fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Corrections

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-06-19 13:22:35 +02:00
parent 0db1043246
commit 7029acd8c2
2 changed files with 31 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
chap-GS-LWE.tex
View File

@ -1,10 +1,10 @@
In this chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion.
As a consequence, it is possible to construct lattice-based anonymous credential from this building block.
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
In this chapter, we present the first dynamic group signature scheme based on lattice assumptions.
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, which is used in a similar manner.
As a consequence, it is possible to design lattice-based anonymous credentials from this building block.
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} transform to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
The group signature security is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
For security parameter $\lambda$ and for group of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
@ -29,7 +29,7 @@ In particular, the cost of moving to dynamic group is reasonable: while using th
\label{table:lattice-gs-comparison}
\end{table}
The signature scheme with efficient protocols is here built upon the $\SIS$-based signature of Böhl \textit{et al.}~\cite{BHJ+15}, which is itself a variant of Boyen's signature~\cite{Boy10}.
The signature scheme with efficient protocols is built upon the $\SIS$-based signature of Böhl \textit{et al.}~\cite{BHJ+15}, which is itself a variant of Boyen's signature~\cite{Boy10}.
The latter scheme involves a public key containing matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell \in \Zq^{n \times m}$ and signs an $\ell$-bit message $\mathfrak m \in \bit^\ell$ by computing a short vector $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \mathfrak m[j] \mathbf{A}_j ]} \cdot \mathbf{v} = \mathbf 0^n \bmod q$.
The variant proposed by Böhl \textit{et al.} only uses a constant number of matrices $\mathbf{A}, \mathbf{A}_0, \mathbf{A}_1 \in \Zq^{n \times m}$ where each signature is assigned with a single-use tag $\tau$ and the public key involves an extra matrix $\mathbf{D} \in \Zq^{n \times m}$ and a vector $\mathbf{u} \in \Zq^n$.
A message $\mathfrak m$ is then signed by first applying a chameleon hash function $\mathbf{h} = \mathcal{H}(\mathfrak m, \mathbf{s}) \in \bit^m_{}$ and signing $\mathbf{h}$ by computing a short $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \tau \mathbf{A}_1 ]} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$.