proofreading
This commit is contained in:
parent
9dd62d0c1d
commit
9d478c72fc

@ 8,6 +8,7 @@


*.ilg


*.ind


*.latexmain


*.lot


*.lof


*.log


*.out





@ 14,10 +14,19 @@ Before describing those scheme, let us recall in this Chapter the definition of


Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group.


On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key.


In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it.


This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang ({BSZ}) in 2005~\cite{BSZ05}.


These interactions are summarized in Figure~\ref{fig:gsrelations}.




The concept of group signatures was introduced by Chaum and van Heyst in 1991~\cite{CVH91}, but the works of Ateniese, Camenisch, Joye and Tsudik in 2001~\cite{ACJT00} were the first to provide scalable and secure group signatures.


In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed a formal definition for \textit{static} group signatures, where the group is defined once and for all at the setup phase.


This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. Those two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gsdefinitions}.




The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}.


The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user.




In the dynamically growing group setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.


In this context, the two notions of the BMW model are kept, and a third one is added: the ``\textit{nonframeability}''.


This notion expresses the impossibility to frame a group of honest users in order to provide a signature that opens to one on them, \textit{even if the group manager and the opening authority are colluding}.




One application of this primitive can be to handle anonymous access control for public transportation systems.


In order to commute, a person should prove the possession of a valid subscription to the transportation service.


Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.



@ 27,7 +36,7 @@ Then, the public transportation company is unable to learn anything from seeing


Other applications of group signatures can be advocated as authentication of lowrange communications for intelligent cars or anonymous access control of a building.


As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.




Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fullydynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group \,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\, we do not consider this approach.


Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fullydynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group \,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\, this approach is not considered here, even if it is of interest~\cite{LNWX17}.




\section{Formal Definition and Correctness} \label{sse:gsdefinitions}


\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}



@ 43,7 +52,7 @@ This section recalls the syntax and the security definitions of dynamic group s


\input figgsrelations


\caption{Relations between the protagonists in a dynamic group signature


scheme}


\label{fig:relations}


\label{fig:gsrelations}


\end{figure}




In the setting of \emph{dynamic groups}, the syntax of group signatures includes



@ 59,36 +68,22 @@ membership secret, $\scr_i$.


%\paragraph{Syntax.}


We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle.


\begin{definition}[Dynamic Group Signature]


A \emph{dynamic group signature} scheme consists of the following algorithms


or protocols.


A \emph{dynamic group signature} scheme consists of the algorithms or protocols $(\Setup, \mathsf{Join}, \Sign, \Verify, \Open)$ described as follows.




\begin{description}


\item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$


and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm


is run by a trusted party to generate a group public key $\mathcal{Y}$,


the group manager's private key $\mathcal{S}_{\GM}$ and the opening


authority's private key $\mathcal{S}_{\OA}$. Each key is given to the


appropriate authority while $\mathcal{Y}$ is made public. The algorithm


also initializes a public state $St$ comprising a set data structure


$St_{\users}=\emptyset$ and a string data structure $St_{\trans}=


\epsilon$.\\


In the following, all algorithms have access to the public parameters


$\gspk$.


\item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$ and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm is run by a \textit{trusted party} to generate a group public key $\gspk$, the group manager's private key $\mathcal{S}_{\GM}$ and the opening authority's private key $\mathcal{S}_{\OA}$.


Each key is given to the appropriate authority while $\gspk$ is made public.


The algorithm also initializes a public state $\mathsf{st}$ comprising a set data structure $\mathsf{st}_{\users}=\emptyset$ and a string data structure $\mathsf{st}_{\trans}= \epsilon$.\\


In the following, all algorithms have access to the public parameters $\gspk$.


%


\item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager


GM and a user $\mathcal{U}_i$ where the latter becomes a group member.


The protocol involves two interactive Turing machines $\join_{\user}$ and


$\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution


$\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$,


ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$,


that no one else knows, and a membership certificate $\crt_{i }$. If the


protocol is successful, the group manager updates the public state $St$ by


setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as


$St_{\trans}:=St_{\trans}  \langle i ,\transcript_i \rangle$.


\item[\textsf{Join}$^{\join_{\user}, \join_{\GM}}$:] is an \emph{interactive} protocol between the group manager GM and a user $\mathcal{U}_i$ where the latter becomes a group member.


The protocol involves two interactive Turing machines $\join_{\user}$ and $\join_{\GM}$ that both take the group public key $\gspk$ as input.


The execution $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$, ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i}$, that no one else knows, and a membership certificate $\crt_{i }$.


If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}:=\mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans}  ( i ,\transcript_i )$.


%


%\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM


%to generate an updated revocation list $RL_t$ for the new revocation period $t$.


%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$


%It takes as input a public key $\gspk$ and a set $\mathcal{R}_t \subset \mathsf{st}_{\users}$


%that identifies the users to be revoked.


%It outputs an updated revocation list $RL_t$ for period $t$.


%%



@ 101,15 +96,15 @@ We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that


%


\item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$,


%a revocation period $t $, the corresponding revocation list $RL_t$,


a message $M$ and a group public key $\mathcal{Y}$, this


a message $M$ and a group public key $\gspk$, this


\emph{deterministic} algorithm returns either $0$ or $1$.


%


\item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a


message $M$, a valid signature $\sigma$ w.r.t.


$\mathcal{Y}$ %for the indicated revocation period $t$


$\gspk$ %for the indicated revocation period $t$


, the opening authority's private key $\mathcal{S}_{\OA}$ and the public


state $St$.


It outputs $i \in St_{\users} \cup \{ \bot \}$, which is the identity of


state $\mathsf{st}$.


It outputs $i \in \mathsf{st}_{\users} \cup \{ \bot \}$, which is the identity of


a group member or a symbol indicating an opening failure.


%


\end{description}



@ 128,16 +123,16 @@ against them. And finally the \textit{anonymity} property is also formalized by




\paragraph{Correctness for Dynamic Group Signatures.}


Following the KiayiasYung terminology \cite{KY06}, we say that a public state


$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a


Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said


to \textit{extend} another state $St$ if it is within reach from $St$.


$\mathsf{st}$ is \textit{valid} if it can be reached from $\mathsf{st}=(\emptyset,\epsilon)$ by a


Turing machine having oracle access to $\join_{\GM}$. Also, a state $\mathsf{st}'$ is said


to \textit{extend} another state $\mathsf{st}$ if it is within reach from $\mathsf{st}$.




Moreover, as in \cite{KY06}, when we write


$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists


$\crt_{i}\leftrightharpoons_{\gspk} \scr_{i}$, it means that there exists


coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid


public state $St'$, the execution of the interactive protocol


$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$


provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.


public state $\mathsf{st}'$, the execution of the interactive protocol


$\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st}',\gspk,\mathcal{S}_{\GM}) \rangle_\varpi$


provides $\join_{\user}$ with $(i,\scr_{i },\crt_{i })$.




\begin{definition}[Correctness]


A dynamic group signature scheme is correct if the following conditions are



@ 146,26 +141,26 @@ provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$.


%


\begin{enumerate}[(1)]


%


\item In a valid state $St$, $St_{users}=St_{trans}$ always holds and


two distinct entries of $St_{trans}$ always contain certificates with


\item In a valid state $\mathsf{st}$, $\mathsf{st}_{users}=\mathsf{st}_{trans}$ always holds and


two distinct entries of $\mathsf{st}_{trans}$ always contain certificates with


distinct tag.


%


\item If


$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$


$\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$


is run by two honest parties following the protocol and


$\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then


we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$.


we have $\crt_{i} \leftrightharpoons_{\gspk} \scr_{i }$.


%


\item For each %revocation period $t$ and any


$\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i }


\leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have


$ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i


},M),M,\mathcal{Y}\big)=1$.


$(i, \crt_{i}, \scr_{i})$ such that $\crt_{i }


\leftrightharpoons_{\gspk} \scr_{i }$, satisfying condition 2, we have


$ \mathsf{Verify}\big(\mathsf{Sign}(\gspk, \crt_{i }, \scr_{i


},M),M,\gspk\big)=1$.


%


\item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid


$St$,


if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then


$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$


\item For any outcome $(i, \crt_{i }, \scr_{i })$ of


$\langle\join_{\user}(.,. ),\join_{\GM}(.,\mathsf{st},.,. )\rangle$


for some valid state information $\mathsf{st}$, if $\sigma =\mathsf{Sign}(\gspk,\crt_{i }, \scr_{i},M)$, then


$\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\gspk,\mathsf{st}')=i.$


%


\end{enumerate}


%



@ 186,17 +181,17 @@ variables:


\item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the


state of the interface as the adversary invokes the various oracles


available in the attack games. It is initialized as


$\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM},


$\mathsf{state}_{\mathcal{I}}=(\textsf{st},\gspk,\mathcal{S}_{\GM},


%\linebreak[4]


\mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$.


It includes the (initially empty) set $St_{users}$ of group members and a


dynamically growing database $St_{trans}$ storing the transcripts of


It includes the (initially empty) set $\textsf{st}_{users}$ of group members and a


dynamically growing database $\textsf{st}_{trans}$ storing the transcripts of


previously executed join protocols.


%Finally,


%$\mathsf{state}_{\mathcal{I}}$ includes a counter


%$t$ (which is initialized to $0$) indicating the number of user revocation


%queries so far.


\item $n=St_{users}<\Ngs$ denotes the current cardinality of the group.


\item $n=\textsf{st}_{users}<\Ngs$ denotes the current cardinality of the group.


%


\item $\mathsf{Sigs}$: is a database of signatures created by the signing


oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that



@ 219,7 +214,7 @@ following oracles:


%


\item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when


these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and


returns the group public key $\mathcal{Y}$, the GM's private key


returns the group public key $\gspk$, the GM's private key


$\mathcal{S}_{\GM}$ and the opening authority's private key


$\mathcal{S}_{\OA}$ respectively.


%



@ 227,16 +222,16 @@ following oracles:


in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in


interaction with the $\join_{\user}$executing adversary who plays the role of


the prospective user in the join protocol. If this protocol successfully


ends, the interface increments $n$, updates $St$ by inserting the new user


$n$ in both sets $St_{users}$ and $U^a$. It also sets


$St_{\trans}:=St_{\trans}  \langle n, \transcript_n \rangle$.


ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user


$n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets


$\mathsf{st}_{\trans}:=\mathsf{st}_{\trans}  \langle n, \transcript_n \rangle$.


%


\item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager,


to introduce new honest group members of its choice. The interface


triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in


interaction with the adversary who runs $\join_{\GM}$. If the protocol


successfully completes, the interface increments $n$, adds user $n$ to


$St_{users}$ and $U^b$ and sets $St_{\trans}:=St_{\trans}  \langle n,


$\mathsf{st}_{users}$ and $U^b$ and sets $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans}  \langle n,


\transcript_n \rangle$. It stores the membership certificate $\crt_{n }$


and the membership secret $\scr_{n }$ in a \textit{private} part of


$\mathsf{state}_{\interface}$.



@ 251,7 +246,7 @@ following oracles:


%


\item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid


pair $(M,\sigma)$,


the interface runs algorithm $\mathsf{Open}$ using the current state $St $.


the interface runs algorithm $\mathsf{Open}$ using the current state $\mathsf{st} $.


When $S$ is a set of pairs of the form $(M,\sigma)$,


$Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies


the opening algorithm to pairs $(M,\sigma)$ which are not in $S$.



@ 262,8 +257,8 @@ following oracles:


the public/private keys and the private part of $\mathsf{state}_{\interface}$ where


membership secrets are stored after $Q_{\bjoin}$queries. By using


$Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at


will as long as it does not remove or alter elements of $St_{users}$,


$St_{trans}$ or invalidate the public state $St$: for example, the adversary


will as long as it does not remove or alter elements of $\mathsf{st}_{users}$,


$\mathsf{st}_{trans}$ or invalidate the public state $\mathsf{st}$: for example, the adversary


is allowed to create dummy users as long as it does not reuse already


existing certificate tags.





@ 279,13 +274,13 @@ security properties are formalized as follows.


\begin{figure}[H]


\centering


\procedure{Experiment $\Exp{\textrm{misid}}{\adv}(\lambda)$}{%


\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})


\mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})


\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\


(M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin},


Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\


\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\


\pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\


\pcind \pcreturn{0}\\


i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\


i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \gspk,\mathsf{st}')\\


\pcif i \not\in U^a \pcthen \\


\pcind\pcreturn{1}\\


\pcelse\\



@ 320,16 +315,16 @@ adversariallycontrolled user.


\begin{figure}[H]


\centering


\procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{%


\mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})


\mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})


\gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\


(M^\star,\sigma^\star)


\gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM},


Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}},


Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\


\pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\


\pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\


\pcind \pcreturn 0 \\


\pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA},


\mathcal{Y},St') \not \in U^b \pcthen\\


\gspk,\mathsf{st}') \not \in U^b \pcthen\\


\pcind \pcreturn 0\\


\pcif


\bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast)



@ 376,23 +371,23 @@ The adversary eventually aims at framing an honest group member.


\begin{figure}[H]


\centering


\procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{


\mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA})


\mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA})


\gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\


\big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star),


(\scr_{1}^\star,\crt_{1}^\star )\big)


\gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}},


%Q_{\mathsf{revoke}},


Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\


%\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit}


%\If{\neg(\crt_{b}^\star \leftrightharpoons_{\gspk} \scr_{b}^\star) for b\in\bit}


%{\Return \bot\\}


%\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\}


\pcif


\neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star)


\wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star)


\neg((\crt_{0}^\star \leftrightharpoons_{\gspk} \scr_{0}^\star)


\wedge (\crt_{1}^\star \leftrightharpoons_{\gspk} \scr_{1}^\star)


\wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\


\pcind\pcreturn \bot\\


%Pick random d \gets \bit;


\sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star,


\sigma^\star \leftarrow \mathsf{Sign}(\gspk,\crt_{d}^\star,


\scr_{d}^\star,M^\star)\\


d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}},


Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}},




11
chapZK.tex
11
chapZK.tex

@ 114,7 +114,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i




These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hidingbindinggames}.


\begin{description}


\item[Correctness.] For any $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$.


\item[Correctness.] For any public parameters $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$.


\item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that


\[ \hspace{1cm}


\advantage{\mathrm{hiding}}{\adv}(\lambda) = \left \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right]  \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right \leq \negl[\lambda],



@ 180,7 +180,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK




\begin{definition}[FiatShamir Transform~{\cite{FS86}}]


\index{Zero Knowledge!FiatShamir Transform}


Let $(P, V)$ be a threeround zeroknowledge proof for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.


Let $(P, V)$ be a threemove ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function.




Let $\hat P$ be the following noninteractive prover that takes as inputs $x$ and $w$:


\begin{enumerate}



@ 233,13 +233,14 @@ For the sake of completeness, we can also mention $\NIZK$ in the standard model,


Schnorr's methodology to construct proofs is based on the $\Sigma$protocol technique to design zeroknowledge proofs.


It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorrdlog}.




This methodology can be interpreted as follows. Given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in fixing the randomness used in the commitment scheme $r$ \emph{via} $\rho$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$. Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$.


An interpretation of this methodology is the following: given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in binding the randomness used in the commitment scheme $r$ using the transmitted value $\rho = g^r$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$.


Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$.




In the protocol described in Figure~\ref{fig:schnorrdlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}.


In the protocol described in Figure~\ref{fig:schnorrdlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}: a commitment of a message $M \in \Zp$ is $g^m \cdot h^r \in \GG$ and the opening is the randomness $r$ used to commit.




Given its effiency, Schnorr's protocol is used along with FiatShamir heuristic in the pairingbased group signature described in~\cref{ch:sigmasig}.




This methodology has also been adapted in the ideal latticesetting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zeroknowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorrlwe}.


This methodology has also been adapted in the ideal latticesetting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorrlwe}.


In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$.


The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V.


This part induced a noticeable errorrate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}.





@ 93,8 +93,14 @@ That's why we'll now define the principle of polynomial time reduction.


In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a blackbox manner to solve $A$.


This is illustrated in Figure~\ref{fig:polyreduction}.




To write down that a TM has blackbox access to a TM $M_O$ that computes function $O$, we sometimes use the \textit{oracle} terminology.




\begin{definition}[Oracle machine] \index{Turing machine!Oracle machine}


A Turing Machine $M$ is said to have \textit{oracle access} to a function $O(\cdot)$ if it has access to the result of $O(x)$ for any input $x$ of its choice in constant time. We denote the output of $M$ on input $x$ with oracle $O$ by $M^O(x)$.


\end{definition}




We can notice that \textsf{P} and \textsf{PP} are both closed under polynomialtime reduction.


Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then this problem is also in \textsf{P} (resp. \textsf{PP}).


Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then the former problem is also in \textsf{P} (resp. \textsf{PP}).




Until know, we mainly focus on the running time of the algorithms.


In cryptology, it is also important to consider the success probability of algorithms:





@ 1,6 +1,6 @@


%


In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction.


Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zeroknowledge proofs that allows a signature holder to prove


Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zeroknowledge proofs that allows a signature holder to prove




%


\section{Building blocks}



@ 15,14 +15,14 @@ groups of prime order $p$ and we rely on the assumed security of the \SDL and \




\defSDL*




\subsection{QuasiAdaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasigqanizk}


\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument NIZK quasiadaptatif pour un sousespace linéaire}


\subsection{QuasiAdaptive $\NIZK$ Arguments for Linear Subspaces} \label{sse:sigmasigqanizk}


\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument $\NIZK$ quasiadaptatif pour un sousespace linéaire}




QuasiAdaptive NIZK (QANIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS)


QuasiAdaptive $\NIZK$ (\QANIZK) proofs \cite{JR13} are $\NIZK$ proofs where the common reference string (CRS)


may depend on the language for which proofs have to be generated.


Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QANIZK}.


Formal definitions are given in \cite{JR13,LPJY14,KW15}.




This section recalls the QANIZK argument of \cite{KW15} for proving membership in the row space of a matrix.


This section recalls the \QANIZK argument of \cite{KW15} for proving membership in the row space of a matrix.


In the description below, we assume that all


algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric


bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter.



@ 58,16 +58,16 @@ We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M}


$ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $


\end{description}




The proof of the soundness of this QANIZK argument system requires the matrix $\mathbf{M}$ to be witnesssamplable.


The proof of the soundness of this \QANIZK argument system requires the matrix $\mathbf{M}$ to be witnesssamplable.


This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$.


This requirement is compatible with our security proofs.




\section{A Randomizable Signature on MultiBlock Messages} \label{scalsig}




In \cite{LPY15}, Libert \textit{et al.} described an Funforgeable signature based on the SXDH assumption. We show that their scheme


In \cite{LPY15}, Libert \textit{et al.} described an Funforgeable signature based on the $\SXDH$ assumption. We show that their scheme


implies an efficient ordinary digital signature which makes it possible to efficiently sign multiblock messages in $\Zp^{\ell}$ while keeping the scheme


compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.


Moreover, we show that their scheme remains unforgeable under the SXDH assumption.


compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying \QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace.


Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assumption.




\begin{description}


\item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$



@ 89,7 +89,7 @@ Moreover, we show that their scheme remains unforgeable under the SXDH assumptio


\end{array}\right) ,


\end{equation}


where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$.


\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QANIZK argument of Section~\ref{sse:sigmasigqanizk}


\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of Section~\ref{sse:sigmasigqanizk}


to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$.


\bigskip


\item[]



@ 111,13 +111,13 @@ $\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute


= g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, &


\sigma_2 & = g^{s}, & \sigma_3 & = h^{s} .


\end{align*}


Then, run $\mathsf{Prove}$ of the QANIZK argument to prove that


Then, run $\mathsf{Prove}$ of the \QANIZK argument to prove that


the following vector of $\GG^{2\ell+4}$


\begin{align} \label{eq:vector}


(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2,


\sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)


\end{align}


is in the row space of $\mathbf{M}$. This QANIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot


is in the row space of $\mathbf{M}$. This \QANIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot


z_{\ell+2})^{s}.$




Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$.



@ 138,7 +138,7 @@ The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$


while the verification equation only involves a computation of 5 pairings.




\begin{theorem} \label{th:eucma1}


The above signature scheme is existentially unforgeable under chosenmessage attacks (\textsf{eucma}) if the SXDH assumption holds in $(\GG, \Gh, \GT)$.


The above signature scheme is existentially unforgeable under chosenmessage attacks (\textsf{eucma}) if the $\SXDH$ assumption holds in $(\GG, \Gh, \GT)$.


\end{theorem}




\begin{proof}



@ 158,7 +158,7 @@ The above signature scheme is existentially unforgeable under chosenmessage att


\end{aligned}


\end{equation}


Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$


is in the row space of $\mathbf{M}$, the QANIZK proof $\pi$ has the same distribution as if it were computed as


is in the row space of $\mathbf{M}$, the \QANIZK proof $\pi$ has the same distribution as if it were computed as


\begin{equation}


\label{eq:relsimA}


\begin{aligned}



@ 184,7 +184,7 @@ The above signature scheme is existentially unforgeable under chosenmessage att


\end{gathered}


\label{eq:relsigB}


\end{equation*}


The QANIZK proof $\pi$ is


The \QANIZK proof $\pi$ is


computed as in \eqref{eq:relsimA} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$.


\end{description}


\smallskip



@ 205,9 +205,9 @@ The above signature scheme is existentially unforgeable under chosenmessage att


and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$.




\item[Game 1:] We change the way $\bdv$ answers signing queries.


The QANIZK proofs $\pi$ are then computed as simulated QANIZK proofs


The \QANIZK proofs $\pi$ are then computed as simulated \QANIZK proofs


using $\mathsf{tk}$


as in~\eqref{eq:relsimA}. These QANIZK proofs are thus simulated


as in~\eqref{eq:relsimA}. These \QANIZK proofs are thus simulated


proofs for true statements, and then their distribution remains unchanged.


We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge


\neg E_1]$.



@ 225,7 +225,7 @@ The above signature scheme is existentially unforgeable under chosenmessage att


is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$.


\end{description}




In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$


In Game $2.Q$, we know that if $\SXDH$ holds, $\adv$ can only output a type $\mathrm{A}'$


forgery even if it only obtains type B signatures during the game.


Nevertheless, lemma~\ref{le:finalforgery} shows


that a type $\mathrm{A}'$ forgery in Game



@ 250,7 +250,7 @@ The above signature scheme is existentially unforgeable under chosenmessage att


\begin{proof}


Let $\adv$ be an attacker that does not


output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the


QuasiAdaptive NIZK (QANIZK) scheme, which security is implied from the doublepairing


QuasiAdaptive $\NIZK$ (\QANIZK) scheme, which security is implied from the doublepairing


problem that reduces from DDH as explained in~\cite{LPJY13}.


Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as


\[



@ 263,7 +263,7 @@ The above signature scheme is existentially unforgeable under chosenmessage att


Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in


(\ref{matrixscalsig}) and a common


reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the


QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.


\QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$.


The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$.


After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$.


Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key:



@ 305,7 +305,7 @@ If DDH holds in $\GG$, for each $k \in




Then, queries are answered depending on their index~$j$:\\


\textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2,


\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QANIZK simulator


\sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator


to computes $\pi$.




\noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q  k  1$ signing queries are computed as



@ 317,7 +317,7 @@ If DDH holds in $\GG$, for each $k \in


depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$,


and


$ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $


Then $\bdv$ simulates QANIZK proofs $\pi$ as recalled in \eqref{eq:relsimA}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.


Then $\bdv$ simulates \QANIZK proofs $\pi$ as recalled in \eqref{eq:relsimA}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$.


\smallskip




If $\eta = g^{ab}$, the $k$th signature $\sigma$ is



@ 690,7 +690,7 @@ This concludes the proof. % TODO: ugly


\subsection{Signing a Committed Message}




At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$.


In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip


In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the \QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip




\noindent \textbf{The protocol.}


%



@ 729,11 +729,11 @@ In comparison, the construction of \cite{CL02a} requires groups of larger hidde


\noindent \textbf{Security.}


%


We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol.


In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasigqanizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an SXDH challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the publickey would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasigqanizk}. \smallskip


In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasigqanizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the publickey would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasigqanizk}. \smallskip




\noindent \textbf{Remark.}


%


Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scalsig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form.


Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying \QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scalsig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form.









@ 749,7 +749,7 @@ on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to


efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section).


For the sake of efficiency, we use a randomness reusing \cite{BBKS07} variant of the CramerShoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using


the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of CramerShoup ciphertexts is demonstrated using


$\Sigma$protocols and the FiatShamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier NIZK proofs \cite{CS98}. \\


$\Sigma$protocols and the FiatShamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}. \\


\indent


In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zeroknowledge manner, which restricts the group manager to sequentially interact


with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}.



@ 779,15 +779,15 @@ with prospective users. However, this limitation can be removed using an extract


that will be modeled as a random oracle.




\item Define


$\mathcal Y = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.


The group manager's private key is $\mathcal S_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of


$ \mathcal S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.


$\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key.


The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of


$ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.


\end{enumerate} \vspace{1mm}


%


\begin{description}


\item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the


prospective user $\U_i$ run the following interactive protocol:


%$[ \mathsf J_{\user}(\lambda, \mathcal Y), \mathsf J_\GM(\lambda, St, \mathcal Y, \mathcal S_{\GM}) ]$


%$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$


\end{description} \vspace{2mm}


\begin{enumerate}


\item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to



@ 813,13 +813,13 @@ with prospective users. However, this limitation can be removed using an extract




\item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of


section~\ref{scalsig}: i.e., $\GM$ picks $s \sample \Zp$, and


uses $\mathcal S_\GM = \omega$ to compute


uses $\mathcal{S}_\GM = \omega$ to compute


$\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$


and


\begin{align*}


\sigma_2 & = g^s, & \sigma_3 & = h^s.


\end{align*}


Then $\GM$ uses $Z_{\ID}$ to generate the QANIZK proof $\pi\in \GG$ as


Then $\GM$ uses $Z_{\ID}$ to generate the \QANIZK proof $\pi\in \GG$ as


\begin{align*}


\pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s


= z_1^\omega \cdot (z_2^\ID \cdot z_3)^s



@ 836,7 +836,7 @@ with prospective users. However, this limitation can be removed using an extract


\end{enumerate}


%


\begin{description}


\item[\textsf{Sign}$(\mathcal Y, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$


\item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$


does the following:


\end{description} \vspace{2mm}


\begin{enumerate}



@ 888,7 +888,7 @@ with prospective users. However, this limitation can be removed using an extract


\end{enumerate}


%


\begin{description}


\item[\textsf{Verify}$(\mathcal Y, M, \Sigma)$:]


\item[\textsf{Verify}$(\gspk, M, \Sigma)$:]


Parse the signature $\Sigma$ as in \eqref{gsigsigma} and $C_{\mathsf{CS}}$ as


$(C_1, C_2, C_z, C_\sigma, C_\ID)$.


Then, output 1 if the the zeroknowledge proof verifies. Namely,



@ 940,11 +940,11 @@ with prospective users. However, this limitation can be removed using an extract


\end{enumerate} \vspace{1mm}


%


\begin{description}


\item[\textsf{Open}$(\mathcal Y, \mathcal S_\OA, M, \Sigma)$:] Given a pair $(M,\Sigma)$


\item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a messagesignature pair $(M,\Sigma)$


and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{1mm}


\end{description}


\begin{enumerate}


%\item Parse the signature $\Sigma$ as per~\eqref{gsigsigma} and $\mathcal S_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.


%\item Parse the signature $\Sigma$ as per~\eqref{gsigsigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.


\item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing


$\sigma_1 = C_\sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}$,


$ \pi = C_z \cdot C_1^{x_z} \cdot C_2^{y_z}$ and $V_\ID =C_\ID \cdot C_1^{x_\ID} C_2^{y_\ID}$.



@ 985,18 +985,19 @@ This results in a modified opening algorithm which takes $O(N)$ in the worstcas


\subsection{Security}




\begin{theorem} \label{gsiganon}


If SXDH holds in $(\GG, \Gh, \GT)$, the scheme is CCAanonymous in the random oracle model. %\vspace{1mm}


If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCAanonymous in the random oracle model. %\vspace{1mm}


\end{theorem}




\begin{proof}


We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$.


\\


At the first transition, we need to rely on the security of the computational soundness of the QANIZK argument of Section~\ref{QANIZKscheme} which relies on the SXDH assumption, since $\tilde \sigma_2$ and


At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasigqanizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and


$\tilde \sigma_3$ appear unencrypted in each group signature.


\vspace{2mm}




\begin{description}


\item[Game 0:] This is the real CCAanonymity game. In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that


\item[Game 0:] This is the real CCAanonymity game.\\


In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that


the adversary outputs $d'=d$.




\item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event,



@ 1007,7 +1008,7 @@ $\tilde \sigma_3$ appear unencrypted in each group signature.


This implies that the vector


$(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$


is outside the row space of the matrix $\mathbf{M}$ (\ref{matrixscalsig}), so that $F_1$ would contradict


the soundness of the QANIZK proof of \cite{KW15}


the soundness of the \QANIZK proof of \cite{KW15}


(via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witnesssamplable here)


and thus the DDH assumption in $\Gh$. We have


$ [\Pr[W_1]  P[W_0]  \leq \advantage{\DDH}{\Gh}(\lambda).$



@ 1027,7 +1028,7 @@ $\tilde \sigma_3$ appear unencrypted in each group signature.


Thus $\Pr[W_2]  \Pr[W_1]  \leq 1/p^3$




\item[Game 3:] We modify again the generation of the challenge signature $ \Sigma^\star $. Namely, the challenger computes


$C_z, C_\sigma, C_\ID$ using $\mathcal S_\OA$ as follows


$C_z, C_\sigma, C_\ID$ using $\mathcal{S}_\OA$ as follows


\begin{align*}


C_z &= \tilde \pi \cdot C_1^{x_z} \cdot C_2^{y_z}, \\


C_\sigma &= \tilde \sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}, &



@ 1090,7 +1091,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip


$\bdv$ faithfully generates the signature public key by faithfully running steps $1$, $2$, $3$ of the signature scheme


of Section~\ref{scalsig} and then calls for the signing oracle to obtain homomorphic signatures $\{ (z_j, r_j) \}_{j=1}^3$


on the rows of the matrix $\mathbf{M} \in \GG^{3 \times 6}$. It then conducts the remaining steps faithfully to obtain a


group public key $\mathcal Y$. Since $\bdv$ knows $\mathcal S_\OA$, it an perfectly simulate the opening oracle. If


group public key $\gspk$. Since $\bdv$ knows $\mathcal{S}_\OA$, it an perfectly simulate the opening oracle. If


$F_1$ occurs  which it does by hypothesis , one of the two membership certificate $\crt_d^\star$ of the challenge


phase must contain a signature $\sigma^\star$ such that $\log_g(\sigma_2^\star) \neq \log_h(\sigma^\star_3)$. At this


point, $\bdv$ can win the game against its challenger by outputting the vector $(\sigma_1^\star, \sigma^{\star \ID}_2,



@ 1162,7 +1163,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re




\begin{theorem}


In the ROM, the scheme is secure against


misidentification attacks under the SXDH assumption in $(\GG,\Gh)$.


misidentification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.


\vspace{1mm}


\end{theorem}


%



@ 1179,7 +1180,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re


scheme of section~\ref{scalsig}. \medskip


\\


\noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosenmessage security game to obtain the


public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\mathcal Y$. Except for $\mathcal S_\GM$, all keys


public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\gspk$. Except for $\mathcal{S}_\GM$, all keys


are generated as in the normal


\textsf{Keygen} algorithm. \medskip


\\



@ 1192,19 +1193,20 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re


\medskip


\\


\noindent At some point, the attacker $\adv$ produces a valid forgery


$(M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star,


\tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))$ for


\[ (M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star,


\tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))\] for


which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value


$H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ which would have been unpredictable otherwise. \medskip


\\


\[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)\]


which would have been unpredictable otherwise.




Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query


$H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. At this point,


the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains


\[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\]


At this point, the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains


two suitably related forgeries with nonnegligible probability $\varepsilon \cdot (\varepsilon / q_H 1/p) $. Namely, $\bdv$ will obtain two matching transcripts


$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$,


$(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$


of the $\Sigma$protocol for the commitment message


$\mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$.


\[ \mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\]


From the responses


$s_\ID^\star$ and


$s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain



@ 1222,7 +1224,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re


%\end{align*}


\medskip


\\


Finally $\bdv$ uses $\mathcal S_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs


Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs


$\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery


for the signature scheme of Section~\ref{scalsig}.


%\vspace{1mm}



@ 1235,10 +1237,10 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re


\end{theorem}


\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\


\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.


To generate the group public key $\mathcal{Y}$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.


To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.


At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$.


In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scalsig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)


As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\mathcal{Y}:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip


In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scalsig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.)


As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip


\\


Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested.


%At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows.



@ 1257,9 +1259,9 @@ $ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as


\[


V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i},


\]


and then computes $Z_i$ as a simulated QANIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$.


and then computes $Z_i$ as a simulated \QANIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$.


A straightforward calculation


shows that $Z_i=z_2^{\ID_i}$ since the QANIZK argument of Section \ref{QANIZKscheme} has a deterministic proving algorithm, so that


shows that $Z_i=z_2^{\ID_i}$ since the \QANIZK argument of Section \ref{sse:sigmasigqanizk} has a deterministic proving algorithm, so that


$(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2.


As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes


\begin{eqnarray*}



@ 1271,7 +1273,7 @@ At step 3 of $\mathsf{Join}$, $\bdv$ simulates the interactive proof of knowledg


In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$.


Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$.


% \item[] $Q_{\mathsf{pub}}$queries: These can be answered as in the real game, by having the simulator return


%$\mathcal{Y}$.


%$\gspk$.


\item[] $Q_{\mathsf{sig}}$queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use


the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 12 of the signing algorithm.


While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the



@ 1282,7 +1284,7 @@ More precisely, $\bdv$ rerandomizes the certificate $\crt_i$ by picking $r


\tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r.


\end{align*}


Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real


signing algorithm to get ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$


signing algorithm to get the encryption ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$


chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in


(\ref{gsigverif1}) and (\ref{gsigverif2}) of $\mathsf{Verify}$. Finally, $\bdv$


programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point,



@ 1297,9 +1299,11 @@ $q_s$ is the number of signing queries.


\end{align*}


for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value


$H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise.


Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape. At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run.


Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape.




At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run.


The Forking Lemma of \cite{BN06} ensures that, with nonnegligible probability the second run will result in a forgery


$\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)$ on


\[\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)\] on


the same message $M^\star$,


with distinct challenges


$c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses



@ 1318,6 +1322,7 @@ We stress that the proofs can be easily adapted to the case where the opening a


\subsection{Comparison with Existing Schemes}




\begin{table*}


\small


\centering


\begin{tabular}{ccccccc}


\hline





@ 16,6 +16,7 @@


\newcommand{\ZK}{\textsf{ZK}\xspace}


\newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace}


\newcommand{\NIZK}{\textsf{NIZK}\xspace}


\newcommand{\QANIZK}{\textsf{QANIZK}\xspace}


\newcommand{\PKE}{\textsf{PKE}\xspace}


\newcommand{\OT}{\textsf{OT}\xspace}


%% Common




10
main.tex
10
main.tex

@ 2,6 +2,9 @@


\documentclass[a4paper, 11pt]{memoir}


\semiisopage




%% Highlight overfull hbox


\overfullrule=1mm




\usepackage[utf8x]{inputenc}


\usepackage[french,english]{babel}


%\usepackage[UKenglish]{babel}



@ 123,12 +126,13 @@


\cleardoublepage


{\let\newpage\relax


\part{Group Signatures and Anonymous Credentials}


\label{pa:gsac}


\addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes}


\label{pa:gsac}


}




\chapter{Dynamic Group Signatures} \label{ch:gsbackground}


\chapter{Dynamic Group Signatures}


\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique}


\label{ch:gsbackground}




\input chapGSbackground





@ 153,11 +157,13 @@




\chapter{LatticeBased Group Encryption}


\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Chiffrement de groupe à base de réseaux euclidiens}


\label{ch:gelwe}




\input chapGELWE




\chapter{LatticeBased Oblivious Transfer with Access Control} \label{ch:acot}


\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}


\label{ch:otlwe}




\input chapOTLWE







@ 3,7 +3,7 @@


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%




Pairingbased cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize DiffieHellman key exchange to three users in one round.


Since then, many constructions have been proposed for cryptographic constructions, such as identitybased encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}.


Since then, many constructions have been proposed for cryptographic constructions, such as identitybased encryption~\cite{BF01,Wat05} or group signature~\cite{BBS04}.


Multiple constructions and parameter sets coexist for pairings.


Realworld implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairingbased cryptography~\cite{KB16,MSS17,BD18}.





@ 50,5 +50,4 @@ In the aforementioned chapter, we also rely on the following assumption, which g


where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$.


\end{restatable}




This assumption is still a static and noninteractive assumption.




This assumption is also static and noninteractive.





@ 56,7 +56,7 @@ The details of this proof is given in \cref{sse:sternabstraction}, but it can b




Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zkktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$.




A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zkktx} is the socalled ``DecompositionExtension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}).


%A method to relax the constraints on the \textsf{ZKAoK} of \cref{le:zkktx} is the socalled ``DecompositionExtension'' technique~\cite{LNSW13,LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\cref{sse:stern}).




\index{Lattices!Inhomogeneous \SIS}


To prove the knowledge of an \ISIS preimage, i.e.





@ 26,6 +26,7 @@


$\ZK$ & ZeroKnowledge \\


$\ZKAoK$ & ZeroKnowledge Argument of Knowledge \\


$\NIZK$ & NonInteractive ZeroKnowledge \\


$\QANIZK$ & QuasiAdaptive NonInteractive ZeroKnowledge \\


$\OT$ & Oblivious Transfer \\


[1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\


EUCMA & Existentially Unforgeable under chosenmessage attacks \\




26
these.bib
26
these.bib

@ 1,3 +1,4 @@


% Encoding: UTF8


@InCollection{BCKL08,


author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},


title = {{P}signatures and Noninteractive Anonymous Credentials},



@ 1621,7 +1622,7 @@


}




@InProceedings{CVH91,


author = {Chaum, David and Van Heyst, Eug{\`e}ne},


author = {Chaum, David and van Heyst, Eug{\`e}ne},


title = {Group signatures},


booktitle = {{Eurocrypt}},


year = {1991},



@ 2229,7 +2230,7 @@




@Article{KL11,


author = {Kidron, Dafna and Lindell, Yehuda},


title = {Impossibility Results for Universal Composability in PublicKey Models and with Fixed Inputs},


title = {Impossibility Results for Universal Composability in<EFBFBD>PublicKey Models and with Fixed Inputs},


journal = {Journal of Cryptology},


year = {2011},


volume = {24},



@ 2509,14 +2510,14 @@


}




@InProceedings{dPLNS17,


author = {del Pino, Rafaël and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},


author = {del Pino, Rafa<EFBFBD>l and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},


title = {{Practical QuantumSafe Voting from Lattices}},


booktitle = {CCS},


year = {2017},


}




@InProceedings{LLNW17,


author = {Libert, Benoît and Ling, San and Nguyen, Khoa and Wang, Huaxiong},


author = {Libert, Beno<EFBFBD>t and Ling, San and Nguyen, Khoa and Wang, Huaxiong},


title = {{ZeroKnowledge Arguments for LatticeBased PRFs and Applications to ECash}},


booktitle = {Asiacrypt},


year = {2017},



@ 2526,7 +2527,7 @@


}




@InProceedings{Ajt96,


author = {Ajtai, Miklós},


author = {Ajtai, Mikl<EFBFBD>s},


title = {{Generating Hard Instances of Lattice Problems}},


booktitle = {STOC},


year = {1996},



@ 2562,7 +2563,7 @@


}




@InProceedings{LMN16,


author = {Libert, Benoît and Mouhartem, Fabrice and Nguyen, Khoa},


author = {Libert, Beno<EFBFBD>t and Mouhartem, Fabrice and Nguyen, Khoa},


title = {{A LatticeBased Group Signature Scheme with MessageDependent Opening}},


booktitle = {ACNS},


year = {2016},



@ 2591,7 +2592,7 @@


}




@InProceedings{LPJY14,


author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti},


author = {Libert, Beno<EFBFBD>t and Peters, Thomas and Joye, Marc and Yung, Moti},


title = {{Nonmalleability from Malleability: SimulationSound QuasiAdaptive NIZK Proofs and CCA2Secure Encryption from Homomorphic Signatures}},


booktitle = {Eurocrypt},


year = {2014},



@ 2617,7 +2618,7 @@


}




@InProceedings{LPJY13,


author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti},


author = {Libert, Beno<EFBFBD>t and Peters, Thomas and Joye, Marc and Yung, Moti},


title = {{Linearly Homomorphic StructurePreserving Signatures and Their Applications}},


booktitle = {Crypto},


year = {2013},



@ 2716,4 +2717,13 @@


publisher = {Springer},


}




@InProceedings{LNWX17,


author = {Ling, San and Nguyen, Khoa and Wang, Huaxiong and Xu, Yahong},


title = {{LatticeBased Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease}},


booktitle = {ACNS},


year = {2017},


series = {LNCS},


publisher = {Springer},


}




@Comment{jabrefmeta: databaseType:bibtex;}




Loading…
Reference in New Issue