diff --git a/.gitignore b/.gitignore
index aad7d55..12bb543 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,6 +8,7 @@
 *.ilg
 *.ind
 *.latexmain
+*.lot
 *.lof
 *.log
 *.out
diff --git a/chap-GS-background.tex b/chap-GS-background.tex
index 12a2fb5..e4a3811 100644
--- a/chap-GS-background.tex
+++ b/chap-GS-background.tex
@@ -14,10 +14,19 @@ Before describing those scheme, let us recall in this Chapter the definition of Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group. On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key. In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it. -This primitive was introduced by Bellare, Micciancio and Warinschi~\cite{BMW03} in 2003 and was extended to dynamic groups by Bellare, Shi and Zhang ({BSZ}) in 2005~\cite{BSZ05}. +These interactions are summarized in Figure~\ref{fig:gs-relations}. + +The concept of group signatures was introduced by Chaum and van Heyst in 1991~\cite{CVH91}, but the works of Ateniese, Camenisch, Joye and Tsudik in 2001~\cite{ACJT00} were the first to provide scalable and secure group signatures. +In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed a formal definition for \textit{static} group signatures, where the group is defined once and for all at the setup phase. +This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. Those two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}. + The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}. 
The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user. +In the dynamically growing group setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager. +In this context, the two notions of the BMW model are kept, and a third one is added: the ``\textit{non-frameability}''. +This notion expresses the impossibility to frame a group of honest users in order to provide a signature that opens to one on them, \textit{even if the group manager and the opening authority are colluding}. + One application of this primitive can be to handle anonymous access control for public transportation systems. In order to commute, a person should prove the possession of a valid subscription to the transportation service. Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group. 
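Review bot: The non-frameability sentence added here says a signature "that opens to one on them", which should read `that opens to one of them`; since this is the one property that holds even against a colluding GM and OA, the statement deserves to be exact. The years in the new history paragraph also disagree with their citation keys: "in 2001~\cite{ACJT00}" and "in 2005~\cite{KY06}" — the keys suggest 2000 and 2006 respectively, so one side or the other needs checking against the bibliography. The sentence "Those two security models are slightly different" would help the reader more if it named the difference that motivates choosing the KY model, even in one clause.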
@@ -27,7 +36,7 @@ Then, the public transportation company is unable to learn anything from seeing Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building. As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful. -Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- we do not consider this approach. +Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of interest~\cite{LNWX17}. \section{Formal Definition and Correctness} \label{sse:gs-definitions} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction} @@ -43,7 +52,7 @@ This section recalls the syntax and the security definitions of dynamic group s \input fig-gs-relations \caption{Relations between the protagonists in a dynamic group signature scheme} - \label{fig:relations} + \label{fig:gs-relations} \end{figure} In the setting of \emph{dynamic groups}, the syntax of group signatures includes 
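Review bot: The rewritten Bootle et al. sentence keeps two grammar slips on the new line: "rise the problem of revocation" should be `raise the problem of revocation` and "a model that handle the issues" should be `a model that handles the issues`. The label rename `fig:relations` to `fig:gs-relations` matches the new `\ref` in the earlier hunk, but any other `\ref{fig:relations}` outside this diff would now be a dangling reference — worth a grep before merging.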
@@ -59,36 +68,22 @@ membership secret, $\scr_i$. %\paragraph{Syntax.} We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that the system will be able to handle. \begin{definition}[Dynamic Group Signature] - A \emph{dynamic group signature} scheme consists of the following algorithms - or protocols. + A \emph{dynamic group signature} scheme consists of the algorithms or protocols $(\Setup, \mathsf{Join}, \Sign, \Verify, \Open)$ described as follows. \begin{description} - \item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$ - and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm - is run by a trusted party to generate a group public key $\mathcal{Y}$, - the group manager's private key $\mathcal{S}_{\GM}$ and the opening - authority's private key $\mathcal{S}_{\OA}$. Each key is given to the - appropriate authority while $\mathcal{Y}$ is made public. The algorithm - also initializes a public state $St$ comprising a set data structure - $St_{\users}=\emptyset$ and a string data structure $St_{\trans}= - \epsilon$.\\ - In the following, all algorithms have access to the public parameters - $\gspk$. + \item[\textsf{Setup}$(1^\lambda,1^{\Ngs})$:] given a security parameter $\lambda$ and a maximal number of group members $\Ngs \in \mathbb{N}$, this algorithm is run by a \textit{trusted party} to generate a group public key $\gspk$, the group manager's private key $\mathcal{S}_{\GM}$ and the opening authority's private key $\mathcal{S}_{\OA}$. + Each key is given to the appropriate authority while $\gspk$ is made public. + The algorithm also initializes a public state $\mathsf{st}$ comprising a set data structure $\mathsf{st}_{\users}=\emptyset$ and a string data structure $\mathsf{st}_{\trans}= \epsilon$.\\ + In the following, all algorithms have access to the public parameters $\gspk$. 
% - \item[\textsf{Join}:] is an \emph{interactive} protocol between the group manager - GM and a user $\mathcal{U}_i$ where the latter becomes a group member. - The protocol involves two interactive Turing machines $\join_{\user}$ and - $\join_{\GM}$ that both take $\mathcal{Y}$ as input. The execution - $\langle \join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM}) \rangle$, - ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i }$, - that no one else knows, and a membership certificate $\crt_{i }$. If the - protocol is successful, the group manager updates the public state $St$ by - setting $St_{\users}:=St_{\users} \cup \{ i \}$ as well as - $St_{\trans}:=St_{\trans} || \langle i ,\transcript_i \rangle$. + \item[\textsf{Join}$^{\join_{\user}, \join_{\GM}}$:] is an \emph{interactive} protocol between the group manager GM and a user $\mathcal{U}_i$ where the latter becomes a group member. + The protocol involves two interactive Turing machines $\join_{\user}$ and $\join_{\GM}$ that both take the group public key $\gspk$ as input. + The execution $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$, ends with user $\mathcal{U}_i$ obtaining a membership secret $\scr_{i}$, that no one else knows, and a membership certificate $\crt_{i }$. + If the protocol is successful, the group manager updates the public state $\mathsf{st}$ by updating the following state informations $\mathsf{st}_{\users}:=\mathsf{st}_{\users} \cup \{ i \}$ as well as $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || ( i ,\transcript_i )$. % %\item[\textsf{Revoke}:] is a (possibly randomized) algorithm allowing the GM %to generate an updated revocation list $RL_t$ for the new revocation period $t$. 
-%It takes as input a public key $\mathcal{Y}$ and a set $\mathcal{R}_t \subset St_{\users}$ +%It takes as input a public key $\gspk$ and a set $\mathcal{R}_t \subset \mathsf{st}_{\users}$ %that identifies the users to be revoked. %It outputs an updated revocation list $RL_t$ for period $t$. %% @@ -101,15 +96,15 @@ We denote by $\Ngs \in \poly[\lambda]$ the maximal number of group members that % \item[\textsf{Verify($\sigma, M$)}:] given a signature $\sigma$, %a revocation period $t $, the corresponding revocation list $RL_t$, - a message $M$ and a group public key $\mathcal{Y}$, this + a message $M$ and a group public key $\gspk$, this \emph{deterministic} algorithm returns either $0$ or $1$. % \item[\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}:] takes as input a message $M$, a valid signature $\sigma$ w.r.t. - $\mathcal{Y}$ %for the indicated revocation period $t$ + $\gspk$ %for the indicated revocation period $t$ , the opening authority's private key $\mathcal{S}_{\OA}$ and the public - state $St$. - It outputs $i \in St_{\users} \cup \{ \bot \}$, which is the identity of + state $\mathsf{st}$. + It outputs $i \in \mathsf{st}_{\users} \cup \{ \bot \}$, which is the identity of a group member or a symbol indicating an opening failure. % \end{description} 
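Review bot: The rewritten Join item says "updating the following state informations"; "information" is uncountable, so `updating the state information` reads correctly. The Setup item now stresses that both $\mathcal{S}_{\GM}$ and $\mathcal{S}_{\OA}$ come from a single \textit{trusted party}; since all three experiments below run Setup honestly, it would help a practitioner to add one sentence noting that this honest-setup assumption is outside the security model (a setup whose coins leak hands the adversary both authorities' keys at once). Also, the algorithm list in the definition head writes `\mathsf{Join}` while the item labels use `\textsf{Join}`; pick one form.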
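Review bot: The Open item's label still reads `\textsf{Open($\mathcal{S}_{\OA}, M, \sigma$)}` while the body lists $\gspk$ and the public state $\mathsf{st}$ as inputs, and the correctness condition and experiments call `\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\gspk,\mathsf{st}')` with a different order; the same holds for `\textsf{Verify($\sigma, M$)}` versus `\mathsf{Verify}(\sigma,M,\gspk)`. Since this hunk already rewrites these lines, aligning the labels with the calls, e.g. `\item[\textsf{Open($M, \sigma, \mathcal{S}_{\OA}, \gspk, \mathsf{st}$)}:]`, would remove the ambiguity about which state the opener reads.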
@@ -128,16 +123,16 @@ against them. And finally the \textit{anonymity} property is also formalized by \paragraph{Correctness for Dynamic Group Signatures.} Following the Kiayias-Yung terminology \cite{KY06}, we say that a public state -$St$ is \textit{valid} if it can be reached from $St=(\emptyset,\epsilon)$ by a -Turing machine having oracle access to $\join_{\GM}$. Also, a state $St'$ is said -to \textit{extend} another state $St$ if it is within reach from $St$. +$\mathsf{st}$ is \textit{valid} if it can be reached from $\mathsf{st}=(\emptyset,\epsilon)$ by a +Turing machine having oracle access to $\join_{\GM}$. Also, a state $\mathsf{st}'$ is said +to \textit{extend} another state $\mathsf{st}$ if it is within reach from $\mathsf{st}$. Moreover, as in \cite{KY06}, when we write -$\crt_{i}\leftrightharpoons_{\mathcal{Y}} \scr_{i}$, it means that there exists +$\crt_{i}\leftrightharpoons_{\gspk} \scr_{i}$, it means that there exists coin tosses $\varpi$ for $\join_{\GM}$ and $\join_{user}$ such that, for some valid -public state $St'$, the execution of the interactive protocol -$[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St',\mathcal{Y},\mathcal{S}_{\GM})](\varpi)$ -provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$. +public state $\mathsf{st}'$, the execution of the interactive protocol +$\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st}',\gspk,\mathcal{S}_{\GM}) \rangle_\varpi$ +provides $\join_{\user}$ with $(i,\scr_{i },\crt_{i })$. \begin{definition}[Correctness] A dynamic group signature scheme is correct if the following conditions are 
@@ -146,26 +141,26 @@ provides $\join_{\user}$ with $\langle i,\scr_{i },\crt_{i } \rangle$. % \begin{enumerate}[(1)] % - \item In a valid state $St$, $|St_{users}|=|St_{trans}|$ always holds and - two distinct entries of $St_{trans}$ always contain certificates with + \item In a valid state $\mathsf{st}$, $|\mathsf{st}_{users}|=|\mathsf{st}_{trans}|$ always holds and + two distinct entries of $\mathsf{st}_{trans}$ always contain certificates with distinct tag. % \item If - $[\join_{\user}(\lambda,\mathcal{Y}),\join_{\GM}(\lambda,St,\mathcal{Y},\mathcal{S}_{\GM})]$ + $\langle \join_{\user}(\lambda,\gspk),\join_{\GM}(\lambda,\mathsf{st},\gspk,\mathcal{S}_{\GM}) \rangle$ is run by two honest parties following the protocol and $\langle i, \crt_{i }, \scr_{i } \rangle$ is obtained by $\join_{\user}$, then - we have $\crt_{i } \leftrightharpoons_{\mathcal{Y}} \scr_{i }$. + we have $\crt_{i} \leftrightharpoons_{\gspk} \scr_{i }$. % \item For each %revocation period $t$ and any - $\langle i, \crt_{i }, \scr_{i } \rangle$ such that $\crt_{i } - \leftrightharpoons_{\mathcal{Y}} \scr_{i }$, satisfying condition 2, we have - $ \mathsf{Verify}\big(\mathsf{Sign}(\mathcal{Y}, \crt_{i }, \scr_{i - },M),M,\mathcal{Y}\big)=1$. + $(i, \crt_{i}, \scr_{i})$ such that $\crt_{i } + \leftrightharpoons_{\gspk} \scr_{i }$, satisfying condition 2, we have + $ \mathsf{Verify}\big(\mathsf{Sign}(\gspk, \crt_{i }, \scr_{i + },M),M,\gspk\big)=1$. % - \item For any outcome $\langle i, \crt_{i }, \scr_{i } \rangle$ of $[\join_{\user}(.,. ),\join_{\GM}(.,St,.,. )]$ for some valid - $St$, - if $\sigma =\mathsf{Sign}(\mathcal{Y},\crt_{i }, \scr_{i},M)$, then - $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\mathcal{Y},St')=i.$ + \item For any outcome $(i, \crt_{i }, \scr_{i })$ of + $\langle\join_{\user}(.,. ),\join_{\GM}(.,\mathsf{st},.,. 
)\rangle$ + for some valid state information $\mathsf{st}$, if $\sigma =\mathsf{Sign}(\gspk,\crt_{i }, \scr_{i},M)$, then + $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\gspk,\mathsf{st}')=i.$ % \end{enumerate} % @@ -186,17 +181,17 @@ variables: \item $\mathsf{state}_{\mathcal{I}}$: is a data structure representing the state of the interface as the adversary invokes the various oracles available in the attack games. It is initialized as - $\mathsf{state}_{\mathcal{I}}=(St,\mathcal{Y},\mathcal{S}_{\GM}, + $\mathsf{state}_{\mathcal{I}}=(\textsf{st},\gspk,\mathcal{S}_{\GM}, %\linebreak[4] \mathcal{S}_{\OA}) \leftarrow \mathsf{Setup}(1^\lambda,1^\Ngs)$. - It includes the (initially empty) set $St_{users}$ of group members and a - dynamically growing database $St_{trans}$ storing the transcripts of + It includes the (initially empty) set $\textsf{st}_{users}$ of group members and a + dynamically growing database $\textsf{st}_{trans}$ storing the transcripts of previously executed join protocols. %Finally, %$\mathsf{state}_{\mathcal{I}}$ includes a counter %$t$ (which is initialized to $0$) indicating the number of user revocation %queries so far. - \item $n=|St_{users}|<\Ngs$ denotes the current cardinality of the group. + \item $n=|\textsf{st}_{users}|<\Ngs$ denotes the current cardinality of the group. % \item $\mathsf{Sigs}$: is a database of signatures created by the signing oracle. Each entry consists of a triple $(i,M,\sigma)$ indicating that @@ -219,7 +214,7 @@ following oracles: % \item $Q_{\mathsf{pub}}$, $Q_{\mathsf{key\GM}}$ and $Q_{\mathsf{key\OA}}$: when these oracles are invoked, the interface looks up $\mathsf{state}_{\interface}$ and - returns the group public key $\mathcal{Y}$, the GM's private key + returns the group public key $\gspk$, the GM's private key $\mathcal{S}_{\GM}$ and the opening authority's private key $\mathcal{S}_{\OA}$ respectively. % 
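Review bot: In the rewritten condition 4, $\mathsf{st}'$ is never bound: the hypothesis quantifies over a valid state $\mathsf{st}$ but the conclusion opens with $\mathsf{st}'$. The "extend" terminology defined just above this list is presumably what is meant, so the conclusion should read `then for any valid state $\mathsf{st}'$ extending $\mathsf{st}$, $\mathsf{Open}(M,\sigma,\mathcal{S}_{\OA},\gspk,\mathsf{st}')=i$` — this is the real requirement, since opening happens after further users have joined. Two smaller notation drifts introduced by this hunk: condition 1 writes `\mathsf{st}_{users}`/`\mathsf{st}_{trans}` while the Join definition uses the `\users`/`\trans` macros, and condition 2 keeps `\langle i, \crt_{i}, \scr_{i} \rangle` while conditions 3 and 4 switch to parentheses.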
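Review bot: This hunk writes `\textsf{st}` inside math mode (`$\mathsf{state}_{\mathcal{I}}=(\textsf{st},\gspk,\ldots)$`, `\textsf{st}_{users}`, `$n=|\textsf{st}_{users}|<\Ngs$`) whereas every other hunk in the commit uses `\mathsf{st}`; `\textsf` in math uses the text font and can render differently from `\mathsf`. Since the same commit already introduced the `\gspk` macro to stop this kind of drift, a `\newcommand{\st}{\mathsf{st}}` in the preamble used everywhere would be the consistent fix.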
@@ -227,16 +222,16 @@ following oracles: in the group. On behalf of the GM, the interface runs $\join_{\GM}$ in interaction with the $\join_{\user}$-executing adversary who plays the role of the prospective user in the join protocol. If this protocol successfully - ends, the interface increments $n$, updates $St$ by inserting the new user - $n$ in both sets $St_{users}$ and $U^a$. It also sets - $St_{\trans}:=St_{\trans} || \langle n, \transcript_n \rangle$. + ends, the interface increments $n$, updates $\mathsf{st}$ by inserting the new user + $n$ in both sets $\mathsf{st}_{users}$ and $U^a$. It also sets + $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, \transcript_n \rangle$. % \item $Q_{\bjoin}$: allows the adversary, acting as a corrupted group manager, to introduce new honest group members of its choice. The interface triggers an execution of $[\join_{\user},\join_{\GM}]$ and runs $\join_{\user}$ in interaction with the adversary who runs $\join_{\GM}$. If the protocol successfully completes, the interface increments $n$, adds user $n$ to - $St_{users}$ and $U^b$ and sets $St_{\trans}:=St_{\trans} || \langle n, + $\mathsf{st}_{users}$ and $U^b$ and sets $\mathsf{st}_{\trans}:=\mathsf{st}_{\trans} || \langle n, \transcript_n \rangle$. It stores the membership certificate $\crt_{n }$ and the membership secret $\scr_{n }$ in a \textit{private} part of $\mathsf{state}_{\interface}$. @@ -251,7 +246,7 @@ following oracles: % \item $Q_{\mathsf{open}}$: when this oracle is invoked on input of a valid pair $(M,\sigma)$, - the interface runs algorithm $\mathsf{Open}$ using the current state $St $. + the interface runs algorithm $\mathsf{Open}$ using the current state $\mathsf{st} $. When $S$ is a set of pairs of the form $(M,\sigma)$, $Q_{\mathsf{open}}^{\neg S}$ denotes a restricted oracle that only applies the opening algorithm to pairs $(M,\sigma)$ which are not in $S$. 
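Review bot: The $Q_{\ajoin}$ and $Q_{\bjoin}$ descriptions rewritten here still append `\langle n, \transcript_n \rangle` to $\mathsf{st}_{\trans}$, while the Join definition in this same commit now appends `( i ,\transcript_i )`; since a transcript entry is what the opening authority and the correctness conditions index, one tuple notation should be used throughout. The adjacent context line `[\join_{\user},\join_{\GM}]` likewise keeps the square-bracket execution notation that the rest of the commit replaces with `\langle \cdot,\cdot \rangle`.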
@@ -262,8 +257,8 @@ following oracles: the public/private keys and the private part of $\mathsf{state}_{\interface}$ where membership secrets are stored after $Q_{\bjoin}$-queries. By using $Q_{\mathsf{write}}$, the adversary can modify $\mathsf{state}_{\interface}$ at - will as long as it does not remove or alter elements of $St_{users}$, - $St_{trans}$ or invalidate the public state $St$: for example, the adversary + will as long as it does not remove or alter elements of $\mathsf{st}_{users}$, + $\mathsf{st}_{trans}$ or invalidate the public state $\mathsf{st}$: for example, the adversary is allowed to create dummy users as long as it does not re-use already existing certificate tags. @@ -279,13 +274,13 @@ security properties are formalized as follows. \begin{figure}[H] \centering \procedure{Experiment $\Exp{\textrm{mis-id}}{\adv}(\lambda)$}{% - \mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA}) + \mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA}) \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\ (M^\star,\sigma^\star) \leftarrow \adv(Q_{\mathsf{pub}},Q_{\ajoin}, Q_{\mathsf{read}},Q_{\mathsf{keyOA}})\\ - \pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\ + \pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\ \pcind \pcreturn{0}\\ - i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \mathcal{Y},St')\\ + i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \gspk,\mathsf{st}')\\ \pcif i \not\in U^a \pcthen \\ \pcind\pcreturn{1}\\ \pcelse\\ 
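Review bot: In the mis-identification experiment, the opening step `i =\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, \gspk,\mathsf{st}')` uses a primed state that the experiment never defines; the only state in scope is the $\mathsf{st}$ component of $\mathsf{state}_{\interface}$ as left by the adversary's $Q_{\ajoin}$ queries. Writing `\mathsf{st}` there (or stating once that $\mathsf{st}'$ denotes the interface's current state) matters for the definition, because the adversary wins exactly when opening against the final state yields a user outside $U^a$. The same unbound $\mathsf{st}'$ appears in the non-frameability experiment of the next hunk.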
@@ -320,16 +315,16 @@ adversarially-controlled user. \begin{figure}[H] \centering \procedure{Experiment $\Exp{\mathrm{fra}}{\adv}(\lambda)$}{% - \mathsf{state}_{\interface}=(St,\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA}) + \mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA}) \gets \mathsf{Setup}(1^\lambda,1^\Ngs)\\ (M^\star,\sigma^\star) \gets \adv(Q_{\mathsf{pub}},Q_{\mathsf{key}\GM}, Q_{\mathsf{key}\OA}, Q_{\bjoin},%Q_{\mathsf{revoke}}, Q_{\mathsf{sig}}, Q_{\mathsf{read}}, Q_{\mathsf{write}}) \\ - \pcif \mathsf{Verify}(\sigma^\star,M^\star,\mathcal{Y})=0 \pcthen\\ + \pcif \mathsf{Verify}(\sigma^\star,M^\star,\gspk)=0 \pcthen\\ \pcind \pcreturn 0 \\ \pcif i=\mathsf{Open}(M^\star,\sigma^\star,\mathcal{S}_{\OA}, - \mathcal{Y},St') \not \in U^b \pcthen\\ + \gspk,\mathsf{st}') \not \in U^b \pcthen\\ \pcind \pcreturn 0\\ \pcif \bigwedge_{j \in U^b \textrm{ s.t. } j=i~} (j,M^\star,\ast) 
@@ -376,23 +371,23 @@ The adversary eventually aims at framing an honest group member. \begin{figure}[H] \centering \procedure{Experiment $\Exp{\textrm{anon}}{\adv,d}(\lambda)$}{ - \mathsf{state}_{\interface}=(St,\mathcal{Y},\mathcal{S}_{\GM},\mathcal{S}_{\OA}) + \mathsf{state}_{\interface}=(\mathsf{st},\gspk,\mathcal{S}_{\GM},\mathcal{S}_{\OA}) \gets \mathsf{Setup}(1^\lambda, 1^\Ngs)\\ \big(aux,M^\star,(\scr_{0}^\star,\crt_{0}^\star), (\scr_{1}^\star,\crt_{1}^\star )\big) \gets \adv(\mathsf{play};\, Q_{\mathsf{pub}},Q_{\mathsf{key\GM}}, %Q_{\mathsf{revoke}}, Q_{\mathsf{open}},Q_{\mathsf{read}},Q_{\mathsf{write}})\\ - %\If{\neg(\crt_{b}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{b}^\star) for b\in\bit} + %\If{\neg(\crt_{b}^\star \leftrightharpoons_{\gspk} \scr_{b}^\star) for b\in\bit} %{\Return \bot\\} %\If{\crt_{0 }^\star = \crt_{1 }^\star }{\Return \bot\\} \pcif - \neg((\crt_{0}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{0}^\star) - \wedge (\crt_{1}^\star \leftrightharpoons_{\mathcal{Y}} \scr_{1}^\star) + \neg((\crt_{0}^\star \leftrightharpoons_{\gspk} \scr_{0}^\star) + \wedge (\crt_{1}^\star \leftrightharpoons_{\gspk} \scr_{1}^\star) \wedge (\crt_{0}^\star \neq \crt_{1 }^\star)) \pcthen\\ \pcind\pcreturn \bot\\ %Pick random d \gets \bit; - \sigma^\star \leftarrow \mathsf{Sign}(\mathcal{Y},\crt_{d}^\star, + \sigma^\star \leftarrow \mathsf{Sign}(\gspk,\crt_{d}^\star, \scr_{d}^\star,M^\star)\\ d'\leftarrow \adv(\mathsf{guess};\,\sigma^\star,aux,Q_{\mathsf{pub}}, Q_{\mathsf{key\GM}},Q_{\mathsf{open}}^{\neg \{ (M^\star, \sigma^\star)\}}, diff --git a/chap-ZK.tex b/chap-ZK.tex index bf9976a..dc4335a 100644 --- a/chap-ZK.tex +++ b/chap-ZK.tex 
@@ -114,7 +114,7 @@ Commitment schemes~\cite{Blu81} are the digital equivalent of a safe. The goal i These algorithms should verify correctness, hiding and binding properties, where $\Exp{\mathrm{hiding}}{\adv, b}$ and $\Exp{\mathrm{binding}}{\adv}$ are described in Figure~\ref{fig:hiding-binding-games}. \begin{description} - \item[Correctness.] For any $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$. + \item[Correctness.] For any public parameters $\param \gets \Setup(1^\lambda)$, message $M$, commitment and opening $(\com, \open) \gets \Commit(\param, M)$, it holds that $\Open(\param, \open, M) = 1$. \item[Hiding.] For any \ppt{} adversary $\adv$ against the hiding experiment, we have that \[ \hspace{-1cm} \advantage{\mathrm{hiding}}{\adv}(\lambda) = \left| \Pr\left[\Exp{\mathrm{hiding}}{\adv, 1}(\lambda) = 1\right] - \Pr\left[\Exp{\mathrm{hiding}}{\adv, 0}(\lambda) = 1\right] \right| \leq \negl[\lambda], @@ -180,7 +180,7 @@ In the random oracle model, it is possible to transform a ZK proof into an NIZK \begin{definition}[Fiat-Shamir Transform~{\cite{FS86}}] \index{Zero Knowledge!Fiat-Shamir Transform} - Let $(P, V)$ be a three-round zero-knowledge proof for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function. + Let $(P, V)$ be a three-move ZK proof system for relation $R = \{ (x, w) \}$ as in Figure~\ref{fig:sigma} and $\mathcal H$ be a cryptographic hash function. Let $\hat P$ be the following non-interactive prover that takes as inputs $x$ and $w$: \begin{enumerate} 
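Review bot: The rewritten correctness condition checks `$\Open(\param, \open, M) = 1$` without passing the commitment, so nothing ties the opening to $\com$; it should be `$\Open(\param, \com, \open, M) = 1$`. Note also that the Schnorr paragraph later in this diff names the scheme $(\Setup, \Commit, \Verify)$ and calls `\Verify(\param, \com, \open, c)`, so either the algorithm is $\Open$ or $\Verify$, but not both; the algorithm list itself is outside this hunk, so please confirm its arity there.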
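Review bot: The Fiat-Shamir definition now says "$\mathcal H$ be a cryptographic hash function", but the sentence introducing it says the transform is done "In the random oracle model", and the soundness of the non-interactive proof is only established when $\mathcal H$ is modeled as a random oracle; `and $\mathcal H$ be a hash function modeled as a random oracle` would make the definition match the claim. The enumerate describing $\hat P$ is cut off by the hunk, so I cannot see how the challenge is derived; if it hashes the first move alone rather than the statement $x$ together with it, a remark that the statement must be included for adaptive soundness would be a caveat readers applying this to the group signature of Chapter~\ref{ch:sigmasig} need.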
@@ -233,13 +233,14 @@ For the sake of completeness, we can also mention $\NIZK$ in the standard model, Schnorr's methodology to construct proofs is based on the $\Sigma$-protocol technique to design zero-knowledge proofs. It has been introduced in order to prove the knowledge of a discrete logarithm (which can bee seen at the relation $R_{\mathsf{dlog}} = \{ (h, a) \in \GG \times \ZZ_p \mid h = g^a \}$ with $\GG = \langle g \rangle$ be a cyclic group of prime order $p\geq 2$) and is described in Figure~\ref{fig:schnorr-dlog}. -This methodology can be interpreted as follows. Given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in fixing the randomness used in the commitment scheme $r$ \emph{via} $\rho$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$. Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$. +An interpretation of this methodology is the following: given a commitment scheme $(\Setup, \Commit, \Verify)$, where the randomness $r$ used in $\Commit$ is made explicit, the first move of the prover $P$ consists in binding the randomness used in the commitment scheme $r$ using the transmitted value $\rho = g^r$, then the verifier asks the prover to commit to a challenge message $c$ using the randomness carried by $\rho$, and the prover sends the opening for this commitment $\open$. +Finally, the verifier accepts if and only if $\Verify(\param, \com, \open, c) = 1$. -In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}. 
+In the protocol described in Figure~\ref{fig:schnorr-dlog}, the underlying commitment is the Pedersen commitment scheme~\cite{Ped91}: a commitment of a message $M \in \Zp$ is $g^m \cdot h^r \in \GG$ and the opening is the randomness $r$ used to commit. Given its effiency, Schnorr's protocol is used along with Fiat-Shamir heuristic in the pairing-based group signature described in~\cref{ch:sigmasig}. -This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct zero-knowledge proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. +This methodology has also been adapted in the ideal lattice-setting by Lyubashevsky~\cite{Lyu08, Lyu09} along with a technique called \textit{rejection sampling} in order to construct ZK proofs from ideal lattice assumptions and is described in Figure~\ref{fig:schnorr-lwe}. In this description $D_y$ and $D_c$ are the distributions from which $\mathbf{y}_1, \mathbf{y}_2$ and $\mathbf{c}$ have to be sampled respectively, and $G$ describes the set of \textit{good} responses $\mathbf{z}_1, \mathbf{z}_2$ in order not to leak informations about $\mathbf{s}_1, \mathbf{s}_2$. The part under square braces is called the \textit{rejection} phase, and ensure that the transmitted $\mathbf{z}_1, \mathbf{z}_2$ will not leak any information about $\mathbf{s}_1, \mathbf{s}_2$ to V. This part induced a noticeable error-rate where the prover aborts the proof. As the protocol is proven \textit{witness indistinguishable}~\cite{Lyu09}, one can run the protocol multiple times in parallel and hope that one of them will not abort~\cite{FS90}. diff --git a/chap-proofs.tex b/chap-proofs.tex index 255ebfe..305d092 100644 --- a/chap-proofs.tex +++ b/chap-proofs.tex 
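Review bot: The new Pedersen sentence commits to "a message $M \in \Zp$" but writes the commitment as `$g^m \cdot h^r$`, so the exponent and the message name disagree. A tighter version that also states the condition the binding property rests on would be `a commitment to a message $m \in \Zp$ with randomness $r \in \Zp$ is $g^m \cdot h^r \in \GG$, where $\log_g h$ is unknown to the committer, and the opening is $r$`; without that condition on $h$ the commitment is not binding, which is exactly what the interpretation of Schnorr's protocol relies on. Separately, the context line "Given its effiency" carries a typo (`efficiency`) that this hunk could have picked up.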
@@ -93,8 +93,14 @@ That's why we'll now define the principle of polynomial time reduction. In other words, a polynomial reduction from $A$ to $B$ is the description of a polynomial time algorithm (also called ``\emph{the reduction}''), that uses an algorithm for $B$ in a black-box manner to solve $A$. This is illustrated in Figure~\ref{fig:poly-reduction}. +To write down that a TM has black-box access to a TM $M_O$ that computes function $O$, we sometimes use the \textit{oracle} terminology. + +\begin{definition}[Oracle machine] \index{Turing machine!Oracle machine} + A Turing Machine $M$ is said to have \textit{oracle access} to a function $O(\cdot)$ if it has access to the result of $O(x)$ for any input $x$ of its choice in constant time. We denote the output of $M$ on input $x$ with oracle $O$ by $M^O(x)$. +\end{definition} + We can notice that \textsf{P} and \textsf{PP} are both closed under polynomial-time reduction. -Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then this problem is also in \textsf{P} (resp. \textsf{PP}). +Namely, if a problem is easier than another problem in \textsf{P} (resp. \textsf{PP}), then the former problem is also in \textsf{P} (resp. \textsf{PP}). Until know, we mainly focus on the running time of the algorithms. In cryptology, it is also important to consider the success probability of algorithms: diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index 8065c33..9731bce 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex 
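Review bot: The new oracle-machine definition only covers access to a deterministic function $O(\cdot)$, while the oracles used in the group-signature chapter of this same diff ($Q_{\ajoin}$, $Q_{\bjoin}$, $Q_{\mathsf{open}}$, all reading and updating $\mathsf{state}_{\interface}$) are stateful and randomized; a sentence saying that $O$ may more generally be a (possibly randomized, stateful) machine whose answers depend on previous queries would make the later use consistent with this definition. "in constant time" is also looser than the usual convention — `each query to $O$ counts as a single step of $M$` states the cost model precisely. Minor: "Turing Machine" is capitalized here but written "Turing machine" in the surrounding text.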
@@ -1,6 +1,6 @@ %-------------------------------------------------- In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction. -Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove +Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove %-------------------------------------------------- \section{Building blocks} 
@@ -15,14 +15,14 @@ groups of prime order $p$ and we rely on the assumed security of the \SDL and \ \defSDL* -\subsection{Quasi-Adaptive NIZK Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk} -\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument NIZK quasi-adaptatif pour un sous-espace linéaire} +\subsection{Quasi-Adaptive $\NIZK$ Arguments for Linear Subspaces} \label{sse:sigmasig-qa-nizk} +\addcontentsline{tof}{section}{\protect\numberline{\thesection} Argument $\NIZK$ quasi-adaptatif pour un sous-espace linéaire} -Quasi-Adaptive NIZK (QA-NIZK) proofs \cite{JR13} are NIZK proofs where the common reference string (CRS) +Quasi-Adaptive $\NIZK$ (\QANIZK) proofs \cite{JR13} are $\NIZK$ proofs where the common reference string (CRS) may depend on the language for which proofs have to be generated. -Formal definitions are given in \cite{JR13,LPJY14,KW15}. %Appendix~\ref{QA-NIZK}. +Formal definitions are given in \cite{JR13,LPJY14,KW15}. -This section recalls the QA-NIZK argument of \cite{KW15} for proving membership in the row space of a matrix. +This section recalls the \QANIZK argument of \cite{KW15} for proving membership in the row space of a matrix. In the description below, we assume that all algorithms take as input the description of common public parameters $\mathsf{cp}$ consisting of asymmetric bilinear groups $(\GG,\Gh,\GT,p)$ of prime order $p>2^\lambda$, where $\lambda$ is the security parameter. 
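Review bot: The new `\QANIZK` macro is used in text mode followed by a word ("\QANIZK argument", "\QANIZK proofs"); unless it is defined with `\xspace`, TeX will swallow the following space and typeset "QA-NIZKargument", so either define it with `\xspace` or write `\QANIZK{} argument`. Putting `$\NIZK$` inside `\subsection{...}` will also produce a hyperref bookmark warning if hyperref is loaded; `\subsection{Quasi-Adaptive \texorpdfstring{$\NIZK$}{NIZK} Arguments for Linear Subspaces}` keeps the PDF outline clean, and the same applies to the `\addcontentsline` entry.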
@@ -58,16 +58,16 @@ We stress that $\mathsf{cp}$ is independent of the matrix $\mathbf{M} = (\vec{M} $ 1_{\GT} = e(\pi,\hat{g_z}) \cdot \prod_{j=1}^n e(v_j,\hat{g}_j) . $ \end{description} -The proof of the soundness of this QA-NIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. +The proof of the soundness of this \QANIZK argument system requires the matrix $\mathbf{M}$ to be witness-samplable. This means that the reduction has to know the discrete logarithms of the group elements of $\mathbf{M}$. This requirement is compatible with our security proofs. \section{A Randomizable Signature on Multi-Block Messages} \label{scal-sig} -In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the SXDH assumption. We show that their scheme +In \cite{LPY15}, Libert \textit{et al.} described an F-unforgeable signature based on the $\SXDH$ assumption. We show that their scheme implies an efficient ordinary digital signature which makes it possible to efficiently sign multi-block messages in $\Zp^{\ell}$ while keeping the scheme -compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying QA-NIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. -Moreover, we show that their scheme remains unforgeable under the SXDH assumption. +compatible with efficient protocols. In order to keep the signature length independent of the number of blocks, we exploit the property that the underlying \QANIZK argument \cite{KW15} has constant size, regardless of the dimensions of the considered linear subspace. +Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assumption. \begin{description} \item[\textsf{Keygen}$(\lambda,\ell):$] Choose bilinear groups $\mathsf{cp}=(\GG,\Gh,\GT,p)$ 
@@ -89,7 +89,7 @@ Moreover, we show that their scheme remains unforgeable under the SXDH assumptio \end{array}\right) , \end{equation} where $\mathbf{1}_{{}_{\ell+1}}=(1_{\GG},\ldots,1_{\GG})\in\GG^{\ell+1}$. -\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the QA-NIZK argument of Section~\ref{sse:sigmasig-qa-nizk} +\item Run $\mathsf{Keygen}(\mathsf{cp},M)$ of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} to get $\mathsf{crs}=(\{ z_i \}_{i=1}^{\ell+2},~ \hat{g}_z,~\{ \hat{g}_j \}_{j=1}^{2\ell+4} )$. \bigskip \item[] @@ -111,13 +111,13 @@ $\vec{m}\in \Zp^\ell$, choose $s \sample \Zp$ to compute = g^\omega\cdot (v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot w)^{s}, & \sigma_2 & = g^{s}, & \sigma_3 & = h^{s} . \end{align*} -Then, run $\mathsf{Prove}$ of the QA-NIZK argument to prove that +Then, run $\mathsf{Prove}$ of the \QANIZK argument to prove that the following vector of $\GG^{2\ell+4}$ \begin{align} \label{eq:vector} (\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega) \end{align} -is in the row space of $\mathbf{M}$. This QA-NIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot +is in the row space of $\mathbf{M}$. This \QANIZK proof $\pi\in\GG$ consists of $\pi = z_1^\omega \cdot (z_2^{m_1}\cdots z_{\ell+1}^{m_\ell} \cdot z_{\ell+2})^{s}.$ Return the signature $\sigma=\big(\sigma_1,\sigma_2,\sigma_3, \pi \big)\in\GG^{4}$. 
@@ -138,7 +138,7 @@ The signature on $\ell$ scalars thus only consists of 4 elements in $\GG$ while the verification equation only involves a computation of 5 pairings. \begin{theorem} \label{th:eu-cma-1} -The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the SXDH assumption holds in $(\GG, \Gh, \GT)$. +The above signature scheme is existentially unforgeable under chosen-message attacks (\textsf{eu-cma}) if the $\SXDH$ assumption holds in $(\GG, \Gh, \GT)$. \end{theorem} \begin{proof} @@ -158,7 +158,7 @@ The above signature scheme is existentially unforgeable under chosen-message att \end{aligned} \end{equation} Since $(\sigma_1,\sigma_2^{m_1},\ldots,\sigma_2^{m_\ell},\sigma_2, \sigma_3^{m_1},\ldots,\sigma_3^{m_\ell},\sigma_3,\Omega)$ - is in the row space of $\mathbf{M}$, the QA-NIZK proof $\pi$ has the same distribution as if it were computed as + is in the row space of $\mathbf{M}$, the \QANIZK proof $\pi$ has the same distribution as if it were computed as \begin{equation} \label{eq:rel-sim-A} \begin{aligned} @@ -184,7 +184,7 @@ The above signature scheme is existentially unforgeable under chosen-message att \end{gathered} \label{eq:rel-sig-B} \end{equation*} - The QA-NIZK proof $\pi$ is + The \QANIZK proof $\pi$ is computed as in \eqref{eq:rel-sim-A} by using $\mathsf{tk}=\{\chi_i \}_{i=1}^{2\ell+4}$. Note that Type B signatures can be generated without using $\omega \in \Zp$. \end{description} \smallskip 
@@ -205,9 +205,9 @@ The above signature scheme is existentially unforgeable under chosen-message att and wins if $\Verify(\mathsf{pk}, \sigma^\star, M^\star) = 1$. \item[Game 1:] We change the way $\bdv$ answers signing queries. - The QA-NIZK proofs $\pi$ are then computed as simulated QA-NIZK proofs + The \QANIZK proofs $\pi$ are then computed as simulated \QANIZK proofs using $\mathsf{tk}$ - as in~\eqref{eq:rel-sim-A}. These QA-NIZK proofs are thus simulated + as in~\eqref{eq:rel-sim-A}. These \QANIZK proofs are thus simulated proofs for true statements, and then their distribution remains unchanged. We have $\Pr[S_1] = \Pr[S_1 \wedge E_1] + \Pr[S_1 \wedge \neg E_1]$. @@ -225,7 +225,7 @@ The above signature scheme is existentially unforgeable under chosen-message att is smaller than $\advantage{\DDH}{\GG}(\lambda) + 1/p$. \end{description} - In Game $2.Q$, we know that if SXDH holds, $\adv$ can only output a type $\mathrm{A}'$ + In Game $2.Q$, we know that if $\SXDH$ holds, $\adv$ can only output a type $\mathrm{A}'$ forgery even if it only obtains type B signatures during the game. Nevertheless, lemma~\ref{le:final-forgery} shows that a type $\mathrm{A}'$ forgery in Game @@ -250,7 +250,7 @@ The above signature scheme is existentially unforgeable under chosen-message att \begin{proof} Let $\adv$ be an attacker that does not output a type $\mathrm{A}'$ forgery. We will build an attacker $\bdv$ against the soundness of the - Quasi-Adaptive NIZK (QA-NIZK) scheme, which security is implied from the double-pairing + Quasi-Adaptive $\NIZK$ (\QANIZK) scheme, which security is implied from the double-pairing problem that reduces from DDH as explained in~\cite{LPJY13}. Let us define the vector $\ssigma \in \GG^{2\ell+4}$ as \[ 
@@ -263,7 +263,7 @@ The above signature scheme is existentially unforgeable under chosen-message att Our reduction $\bdv$ receives as input $\mathsf{cp}=(\GG,\Gh,\GT,p)$, a matrix ${\mathbf{M}}$ as in (\ref{matrix-scal-sig}) and a common reference string $\mathsf{crs}$ (depending on the matrix) for an instance of the - QA-NIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. + \QANIZK scheme allowing to prove that vectors of dimension $2\ell + 4$ are in the row space of ${\mathbf{M}}$. The generation of the matrix ${\mathbf{M}}$ fixes $g$, $h$ and $\vec{v}=(v_1,\ldots,v_\ell,w)\in\GG^{\ell+1}$. After that, $\bdv$ picks $\omega \sample Z_p$ and $\hat g \sample \Gh$, and set $\Omega = h^\omega$. Then, the reduction $\bdv$ sends to $\adv$ $\mathsf{cp}$ and the verification key: @@ -305,7 +305,7 @@ If DDH holds in $\GG$, for each $k \in Then, queries are answered depending on their index~$j$:\\ \textbf{Case $\boldsymbol{j < k}$:} $\bdv$ computes a Type B signature, $\sigma = (\sigma_1, \sigma_2, - \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the QA-NIZK simulator + \sigma_3, \pi)$, using $\mathsf{tk}=\{ \chi_i \}_{i=1}^{2\ell + 4}$ with the \QANIZK simulator to computes $\pi$. \noindent\textbf{Case $\boldsymbol{j > k}$:} The last $Q - k - 1$ signing queries are computed as 
@@ -317,7 +317,7 @@ If DDH holds in $\GG$, for each $k \in depending on whether $\eta = g^{ab}$ or $\eta = g^{a(b+c)}$ for some $c \in_R \Zp$. Namely, $\bdv$ computes $\sigma_2 = g^b$, $\sigma_3 = \eta$, and $ \sigma_1 = g^\omega \sigma_2^{a_w + \sum_{i=1}^\ell a_{v_i} m_i} \sigma_3^{b_w + \sum_{i=1}^\ell b_{v_i} m_i}. $ - Then $\bdv$ simulates QA-NIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$. + Then $\bdv$ simulates \QANIZK proofs $\pi$ as recalled in \eqref{eq:rel-sim-A}, and sends $\sigma = (\sigma_1, \sigma_2, \sigma_3, \pi)$ to $\adv$. \smallskip If $\eta = g^{ab}$, the $k$-th signature $\sigma$ is 
@@ -690,7 +690,7 @@ This concludes the proof. % TODO: ugly \subsection{Signing a Committed Message} At a high level, the protocol involves a committer who wants to get a signature on ${\mathbf{m}}=(m_1,\ldots,m_\ell)$ and first computes a commitment of the form $c_v=v_1^{m_1}\cdots v_\ell^{m_\ell}\cdot u^{r}$, where $u$ is the extra public parameter (with unknown discrete log). The signer gives back elements of the form $\tau_1=g^\omega c_v^s$, $\tau_2=g^s$, $\tau_3=h^s$ which is almost the desired signature. To get the component $\sigma_1$ of the right form relatively to $\tau_2,\tau_3$ the committer has to remove the factor $u^{rs}$ from $\tau_1$. Then, the signer also sends $\tau_0=u^s$ to enable removing $\tau_0^r$. -In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the QA-NIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip +In the protocol some randomizing steps are included as well as other additional components allowing the committer to extract $\pi$, the \QANIZK part of the signature. In the security proof of the protocol we thus have to show that the additional value $\tau_0=u^s$ does not affect the unforgeability of the signature. \smallskip \noindent \textbf{The protocol.} % 
@@ -729,11 +729,11 @@ In comparison, the construction of \cite{CL02a} requires groups of larger hidde \noindent \textbf{Security.} % We briefly sketch the proof of the above protocol in front of malicious entities since classical arguments can be applied. Assuming that the committer uses secure ZKPK and does not output $\bot$, a malicious signer which receives perfectly hiding commitments $c_v,c_z$ cannot tell apart an honest proof from a simulated proof. Consequently the signer learns nothing from ${\mathbf{m}}$ during the execution of the protocol. -In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an SXDH challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. 
\smallskip +In the other case, we have to show that a corrupted committer remains unable to produce valid signature on a new vector ${\mathbf{m}^\star}$. First, since the generation of $u$ is not under the controlled of the committer but of the random oracle, $u$ can be made independent of rest of $\mathsf{pk}$. Then, we only need to show that the signature remains unforgeable when $\tau_0$ is given in the signature. Since ${\mathbf{m}}$ and $s$ can be extracted from the proof of knowledge the reduction can output a signature on ${\mathbf{m}}$. Moreover it is easy to see from the security proof (in \cref{sse:sigmasig-qa-nizk}) of the signature how this additional element can be simulated. Actually the only place in the reduction where $\tau_0$ could not be computed directly as $u^s$ for a known $s$ is when the challenger $\bdv$ has to embed an $\SXDH$ challenge in a simulated signature. Given ($g,h,g^b,h^{b+c}$), $\bdv$ can compute $u=g^{a_u}h^{b_u}$ from random $a_u,b_u\gets\ZZ_p$ and program the random oracle to output this element $u$ as the specification of the public-key would do. Then to simulate $\tau_0$ $\bdv$ simply has to compute $\tau_0=(g^b)^{a_u}(h^{b+c})^{b_v}=u^bh^{c\cdot b_v}$ which is $u^b$ or random. The rest of the reduction remains unchanged since the value $a_u,b_u$ are completely independent of those already described in the sketch of proof in \cref{sse:sigmasig-qa-nizk}. \smallskip \noindent \textbf{Remark.} % -Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying QA-NIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form. 
+Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i\}_{i=1}^{2\ell+4}$ of the underlying \QANIZK argument, he could produce valid signature so that $\log_g \sigma_2\neq\log_h \sigma_3$. Then, if the committer later needs to proof knowledge of the received signature it then has to use the sigma protocol of Section~\ref{scal-sig} where both $\sigma_2$ and $\sigma_3$ only appear in committed form. @@ -749,7 +749,7 @@ on a committed message $\ID \in \Zp$. Here, we use a deterministic commitment to efficiency. When signing a message, each group member verifiably encrypts the components $(\sigma_1,\pi)$ of his membership certificate that depend on $\ID$ (and not $\sigma_2,\sigma_3$ which can be assumed to be honestly computed here, unlike in the previous section). For the sake of efficiency, we use a randomness re-using \cite{BBKS07} variant of the Cramer-Shoup encryption scheme \cite{CS98} whereby $\sigma_1$ and $\pi$ are both encrypted using the same encryption exponent $\theta \in \Zp$. For public verifiability purposes, the validity of Cramer-Shoup ciphertexts is demonstrated using -$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier NIZK proofs \cite{CS98}. \\ +$\Sigma$-protocols and the Fiat-Shamir heuristic \cite{FS86} (somewhat in the fashion of \cite{SG98}) rather than designated verifier $\NIZK$ proofs \cite{CS98}. \\ \indent In the join protocol, the user proves knowledge of his membership secret $\ID \in \Zp$ in a zero-knowledge manner, which restricts the group manager to sequentially interact with prospective users. However, this limitation can be removed using an extractable commitment as in \cite{DP06}. 
@@ -779,15 +779,15 @@ with prospective users. However, this limitation can be removed using an extract that will be modeled as a random oracle. \item Define - $\mathcal Y = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key. - The group manager's private key is $\mathcal S_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of - $ \mathcal S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. + $\gspk = \bigl\{ \pk_s, X_z, X_\sigma, X_\ID \bigr\} $ to be the group public key. + The group manager's private key is $\mathcal{S}_\GM = \omega = \sk_s$ whereas the opening authority's private key consists of + $ \mathcal{S}_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. \end{enumerate} \vspace{-1mm} % \begin{description} \item[\textsf{Join}$^{(\GM, \U_i)}$:] The group manager $\GM$, and the prospective user $\U_i$ run the following interactive protocol: - %$[ \mathsf J_{\user}(\lambda, \mathcal Y), \mathsf J_\GM(\lambda, St, \mathcal Y, \mathcal S_{\GM}) ]$ + %$[ \mathsf{J}_{\user}(\lambda, \gspk), \mathsf{J}_\GM(\lambda, St, \gspk, \mathcal{S}_{\GM}) ]$ \end{description} \vspace{-2mm} \begin{enumerate} \item $\U_i$ chooses ${\ID \sample \Zp}$ and sends the following to @@ -813,13 +813,13 @@ with prospective users. However, this limitation can be removed using an extract \item $\GM$ uses $V_\ID=v^{\ID}$ to sign $\ID$ using the scheme of section~\ref{scal-sig}: i.e., $\GM$ picks $s \sample \Zp$, and - uses $\mathcal S_\GM = \omega$ to compute + uses $\mathcal{S}_\GM = \omega$ to compute $\sigma_1= g^\omega\cdot(V_\ID \cdot w)^s= g^\omega \cdot (v^\ID \cdot w)^s$ and \begin{align*} \sigma_2 & = g^s, & \sigma_3 & = h^s. \end{align*} - Then $\GM$ uses $Z_{\ID}$ to generate the QA-NIZK proof $\pi\in \GG$ as + Then $\GM$ uses $Z_{\ID}$ to generate the \QANIZK proof $\pi\in \GG$ as \begin{align*} \pi &= z_1^\omega \cdot (Z_{\ID} \cdot z_3)^s = z_1^\omega \cdot (z_2^\ID \cdot z_3)^s 
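Review bot: `\gspk` is introduced on the new side here and in the later hunks of this file (`@@ -836`, `@@ -888`, `@@ -940`, `@@ -1090`, `@@ -1179`, `@@ -1235`), but the macros.tex hunk of this commit adds only `\QANIZK`; unless `\gspk` is already defined elsewhere in the preamble, the document no longer compiles. If it is new, define it next to `\QANIZK`; since every use in this diff is inside math mode, a plain `\newcommand*{\gspk}{\mathcal{Y}}` without `\xspace` fits. The `\mathcal S` → `\mathcal{S}` normalisation in the same hunk is fine, but the context line `$S_\mathrm{OA} = …$` in the `@@ -940` hunk still spells the opening key without `\mathcal`, so the rename is not complete.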
@@ -836,7 +836,7 @@ with prospective users. However, this limitation can be removed using an extract \end{enumerate} % \begin{description} - \item[\textsf{Sign}$(\mathcal Y, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$ + \item[\textsf{Sign}$(\gspk, \scr_i, \crt_i, M)$:] Given a message $M \in \bit^*$ and a secret $\scr_i = \ID$, the user $\U_i$ does the following: \end{description} \vspace{-2mm} \begin{enumerate} @@ -888,7 +888,7 @@ with prospective users. However, this limitation can be removed using an extract \end{enumerate} % \begin{description} - \item[\textsf{Verify}$(\mathcal Y, M, \Sigma)$:] + \item[\textsf{Verify}$(\gspk, M, \Sigma)$:] Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as $(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, output 1 if the the zero-knowledge proof verifies. Namely, @@ -940,11 +940,11 @@ with prospective users. However, this limitation can be removed using an extract \end{enumerate} \vspace{-1mm} % \begin{description} - \item[\textsf{Open}$(\mathcal Y, \mathcal S_\OA, M, \Sigma)$:] Given a pair $(M,\Sigma)$ + \item[\textsf{Open}$(\gspk, \mathcal{S}_\OA, M, \Sigma)$:] Given a message-signature pair $(M,\Sigma)$ and the $\mathsf{OA}$'s private key $S_\mathrm{OA} = \bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$: \vspace{-1mm} \end{description} \begin{enumerate} - %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal S_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. + %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. \item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$. 
@@ -985,18 +985,19 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas \subsection{Security} \begin{theorem} \label{gsig-anon} - If SXDH holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm} + If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm} \end{theorem} \begin{proof} We use a sequence of games where, for each $i$, $W_i$ is the event that the adversary $\adv$ wins in Game $i$. \\ -At the first transition, we need to rely on the security of the computational soundness of the QA-NIZK argument of Section~\ref{QA-NIZK-scheme} which relies on the SXDH assumption, since $\tilde \sigma_2$ and +At the first transition, we need to rely on the security of the computational soundness of the \QANIZK argument of Section~\ref{sse:sigmasig-qa-nizk} which relies on the $\SXDH$ assumption, since $\tilde \sigma_2$ and $\tilde \sigma_3$ appear un-encrypted in each group signature. \vspace{-2mm} \begin{description} - \item[Game 0:] This is the real CCA-anonymity game. In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that + \item[Game 0:] This is the real CCA-anonymity game.\\ + In the challenge phase, the adversary outputs two valid membership certificates and membership secrets $(\crt_0^\star,\scr_0^\star),(\crt_1^\star,\scr_1^\star)$ and obtains a challenge signature which the challenger computes using $(\crt_d^\star,\scr_d^\star)$, where $d\sample \{0,1\}$. We define $W_0$ to be the event that the adversary outputs $d'=d$. \item[Game 1:] This game is as Game $0$, except that the challenger $\bdv$ aborts in the event, 
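Review bot: The `\\` appended after `This is the real CCA-anonymity game.` in the `Game 0` item is a forced line break inside running text; in a `description` item it leaves that first line unjustified and produces an underfull `\hbox` warning, which the `\overfullrule` added in main.tex will not show. A paragraph break gives the same layout without the warning: end the line after `game.` and start `In the challenge phase, …` on its own line with a blank line between them, or drop the break. The `\ref{sse:sigmasig-qa-nizk}` fix in this hunk is correct; the `description` environment continues past the end of the hunk.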
@@ -1007,7 +1008,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature. This implies that the vector $(\sigma_1^\star, \sigma_2^{\star \ID}, \sigma_2^\star, \sigma_3^{\star \ID}, \sigma_3^\star, \Omega)$ is outside the row space of the matrix $\mathbf{M}$ (\ref{matrix-scal-sig}), so that $F_1$ would contradict - the soundness of the QA-NIZK proof of \cite{KW15} + the soundness of the \QANIZK proof of \cite{KW15} (via the same arguments as in Theorem 9 of \cite{LPY15} since the matrix can be witness-samplable here) and thus the DDH assumption in $\Gh$. We have $ [\Pr[W_1] - P[W_0] | \leq \advantage{\DDH}{\Gh}(\lambda).$ @@ -1027,7 +1028,7 @@ $\tilde \sigma_3$ appear un-encrypted in each group signature. Thus $|\Pr[W_2] - \Pr[W_1] | \leq 1/p^3$ \item[Game 3:] We modify again the generation of the challenge signature $ \Sigma^\star $. Namely, the challenger computes - $C_z, C_\sigma, C_\ID$ using $\mathcal S_\OA$ as follows + $C_z, C_\sigma, C_\ID$ using $\mathcal{S}_\OA$ as follows \begin{align*} C_z &= \tilde \pi \cdot C_1^{x_z} \cdot C_2^{y_z}, \\ C_\sigma &= \tilde \sigma \cdot C_1^{x_\sigma} \cdot C_2^{y_\sigma}, & 
@@ -1090,7 +1091,7 @@ It comes that $\Pr[W_5]=1/2$. \medskip $\bdv$ faithfully generates the signature public key by faithfully running steps $1$, $2$, $3$ of the signature scheme of Section~\ref{scal-sig} and then calls for the signing oracle to obtain homomorphic signatures $\{ (z_j, r_j) \}_{j=1}^3$ on the rows of the matrix $\mathbf{M} \in \GG^{3 \times 6}$. It then conducts the remaining steps faithfully to obtain a - group public key $\mathcal Y$. Since $\bdv$ knows $\mathcal S_\OA$, it an perfectly simulate the opening oracle. If + group public key $\gspk$. Since $\bdv$ knows $\mathcal{S}_\OA$, it an perfectly simulate the opening oracle. If $F_1$ occurs -- which it does by hypothesis --, one of the two membership certificate $\crt_d^\star$ of the challenge phase must contain a signature $\sigma^\star$ such that $\log_g(\sigma_2^\star) \neq \log_h(\sigma^\star_3)$. At this point, $\bdv$ can win the game against its challenger by outputting the vector $(\sigma_1^\star, \sigma^{\star \ID}_2, @@ -1162,7 +1163,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re \begin{theorem} In the ROM, the scheme is secure against - mis-identification attacks under the SXDH assumption in $(\GG,\Gh)$. + mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$. \vspace{-1mm} \end{theorem} % @@ -1179,7 +1180,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re scheme of section~\ref{scal-sig}. \medskip \\ \noindent \textit{Keygen.} At the key generation, $\bdv$ invokes its own challenger for the chosen-message security game to obtain the - public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\mathcal Y$. Except for $\mathcal S_\GM$, all keys + public key $\pk_s$ for the signature scheme. $\pk_s$ is embedded in the group public key $\gspk$. Except for $\mathcal{S}_\GM$, all keys are generated as in the normal \textsf{Keygen} algorithm. \medskip \\ 
@@ -1192,19 +1193,20 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re \medskip \\ \noindent At some point, the attacker $\adv$ produces a valid forgery - $(M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, - \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))$ for + \[ (M^\star, \Sigma^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, + \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star))\] for which the opening algorithm does not reveal a properly registered identity. With all but negligible probability, $\adv$ must have queried the random oracle value - $H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ which would have been unpredictable otherwise. \medskip - \\ + \[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)\] + which would have been unpredictable otherwise. + Thus, $\bdv$ replays the adversary $\adv$ with the \emph{same} input and random tape as in the first run. In the second run, the random oracle is also the same until the hash query - $H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. At this point, - the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains + \[ H(M^\star, C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\] + At this point, the forking occurs and $\bdv$ outputs fresh random oracle values. By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains two suitably related forgeries with non-negligible probability $\varepsilon \cdot (\varepsilon / q_H -1/p) $. 
Namely, $\bdv$ will obtain two matching transcripts $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\star, s_\ID^\star, s_\theta^\star)$, $(C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star, \tilde \sigma_3^\star, c^\dag, s_\ID^\dag, s_\theta^\dag )$ of the $\Sigma$-protocol for the commitment message - $\mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star)$. + \[ \mathsf{com}=(C_{\mathsf{CS}}^\star,\tilde{\sigma}_2^\star,\tilde{\sigma}_3^\star, R_1^\star, R_2^\star, R_3^\star, R_4^\star).\] From the responses $s_\ID^\star$ and $s_\ID^\dag$ (that necessarily involve the same identifier $\ID^\star$ which is uniquely determined by $C_{\mathsf{CS}}^\star = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star)$), $\bdv$ runs the knowledge extractor of to obtain @@ -1222,7 +1224,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re %\end{align*} \medskip \\ - Finally $\bdv$ uses $\mathcal S_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs + Finally $\bdv$ uses $\mathcal{S}_\OA$ to extract $\tilde \sigma_1^\star, \tilde r^\star, \tilde z^\star$ and outputs $\bigl(\ID^\star, \sigma^\star = (\tilde \sigma_1^\star,\tilde \sigma^\star_2,\tilde \sigma_3^\star, \tilde r^\star, \tilde z^\star)\bigr)$ as a forgery for the signature scheme of Section~\ref{scal-sig}. %\vspace{-1mm} 
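Review bot: The new line `By the Forking Lemma of~\cite{BN06}, $\bdv$ obtains` cites key `BN06` for the Forking Lemma, while the sec-pairings.tex hunk of this same commit keeps `elliptic curves~\cite{BN06, KSS08}`, citing `BN06` for pairing-friendly curves; one bibliography key cannot be both works, so one of the two citations presumably resolves to the wrong entry. Check which paper `BN06` is in the .bib and give the other one its own key; the context lines of the `@@ -1297` hunk cite `BN06` for the Forking Lemma too and would need the same update. The display-math conversions in this hunk are fine, with the trailing period correctly placed inside `\[ H(…).\]`. The enclosing `proof` environment starts and ends outside this hunk.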
@@ -1235,10 +1237,10 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re \end{theorem} \begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ \indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. -To generate the group public key $\mathcal{Y}$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. +To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. At step 1, $\bdv$ defines the generators $g,\hat{g}$ in $\pk_s$ to be those of its input and computes $h=g^{\alpha_h}$, $v=g^{\alpha_v}$, $w=g^{\alpha_w}$, $\hat{g}_z=\hat{g}^{\alpha_z}$ for randomly chosen scalars $\alpha_h,\alpha_v,\alpha_w,\alpha_z \sample \Zp$. -In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are QA-NIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) -As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\mathcal{Y}:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. 
\medskip +In order to compute $\{z_j\}_{j=1}^3$ of $\mathsf{crs}$ contained in $\pk_s$, $\bdv$ chooses $\mathsf{tk}=\{\chi_j\}_{j=1}^6$ of step 4 of the key generation algorithm of the signature scheme of Section \ref{scal-sig} with $\ell=1$. (Note that when $\ell=1$, $n=6$ and that $\{z_j\}_{j=1}^3$ are \QANIZK argument for the vectors $(g,1,1,1,1,h)$, $(v,g,1,h,1,1)$ and $(w,1,g,1,h,1)$. Moreover $\{\hat{g}_i=\hat{g}_z^{\chi_i}\}_{i=1}^6$ are the verifying key.) +As a result of this setup phase, $\bdv$ knows $\mathcal{S}_{\GM}=\sk_s=\omega$, $\mathcal{S}_{\OA}=\bigl(x_z, y_z, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$ and even $\mathsf{tk}$. The adversary $\adv$ is run on input of the group public key $\gspk:=(\pk_s,(X_z,X_\sigma,X_{\ID}),H)$, which has the same distribution as in the real attack game. \medskip \\ Should $\adv$ decide to corrupt the group manager or the opening authority during the game, $\bdv$ is able to reveal $\mathcal{S}_{\GM}=\sk_s$ and $\mathcal{S}_{\OA}$ when requested. %At the outset of the game, $\bdv$ picks a random $j^\star \sample \{1,\ldots,q_b\}$ and interacts with $\adv$ as follows. 
@@ -1257,9 +1259,9 @@ $ \vec{v}_i= (V_i,G_i,1,H_i,1,1)=(v,g,1,h,1,1)^{\ID_i}$ as \[ V_i =(g^a)^{\alpha_v\cdot\delta_i}, \quad G_i = (g^a)^{\delta_i}, \quad H_i =(g^a)^{\alpha_h\cdot\delta_i}, \] -and then computes $Z_i$ as a simulated QA-NIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$. +and then computes $Z_i$ as a simulated \QANIZK proof for $\vec{v}_i \in \GG^6$ using $\mathsf{tk}$. A straightforward calculation - shows that $Z_i=z_2^{\ID_i}$ since the QA-NIZK argument of Section \ref{QA-NIZK-scheme} has a deterministic proving algorithm, so that + shows that $Z_i=z_2^{\ID_i}$ since the \QANIZK argument of Section \ref{sse:sigmasig-qa-nizk} has a deterministic proving algorithm, so that $(V_i,Z_i,\hat{G}_{2,i},\hat{G}_{4,i})$ successfully passes the test of step 2. As for the last two components, for each $j\in \{2,4\}$, $\bdv$ computes \begin{eqnarray*} @@ -1271,7 +1273,7 @@ At step 3 of $\mathsf{Join}$, $\bdv$ simulates the interactive proof of knowledg In the rest of the protocol, $\bdv$ proceeds like the actual run and obtains $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$. Finally, $\bdv$ stores $(\crt_{i},Z_i,\delta_i,\hat{G}_{2,i},\hat{G}_{4,i})$. % \item[-] $Q_{\mathsf{pub}}$-queries: These can be answered as in the real game, by having the simulator return -%$\mathcal{Y}$. +%$\gspk$. \item[-] $Q_{\mathsf{sig}}$-queries: When $\adv$ requests user $i \in U^b$ to sign a message $M$, $\bdv$ is able to use the membership certificate $ \crt_{i}=(i, V_i, \sigma_1, \sigma_2, \sigma_3, \pi)$ to compute the ciphertext $C_{\mathsf{CS}}$ at steps 1-2 of the signing algorithm. While $\bdv$ does not know the witness $\ID_i=a\cdot\delta_i\in\Zp$ to generate a proof at step 3, $\bdv$ is able to simulate the 
@@ -1282,7 +1284,7 @@ More precisely, $\bdv$ re-randomizes the certificate $\crt_i$ by picking $r \tilde \pi & = \pi \cdot (Z_i \cdot z_3)^r, & \tilde \sigma_3 & = \sigma_3 \cdot h^r. \end{align*} Then $\bdv$ encrypts $\tilde \pi$, $\tilde \sigma_1$ and $V_i$ as in the real - signing algorithm to get ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$ + signing algorithm to get the encryption ${C}_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$. Then, $\bdv$ chooses $c, s_\ID, s_\theta\in\Zp$ and computes $R_1,R_2,R_3,R_4$ as in (\ref{gsig-verif-1}) and (\ref{gsig-verif-2}) of $\mathsf{Verify}$. Finally, $\bdv$ programs $H$ to return $c$ on inputs $(M, C_{\mathsf{CS}},\tilde \sigma_2, \tilde \sigma_3, R_1, R_2, R_3, R_4)$. In the event that $H$ is already defined at that point, 
@@ -1297,9 +1299,11 @@ $q_s$ is the number of signing queries. \end{align*} for some message $M^\star$, that opens to ${i^\star} \in U^b$ although user $i^\star$ did not sign $M^\star$. With high probability, $\adv$ must have queried the hash value $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$, which would be unpredictable otherwise. -Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape. At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run. +Hence, $\bdv$ can run $\adv$ a second time with the same input and random tape. + +At the moment when $\adv$ queries $H(M^\star, C_{\mathsf{CS}}^\star, \tilde \sigma_2^\star,\tilde \sigma_3^\star,R_1^\star, R_2^\star, R_3^\star, R_4^\star)$ in the second run, $\bdv$ starts responding with different random oracle values which depart from those of the initial run. The Forking Lemma of \cite{BN06} ensures that, with non-negligible probability the second run will result in a forgery -$\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)$ on +\[\Sigma^\dag = (C_1^\star, C_2^\star, C_z^\star, C_\sigma^\star, C_\ID^\star, \tilde \sigma_2^\dag, \tilde \sigma_3^\dag, c^\dag, s_\ID^\dag, s_\theta^\dag)\] on the same message $M^\star$, with distinct challenges $c^\dag\neq c^\star$. From the two responses $(s_\ID^\star, s_\theta^\star)$, $(s_\ID^\dagger, s_\theta^\dagger)$, $\bdv$ can extract witnesses 
@@ -1318,6 +1322,7 @@ We stress that the proofs can be easily adapted to the case where the opening a \subsection{Comparison with Existing Schemes} \begin{table*} + \small \centering \begin{tabular}{|c|c|c|c|c|c|c|} \hline
diff --git a/macros.tex b/macros.tex
index 52222f1..1c83902 100644
--- a/macros.tex
+++ b/macros.tex
@@ -16,6 +16,7 @@
 \newcommand{\ZK}{\textsf{ZK}\xspace}
 \newcommand{\ZKAoK}{\textsf{ZKAoK}\xspace}
 \newcommand{\NIZK}{\textsf{NIZK}\xspace}
+\newcommand{\QANIZK}{\textsf{QA-NIZK}\xspace}
 \newcommand{\PKE}{\textsf{PKE}\xspace}
 \newcommand{\OT}{\textsf{OT}\xspace}
 %% Common
diff --git a/main.tex b/main.tex
index 98ceb0f..1e191e5 100644
--- a/main.tex
+++ b/main.tex
@@ -2,6 +2,9 @@ \documentclass[a4paper, 11pt]{memoir} \semiisopage +%% Highlight overfull hbox +\overfullrule=1mm + \usepackage[utf8x]{inputenc} \usepackage[french,english]{babel} %\usepackage[UKenglish]{babel}
@@ -123,12 +126,13 @@ \cleardoublepage {\let\newpage\relax \part{Group Signatures and Anonymous Credentials} -\label{pa:gs-ac} \addcontentsline{tof}{part}{\protect\numberline{\thepart} Signatures de groupe et accréditations anonymes} +\label{pa:gs-ac} } -\chapter{Dynamic Group Signatures} \label{ch:gs-background} +\chapter{Dynamic Group Signatures} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique} +\label{ch:gs-background} \input chap-GS-background
@@ -153,11 +157,13 @@ \chapter{Lattice-Based Group Encryption} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Chiffrement de groupe à base de réseaux euclidiens} +\label{ch:ge-lwe} \input chap-GE-LWE \chapter{Lattice-Based Oblivious Transfer with Access Control} \label{ch:ac-ot} \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens} +\label{ch:ot-lwe} \input chap-OT-LWE
diff --git a/sec-pairings.tex b/sec-pairings.tex
index f0bb494..8fea2a1 100644
--- a/sec-pairings.tex
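Review bot: `\small` is added at the top of the `table*` float, before `\centering`, so it scales everything in the float, including the caption unless memoir's caption font settings reset the size; if the intent is only to make the tabular fit, scope it as `{\small \begin{tabular}...\end{tabular}}` or use a width-driven environment such as `tabularx` instead of shrinking the type. The tabular keeps `|c|c|...|` vertical rules with `\hline`, which is a style choice; `booktabs` (`\toprule`/`\midrule`/`\bottomrule`) would match the typographic conventions usually expected in a thesis. The `table*` environment ends outside the hunk.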
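Review bot: `\overfullrule=1mm` placed unconditionally in the preamble of main.tex prints a black bar at every overfull line in every build, including the one sent to print; a debugging aid like this belongs behind a switch. The usual way is the `draft` class option, `\documentclass[a4paper, 11pt, draft]{memoir}`, which sets the rule and is removed by switching to `final`, if memoir honours it as the standard classes do; otherwise keep the line but comment it out by default. The comment above it could say when to enable it, e.g. `%% Draft aid: mark overfull hboxes; disable for the final build`.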
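Review bot: The added `\label{ch:ot-lwe}` gives the Oblivious Transfer chapter a second label next to the unchanged `\label{ch:ac-ot}` on the line above it; both resolve to the same chapter, so nothing breaks, but two names for one target invite drift when one is later removed. Keep a single one — `ch:ot-lwe` matches the newly added `ch:ge-lwe` and the `\input chap-OT-LWE` naming — and update any `\cref{ch:ac-ot}` references, or drop the new label. The labels in this and the previous main.tex hunk are now placed after `\addcontentsline`, which is fine since they still follow the `\part`/`\chapter` command that steps the counter.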
+++ b/sec-pairings.tex
@@ -3,7 +3,7 @@ %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Pairing-based cryptography was introduced by Antoine Joux~\cite{Jou00} to generalize Diffie-Hellman key exchange to three users in one round. -Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{ACJT00,BBS04}. +Since then, many constructions have been proposed for cryptographic constructions, such as identity-based encryption~\cite{BF01,Wat05} or group signature~\cite{BBS04}. Multiple constructions and parameter sets coexist for pairings. Real-world implementation are based on elliptic curves~\cite{BN06, KSS08}, but recent advances in cryptanalysis makes it hard to evaluate the security level of pairing-based cryptography~\cite{KB16,MSS17,BD18}.
@@ -50,5 +50,4 @@ In the aforementioned chapter, we also rely on the following assumption, which g where $a \sample \ZZ_p^{}$, computing $a \in \ZZ_p^{}$. \end{restatable} -This assumption is still a static and non-interactive assumption. - +This assumption is also static and non-interactive.
diff --git a/sec-stern.tex b/sec-stern.tex
index dc46dbf..b7ece28 100644
--- a/sec-stern.tex
+++ b/sec-stern.tex
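Review bot: The rewritten sentence keeps `many constructions have been proposed for cryptographic constructions`, which uses the same noun for the thing proposed and the thing it serves; `many pairing-based constructions have been proposed for other primitives, such as identity-based encryption~\cite{BF01,Wat05} or group signatures~\cite{BBS04}` says what the paragraph is about, and the plural matches the citation list. The next, unchanged sentence has `Real-world implementation are`, which should be `implementations are`. The second hunk's `This assumption is also static and non-interactive.` is fine as is.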
@@ -56,7 +56,7 @@ The details of this proof is given in \cref{sse:stern-abstraction}, but it can b Ling, Nguyen, Stehlé and Wang~\cite{LNSW13} noticed that the \textsf{ZKAoK} of \cref{le:zk-ktx} straightforwardly works to prove knowledge of a vector in $\nbit^m$. -A technique to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13}\cite{LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\ref{sse:stern}). +%A method to relax the constraints on the \textsf{ZKAoK} of \cref{le:zk-ktx} is the so-called ``Decomposition-Extension'' technique~\cite{LNSW13,LSS14,ELL+15,LLNW16} as explained in the introduction of this Section (\cref{sse:stern}). \index{Lattices!Inhomogeneous \SIS} To prove the knowledge of an \ISIS preimage, i.e.
diff --git a/symbols.tex b/symbols.tex
index 5534821..1e927b0 100644
--- a/symbols.tex
+++ b/symbols.tex
@@ -26,6 +26,7 @@ $\ZK$ & Zero-Knowledge \\ $\ZKAoK$ & Zero-Knowledge Argument of Knowledge \\ $\NIZK$ & Non-Interactive Zero-Knowledge \\ + $\QANIZK$ & Quasi-Adaptive Non-Interactive Zero-Knowledge \\ $\OT$ & Oblivious Transfer \\ [1ex] \multicolumn{2}{l}{\scbf{Security Notions}} \\ EU-CMA & Existentially Unforgeable under chosen-message attacks \\
diff --git a/these.bib b/these.bib
index dafbf09..f29ad8e 100644
--- a/these.bib
+++ b/these.bib
@@ -1,3 +1,4 @@
+% Encoding: UTF-8
 @InCollection{BCKL08,
 author = {Belenkiy, Mira and Chase, Melissa and Kohlweiss, Markulf and Lysyanskaya, Anna},
 title = {{P}-signatures and Noninteractive Anonymous Credentials},
@@ -1621,7 +1622,7 @@
 }
 @InProceedings{CVH91,
- author = {Chaum, David and Van Heyst, Eug{\`e}ne},
+ author = {Chaum, David and van Heyst, Eug{\`e}ne},
 title = {Group signatures},
 booktitle = {{Eurocrypt}},
 year = {1991},
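Review bot: The new line keeps the sentence in the source as a comment (`%A method to relax ...`) together with two fixes that now have no effect, the merged `\cite{LNSW13,LSS14,ELL+15,LLNW16}` and `\cref{sse:stern}`; either delete the line and rely on version control, or reinstate it with those fixes. The surrounding lines write the acronym as `\textsf{ZKAoK}` while macros.tex, touched in this same commit, defines `\ZKAoK` for exactly that string, so `\ZKAoK` would keep the styling in one place. The `i.e.` closing the last context line is followed by an end-of-line, which TeX treats as a sentence-ending space; `i.e.\ ` or `i.e.,` avoids that, though the sentence continues outside the hunk.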
@@ -2229,7 +2230,7 @@
 @Article{KL11,
 author = {Kidron, Dafna and Lindell, Yehuda},
- title = {Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs},
+ title = {Impossibility Results for Universal Composability in�Public-Key Models and with Fixed Inputs},
 journal = {Journal of Cryptology},
 year = {2011},
 volume = {24},
@@ -2509,14 +2510,14 @@
 }
 @InProceedings{dPLNS17,
- author = {del Pino, Rafaël and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},
+ author = {del Pino, Rafa�l and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},
 title = {{Practical Quantum-Safe Voting from Lattices}},
 booktitle = {CCS},
 year = {2017},
 }
 @InProceedings{LLNW17,
- author = {Libert, Benoît and Ling, San and Nguyen, Khoa and Wang, Huaxiong},
+ author = {Libert, Beno�t and Ling, San and Nguyen, Khoa and Wang, Huaxiong},
 title = {{Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash}},
 booktitle = {Asiacrypt},
 year = {2017},
@@ -2526,7 +2527,7 @@
 }
 @InProceedings{Ajt96,
- author = {Ajtai, Miklós},
+ author = {Ajtai, Mikl�s},
 title = {{Generating Hard Instances of Lattice Problems}},
 booktitle = {STOC},
 year = {1996},
@@ -2562,7 +2563,7 @@
 }
 @InProceedings{LMN16,
- author = {Libert, Benoît and Mouhartem, Fabrice and Nguyen, Khoa},
+ author = {Libert, Beno�t and Mouhartem, Fabrice and Nguyen, Khoa},
 title = {{A Lattice-Based Group Signature Scheme with Message-Dependent Opening}},
 booktitle = {ACNS},
 year = {2016},
@@ -2591,7 +2592,7 @@
 }
 @InProceedings{LPJY14,
- author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti},
+ author = {Libert, Beno�t and Peters, Thomas and Joye, Marc and Yung, Moti},
 title = {{Non-malleability from Malleability: Simulation-Sound Quasi-Adaptive NIZK Proofs and CCA2-Secure Encryption from Homomorphic Signatures}},
 booktitle = {Eurocrypt},
 year = {2014},
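Review bot: On the new side of this hunk and of the dPLNS17, LLNW17, Ajt96, LMN16, LPJY14 and LPJY13 hunks, accented letters that were correct on the old side (`Rafaël`, `Benoît`, `Miklós`) come out as `�`, and the KL11 title gained a non-ASCII character between `in` and `Public-Key` where a plain space stood; this looks like the file having been re-saved in a non-UTF-8 encoding, which contradicts the `% Encoding: UTF-8` header this same commit adds at the top of these.bib. main.tex loads `\usepackage[utf8x]{inputenc}`, so such bytes in the generated bibliography will be rejected or typeset as garbage. Restore the old-side spellings (`author = {del Pino, Rafaël and Lyubashevsky, Vadim and Neven, Gregory and Seiler, Gregory},`) or, more robustly for BibTeX, write them as escapes (`Rafa{\"e}l`, `Beno{\^\i}t`, `Mikl{\'o}s`) as the CVH91 entry already does with `Eug{\`e}ne`, put a plain space back in the KL11 title, and have the editor save the .bib as UTF-8.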
@@ -2617,7 +2618,7 @@
 }
 @InProceedings{LPJY13,
- author = {Libert, Benoît and Peters, Thomas and Joye, Marc and Yung, Moti},
+ author = {Libert, Beno�t and Peters, Thomas and Joye, Marc and Yung, Moti},
 title = {{Linearly Homomorphic Structure-Preserving Signatures and Their Applications}},
 booktitle = {Crypto},
 year = {2013},
@@ -2716,4 +2717,13 @@
 publisher = {Springer},
 }
+@InProceedings{LNWX17,
+ author = {Ling, San and Nguyen, Khoa and Wang, Huaxiong and Xu, Yahong},
+ title = {{Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease}},
+ booktitle = {ACNS},
+ year = {2017},
+ series = {LNCS},
+ publisher = {Springer},
+}
+
 @Comment{jabref-meta: databaseType:bibtex;}