Corrections
This commit is contained in:
parent
0db1043246
commit
7029acd8c2
@ -122,7 +122,7 @@ $\mathcal{G}_r(1^\lambda)$ which samples public/secret parameters for the relati
|
||||
return $1$ whenever $(x,w)\in R$. To encrypt a witness $w$ such that $(x,w) \in R$ for some public $x$, the sender fetches the pair $(\pk,\crt_{\pk})$
|
||||
from $\mathsf{database}$ and runs the randomized encryption algorithm. The latter takes as input $w$, a label $L$, the receiver's pair $(\pk,\crt_{\pk})$ as
|
||||
well as public keys $\pk_{\GM}$ and $\pk_{\OA}$. Its output is a ciphertext
|
||||
$\Psi \leftarrow \mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$.
|
||||
$\Psi \gets \mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$.
|
||||
On input of the same elements, the certificate $\crt_{\pk}$, the ciphertext $\Psi$ and the random coins $coins_{\Psi}$ that were used to produce $\Psi$, the
|
||||
non-interactive algorithm $\mathsf{PP}$ generates a proof $\pi_{\Psi}$ that there exists a certified receiver whose public key was registered in $\mathsf{database}$ and
|
||||
who is able to decrypt $\Psi$ and obtain a witness $w$ such that $(x,w) \in R$. The verification algorithm $\mathcal{V}$ takes as input $\Psi$, $\pk_{\GM}$,
|
||||
@ -137,7 +137,7 @@ that pk belongs to the language of valid public keys. Here, we are implicitly as
|
||||
of valid public keys is dense (all matrices are valid keys, as is the case in our scheme).
|
||||
|
||||
In the upcoming definitions, we sometimes use the notation
|
||||
\[ \langle \mathsf{output}_A |\mathsf{output}_B \rangle \allowbreak \leftarrow \langle A(\mathsf{input}_A),B(\mathsf{input}_B) \rangle (\mathsf{common\textrm{-}input}) \]
|
||||
\[ \langle \mathsf{output}_A |\mathsf{output}_B \rangle \allowbreak \gets \langle A(\mathsf{input}_A),B(\mathsf{input}_B) \rangle (\mathsf{common\textrm{-}input}) \]
|
||||
to denote the execution of a protocol between $A$ and $B$ obtaining their own outputs from their respective inputs.
|
||||
\medskip
|
||||
|
||||
@ -148,7 +148,7 @@ probability.
|
||||
|
||||
\begin{center}
|
||||
\procedure{Experiment $\Expt^{\mathrm{correctness}}(\lambda)$}{
|
||||
\mathsf{param} \leftarrow
|
||||
\mathsf{param} \gets
|
||||
\mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{R},\sk_{R})
|
||||
\gets \mathcal{G}_r (\lambda); (x,w) \leftarrow \mathsf{sample}_{R}
|
||||
(\pk_{R},\sk_{R}); \\
|
||||
@ -384,11 +384,11 @@ encryption of a message of its choice from a random element of the ciphertext sp
|
||||
\procedure{Experiment $\Expt^{\mathrm{ROR}}_{\adv}(\lambda)$}{
|
||||
\ID^\star \gets \adv(\textsf{id}, \lambda); (\mathsf{PP}, \textsf{msk}) \gets \mathsf{Setup}(1^\lambda);~\\
|
||||
M \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}_\textsf{Ch}(\mathsf{PP});\\
|
||||
b \sample U(\bit);\\
|
||||
b \sample \U(\bit);\\
|
||||
\pcif b = 1 \pcthen\\
|
||||
\pcind C^\star \gets \mathsf{Encrypt}_\mathsf{PP}(M, \ID^\star) \\
|
||||
\pcelse\\
|
||||
\pcind C^\star \gets U(\mathcal{C});\\
|
||||
\pcind C^\star \sample \U(\mathcal{C});\\
|
||||
b' \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}(\textsf{guess},C^\star);\\
|
||||
\pcif b = b' \pcthen\\
|
||||
\pcind \pcreturn 1\\
|
||||
@ -413,8 +413,8 @@ encryption of a message of its choice from a random element of the ciphertext sp
|
||||
$q, n, \sigma, \alpha$ and define $k =\lfloor \log q \rfloor$, $\bar{m}= nk$, $m = 2 \bar{m}$ and choose a noise distribution $\chi$ for $\LWE$.
|
||||
\begin{enumerate}
|
||||
\item Compute $(\bar{\mathbf A}, \mathbf{T}_{\bar{\mathbf{A}}}) \gets \TrapGen(1^n, 1^m, q)$.
|
||||
\item Define $\mathbf{G} = \mathbf{I}_n \otimes [1|2|\ldots |2^{k-1}] \in \ZZ_q^{n \times \bar{m}}$. Sample matrices $\mathbf B \sample U(\ZZ_q^{ n \times \bar{m}}) $,
|
||||
$ \mathbf U \sample U(\Zq^{n \times m})$.
|
||||
\item Define $\mathbf{G} = \mathbf{I}_n \otimes [1|2|\ldots |2^{k-1}] \in \ZZ_q^{n \times \bar{m}}$. Sample matrices $\mathbf B \sample \U(\ZZ_q^{ n \times \bar{m}}) $,
|
||||
$ \mathbf U \sample \U(\Zq^{n \times m})$.
|
||||
\item Let $\mathsf{FRD}: \Zq^n \to \Zq^{n \times n}$ be the full-rank difference mapping from~\cite{ABB10}.
|
||||
\end{enumerate} Output
|
||||
$
|
||||
@ -431,7 +431,7 @@ encryption of a message of its choice from a random element of the ciphertext sp
|
||||
\item[\textsf{Encrypt}$_\mathsf{PP}(\ID,\mathbf m)$:] Given an identity $\ID$ and a message $\mathbf m \in \bit^m$, \smallskip
|
||||
\begin{enumerate}
|
||||
\item Compute the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$.
|
||||
Sample vectors $\mathbf s \sample U(\Zq^n), \mathbf x, \mathbf y \sample \chi^m$, $\mathbf R \sample D_{\ZZ,\sigma}^{m \times \bar{m}}$ and compute
|
||||
Sample vectors $\mathbf s \sample \U(\Zq^n), \mathbf x, \mathbf y \sample \chi^m$, $\mathbf R \sample D_{\ZZ,\sigma}^{m \times \bar{m}}$ and compute
|
||||
$\mathbf z = \mathbf R^T \cdot \mathbf y \in \ZZ^m$.
|
||||
\item Compute
|
||||
\begin{equation} \label{eq:ABB-c}
|
||||
@ -770,7 +770,7 @@ This relation is in the same spirit as the one of Kiayias, Tsiounis and Yung \ci
|
||||
\item[6.] Let $\mathsf{FRD}: \mathbb{Z}_q^{n} \rightarrow \mathbb{Z}_q^{n \times n}$ be the full-rank difference mapping from~\cite{ABB10}.
|
||||
\item[7.] Pick a random matrix $\mathbf{F} \leftarrow \mathbb{Z}_q^{2n \times n \bar{m}k}$, which will be used to hash users' public keys from $\Zq^{n \times \bar{m}}$ to $\mathbb{Z}_q^n$.
|
||||
% \item[7.] Pick matrices $\mathbf{A}_0,\mathbf{A}_1,\ldots,\mathbf{A}_{\ell}, \mathbf{D}_1 \xleftarrow{\$} \Zq^{n \times m}$, $\mathbf{D}, \mathbf{D}_0 \xleftarrow{\$} \mathbb{Z}_q^{n \times %nk}$ and vector $\mathbf{u} \xleftarrow{\$} \Zq^n$. These objects will be used for verifying the membership certificates issued by GM.
|
||||
\item[8.] Let $\mathbf{G} \in \Zq^{n \times \bar{m}}$ be the gadget matrix $\mathbf{G}= \mathbf{I}_n \otimes \begin{bmatrix} 1 & 2 & \ldots & 2^{k-1} \end{bmatrix}$ of \cite{MP12}. Pick matrices $\bar{\mathbf{A}}, \mathbf{U} \leftarrow U(\mathbb{Z}_q^{n \times m})$ and $\mathbf{V} \leftarrow U(\mathbb{Z}_q^{n \times m})$. Looking ahead, $\mathbf{U}$ will be used to encrypt for the receiver while $\mathbf{V}$ will be used
|
||||
\item[8.] Let $\mathbf{G} \in \Zq^{n \times \bar{m}}$ be the gadget matrix $\mathbf{G}= \mathbf{I}_n \otimes \begin{bmatrix} 1 & 2 & \ldots & 2^{k-1} \end{bmatrix}$ of \cite{MP12}. Pick matrices $\bar{\mathbf{A}}, \mathbf{U} \sample \U(\mathbb{Z}_q^{n \times m})$ and $\mathbf{V} \sample \U(\mathbb{Z}_q^{n \times m})$. Looking ahead, $\mathbf{U}$ will be used to encrypt for the receiver while $\mathbf{V}$ will be used
|
||||
to encrypt the user's public key under the $\OA$'s public key. As for $\bar{\mathbf{A}}$, it will be used in two instances of the ABB encryption scheme \cite{ABB10}. \smallskip \smallskip
|
||||
\end{itemize}
|
||||
Output
|
||||
@ -780,10 +780,10 @@ This relation is in the same spirit as the one of Kiayias, Tsiounis and Yung \ci
|
||||
\end{eqnarray*}
|
||||
\item[$\langle
|
||||
\mathcal{G}_r, \mathsf{sample}_{R}
|
||||
\rangle$:] Algorithm $\mathcal{G}_r(1^\lambda,1^n,1^m)$ proceeds by sampling a random matrix $\mathbf{A}_R \leftarrow U(\Zq^{n \times m})$ and outputting
|
||||
\rangle$:] Algorithm $\mathcal{G}_r(1^\lambda,1^n,1^m)$ proceeds by sampling a random matrix $\mathbf{A}_R \sample \U(\Zq^{n \times m})$ and outputting
|
||||
$(\pk_{R},\sk_{R})=(\mathbf{A}_R,\varepsilon)$. On input of a public key
|
||||
$\pk_{R}=\mathbf{A}_R \in \Zq^{n \times m}$ for the relation $\mathrm{R}_{\ISIS}$, algorithm
|
||||
$\mathsf{sample}_{R}$ picks $\mathbf{w} \leftarrow U(\{0,1\}^m)$ and outputs a pair $((\mathbf{A}_R,\mathbf{u}_R),\mathbf{w})$, where $\mathbf{u}_R =\mathbf{A}_R \cdot \mathbf{w} \in \Zq^n$.
|
||||
$\mathsf{sample}_{R}$ picks $\mathbf{w} \sample \U(\{0,1\}^m)$ and outputs a pair $((\mathbf{A}_R,\mathbf{u}_R),\mathbf{w})$, where $\mathbf{u}_R =\mathbf{A}_R \cdot \mathbf{w} \in \Zq^n$.
|
||||
|
||||
|
||||
\item[$\mathsf{SETUP_{\GM}}(\param)$:] The $\GM$ generates $(\sk_\GM,\pk_\GM) \leftarrow \mathsf{Keygen}(1^\lambda,q,n,m,\ell,\sigma)$ as a key pair for the $\SIS$-based signature scheme of \cite{LLM+16} (as recalled in \cref{se:gs-lwe-sigep}). This key pair
|
||||
@ -827,7 +827,7 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
|
||||
where $\tau= \tau[1] \ldots \tau[\ell] \in \{0,1\}^{\ell}$, as in the scheme of \cref{se:gs-lwe-sigep}. \smallskip
|
||||
\end{enumerate}
|
||||
$\mathsf{U}$ verifies that $\crt_{\mathsf{U}}$ is tuple of the form (\ref{eq:cert-description}) satisfying (\ref{eq:cert-verification}) and returns~$\perp$ if it is not the case.
|
||||
The $\GM$ stores $(\pk_{\mathsf{U}},\crt_\mathsf{U})$ in the user database $\mathsf{database}$ and returns the certificate $\crt_\mathsf{U}$ to the new user $\U$. \medskip
|
||||
The $\GM$ stores $(\pk_{\mathsf{U}},\crt_\mathsf{U})$ in the user database $\mathsf{database}$ and returns the certificate $\crt_\mathsf{U}$ to the new user $\mathsf{U}$. \medskip
|
||||
% \begin{eqnarray}\label{eq:cert-pk}
|
||||
%\mathsf{cert}_{\mathsf{pk}} = (\mathbf{h_M}, sig_{\mathbf{M}}).
|
||||
%\end{eqnarray}
|
||||
@ -842,7 +842,7 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
|
||||
%Define $\mathbf{B}_{\vk} = \mathbf{B}_\mathsf{U} + \mathbf{H}_{\vk}\cdot \mathbf{G} \in \mathbb{Z}_q^{n \times m}$.
|
||||
\item[3.] Encrypt the witness $\mathbf{w} \in \{0,1\}^m$ under $\mathsf{U}$'s public key $\mathbf{B}_\mathsf{U} \in \Zq^{n \times \bar{m}}$ using the tag $\vk$ by taking the following steps: \smallskip
|
||||
\begin{enumerate}
|
||||
\item[a.] Sample $\mathbf{s}_{\rec} \leftarrow U(\mathbb{Z}_q^n)$, $\mathbf{R}_{\rec} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}} $ and
|
||||
\item[a.] Sample $\mathbf{s}_{\rec} \leftarrow \U(\mathbb{Z}_q^n)$, $\mathbf{R}_{\rec} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}} $ and
|
||||
$\mathbf{x}_{\rec}, \mathbf{y}_{\rec} \leftarrow \chi^m$. Compute $\mathbf{z}_{\rec} = \mathbf{R}_{\rec}^T\cdot \mathbf{y}_{\rec} \in \mathbb{Z}^{\bar{m}}$.
|
||||
\item[b.] Compute
|
||||
\begin{eqnarray}\label{eq:c-recipient}
|
||||
@ -862,7 +862,7 @@ $(\sk_{\OA},\pk_{\OA})=(\mathbf{T}_{\OA},\mathbf{B}_{\OA})$.
|
||||
\item[4.] Encrypt the decomposition $\mathsf{vdec}_{n,q-1}(\mathbf{h_\mathsf{U}}) \in \{0,1\}^{m}$ of the hashed $\pk_\mathsf{U}$ under
|
||||
the $\OA$'s public key $\mathbf{B}_{\OA} \in \Zq^{n \times \bar{m}}$ w.r.t. the tag $\vk \in \Zq^n$. Namely, conduct the following steps: \smallskip
|
||||
\begin{enumerate}
|
||||
\item[a.] Sample $\mathbf{s}_{\mathsf{oa}} \leftarrow U( \mathbb{Z}_q^n)$, $\mathbf{R}_{\mathsf{oa}} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}}$,
|
||||
\item[a.] Sample $\mathbf{s}_{\mathsf{oa}} \leftarrow \U( \mathbb{Z}_q^n)$, $\mathbf{R}_{\mathsf{oa}} \leftarrow D_{\ZZ,\sigma}^{m \times \bar{m}}$,
|
||||
$\mathbf{x}_{\mathsf{oa}} \leftarrow \chi^{m}, \mathbf{y}_{\mathsf{oa}} \leftarrow \chi^m$. Set $\mathbf{z}_{\mathsf{oa}} = \mathbf{R}_{\mathsf{oa}}^T\cdot \mathbf{y}_{\mathsf{oa}} \in \ZZ^{\bar{m}}$.
|
||||
\item[b.] Compute
|
||||
\begin{eqnarray}\label{eq:c-open}
|
||||
@ -1112,7 +1112,7 @@ The security results are explicited in the following theorems.
|
||||
that $\mathbf{u}_R= \mathbf{A}_R \cdot \mathbf{w} \bmod q$, with $\mathbf{A}_R \in \ZZ_p^{n \times m}$, $\mathbf{u}_R \in \ZZ_q^n$ and $\mathbf{w} \in \{0,1\}^m$. In return, $\adv$ obtains, as a challenge, a
|
||||
group encryption
|
||||
$\Psi^\star= (\vk^\star,\mathbf{c}_{\rec}^\star, \mathbf{c}_{\oa}^\star, \Sigma^\star).$
|
||||
of the witness $\mathbf{w}$ under $\pk_{\USR,b} =\mathbf{B}_{\USR,b}$, for some random bit $b \leftarrow U( \{0,1\})$ of the challenger's
|
||||
of the witness $\mathbf{w}$ under $\pk_{\USR,b} =\mathbf{B}_{\USR,b}$, for some random bit $b \leftarrow \U( \{0,1\})$ of the challenger's
|
||||
choice. Then, the adversary obtains proofs $\pi_{\Psi^\star}^\star$ for
|
||||
$\Psi^\star$ and makes further opening and decryption queries under the
|
||||
natural restrictions of Definition \ref{anonymity-def}. When the adversary $\adv$ halts, it
|
||||
@ -1165,7 +1165,7 @@ The security results are explicited in the following theorems.
|
||||
|
||||
Next, the reduction runs the appropriate steps of the actual $\textsf{SETUP}_\textsf{init}$ algorithm to obtain
|
||||
$\mathsf{COM}_{\mathsf{par}}$, $\mathbf{F} \in \ZZ_q^{2n \times n\bar{m}k}$ and $\mathbf{U} \in \ZZ_q^{n \times m}$.
|
||||
Namely, $\bdv$ samples $\mathbf F \sample U(\Zq^{2m\times n \bar{m} k})$ and $\mathbf U \sample U(\Zq^{n \times m})$ like in the $\mathsf{SETUP}_\mathsf{init}$ algorithm and sends
|
||||
Namely, $\bdv$ samples $\mathbf F \sample \U(\Zq^{2m\times n \bar{m} k})$ and $\mathbf U \sample \U(\Zq^{n \times m})$ like in the $\mathsf{SETUP}_\mathsf{init}$ algorithm and sends
|
||||
$$ \param = \big\{\lambda, n, q, k, m, B, \chi, \sigma, \beta, \ell, \kappa, \mathcal{OTS}, \compar, \mathsf{FRD}, \bar{\mathbf{A}}, \mathbf{G}, \mathbf{F}, \mathbf{U}, \mathbf{V} \big\} $$
|
||||
along with $\pk_\OA = \mathbf B \in \ZZ_q^{n \times \bar{m}}$ to the adversary $\adv$.
|
||||
|
||||
@ -1182,8 +1182,8 @@ The security results are explicited in the following theorems.
|
||||
|
||||
After a number of queries, $\adv$ decides to move to the challenge phase and sends a challenge query $\big( (\mathbf{A}_R,\mathbf{u}_R), \mathbf w^\star, L^\star \big)$ such that
|
||||
$\mathbf{u}_R=\mathbf{A}_R \cdot \mathbf{w}^\star \bmod q$. The reduction
|
||||
handles this query by requesting a challenge ciphertext for the IBE security game with the messages $\mathbf{m}_0=\mathsf{vdec}_{n,q-1}(\mathbf h_{\mathsf U,b})$, for some random bit $b \sample U(\bit)$
|
||||
and $\mathbf{m}_1 \leftarrow U(\{0,1\}^m)$. In return, $\bdv$ obtains
|
||||
handles this query by requesting a challenge ciphertext for the IBE security game with the messages $\mathbf{m}_0=\mathsf{vdec}_{n,q-1}(\mathbf h_{\mathsf U,b})$, for some random bit $b \sample \U(\bit)$
|
||||
and $\mathbf{m}_1 \sample \U(\{0,1\}^m)$. In return, $\bdv$ obtains
|
||||
a challenge ciphertext $\mathbf c^\star_\OA$ under identity $\vk^\star$, which is embedded in $\adv$'s challenge ciphertext. Namely,
|
||||
$\mathbf{\Psi}^\star = (\vk^\star, \mathbf c_\rec^\star, \mathbf c_\OA^\star, \Sigma^\star)$ is obtained by computing $\mathbf c_\rec^\star$ as an ABB encryption
|
||||
of the witness $\mathbf w^\star$ using the matrix $\mathbf{B}_{\mathsf U,b} \in \ZZ_q^{n \times \bar{m}}$ as in~\eqref{eq:c-recipient}
|
||||
@ -1216,18 +1216,18 @@ we can assess % corresponds to \SFGame 3.
|
||||
\[ \mathsf{PP} = \big(\bar{\mathbf A}, \mathbf B, \mathbf U \big) \in \Zq^{n \times m} \times \Zq^{n \times \bar{m}} \times \Zq^{n \times m} \]
|
||||
from its real-or-random (ROR) challenger.
|
||||
|
||||
Our reduction uses $\mathsf{PP}$ to compute public parameters for our $\mathsf{GE}$ scheme. To this end, it samples $\mathbf F \sample U(\Zq^{2n \times n \bar{m}k})$,
|
||||
$\mathbf V \sample U(\Zq^{n\times m})$ as in the real $\mathsf{SETUP}_\mathsf{init}$ algorithm.
|
||||
Our reduction uses $\mathsf{PP}$ to compute public parameters for our $\mathsf{GE}$ scheme. To this end, it samples $\mathbf F \sample \U(\Zq^{2n \times n \bar{m}k})$,
|
||||
$\mathbf V \sample \U(\Zq^{n\times m})$ as in the real $\mathsf{SETUP}_\mathsf{init}$ algorithm.
|
||||
The reduction $\bdv$ also computes $\mathbf B_\OA =\bar{\mathbf{A}} \cdot \mathbf T_\OA \bmod q $,
|
||||
where the small-norm matrix $\mathbf{T}_\OA$ is sampled from $D_{\ZZ,\sigma}^{m \times \bar{m}}$, and sends $\adv$ the parameters
|
||||
\[ \mathsf{param}= \big\{\lambda, n, q, k, m, \sigma, \beta, \ell, \kappa, \mathcal{OTS}, \compar, \mathsf{FRD}, \bar{\mathbf{A}}, \mathbf{G}, \mathbf{F}, \mathbf{U}, \mathbf{V} \big\}, \]
|
||||
where $\bar{\mathbf{A}}$ is taken from $\mathsf{PP}$,
|
||||
along with $\pk_\OA = \mathbf B_\OA$. The rest of the keys are generated as in Game $4$.
|
||||
|
||||
The reduction $\bdv$ then tosses a coin $b \sample U(\bit)$. When the adversary $\adv$ triggers an execution of the join protocol,
|
||||
The reduction $\bdv$ then tosses a coin $b \sample \U(\bit)$. When the adversary $\adv$ triggers an execution of the join protocol,
|
||||
$\bdv$ generates the public keys $(\pk_i)_{i\in \bit}$ by defining $\pk_{\USR,b} = \mathbf B$ using the matrix $\mathbf B \in \ZZ_q^{n \times \bar{m}}$ supplied by
|
||||
the ROR challenger as part of $\mathsf{PP}$ and generates $(\pk_{\USR,1-b},\sk_{1-b}) =(\mathbf{B}_{\USR,1-b} = \bar{\mathbf{A}} \cdot \mathbf T_{1-b}, \mathbf{T}_{1-b})$ for
|
||||
a secret key $\mathbf{T}_{1-b} \leftarrow D_{\ZZ^m,\sigma}^{\bar{m}}$ of its own.
|
||||
a secret key $\mathbf{T}_{1-b} \sample D_{\ZZ^m,\sigma}^{\bar{m}}$ of its own.
|
||||
The two public keys $(\pk_{\USR,i})_{i\in \bit}$ are then certified by the adversarially-controlled $\GM$.
|
||||
Notice that in the adversary's view, both public keys $\pk_{\USR,b}$ and $\pk_{\USR,1-b}$ are identically distributed.
|
||||
|
||||
@ -1341,7 +1341,7 @@ of the ABB scheme, which would contradict the $\LWE$ assumption, as established
|
||||
At the very beginning of the IND-sID-CPA game, the reduction $\bdv$ generates a one-time signature key pair $(\sk^\star, \vk^\star)$ and hands $\vk^\star$ to its selective security challenger as the target identity under which the challenge ciphertext will later be computed. In response, $\bdv$ receives the public parameters
|
||||
$$\mathsf{PP} = (\bar{\mathbf A}, \mathbf B, \mathbf U) \in \Zq^{n \times m} \times \Zq ^{n \times \bar m} \times \Zq^{n \times m}$$ from its IBE challenger.
|
||||
|
||||
The reduction then runs the missing steps of the actual $\Setup_{\mathsf{init}}$ algorithm: namely, $\bdv$ samples $\mathbf F \leftarrow U(\Zq^{2m \times n\bar{m}k}), \mathbf V \leftarrow U(\Zq^{n \times m})$ and generates $\compar$ before sending the common public parameters
|
||||
The reduction then runs the missing steps of the actual $\Setup_{\mathsf{init}}$ algorithm: namely, $\bdv$ samples $\mathbf F \sample \U(\Zq^{2m \times n\bar{m}k}), \mathbf V \sample \U(\Zq^{n \times m})$ and generates $\compar$ before sending the common public parameters
|
||||
$$\param = \bigl\{\lambda, n, q, k, m, B, \chi, \sigma, \beta, \ell, \kappa, \mathcal{OTS}, \compar, \mathsf{FRD}, \bar{\mathbf{A}}, \mathbf{G}, \mathbf{F}, \mathbf{U}, \mathbf{V} \bigr\}$$
|
||||
to the adversary $\adv$.
|
||||
|
||||
@ -1357,7 +1357,7 @@ of the ABB scheme, which would contradict the $\LWE$ assumption, as established
|
||||
|
||||
At some point, the adversary $\adv$ queries a challenge ciphertext by outputting a triple $((\mathbf A_R, \mathbf u_R), \mathbf w, L)$ such that $\mathbf{w} \in \{0,1\}^m$ satisfies
|
||||
$\mathbf u_R = \mathbf A_R \cdot \mathbf{w} \bmod q$. Then, the reduction $\bdv$ requests a challenge ciphertext $\mathbf c^\star_\rec$ to its IBE
|
||||
challenger by sending it the messages $\mathbf m_1 = \mathbf{w} \in \{0,1\}^m$ and $\mathbf m_0 \leftarrow U(\{0,1\}^m)$. The resulting ciphertext $\mathbf c^\star_\rec$
|
||||
challenger by sending it the messages $\mathbf m_1 = \mathbf{w} \in \{0,1\}^m$ and $\mathbf m_0 \sample \U(\{0,1\}^m)$. The resulting ciphertext $\mathbf c^\star_\rec$
|
||||
is embedded in $\mathbf{\Psi}^\star = (\vk^\star, \mathbf c_\rec^\star, \mathbf c_\OA^\star, \Sigma^\star)$ by faithfully computing
|
||||
$\mathbf c_\OA^\star$ and $\Sigma^\star$ as in the actual $\textsf{Enc}$ algorithm.
|
||||
|
||||
|
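Review bot: The new line `\mathbf F \sample \U(\Zq^{2m\times n \bar{m} k})` in the hunk at -1165 keeps the dimension `2m`, while the sentence just above it (`\mathbf{F} \in \ZZ_q^{2n \times n\bar{m}k}`) and the setup step in the hunk at -770 give `\mathbf{F}` as `2n \times n\bar{m}k`; the same `2m` survives in the new line of the hunk at -1341, whereas the hunk at -1216 already uses `2n`. If the `2n` form is the intended one, both new lines should read `\mathbf F \sample \U(\Zq^{2n \times n \bar{m} k})`. The hunks at -842, -862 and -1112 switch `U` to `\U` but keep `\leftarrow` (`\mathbf{s}_{\rec} \leftarrow \U(\mathbb{Z}_q^n)`), while every other corrected line uses `\sample \U(\cdot)`; for consistency these would become `\mathbf{s}_{\rec} \sample \U(\mathbb{Z}_q^n)` and likewise for `\mathbf{s}_{\mathsf{oa}}` and the bit `b`. In the unchanged context of the -1112 hunk, `\mathbf{A}_R \in \ZZ_p^{n \times m}` appears to be a typo for `\ZZ_q`, since the rest of the text (and `\mathbf{u}_R \in \ZZ_q^n` on the same line) works over `\ZZ_q`.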
@ -1,10 +1,10 @@
|
||||
In this chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
|
||||
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion.
|
||||
As a consequence, it is possible to construct lattice-based anonymous credential from this building block.
|
||||
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
|
||||
In this chapter, we present the first dynamic group signature scheme based on lattice assumptions.
|
||||
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, which is used in a similar manner.
|
||||
As a consequence, it is possible to design lattice-based anonymous credentials from this building block.
|
||||
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} transform to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
|
||||
|
||||
The group signature security is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
|
||||
For security parameter $\lambda$ and for group of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
|
||||
The group signature is proven secure in the \ROM under the \SIS and \LWE assumptions, which are fixed-size and well studied assumptions.
|
||||
As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size $\softO(\lambda^2) \cdot \log \Ngs$, user's secret key size $\softO(\lambda)$ and signature size $\softO(\lambda) \cdot \log \Ngs$.
|
||||
Our scheme thus achieves a level of efficiency comparable to recent proposals based on standard (i.e. non-ideal) lattices~\cite{LLLS13,NZZ15,LNW15,LLNW16} in the static setting as depicted in \cref{table:lattice-gs-comparison}.
|
||||
In particular, the cost of moving to dynamic group is reasonable: while using the scheme from~\cite{LNW15} as a building block, our construction lengthens the signature size only by a (small) constant factor.
|
||||
|
||||
@ -29,7 +29,7 @@ In particular, the cost of moving to dynamic group is reasonable: while using th
|
||||
\label{table:lattice-gs-comparison}
|
||||
\end{table}
|
||||
|
||||
The signature scheme with efficient protocols is here built upon the $\SIS$-based signature of Böhl \textit{et al.}~\cite{BHJ+15}, which is itself a variant of Boyen's signature~\cite{Boy10}.
|
||||
The signature scheme with efficient protocols is built upon the $\SIS$-based signature of Böhl \textit{et al.}~\cite{BHJ+15}, which is itself a variant of Boyen's signature~\cite{Boy10}.
|
||||
The latter scheme involves a public key containing matrices $\mathbf{A}, \mathbf{A}_0, \ldots, \mathbf{A}_\ell \in \Zq^{n \times m}$ and signs an $\ell$-bit message $\mathfrak m \in \bit^\ell$ by computing a short vector $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \sum_{j=1}^\ell \mathfrak m[j] \mathbf{A}_j ]} \cdot \mathbf{v} = \mathbf 0^n \bmod q$.
|
||||
The variant proposed by Böhl \textit{et al.} only uses a constant number of matrices $\mathbf{A}, \mathbf{A}_0, \mathbf{A}_1 \in \Zq^{n \times m}$ where each signature is assigned with a single-use tag $\tau$ and the public key involves an extra matrix $\mathbf{D} \in \Zq^{n \times m}$ and a vector $\mathbf{u} \in \Zq^n$.
|
||||
A message $\mathfrak m$ is then signed by first applying a chameleon hash function $\mathbf{h} = \mathcal{H}(\mathfrak m, \mathbf{s}) \in \bit^m_{}$ and signing $\mathbf{h}$ by computing a short $\mathbf{v} \in \ZZ^{2m}_{}$ such that ${[\mathbf{A} \mid \mathbf{A}_0 + \tau \mathbf{A}_1 ]} \cdot \mathbf{v} = \mathbf{u} + \mathbf{D} \cdot \mathbf{h} \bmod q$.
|
||||
|
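Review bot: The rewritten sentence `As of the security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features ...` in the first hunk reads awkwardly, since "as of" denotes a point in time; the line would be clearer as `For a security parameter $\lambda$ and groups of up to $\Ngs$ members, the scheme features public key size ...`. The same hunk's new lines keep `well studied assumptions`, which as a compound modifier before a noun is conventionally hyphenated (`well-studied assumptions`). In the second hunk, `\textit{et al.}` is visual markup repeated on two new lines; `\emph{et al.}` or a small `\etal` macro defined once in the preamble would keep that styling in one place.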