat{D}_1/\hat{g}_{\ell+2})^{\,-\rho}\cdot
\hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}\] and, similarly,
@ -695,7 +708,7 @@ In the protocol some randomizing steps are included as well as other additional
\noindent \textbf{The protocol.}
%
At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$.
To get a signature on ${\mathbf{m}}$, the committer picks $r\sample\ZZ_p$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$.
To get a signature on ${\mathbf{m}}$, the committer picks $r\sample \U(\Zp)$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$.
Besides, it also computes the elements $c_z = z_2^{m_1}\cdots z_{\ell+1}^{m_\ell}\cdot u^{t_z}$.
%and $c_r = r_2^{m_1}\cdots r_{\ell+1}^{m_\ell}\cdot u^{t_r}$.
The signer receives these commitments and they both engage in an interactive proof of knowledge of an equal representation of $c_v$ relatively to the basis $(v_1,\ldots,v_\ell;u)$ and $c_z$ relatively to the basis $(z_2,\ldots,z_{\ell+1};u)$,
@ -710,7 +723,7 @@ Depending on the success of the proof the signer computes what we can call a ``p
%r_0 & = r_1^\omega \cdot c_r^s \cdot r_{\ell+2}^s ,
\end{align*}
%and $(z_d,r_d)=(z_{\ell+3}^s,r_{\ell+3}^s)$,
for a random $s\sample\ZZ_p$. In the final step, the user received the pre-signature, then picks $s'\sample\ZZ_p$ and computes
for a random $s\sample \U(\Zp)$. In the final step, the user received the pre-signature, then picks $s'\sample \U(\Zp)$ and computes
$(\sigma_1, \sigma_2, \sigma_3, \pi) \in \GG^4$ as follows
\begin{align*}
\sigma_1 & = \tau_1 \cdot\tau_0^{-r}
@ -729,7 +742,7 @@ In comparison, the construction of \cite{CL02a} requires groups of larger hidde
\noindent \textbf{Security.}
%
We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol.
In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip
In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\Zp$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip
\noindent \textbf{Remark.}
%
@ -770,7 +783,7 @@ with prospective users. However, this limitation can be removed using an extract
where %$\Omega=h^\omega$ and
$\mathsf{crs} = \big(\{{z}_j\}_{j=1}^{3}, \hat g_z, \{\hat g_i\}_{i=1}^{6} \big)$.
\item Pick $x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \sample \Zp$ and set
\item Pick $x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \sample \U(\Zp)$ and set
\begin{align*}
X_z & = g^{x_z} h^{y_z}, & X_\sigma & = g^{x_\sigma} h^{y_\sigma}, & X_\ID & = g^{x_\ID} h^{y_\ID}.
\end{align*}
@ -790,7 +803,7 @@ with prospective users. However, this limitation can be removed using an extract
%$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$
\end{description} \vspace{-2mm}
\begin{enumerate}
\item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to
\item $\U_i$ chooses ${\ID \sample \U(\Zp)}$ and sends the following to
$\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) =
(v^\ID, z_2^\ID, \hat g_2^\ID, \hat g_4^\ID)$
@ -812,7 +825,7 @@ with prospective users. However, this limitation can be removed using an extract
this purpose. Let $\pi_K(\ID)$ denote the interaction transcript.
\item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of
section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and
section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \U(\Zp)$, and
uses $\mathcal{S}_\GM = \omega$ to compute
$\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$
and
@ -840,11 +853,11 @@ with prospective users. However, this limitation can be removed using an extract
does the following:
\end{description} \vspace{-2mm}
\begin{enumerate}
\item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \Zp$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$,
\item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \U(\Zp)$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$,
$\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$.
\item Encrypt elements $\tilde \pi$, $\tilde \sigma_1$ and $v^\ID$ from the membership certificate.
Specifically, choose $\theta \sample \Zp$ and compute the Cramer-Shoup ciphertext
Specifically, choose $\theta \sample \U(\Zp)$ and compute the Cramer-Shoup ciphertext
$C_{\mathsf{CS}}=(C_1,C_2,C_z,C_{\sigma},C_{\ID})$, where $C_1 = g^\theta$, $C_2 = h^\theta$,
\begin{align*}
C_z & = \tilde \pi \cdot X_z^\theta, &
@ -865,7 +878,7 @@ with prospective users. However, this limitation can be removed using an extract
& = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{\theta}
\cdot\big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-\ID} .
\end{align*}
Namely, sample random $r_\ID, r_\theta \sample \Zp$, compute
Namely, sample random $r_\ID, r_\theta \sample \U(\Zp)$, compute
\begin{eqnarray*}
&\begin{aligned}
R_1 &= g^{r_\theta}, &
@ -997,7 +1010,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
\begin{description}
\item[Game 0:] This is the real CCA-anonymity game.\\
In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that
In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d \sample \U(\bit)$. We define $W_0$ to be the event that
the adversary outputs $d'=d$.
\item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event,
@ -1015,7 +1028,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
\item[Game 2:] We change the way to generate the challenge signature $ \Sigma^\star $. Instead of faithfully running the
Schnorr-like protocol, we use the HVZK-simulator to produce the proofs $s_\theta, s_\ID$ without knowing the witnesses
$\theta, \ID$. Namely, we pick $c,~ s_\theta,~ s_\ID \sample \Zp$ at random and set $ R_1 = g^{s_\theta} \cdot C_1^{-c}$, $R_2 = h^{s_\theta} \cdot C_2^{-c},$
$\theta, \ID$. Namely, we pick $c,~ s_\theta,~ s_\ID \sample \U(\Zp)$ at random and set $ R_1 = g^{s_\theta} \cdot C_1^{-c}$, $R_2 = h^{s_\theta} \cdot C_2^{-c},$
$R_3 = v^{s_\ID} \cdot X_{\ID}^{s_\theta} \cdot C_{\ID}^{-c}$ as well as
%\begin{multline*}
%R_4 = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} \\
@ -1037,11 +1050,11 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature.
The distribution of $(C_z, C_\sigma, C_\ID)$ remains the same and we have $\Pr[W_3] = \Pr[W_2]$.
\item[Game 4:] Here, we modify the distribution of the challenge signature and replace $C_2 = h^\theta$ by $C_2 = h^{\theta + \theta'}$, for a randomly chosen $\theta'
\sample \Zp$. We prove in Lemma~\ref{le-gsig-3} that
\sample \U(\Zp)$. We prove in Lemma~\ref{le-gsig-3} that
$\left| \Pr[W_4] - \Pr[W_3] \right| \leq \advantage{\DDH}{\GG}(\lambda)$.
\item[Game 5:] We introduce one more change. Instead of sampling $h \in_R \Zp$,
the challenger chooses a random $\alpha \sample \Zp$ at the beginning of the game, sets $h = g^\alpha$ and retains the information $\alpha = \log_g(h)$ (note that
the challenger chooses a random $\alpha \sample \U(\Zp)$ at the beginning of the game, sets $h = g^\alpha$ and retains the information $\alpha = \log_g(h)$ (note that
we are done with the DDH assumption and we can henceforth use $\alpha=\log_g(h)$). At each signature opening query,
the challenger returns $\perp$ on any signature
$\Sigma=(C_1, C_2, C_z, C_\sigma, C_\ID, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)$ such
@ -1113,7 +1126,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip
Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to
decide with non-negligible probability $\varepsilon$ whether $c = 0$ or $c \in_R \Zp$. To achieve this, $\bdv$ sets $h = g^a$ and computes the challenge signature as $ C_1 = g^b$ and $ C_2 = \eta$.
The rest of the game continues like in Game $3$ (which is also the same as in Game $2$).
If $\adv$ wins and correctly guesses $d'=d \in \{0,1\}$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$.
If $\adv$ wins and correctly guesses $d'=d \in \bit$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$.
\\
It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$.
%\vspace{-1mm}
@ -1238,7 +1251,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$.
At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$.
In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)
As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip
\\
@ -1252,7 +1265,7 @@ In addition, $\bdv$ must be able to answer the following queries.
%\item[-] If $j \neq j^\star$, $\bdv$ follows the exact specification of $\mathsf{J}_{\mathsf{user}}$.
%\item[-] If $j=j^\star$,...
%\end{itemize}
At step 1 of $\mathsf{Join}$, $\bdv$ picks a random $\delta_i \sample \Zp$ and uses $\mathsf{tk}$ to compute the tuple
At step 1 of $\mathsf{Join}$, $\bdv$ picks a random $\delta_i \sample \U(\Zp)$ and uses $\mathsf{tk}$ to compute the tuple
$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$, for an unknown $\scr_{i}=\ID_i=a\cdot\delta_i \in \Zp$, that
$\mathsf{J}_{\mathsf{GM}}$ expects at step 1 of the join protocol. Namely, $\bdv$ computes the vector
$ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as
@ -1277,8 +1290,8 @@ Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$.
\item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use
the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm.
While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the
non-interactive proof $(c, s_\ID, s_\theta)$, for a randomly chosen challenge $c \sample \Zp$ by programming the random oracle.
More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \sample \Zp$ and computing
non-interactive proof $(c, s_\ID, s_\theta)$, for a randomly chosen challenge $c \sample \U(\Zp)$ by programming the random oracle.
More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \sample \U(\Zp)$ and computing
\begin{align*}
\tilde\sigma_1 & = \sigma_1 \cdot (V_i\cdot w)^r & \tilde \sigma_2 & = \sigma_2 \cdot g^r, \\
\tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r.
@ -1369,7 +1382,7 @@ Another caveat is that, unlike the two previous systems, the opening complexity
In 2015, Pointcheval and Sanders~\cite{PS16} gave another instantiation of~\cite{BCN+10} based on a variant of the LRSW
assumption in the asymmetric setting (meaning using only Type III pairings), which provides even shorter signatures than
\cite{BCN+10} with the same downsides.
Their scheme provides signatures composed of only $2$ group elements in $\GG$ and $2$ scalars in $\Zp$.
Their scheme provides signatures composed of only $2$ group elements in $\GG$ and $2$ scalars in~$\Zp$.
Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is

38
these.bib
View File

@ -1,13 +1,4 @@
% Encoding: UTF-8
@InCollection{BCKL08,
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
title = {{P}-signatures and Noninteractive Anonymous Credentials},
booktitle = {{TCC}},
publisher = {Springer},
year = {2008},
number = {4948},
series = {LNCS},
}
@InCollection{CL04,
author = {Camenisch, Jan and Lysyanskaya, Anna},
@ -210,10 +201,10 @@
pages = {1--5},
}
@InProceedings{BCKL08a,
@InProceedings{BCKL08,
author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
title = {P-signatures and Noninteractive Anonymous Credentials},
booktitle = {{TCC'08}},
title = {{P-signatures and Noninteractive Anonymous Credentials}},
booktitle = {{TCC}},
year = {2008},
number = {4948},
series = {LNCS},
@ -2726,4 +2717,27 @@
publisher = {Springer},
}
@InProceedings{NFHF09,
author = {Nakanishi, Toru and Fujii, Hiroki and Hira, Yuta and Funabiki, Nobuo},
title = {{Revocable Group Signature Schemes with Constant Costs for Signing and Verifying}},
booktitle = {{PKC}},
year = {2009},
series = {LNCS},
pages = {463--480},
publisher = {Springer},
abstract = {Lots of revocable group signature schemes have been proposed so far. In one type of revocable schemes, signing and/or verifying algorithms have O(N) or O(R) complexity, where N is the group size and R is the number of revoked members. On the other hand, in Camenisch-Lysyanskaya scheme and the followers, signing and verifying algorithms have O(1) complexity. However, before signing, updates of the secret key are required. The complexity is O(R) in the worst case. In this paper, we propose a revocable scheme with signing and verifying of O(1) complexity, where no updates of secret key are required. The compensation is the long public key of O(N). In addition, we extend it to the scheme with {\$}O({\backslash}sqrt{\{}N{\}}){\$} -size public key, where signing and verifying have constant extra costs.},
isbn = {978-3-642-00468-1},
}
@InProceedings{CZ09,
author = {Camenisch, Jan and Zaverucha, Gregory M.},
title = {Private Intersection of Certified Sets},
booktitle = {Financial Cryptography},
year = {2009},
pages = {108--127},
address = {Berlin, Heidelberg},
publisher = {Springer},
isbn = {978-3-642-03549-4},
}
@Comment{jabref-meta: databaseType:bibtex;}