diff --git a/chap-GS-background.tex b/chap-GS-background.tex index 642a99e..c634304 100644 --- a/chap-GS-background.tex +++ b/chap-GS-background.tex @@ -6,7 +6,7 @@ An implementation is available and the timing are detailed in \cref{ch:sigmasig} The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups. This construction has been the first fully secure group signature scheme from lattices. -Before describing those scheme, let us recall in this Chapter the definition of a dynamic group signature and its related security definitions. +Before describing those scheme, let us recall in this Chapter the definition of dynamic group signatures and their related security definitions. \section{Background} \label{sse:gs-background} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique} diff --git a/chap-ZK.tex b/chap-ZK.tex index 317ebf6..5d8e827 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex @@ -147,7 +147,7 @@ It is then possible to use this hash function $h_{\mathbf{A}}$ to construct the Given parameters $n,m,q \in \ZZ$, let us define the following commitment scheme due to~\cite{KTX08}. \begin{description} \item[\textsf{Setup}$(1^\lambda)$:] Pick two random matrices $\mathbf{A}_M, \mathbf{A}_\rho \in \U(\Zq^{n \times m})$ and define the public parameters as the matrix $\mathbf{A} = [ \mathbf{A}_M \mid \mathbf{A}_\rho]$. - \item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in \{0,1\}^\star$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf{A} \in \Zq^{n \times 2m}$ as $[\mathbf{A}_M \mid \mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm, + \item[$\textsf{Commit}(\mathbf{A}, M; \rho)$:] To commit to a string $M \in \bit^\star_{}$ under randomness $\rho \in \{0,1\}^{m}$, first parse $\mathbf{A} \in \Zq^{n \times 2m}$ as $[\mathbf{A}_M \mid \mathbf{A}_\rho]$ as in the \textsf{\textbf{Setup}} algorithm, then compute $\com = h_{\mathbf{A}_M}(M) + f_{\mathbf{A}_\rho}(\rho) \in \Zq^n$, where $h_{\mathbf{A}_M}$ and $f_{\mathbf{A}_\rho}$ are the hash function and the one-way collision resistant function defined in \cref{de:sis-hash}. The opening corresponds to the randomness $\rho$ used in the computation. diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index 9731bce..dca1d5b 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex @@ -1,6 +1,9 @@ %-------------------------------------------------- In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction. -Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove +Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message. +Akin to blind signatures, while being less restrictive, this scheme allows is a building block that can be used to construct anonymous credentials~\cite{Cha85,CL01}, compact e-cash~\cite{CHL05a}, revocable group signatures~\cite{NFHF09}, oblivious transfer with access control~\cite{CDN09} or certified private set intersection protocols~\cite{CZ09}. + + %-------------------------------------------------- \section{Building blocks} @@ -33,29 +36,32 @@ Kiltz and Wee \cite{KW15} suggested the following construction which simplifies We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}_1\cdots\vec{M}_t)^T$. \begin{description} -\item[\boldmath$\mathsf{Keygen}(\mathsf{cp},\mathbf{M})$:] - Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$. - Then, choose $\hat{g_z} \sample \Gh$. Pick $\mathsf{tk}=(\chi_1,\ldots,\chi_n) \sample \Zp^n$ - and compute $\hat{g}_j=\hat{g_z}^{\chi_j}$, for all $j=1$ to $n$. - Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and - output $\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) - \in \GG^t\times\Gh^{n+1}$. + \item[\textsf{Keygen}$(\mathsf{cp},\mathbf{M})$:] + Given public parameters $\mathsf{cp}=(\GG,\Gh,\GT,p)$ and the matrix $\mathbf{M}=(M_{i,j})\in\GG^{t\times n}$. -\item[\boldmath$\mathsf{Prove}(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:] - To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, - for some witness $\omega_1,\ldots,\omega_t \in \Zp$, - where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, - parse $\mathsf{crs}$ as above - and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$. + First, choose $\hat{g_z} \sample \U(\Gh)$. Pick $\mathsf{tk}=(\chi_1^{},\ldots,\chi_n^{}) \sample \U(\Zp^n)$ + and compute $\hat{g}_j=\hat{g_z^{}}^{\chi_j}$, for all $j=1$ to $n$. -\item[\boldmath$\mathsf{Sim}(\mathsf{tk}, {\boldsymbol{v}})$:] - In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, - output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $. + Then, for $i=1$ to $t$, compute $z_i=\prod_{j=1}^n M_{i,j}^{-\chi_j}$ and + output + \[\mathsf{crs}=\big(\{ z_i \}_{i=1}^t,~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^n \big) + \in \GG^t\times\Gh^{n+1}.\] -\item[\boldmath$\mathsf{Verify}(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:] - Given $\pi \in \GG$ and ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$, - return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies - $ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ + \item[\textsf{Prove}$(\mathsf{crs}, {\boldsymbol{v}}, \{\omega_i\}_{i=1}^t)$:] + To prove that ${\boldsymbol{v}}=\vec{M}_1^{\omega_1}\cdots\vec{M}_t^{\omega_t}$, + for some witness $\omega_1,\ldots,\omega_t \in \Zp$, + where $\vec{M}_i$ denotes the $i$-th row of $\mathbf{M}$, + parse $\mathsf{crs}$ as above + and return $\pi=\prod_{i=1}^t z_{i}^{\omega_i}$. + + \item[\textsf{Sim}$(\mathsf{tk}, {\boldsymbol{v}})$:] + In order to simulate a proof for a vector ${\boldsymbol{v}} \in \GG^n$ using $\mathsf{tk}= \{ \chi_i \}_{i=1}^n $, + output $\pi = \prod_{j=1}^n v_j^{-\chi_j} $. + + \item[\textsf{Verify}$(\mathsf{crs}, {\boldsymbol{v}}, \pi)$:] + Given $\pi \in \GG$, ${\boldsymbol{v}}=(v_1,\dotsc,v_n)$ and $\mathsf{crs}$ parsed as above, + return $1$ if and only if $(v_1,\dotsc,v_n)\neq (1_{\GG},\dotsc,1_{\GG})$ and $\pi$ satisfies + $ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ \end{description} The proof of the soundness of this \QANIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. @@ -64,20 +70,22 @@ This requirement is compatible with our security proofs. \section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig} -In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the $\SXDH$ assumption. We show that their scheme +In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature% +\footnote{In F-unforgeability, the adversary only has to output a forgery for a message $M$ without outputting the message, but the image $F(M)$ for an injective function $F$ that is not necessarily efficiently invertible instead~\cite{BCKL08}. In~\cite{LPY15}, the function $F$ is $M \mapsto \hat{g}^M$.} +based on the $\SXDH$ assumption. We show that their scheme implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying \QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assumption. \begin{description} \item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ - of prime order $p>2^{\lambda}$ with $g \sample \GG$, $\hat{g} \sample \Gh$. + of prime order $p>2^{\lambda}$ with $g \sample \U(\GG)$, $\hat{g} \sample \U(\Gh)$. \end{description} \begin{enumerate} -\item Choose $\omega,a \sample \Zp$, +\item Choose $\omega,a \sample \U(\Zp)$, and set $h=g^a$, $\Omega=h^{\omega}$. -\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \GG^{\ell+1}$. +\item Choose $\vec{v}=(v_1,\ldots,v_\ell,w) \sample \U(\GG^{\ell+1})$. \item Define a matrix $\mathbf{{M}}=(M_{j,i})_{j,i} \in {\GG}^{ (\ell+2) \times (2\ell+4) }$ \begin{equation}\label{matrix-scal-sig} \mathbf{{M}} = %\big({M}_{i,j} \big)_{i,j} = @@ -89,8 +97,9 @@ Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assump \end{array}\right) , \end{equation} where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$. -\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} - to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. +\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of \cref{sse:sigmasig-qa-nizk} + to get the common reference string + $\mathsf{crs}=\left(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z^{},~\{ \hat{g}_j \}_{j=1}^{2\ell+4} \right)$. \bigskip \item[] The private key is $ \mathsf{sk}:=\omega $ and the public key is @@ -105,7 +114,7 @@ The private key is $ \mathsf{sk}:=\omega $ and the public key is \begin{description} \item[\textsf{Sign}$(\mathsf{sk},\vec{m}=(m_1,\ldots,m_\ell)):$] given the private key $\mathsf{sk}=\omega$ and a message -$\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute +$\vec{m}\in \Zp^\ell$, choose $s \sample \U(\Zp)$ to compute \begin{align*} \sigma_1 & = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & @@ -128,14 +137,14 @@ Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4 \begin{align} \label{sig-ver-1} e(\Omega,\hat{g}_{2\ell+4})^{-1} = &~ e(\pi,\hat{g}_z) \cdot e(\sigma_1,\hat{g_1}) \\ \nonumber - &~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) \\ \nonumber - &~~~ \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) . + &~ \cdot e(\sigma_2,\hat{g}_{2}^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell} \cdot \hat{g}_{\ell+2} ) %\\ \nonumber &~~~ + \cdot e(\sigma_3,\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2\ell+2}^{m_\ell} \cdot \hat{g}_{2\ell+3}) . \end{align} \end{description} -The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$ -while the verification equation only involves a computation of 5 pairings. +The signature on $\ell$ scalars thus only consists of $4$ elements in $\GG$ +while the verification equation only involves a computation of $5$ pairings\footnote{Actually only $4$ pairing computations are necessary, as $e(\Omega, \hat{g}_{2\ell+4})$ is independent of the inputs $\pi$ and $\vec{m}$, and can hence be precomputed.}. \begin{theorem} \label{th:eu-cma-1} The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the $\SXDH$ assumption holds in $(\GG, \Gh, \GT)$. @@ -176,7 +185,7 @@ The above signature scheme is existentially unforgeable under chosen-message att \smallskip \begin{description} - \item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \Zp$ and + \item[Type B signatures:] These use a random value $\omega' \in_R \Zp$ instead of the secret key $\omega$. We pick random $\omega', s, s_1 \sample \U(\Zp)$ and compute: \begin{equation*} \begin{gathered} @@ -265,7 +274,7 @@ The above signature scheme is existentially unforgeable under chosen-message att reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the \QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$. - After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$. + After that, $\bdv$ picks $\omega \sample \U(\Zp)$ and $\hat g \sample \U(\Gh)$, and set $\Omega = h^\omega$. Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key: \begin{align*} \mathsf{pk} = \bigl( g,h,\hat g, \vec{v}, \omega,\mathsf{crs} \bigr). @@ -292,7 +301,7 @@ If DDH holds in $\GG$, for each $k \in \\ Algorithm $\bdv$ takes in $(g^a, g^b, \eta) \in \GG^3$, where $\eta = g^{a(b+c)}$, and decides if $c=0$ or $c \in_R \Zp$. To do this, $\bdv$ sets $h = g^a$. It - picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \Zp$ + picks $\omega, a_{v_1}, b_{v_1}, \ldots, a_{v_\ell}, b_{v_\ell}, a_{w}, b_{w} \sample \U(\Zp)$ and sets $\Omega = h^\omega$ as well as: \[ \forall i \in \{1,\dots, \ell \}:~~ v_i = g^{a_{v_i}} \cdot h^{b_{v_i}}, \quad w = g^{a_w} \cdot h^{b_w}. \] % in order to have the discrete logs of $v_i$ and $w$. \medskip @@ -419,7 +428,7 @@ If DDH holds in $\GG$, for each $k \in We will build an algorithm $\bdv$ for solving the Computational Diffie Hellman problem~(CDH) which is at least as hard as the DDH problem. The reduction $\bdv$ takes as input a tuple $(g, h, \Omega = h^\omega)$ and computes $g^\omega$. To generate $\mathsf{pk}$, $\bdv$ picks $\hat g - \sample \Gh$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \Zp$ and computes + \sample \U(\Gh)$, $a_{v_1}, \ldots, a_{v_\ell}, a_w \sample \U(\Zp)$ and computes $ v_1 = g^{a_{v_1}},$ \ldots, $ v_\ell = g^{a_{v_\ell}}$, and $w = g^{a_w}.$ Then $\bdv$ generates $\mathsf{tk} = \{ \chi_i \}_{i=1}^{2\ell + 4}$, $\mathsf{crs} = (\{ z_j\}_{j=1}^{\ell + 2}, \hat g_z, \{\hat g_i\}_{i=1}^{2\ell + 4})$ @@ -452,7 +461,7 @@ In this section, we give $\Sigma$-protocols (\cref{sse:sigma-protocols}) for iss %------------------------------------------------------------------------ \subsection{Proof of Knowledge of a Signature on a Committed Message} -We give $\Sigma$-protocols for proving the knowledge of a signature-message pair $({\sigma},\vec{m})$ satisfying the verification equation of the scheme of Section~\ref{scal-sig} +We give $\Sigma$-protocols for proving the knowledge of a signature-message pair $({\sigma},\vec{m})$ satisfying the verification equation~\eqref{sig-ver-1} of the scheme of Section~\ref{scal-sig} \begin{align} \label{eq-mult-sig} e(\Omega,\hat{g}_{2 \ell+4})^{-1} @@ -484,14 +493,16 @@ clear), proving knowledge of a valid signature still requires proving a statem \item Commit to $d_1:=\hat{g}_2^{m_1}\cdots\hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}\in\hat{\GG}$ and $d_2:=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}\in\hat{\GG}$. To this end, choose - $r_1,r_2\sample\ZZ_p$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$. - \item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\ZZ_p^\ell$, - choose $s_1,s_2,u_1,\ldots,u_\ell \sample\ZZ_p$ + $r_1,r_2\sample\U(\Zp)$ and compute $\hat{D}_1=d_1\cdot \hat{g}^{r_1}$ and $\hat{D}_2=d_2\cdot \hat{g}^{r_2}$. + + \item In order to prove knowledge of an opening of commitments $\hat{D}_1,\hat{D}_2\in\Gh$ to the same message $\vec{m}=(m_1,\ldots,m_\ell)\in\Zp^\ell$, + choose $s_1,s_2,u_1,\ldots,u_\ell \sample\U(\Zp)$ and compute $\hat{E}_1=\hat{g}_2^{u_1}\cdots\hat{g}_{\ell+1}^{u_\ell}\cdot \hat{g}^{s_1}$ and $\hat{E}_2=\hat{g}_{\ell+3}^{u_1}\cdots\hat{g}_{2 \ell+2}^{u_\ell}\cdot \hat{g}^{s_2}$. - \item Using $r_1,r_2 \in \ZZ_p$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$ + + \item Using the randomness $r_1,r_2 \in \Zp$ from step 1, define $\sigma_0 = \sigma_2^{r_1} \cdot \sigma_3^{r_2}$ and commit to $(\pi,\sigma_0 ,\sigma_1,\sigma_2,\sigma_3)\in\GG^5.$ - For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\ZZ_p$ at random and set $C_z=\pi \cdot g^{t_z}$, + For this purpose, choose $t_z,t_0,t_1,t_2,t_3\sample\U(\Zp)$ at random and set $C_z=\pi \cdot g^{t_z}$, $C_i=\sigma_i \cdot g^{t_i}$, for $i \in \{0,\ldots,3\}$, and $\hat{D}_0=\hat{g}_z^{t_z} \cdot \hat{g}_1^{t_1} \cdot \hat{D}_{1}^{t_2} \cdot \hat{D}_{2}^{t_3} \cdot \hat{g}^{-t_0}.$ @@ -499,15 +510,15 @@ clear), proving knowledge of a valid signature still requires proving a statem \item In order to prove (partial) knowledge of an opening to $(C_z,C_0,C_1,C_2,C_3,\hat{D}_0)$, compute $\hat{E}_0=\hat{g}_z^{v_z} \cdot \hat{g}_1^{v_1} \cdot \hat{D}_{1}^{v_2} \cdot \hat{D}_{2}^{v_3} \cdot \hat{g}^{-v_0}$ - for random $v_z,v_0,v_1,v_2,v_3\sample\ZZ_p$. + for random $v_z,v_0,v_1,v_2,v_3\sample \U(\Zp)$. \item Prove that $C_0$ is well-formed relatively to the committed values in $C_1,C_2$ and the coins - $r_1,r_2 \in \ZZ_p$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation + $r_1,r_2 \in \Zp$ used in $\hat{D}_1,\hat{D}_2$. To this end, prove knowledge of the representation $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot {g}^{t_4},$ where $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$. To do this, compute - $F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample\ZZ_p$ and where $s_1,s_2 \in \ZZ_p$ are the random coins used in $\hat{E}_1,\hat{E}_2$. - \item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \ZZ_p$ by picking $x_2,x_3,x_4\sample\ZZ_p$ and computing + $F_0=C_2^{s_1} \cdot C_3^{s_2} \cdot {g}^{v_4}$, for $v_4\sample \U(\Zp)$ and where $s_1,s_2 \in \Zp$ are the random coins used in $\hat{E}_1,\hat{E}_2$. + \item To prove that $t_4=t_0-r_1 \cdot t_2-r_2 \cdot t_3$, (re-)commit to $t_0,t_2,t_3,t_4 \in \Zp$ by picking $x_2,x_3,x_4\sample \U(\Zp)$ and computing $$T_i=g^{t_i} \cdot f^{x_i} \qquad \forall i \in \{0,2,3, 4\}, $$ where $x_0=x_2 \cdot r_1+x_3 \cdot r_2+x_4$. Ensure that committed variables coincide with those of previous steps by computing $$\{V_i=g^{v_i} \cdot f^{y_i}\}_{i \in \{0,2,3,4\} },$$ where - $y_0,y_2,y_3,y_4\sample\ZZ_p$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \ZZ_p$ from steps 2 and 5 to compute + $y_0,y_2,y_3,y_4\sample \U(\Zp)$. To prove the equality $T_0=T_2^{r_1} \cdot T_3^{r_2} \cdot T_4$, re-use $s_1,s_2 \in \Zp$ from steps 2 and 5 to compute $S_0=T_2^{s_1} \cdot T_3^{s_2}$. \medskip \item[~~~Finally,] keep $C_z\in\GG$ and all the random coins in $\mathsf{aux}$, @@ -523,8 +534,8 @@ clear), proving knowledge of a valid signature still requires proving a statem \end{enumerate} \vspace{-2mm} % \begin{description} -\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample\ZZ_p $ uniformly at random and return $\mathsf{chall}=\rho $. -\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\ZZ_p$: +\item[\textsf{Challenge}] Given $\mathsf{com}$ as per (\ref{eq-comm-2}), pick $\rho\sample \U(\Zp) $ uniformly at random and return $\mathsf{chall}=\rho $. +\item[\textsf{Response}] On inputs $\mathsf{com}$, $\mathsf{aux}$ and $\mathsf{chall}=\rho$, compute: % the following elements over $\Zp$: \end{description}\vspace{-4mm} %set $t_5=[t_4-t_1r_1-t_2r_2 \!\mod p]$ and \begin{enumerate} @@ -533,7 +544,7 @@ clear), proving knowledge of a valid signature still requires proving a statem \item $w_z= \rho\cdot t_z + v_z $ and $w_i= \rho\cdot t_i + v_i $, for $i=0$ to $3$; \item $w_4= \rho\cdot t_4 + v_4 $, where $t_4:=t_0-t_1 \cdot r_1-t_2 \cdot r_2$; \item $z_i= \rho\cdot x_i + y_i $ for each $i \in \{0,2,3,4\}$. \smallskip - \item[~~~Output] $\mathsf{resp}\in \GG\times \ZZ_p^{\ell+12}$ as + \item[~~~Output] $\mathsf{resp}\in \GG\times \Zp^{\ell+12}$ as \begin{align*} %\mathsf{resp}= \bigl( C_z,\{\bar{m}_i\}_{i=1}^\ell,\bar{r}_1,\bar{r}_2, @@ -609,16 +620,17 @@ a constant additive overhead. Remaining verifications of items 1,2,3 follow from the correctness of the built-in $\Sigma$-protocols. \medskip -\noindent \emph{Special-Soundness.} Let us assume two accepting transcripts $(\mathsf{com},\rho,\mathsf{resp})$, $(\mathsf{com},\rho',\mathsf{resp}')$ with $\rho \neq \rho'$. + \scbf{Special-Soundness.} + We assume two accepting transcripts $(\mathsf{com},\rho,\mathsf{resp})$, $(\mathsf{com},\rho',\mathsf{resp}')$ with $\rho \neq \rho'$. The special soundness of the sub-protocols involving $\hat{D}_1,\hat{D}_2$ (with $\hat{E}_1,\hat{E}_2$) - -- consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify} -- - ensures the extraction of $m_1,\ldots,m_\ell,r_1,r_2 $ satisfying - $\hat{D}_1=d_1\cdot\hat{g}^{r_1}$, where $d_1=\hat{g}_2^{m_1}\cdots \hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}$, and - $\hat{D}_2=d_2\cdot\hat{g}^{r_2}$, where $d_2=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}$. - From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z,t_0,t_1,t_2,t_3,t_4)$ such + --\,consisting of steps 1 and 2 of \textsf{Commit} and step 1 of \textsf{Verify}\,-- + ensures the extraction of $m_1,\ldots,m_\ell,r_1,r_2 $ satisfying + $\hat{D}_1=d_1\cdot\hat{g}^{r_1}$, where $d_1=\hat{g}_2^{m_1}\cdots \hat{g}_{\ell+1}^{m_\ell}\cdot\hat{g}_{\ell+2}$, and + $\hat{D}_2=d_2\cdot\hat{g}^{r_2}$, where $d_2=\hat{g}_{\ell+3}^{m_1}\cdots\hat{g}_{2 \ell+2}^{m_\ell}\cdot\hat{g}_{2\ell+3}$. + From step 2 of $\mathsf{Verify}$, a similar argument on $\hat{D}_0$ (with $\hat{E}_0$) implies the extractability of $(t_z,t_0,t_1,t_2,t_3,t_4)$ such that $\hat{D}_0={\hat{g}_z}^{t_z} \cdot {\hat{g}_1}^{t_1} \cdot {\hat{D}_{1}}^{t_2} \cdot {\hat{D}_{2}}^{t_3} \cdot {\hat{g}}^{-t_0}.$ - Moreover, together with previously extracted $(r_1,r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$. - % + Moreover, together with previously extracted $(r_1,r_2)$, step 2 of $\mathsf{Verify}$ also guarantees that $t_4$ satisfies $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$. + % We now state that quantities $\{\sigma_i=C_i\cdot {g}^{-t_i}\}_{i \in \{1,2,3\}}$ and $\pi=C_z\cdot {g}^{-t_z}$ satisfy (\ref{sig-ver-1}), so that, together with $\vec{m}=(m_1,\ldots,m_\ell)$, they form a valid witness for $R_{sig}$. Namely, @@ -635,7 +647,7 @@ a constant additive overhead. % We are thus left with showing that $\sigma_0=\sigma_2^{r_1} \cdot \sigma_3^{r_2}$ or, equivalently, $e(\sigma_0,\hat{g})=e(\sigma_2,\hat{g}^{r_1}) \cdot e(\sigma_3,\hat{g}^{r_2})$. Remember that, from step 2 of $\mathsf{Verify}$, we know that - extracted $(r_1,r_2,t_4) \in \ZZ_p^3$ form a representation of $C_0$ {w.r.t.} + extracted $(r_1,r_2,t_4) \in \Zp^3$ form a representation of $C_0$ {w.r.t.} the base $(C_0,C_2,g)$: i.e., $C_0=C_2^{r_1} \cdot C_3^{r_2} \cdot g^{t_4}$, which, from the definition of $\sigma_0,\sigma_2,\sigma_3$, yields $\sigma_0\cdot g^{t_0}=\sigma_2^{r_1} \cdot \sigma_3^{r_2} \cdot g^{t_2 \cdot r_1+t_3 \cdot r_2+t_4}$. Hence, we are done if we can show that $t_0=t_2r_1+t_3r_2+t_4$. But this exactly what step 3 of $\mathsf{Verify}$ and the @@ -646,30 +658,31 @@ a constant additive overhead. representation. \medskip -\noindent \emph{Perfect SHVZK.} + \scbf{Perfect SHVZK.} To show this property we must build a simulator that, on input of a challenge - $\mathsf{chall}=\rho \in_R \ZZ_p$, emulates a valid transcript without any witness. + $\mathsf{chall}=\rho \in_R \Zp$, emulates a valid transcript without any witness. First, we need to compute a random tuple $C_z,\{C_i\}_{i=0}^3,\{\hat{D}\}_{i=0}^2$ constrained to satisfy the verification equation (\ref{eq-vrf-2}). \vspace{-1mm} From the identity $e(\Omega,\hat{g}_{2\ell+4})^{-1}=e(\Omega^{-1},\hat{g}_{2\ell+4})$ we first pick - $a_0,a_1,a_2,a_z\gets\ZZ_p$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}= + $a_0,a_1,a_2,a_z\gets\Zp$, $\hat{D}_1\gets\Gh$ and we have $e(\Omega,\hat{g}_{2\ell+4})^{-1}= e(\Omega^{-1},\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}) \cdot e(\Omega^{a_0},\hat{g})\cdot e(\Omega^{a_1},\hat{g}_1)\cdot e(\Omega^{a_2},\hat{D}_1) \cdot e(\Omega^{a_z},\hat{g}_z)$, so that we can set $C_0=\Omega^{-a_0}$, $C_1=\Omega^{a_1}$, $C_2=\Omega^{a_2}$ and $C_z=\Omega^{a_z}$. Let $\hat{B}:=\hat{g}_{2\ell+4}\cdot\hat{g}^{a_0}\hat{g}_1^{a_1}\hat{D}_1^{a_2}\hat{g}_z^{a_z}$. - Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\ZZ_p$ since + Now, we can introduce the constant $g \in \GG$ in the equation by picking $a_g\gets\Zp$ since $e(\Omega^{-1},\hat{B})=e(\Omega^{-1} \cdot g^{a_g},\hat{B})\cdot e(g,\hat{B}^{-a_g})$. Then, we finally set $\hat{D}_0=\hat{B}^{a_g}$, $\hat{D}_2=\hat{B}^{a_3}$ and $C_3=(\Omega^{-1} \cdot g^{a_g})^{1/a_3}$ for a - random $a_3\gets\ZZ_p$. + random $a_3\gets\Zp$. %\vspace{-1mm} To complete the simulated transcript, we run a parallel execution of the simulators of all $\Sigma$-protocols used as subroutines. - More explicitly, first pick $\rho\sample\ZZ_p$ and - $\bar{m}_1,\ldots,\bar{m}_\ell,\bar{r}_1,\bar{r}_2,w_z,w_0,\ldots,w_4,z_0,z_2,z_3,z_4\sample\ZZ_p$. Also, - choose $T_0,T_2,T_3,T_4\sample\GG$ and do the following: + More explicitly, first pick $\rho\sample \U(\Zp)$ and + \[ \bar{m}_1, \ldots, \bar{m}_\ell, \bar{r}_1, \bar{r}_2, w_z, w_0, \ldots, w_4, z_0, z_2, z_3, z_4\sample \U(\Zp).\] + Also, + choose $T_0, T_2, T_3, T_4 \sample \U(\GG)$ and do the following: \begin{enumerate} \item Compute \[\hat{E}_1 = (\hat{D}_1/\hat{g}_{\ell+2})^{\,-\rho}\cdot \hat{g}_2^{\,\bar{m}_1}\cdots\hat{g}_{\ell+1}^{\,\bar{m}_\ell}\cdot g^{\bar{r}_1}\] and, similarly, @@ -695,7 +708,7 @@ In the protocol some randomizing steps are included as well as other additional \noindent \textbf{The protocol.} % At the beginning of a new run of the protocol, the committer has a vector ${\mathbf{m}}=(m_1,\ldots,m_\ell)$, the public-key of the signature scheme and the extra generator $u\in\GG$ (which can be a hashed point), the signer also has the secret key of the signature scheme but not ${\mathbf{m}}$. -To get a signature on ${\mathbf{m}}$, the committer picks $r\sample\ZZ_p$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$. +To get a signature on ${\mathbf{m}}$, the committer picks $r\sample \U(\Zp)$ and computes a perfectly hiding commitment $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}\in\GG$. Besides, it also computes the elements $c_z = z_2^{m_1}\cdots z_{\ell+1}^{m_\ell}\cdot u^{t_z}$. %and $c_r = r_2^{m_1}\cdots r_{\ell+1}^{m_\ell}\cdot u^{t_r}$. The signer receives these commitments and they both engage in an interactive proof of knowledge of an equal representation of $c_v$ relatively to the basis $(v_1,\ldots,v_\ell;u)$ and $c_z$ relatively to the basis $(z_2,\ldots,z_{\ell+1};u)$, @@ -710,7 +723,7 @@ Depending on the success of the proof the signer computes what we can call a ``p %r_0 & = r_1^\omega \cdot c_r^s \cdot r_{\ell+2}^s , \end{align*} %and $(z_d,r_d)=(z_{\ell+3}^s,r_{\ell+3}^s)$, -for a random $s\sample\ZZ_p$. In the final step, the user received the pre-signature, then picks $s'\sample\ZZ_p$ and computes +for a random $s\sample \U(\Zp)$. In the final step, the user received the pre-signature, then picks $s'\sample \U(\Zp)$ and computes $(\sigma_1, \sigma_2, \sigma_3, \pi) \in \GG^4$ as follows \begin{align*} \sigma_1 & = \tau_1 \cdot\tau_0^{-r} @@ -729,7 +742,7 @@ In comparison, the construction of \cite{CL02a} requires groups of larger hidde \noindent \textbf{Security.} % We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol. -In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip +In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\Zp$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip \noindent \textbf{Remark.} % @@ -770,7 +783,7 @@ with prospective users. However, this limitation can be removed using an extract where %$\Omega=h^\omega$ and $\mathsf{crs} = \big(\{{z}_j\}_{j=1}^{3}, \hat g_z, \{\hat g_i\}_{i=1}^{6} \big)$. - \item Pick $x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \sample \Zp$ and set + \item Pick $x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \sample \U(\Zp)$ and set \begin{align*} X_z & = g^{x_z} h^{y_z}, & X_\sigma & = g^{x_\sigma} h^{y_\sigma}, & X_\ID & = g^{x_\ID} h^{y_\ID}. \end{align*} @@ -790,7 +803,7 @@ with prospective users. However, this limitation can be removed using an extract %$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$ \end{description} \vspace{-2mm} \begin{enumerate} - \item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to + \item $\U_i$ chooses ${\ID \sample \U(\Zp)}$ and sends the following to $\GM$: $(V_\ID, Z_{\ID}, \hat G_{2, \ID}, \hat G_{4, \ID}) = (v^\ID, z_2^\ID, \hat g_2^\ID, \hat g_4^\ID)$ @@ -812,7 +825,7 @@ with prospective users. However, this limitation can be removed using an extract this purpose. Let $\pi_K(\ID)$ denote the interaction transcript. \item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of - section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and + section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \U(\Zp)$, and uses $\mathcal{S}_\GM = \omega$ to compute $\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$ and @@ -840,11 +853,11 @@ with prospective users. However, this limitation can be removed using an extract does the following: \end{description} \vspace{-2mm} \begin{enumerate} - \item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \Zp$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$, + \item Re-randomize the certificate $\crt_i$. Namely, choose $r \sample \U(\Zp)$ and compute $\tilde \sigma_2 = \sigma_2 \cdot g^r$, $\tilde \sigma_3 = \sigma_3 \cdot h^r$, $\tilde \sigma_1 = \sigma_1 \cdot (v^\ID \cdot w)^r$, $\tilde \pi = \pi \cdot (z_2^\ID \cdot z_3)^r$. \item Encrypt elements $\tilde \pi$, $\tilde \sigma_1$ and $v^\ID$ from the membership certificate. - Specifically, choose $\theta \sample \Zp$ and compute the Cramer-Shoup ciphertext + Specifically, choose $\theta \sample \U(\Zp)$ and compute the Cramer-Shoup ciphertext $C_{\mathsf{CS}}=(C_1,C_2,C_z,C_{\sigma},C_{\ID})$, where $C_1 = g^\theta$, $C_2 = h^\theta$, \begin{align*} C_z & = \tilde \pi \cdot X_z^\theta, & @@ -865,7 +878,7 @@ with prospective users. However, this limitation can be removed using an extract & = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{\theta} \cdot\big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-\ID} . \end{align*} - Namely, sample random $r_\ID, r_\theta \sample \Zp$, compute + Namely, sample random $r_\ID, r_\theta \sample \U(\Zp)$, compute \begin{eqnarray*} &\begin{aligned} R_1 &= g^{r_\theta}, & @@ -997,7 +1010,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature. \begin{description} \item[Game 0:] This is the real CCA-anonymity game.\\ - In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that + In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d \sample \U(\bit)$. We define $W_0$ to be the event that the adversary outputs $d'=d$. \item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event, @@ -1015,7 +1028,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature. \item[Game 2:] We change the way to generate the challenge signature $ \Sigma^\star $. Instead of faithfully running the Schnorr-like protocol, we use the HVZK-simulator to produce the proofs $s_\theta, s_\ID$ without knowing the witnesses - $\theta, \ID$. Namely, we pick $c,~ s_\theta,~ s_\ID \sample \Zp$ at random and set $ R_1 = g^{s_\theta} \cdot C_1^{-c}$, $R_2 = h^{s_\theta} \cdot C_2^{-c},$ + $\theta, \ID$. Namely, we pick $c,~ s_\theta,~ s_\ID \sample \U(\Zp)$ at random and set $ R_1 = g^{s_\theta} \cdot C_1^{-c}$, $R_2 = h^{s_\theta} \cdot C_2^{-c},$ $R_3 = v^{s_\ID} \cdot X_{\ID}^{s_\theta} \cdot C_{\ID}^{-c}$ as well as %\begin{multline*} %R_4 = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} \\ @@ -1037,11 +1050,11 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature. The distribution of $(C_z, C_\sigma, C_\ID)$ remains the same and we have $\Pr[W_3] = \Pr[W_2]$. \item[Game 4:] Here, we modify the distribution of the challenge signature and replace $C_2 = h^\theta$ by $C_2 = h^{\theta + \theta'}$, for a randomly chosen $\theta' - \sample \Zp$. We prove in Lemma~\ref{le-gsig-3} that + \sample \U(\Zp)$. We prove in Lemma~\ref{le-gsig-3} that $\left| \Pr[W_4] - \Pr[W_3] \right| \leq \advantage{\DDH}{\GG}(\lambda)$. \item[Game 5:] We introduce one more change. Instead of sampling $h \in_R \Zp$, - the challenger chooses a random $\alpha \sample \Zp$ at the beginning of the game, sets $h = g^\alpha$ and retains the information $\alpha = \log_g(h)$ (note that + the challenger chooses a random $\alpha \sample \U(\Zp)$ at the beginning of the game, sets $h = g^\alpha$ and retains the information $\alpha = \log_g(h)$ (note that we are done with the DDH assumption and we can henceforth use $\alpha=\log_g(h)$). At each signature opening query, the challenger returns $\perp$ on any signature $\Sigma=(C_1, C_2, C_z, C_\sigma, C_\ID, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)$ such @@ -1113,7 +1126,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip Our reduction $\bdv$ takes as input a DDH instance $(g^a, g^b, \eta)$, where $\eta = g^{a(b+c)}$ and has to decide with non-negligible probability $\varepsilon$ whether $c = 0$ or $c \in_R \Zp$. To achieve this, $\bdv$ sets $h = g^a$ and computes the challenge signature as $ C_1 = g^b$ and $ C_2 = \eta$. The rest of the game continues like in Game $3$ (which is also the same as in Game $2$). - If $\adv$ wins and correctly guesses $d'=d \in \{0,1\}$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$. + If $\adv$ wins and correctly guesses $d'=d \in \bit$, $\bdv$ outputs $1$, meaning that $C_2 = h^{b } = g^{ab}$. Otherwise, $\bdv$ returns $0$ meaning that $(g^a, g^b, \eta) \in_R \GG^3$. \\ It is easy to see that $\bdv$'s advantage as a DDH distinguisher is $\varepsilon$ if $|\Pr[W_4]-\Pr[W_3]|=\varepsilon$. %\vspace{-1mm} @@ -1238,7 +1251,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re \begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ \indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. -At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$. +At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \U(\Zp)$. In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip \\ @@ -1252,7 +1265,7 @@ In addition, $\bdv$ must be able to answer the following queries. %\item[-] If $j \neq j^\star$, $\bdv$ follows the exact specification of $\mathsf{J}_{\mathsf{user}}$. %\item[-] If $j=j^\star$,... %\end{itemize} -At step 1 of $\mathsf{Join}$, $\bdv$ picks a random $\delta_i \sample \Zp$ and uses $\mathsf{tk}$ to compute the tuple +At step 1 of $\mathsf{Join}$, $\bdv$ picks a random $\delta_i \sample \U(\Zp)$ and uses $\mathsf{tk}$ to compute the tuple $(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$, for an unknown $\scr_{i}=\ID_i=a\cdot\delta_i \in \Zp$, that $\mathsf{J}_{\mathsf{GM}}$ expects at step 1 of the join protocol. Namely, $\bdv$ computes the vector $ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as @@ -1277,8 +1290,8 @@ Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$. \item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm. While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the - non-interactive proof $(c, s_\ID, s_\theta)$, for a randomly chosen challenge $c \sample \Zp$ by programming the random oracle. -More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \sample \Zp$ and computing + non-interactive proof $(c, s_\ID, s_\theta)$, for a randomly chosen challenge $c \sample \U(\Zp)$ by programming the random oracle. +More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \sample \U(\Zp)$ and computing \begin{align*} \tilde\sigma_1 & = \sigma_1 \cdot (V_i\cdot w)^r & \tilde \sigma_2 & = \sigma_2 \cdot g^r, \\ \tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r. @@ -1369,7 +1382,7 @@ Another caveat is that, unlike the two previous systems, the opening complexity In 2015, Pointcheval and Sanders~\cite{PS16} gave another instantiation of~\cite{BCN+10} based on a variant of the LRSW assumption in the asymmetric setting (meaning using only Type III pairings), which provides even shorter signatures than \cite{BCN+10} with the same downsides. -Their scheme provides signatures composed of only $2$ group elements in $\GG$ and $2$ scalars in $\Zp$. +Their scheme provides signatures composed of only $2$ group elements in $\GG$ and $2$ scalars in~$\Zp$. Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is diff --git a/these.bib b/these.bib index f29ad8e..c9033b3 100644 --- a/these.bib +++ b/these.bib @@ -1,13 +1,4 @@ % Encoding: UTF-8 -@InCollection{BCKL08, - author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna}, - title = {{P}-signatures and Noninteractive Anonymous Credentials}, - booktitle = {{TCC}}, - publisher = {Springer}, - year = {2008}, - number = {4948}, - series = {LNCS}, -} @InCollection{CL04, author = {Camenisch, Jan and Lysyanskaya, Anna}, @@ -210,10 +201,10 @@ pages = {1--5}, } -@InProceedings{BCKL08a, +@InProceedings{BCKL08, author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna}, - title = {P-signatures and Noninteractive Anonymous Credentials}, - booktitle = {{TCC'08}}, + title = {{P-signatures and Noninteractive Anonymous Credentials}}, + booktitle = {{TCC}}, year = {2008}, number = {4948}, series = {LNCS}, @@ -2726,4 +2717,27 @@ publisher = {Springer}, } +@InProceedings{NFHF09, + author = {Nakanishi, Toru and Fujii, Hiroki and Hira, Yuta and Funabiki, Nobuo}, + title = {{Revocable Group Signature Schemes with Constant Costs for Signing and Verifying}}, + booktitle = {{PKC}}, + year = {2009}, + series = {LNCS}, + pages = {463--480}, + publisher = {Springer}, + abstract = {Lots of revocable group signature schemes have been proposed so far. In one type of revocable schemes, signing and/or verifying algorithms have O(N) or O(R) complexity, where N is the group size and R is the number of revoked members. On the other hand, in Camenisch-Lysyanskaya scheme and the followers, signing and verifying algorithms have O(1) complexity. However, before signing, updates of the secret key are required. The complexity is O(R) in the worst case. In this paper, we propose a revocable scheme with signing and verifying of O(1) complexity, where no updates of secret key are required. The compensation is the long public key of O(N). In addition, we extend it to the scheme with {\$}O({\backslash}sqrt{\{}N{\}}){\$} -size public key, where signing and verifying have constant extra costs.}, + isbn = {978-3-642-00468-1}, +} + +@InProceedings{CZ09, + author = {Camenisch, Jan and Zaverucha, Gregory M.}, + title = {Private Intersection of Certified Sets}, + booktitle = {Financial Cryptography}, + year = {2009}, + pages = {108--127}, + address = {Berlin, Heidelberg}, + publisher = {Springer}, + isbn = {978-3-642-03549-4}, +} + @Comment{jabref-meta: databaseType:bibtex;}